-
Notifications
You must be signed in to change notification settings - Fork 11
/
Copy pathopentdf-ers-mode.yaml
91 lines (89 loc) · 2.84 KB
/
opentdf-ers-mode.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
# configures the platform to run just the entity resolution service and the well-known service
# primarily to be used for testing and development of external ERS connections
mode: entityresolution
logger:
level: debug
type: text
output: stdout
services:
entityresolution:
log_level: info
url: http://localhost:8888/auth
clientid: "tdf-entity-resolution"
clientsecret: "secret"
realm: "opentdf"
legacykeycloak: true
inferid:
from:
email: true
username: true
server:
auth:
enabled: true
enforceDPoP: false
public_client_id: "opentdf-public"
audience: "http://localhost:8080"
issuer: http://localhost:8888/auth/realms/opentdf
policy:
## Default policy for all requests
default: #"role:standard"
## Dot notation is used to access nested claims (i.e. realm_access.roles)
claim: # realm_access.roles
## Maps the external role to the opentdf role
## Note: left side is used in the policy, right side is the external role
map:
# standard: opentdf-standard
# admin: opentdf-admin
# org-admin: opentdf-org-admin
## Custom policy (see examples https://github.com/casbin/casbin/tree/master/examples)
csv: #|
# p, role:org-admin, policy:attributes, *, *, allow
# p, role:org-admin, policy:subject-mappings, *, *, allow
# p, role:org-admin, policy:resource-mappings, *, *, allow
# p, role:org-admin, policy:kas-registry, *, *, allow
# p, role:org-admin, policy:unsafe, *, *, allow
## Custom model (see https://casbin.org/docs/syntax-for-models/)
model: #|
# [request_definition]
# r = sub, res, act, obj
#
# [policy_definition]
# p = sub, res, act, obj, eft
#
# [role_definition]
# g = _, _
#
# [policy_effect]
# e = some(where (p.eft == allow)) && !some(where (p.eft == deny))
#
# [matchers]
# m = g(r.sub, p.sub) && globOrRegexMatch(r.res, p.res) && globOrRegexMatch(r.act, p.act) && globOrRegexMatch(r.obj, p.obj)
cors:
# "*" to allow any origin or a specific domain like "https://yourdomain.com"
allowedorigins:
- "*"
# List of methods. Examples: "GET,POST,PUT"
allowedmethods:
- GET
- POST
- PATCH
- PUT
- DELETE
- OPTIONS
# List of headers that are allowed in a request
allowedheaders:
- ACCEPT
- Authorization
- Content-Type
- X-CSRF-Token
- X-Request-ID
# List of response headers that browsers are allowed to access
exposedheaders:
- Link
# Sets whether credentials are included in the CORS request
allowcredentials: true
# Sets the maximum age (in seconds) of a specific CORS preflight request
maxage: 3600
grpc:
reflectionEnabled: true # Default is false
port: 8282