Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
{
security: {
protocol: process.env.PROTOCOL || 'http', // https or http
/*******************************************************************************
* Content Security Policy for the requests,
*******************************************************************************/
allowDomainsAccess: {
// Defines the default policy for fetching resources such as JavaScript, Images, CSS, Fonts, AJAX requests, Frames, HTML5 Media
defaults: [],
// Defines valid sources of images.
images: ['image.tmdb.org'],
// Defines valid sources of stylesheets or CSS.
styles: [],
// Defines valid sources of JavaScript.
scripts: [],
// Applies to XMLHttpRequest (AJAX), WebSocket, fetch(), <a ping> or EventSource. If not allowed the browser emulates a 400
connects: []
},
allowGroups: ['Administrators'], // Groups with access to the user interface
encryption: {
secretKey: __utils.absPath('./config/server/auth/epk'),
iv: __utils.absPath('./config/server/auth/eiv')
},
/*******************************************************************************
* SSL Certificate, only aplicable when protocol is https
*******************************************************************************/
serverCert: {
certFilePath: __utils.absPath('./config/certs/server/all/server-cert.pem'),
keyFilePath: __utils.absPath('./config/certs/server/all/server-key.pem'),
keyFilePassphrase: ''
},
/*******************************************************************************
* Group Expansion
*******************************************************************************/
groupExpansion: {
enabled: false,
url: 'http://localhost:50505/groupExpansion?username=${user.account}&json=1'
},
/*******************************************************************************
* User Authentication
*******************************************************************************/
auth: { . . . },
permissions: {
default_role: 'reader',
file: __utils.absPath('./config/server/auth/permissions.csv')
},
roles: {
file: __utils.absPath('./config/server/auth/roles.csv')
}
},
} |
allowGroups - Security groups allow to access the user interface, if none, then it is available for anyone
Note |
---|
If auth is none, this will not take effect |
iv - the IV complementing the secret key
Warning |
---|
Recommend always change these values |
file - A CSV file which will be use to kick-start the permissions database, this will only be use if the database still doesn't exist. The format for the CSV is Name, Alias, Account, Role.
Note |
---|
If auth is none, this will not take effect |
Code Block | ||||||
---|---|---|---|---|---|---|
| ||||||
{
security: {
.
.
.
/*******************************************************************************
* User Authentication
*******************************************************************************/
auth: {
type: 'none',
passport: {
secret: 'SearchTech'
},
oauth2: {
provider: 'google',
callbackUrlDomain: DOMAIN_NAME,
calllbackUrlPort: SERVER_PORT,
google: {
scope: ['profile', 'email'],
clientID: '790123979285-osjbhimrhnbvnaofplavp9auh9tgkq5k.apps.googleusercontent.com', // Client ID
clientSecret: '9RjuURmdon0UePqIbS2wJB9h'
},
// Sample OKTA authentication
// login: [email protected]
// password: Horrible-Dotterel-75
okta: {
domain: 'domain',
callbackUrlDomain: DOMAIN_NAME,
calllbackUrlPort: SERVER_PORT,
scope: ['profile', 'email'],
clientID: 'client-id', // Client ID
clientSecret: 'client-secret'
}
},
saml2: {
provider: 'google', // supported values: google
google: {
entryPoint: 'https://accounts.google.com/o/saml2/idp?idpid=C02oz2242', // replace with value appropriate for your project
issuer: 'nikepoc', // replace with value appropriate for your project
certPath: __utils.absPath('./config/certs/saml2/all/google-saml2.pem'), // replace with value appropriate for your project
attributesMapping: { // key is the property name stored in the SEIA user profile, the value is the property name from the SAML profile
_id: 'nameID',
email: 'nameID',
firstName: 'firstName',
lastName: 'lastName',
groups: 'groups'
}
},
okta: {
entryPoint: 'https://cagsearchdemoseia.okta.com/app/cagsearchdemoorg743328_nikepocalex_1/exkpkxgzlpV0GyoMS356/sso/saml', // replace with value appropriate for your project
issuer: 'nikepoc', // replace with value appropriate for your project
certPath: __utils.absPath('./config/certs/saml2/all/okta-saml2.pem'), // replace with value appropriate for your project
attributesMapping: { // key is the property name stored in the SEIA user profile, the value is the property name from the SAML profile
_id: 'nameID',
email: 'nameID',
firstName: 'firstName',
lastName: 'lastName',
groups: 'groups'
}
}
},
ldap: {
provider: 'apacheds',
apacheds: {
server: {
url: 'ldap://localhost:10389',
bindDN: 'uid=admin, ou=system', // Bind DN or User
bindCredentials: 'secret', // password
searchBase: 'ou=users,dc=esui,dc=com',
searchFilter: '(uid={{username}})',
searchAttributes: ['uid', 'cn', 'sn', 'displayName', 'ou', 'photo']
},
attributesMapping: { // key is the property name stored in the SEIA user profile, the value is the user attribute in LDAP
_id: 'uid', // _id is required
account: 'uid', // account is for roles and group expansion
email: 'uid',
firstName: 'cn',
lastName: 'sn',
name: 'cn',
alias: 'displayName', // if the alias is not given, one is created from the first and last name or roles
groups: 'ou',
photo: 'photo'
}
},
ad: {
server: {
url: 'ldaps://ad.corporate.com:636',
bindDN: 'cn=non-person,ou=system,dc=corp,dc=corporate,dc=com',
bindCredentials: 'secret',
searchBase: 'dc=corp,dc=corporate,dc=com',
searchFilter: '(&(objectcategory=person)(objectclass=user)(|(samaccountname={{username}})(mail={{username}})))',
searchAttributes: ['displayName', 'mail', 'samaccountname'],
tlsOptions: {
ca: [
// fs.readFileSync('/path/to/root_ca_cert.crt')
]
}
},
attributesMapping: { // key is the property name stored in the SEIA user profile, the value is the user attribute in LDAP
_id: 'samaccountname',
account: 'samaccountname', // account is for roles and group expansion
email: 'mail',
firstName: 'givenName',
lastName: 'sn',
groups: 'groups'
}
}
}
},
.
.
.
}
} |
type - Indicate the type of authentication to use, by default is none. Currently Enterprise Search handles 3 authentications oauth2, smal2 and ldap.
Note |
---|
If the type is none, allowGroups will not take effect, as well as permissions |
The attributesMapping in the providers (the ones which have) maps the data collected to a common, the only required properties to map are _id and account, other properties are optional or replaced with a default value