forked from Nike-Inc/cerberus
-
Notifications
You must be signed in to change notification settings - Fork 0
/
cerberus.yaml
292 lines (261 loc) · 12.5 KB
/
cerberus.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
logging.level:
com.nike.cerberus.metrics.LoggingMetricsService: INFO
VALID_WINGTIPS_SPANS: WARN
management:
endpoints:
enabledByDefault: false
web:
basePath: /
pathMapping.health: healthcheck
endpoint:
info.enabled: true
health.enabled: true
mybatis:
mapper-locations: classpath:com/nike/cerberus/mapper/*Mapper.xml
type-aliases-package: com.nike.cerberus.record
environment:
id: prod
configuration:
mapUnderscoreToCamelCase: true
flyway:
schemas: cms
locations: classpath:com/nike/cerberus/migration
# Configure the mysql settings here
jdbc:
driver: com.mysql.jdbc.Driver
url: jdbc:mysql://localhost:3306/cms?useUnicode=true&characterEncoding=utf8&useLegacyDatetimeCode=false&serverTimezone=UTC&useSSL=false
# username: encrypted:secrets-manager!r:some-region!s:some-secret!k:some-key
# password: encrypted:secrets-manager!r:some-region!s:some-secret!k:some-key
c3p0:
initialPoolSize: 80
minPoolSize: 80
maxPoolSize: 400
acquireIncrement: 10
checkoutTimeout: 30000
testConnectionOnCheckin: true
idleConnectionTestPeriod: 300
maxIdleTimeExcessConnections: 4200
maxConnectionAge: 300
preferredTestQuery: SELECT 1
server:
max-http-header-size: 65536
cerberus:
partitions:
awsGlobal:
enabled: true
awsChina:
enabled: false
environmentName: TODO
admin:
# These are aws principal that you want to allow to use the admin API
roles: ~
# The user group that the Cerberus operators belong to, this unlocks admin API perms
group: ~
encryption:
# comma delimited list of the CMKs for a KMS key that the iam role that Cerberus runs as has access to.
# These are normally generated by the lifecycle cli, you should have at least 2 from 2 different regions
cmk.arns: ~
# Data Key Caching for the SDK Crypto Client
# Why you would want to enable this:
# KMS has an account wide API limit for KMS of 1200 RPS.
# Cerberus uses KMS to encrypt and decrypt its data, and by default will make an API call to KMS at least 1 per request.
# Enabling this cache will allow CMS to to skip calls to KMS for repeat reads of the same data.
cache:
enabled: false
encrypt:
maxSize: 1000
maxAgeInSeconds: 60
messageUseLimit: 100
decrypt:
maxSize: 1000
maxAgeInSeconds: 60
# MyBaits Caching
# CMS uses mybatis as its ORM for the mysql data store.
# Enabling this cache will cause CMS to cache certain repeat reads that exceed a configurable threshold from various mappers (Some mappers excluded, Lock mapper for example) for some TTL.
# This will protect the DB from high bursts of repeat reads at the cost of potentially making some of its data eventually consistent.
# Ex: if a secret / property has been cached it will remain there for upto the whole TTL after a new value has been written.
# This cache is not distributed and will be in mem on each instance of CMS.
#
# The way the repeat read threshold works is as follows
#
# Assume the default settings of dataTtlInSeconds=10, repeatReadCounterResetInSeconds=2, repeatReadThreshold=2
# Every time a read occurs on a individual instance of CMS a counter is incremented.
# Every time a fetch from the DB occurs MyBatis calls put on the cache object.
# When the put call happens we check to see if the count has exceeded the repeatReadThreshold threshold, if so cache it for the dataTtlInSeconds ttl, if not don't cache.
# If there hasn't been any reads in repeatReadCounterResetInSeconds seconds the counter is reset.
mybatis.cache:
enabled: false
global:
# Override the global TTL for items after write here, defaults to 10.
dataTtlInSeconds: 10
# Override the the global Repeat Read counter reset interval here
repeatReadCounterResetInSeconds: 2
# Override the global repeat read count threshold here
repeatReadThreshold: 2
# All of the global settings can be overridden for any mapper in resources/com/nike/cerberus/mapper.
# EX: src/main/resources/com/nike/cerberus/mapper/CategoryMapper.xml -> categoryMapper
# Use camelCase for the mapper name
# categoryMapper:
# dataTtlInSeconds: 10
# repeatReadCounterResetInSeconds: 2
# repeatReadThreshold: 2
# Settings for the generation of auth tokens, these are the tokens that are issued to
# principals and are used to interact with the API
auth.token:
generate.length: 64
hash:
iterations: 100
keyLength: 256
algorithm: PBKDF2WithHmacSHA512
# This is the salt to use in the hashing algo, normally generated by the lifecycle cli
# salt: encrypted:secrets-manager!r:some-region!s:some-secret!k:some-key
auth.iam:
token.ttl: 1h
auth.user:
# Toggles whether or not user groups are case sensitive in your Auth Connector impl.
groups.caseSensitive: true
token:
maxRefreshCount: 0 # How often User Principals are allowed to refresh their auth token
ttl: 1h # How long user tokens are valid for.
# You can configure which User Authentication Connector to use here, you must enable one and only one.
connector:
okta:
enabled: false
# apiKey: yourApiKey
# baseUrl: yourOktaBaseUrl
oneLogin:
enabled: false
# clientId: yourClientId
# clientSecret: yourClientSecret
# subdomain: yourSubDomain
auth:
token:
issue-type: session # Can be session or jwt
accept-type: session # Can be session, jwt or all (which is both)
# auth.jwt:
# secret.local.autoGenerate: false # generate jwt secret for local development
# secret.local.enabled: false # set this to true when doing local development
# secret.bucket: jwt-secret-bucket # s3 bucket containing secret material
# With Cerberus 4.+ (Phoenix) We now have officially deprecated and turned off by default KMS Auth
# This was the original way of doing IAM authentication, its complicated, requires Cerberus to run in it's own account
# or in an account were you trust everyone who can create IAM roles and kms key policies.
# It also requires Cerberus users to have a special IAM policy in order to auth.
# STS Auth, is much better and has been made possible by new AWS APIs that have been released since Cerberus was created.
# See: https://engineering.nike.com/cerberus/docs/authentication/aws-iam-sts-authentication#why
# Also See
# https://engineering.nike.com/cerberus/docs/authentication/aws-iam-kms-authentication
# https://engineering.nike.com/cerberus/docs/authentication/aws-iam-sts-authentication
auth.iam.kms:
enabled: false
# This should be the root user for the account that this service will be ran in, so that KMS keys can be managed by that user
rootUserArn: ~
# This should be some sort of role that your team can assume, its ok to re-use the cms role arn here. This will be used when creating the kms keys for kms auth to allow your team to manage them
adminRoleArn: ~
# This should be the role that this service will have as its instance profile when running, this will be used when creating the kms keys for kms auth to allow cerberus to manage them
cmsRoleArn: ~
# When an IAM Principal is deleted externally this makes the KMS key policy invalid, this controls how often Cerberus should check that a policy is valid and attempt to fix it.
policy.validation.interval.millis: 300000
# Enable caching the generated encrypted AWS IAM KMS Auth object, so that burst authentication of the same
# principal does not result in repeat KMS encrypt calls
# Why you would want to enable this:
# KMS has an account wide API limit for KMS of 1200 RPS.
# Cerberus uses KMS to encrypt the auth payload, and by default will make an API call to KMS at least 1 per request.
# Enabling this cache will allow CMS to to skip calls to KMS for repeat authenticates of the same IAM principal.
cache:
enabled: false
maxAgeInSeconds: 10
metricsService:
# If you do not supply your own impl of com.nike.cerberus.metrics.MetricsService on the classpath then the LoggingMetricsService is used.
# You can configure what log level and how frequently to log custom metrics at here. Feel free to contribute a generic impl!
loggingMetricsService:
level: INFO
period: 1
timeUnit: MINUTES
# If you have used the life cycle CLI to generate the S3 bucket and Athena table you can use this engine to have a
# robust audit system that supports sql lookups on SDBs, IP Addresses and principals, etc.
audit.athena:
enabled: false
# bucket: yourS3Bucket
# bucketRegion: yourBucketRegion
# The default audit engine, logs audit events using an regular slf4j logger that goes to the stdout.
audit.logger:
enabled: true
# With Cerberus 4.+ (Phoenix) We now have officially deprecated and turned off by default some endpoints we plan on deleting.
deprecatedEndpoints:
# This has been deprecated for a long time, and we are now turning it off by default so we can delete it soon.
# /v1/safe-deposit-box
safeDepositBox.v1.enabled: false
jobs:
initialDelay: 0
initialDelayTimeUnits: minutes
# Ensures that the KMS datakeys that are used to encrypt data get rotated and that secrets are decrypted
# and re-encrypted with new data-key
dataKeyRotationJob:
enabled: true
numberOfDataKeyToRotatePerJobRun: 120
dataKeyRotationPauseTimeInMillis: 1000
dataKeyRotationIntervalInDays: 90
# Every hour
cronExpression: "0 0 * ? * *"
# Removes expired auth tokens from the database
expiredTokenCleanUpJob:
enabled: true
maxNumberOfTokensToDeletePerJobRun: 2500
numberOfTokensToDeletePerBatch: 1000
batchPauseTimeInMillis: 0
# Every ten minutes
cronExpression: "0 */10 * ? * *"
# Generates drop wizard metrics on the status of Hystrix for monitoring and alerting
hystrixMetricsProcessingJob:
enabled: true
# Every ten seconds
cronExpression: "0/10 * * ? * *"
# This job will generate Key Performance Indicator Metrics (KPIs) for the Cerberus environment and use Drop Wizard to report these Metrics
# By default unless you provide your own reporter impl, these metrics are just logged via an SLF4j Logger.
# Types of metrics that it generates: numberOfUniqueIamRoles, numberOfUniqueOwnerGroups, numberOfUniqueNonOwnerGroups, totalUniqueUserGroups, etc
kpiMetricsProcessingJob:
enabled: true
# Every hour
cronExpression: "0 0 * ? * *"
# JWT
jwtSecretRefreshJob:
enabled: false
# Every minute
cronExpression: "0 * * ? * *"
jwtBlocklistCleanUpJob:
enabled: false
# Every 5 minutes
cronExpression: "30 0/5 * ? * *"
jwtBlocklistRefreshJob:
enabled: false
# Every 10 seconds
cronExpression: "0/10 * * ? * *"
################################################################################################
# This Job require auth.iam.kms.rootUserArn,adminRoleArn,cmsRoleArn to be configured
# This job is now disabled by default since kms auth is disabled by default
#################################################################################################
# When a principal uses the legacy KMS authentication, a KMS key is lazily created for it. This job will
# delete keys that have become in-active, this job is safe as if the principal authenticates again a new key will be lazily created.
inactiveKmsCleanUpJob:
enabled: false
batchPauseTimeInSeconds: 10
deleteKmsKeysOlderThanNDays: 30
# Every day at noon
cronExpression: "0 0 12 * * ?"
################################################################################################
# This Job require auth.iam.kms.rootUserArn,adminRoleArn,cmsRoleArn to be configured
# This job is now disabled by default since kms auth is disabled by default
#################################################################################################
# Deletes orphaned KMS keys, when an principal that has authenticated with Cerberus has been deleted and is
# no longer associated with any SDB any keys that were created for it become orphaned.
# This job will clean those up
orphanedKmsKeyCleanUpJob:
enabled: false
dryMode: false
# Every 15 days at noon
cronExpression: "0 0 12 */15 * ?"
# Don't forget to enable SSL so your traffic is encrypted end to end
#security.requireSsl: true
#server.ssl:
# keyStore: encryptedFile:secrets-manager!r:some-region!s:some-secret
# keyStorePassword: encrypted:secrets-manager!r:some-region!s:some-secret!k:some-key