Configuration Parameters
When Control Center is started, it looks for the configuration parameters in the following order:
-
Java System properties, for example:
export JVM_OPTS="-Dserver.port=3004" -
The
application.propertiesfile in the Control Center root folder. -
The
application.ymlfile in the Control Center root folder.
If the parameter is not found in the above sources, the default value is used.
Use one of the above methods to set the configuration parameters.
Common Properties
| Parameter | Description | Default |
|---|---|---|
account.activation.enabled |
Enables account activation via email. After signing up, users will have to activate their account via email. Requires Mail Server properties. |
false |
account.activation.timeout |
Activation link’s timeout in milliseconds. |
1800000 |
account.activation.send-timeout |
The timeout for sending activation email, in milliseconds. |
180000 |
account.admin.email |
Email address in the administrator’s account. |
|
account.admin.password |
Administrator account’s password. |
|
account.authentication.interval |
The interval, in milliseconds, between login attempts. Increases exponentially based on the number of failed attempts. |
100 |
account.authentication.max-attempts |
The maximum number of failed attempts allowed before preventing login. An empty value means "infinity," which is the default. |
|
account.authentication.max-interval |
The maximum time an account can be locked for, in milliseconds. |
300000 |
account.signup.enabled |
Whether self-signup is enabled. If disabled, the Signup page is hidden in the UI. Only the registered users, as well as LDAP and Open ID Connect users, can sign in. |
true |
compute.grid.task-execution-timeout |
Task execution timeout in milliseconds. |
60000 |
compute.grid.task-pull-timeout |
Task pull timeout in milliseconds. |
60000 |
control.agent.secret-validation.enabled |
Enables cluster secret validation on handshake. |
true |
control.base-url |
Control Center URL for links in notifications. If the frontend and the backend have different hosts/ports, set the frontend URI as a value (for example, https://example.com:1234). |
|
control.browsers.allowed-origins |
Comma-separated allowed origins for WebSocket browsers endpoint. |
|
control.cache.backups |
The number of backups for all partitioned caches, configured via control.repositories.configurations.* properties. |
|
control.license.filestorage |
Enables file watcher for license updates. |
false |
control.license.path |
License monitoring path for file watcher. |
license/control-center-license.xml |
control.metric-collector.limit-enabled |
Enables the metrics. If false, all the metrics are collected from a cluster. Otherwise, metrics are collected on demand. |
true |
control.metric-collector.limit-file-path |
The path to the YAML file with templates of the metrics that must always be collected. Has no effect if limit-enabled is false. |
classpath:metrics.yml |
control.metric.ttl |
Metrics' TTL, after which they are removed (in days). Set to 0 for infinite TTL. |
1 |
control.metric.limit |
The number of metrics allowed per cluster. |
-1 (unlimited) |
control.metric.bufRatio |
Limit coefficient. Allows to temporarily exceed the metric limit, for example set to 1.10 and the limit is 100, once the number of metrics reaches 110, 10 oldest metrics will be deleted. |
1.10 |
control.repositories.auto-migrate-enabled |
Enables automatic migration of internal storage (required for updates). |
false |
control.repositories.configurations.{cacheName}.dataRegionName |
Custom data region for the cache. The property can be used for storing browser sessions (GccSessionCache) in the in-memory data region. |
|
control.repositories.configurations.GccSessionCache.touchExpirationTimeout |
The number of milliseconds that the user session should be kept alive. Default value is 7 days. |
604800000 |
control.repositories.configurations.QuerySessionCache.create-expiration-timeout |
The period (in milliseconds) after which cache entities (key-value pairs) are removed from |
604800000 |
control.repositories.configurations.TaskSessionCache.create-expiration-timeout |
Task session TTL (compute). |
|
control.web-socket.send-buffer-size-limit |
Maximum amount of data to buffer when sending messages to a WebSocket session (in bytes). |
|
server.address |
Network address to which Control Center binds. |
0.0.0.0 |
server.port |
Control Center port. This port is used to access Control Center via a web browser. Clusters connect to this port as well. |
3000 |
Rate Limits
| Parameter | Description | Default |
|---|---|---|
control.rate-limit.ban-duration-seconds |
Duration of the ban in seconds. |
|
control.rate-limit.block-connection-on-detection |
If "true," the cluster is disconnected instead of entering the "limited" state. |
false |
control.rate-limit.candidates |
The number of candidates with top statistics to be banned. |
|
control.rate-limit.computeHardLimit |
Compute hard limit. |
|
control.rate-limit.computeSoftLimit |
Compute soft limit. |
|
control.rate-limit.disconnected-lifetime-seconds |
Lifetime of the rate limit session without connection. |
|
control.rate-limit.hard-limit |
Once this number of messages in the queue is reached, the agents the highest messaging rate are disconnected. |
|
control.rate-limit.lower-threshold |
Count of requests between the previous and the current checks. |
1000 |
control.rate-limit.reconnectBanDuration |
Reconnect ban duration. |
|
control.rate-limit.reconnectRateLimitCount |
Reconnect rate limit. |
|
control.rate-limit.reconnectRateLimitPeriod |
Reconnect rate limit period duration. |
|
control.rate-limit.remove-session-interval-millis |
Scheduled interval for the session removal check, in milliseconds. |
|
control.rate-limit.soft-limit |
Once this number of messages in the queue is reached, all the connected agents are required to reduce the message submission rate. |
|
control.rate-limit.trace-hard-limit |
Once this limit is reached, the cluster will be marked as limited and no traces will be received for the ban duration. |
|
control.rate-limit.trace-soft-limit |
Once this limit is reached, all agents are required to reduce the trace rate. |
|
control.rate-limit.update-interval-millis |
Scheduled interval for the alert check, in milliseconds. |
Sessions
| Parameter | Description | Default |
|---|---|---|
spring.session.cache-name |
The name of the cache for storing web sessions. |
IgniteSessionCache |
spring.session.timeout |
The maximum inactive interval between requests before newly created sessions start getting invalidated (in milliseconds). |
604800000 |
Teams
| Parameter | Description | Default |
|---|---|---|
account.globalTeam.enabled |
If true, automatically creates a team called Global Team, which includes all active users (local or AD/LDAP-managed). |
false |
account.globalTeam.attachCluster |
If true, and if Global Team is enabled, automatically shares all clusters in the environment with that team. |
false |
SSL/TLS
You can enable SSL/TLS to encrypt communication between your cluster and Control Center.
| Parameter | Description | Default |
|---|---|---|
server.ssl.ciphers |
A list of SSL ciphers to use. |
|
server.ssl.client-auth |
Client authentication mode. Requires a trust store. Possible values:
|
|
server.ssl.enabled |
Enables SSL support. Takes effect only when a key store is provided. |
true |
server.ssl.enabled-protocols |
Enabled SSL protocols. |
|
server.ssl.key-alias |
The alias of the SSL certificate in the key store. |
|
server.ssl.key-password |
Password for the SSL certificate. |
|
server.ssl.key-store |
Path to the key store that holds the SSL certificate (typically a jks file). |
|
server.ssl.key-store-password |
Password for the key store. |
|
server.ssl.key-store-provider |
Provider for the key store. |
|
server.ssl.key-store-type |
The type of the key store. |
|
server.ssl.protocol |
The SSL protocol to use. |
TLS |
server.ssl.trust-store |
The trust store that holds SSL certificates. |
|
server.ssl.trust-store-password |
The password for the trust store. |
|
server.ssl.trust-store-provider |
Provider for the trust store. |
|
server.ssl.trust-store-type |
The type of the trust store. |
Mail Server
Control Center requires mail server parameters to send email notification and account confirmation emails.
| Parameter | Description | Default |
|---|---|---|
spring.mail.default-encoding |
Default MimeMessage encoding. |
UTF-8 |
spring.mail.host |
SMTP server host. For instance, |
|
spring.mail.jndi-name |
Session JNDI name. When set, takes precedence over other Session settings. |
|
spring.mail.password |
Login password of the SMTP server. |
|
spring.mail.port |
SMTP server port. |
|
spring.mail.properties.* |
Additional JavaMail Session properties. |
|
spring.mail.protocol |
Protocol used by the SMTP server. |
smtp |
spring.mail.test-connection |
Test that the mail server is available on startup. |
false |
spring.mail.username |
Login user of the SMTP server. |
SMS Provider
Control Center supports SMS alerts via Vonage communication provider.
-
Sign up at https://www.vonage.com/.
-
Get your api key and api secret. See https://developer.nexmo.com/concepts/guides/authentication#api-key-and-secret.
-
Specify the api key and secret in the following properties:
| Parameter | Description |
|---|---|
nexmo.creds.api-key |
The API key. |
nexmo.creds.api-secret |
The API secret. |
nexmo.creds.from |
The name or number the message is sent from. |
Active Directory and LDAP
You can configure the Control Center to integrate with Active Directory or LDAP to store user data externally. As every authentication request leads to Active Directory or LDAP server and no caching is performed, it is possible to log in as a new user once it is created.
Active Directory and LDAP integrations have some limitations that you should be aware of before configuring the Control Center to use them. See the list of limitations below:
-
Users can only be created by adding them to the Active Directory or LDAP server when Active Directory or LDAP integration is enabled. Signing up and creating an admin user with a link from the backend log is not applicable.
-
To become admins, users need to be a part of a special group in Active Directory or LDAP. The group name can be specified using the corresponding configuration properties.
-
The list of users is not displayed on the admin screen when Active Directory or LDAP integration is enabled.
-
Profile information can be modified only on the Active Directory or LDAP server, not through the Control Center interface.
Active Directory
To enable Active Directory authentication, use the following parameters:
| Parameter | Required | Description | Example |
|---|---|---|---|
spring.activedirectory.admin-role |
Optional |
The name of the user group with admin permissions. |
Domain Admins |
spring.activedirectory.domain |
Optional |
The default domain name to be added to the user login (if no domain is specified). |
gridgain.org |
spring.activedirectory.root-dn |
Required |
The distinguished name. |
dc=gridgain,dc=org |
spring.activedirectory.urls |
Required |
Comma-separated server URLs. |
ldap://localhost:389,ldap://localhost:8389 |
LDAP
To enable LDAP authentication, use the following parameters:
| Parameter | Required | Description | Example |
|---|---|---|---|
spring.ldap.admin-role |
Optional |
The name of the user group with admin permissions. |
By default, “admin” |
spring.ldap.base |
Required |
Base path from which all operations should originate. |
dc=gridgain,dc=org |
spring.ldap.bind-authenticator.enabled |
Optional |
Enables authenticator, which binds as a user. |
By default, “false” |
spring.ldap.password-comparison-authenticator.password-attribute-name |
Optional |
Name of the field where the password is stored. |
By default, “userPassword” |
spring.ldap.password-comparison-authenticator.userDnPatterns |
Optional |
Sets the pattern that is used to supply a Distinguished Name for the user. The pattern argument {0} contains the username. |
spring.ldap.password-comparison-authenticator.userDnPatterns[0]="uid={0},ou=people" |
spring.ldap.urls |
Required |
LDAP URLs of the server, separated by comma. |
ldap://localhost:389,ldap://localhost:8389 |
spring.ldap.user-details.groupMemberAttributeName |
Optional |
Name of the multi-valued attribute that holds the DNs of users who are members of a group. |
By default, “uniquemember” |
spring.ldap.user-details.groupRoleAttribute |
Optional |
The ID of the attribute that contains the role name for a group. |
By default, “cn” |
spring.ldap.user-details.groupSearchBase |
Optional |
The Distinguished Name under which groups are stored. |
ou=groups |
spring.ldap.user-details.userSearchBase |
Optional |
The Distinguished Name under which users are stored. |
ou=people |
spring.ldap.user-details.userSearchFilter |
Optional |
The filter expression used in the user search. This is an LDAP search filter (as defined in 'RFC 2254') with optional arguments. |
uid={0} |
OpenID Configuration
You can set up the OpenID authentication as described in the Connecting to OpenID provider section. To enable OpenID authentication, use the following parameters (replace {name} with your provider name):
| Parameter | Required | Description |
|---|---|---|
spring.security.oauth2.client.provider.{name} |
Required |
OpenID provider name. Can be anything, but must be consistent with spring.security.oauth2.client.registration.{name} and the name specified in redirect URI. |
spring.security.oauth2.client.provider.{name}.authorization-uri |
Required |
The endpoint that accepts authorization request. Usually provided in the |
spring.security.oauth2.client.provider.{name}.jwk-set-uri |
Required |
The endpoint that holds public keys used to authorize users. Usually provided in the |
spring.security.oauth2.client.provider.{name}.token-uri |
Required |
The endpoint that receives authorization information and returns authorization token. Usually provided in the |
spring.security.oauth2.client.registration.{name} |
Required |
OpenID provider name. Can be anything, but must be consistent with spring.security.oauth2.client.provider.{name} and the name specified in redirect URI. |
spring.security.oauth2.client.registration.{name}.client-id |
Required |
Client ID for Control Center. Provided when you set up OpenID credentials. |
spring.security.oauth2.client.registration.{name}.client-secret |
Required |
Client secret for Control Center. Provided when you set up OpenID credentials. |
© 2024 GridGain Systems, Inc. All Rights Reserved. Privacy Policy | Legal Notices. GridGain® is a registered trademark of GridGain Systems, Inc.
Apache, Apache Ignite, the Apache feather and the Apache Ignite logo are either registered trademarks or trademarks of The Apache Software Foundation.