yujunjun/OpenMetadata
1
0
Fork 0
mirror of https://github.com/open-metadata/OpenMetadata.git synced 2026-01-05 12:07:10 +00:00
Code Issues Packages Projects Releases Wiki Activity
OpenMetadata/conf/openmetadata.yaml
sonika-shah e53a98f6c0
Fix socket timeout connection issue in Mysql AUT 2 (#24313) 
* Fix socket timeout connection issue in Mysql AUT 2

* update connect time
2025-11-13 17:28:04 +05:30

609 lines
28 KiB
YAML
Raw Blame History

# Copyright 2021 Collate
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
clusterName: ${OPENMETADATA_CLUSTER_NAME:-openmetadata}
swagger:
resourcePackage: org.openmetadata.service.resources
assets:
resourcePath: /assets/
uriPath: ${BASE_PATH:-/}
basePath: ${BASE_PATH:-/}
server:
applicationContextPath: ${BASE_PATH:-/}
rootPath: ${BASE_PATH:-/}api/*
applicationConnectors:
- type: http
bindHost: ${SERVER_HOST:-0.0.0.0}
port: ${SERVER_PORT:-8585}
# Jetty Acceptor and Selector threads for high concurrency
acceptorThreads: ${SERVER_ACCEPTOR_THREADS:-2} # 1-2 per CPU core
selectorThreads: ${SERVER_SELECTOR_THREADS:-8} # 2-4 per CPU core
# Connection settings - relaxed for Docker/local development
acceptQueueSize: ${SERVER_ACCEPT_QUEUE_SIZE:-256} # OS-level connection backlog
idleTimeout: ${SERVER_IDLE_TIMEOUT:-60 seconds} # Close idle connections (increased from 30s)
# Buffer sizes for better throughput
outputBufferSize: ${SERVER_OUTPUT_BUFFER_SIZE:-32KiB}
inputBufferSize: ${SERVER_INPUT_BUFFER_SIZE:-8KiB}
maxRequestHeaderSize: ${SERVER_MAX_REQUEST_HEADER_SIZE:-8KiB}
maxResponseHeaderSize: ${SERVER_MAX_RESPONSE_HEADER_SIZE:-8KiB}
headerCacheSize: ${SERVER_HEADER_CACHE_SIZE:-512B} # Cache parsed headers (in bytes)
# Performance settings
useServerHeader: false # Don't send server version header
useDateHeader: true
useForwardedHeaders: ${SERVER_USE_FORWARDED_HEADERS:-false} # Enable if behind proxy
# Data rate limits (prevent slow loris attacks)
minRequestDataPerSecond: ${SERVER_MIN_REQUEST_DATA_RATE:-0B} # 0B = disabled
minResponseDataPerSecond: ${SERVER_MIN_RESPONSE_DATA_RATE:-0B} # 0B = disabled
adminConnectors:
- type: http
bindHost: ${SERVER_HOST:-0.0.0.0}
port: ${SERVER_ADMIN_PORT:-8586}
acceptorThreads: 1 # Admin endpoint needs minimal resources
selectorThreads: 1
# Response compression disabled for maximum throughput
gzip:
enabled: false
maxThreads: ${SERVER_MAX_THREADS:-150}
minThreads: ${SERVER_MIN_THREADS:-100}
idleThreadTimeout: ${SERVER_IDLE_THREAD_TIMEOUT:-1 minute}
enableVirtualThreads: ${SERVER_ENABLE_VIRTUAL_THREAD:-false}
maxQueuedRequests: ${SERVER_REQUEST_QUEUE:-1024}
# Request/Response logging (disable in production for performance)
requestLog:
appenders:
- type: console
threshold: ${REQUEST_LOG_LEVEL:-ERROR} # Only log errors by default
# Above configuration for running http is fine for dev and testing.
# For production setup, where UI app will hit apis through DPS it
# is strongly recommended to run https instead. Note that only
# keyStorePath and keyStorePassword are mandatory properties. Values
# for other properties are defaults
#server:
#applicationConnectors:
# - type: https
# port: 8585
# keyStorePath: ./conf/keystore.jks
# keyStorePassword: changeit
# keyStoreType: JKS
# keyStoreProvider:
# trustStorePath: /path/to/file
# trustStorePassword: changeit
# trustStoreType: JKS
# trustStoreProvider:
# keyManagerPassword: changeit
# needClientAuth: false
# wantClientAuth:
# certAlias: <alias>
# crlPath: /path/to/file
# enableCRLDP: false
# enableOCSP: false
# maxCertPathLength: (unlimited)
# ocspResponderUrl: (none)
# jceProvider: (none)
# validateCerts: true
# validatePeers: true
# supportedProtocols: SSLv3
# supportedCipherSuites: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
# allowRenegotiation: true
# endpointIdentificationAlgorithm: (none)
#adminConnectors:
# - type: https
# port: 8586
# keyStorePath: ./conf/keystore.jks
# keyStorePassword: changeit
# keyStoreType: JKS
# keyStoreProvider:
# trustStorePath: /path/to/file
# trustStorePassword: changeit
# trustStoreType: JKS
# trustStoreProvider:
# keyManagerPassword: changeit
# needClientAuth: false
# wantClientAuth:
# certAlias: <alias>
# crlPath: /path/to/file
# enableCRLDP: false
# enableOCSP: false
# maxCertPathLength: (unlimited)
# ocspResponderUrl: (none)
# jceProvider: (none)
# validateCerts: true
# validatePeers: true
# supportedProtocols: SSLv3
# supportedCipherSuites: TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
# allowRenegotiation: true
# endpointIdentificationAlgorithm: (none)
# Logging settings.
# https://logback.qos.ch/manual/layouts.html#conversionWord
logging:
level: ${LOG_LEVEL:-INFO}
loggers:
org.openmetadata.service.util.OpenMetadataSetup:
level: INFO
appenders:
- type: console
logFormat: "%msg%n"
timeZone: UTC
- type: file
logFormat: "%level [%d{ISO8601,UTC}] [%t] %logger{5} - %msg%n"
layout:
type: json
currentLogFilename: ./logs/openmetadata-operations.log
archivedLogFilenamePattern: ./logs/openmetadata-operations-%d{yyyy-MM-dd}-%i.log.gz
archivedFileCount: 7
timeZone: UTC
maxFileSize: 50MB
appenders:
- type: console
threshold: TRACE
logFormat: "%level [%d{ISO8601,UTC}] [%t] %logger{5} - %msg%n"
timeZone: UTC
- type: file
layout:
type: json
appendLineSeparator: true
filterFactories:
- type: audit-exclude-filter-factory
threshold: TRACE
logFormat: "%level [%d{ISO8601,UTC}] [%t] %logger{5} - %msg%n"
currentLogFilename: ./logs/openmetadata.log
archivedLogFilenamePattern: ./logs/openmetadata-%d{yyyy-MM-dd}-%i.log.gz
archivedFileCount: 7
timeZone: UTC
maxFileSize: 50MB
- type: file
layout:
type: json
appendLineSeparator: true
filterFactories:
- type: audit-only-filter-factory
threshold: TRACE
logFormat: "%level [%d{ISO8601,UTC}] [%t] %logger{5} - %msg%n"
currentLogFilename: ./logs/audit.log
archivedLogFilenamePattern: ./logs/audit-%d{yyyy-MM-dd}-%i.log.gz
archivedFileCount: 25
timeZone: UTC
maxFileSize: 50MB
database:
# the name of the JDBC driver, mysql in our case
driverClass: ${DB_DRIVER_CLASS:-com.mysql.cj.jdbc.Driver}
# the username and password
user: ${DB_USER:-openmetadata_user}
password: ${DB_USER_PASSWORD:-openmetadata_password}
# the JDBC URL; the database is called openmetadata_db
url: jdbc:${DB_SCHEME:-mysql}://${DB_HOST:-localhost}:${DB_PORT:-3306}/${OM_DATABASE:-openmetadata_db}?${DB_PARAMS:-allowPublicKeyRetrieval=true&useSSL=false&serverTimezone=UTC}
# HikariCP Connection Pool Settings - Optimized for Performance
maxSize: ${DB_CONNECTION_POOL_MAX_SIZE:-100} # Increased from 50 for better concurrency
minSize: ${DB_CONNECTION_POOL_MIN_SIZE:-20} # Increased from 10 to reduce connection creation overhead
minimumIdle: ${DB_CONNECTION_POOL_MIN_IDLE:-20} # HikariCP specific minimum idle connections
initialSize: ${DB_CONNECTION_POOL_INITIAL_SIZE:-20} # Start with more connections ready
checkConnectionWhileIdle: ${DB_CONNECTION_CHECK_CONNECTION_WHILE_IDLE:-true}
checkConnectionOnBorrow: ${DB_CONNECTION_CHECK_CONNECTION_ON_BORROW:-false} # Disable for performance
evictionInterval: ${DB_CONNECTION_EVICTION_INTERVAL:-5 minutes}
minIdleTime: ${DB_CONNECTION_MIN_IDLE_TIME:-5 minute}
# JDBC Driver Properties - Critical for Performance
# These work across both PostgreSQL and MySQL drivers
properties:
# HikariCP connection pool settings
connectionTimeout: ${DB_CONNECTION_TIMEOUT:-300000} # 300 seconds
idleTimeout: ${DB_IDLE_TIMEOUT:-600000} # 10 minutes
maxLifetime: ${DB_MAX_LIFETIME:-1800000} # 30 minutes
leakDetectionThreshold: ${DB_LEAK_DETECTION_THRESHOLD:-600000} # 10 minute
keepaliveTime: ${DB_KEEPALIVE_TIME:-0} # 0 = disabled (set to 30000 for Aurora)
validationTimeout: ${DB_VALIDATION_TIMEOUT:-300000} # 300 seconds
# PostgreSQL specific - these are ignored by MySQL driver
prepareThreshold: ${DB_PG_PREPARE_THRESHOLD:-1} # Use prepared statements immediately
preparedStatementCacheQueries: ${DB_PG_PREP_STMT_CACHE_QUERIES:-500} # Cache more statements
preparedStatementCacheSizeMiB: ${DB_PG_PREP_STMT_CACHE_SIZE_MB:-10} # Larger cache
reWriteBatchedInserts: ${DB_PG_REWRITE_BATCHED_INSERTS:-true} # Critical for batch performance
defaultRowFetchSize: ${DB_PG_DEFAULT_ROW_FETCH_SIZE:-1000} # Fetch more rows at once
assumeMinServerVersion: ${DB_PG_ASSUME_MIN_SERVER_VERSION:-12} # Skip version checks
ApplicationName: ${DB_PG_APPLICATION_NAME:-OpenMetadata}
loginTimeout: ${DB_PG_LOGIN_TIMEOUT:-300} # Login timeout in seconds
postgresqlConnectTimeout: ${DB_POSTGRESQL_CONNECT_TIMEOUT:-60} # Connection timeout in seconds
postgresqlSocketTimeout: ${DB_POSTGRESQL_SOCKET_TIMEOUT:-30000} # Socket timeout in seconds (0 = infinite)
# Aurora PostgreSQL specific optimizations
loadBalanceHosts: ${DB_PG_LOAD_BALANCE_HOSTS:-false} # Set to true for Aurora reader endpoints
hostRecheckSeconds: ${DB_PG_HOST_RECHECK_SECONDS:-10} # How often to check host status
targetServerType: ${DB_PG_TARGET_SERVER_TYPE:-primary} # primary, secondary, any, preferSecondary
# MySQL specific - these are ignored by PostgreSQL driver
rewriteBatchedStatements: ${DB_MYSQL_REWRITE_BATCHED_STATEMENTS:-true} # Critical for MySQL batch
cachePrepStmts: ${DB_MYSQL_CACHE_PREP_STMTS:-true}
prepStmtCacheSize: ${DB_MYSQL_PREP_STMT_CACHE_SIZE:-500}
prepStmtCacheSqlLimit: ${DB_MYSQL_PREP_STMT_CACHE_SQL_LIMIT:-2048}
useServerPrepStmts: ${DB_MYSQL_USE_SERVER_PREP_STMTS:-true}
useLocalSessionState: ${DB_MYSQL_USE_LOCAL_SESSION_STATE:-true}
useLocalTransactionState: ${DB_MYSQL_USE_LOCAL_TRANSACTION_STATE:-true}
elideSetAutoCommits: ${DB_MYSQL_ELIDE_SET_AUTO_COMMITS:-true}
maintainTimeStats: ${DB_MYSQL_MAINTAIN_TIME_STATS:-false}
cacheResultSetMetadata: ${DB_MYSQL_CACHE_RESULT_SET_METADATA:-true}
cacheServerConfiguration: ${DB_MYSQL_CACHE_SERVER_CONFIG:-true}
tcpKeepAlive: ${DB_MYSQL_TCP_KEEP_ALIVE:-true}
tcpNoDelay: ${DB_MYSQL_TCP_NO_DELAY:-true}
mysqlConnectTimeout: ${DB_MYSQL_CONNECT_TIMEOUT:-60000} # Connection timeout in milliseconds
mysqlSocketTimeout: ${DB_MYSQL_SOCKET_TIMEOUT:-30000000} # Socket timeout in milliseconds (0 = infinite)
objectStorage:
enabled: false
provider: NOOP
maxFileSize: 5242880
migrationConfiguration:
flywayPath: "./bootstrap/sql/migrations/flyway"
nativePath: "./bootstrap/sql/migrations/native"
extensionPath: ""
# Authorizer Configuration
authorizerConfiguration:
className: ${AUTHORIZER_CLASS_NAME:-org.openmetadata.service.security.DefaultAuthorizer}
containerRequestFilter: ${AUTHORIZER_REQUEST_FILTER:-org.openmetadata.service.security.JwtFilter}
adminPrincipals: ${AUTHORIZER_ADMIN_PRINCIPALS:-[admin]}
allowedEmailRegistrationDomains: ${AUTHORIZER_ALLOWED_REGISTRATION_DOMAIN:-["all"]}
principalDomain: ${AUTHORIZER_PRINCIPAL_DOMAIN:-"open-metadata.org"}
allowedDomains: ${AUTHORIZER_ALLOWED_DOMAINS:-[]}
enforcePrincipalDomain: ${AUTHORIZER_ENFORCE_PRINCIPAL_DOMAIN:-false}
enableSecureSocketConnection : ${AUTHORIZER_ENABLE_SECURE_SOCKET:-false}
useRolesFromProvider: ${AUTHORIZER_USE_ROLES_FROM_PROVIDER:-false}
authenticationConfiguration:
clientType: ${AUTHENTICATION_CLIENT_TYPE:-public}
provider: ${AUTHENTICATION_PROVIDER:-basic}
# This is used by auth provider provide response as either id_token or code
responseType: ${AUTHENTICATION_RESPONSE_TYPE:-id_token}
# This will only be valid when provider type specified is customOidc
providerName: ${CUSTOM_OIDC_AUTHENTICATION_PROVIDER_NAME:-""}
publicKeyUrls: ${AUTHENTICATION_PUBLIC_KEYS:-[http://localhost:8585/api/v1/system/config/jwks]}
tokenValidationAlgorithm: ${AUTHENTICATION_TOKEN_VALIDATION_ALGORITHM:-"RS256"}
authority: ${AUTHENTICATION_AUTHORITY:-https://accounts.google.com}
clientId: ${AUTHENTICATION_CLIENT_ID:-""}
callbackUrl: ${AUTHENTICATION_CALLBACK_URL:-""}
jwtPrincipalClaims: ${AUTHENTICATION_JWT_PRINCIPAL_CLAIMS:-[email,preferred_username,sub]}
jwtPrincipalClaimsMapping: ${AUTHENTICATION_JWT_PRINCIPAL_CLAIMS_MAPPING:-[]}
enableSelfSignup : ${AUTHENTICATION_ENABLE_SELF_SIGNUP:-true}
# Force secure flag on session cookies even when not using HTTPS directly.
# Enable this when running behind a proxy/load balancer that handles SSL termination.
# Default: false (secure flag only set when HTTPS is detected)
forceSecureSessionCookie: ${FORCE_SECURE_SESSION_COOKIE:-true}
oidcConfiguration:
id: ${OIDC_CLIENT_ID:-""}
type: ${OIDC_TYPE:-""} # google, azure etc.
secret: ${OIDC_CLIENT_SECRET:-""}
scope: ${OIDC_SCOPE:-"openid email profile"}
discoveryUri: ${OIDC_DISCOVERY_URI:-""}
useNonce: ${OIDC_USE_NONCE:-true}
preferredJwsAlgorithm: ${OIDC_PREFERRED_JWS:-"RS256"}
responseType: ${OIDC_RESPONSE_TYPE:-"code"}
disablePkce: ${OIDC_DISABLE_PKCE:-true}
callbackUrl: ${OIDC_CALLBACK:-"http://localhost:8585/callback"}
serverUrl: ${OIDC_SERVER_URL:-"http://localhost:8585"}
clientAuthenticationMethod: ${OIDC_CLIENT_AUTH_METHOD:-"client_secret_post"}
tenant: ${OIDC_TENANT:-""}
maxClockSkew: ${OIDC_MAX_CLOCK_SKEW:-""}
tokenValidity: ${OIDC_OM_REFRESH_TOKEN_VALIDITY:-"3600"} # in seconds
customParams: ${OIDC_CUSTOM_PARAMS:-}
maxAge: ${OIDC_MAX_AGE:-"0"}
prompt: ${OIDC_PROMPT_TYPE:-"consent"}
sessionExpiry: ${OIDC_SESSION_EXPIRY:-"604800"} #7 days
samlConfiguration:
debugMode: ${SAML_DEBUG_MODE:-false}
idp:
entityId: ${SAML_IDP_ENTITY_ID:-""}
ssoLoginUrl: ${SAML_IDP_SSO_LOGIN_URL:-""}
idpX509Certificate: ${SAML_IDP_CERTIFICATE:-""}
authorityUrl: ${SAML_AUTHORITY_URL:-"http://localhost:8585/api/v1/saml/login"}
nameId: ${SAML_IDP_NAME_ID:-"urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress"}
sp:
entityId: ${SAML_SP_ENTITY_ID:-"http://localhost:8585/api/v1/saml/metadata"}
acs: ${SAML_SP_ACS:-"http://localhost:8585/api/v1/saml/acs"}
spX509Certificate: ${SAML_SP_CERTIFICATE:-""}
spPrivateKey: ${SAML_SP_PRIVATE_KEY:-""}
callback: ${SAML_SP_CALLBACK:-"http://localhost:8585/saml/callback"}
security:
strictMode: ${SAML_STRICT_MODE:-false}
validateXml: ${SAML_VALIDATE_XML:-false}
tokenValidity: ${SAML_SP_TOKEN_VALIDITY:-"3600"}
sendEncryptedNameId: ${SAML_SEND_ENCRYPTED_NAME_ID:-false}
sendSignedAuthRequest: ${SAML_SEND_SIGNED_AUTH_REQUEST:-false}
signSpMetadata: ${SAML_SIGNED_SP_METADATA:-false}
wantMessagesSigned: ${SAML_WANT_MESSAGE_SIGNED:-false}
wantAssertionsSigned: ${SAML_WANT_ASSERTION_SIGNED:-false}
wantAssertionEncrypted: ${SAML_WANT_ASSERTION_ENCRYPTED:-false}
keyStoreFilePath: ${SAML_KEYSTORE_FILE_PATH:-""}
keyStoreAlias: ${SAML_KEYSTORE_ALIAS:-""}
keyStorePassword: ${SAML_KEYSTORE_PASSWORD:-""}
ldapConfiguration:
host: ${AUTHENTICATION_LDAP_HOST:-}
port: ${AUTHENTICATION_LDAP_PORT:-}
dnAdminPrincipal: ${AUTHENTICATION_LOOKUP_ADMIN_DN:-""}
dnAdminPassword: ${AUTHENTICATION_LOOKUP_ADMIN_PWD:-""}
userBaseDN: ${AUTHENTICATION_USER_LOOKUP_BASEDN:-""}
groupBaseDN: ${AUTHENTICATION_GROUP_LOOKUP_BASEDN:-""}
roleAdminName: ${AUTHENTICATION_USER_ROLE_ADMIN_NAME:-}
allAttributeName: ${AUTHENTICATION_USER_ALL_ATTR:-}
mailAttributeName: ${AUTHENTICATION_USER_MAIL_ATTR:-}
usernameAttributeName: ${AUTHENTICATION_USER_NAME_ATTR:-}
groupAttributeName: ${AUTHENTICATION_USER_GROUP_ATTR:-}
groupAttributeValue: ${AUTHENTICATION_USER_GROUP_ATTR_VALUE:-}
groupMemberAttributeName: ${AUTHENTICATION_USER_GROUP_MEMBER_ATTR:-}
#the mapping of roles to LDAP groups
authRolesMapping: ${AUTH_ROLES_MAPPING:-""}
authReassignRoles: ${AUTH_REASSIGN_ROLES:-[]}
#optional
maxPoolSize: ${AUTHENTICATION_LDAP_POOL_SIZE:-3}
sslEnabled: ${AUTHENTICATION_LDAP_SSL_ENABLED:-}
truststoreConfigType: ${AUTHENTICATION_LDAP_TRUSTSTORE_TYPE:-TrustAll}
trustStoreConfig:
customTrustManagerConfig:
trustStoreFilePath: ${AUTHENTICATION_LDAP_TRUSTSTORE_PATH:-}
trustStoreFilePassword: ${AUTHENTICATION_LDAP_KEYSTORE_PASSWORD:-}
trustStoreFileFormat: ${AUTHENTICATION_LDAP_SSL_KEY_FORMAT:-}
verifyHostname: ${AUTHENTICATION_LDAP_SSL_VERIFY_CERT_HOST:-}
examineValidityDates: ${AUTHENTICATION_LDAP_EXAMINE_VALIDITY_DATES:-}
hostNameConfig:
allowWildCards: ${AUTHENTICATION_LDAP_ALLOW_WILDCARDS:-}
acceptableHostNames: ${AUTHENTICATION_LDAP_ALLOWED_HOSTNAMES:-[]}
jvmDefaultConfig:
verifyHostname: ${AUTHENTICATION_LDAP_SSL_VERIFY_CERT_HOST:-}
trustAllConfig:
examineValidityDates: ${AUTHENTICATION_LDAP_EXAMINE_VALIDITY_DATES:-true}
jwtTokenConfiguration:
rsapublicKeyFilePath: ${RSA_PUBLIC_KEY_FILE_PATH:-"./conf/public_key.der"}
rsaprivateKeyFilePath: ${RSA_PRIVATE_KEY_FILE_PATH:-"./conf/private_key.der"}
jwtissuer: ${JWT_ISSUER:-"open-metadata.org"}
keyId: ${JWT_KEY_ID:-"Gb389a-9f76-gdjs-a92j-0242bk94356"}
elasticsearch:
searchType: ${SEARCH_TYPE:- "elasticsearch"}
host: ${ELASTICSEARCH_HOST:-localhost}
port: ${ELASTICSEARCH_PORT:-9200}
scheme: ${ELASTICSEARCH_SCHEME:-http}
username: ${ELASTICSEARCH_USER:-""}
password: ${ELASTICSEARCH_PASSWORD:-""}
clusterAlias: ${ELASTICSEARCH_CLUSTER_ALIAS:-""}
truststorePath: ${ELASTICSEARCH_TRUST_STORE_PATH:-""}
truststorePassword: ${ELASTICSEARCH_TRUST_STORE_PASSWORD:-""}
connectionTimeoutSecs: ${ELASTICSEARCH_CONNECTION_TIMEOUT_SECS:-10} # Increased from 5s for Docker networks
socketTimeoutSecs: ${ELASTICSEARCH_SOCKET_TIMEOUT_SECS:-120} # Increased from 60s for slow queries
keepAliveTimeoutSecs: ${ELASTICSEARCH_KEEP_ALIVE_TIMEOUT_SECS:-600}
# Connection pool settings for better load balancing and performance
maxConnTotal: ${ELASTICSEARCH_MAX_CONN_TOTAL:-30} # Total connections across all hosts
maxConnPerRoute: ${ELASTICSEARCH_MAX_CONN_PER_ROUTE:-10} # Max connections per host
batchSize: ${ELASTICSEARCH_BATCH_SIZE:-100}
payLoadSize: ${ELASTICSEARCH_PAYLOAD_BYTES_SIZE:-10485760}
searchIndexMappingLanguage : ${ELASTICSEARCH_INDEX_MAPPING_LANG:-EN}
searchIndexFactoryClassName : org.openmetadata.service.search.SearchIndexFactory
naturalLanguageSearch:
enabled: false
embeddingProvider: ${EMBEDDING_PROVIDER:-bedrock}
providerClass: ${NATURAL_LANGUAGE_SEARCH_PROVIDER_CLASS:-org.openmetadata.service.search.nlq.NoOpNLQService}
bedrock:
region: ${AWS_BEDROCK_REGION:-""}
modelId: ${AWS_BEDROCK_MODEL_ID:-""}
embeddingModelId: ${AWS_BEDROCK_EMBED_MODEL_ID:-""}
embeddingDimension: ${AWS_BEDROCK_EMBEDDING_DIMENSION:-""}
accessKey: ${AWS_BEDROCK_ACCESS_KEY:-""}
secretKey: ${AWS_BEDROCK_SECRET_KEY:-""}
useIamRole: ${AWS_BEDROCK_USE_IAM:-"false"}
eventMonitoringConfiguration:
eventMonitor: ${EVENT_MONITOR:-prometheus} # Possible values are "prometheus", "cloudwatch"
batchSize: ${EVENT_MONITOR_BATCH_SIZE:-10}
pathPattern: ${EVENT_MONITOR_PATH_PATTERN:-["/api/v1/tables/*", "/api/v1/health-check"]}
latency: ${EVENT_MONITOR_LATENCY:-[0.99, 0.90]} # For value p99=0.99, p90=0.90, p50=0.50 etc.
servicesHealthCheckInterval: ${EVENT_MONITOR_SERVICES_HEALTH_CHECK_INTERVAL:-300}
# it will use the default auth provider for AWS services if parameters are not set
# parameters:
# region: ${OM_MONITOR_REGION:-""}
# accessKeyId: ${OM_MONITOR_ACCESS_KEY_ID:-""}
# secretAccessKey: ${OM_MONITOR_ACCESS_KEY:-""}
eventHandlerConfiguration:
eventHandlerClassNames:
- "org.openmetadata.service.events.AuditEventHandler"
- "org.openmetadata.service.events.ChangeEventHandler"
pipelineServiceClientConfiguration:
enabled: ${PIPELINE_SERVICE_CLIENT_ENABLED:-true}
# If we don't need this, set "org.openmetadata.service.clients.pipeline.noop.NoopClient"
className: ${PIPELINE_SERVICE_CLIENT_CLASS_NAME:-"org.openmetadata.service.clients.pipeline.airflow.AirflowRESTClient"}
apiEndpoint: ${PIPELINE_SERVICE_CLIENT_ENDPOINT:-http://localhost:8080}
metadataApiEndpoint: ${SERVER_HOST_API_URL:-http://localhost:8585/api}
ingestionIpInfoEnabled: ${PIPELINE_SERVICE_IP_INFO_ENABLED:-false}
hostIp: ${PIPELINE_SERVICE_CLIENT_HOST_IP:-""}
healthCheckInterval: ${PIPELINE_SERVICE_CLIENT_HEALTH_CHECK_INTERVAL:-300}
# This SSL information is about the OpenMetadata server.
# It will be picked up from the pipelineServiceClient to use/ignore SSL when connecting to the OpenMetadata server.
verifySSL: ${PIPELINE_SERVICE_CLIENT_VERIFY_SSL:-"no-ssl"} # Possible values are "no-ssl", "ignore", "validate"
sslConfig:
certificatePath: ${PIPELINE_SERVICE_CLIENT_SSL_CERT_PATH:-""} # Local path for the Pipeline Service Client
logStorageConfiguration:
type: ${PIPELINE_SERVICE_CLIENT_LOG_TYPE:-"default"} # Possible values are "default", "s3"
enabled: ${PIPELINE_SERVICE_CLIENT_LOG_ENABLED:-false} # Enable it for pipelines deployed in the server
# if type is s3, provide the following configuration
bucketName: ${PIPELINE_SERVICE_CLIENT_LOG_BUCKET_NAME:-""}
# optional path within the bucket to store the logs
prefix: ${PIPELINE_SERVICE_CLIENT_LOG_PREFIX:-""}
enableServerSideEncryption: ${PIPELINE_SERVICE_CLIENT_LOG_SSE_ENABLED:-false}
sseAlgorithm: ${PIPELINE_SERVICE_CLIENT_LOG_SSE_ALGORITHM:-"AES256"} # Allowed values: "AES256" or "aws:kms"
kmsKeyId: ${PIPELINE_SERVICE_CLIENT_LOG_KMS_KEY_ID:-""} # Required only if sseAlgorithm is "aws:kms"
awsConfig:
awsAccessKeyId: ${PIPELINE_SERVICE_CLIENT_LOG_AWS_ACCESS_KEY_ID:-""}
awsSecretAccessKey: ${PIPELINE_SERVICE_CLIENT_LOG_AWS_SECRET_ACCESS_KEY:-""}
awsRegion: ${PIPELINE_SERVICE_CLIENT_LOG_REGION:-""}
awsSessionToken: ${PIPELINE_SERVICE_CLIENT_LOG_AWS_SESSION_TOKEN:-""}
endPointURL: ${PIPELINE_SERVICE_CLIENT_LOG_AWS_ENDPOINT_URL:-""} # port forward localhost:9000 for minio
# Secrets Manager Loader: specify to the Ingestion Framework how to load the SM credentials from its env
# Supported: noop, airflow, env
secretsManagerLoader: ${PIPELINE_SERVICE_CLIENT_SECRETS_MANAGER_LOADER:-"noop"}
# Default required parameters for Airflow as Pipeline Service Client
parameters:
username: ${AIRFLOW_USERNAME:-admin}
password: ${AIRFLOW_PASSWORD:-admin}
timeout: ${AIRFLOW_TIMEOUT:-10}
# If we need to use SSL to reach Airflow
truststorePath: ${AIRFLOW_TRUST_STORE_PATH:-""}
truststorePassword: ${AIRFLOW_TRUST_STORE_PASSWORD:-""}
# no_encryption_at_rest is the default value, and it does what it says. Please read the manual on how
# to secure your instance of OpenMetadata with TLS and encryption at rest.
fernetConfiguration:
fernetKey: ${FERNET_KEY:-jJ/9sz0g0OHxsfxOoSfdFdmk3ysNmPRnH3TUAbz3IHA=}
secretsManagerConfiguration:
secretsManager: ${SECRET_MANAGER:-db} # Possible values are "db", "managed-aws","aws", "managed-aws-ssm", "aws-ssm", "managed-azure-kv", "azure-kv", "in-memory", "gcp", "kubernetes"
prefix: ${SECRET_MANAGER_PREFIX:-""} # Define the secret key ID as /<prefix>/<clusterName>/<key>
tags: ${SECRET_MANAGER_TAGS:-[]} # Add tags to the created resource. Format is `[key1:value1,key2:value2,...]`
# it will use the default auth provider for the secrets' manager service if parameters are not set
parameters:
## For AWS
region: ${OM_SM_REGION:-""}
accessKeyId: ${OM_SM_ACCESS_KEY_ID:-""}
secretAccessKey: ${OM_SM_ACCESS_KEY:-""}
## For Azure Key Vault
clientId: ${OM_SM_CLIENT_ID:-""}
clientSecret: ${OM_SM_CLIENT_SECRET:-""}
tenantId: ${OM_SM_TENANT_ID:-""}
vaultName: ${OM_SM_VAULT_NAME:-""}
## For GCP
projectId: ${OM_SM_PROJECT_ID:-""}
## For Kubernetes
namespace: ${OM_SM_NAMESPACE:-"default"}
kubeconfigPath: ${OM_SM_KUBECONFIG_PATH:-""}
inCluster: ${OM_SM_IN_CLUSTER:-"false"}
health:
delayedShutdownHandlerEnabled: true
shutdownWaitPeriod: 1s
healthChecks:
- name: OpenMetadataServerHealthCheck
critical: true
schedule:
checkInterval: 2500ms
downtimeInterval: 10s
failureAttempts: 2
successAttempts: 1
limits:
enable: ${LIMITS_ENABLED:-false}
className: ${LIMITS_CLASS_NAME:-"org.openmetadata.service.limits.DefaultLimits"}
limitsConfigFile: ${LIMITS_CONFIG_FILE:-""}
web:
uriPath: ${WEB_CONF_URI_PATH:-"/api"}
hsts:
enabled: ${WEB_CONF_HSTS_ENABLED:-false}
maxAge: ${WEB_CONF_HSTS_MAX_AGE:-"365 days"}
includeSubDomains: ${WEB_CONF_HSTS_INCLUDE_SUBDOMAINS:-"true"}
preload: ${WEB_CONF_HSTS_PRELOAD:-"true"}
frame-options:
enabled: ${WEB_CONF_FRAME_OPTION_ENABLED:-false}
option: ${WEB_CONF_FRAME_OPTION:-"SAMEORIGIN"}
origin: ${WEB_CONF_FRAME_ORIGIN:-""}
content-type-options:
enabled: ${WEB_CONF_CONTENT_TYPE_OPTIONS_ENABLED:-false}
xss-protection:
enabled: ${WEB_CONF_XSS_PROTECTION_ENABLED:-false}
on: ${WEB_CONF_XSS_PROTECTION_ON:-true}
block: ${WEB_CONF_XSS_PROTECTION_BLOCK:-true}
csp:
enabled: ${WEB_CONF_XSS_CSP_ENABLED:-false}
policy: ${WEB_CONF_XSS_CSP_POLICY:-"default-src 'self'"}
reportOnlyPolicy: ${WEB_CONF_XSS_CSP_REPORT_ONLY_POLICY:-""}
referrer-policy:
enabled: ${WEB_CONF_REFERRER_POLICY_ENABLED:-false}
option: ${WEB_CONF_REFERRER_POLICY_OPTION:-"SAME_ORIGIN"}
permission-policy:
enabled: ${WEB_CONF_PERMISSION_POLICY_ENABLED:-false}
option: ${WEB_CONF_PERMISSION_POLICY_OPTION:-""}
cache-control: ${WEB_CONF_CACHE_CONTROL:-""}
pragma: ${WEB_CONF_PRAGMA:-""}
operationalConfig:
enable: ${OPERATIONAL_CONFIG_ENABLED:-true}
operationsConfigFile: ${OPERATIONAL_CONFIG_FILE:-"./conf/operations.yaml"}
rdf:
enabled: ${RDF_ENABLED:-false}
baseUri: ${RDF_BASE_URI:-"https://open-metadata.org/"}
storageType: ${RDF_STORAGE_TYPE:-"FUSEKI"}
remoteEndpoint: ${RDF_ENDPOINT:-"http://localhost:3030/openmetadata"}
username: ${RDF_REMOTE_USERNAME:-"admin"}
password: ${RDF_REMOTE_PASSWORD:-"admin"}
dataset: ${RDF_DATASET:-"openmetadata"}
# Cache Configuration
# Caching layer for entity metadata, relationships, and tag usage to reduce database load
# Default: Disabled (uses NoopCacheProvider)
cache:
# Cache provider: none (default) or redis
provider: ${CACHE_PROVIDER:-none}
# TTL (Time To Live) settings in seconds
entityTtlSeconds: ${CACHE_ENTITY_TTL:-172800} # 48 hour for entities
relationshipTtlSeconds: ${CACHE_RELATIONSHIP_TTL:-172800} # 48 hour for relationships
tagTtlSeconds: ${CACHE_TAG_TTL:-172800} # 48 hour for tags
# Redis configuration
redis:
# Redis connection URL
# Standalone: redis://localhost:6379
# AWS ElastiCache: redis://my-cluster.abc123.cache.amazonaws.com:6379
url: ${CACHE_REDIS_URL:-redis://localhost:6379}
authType: ${CACHE_REDIS_AUTH_TYPE:-NONE}
database: ${CACHE_REDIS_DATABASE:-0} # Redis database index (0-15)
# Authentication for standalone Redis
username: ${CACHE_REDIS_USERNAME:-}
passwordRef: ${CACHE_REDIS_PASSWORD:-} # Reference to password in secrets manager
useSSL: ${CACHE_REDIS_USE_SSL:-false}
# Key namespace prefix (useful for multi-tenant deployments)
keyspace: ${CACHE_REDIS_KEYSPACE:-"om:prod"}
# Connection pool settings
poolSize: ${CACHE_REDIS_POOL_SIZE:-64}
connectTimeoutMs: ${CACHE_REDIS_CONNECT_TIMEOUT:-2000}
# AWS ElastiCache IAM Authentication (only if using ElastiCache)
useIamAuth: ${CACHE_REDIS_USE_IAM:-false}
awsRegion: ${CACHE_REDIS_AWS_REGION:-}
awsUseInstanceProfile: ${CACHE_REDIS_AWS_INSTANCE_PROFILE:-true}
# If not using instance profile, provide credentials:
awsAccessKey: ${AWS_ACCESS_KEY_ID:-}
awsSecretKey: ${AWS_SECRET_ACCESS_KEY:-}
tokenRefreshIntervalSeconds: ${CACHE_REDIS_TOKEN_REFRESH:-900} # 15 minutes
Reference in New Issue View Git Blame Copy Permalink