3. Configuration

This chapter is a reference to all app settings of the Guardian, divided by component. These settings can be configured either via the univention-app command line interface or the Univention App Center dialog for app settings.

For example, to change the log level for the Management API, use the following command:

univention-app configure guardian-management-api --set \
   "guardian-management-api/logging/level=ERROR"

If any of the settings are changed, the application is restarted automatically.

3.1. Guardian Management API

3.1.1. General

Figure: The General settings category of the Management API in the Univention App Center

guardian-management-api/base_url

Defines the base URL of the API. If unset, the URL is generated from the hostname and domain name of the server the API is installed on. You must not specify the protocol here, as it is set in guardian-management-api/protocol.

guardian-management-api/protocol

Defines the protocol of the API. Can be either http or https. Default is https.

3.1.2. Logging

Figure: The logging settings category of the Management API in the Univention App Center

guardian-management-api/logging/structured

Can be either True or False. If set to True, the logging output of the Management API is structured as JSON data.

guardian-management-api/logging/level

Sets the log level of the application. It can be one of DEBUG, INFO, WARNING, ERROR, CRITICAL.

guardian-management-api/logging/format

This setting defines the format of the log output if guardian-management-api/logging/structured is set to False. The documentation for configuring the log format can be found here.

3.1.3. CORS

Figure: The CORS settings category of the Management API in the Univention App Center

guardian-management-api/cors/allowed-origins

Comma-separated list of hosts that are allowed to make cross-origin resource sharing (CORS) requests to the server. At a minimum, this must include the host of the Management UI, if installed on a different server.

3.1.4. Authentication

Figure: The authentication settings category of the Management API in the Univention App Center

guardian-management-api/oauth/keycloak-uri

Base URI of the Keycloak server for authentication. If unset, the application tries to derive the Keycloak URI from the UCR variable keycloak/server/sso/fqdn or falls back to the domain name of the host the application is installed on.

guardian-management-api/oauth/keycloak-cli-client-secret

Keycloak client secret.

3.1.5. Authorization

Figure: The authorization settings category of the Management API in the Univention App Center

guardian-management-api/authorization_api_url

URL to the Authorization API. If not set, the URL is generated from hostname and domain name of the server the application is installed on.

3.2. Guardian Authorization API

guardian-authorization-api/bundle_server_url

URL to the Management API from which to fetch the policy data for decision making. If not set, the URL is generated from hostname and domain name of the server the application is installed on.

3.2.1. Logging

guardian-authorization-api/logging/structured

Can be either True or False. If set to True, the logging output of the Authorization API is structured as JSON data.

guardian-authorization-api/logging/level

Sets the log level of the application. It can be one of DEBUG, INFO, WARNING, ERROR, CRITICAL.

guardian-authorization-api/logging/format

This setting defines the format of the log output if guardian-authorization-api/logging/structured is set to False. The documentation for configuring the log format can be found here.

3.2.2. CORS

guardian-authorization-api/cors/allowed-origins

Comma-separated list of hosts that are allowed to make cross-origin resource sharing (CORS) requests to the server. You may need to add third-party apps to this list, if they need to use the Guardian.

3.2.3. UDM

guardian-authorization-api/udm_data/url

The URL of the UDM REST API for data queries.

guardian-authorization-api/udm_data/username

Username for authentication against the UDM REST API.

guardian-authorization-api/udm_data/password

Password for authentication against the UDM REST API.

3.2.4. Authentication

guardian-authorization-api/oauth/keycloak-uri

Base URI of the Keycloak server for authentication. If unset, the application tries to derive the Keycloak URI from the UCR variable keycloak/server/sso/fqdn or falls back to the domain name of the host the application is installed on.

3.3. Guardian Management UI

guardian-management-ui/management-api-url

URL for the Guardian Management API. If not set, the URL is generated from hostname and domain name.

3.3.1. Authentication

guardian-management-ui/oauth/keycloak-uri

Base URI of the Keycloak server for authentication. If unset, the application tries to derive the Keycloak URI from the UCR variable keycloak/server/sso/fqdn or falls back to the domain name of the host the application is installed on.
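
The value constraints stated in this chapter (protocol is http or https, base_url carries no protocol, the five log levels, True or False for structured logging) can be checked before a change is applied. The following is an added example, not part of the Guardian documentation or code; the key=value input format, the function names, the sample values and the wildcard check on allowed-origins are assumptions of this example.

```shell
# Added example: lint Guardian settings against the constraints in this chapter.
# Assumption: settings arrive as key=value lines on stdin.
lint_guardian_settings() {
    # Prints one finding per violation; returns 1 if anything was reported.
    rc=0
    while IFS='=' read -r key value || [ -n "$key" ]; do
        case "$key" in
            */protocol)
                case "$value" in
                    https) ;;
                    http) echo "WARN $key: plain http (default is https)"; rc=1 ;;
                    *) echo "FAIL $key: must be http or https"; rc=1 ;;
                esac ;;
            */base_url)
                case "$value" in
                    *://*) echo "FAIL $key: must not include a protocol"; rc=1 ;;
                esac ;;
            */logging/level)
                case "$value" in
                    DEBUG|INFO|WARNING|ERROR|CRITICAL) ;;
                    *) echo "FAIL $key: unknown level '$value'"; rc=1 ;;
                esac ;;
            */logging/structured)
                case "$value" in
                    True|False) ;;
                    *) echo "FAIL $key: expected True or False"; rc=1 ;;
                esac ;;
            */cors/allowed-origins)
                # Hardening check added here, not a rule stated by the docs.
                case ",$value," in
                    *,\*,*) echo "WARN $key: wildcard entry in list"; rc=1 ;;
                esac ;;
        esac
    done
    return "$rc"
}

sample_settings() {   # constructed sample values, not from a real system
cat <<'EOF'
guardian-management-api/protocol=http
guardian-management-api/base_url=https://ucs.example.test
guardian-management-api/logging/level=ERROR
guardian-management-api/logging/structured=true
guardian-authorization-api/logging/level=TRACE
guardian-authorization-api/cors/allowed-origins=ui.example.test,*
EOF
}

sample_settings | lint_guardian_settings || true
```

Keys the function does not recognise are passed over without a finding, so it can be fed a full settings dump.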