4. Configuration

This section is a reference for all app settings of the Guardian organized by component. Guardian administrators can configure the settings using either the univention-app command or the app settings dialog in the App Center UMC module.

The App Center automatically restarts the application after changing any setting.

For example, to change the log level for the Management API, use the following command:

Listing 4.1 Example: Change log level for Management API
$ univention-app \
   configure guardian-management-api \
   --set "guardian-management-api/logging/level=ERROR"

The following sections describe the configuration settings for each Guardian component.

4.1. Management API

This section describes the configuration settings for the Management API.

4.1.1. General

Fig. 4.1 shows the General settings category of the Management API in the App Center. The available configuration settings and their description follow.

Fig. 4.1 The General settings category of the Management API in the App Center

guardian-management-api/base_url

Defines the base URL of the API. If the value is unset, the Management API generates the URL from the hostname and domain name of the UCS system where you installed it. You mustn’t specify the protocol in this value. The setting guardian-management-api/protocol sets the protocol separately.

guardian-management-api/protocol

Defines the protocol of the Management API. It can have the value http or https. The default value is https.

4.1.2. Logging

Fig. 4.2 shows the Logging settings category of the Management API in the App Center. The available configuration settings and their description follow.

Fig. 4.2 The Logging settings category of the Management API in the Univention App Center

guardian-management-api/logging/structured

Defines if the logging output of the Management API uses structured JSON data. The value can either be True or False. The default value is False. Set the value to True for structured JSON data.

guardian-management-api/logging/level

Defines the logging level of the Management API application. The value can be DEBUG, INFO, WARNING, ERROR, CRITICAL. The default value is INFO.

guardian-management-api/logging/format

This setting defines the format of the logging output, if guardian-management-api/logging/structured has the value False. For the logging output format, see the section "The time formatting" in the loguru documentation.

4.1.3. Cross-origin resource sharing (CORS)

Fig. 4.3 shows the CORS settings category of the Management API in the App Center. The available configuration settings and their description follow.

Fig. 4.3 The CORS settings category of the Management API in the Univention App Center

guardian-management-api/cors/allowed-origins

Defines a comma-separated list of hosts that the Management API allows to make cross-origin resource sharing (CORS) requests to the server. At a minimum, the setting must include the UCS system where you installed the Management UI, if installed on a different system.
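The value constraints documented above for the General, Logging and CORS settings can be checked before a change is applied. The following script is an added example, not part of the Guardian or its documentation; the function names, the host names and the policy of rejecting http and `*` are assumptions of the example.

```shell
# Added example: sample values are constructed. Rejecting http and "*" is a
# local hardening policy of this script, not a rule the Guardian enforces.
check_setting() {  # usage: check_setting KEY VALUE; returns 1 on a finding
    key=$1; value=$2; p=guardian-management-api
    case "$key" in
        "$p/protocol")
            [ "$value" = https ] && return 0
            echo "$key: '$value' is not https"; return 1 ;;
        "$p/base_url")
            case "$value" in *://*)
                echo "$key: must not contain the protocol"; return 1 ;;
            esac ;;
        "$p/logging/level")
            case "$value" in DEBUG|INFO|WARNING|ERROR|CRITICAL) ;; *)
                echo "$key: unknown level '$value'"; return 1 ;;
            esac ;;
        "$p/logging/structured")
            case "$value" in True|False) ;; *)
                echo "$key: must be True or False"; return 1 ;;
            esac ;;
        "$p/cors/allowed-origins")
            rc=0; old_ifs=$IFS; IFS=,; set -f   # split on commas, no globbing
            for origin in $value; do
                origin=$(printf '%s' "$origin" | tr -d ' ')
                case "$origin" in ''|*\**)
                    echo "$key: empty or wildcard entry"; rc=1 ;;
                esac
            done
            set +f; IFS=$old_ifs; return $rc ;;
    esac
    return 0
}

# Validate KEY=VALUE pairs; print one configure command each only if all pass.
check_settings() {
    bad=0
    for kv in "$@"; do
        check_setting "${kv%%=*}" "${kv#*=}" >&2 || bad=1
    done
    [ "$bad" -eq 0 ] || return 1
    for kv in "$@"; do
        printf 'univention-app configure guardian-management-api --set "%s"\n' "$kv"
    done
}

# Constructed sample: the protocol and CORS values are reported as findings.
check_settings "guardian-management-api/base_url=ucs.example.test" \
    "guardian-management-api/protocol=http" \
    "guardian-management-api/cors/allowed-origins=ui.example.test,*" || true
```

Findings go to standard error, so standard output contains only the commands in the form of Listing 4.1 and stays empty when any value is rejected.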

4.1.4. Authentication

Fig. 4.4 shows the Authentication settings category of the Management API in the App Center. The available configuration settings and their description follow.

Fig. 4.4 The Authentication settings category of the Management API in the Univention App Center

guardian-management-api/oauth/keycloak-uri

Defines the base URI of the Keycloak server for authentication. If unset, the application tries to derive the Keycloak URI from the UCR variable keycloak/server/sso/fqdn or falls back to the domain name of the UCS system where you installed the application.

4.1.5. Authorization

Fig. 4.5 shows the Authorization settings category of the Management API in the App Center. The available configuration settings and their description follow.

Fig. 4.5 The Authorization settings category of the Management API in the Univention App Center

guardian-management-api/authorization_api_url

Defines the URL to the Authorization API. If not set, the Management API generates the URL from hostname and domain name of the UCS system where you installed the application.

4.1.6. Other configuration options

Changing the Keycloak client secret

The Keycloak client secret that the Management API needs for accessing Keycloak can be changed by modifying /var/lib/univention-appcenter/apps/guardian-management-api/conf/m2m.secret. Afterwards, run univention-app configure guardian-authorization-api and univention-app restart guardian-authorization-api to activate the secret.

4.2. Authorization API

This section describes the configuration settings for the Authorization API.

Fig. 4.6 shows the settings category of the Authorization API in the App Center. The available configuration settings and their description follow.

Fig. 4.6 The Authorization settings category of the Authorization API in the Univention App Center

guardian-authorization-api/bundle_server_url

Defines the URL to the Management API from which the Authorization API fetches the policy data for decision making. If not set, the Authorization API generates the URL from hostname and domain name of the UCS system where you installed the application.

4.2.1. Logging

Fig. 4.7 shows the Logging settings category of the Authorization API in the App Center. The available configuration settings and their description follow.

Fig. 4.7 The Logging settings category of the Authorization API in the Univention App Center

guardian-authorization-api/logging/structured

Defines if the logging output of the Authorization API uses structured JSON data. The value can either be True or False. The default value is False. Set the value to True for structured JSON data.

guardian-authorization-api/logging/level

Defines the logging level of the Authorization API application. The value can be DEBUG, INFO, WARNING, ERROR, CRITICAL. The default value is INFO.

guardian-authorization-api/logging/format

This setting defines the format of the logging output, if guardian-authorization-api/logging/structured has the value False. For the logging output format, see the section "The time formatting" in the loguru documentation.

4.2.2. Cross-origin resource sharing (CORS)

Fig. 4.8 shows the CORS settings category of the Authorization API in the App Center. The available configuration settings and their description follow.

Fig. 4.8 The CORS settings category of the Authorization API in the Univention App Center

guardian-authorization-api/cors/allowed-origins

Defines a comma-separated list of hosts that the Authorization API allows to make cross-origin resource sharing (CORS) requests to the server. Add third-party apps to this list, if they need to use the Guardian.

4.2.3. UDM

Fig. 4.9 shows the UDM settings category of the Authorization API in the App Center. The available configuration settings and their description follow.

Fig. 4.9 The UDM settings category of the Authorization API in the Univention App Center

guardian-authorization-api/udm_data/url

Defines the URL of the UDM REST API for data queries.

4.2.4. Authentication

Fig. 4.10 shows the Authentication settings category of the Authorization API in the App Center. The available configuration settings and their description follow.

Fig. 4.10 The Authentication settings category of the Management API in the Univention App Center

guardian-authorization-api/oauth/keycloak-uri

Defines the base URI of the Keycloak server for authentication. If unset, the application tries to derive the Keycloak URI from the UCR variable keycloak/server/sso/fqdn or falls back to the domain name of the UCS system where you installed the application.

4.3. Management UI

This section describes the configuration settings for the Management UI.

Fig. 4.11 shows the settings category of the Management UI in the App Center. The available configuration settings and their description follow.

Fig. 4.11 The settings of the Management UI in the Univention App Center

guardian-management-ui/management-api-url

Defines the URL to the Management API. If not set, the Management UI generates the URL from hostname and domain name of the UCS system where you installed the application.

4.3.1. Authentication

Fig. 4.12 shows the Authentication settings category of the Management UI in the App Center. The available configuration settings and their description follow.

Fig. 4.12 The Authentication settings category of the Management UI in the Univention App Center

guardian-management-ui/oauth/keycloak-uri

Defines the base URI of the Keycloak server for authentication. If unset, the application tries to derive the Keycloak URI from the UCR variable keycloak/server/sso/fqdn or falls back to the domain name of the UCS system where you installed the application.