Config

The Grid uses several config files, which differ by service and by usage (e.g. Guardian- or BBC-specific features). GridConfigLoader.scala loads the files; each one is parsed into a config tree by the Lightbend config library (https://github.com/lightbend/config), which recursively merges the trees.

The file lists configs that every user and service should have. This file should provide good defaults for Grid features where required. It has the lowest priority: any key set here is overridden if it is also set in another file.

Other config files

Other config files will be read from $HOME/.grid/ (when running locally) or /etc/grid (when deployed, as determined by the contents of /etc/grid/stage). For local development, files will be generated by the generate-config script. It is up to the implementor to determine how to load config files onto deployed instances - we at the Guardian currently fetch files from S3 in a UserData script.

This file will be packaged by sbt-native-packager, available once installed on the destination instance and automatically loaded by Play.

Note: Currently this is the only file that is loaded at Play's first initialisation. Some Play settings will only take effect if set in this file.

<configRoot>/<stage>/common.conf

Anything that's specific to an organisation and to a stage, but is common across all the services. Keys set here will override those set in application.conf but be overridden by the service-specific configs.

<configRoot>/<stage>/<service>.conf

Service-specific configs. These will override all other config files.
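To make the override order concrete, the following added example (not part of the Grid code base) models the merge in Python: objects are combined recursively, while a scalar or array set in a higher-priority file replaces the lower-priority value outright. The three trees, their values and the file name kahuna.conf are constructed for illustration, and HOCON features such as `+=` or substitutions are not modelled.

```python
# Simplified model of the documented layering; not Grid code.
# Constructed sample trees, lowest priority first. Hosts and values are made up.
LAYERS = [
    ("application.conf", {"restrictDownload": False, "announcements": []}),
    ("common.conf", {"restrictDownload": True,
                     "security": {"frameAncestors": ["https://cms.example.test"],
                                  "connectSources": ["https://api.example.test"]}}),
    ("kahuna.conf", {"security": {"frameAncestors": ["https://embed.example.test"]}}),
]

def merge(low, high):
    """Return a new tree in which `high` overrides `low`."""
    out = dict(low)
    for key, value in high.items():
        if isinstance(value, dict) and isinstance(out.get(key), dict):
            out[key] = merge(out[key], value)   # nested objects are combined
        else:
            out[key] = value                    # scalars and arrays are replaced
    return out

def effective(layers):
    """Fold the layers together in priority order."""
    tree = {}
    for _name, layer in layers:
        tree = merge(tree, layer)
    return tree

def lookup(tree, path, default=None):
    """Resolve a dotted key such as 'security.frameAncestors'."""
    node = tree
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node

def origin_of(layers, path):
    """Name of the highest-priority file that sets the leaf key `path`, or None."""
    missing = object()
    for name, layer in reversed(layers):
        if lookup(layer, path, missing) is not missing:
            return name
    return None

if __name__ == "__main__":
    tree = effective(LAYERS)
    for key in ("restrictDownload", "security.frameAncestors", "security.connectSources"):
        print(key, "=", lookup(tree, key), "from", origin_of(LAYERS, key))
```

Note that the service file's frameAncestors list replaces the one from common.conf rather than extending it, while connectSources survives because it sits in the same object under a different key.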

Config documentation

Common configuration

| Key | Optional | Type | Default |
|---|---|---|---|
| auth.useLocal<br>If true, the AWS client will be configured to be localstack aware.<br>Only used in The Guardian’s PermissionsAuthorisationProvider and PandaAuthenticationProvider. | True (not needed if using other authentication + authorisation providers) | boolean | false |
| panda.userDomain<br>Used only in The Guardian’s PandaAuthenticationProvider. | True (not needed if using another authentication provider) | string | |
| panda.bucketName<br>The AWS S3 bucket name that contains<br>Used only in The Guardian’s PandaAuthenticationProvider. | True (not needed if using another authentication provider) | string | |
| permissions.bucket<br>The AWS S3 bucket name used in The Guardian’s PermissionsProvider. | True (not needed if using another authorisation provider) | string | |
| image.record.download<br>When true, any downloads are recorded as usages and the usage@platform:download filter appears in the UI. | | | |
| useReaper<br>Is reaper (image deletion service) supported? | True | boolean | |
| restrictDownload<br>Restrict download of images to users with edit_metadata permission where that user is not the image uploader. | True | boolean | false |
| announcements<br>Notifications and announcements to be sent to users.<br>Format: an array of JSON objects, each with the fields:<br>announceId: (string) the unique id of the announcement - should be unique among all active announcements<br>description: (string) the main text to display in the notification<br>endDate: (string, optional, format="yyyy-mm-dd") the date beyond which the announcement should not be seen; if not present, set as today + 1 year<br>url: (string, optional) a link to a page/document providing further details regarding the announcement<br>urlText: (string, optional) text to be included in the a-tag hyperlink (will revert to default if not present)<br>category: (string) the type of announcement - will control styling and display, Enum=announcement; information; warning; error; success<br>lifespan: (string) the lifecycle behaviour, Enum=transient (message disappears on any click etc); session (message must be acknowledged but action NOT stored in client cookie - used for current session messages); persistent (message must be acknowledged and action stored in client cookie - used for long-running announcements) | True | Json Object Array | [] |
| persistence.identifier<br>Used by the reaper to retain images which have a particular identifier (e.g. picdarUrn for Guardian). | True | string | |
| persistence.onlyTheseCollections<br>Used by the reaper…<br>1. If not specified, images in any collection are persisted<br>2. If specified, but empty array, images are not\* persisted based on collection at all<br>3. If specified and non-empty, images are persisted based on the listed collections only\* (note that it matches any part of the collection path, but it's not possible to match an entire nested collection path)<br>\* but might be persisted based on other persistence criteria. | True (see 1.) | Array | None |
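The announcements format documented above can be checked before a config file is deployed. The following is an added example, not Grid's own validation code: it tests an already-parsed array against the documented fields and enums, and applies the uniqueness rule for announceId only to entries whose endDate has not passed. The function name, messages and sample entries are constructed.

```python
import re
from datetime import date, datetime

CATEGORIES = {"announcement", "information", "warning", "error", "success"}
LIFESPANS = {"transient", "session", "persistent"}
REQUIRED = ("announceId", "description", "category", "lifespan")
OPTIONAL = ("endDate", "url", "urlText")
DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}")

def validate_announcements(entries, today):
    """Return a list of problems; an empty list means the array fits the documented format."""
    problems, active_ids = [], set()
    for i, entry in enumerate(entries):
        where = f"announcements[{i}]"
        if not isinstance(entry, dict):
            problems.append(f"{where}: must be an object")
            continue
        for field in REQUIRED:
            if not isinstance(entry.get(field), str) or not entry[field].strip():
                problems.append(f"{where}: {field} is required and must be a non-empty string")
        for field in OPTIONAL:
            if field in entry and not isinstance(entry[field], str):
                problems.append(f"{where}: {field} must be a string")
        for field, allowed in (("category", CATEGORIES), ("lifespan", LIFESPANS)):
            value = entry.get(field)
            if isinstance(value, str) and value.strip() and value not in allowed:
                problems.append(f"{where}: {field} {value!r} is not one of {sorted(allowed)}")
        expired, end = False, entry.get("endDate")  # no endDate means still active
        if isinstance(end, str):
            try:
                if not DATE_RE.fullmatch(end):
                    raise ValueError(end)
                expired = datetime.strptime(end, "%Y-%m-%d").date() < today
            except ValueError:
                problems.append(f"{where}: endDate {end!r} is not a valid yyyy-mm-dd date")
        ann_id = entry.get("announceId")
        if isinstance(ann_id, str) and not expired:  # uniqueness applies to active entries
            if ann_id in active_ids:
                problems.append(f"{where}: announceId {ann_id!r} duplicates an active announcement")
            active_ids.add(ann_id)
    return problems

# Constructed sample input: one valid entry, one with a bad enum and a duplicate id,
# one with an impossible date.
SAMPLE = [
    {"announceId": "maint-1", "description": "Planned maintenance", "category": "warning",
     "lifespan": "session", "endDate": "2030-01-31"},
    {"announceId": "maint-1", "description": "Copy", "category": "urgent", "lifespan": "persistent"},
    {"announceId": "old", "description": "Old notice", "category": "information",
     "lifespan": "transient", "endDate": "2020-13-01"},
]
```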

Admin tools service

| Key | Optional | Type | Default |
|---|---|---|---|
| domain.root | False | string | |
| authentication.providers.machine.config.authKeyStoreBucket | | string | |
| aws.local.endpoint | | url | |
| thrall.kinesis.stream.name | False | string | |
| thrall.kinesis.lowPriorityStream.name | False | string | |
| es.index.aliases.current | False | string | |
| es.index.aliases.migration | False | string | |

Auth Service

| Key | Optional | Type | Default |
|---|---|---|---|
| domain.root | False | string | |
| authentication.providers.machine.config.authKeyStoreBucket | | | |
| aws.local.endpoint | | | |
| thrall.kinesis.stream.name | | | |
| thrall.kinesis.lowPriorityStream.name | | | |
| es.index.aliases.current | | | |
| es.index.aliases.migration | | | |
| s3.config.bucket | | | |
| aws.region | | string | |
| security.cors.allowedOrigins | | | |
| metrics.request.enabled | | boolean | |

Collections service

| Key | Optional | Type | Default |
|---|---|---|---|
| domain.root | | | |
| authentication.providers.machine.config.authKeyStoreBucket | | | |
| aws.local.endpoint | | | |
| thrall.kinesis.stream.name | | | |
| thrall.kinesis.lowPriorityStream.name | | | |
| es.index.aliases.current | | | |
| es.index.aliases.migration | | | |
| aws.region | | | |
| s3.collections.bucket | | | |
| dynamo.table.collections | | | |
| dynamo.table.imageCollections | | | |
| security.cors.allowedOrigins | | | |
| metrics.request.enabled | | | |

Cropper Service

| Key | Optional | Type | Default |
|---|---|---|---|
| domain.root | | | |
| authentication.providers.machine.config.authKeyStoreBucket | | | |
| aws.local.endpoint | | | |
| thrall.kinesis.stream.name | | | |
| thrall.kinesis.lowPriorityStream.name | | | |
| es.index.aliases.current | | | |
| es.index.aliases.migration | | | |
| aws.region | | | |
| publishing.image.bucket | | | |
| publishing.image.host | | | |
| s3.config.bucket | | | |
| security.cors.allowedOrigins | | | |
| metrics.request.enabled | | | |

Image Loader service

| Key | Optional | Type | Default |
|---|---|---|---|
| domain.root | | | |
| authentication.providers.machine.config.authKeyStoreBucket | | | |
| aws.local.endpoint | | | |
| thrall.kinesis.stream.name | | | |
| thrall.kinesis.lowPriorityStream.name | | | |
| es.index.aliases.current | | | |
| es.index.aliases.migration | | | |
| aws.region | | | |
| s3.image.bucket | | | |
| s3.thumb.bucket | | | |
| s3.quarantine.bucket | | | |
| s3.config.bucket | | | |
| dynamo.table.upload.status | | | |
| security.cors.allowedOrigins | | | |
| metrics.request.enabled | | | |
| transcoded.mime.types | | | |
| upload.quarantine.enabled | | | |

Kahuna service

| Key | Optional | Type | Default |
|---|---|---|---|
| domain.root | | | |
| authentication.providers.machine.config.authKeyStoreBucket | | | |
| aws.local.endpoint | | | |
| thrall.kinesis.stream.name | | | |
| thrall.kinesis.lowPriorityStream.name | | | |
| es.index.aliases.current | | | |
| es.index.aliases.migration | | | |
| aws.region | | | |
| s3.image.bucket | | | |
| s3.thumb.bucket | | | |
| s3.quarantine.bucket | | | |
| s3.config.bucket | | | |
| dynamo.table.upload.status | | | |
| security.cors.allowedOrigins | | | |
| metrics.request.enabled | | | |
| transcoded.mime.types | | | |
| upload.quarantine.enabled | | | |
| showDenySyndicationWarning | true | boolean | false |
| warningText.denySyndicationHeader | true | string | Syndication denied |
| scriptsToLoad | true | object[], with each object having properties:<br>• host<br>• path<br>• async (optional)<br>• permission (optional)<br>• shouldLoadWhenIFramed (optional) | |
| security.frameAncestors<br>Additional entries to be added to the frame-ancestors section of the Content-Security-Policy | true | string[] | |
| security.connectSources<br>Additional entries to be added to the connect-src section of the Content-Security-Policy | true | string[] | |
| security.fontSources<br>Additional entries to be added to the font-src section of the Content-Security-Policy | true | string[] | |

Leases service

| Key | Optional | Type | Default |
|---|---|---|---|
| domain.root | | | |
| authentication.providers.machine.config.authKeyStoreBucket | | | |
| aws.local.endpoint | | | |
| thrall.kinesis.stream.name | | | |
| thrall.kinesis.lowPriorityStream.name | | | |
| es.index.aliases.current | | | |
| es.index.aliases.migration | | | |
| aws.region | | | |
| dynamo.tablename.leasesTable | | | |
| security.cors.allowedOrigins | | | |
| metrics.request.enabled | | | |

Media API service

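| Key | Optional | Type | Default |
|---|---|---|---|
| domain.root | | | |
| authentication.providers.machine.config.authKeyStoreBucket | | | |
| aws.local.endpoint | | | |
| thrall.kinesis.stream.name | | | |
| thrall.kinesis.lowPriorityStream.name | | | |
| es.index.aliases.current | | | |
| es.index.aliases.migration | | | |
| aws.region | | | |
| s3.image.bucket | | | |
| s3.thumb.bucket | | | |
| s3.config.bucket | | | |
| s3.usagemail.bucket | | | |
| es6.url | | | |
| es6.shards | | | |
| es6.replicas | | | |
| quota.store.key | | | |
| security.cors.allowedOrigins | | | |
| metrics.request.enabled | | | |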

Metadata editor service

| Key | Optional | Type | Default |
|---|---|---|---|
| domain.root | | | |
| authentication.providers.machine.config.authKeyStoreBucket | | | |
| aws.local.endpoint | | | |
| thrall.kinesis.stream.name | | | |
| thrall.kinesis.lowPriorityStream.name | | | |
| es.index.aliases.current | | | |
| es.index.aliases.migration | | | |
| aws.region | | | |
| s3.collections.bucket | | | |
| dynamo.table.edits | | | |
| dynamo.globalsecondaryindex.edits.photoshoots | | | |
| dynamo.table.syndication | | | |
| indexed.images.sqs.queue.url | | | |
| security.cors.allowedOrigins | | | |
| metrics.request.enabled | | | |

S3 watcher

| Key | Optional | Type | Default |
|---|---|---|---|
| domain.root | | | |
| authentication.providers.machine.config.authKeyStoreBucket | | | |
| aws.local.endpoint | | | |
| thrall.kinesis.stream.name | | | |
| thrall.kinesis.lowPriorityStream.name | | | |
| es.index.aliases.current | | | |
| es.index.aliases.migration | | | |
| aws.region | | | |
| loader.uri | | | |
| auth.key.s3watcher | | | |
| s3.ingest.bucket | | | |
| s3.fail.bucket | | | |

Thrall service

| Key | Optional | Type | Default |
|---|---|---|---|
| domain.root | | | |
| authentication.providers.machine.config.authKeyStoreBucket | | | |
| aws.local.endpoint | | | |
| thrall.kinesis.stream.name | | | |
| thrall.kinesis.lowPriorityStream.name | | | |
| es.index.aliases.current | | | |
| es.index.aliases.migration | | | |
| aws.region | | | |
| s3.image.bucket | | | |
| s3.thumb.bucket | | | |
| indexed.image.sns.topic.arn | | | |
| es6.url | | | |
| es6.shard | | | |
| es6.replicas | | | |
| metrics.request.enabled | | | |
| thrall.projection.parallelism | yes | int | 1 |

Usage service

| Key | Optional | Type | Default |
|---|---|---|---|
| domain.root | | | |
| authentication.providers.machine.config.authKeyStoreBucket | | | |
| aws.local.endpoint | | | |
| thrall.kinesis.stream.name | | | |
| thrall.kinesis.lowPriorityStream.name | | | |
| es.index.aliases.current | | | |
| es.index.aliases.migration | | | |
| aws.region | | | |
| capi.live.url | | | |
| capi.apiKey | | | |
| dynamo.tablename.usageRecordTable | | | |
| composer.baseUrl | | | |
| crier.live.arn | | | |
| crier.preview.arn | | | |
| crier.preview.name | | | |
| crier.live.name | | | |
| app.name | | | |
| security.cors.allowedOrigins | | | |
| metrics.request.enabled | | | |