itto.ditto-policies-service.3.6.0.source-code.policies.conf Maven / Gradle / Ivy
ditto {
service-name = "policies"
mapping-strategy.implementation = "org.eclipse.ditto.policies.api.PoliciesMappingStrategies"
extensions {
pre-enforcer-provider.extension-config.pre-enforcers = [
"org.eclipse.ditto.policies.enforcement.pre.BlockedNamespacePreEnforcer",
"org.eclipse.ditto.policies.enforcement.pre.CommandWithOptionalEntityPreEnforcer",
"org.eclipse.ditto.policies.enforcement.pre.CreationRestrictionPreEnforcer",
"org.eclipse.ditto.policies.enforcement.pre.PolicyImportsPreEnforcer"
]
signal-transformers-provider.extension-config.signal-transformers = [
"org.eclipse.ditto.policies.service.enforcement.pre.ModifyToCreatePolicyTransformer", // always keep this as first transformer in order to guarantee that all following transformers know that the command is creating a policy instead of modifying it
"org.eclipse.ditto.policies.service.signaltransformation.placeholdersubstitution.PoliciesPlaceholderSubstitution"
]
snapshot-adapter = "org.eclipse.ditto.policies.service.persistence.serializer.PolicyMongoSnapshotAdapter"
}
mongodb {
database = "policies"
database = ${?MONGO_DB_DATABASE}
read-journal {
# additional index which speeds up background (e.g. cleanup) aggregation queries
# seems to be required for MongoDB version >=6, otherwise a lot of read Disk IOPS are needed
should-create-additional-snapshot-aggregation-index-pid-id = false
should-create-additional-snapshot-aggregation-index-pid-id = ${?MONGODB_READ_JOURNAL_SHOULD_CREATE_ADDITIONAL_SNAPSHOT_AGGREGATION_INDEX_PID_ID}
# additional index which speeds up background (e.g. cleanup) aggregation queries
# seems to be required for MongoDB version >=6, otherwise a lot of read Disk IOPS are needed
should-create-additional-snapshot-aggregation-index-pid-sn = false
should-create-additional-snapshot-aggregation-index-pid-sn = ${?MONGODB_READ_JOURNAL_SHOULD_CREATE_ADDITIONAL_SNAPSHOT_AGGREGATION_INDEX_PID_SN}
# additional index which speeds up background (e.g. cleanup) aggregation queries
# seems to be required for MongoDB version >=6, otherwise a lot of read Disk IOPS are needed
should-create-additional-snapshot-aggregation-index-pid-sn-id = false
should-create-additional-snapshot-aggregation-index-pid-sn-id = ${?MONGODB_READ_JOURNAL_SHOULD_CREATE_ADDITIONAL_SNAPSHOT_AGGREGATION_INDEX_PID_SN_ID}
hint-name-filterPidsThatDoesntContainTagInNewestEntry = null
hint-name-filterPidsThatDoesntContainTagInNewestEntry = ${?MONGODB_READ_JOURNAL_HINT_NAME_FILTER_PIDS_THAT_DOESNT_CONTAIN_TAG_IN_NEWEST_ENTRY}
hint-name-listLatestJournalEntries = null
hint-name-listLatestJournalEntries = ${?MONGODB_READ_JOURNAL_HINT_NAME_LIST_LATEST_JOURNAL_ENTRIES}
hint-name-listNewestActiveSnapshotsByBatchPidId = null
hint-name-listNewestActiveSnapshotsByBatchPidId = ${?MONGODB_READ_JOURNAL_HINT_NAME_LIST_NEWEST_ACTIVE_SNAPSHOT_BY_BATCH_PID_ID}
hint-name-listNewestActiveSnapshotsByBatchPid = null
hint-name-listNewestActiveSnapshotsByBatchPid = ${?MONGODB_READ_JOURNAL_HINT_NAME_LIST_NEWEST_ACTIVE_SNAPSHOT_BY_BATCH_PID}
hint-name-listNewestActiveSnapshotsByBatchId = null
hint-name-listNewestActiveSnapshotsByBatchId = ${?MONGODB_READ_JOURNAL_HINT_NAME_LIST_NEWEST_ACTIVE_SNAPSHOT_BY_BATCH_ID}
}
}
persistence.operations.delay-after-persistence-actor-shutdown = 5s
persistence.operations.delay-after-persistence-actor-shutdown = ${?DELAY_AFTER_PERSISTENCE_ACTOR_SHUTDOWN}
policies {
policy {
# the configuration to which duration the "expiry" of a Policy Subject should be rounded up.
# For example:
# * configured to "1s": a received "expiry" is rounded up to the next full second
# * configured to "30s": a received "expiry" is rounded up to the next half minute
# * configured to "1h": a received "expiry" is rounded up to the next full hour
# * configured to "12h": a received "expiry" is rounded up to the next half day
# * configured to "1d": a received "expiry" is rounded up to the next full day
# * configured to "15d": a received "expiry" is rounded up to the next half month
subject-expiry-granularity = 1h
subject-expiry-granularity = ${?POLICY_SUBJECT_EXPIRY_GRANULARITY}
# To which duration the notify-before duration of each subject-expiry is rounded up.
# Minimum value: 1ms
subject-deletion-announcement-granularity = 1m
subject-deletion-announcement-granularity = ${?POLICY_SUBJECT_DELETION_ANNOUNCEMENT_GRANULARITY}
subject-id-resolver = "org.eclipse.ditto.policies.service.persistence.actors.resolvers.DefaultSubjectIdFromActionResolver"
subject-id-resolver = ${?POLICY_SUBJECT_ID_RESOLVER}
activity-check {
# the interval of how long to keep an "inactive" Policy in memory:
inactive-interval = 2h
inactive-interval = ${?POLICY_ACTIVITY_CHECK_INTERVAL}
# the interval of how long to keep a deleted Policy in memory
deleted-interval = 5m
deleted-interval = ${?POLICY_ACTIVITY_CHECK_DELETED_INTERVAL}
}
snapshot {
# the interval when to do snapshot for a Policy which had changes to it
interval = 15m
interval = ${?POLICY_SNAPSHOT_INTERVAL} # may be overridden with this environment variable
# the threshold after how many changes to a Policy to do a snapshot
threshold = 500
threshold = ${?POLICY_SNAPSHOT_THRESHOLD} # may be overridden with this environment variable
}
event {
# define the DittoHeaders to persist when persisting events to the journal
# those can e.g. be retrieved as additional "audit log" information when accessing a historical policy revision
historical-headers-to-persist = [
#"ditto-originator" # who (user-subject/connection-pre-auth-subject) issued the event
#"correlation-id"
]
historical-headers-to-persist = ${?POLICY_EVENT_HISTORICAL_HEADERS_TO_PERSIST}
}
supervisor {
exponential-backoff {
min = 1s
max = 120s
random-factor = 1.0
corrupted-receive-timeout = 600s
}
}
announcement {
grace-period = 4h
grace-period = ${?POLICY_ANNOUNCEMENT_GRACE_PERIOD}
max-timeout = 60s
max-timeout = ${?POLICY_ANNOUNCEMENT_MAX_TIMEOUT}
enable-announcements-when-deleted = true
enable-announcements-when-deleted = ${?POLICY_ENABLE_ANNOUNCEMENTS_WHEN_DELETED}
default-randomization-interval = 5m
default-randomization-interval = ${?POLICY_ANNOUNCEMENT_DEFAULT_RANDOMIZATION_INTERVAL}
exponential-backoff {
# minimum backoff for announcement redelivery
min = 1s
min = ${?POLICY_ANNOUNCEMENT_BACKOFF_MIN}
# maximum backoff for announcement
max = 1h
max = ${?POLICY_ANNOUNCEMENT_BACKOFF_MAX}
# random factor for exponential back-off
# next-backoff = previous-backoff * (1.5 + random-factor * rand(0, 0.5))
random-factor = 1.0
random-factor = ${?POLICY_ANNOUNCEMENT_BACKOFF_RANDOM_FACTOR}
}
}
cleanup {
# enabled configures whether background cleanup is enabled or not
# If enabled, stale "snapshot" and "journal" entries will be cleaned up from the MongoDB by a background process
enabled = true
enabled = ${?CLEANUP_ENABLED}
# history-retention-duration configures the duration of how long to "keep" events and snapshots before being
# allowed to remove them in scope of cleanup.
# If this e.g. is set to 30d - then effectively an event history of 30 days would be available via the read
# journal.
history-retention-duration = 30d
history-retention-duration = ${?CLEANUP_HISTORY_RETENTION_DURATION}
# quiet-period defines how long to stay in a state where the background cleanup is not yet started
# Applies after:
# - starting the service
# - each "completed" background cleanup run (all entities were cleaned up)
quiet-period = 5m
quiet-period = ${?CLEANUP_QUIET_PERIOD}
# interval configures how often a "credit decision" is made.
# The background cleanup works with a credit system and does only generate new "cleanup credits" if the MongoDB
# currently has capacity to do cleanups.
interval = 10s
interval = ${?CLEANUP_INTERVAL}
# timer-threshold configures the maximum database latency to give out credit for cleanup actions.
# If write operations to the MongoDB within the last `interval` had a `max` value greater to the configured
# threshold, no new cleanup credits will be issued for the next `interval`.
# Which throttles cleanup when MongoDB is currently under heavy (write) load.
timer-threshold = 150ms
timer-threshold = ${?CLEANUP_TIMER_THRESHOLD}
# credits-per-batch configures how many "cleanup credits" should be generated per `interval` as long as the
# write operations to the MongoDB are less than the configured `timer-threshold`.
# Limits the rate of cleanup actions to this many per credit decision interval.
# One credit means that the "journal" and "snapshot" entries of one entity are cleaned up each `interval`.
credits-per-batch = 3
credits-per-batch = ${?CLEANUP_CREDITS_PER_BATCH}
# reads-per-query configures the number of snapshots to scan per MongoDB query.
# Configuring this to high values will reduce the need to query MongoDB too often - it should however be aligned
# with the amount of "cleanup credits" issued per `interval` - in order to avoid long running queries.
reads-per-query = 100
reads-per-query = ${?CLEANUP_READS_PER_QUERY}
# writes-per-credit configures the number of documents to delete for each credit.
# If for example one entity would have 1000 journal entries to cleanup, a `writes-per-credit` of 100 would lead
# to 10 delete operations performed against MongoDB.
writes-per-credit = 100
writes-per-credit = ${?CLEANUP_WRITES_PER_CREDIT}
# delete-final-deleted-snapshot configures whether for a deleted entity, the final snapshot (containing the
# "deleted" information) should be deleted or not.
# If the final snapshot is not deleted, re-creating the entity will cause that the recreated entity starts with
# a revision number 1 higher than the previously deleted entity. If the final snapshot is deleted as well,
# recreation of an entity with the same ID will lead to revisionNumber=1 after its recreation.
delete-final-deleted-snapshot = false
delete-final-deleted-snapshot = ${?CLEANUP_DELETE_FINAL_DELETED_SNAPSHOT}
}
}
persistence-ping {
# journal tag to query to find our which PolicyPersistenceActors to ping (always keep alive)
journal-tag = "always-alive"
journal-tag = ${?POLICIES_PERSISTENCE_PING_JOURNAL_TAG}
# initial delay for pinging the PolicyPersistenceActors after the PersistencePingActor has been started.
initial-delay = 0s
initial-delay = ${?POLICIES_PERSISTENCE_PING_INITIAL_DELAY}
# interval for trying to ping all "always-alive" PolicyPersistenceActors
interval = 10m
interval = ${?POLICIES_PERSISTENCE_PING_INTERVAL}
# how many events to read in one query
read-journal-batch-size = 500
read-journal-batch-size = ${?POLICIES_PERSISTENCE_PING_READ_JOURNAL_BATCH_SIZE}
# one of:
# TAGS Elements will be ordered by their tags.
# ID Elements will be ordered by their document ID.
streaming-order = ID
streaming-order = ${?POLICIES_PERSISTENCE_PING_STREAMING_ORDER}
# used to throttle pinging of PolicyPersistenceActors, so that not all PolicyPersistenceActors are recovered at the same time
rate {
frequency = 1s
frequency = ${?POLICIES_PERSISTENCE_PING_RATE_FREQUENCY}
entities = 1
entities = ${?POLICIES_PERSISTENCE_PING_RATE_ENTITIES}
}
}
}
}
pekko {
cluster {
sharding {
role = ${ditto.service-name}
passivation {
# don't passivate shards by default as Ditto AbstractPersistenceActor decides that on its own -
# default is "default-idle-strategy" with "idle-entity.timeout = 120s":
strategy = "off"
}
}
roles = [
"policies",
"policy-announcement-aware",
"blocked-namespaces-aware"
]
}
persistence {
journal.auto-start-journals = [
"pekko-contrib-mongodb-persistence-policies-journal"
]
snapshot-store.auto-start-snapshot-stores = [
"pekko-contrib-mongodb-persistence-policies-snapshots"
]
}
management.health-checks.liveness-checks {
subsystem-health = "org.eclipse.ditto.internal.utils.health.SubsystemHealthCheck"
}
}
pekko-contrib-mongodb-persistence-policies-journal {
class = "pekko.contrib.persistence.mongodb.MongoJournal"
plugin-dispatcher = "policy-journal-persistence-dispatcher"
circuit-breaker {
max-failures = 5 # if an exception during persisting an event/snapshot occurs this often -- a successful write resets the counter
max-failures = ${?BREAKER_MAXTRIES}
call-timeout = 5s # MongoDB Timeouts causing the circuitBreaker to open
call-timeout = ${?BREAKER_TIMEOUT}
reset-timeout = 3s # after this time in "Open" state, the cicuitBreaker is "Half-opened" again
reset-timeout = ${?BREAKER_RESET}
}
overrides {
journal-collection = "policies_journal"
journal-index = "policies_journal_index"
realtime-collection = "policies_realtime"
metadata-collection = "policies_metadata"
metadata-index = "policies_metadata_index"
}
event-adapters {
mongodbobject = "org.eclipse.ditto.policies.service.persistence.serializer.DefaultPolicyMongoEventAdapter"
}
event-adapter-bindings {
"org.eclipse.ditto.base.model.signals.events.Event" = mongodbobject
"org.bson.BsonValue" = mongodbobject
}
}
pekko-contrib-mongodb-persistence-policies-journal-read {
class = "pekko.contrib.persistence.mongodb.MongoReadJournal"
plugin-dispatcher = "policy-journal-persistence-dispatcher"
overrides {
journal-collection = "policies_journal"
journal-index = "policies_journal_index"
realtime-collection = "policies_realtime"
metadata-collection = "policies_metadata"
metadata-index = "policies_metadata_index"
}
}
pekko-contrib-mongodb-persistence-policies-snapshots {
class = "pekko.contrib.persistence.mongodb.MongoSnapshots"
plugin-dispatcher = "policy-snaps-persistence-dispatcher"
circuit-breaker {
max-failures = 5 # if an exception during persisting an event/snapshot occurs this often -- a successful write resets the counter
max-failures = ${?SNAPSHOT_BREAKER_MAXTRIES}
call-timeout = 10s # MongoDB Timeouts causing the circuitBreaker to open
call-timeout = ${?SNAPSHOT_BREAKER_TIMEOUT}
reset-timeout = 6s # after this time in "Open" state, the cicuitBreaker is "Half-opened" again
reset-timeout = ${?SNAPSHOT_BREAKER_RESET}
}
overrides {
snaps-collection = "policies_snaps"
snaps-index = "policies_snaps_index"
}
}
policy-journal-persistence-dispatcher {
type = Dispatcher
# which mailbox to use
mailbox-type = "org.eclipse.ditto.policies.service.persistence.actors.PolicyPersistenceActorMailbox"
mailbox-capacity = 100
executor = "org.eclipse.ditto.internal.utils.metrics.service.executor.InstrumentedForkJoinExecutorServiceConfigurator"
fork-join-executor {
parallelism-min = 4
parallelism-factor = 3.0
parallelism-max = 32
parallelism-max = ${?DEFAULT_DISPATCHER_PARALLELISM_MAX}
}
throughput = 5
}
policy-snaps-persistence-dispatcher {
type = Dispatcher
# which mailbox to use
mailbox-type = "org.eclipse.ditto.policies.service.persistence.actors.PolicyPersistenceActorMailbox"
mailbox-capacity = 100
executor = "org.eclipse.ditto.internal.utils.metrics.service.executor.InstrumentedForkJoinExecutorServiceConfigurator"
fork-join-executor {
parallelism-min = 4
parallelism-factor = 3.0
parallelism-max = 32
parallelism-max = ${?DEFAULT_DISPATCHER_PARALLELISM_MAX}
}
throughput = 5
}
blocked-namespaces-dispatcher {
type = Dispatcher
executor = "org.eclipse.ditto.internal.utils.metrics.service.executor.InstrumentedForkJoinExecutorServiceConfigurator"
fork-join-executor {
# Min number of threads to cap factor-based parallelism number to
parallelism-min = 4
# Parallelism (threads) ... ceil(available processors * factor)
parallelism-factor = 3.0
# Max number of threads to cap factor-based parallelism number to
parallelism-max = 32
parallelism-max = ${?DEFAULT_DISPATCHER_PARALLELISM_MAX}
}
throughput = 5
}
pekko.contrib.persistence.mongodb.mongo {
metadata-index = "akka_persistence_metadata_pid"
collection-cache {
journal {
class = "org.eclipse.ditto.internal.utils.persistence.mongo.DittoMongoCollectionCache"
expire-after-write = 1h // check each collection every hour whether it was created correctly
expire-after-write = ${?MONGO_COLLECTION_CACHE_JOURNAL_TTL}
max-size = 1000 // namespace collections cached per node
max-size = ${?MONGO_COLLECTION_CACHE_JOURNAL_MAX_SIZE}
}
snaps {
class = "org.eclipse.ditto.internal.utils.persistence.mongo.DittoMongoCollectionCache"
expire-after-write = 1h
expire-after-write = ${?MONGO_COLLECTION_CACHE_SNAPS_TTL}
max-size = 1000
max-size = ${?MONGO_COLLECTION_CACHE_JOURNAL_MAX_SIZE}
}
}
}
include "policies-extension.conf"
include file("/opt/ditto/policies-extension.conf")