Skip to content

Config Settings Reference

Jump to bottom
Konstantin Lepeshenkov edited this page Oct 6, 2024 · 7 revisions

The following optional config settings are supported. Depending on the way you run DfMon, you specify them as environment variables, Azure App Service config settings or values in your local.settings.json file.

  • DFM_HUB_NAME - comma-separated list of allowed Task Hubs. Task Hubs from alternative Storage accounts should be specified as my_other_conn_string-my_hub_name.

    WARNING: when this setting is not set, all Task Hubs from all configured Storage Accounts are accessible.

  • DFM_ALLOWED_USER_NAMES - comma-separated list of users, that are allowed to access the endpoint. You typically put emails into there.

    WARNING: if this setting is not set, all authenticated users are allowed. Alternatively you can configure the list of allowed users in your AAD app's configuration.

  • DFM_ALLOWED_APP_ROLES - comma-separated list of allowed AAD App Roles. Once set, only users that's been assigned one of these roles will be allowed to access the endpoint. You typically assign App Roles to users/groups via AAD Enterprise Applications->[your AAD app]->Users and Groups tab in your Azure Portal. Then user's role should appear in the roles claim in their access token. When both DFM_ALLOWED_USER_NAMES and DFM_ALLOWED_APP_ROLES are specified, then both take effect.

  • DFM_ALLOWED_READ_ONLY_APP_ROLES - comma-separated list of AAD App Roles that should be allowed readonly access (only view the data but not make any modifications or execute any commands). The same App Role should not appear both in DFM_ALLOWED_APP_ROLES and DFM_ALLOWED_READ_ONLY_APP_ROLES. Also note that a role falling into DFM_ALLOWED_READ_ONLY_APP_ROLES takes precedence over a role falling into DFM_ALLOWED_APP_ROLES. That is, if a user has both roles, then the readonly one will be applied, and the user will not be able to execute management operations.

  • DFM_MODE - the endpoint's functional mode. Only one value for this setting is currently supported: ReadOnly - this disables all modification operations (related methods will return 403), thus turning the endpoint into a monitoring-only state.

  • DFM_NONCE - the only reasonable value for this setting is i_sure_know_what_i_am_doing. This disables any kind of user authentication. Make sure you know what you are doing.

  • DFM_CLIENT_CONFIG - a JSON, that is being passed to the client UI to adjust its behaviour. So far the only option is supported: {'theme':'dark'} turns the UI into dark color mode.

  • DFM_ALTERNATIVE_CONNECTION_STRING_my_other_conn_string - alternative Storage connection string to monitor Task Hubs from. There can be multiple of these, all prefixed with DFM_ALTERNATIVE_CONNECTION_STRING_. Once configured, Task Hubs from these accounts become available under URLs like https://my-dfm-endpoint/my_other_conn_string-my_hub_name.

  • DFM_USERNAME_CLAIM_NAME - name of the claim to be used for identifying the user (when matching against DFM_ALLOWED_USER_NAMES). By default, preferred_username claim is used for that, but this setting allows to specify some other custom claim.

  • DFM_ROLES_CLAIM_NAME - name of the claim to be used for identifying user's app roles (when matching against DFM_ALLOWED_APP_ROLES). By default, roles claim is used for that, but this setting allows to specify some other custom claim.

  • DFM_INGRESS_ROUTE_PREFIX - should be used in Kubernetes environments with ingress controllers doing URL rewrites. If your DfMon instance is exposed under e.g. https://my-cluster/my-dfmon URL, then you need to set DFM_INGRESS_ROUTE_PREFIX to my-dfmon, so that all requests are routed correctly.

Clone this wiki locally