Security

TLS 

KeyDescriptionDefault
lenses.access.control.allow.methodsHTTP verbs allowed in cross-origin HTTP requestsGET,POST,PUT,DELETE,OPTIONS
lenses.access.control.allow.originAllowed hosts for cross-origin HTTP requests*
lenses.allow.weak.sslAllow https:// with self-signed certificatesfalse
lenses.ssl.keystore.locationThe full path to the keystore file used to enable TLS on Lenses port
lenses.ssl.keystore.passwordPassword for the keystore file
lenses.ssl.key.passwordPassword for the ssl certificate used
lenses.ssl.enabled.protocolsVersion of TLS protocol to useTLSv1.2
lenses.ssl.algorithmX509 or PKIX algorithm to use for TLS terminationSunX509
lenses.ssl.cipher.suitesComma separated list of ciphers allowed for TLS negotiation

LDAP 

LDAP or AD connectivity is optional. All settings are string.

KeyDescriptionDefault
lenses.security.ldap.urlLDAP server URL (TLS, StartTLS and unencrypted supported)
lenses.security.ldap.userLDAP user account. Must be able to list users and their groups. The distinguished name (DN) must be used
lenses.security.ldap.passwordLDAP account password
lenses.security.ldap.baseLDAP base path for querying user accounts. All user accounts that will be able to access Lenses should be under this path
lenses.security.ldap.filterLDAP query filter for matching users. Lenses will request all entries under the base path that satisfy this filter. The result should be unique(&(objectClass=person)(sAMAccountName=<user>))
lenses.security.ldap.plugin.classFull classpath that implements the LDAP query for the user’s groups. You can use the implementation that comes with Lenses if your LDAP setup is supported
lenses.security.ldap.plugin.memberof.keyLDAP user attribute that provides memberOf information. In most implementations the attribute has the same name, so you don’t have to set anything. Used by the default pluginmemberOf
lenses.security.ldap.plugin.group.extract.regexA regular expression to extract a part of the user’s groups. If this part matches a Lenses group, the user will be granted all the permissions of this group. Lenses checks against the list of memberOf attribute values and uses the first regex group that is returned(?i)CN=(\\w+),ou=Groups.*
lenses.security.ldap.plugin.person.name.keyThis key is used by the included LDAP plugin class LdapMemberOfUserGroupPlugin. It expects the LDAP user attribute that provides the full name of the usersn

And additional configuration setting lenses.security.ldap.use.service.user.search when set to true will use the lenses.security.ldap.user account to read the groups of the current logged user. The default behavior (false) uses the current logged user to read group memberships.

SSO SAML 

KeyDescriptionDefault
lenses.security.saml.base.urlLenses HTTPS URL that matches the Service Provider (SP) and part of the Identity Provider (IdP) SAML handshake i.e. https://lenses-dev.example.com
lenses.security.saml.sp.entityidSAML Service Provider (SP) Entity ID for Lenses, used as part of the SAML handshake protocol.
lenses.security.saml.idp.providerThe Identity Provider (IdP) type: azure, google, keycloak, okta, onelogin
lenses.security.saml.idp.metadata.filePath to XML file provided by the Identity Provider. e.g. /path/to/saml-idp.xml
lenses.security.saml.idp.session.lifetime.maxThe maximum “duration since login” to accept from IdP. A SAML safety measure that is usually not used. See the duration syntax.100days
lenses.security.saml.keystore.locationLocation for the Java keystore file to be used for SAML crypto i.e. /path/to/keystore.jks
lenses.security.saml.keystore.passwordPassword for accessing the keystore
lenses.security.saml.key.aliasAlias to use for the private key within the keystore (only required when the keystore has multiple keys)
lenses.security.saml.key.passwordPassword for accessing the private key within the keystore

Kerberos 

KeyDescriptionDefault
lenses.security.kerberos.service.principalThe Kerberos principal for Lenses to use in the SPNEGO form: HTTP/lenses.address@REALM.COM
lenses.security.kerberos.keytabPath to Kerberos keytab with the service principal. It should not be password protected
lenses.security.kerberos.debugEnable Java’s JAAS debugging informationfalse
--
Last modified: November 18, 2024