Enterprise UI Configuration

The Enterprise UI service has some static configuration options that are read from /config/config-ui.yaml inside the UI container image when the system starts up.

The configuration is designed to not require any modification when using the quickstart (docker-compose) or production (Helm) methods of deploying Anchore Enterprise. If modifications are desired, the options, their meanings, and environment overrides are listed below for reference:

  • The (required) license_path key specifies the location of the local system folder containing the license.yaml license file required by the Anchore Enterprise UI web service for product activation. This value can be overridden by using the ANCHORE_LICENSE_PATH environment variable.

    license_path: '/'
    
  • The (required) engine_uri key specifies the address of the Anchore Engine service. The value must be a string containing a properly-formed ‘http’ or ‘https’ URI. This value can be overridden by using the ANCHORE_ENGINE_URI environment variable.

    engine_uri: 'http://engine-api:8228/v1'
    
  • The (required) redis_uri key specifies the address of the Redis service. The value must be a string containing a properly-formed ‘http’, ‘https’, or redis URI. Note that the default configuration uses the REdis Serialization Protocol (RESP). This value can be overridden by using the ANCHORE_REDIS_URI environment variable.

    redis_uri: 'redis://enterprise-ui-redis:6379'
    
  • The (required) appdb_uri key specifies the location and credentials for the postgres DB endpoint used by the UI. The value must contain the host, port, DB user, DB password, and DB name. This value can be overridden by using the ANCHORE_APPDB_URI environment variable.

    appdb_uri: 'postgres://<db-user>:<db-pass>@<db-host>:<db-port>/<db-name>'
    
  • The (required) reports_uri key specifies the address of the Reports service. The value must be a string containing a properly-formed ‘http’ or ‘https’ URI and can be overridden by using the ANCHORE_REPORTS_URI environment variable.

    Note that the presence of an uncommented reports_uri key in this file (even if unset, or set with an invalid value) instructs the Anchore Enterprise UI web service that the Reports feature must be enabled.

    reports_uri: 'http://enterprise-reports:8228/v1'
    
  • The (optional) rbac_uri key specifies the address of the Role-Based Authentication Control (RBAC) service. The value must be a string containing a properly-formed ‘http’ or ‘https’ URI, and can be overridden by using the ANCHORE_RBAC_URI environment variable.

    Note that the presence of an uncommented rbac_uri key in this file (even if unset, or set with an invalid value) instructs the Anchore Enterprise UI web service that the RBAC feature must be enabled. If the RBAC service cannot subsequently be reached by the web service, the communication failure will be handled in the same manner as an Anchore Engine service outage.

    rbac_uri: 'http://enterprise-rbac-manager:8228/v1'
    
  • The (optional) enable_ssl key specifies if SSL operations should be enabled within in the web app runtime. When this value is set to True, secure cookies will be used with a SameSite value of None. The value must be a Boolean, and defaults to False if unset.

    Note: Only enable this property if your UI deployment configured to run within an SSL-enabled environment (for example, behind a reverse proxy, in the presence of signed certs etc.)

    This value can be overridden by using the ANCHORE_ENABLE_SSL environment variable.

    enable_ssl: False
    
  • The (optional) enable_proxy key specifies whether to trust a reverse proxy when setting secure cookies (via the X-Forwarded-Proto header). The value must be a Boolean, and defaults to False if unset. In addition, SSL must be enabled for this to work. This value can be overridden by using the ANCHORE_ENABLE_PROXY environment variable.

    enable_proxy: False
    
  • The (optional) allow_shared_login key specifies if a single set of user credentials can be used to start multiple Anchore Enterprise UI sessions; for example, by multiple users across different systems, or by a single user on a single system across multiple browsers.

    When set to False, only one session per credential is permitted at a time, and logging in will invalidate any other sessions that are using the same set of credentials. If this property is unset, or is set to anything other than a Boolean, the web service will default to True.

    Note that setting this property to False does not prevent a single session from being viewed within multiple tabs inside the same browser. This value can be overridden by using the ANCHORE_ALLOW_SHARED_LOGIN environment variable.

    allow_shared_login: True
    
  • The (optional) redis_flushdb key specifies if the Redis datastore containing user session keys and data is emptied on application startup. If the datastore is flushed, any users with active sessions will be required to re-authenticate.

    If this property is unset, or is set to anything other than a Boolean, the web service will default to True. This value can be overridden by using the ANCHORE_REDIS_FLUSHDB environment variable.

    redis_flushdb: True
    
  • The (optional) custom_links key allows a list of up to 10 external links to be provided (additional items will be excluded). The top-level title key provided the label for the menu (if present, otherwise the string “Custom External Links” will be used instead).

    Each link entry must have a title of greater than 0-length and a valid URI. If either item is invalid, the entry will be excluded.

    custom_links:
      title: Custom External Links
      links:
      - title: Example Link 1
        uri: https://example.com
      - title: Example Link 2
        uri: https://example.com
      - title: Example Link 3
        uri: https://example.com
      - title: Example Link 4
        uri: https://example.com
      - title: Example Link 5
        uri: https://example.com
      - title: Example Link 6
        uri: https://example.com
      - title: Example Link 7
        uri: https://example.com
      - title: Example Link 8
        uri: https://example.com
      - title: Example Link 9
        uri: https://example.com
      - title: Example Link 10
        uri: https://example.com
    
  • The (optional) force_websocket key specifies if the WebSocket protocol must be used for socket message communications. By default, long-polling is initially used to establish the handshake between client and web service, followed by a switch to WS if the WebSocket protocol is supported.

    If this value is unset, or is set to anything other than a Boolean, the web service will default to False.

    This value can be overridden by using the ANCHORE_FORCE_WEBSOCKET environment variable.

    force_websocket: False
    
  • The (optional) authentication_lock keys specify if a user should be temporarily prevented from logging in to an account after one or more failed authentication attempts. For this feature to be enabled, both values must be whole numbers greater than 0. They can be overridden by using the ANCHORE_AUTHENTICATION_LOCK_COUNT and ANCHORE_AUTHENTICATION_LOCK_EXPIRES environment variables.

    The count value represents the number of failed authentication attempts allowed to take place before a temporary lock is applied to the username. The expires value represents, in seconds, how long the lock will be applied for.

    Note that, for security reasons, when this feature is enabled it will be applied to any submitted username, regardless of whether the user exists.

    authentication_lock:
      count: 5
        expires: 300
    
  • The (optional) enable_add_repositories key specifies if repositories can be added via the application interface by either administrative users or standard users. In the absence of this key, the default is True. When enabled, this property also suppresses the availability of the Watch Repository toggle associated with any repository entries displayed in the Artifact Analysis view.

    Note that in the absence of one or all of the properties, the default is also True. Thus, this key, and a child key corresponding to an account type (that is itself explicitly set to False) must be set for the feature to be disabled for that account.

    enable_add_repositories:
      admin: True
      standard: True
    
  • The (optional) ldap_timeout and ldap_connect_timeout keys respectively specify the time (in milliseconds) the LDAP client should let operations stay alive before timing out, and the time (in milliseconds) the LDAP client should wait before timing out on TCP connections. Each value must be a whole number greater than 0.

    When these values are unset (or set incorrectly) the app will fall back to using a default value of 6000 milliseconds. The same default is used when the keys are not enabled.

    These value can be overridden by using the ANCHORE_LDAP_AUTH_TIMEOUT and ANCHORE_LDAP_AUTH_CONNECT_TIMEOUT environment variables.

    ldap_timeout: 6000
    ldap_connect_timeout: 6000
    
  • The (optional) custom_message key allows you to provide a message that will be displayed on the application login page below the Username and Password fields. The key value must be an object that contains:

    • A title key, whose string value provides a title for the message—which can be up to 100 characters
    • A message key, whose string value is the message itself—which can be up to 500 characters
    custom_message:
      title:
        "Title goes here..."
      message:
        "Message goes here..."
    

    Note: Both title and message values must be present and contain at least 1 character for the message box to be displayed. If either value exceeds the character limit, the string will be truncated with an ellipsis.

  • The (optional) log_level key allows you to set the descriptive detail of the application log output. The key value must be a string selected from the following priority-ordered list:

    • error
    • warn
    • info
    • http
    • debug

    Once set, each level will automatically include the output for any levels above it—for example, info will include the log output for details at the warn and error details, whereas error will only show error output.

    This value can be overridden by using the ANCHORE_LOG_LEVEL environment variable. When no level is set, either within this configuration file or by the environment variable, a default level of http is used.

    log_level: 'http'
    
  • The (optional) enrich_inventory_view key allows you to set whether the Kubernetes feature should aggregate and include compliance and vulnerability data from the reports service. Setting this key to be False can increase performance on high-volume systems.

    This value can be overridden by using the ANCHORE_ENRICH_INVENTORY_VIEW environment variable. When no flag is set, either within this configuration file or by the environment variable, a default setting of True is used.

    enrich_inventory_view: True
    
  • The (optional) enable_prometheus_metrics key enables exporting monitoring metrics to Prometheus. The metrics are made available on the /metrics endpoint.

    This value can be overridden by using the ANCHORE_ENABLE_METRICS environment variable. When no flag is set, either within this configuration file or by the environment variable, a default setting of False is used.

    enable_prometheus_metrics: False
    

NOTE: The latest default UI configuration file can always be extracted from the Enterprise UI container to review the latest options, environment overrides and descriptions of each option using the following process:

# docker login
# docker pull docker.io/anchore/enterprise-ui:latest
# docker create --name aui docker.io/anchore/enterprise-ui:latest
# docker cp aui:/config/config-ui.yaml /tmp/my-config-ui.yaml
# docker rm aui
# cat /tmp/my-config-ui.yaml
...
...
Last modified June 6, 2023