Enterprise UI Configuration
The Enterprise UI service has some static configuration options that are read
from /config/config-ui.yaml
inside the UI container image when the system
starts up.
The configuration is designed to not require any modification when using the quickstart (docker compose) or production (Helm) methods of deploying Anchore Enterprise. If modifications are desired, the options, their meanings, and environment overrides are listed below for reference:
The (required)
license_path
key specifies the location of the local system folder containing thelicense.yaml
license file required by the Anchore Enterprise UI web service for product activation. This value can be overridden by using theANCHORE_LICENSE_PATH
environment variable.license_path: '/'
The (required)
enterprise_uri
key specifies the address of the Anchore Enterprise service. The value must be a string containing a properly-formed ‘http’ or ‘https’ URI. This value can be overridden by using theANCHORE_ENTERPRISE_URI
environment variable.enterprise_uri: 'http://api:8228/v2'
The (required)
redis_uri
key specifies the address of the Redis service. The value must be a string containing a properly-formed ‘http’, ‘https’, orredis
URI. Note that the default configuration uses the REdis Serialization Protocol (RESP). This value can be overridden by using theANCHORE_REDIS_URI
environment variable.redis_uri: 'redis://ui-redis:6379'
The (required)
appdb_uri
key specifies the location and credentials for the postgres DB endpoint used by the UI. The value must contain the host, port, DB user, DB password, and DB name. This value can be overridden by using theANCHORE_APPDB_URI
environment variable.appdb_uri: 'postgres://<db-user>:<db-pass>@<db-host>:<db-port>/<db-name>'
The (required)
reports_uri
key specifies the address of the Reports service. The value must be a string containing a properly-formed ‘http’ or ‘https’ URI and can be overridden by using theANCHORE_REPORTS_URI
environment variable.Note that the presence of an uncommented
reports_uri
key in this file (even if unset, or set with an invalid value) instructs the Anchore Enterprise UI web service that the Reports feature must be enabled.reports_uri: 'http://reports:8228/v2'
The (optional)
enable_ssl
key specifies if SSL operations should be enabled within in the web app runtime. When this value is set toTrue
, secure cookies will be used with aSameSite
value ofNone
. The value must be a Boolean, and defaults toFalse
if unset.Note: Only enable this property if your UI deployment configured to run within an SSL-enabled environment (for example, behind a reverse proxy, in the presence of signed certs etc.)
This value can be overridden by using the
ANCHORE_ENABLE_SSL
environment variable.enable_ssl: False
The (optional)
enable_proxy
key specifies whether to trust a reverse proxy when setting secure cookies (via theX-Forwarded-Proto
header). The value must be a Boolean, and defaults toFalse
if unset. In addition, SSL must be enabled for this to work. This value can be overridden by using theANCHORE_ENABLE_PROXY
environment variable.enable_proxy: False
The (optional)
allow_shared_login
key specifies if a single set of user credentials can be used to start multiple Anchore Enterprise UI sessions; for example, by multiple users across different systems, or by a single user on a single system across multiple browsers.When set to
False
, only one session per credential is permitted at a time, and logging in will invalidate any other sessions that are using the same set of credentials. If this property is unset, or is set to anything other than a Boolean, the web service will default toTrue
.Note that setting this property to
False
does not prevent a single session from being viewed within multiple tabs inside the same browser. This value can be overridden by using theANCHORE_ALLOW_SHARED_LOGIN
environment variable.allow_shared_login: True
The (optional)
redis_flushdb
key specifies if the Redis datastore containing user session keys and data is emptied on application startup. If the datastore is flushed, any users with active sessions will be required to re-authenticate.If this property is unset, or is set to anything other than a Boolean, the web service will default to
True
. This value can be overridden by using theANCHORE_REDIS_FLUSHDB
environment variable.redis_flushdb: True
The (optional)
custom_links
key allows a list of up to 10 external links to be provided (additional items will be excluded). The top-leveltitle
key provided the label for the menu (if present, otherwise the string “Custom External Links” will be used instead).Each link entry must have a title of greater than 0-length and a valid URI. If either item is invalid, the entry will be excluded.
custom_links: title: Custom External Links links: - title: Example Link 1 uri: https://example.com - title: Example Link 2 uri: https://example.com - title: Example Link 3 uri: https://example.com - title: Example Link 4 uri: https://example.com - title: Example Link 5 uri: https://example.com - title: Example Link 6 uri: https://example.com - title: Example Link 7 uri: https://example.com - title: Example Link 8 uri: https://example.com - title: Example Link 9 uri: https://example.com - title: Example Link 10 uri: https://example.com
The (optional)
force_websocket
key specifies if the WebSocket protocol must be used for socket message communications. By default, long-polling is initially used to establish the handshake between client and web service, followed by a switch to WS if the WebSocket protocol is supported.If this value is unset, or is set to anything other than a Boolean, the web service will default to
False
.This value can be overridden by using the
ANCHORE_FORCE_WEBSOCKET
environment variable.force_websocket: False
The (optional)
authentication_lock
keys specify if a user should be temporarily prevented from logging in to an account after one or more failed authentication attempts. For this feature to be enabled, both values must be whole numbers greater than0
. They can be overridden by using theANCHORE_AUTHENTICATION_LOCK_COUNT
andANCHORE_AUTHENTICATION_LOCK_EXPIRES
environment variables.The
count
value represents the number of failed authentication attempts allowed to take place before a temporary lock is applied to the username. Theexpires
value represents, in seconds, how long the lock will be applied for.Note that, for security reasons, when this feature is enabled it will be applied to any submitted username, regardless of whether the user exists.
authentication_lock: count: 5 expires: 300
The (optional)
enable_add_repositories
key specifies if repositories can be added via the application interface by either administrative users or standard users. In the absence of this key, the default isTrue
. When enabled, this property also suppresses the availability of the Watch Repository toggle associated with any repository entries displayed in the Artifact Analysis view.Note that in the absence of one or all of the properties, the default is also
True
. Thus, this key, and a child key corresponding to an account type (that is itself explicitly set toFalse
) must be set for the feature to be disabled for that account.enable_add_repositories: admin: True standard: True
The (optional)
ldap_timeout
andldap_connect_timeout
keys respectively specify the time (in milliseconds) the LDAP client should let operations stay alive before timing out, and the time (in milliseconds) the LDAP client should wait before timing out on TCP connections. Each value must be a whole number greater than0
.When these values are unset (or set incorrectly) the app will fall back to using a default value of
6000
milliseconds. The same default is used when the keys are not enabled.These value can be overridden by using the
ANCHORE_LDAP_AUTH_TIMEOUT
andANCHORE_LDAP_AUTH_CONNECT_TIMEOUT
environment variables.ldap_timeout: 6000 ldap_connect_timeout: 6000
The (optional)
custom_message
key allows you to provide a message that will be displayed on the application login page below the Username and Password fields. The key value must be an object that contains:- A
title
key, whose string value provides a title for the message—which can be up to100
characters - A
message
key, whose string value is the message itself—which can be up to500
characters
custom_message: title: "Title goes here..." message: "Message goes here..."
Note: Both
title
andmessage
values must be present and contain at least1
character for the message box to be displayed. If either value exceeds the character limit, the string will be truncated with an ellipsis.- A
The (optional)
log_level
key allows you to set the descriptive detail of the application log output. The key value must be a string selected from the following priority-ordered list:error
warn
info
http
debug
Once set, each level will automatically include the output for any levels above it—for example,
info
will include the log output for details at thewarn
anderror
details, whereaserror
will only show error output.This value can be overridden by using the
ANCHORE_LOG_LEVEL
environment variable. When no level is set, either within this configuration file or by the environment variable, a default level ofhttp
is used.log_level: 'http'
The (optional)
enrich_inventory_view
key allows you to set whether the Kubernetes feature should aggregate and include compliance and vulnerability data from the reports service. Setting this key to beFalse
can increase performance on high-volume systems.This value can be overridden by using the
ANCHORE_ENRICH_INVENTORY_VIEW
environment variable. When no flag is set, either within this configuration file or by the environment variable, a default setting ofTrue
is used.enrich_inventory_view: True
The (optional)
enable_prometheus_metrics
key enables exporting monitoring metrics to Prometheus. The metrics are made available on the /metrics endpoint.This value can be overridden by using the
ANCHORE_ENABLE_METRICS
environment variable. When no flag is set, either within this configuration file or by the environment variable, a default setting ofFalse
is used.enable_prometheus_metrics: False
NOTE: The latest default UI configuration file can always be extracted from the Enterprise UI container to review the latest options, environment overrides and descriptions of each option using the following process:
# docker login
# docker pull docker.io/anchore/enterprise-ui:latest
# docker create --name aui docker.io/anchore/enterprise-ui:latest
# docker cp aui:/config/config-ui.yaml /tmp/my-config-ui.yaml
# docker rm aui
# cat /tmp/my-config-ui.yaml
...
...
Last modified September 9, 2024