2.6. The Config File¶
privacyIDEA reads its configuration from different locations:
default configuration from the module
privacyidea/config.py
then from the config file
/etc/privacyidea/pi.cfg
if it exists and thenfrom the file specified in the environment variable
PRIVACYIDEA_CONFIGFILE
.export PRIVACYIDEA_CONFIGFILE=/your/config/file
The configuration is overwritten and extended in each step. I.e. values define
in privacyidea/config.py
that are not redefined in one of the other config files, stay the same.
You can create a new config file (either /etc/privacyidea/pi.cfg
) or any other
file at any location and set the environment variable.
The file should contain the following contents:
# The realm, where users are allowed to login as administrators
SUPERUSER_REALM = ['super', 'administrators']
# Your database
SQLALCHEMY_DATABASE_URI = 'sqlite:////etc/privacyidea/data.sqlite'
# This is used to encrypt the auth_token
SECRET_KEY = 't0p s3cr3t'
# This is used to encrypt the admin passwords
PI_PEPPER = "Never know..."
# This is used to encrypt the token data and token passwords
PI_ENCFILE = '/etc/privacyidea/enckey'
# This is used to sign the audit log
PI_AUDIT_KEY_PRIVATE = '/home/cornelius/src/privacyidea/private.pem'
PI_AUDIT_KEY_PUBLIC = '/home/cornelius/src/privacyidea/public.pem'
# PI_AUDIT_MODUL = <python audit module>
# PI_AUDIT_SQL_URI = <special audit log DB uri>
# PI_LOGFILE = '....'
# PI_LOGLEVEL = 20
# PI_INIT_CHECK_HOOK = 'your.module.function'
# PI_CSS = '/location/of/theme.css'
# PI_UI_DEACTIVATED = True
Note
The config file is parsed as python code, so you can use variables to set the path and you need to take care for indentations.
SQLALCHEMY_DATABASE_URI
defines the location of your database.
You may want to use the MySQL database or Maria DB. There are two possible
drivers, to connect to this database. Please read MySQL database connect string.
The SUPERUSER_REALM
is a list of realms, in which the users get the role
of an administrator.
PI_INIT_CHECK_HOOK
is a function in an external module, that will be
called as decorator to token/init
and token/assign
. This function
takes the request
and action
(either “init” or “assing”) as an
arguments and can modify the request or raise an exception to avoid the
request being handled.
There are three config entries, that can be used to define the logging. These
are PI_LOGLEVEL
, PI_LOGFILE
, PI_LOGCONFIG
. These are described in
Debugging and Logging.
You can use PI_CSS
to define the location of another cascading style
sheet to customize the look and fell. Read more at Themes.
Note
If you ever need passwords being logged in the log file, you may
set PI_LOGLEVEL = 9
, which is a lower log level than logging.DEBUG
.
Use this setting with caution and always delete the logfiles!
privacyIDEA digitally signs the responses. You can disable this using the
parameter PI_NO_RESPONSE_SIGN
. Set this to True to suppress the
response signature.
You can set PI_UI_DEACTIVATED = True
to deactivate the privacyIDEA UI.
This can be interesting if you are only using the command line client or your
own UI and you do not want to present the UI to the user or the outside world.
Note
The API calls are all still accessable, i.e. privacyIDEA is technically fully functional.
2.6.1. Audit parameters¶
PI_AUDIT_MODULE
lets you specify an alternative auditing module. The
default which is shipped with privacyIDEA is
privacyidea.lib.auditmodules.sqlaudit
. There is no need to change this,
unless you know exactly what you are doing.
You can change the servername of the privacyIDEA node, which will be logged
to the audit log using the variable PI_AUDIT_SERVERNAME
.
You can run the database for the audit module on another database or even
server. For this you can specify the database URI via PI_AUDIT_SQL_URI
.
PI_AUDIT_TRUNCATE = True
lets you truncate audit entries, that to the length
of the database fields.
In certain cases when you experiencing problems you may use the parameters
PI_AUDIT_POOL_SIZE
and PI_AUDIT_POOL_RECYCLE
.