diff --git a/doc/tooling/tcm/_images/tcm_ui_acl.png b/doc/tooling/tcm/_images/tcm_ui_acl.png index 0f64965437..08466b0cb0 100644 Binary files a/doc/tooling/tcm/_images/tcm_ui_acl.png and b/doc/tooling/tcm/_images/tcm_ui_acl.png differ diff --git a/doc/tooling/tcm/_images/tcm_ui_add_ons.png b/doc/tooling/tcm/_images/tcm_ui_add_ons.png new file mode 100644 index 0000000000..104f39a5bf Binary files /dev/null and b/doc/tooling/tcm/_images/tcm_ui_add_ons.png differ diff --git a/doc/tooling/tcm/_images/tcm_ui_audit_log.png b/doc/tooling/tcm/_images/tcm_ui_audit_log.png index e2f3094781..e37d453b74 100644 Binary files a/doc/tooling/tcm/_images/tcm_ui_audit_log.png and b/doc/tooling/tcm/_images/tcm_ui_audit_log.png differ diff --git a/doc/tooling/tcm/_images/tcm_ui_cluster_metrics.png b/doc/tooling/tcm/_images/tcm_ui_cluster_metrics.png index 5ce828d3dc..5141b43778 100644 Binary files a/doc/tooling/tcm/_images/tcm_ui_cluster_metrics.png and b/doc/tooling/tcm/_images/tcm_ui_cluster_metrics.png differ diff --git a/doc/tooling/tcm/_images/tcm_ui_cluster_migrations.png b/doc/tooling/tcm/_images/tcm_ui_cluster_migrations.png index 4457877266..7ff4b1efc2 100644 Binary files a/doc/tooling/tcm/_images/tcm_ui_cluster_migrations.png and b/doc/tooling/tcm/_images/tcm_ui_cluster_migrations.png differ diff --git a/doc/tooling/tcm/_images/tcm_ui_instance_explorer.png b/doc/tooling/tcm/_images/tcm_ui_instance_explorer.png index e1c66a850e..84fa7d01bf 100644 Binary files a/doc/tooling/tcm/_images/tcm_ui_instance_explorer.png and b/doc/tooling/tcm/_images/tcm_ui_instance_explorer.png differ diff --git a/doc/tooling/tcm/_images/tcm_ui_tcm_metrics.png b/doc/tooling/tcm/_images/tcm_ui_tcm_metrics.png index 8d69e8a6a7..eb7fbc8658 100644 Binary files a/doc/tooling/tcm/_images/tcm_ui_tcm_metrics.png and b/doc/tooling/tcm/_images/tcm_ui_tcm_metrics.png differ 
diff --git a/doc/tooling/tcm/_images/tcm_ui_tuples.png b/doc/tooling/tcm/_images/tcm_ui_tuples.png index c3a8d39c19..04cf5a6015 100644 Binary files a/doc/tooling/tcm/_images/tcm_ui_tuples.png and b/doc/tooling/tcm/_images/tcm_ui_tuples.png differ diff --git a/doc/tooling/tcm/_images/tcm_ui_user_settings.png b/doc/tooling/tcm/_images/tcm_ui_user_settings.png index 6d70d9c93f..9e54972972 100644 Binary files a/doc/tooling/tcm/_images/tcm_ui_user_settings.png and b/doc/tooling/tcm/_images/tcm_ui_user_settings.png differ diff --git a/doc/tooling/tcm/_images/tcm_ui_users.png b/doc/tooling/tcm/_images/tcm_ui_users.png index 446116823c..d8e1158642 100644 Binary files a/doc/tooling/tcm/_images/tcm_ui_users.png and b/doc/tooling/tcm/_images/tcm_ui_users.png differ diff --git a/doc/tooling/tcm/tcm_access_control/tcm_access_control_rbac.rst b/doc/tooling/tcm/tcm_access_control/tcm_access_control_rbac.rst index ca45072581..f915056548 100644 --- a/doc/tooling/tcm/tcm_access_control/tcm_access_control_rbac.rst +++ b/doc/tooling/tcm/tcm_access_control/tcm_access_control_rbac.rst @@ -412,3 +412,24 @@ The following cluster permissions are available in |tcm|: * - ``cluster.metrics`` - View cluster metrics + + * - ``cluster.config.security`` + - View and edit settings on the **Security** tab + + * - ``cluster.user.read`` + - View users and roles of the cluster on the Users tab on the instance page + + * - ``cluster.user.write`` + - Create, edit, and delete users and roles of the cluster on the **Users** tab on the **Instance page** + + * - ``cluster.migrations.read`` + - View information about loaded and applied migrations on the **Migrations** tab + + * - ``cluster.migrations.write`` + - Create, edit, and apply migrations + + * - ``cluster.tcf.read`` + - View information about TCF clusters and their status on the **TCF** tab + + * - ``cluster.tcf.write`` + - Modify TCF configuration settings and switch cluster states on the **TCF** tab 
diff --git a/doc/tooling/tcm/tcm_access_control/tcm_ldap_auth.rst b/doc/tooling/tcm/tcm_access_control/tcm_ldap_auth.rst index fd02ae5f48..f12a46ad8a 100644 --- a/doc/tooling/tcm/tcm_access_control/tcm_ldap_auth.rst +++ b/doc/tooling/tcm/tcm_access_control/tcm_ldap_auth.rst @@ -101,6 +101,7 @@ Define the general configuration settings: * **Automatically add non-existent users**. By default, |tcm| automatically saves LDAP user information to its :ref:`backend store ` upon their first login. Turn the toggle off if you don't want to save users from this LDAP server. + If the parameter is disabled, the user must be added manually in TCM on the **Users** tab, and the authentication method must be set to LDAP. .. _tcm_ldap_auth_config_connect: @@ -122,7 +123,7 @@ LDAP queries To define how |tcm| queries the LDAP server for user authentication and authorization, fill in the fields of the **Queries** step: -- **Query user** and **Query password**. Credentials of the LDAP user on behalf +- (Optional fields) **Query user** and **Query password**. Credentials of the LDAP user on behalf of which all LDAP queries are executed: a distinguished name (DN) and a password. Example DN: @@ -163,7 +164,7 @@ fill in the fields of the **Queries** step: - (Optional) **Template query**. A template for querying the LDAP server for the DN. This way is used if **Template DN** is not provided. -- **Group query template**. A template for querying groups to which a user belongs +- (Optional) **Group query template**. A template for querying groups to which a user belongs for authorization purposes. Learn more in :ref:`tcm_ldap_auth_config_permissions`. Example: diff --git a/doc/tooling/tcm/tcm_audit_log.rst b/doc/tooling/tcm/tcm_audit_log.rst index 936f297700..a08ea12269 100644 --- a/doc/tooling/tcm/tcm_audit_log.rst +++ b/doc/tooling/tcm/tcm_audit_log.rst 
@@ -37,9 +37,15 @@ For details, see :ref:`Viewing audit log `. Enabling audit logging ---------------------- -To enable audit logging in |tcm|, go to **Audit settings** and click **Enable**. +You can enable and configure the audit log in two ways: -To additionally send audit log events to the standard output, click **Send to stdout**. +* in the TCM UI +* in the TCM configuration YAML file + +To enable audit logging in |tcm| UI, go to **Audit settings** and click **Enable**. To additionally send audit log events to the standard output, click **Send to stdout**. + +You can also pre-configure audit logging during the first TCM launch by setting options in the TCM configuration file (tcm.yaml) +through the :ref:`initial-settings.auditlog ` parameter. .. _tcm_audit_log_config: @@ -56,7 +62,7 @@ Writing to a file To write |tcm| audit logs to a file: 1. Go to **Audit settings** and select the **file** protocol. -2. Specify the name of the audit log file. The file appears in the |tcm| working directory. +2. Specify the name of the audit log file. The file will be saved in the directory specified by the user, which can be either absolute or relative. The file appears in the |tcm| working directory. 3. Configure the log files rotation: the maximum file size and age, and the number of files to store simultaneously. 4. (Optional) Enable compression of audit log files. diff --git a/doc/tooling/tcm/tcm_configuration.rst b/doc/tooling/tcm/tcm_configuration.rst index 93ce3aaad1..d603ec7c61 100644 --- a/doc/tooling/tcm/tcm_configuration.rst +++ b/doc/tooling/tcm/tcm_configuration.rst @@ -68,13 +68,10 @@ The example below shows a fragment of a |tcm| configuration file: # a fragment of a YAML configuration file cluster: # top-level group - on-air-limit: 4096 connection-rate-limit: 512 tarantool-timeout: 10s tarantool-ping-timeout: 5s http: # top-level group - basic-auth: # nested group - enabled: false network: tcp host: 127.0.0.1 port: 8080 
diff --git a/doc/tooling/tcm/tcm_configuration_reference.rst b/doc/tooling/tcm/tcm_configuration_reference.rst index b60668faec..f5eab61c20 100644 --- a/doc/tooling/tcm/tcm_configuration_reference.rst +++ b/doc/tooling/tcm/tcm_configuration_reference.rst @@ -21,6 +21,8 @@ There are the following groups of |tcm| configuration parameters: - :ref:`mode ` - :ref:`feature ` - :ref:`initial-settings ` +- :ref:`migrations ` +- :ref:`default-cluster ` .. _tcm_configuration_reference_cluster: @@ -40,6 +42,14 @@ Tarantool clusters. - :ref:`sharding-index ` - :ref:`skew-time ` - :ref:`fragmentation-threshold ` +- :ref:`connectivity-check-timeout ` +- :ref:`backoff-initial-delay ` +- :ref:`backoff-max-delay ` +- :ref:`backoff-failure-threshold ` +- :ref:`connection-pool-check-timeout ` +- :ref:`watcher-retry-delay ` +- :ref:`stats-max-space-length ` +- :ref:`stats-timeout ` .. _tcm_configuration_reference_cluster_connection-rate-limit: 
@@ -166,6 +176,102 @@ Tarantool clusters. | Environment variable: TCM_CLUSTER_FRAGMENTATION_THRESHOLD | Command-line option: ``--cluster.fragmentation-threshold`` +.. _tcm_configuration_reference_cluster_connectivity_check_timeout: + +.. confval:: cluster.connectivity-check-timeout + + The maximum time to wait for a response from a cluster node during availability check. If the node does not respond within this time, the check is considered failed. + + | + | Type: time.Duration + | Default: 3s + | Environment variable: TCM_CLUSTER_CONNECTIVITY_CHECK_TIMEOUT + | Command-line option: ``--cluster.connectivity-check-timeout`` + +.. _tcm_configuration_reference_cluster_backoff_initial_delay: + +.. confval:: cluster.backoff-initial-delay + + The initial delay before the first retry attempt to reconnect to a node after failure. Used to reduce load during frequent failures. + + | + | Type: time.Duration + | Default: 1s + | Environment variable: TCM_CLUSTER_BACKOFF_INITIAL_DELAY + | Command-line option: ``--cluster.backoff-initial-delay`` + +.. _tcm_configuration_reference_cluster_backoff_max_delay: + +.. confval:: cluster.backoff-max-delay + + The maximum delay between reconnect attempts. After reaching this delay, it stops increasing. + + | + | Type: time.Duration + | Default: 30s + | Environment variable: TCM_CLUSTER_BACKOFF_MAX_DELAY + | Command-line option: ``--cluster.backoff-max-delay`` + +.. _tcm_configuration_reference_cluster_backoff_failure_threshold: + +.. confval:: cluster.backoff-failure-threshold + + The number of failed connection attempts after which TCM stops further attempts and marks the node as unavailable. + + | + | Type: int + | Default: 3 + | Environment variable: TCM_CLUSTER_BACKOFF_FAILURE_THRESHOLD + | Command-line option: ``--cluster.backoff-failure-threshold`` + +.. _tcm_configuration_reference_cluster_connection_pool_check_timeout: + +.. 
confval:: cluster.connection-pool-check-timeout + + The maximum time to wait for a connection response from the pool to a cluster node. Used to verify the connection validity. + + | + | Type: time.Duration + | Default: 3s + | Environment variable: TCM_CLUSTER_CONNECTION_POOL_CHECK_TIMEOUT + | Command-line option: ``--cluster.connection-pool-check-timeout`` + +.. _tcm_configuration_reference_cluster_watcher_retry_delay: + +.. confval:: cluster.watcher-retry-delay + + The delay between reconnect attempts to the watch system after a failure. + + | + | Type: time.Duration + | Default: 1s + | Environment variable: TCM_CLUSTER_WATCHER_RETRY_DELAY + | Command-line option: ``--cluster.watcher-retry-delay`` + +.. _tcm_configuration_reference_cluster_stats_max_space_length: + +.. confval:: cluster.stats-max-space-length + + The maximum number of records in the statistics buffer that will be stored before sending or processing. + + | + | Type: int + | Default: 10000 + | Environment variable: TCM_CLUSTER_STATS_MAX_SPACE_LENGTH + | Command-line option: ``--cluster.stats-max-space-length`` + +.. _tcm_configuration_reference_cluster_stats_timeout: + +.. confval:: cluster.stats-timeout + + The maximum time to wait for a response from a node when querying statistics. If the node does not respond within this time, the query is considered failed. + + | + | Type: time.Duration + | Default: 1m + | Environment variable: TCM_CLUSTER_STATS_TIMEOUT + | Command-line option: ``--cluster.stats-timeout`` + .. _tcm_configuration_reference_http: http @@ -189,6 +295,7 @@ The ``http`` group defines parameters of HTTP connections between |tcm| and clie - :ref:`http.websession-cookie.secure ` - :ref:`http.websession-cookie.http-only ` - :ref:`http.websession-cookie.same-site ` +- :ref:`http.websession-cookie.cleanup-period ` - :ref:`http.cors.enabled ` - :ref:`http.cors.allowed-origins ` - :ref:`http.cors.allowed-methods ` 
@@ -199,7 +306,7 @@ The ``http`` group defines parameters of HTTP connections between |tcm| and clie - :ref:`http.tls.enabled ` - :ref:`http.tls.cert-file ` - :ref:`http.tls.key-file ` -- :ref:`http.tls.server ` +- :ref:`http.tls.server ` - :ref:`http.tls.min-version ` - :ref:`http.tls.max-version ` - :ref:`http.tls.curve-preferences ` @@ -458,6 +565,18 @@ The ``http`` group defines parameters of HTTP connections between |tcm| and clie | Environment variable: TCM_HTTP_WEBSESSION_COOKIE_SAME_SITE | Command-line option: ``---http.websession-cookie.same-site`` +.. _tcm_configuration_reference_http_websession-cookie_cleanup-period: + +.. confval:: http.websession-cookie.cleanup-period + + Interval between cleanup runs for expired sessions. A session is considered expired if it hasn't been updated for the duration specified in the `http.websession-cookie.ttl` variable. + + | + | Type: time.Duration + | Default value: 2m0s + | Environment variable: TCM_HTTP_WEBSESSION_COOKIE_CLEANUP_PERIOD + | Command-line flag: ``--http.websession-cookie.cleanup-period`` + .. _tcm_configuration_reference_http_cors_enabled: .. confval:: http.cors.enabled @@ -597,17 +716,17 @@ The ``http`` group defines parameters of HTTP connections between |tcm| and clie | Environment variable: TCM_HTTP_TLS_KEY_FILE | Command-line option: ``--http.tls.key-file`` -.. _tcm_configuration_reference_http_tls_server: +.. _tcm_configuration_reference_http_tls_server_name: -.. confval:: http.tls.server +.. confval:: http.tls.server-name The TLS server. | | Type: string | Default: "" - | Environment variable: TCM_HTTP_TLS_SERVER - | Command-line option: ``--http.tls.server`` + | Environment variable: TCM_HTTP_TLS_SERVER_NAME + | Command-line option: ``--http.tls.server-name`` .. _tcm_configuration_reference_http_tls_min-version: 
@@ -3013,3 +3132,186 @@ See also :ref:`tcm_configuration_initial`. | | Type: string | Default: "" + +.. _tcm_configuration_reference_initial_auditlog: + +.. confval:: initial-settings.auditlog + + Audit log settings, including output to console, file, syslog, and event filtering. + +.. _tcm_configuration_reference_initial_auditlog_enabled: + +.. confval:: initial-settings.auditlog.enabled + + Enables or disables audit logging. + + | + | Type: bool + | Default: false + +.. _tcm_configuration_reference_initial_auditlog_stdout: + +.. confval:: initial-settings.auditlog.stdout + + Enables output of audit logs to standard output (stdout). + + | + | Type: bool + | Default: false + +.. _tcm_configuration_reference_initial_auditlog_protocol: + +.. confval:: initial-settings.auditlog.protocol + + Specifies the output method for audit logs. Possible values: `file`, `syslog`. + + | + | Type: string + | Default: file + +.. _tcm_configuration_reference_initial_auditlog_file_output: + +.. confval:: initial-settings.auditlog.file.output + + Path to the file where audit logs will be written. The file will appear in the TCM working directory. The user running TCM must have read and write permissions to the specified directory. + + | + | Type: string + | Default: "" + +.. _tcm_configuration_reference_initial_auditlog_file.max-size: + +.. confval:: initial-settings.auditlog.file.max-size + + Maximum file size in megabytes before rotation. + + | + | Type: int + | Default: 0 + +.. _tcm_configuration_reference_initial_auditlog_file.max-backups: + +.. confval:: initial-settings.auditlog.file.max-backups + + Maximum number of backup files to keep. + + | + | Type: int + | Default: 0 + +.. _tcm_configuration_reference_initial_auditlog_file.max-age: + +.. confval:: initial-settings.auditlog.file.max-age + + Maximum number of days to keep logs. + + | + | Type: int + | Default: 0 + +.. _tcm_configuration_reference_initial_auditlog_file.compress: + +.. 
confval:: initial-settings.auditlog.file.compress + + Enables compression of backup log files. + + | + | Type: bool + | Default: false + +.. _tcm_configuration_reference_initial_auditlog_syslog_protocol: + +.. confval:: initial-settings.auditlog.syslog.protocol + + Syslog protocol. Possible values: `udp`, `tcp`. + + | + | Type: string + | Default: udp + +.. _tcm_configuration_reference_initial_auditlog_syslog_output: + +.. confval:: initial-settings.auditlog.syslog.output + + Syslog server address and port. + + | + | Type: string + | Default: "" + +.. _tcm_configuration_reference_initial_auditlog_syslog_priority: + +.. confval:: initial-settings.auditlog.syslog.priority + + Syslog message priority level. + + | + | Type: string + | Default: "" + +.. _tcm_configuration_reference_initial_auditlog_syslog_facility: + +.. confval:: initial-settings.auditlog.syslog.facility + + Syslog facility (category) for messages. + + | + | Type: string + | Default: "" + +.. _tcm_configuration_reference_initial_auditlog_syslog_timeout: + +.. confval:: initial-settings.auditlog.syslog.timeout + + Maximum timeout for syslog server response. + + | + | Type: time.Duration + | Default: 2s + +.. _tcm_configuration_reference_initial_auditlog_syslog_filters: + +.. confval:: initial-settings.auditlog.syslog.filters + + List of filters applied to audit events. Filters allow including or excluding specific types of events. + + | + | Type: string + | Default: [] + + +.. _tcm_configuration_reference_migrations: + +migrations +---------- + +Section `migrations` contains settings for migrations. + +.. _tcm_configuration_reference_migrations_duration: + +.. confval:: migrations.duration + + Maximum time allowed for long-running migrations to prevent interruption, set by default. + + | + | Type: time.Duration + | Default value: 6m0s + + +.. _tcm_configuration_reference_default-cluster: + +default-cluster +--------------- + +Section `default-cluster` controls the default cluster. + +.. 
_tcm_configuration_reference_default-cluster_option: + +.. confval:: default-cluster + + Whether the default cluster (Default cluster) is automatically created. + + | + | Type: string + | Possible values: true or false + | Default value: true diff --git a/doc/tooling/tcm/tcm_connect_clusters.rst b/doc/tooling/tcm/tcm_connect_clusters.rst index 8e8c031cf3..6e934e03ac 100644 --- a/doc/tooling/tcm/tcm_connect_clusters.rst +++ b/doc/tooling/tcm/tcm_connect_clusters.rst @@ -103,6 +103,7 @@ follow these steps: * The URIs of the configuration storage instances. * The credentials for accessing the configuration storage. * The SSL/TLS parameters if the connection encryption is enabled on the storage. + * Optionally, add prefix for TDB worker nodes. 4. Provide the credentials for accessing the cluster: a Tarantool user's name, their password, and SSL parameters in case :ref:`traffic encryption ` diff --git a/doc/tooling/tcm/tcm_ui_overview.rst b/doc/tooling/tcm/tcm_ui_overview.rst index f425a7c899..2990146aa2 100644 --- a/doc/tooling/tcm/tcm_ui_overview.rst +++ b/doc/tooling/tcm/tcm_ui_overview.rst @@ -149,6 +149,8 @@ It provides a set of tabs for performing actions on the selected Tarantool insta - **Users** tab: manage Tarantool :ref:`users and roles ` on the instance - **Funcs**: manage and call stored functions - **Metrics**: view instance metrics +- **Warnings**: view warnings that occurred on the instance. The tab is displayed when there are warnings on the instance +- **Errors**: view errors that occurred on the instance. The tab is displayed when there are errors on the instance The instance page has an **Actions** menu at the top that allows you to: 
@@ -754,6 +756,18 @@ The **TCM metrics** tab provides access to the |tcm| metrics. :width: 700 :alt: TCM metrics page +.. _tcm_ui_tools_add_ons: + +Add-ons +~~~~~~~~~~~ + +The Add-ons page displays the loaded extensions for TCM. + +.. image:: _images/tcm_ui_add_ons.png + :align: left + :width: 700 + :alt: Add-ons page + .. _tcm_ui_settings: Settings @@ -825,3 +839,4 @@ This dialog includes the following tabs: - **API tokens** tab: generate and delete :ref:`API tokens ` - **Sessions** tab: view and revoke your user sessions - **About** tab: view |tcm| information about switch between development and production modes +- **Authentication methods** tab: change the authentication method
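Review bot: in tcm_access_control_rbac.rst (hunk @@ -412,3 +412,24 @@), the ``cluster.user.read`` row writes "Users tab on the instance page" as plain text, while the ``cluster.user.write`` row directly below it bolds **Users** and **Instance page**. Use the same markup and capitalization in both rows. The three read/write pairs added here also do not say whether a ``.write`` permission includes the matching ``.read``; stating that would help anyone assembling least-privilege roles from this table.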
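Review bot: in tcm_ldap_auth.rst (hunk @@ -101,6 +101,7 @@), the sentence added under **Automatically add non-existent users** spells the product as "TCM" while the rest of the bullet uses the ``|tcm|`` substitution, and it does not say what an LDAP user who was not added manually sees at login when the toggle is off. Suggest switching to ``|tcm|`` and adding the outcome of such a login attempt, so the toggle's effect on access is explicit.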
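Review bot: in tcm_ldap_auth.rst (hunk @@ -122,7 +123,7 @@), marking **Query user** and **Query password** as optional leaves open which identity is used for LDAP queries when they are empty; the description still reads "Credentials of the LDAP user on behalf of which all LDAP queries are executed". Add a sentence naming the bind used in that case, since it determines what the directory has to permit. The label "(Optional fields)" also differs from the "(Optional)" used for **Template query** and **Group query template** in the next hunk.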
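Review bot: in tcm_audit_log.rst (hunk @@ -37,9 +37,15 @@), the new paragraph says audit logging can be pre-configured "during the first TCM launch" but does not say what happens to ``initial-settings.auditlog`` on later launches. State whether the file settings are ignored once the UI settings exist, so operators do not assume that editing the YAML re-enables or changes auditing on a running installation. The file name would also read better as ``tcm.yaml`` in literal markup, with ``|tcm|`` in place of the bare "TCM".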
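Review bot: in tcm_audit_log.rst (hunk @@ -56,7 +62,7 @@), step 2 now contradicts itself: the added sentence says the file "will be saved in the directory specified by the user, which can be either absolute or relative", and the retained sentence says "The file appears in the |tcm| working directory". Keep one statement, for example that a relative path is resolved against the |tcm| working directory, and note that the account running |tcm| needs write access there, as the ``initial-settings.auditlog.file.output`` entry already does.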
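Review bot: in tcm_configuration_reference.rst (hunk @@ -166,6 +176,102 @@), the three backoff parameters do not explain how they interact. ``cluster.backoff-failure-threshold`` says |tcm| "stops further attempts and marks the node as unavailable" after 3 failures by default, while ``cluster.backoff-max-delay`` describes a delay that grows from 1s up to 30s; it is unclear whether retries continue after the threshold and how the delay increases between attempts. The new labels also use underscores (``..._connectivity_check_timeout``) where the existing labels in this file keep the option's hyphens (``..._http_tls_min-version``).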
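Review bot: in tcm_configuration_reference.rst (hunk @@ -199,7 +306,7 @@), the list entry for the renamed option still shows the link text ``http.tls.server``, although the option is documented as ``http.tls.server-name`` further down in this patch. Update the visible text so the index matches the ``confval`` name.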
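Review bot: in tcm_configuration_reference.rst (hunk @@ -458,6 +565,18 @@), the ``http.websession-cookie.cleanup-period`` entry uses "Default value:" and "Command-line flag:" where every neighbouring entry uses "Default:" and "Command-line option:". The reference to `http.websession-cookie.ttl` is also in single backticks, which reStructuredText treats as interpreted text rather than a literal; use double backticks or a ``:ref:`` to the option.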
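Review bot: in tcm_configuration_reference.rst (hunk @@ -597,17 +716,17 @@), the option, environment variable and command-line option are renamed to ``server-name``, but the description is left as "The TLS server.", which no longer describes the value. Reword it to say what the name is used for, and mention whether the previous ``http.tls.server`` and ``TCM_HTTP_TLS_SERVER`` names are still accepted, since existing deployments may set them.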
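Review bot: in tcm_configuration_reference.rst (hunk @@ -3013,3 +3132,186 @@), two entries declare a type that does not match their values: ``initial-settings.auditlog.syslog.filters`` is "Type: string" with "Default: []", and ``default-cluster`` is "Type: string" with possible values true or false. The ``file.max-size``, ``file.max-backups`` and ``file.max-age`` entries default to 0 without saying what 0 means for rotation and retention, which matters for audit data. The filters option sits under ``syslog`` although its description covers audit events in general, and the ``migrations.duration`` description ("to prevent interruption, set by default") needs rewording to say what happens when the limit is reached.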
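Review bot: in tcm_connect_clusters.rst (hunk @@ -103,6 +103,7 @@), the new bullet "Optionally, add prefix for TDB worker nodes." is an instruction inside a list whose other items are noun phrases naming what to provide, and "TDB" is not introduced anywhere in the visible step. Suggest phrasing it like its siblings, for example "(Optional) The prefix for TDB worker nodes.", and linking or expanding TDB on first use.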
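Review bot: in tcm_ui_overview.rst (hunk @@ -754,6 +756,18 @@), the ``Add-ons`` title is underlined with eleven tildes for a seven-character title; match the underline to the title length as a matter of consistency. The sentence "The Add-ons page displays the loaded extensions for TCM." should use the ``|tcm|`` substitution like the neighbouring sections, and could say which permission is required to open the page.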