If you can't find the product or version you're looking for, visit support.ataccama.com/downloads

Configuring Anomaly Detection

Table of Contents

General Configuration
Health
Logging
Retrying
On-Start Behavior
gRPC Client
- Authentication
- TLS/mTLS
gRPC Server
- Authentication
- TLS/mTLS
Security Headers
Parallelism
Internal and Properties Encryption
Anomaly Detector

The following properties configure the Anomaly Detector microservice and are provided either through the Configuration Service or in the configuration file anomaly-detection-anomaly-detector/etc/application.properties.

General Configuration

Property Data Type Description

Property	Data Type	Description
`ataccama.client.connection.config-service.grpc.port`	Number	The gRPC port of the server where the Configuration Service is running. Default value: `null`.
`ataccama.client.connection.config-service.host`	String	The IP address or the URL of the server where the Configuration Service is running. Default value: `null`.
`ataccama.config-service.heartbeat-interval`	Number	Defines the minimum amount of time after which the microservices signal to the Configuration Service that they are alive. Expressed in seconds. Default value: `30`.
`ataccama.config-service.refresh-interval`	Number	Defines the minimum amount of time after which the microservices send a new request to retrieve properties from the Configuration Service. Expressed in seconds. Default value: `30`.
`ataccama.one.apyc.config.etc-location`	String	The path to the `etc/application.properties` file. Default value: `${ataccama.path.etc}/application.properties`.
`ataccama.one.apyc.config.location`	String	The location of the default `application.properties` file. The default value of this property can be overwritten only through environment variables, otherwise the change is ignored. Default value: `${ataccama.path.lib}/application.properties`.
`ataccama.path.doc`	String	The location of the `doc` folder of the microservice. Default value: `${ataccama.path.root}/doc`.
`ataccama.path.etc`	String	The location of the `etc` folder of the microservice. The `etc/application.properties` path is relative to this path. The default value of this property can be overwritten only through environment variables and the default `application.properties` file. Otherwise, the change is ignored, which can lead to unexpected behavior. Default value: `${ataccama.path.root}/etc`.
`ataccama.path.lib`	String	The location of the `lib` folder of the microservice. The default `application.properties` path is relative to this path. The default value of this property can be overwritten only through environment variables, otherwise the change is ignored. Default value: `${ataccama.path.root}/lib`.
`ataccama.path.log`	String	The location of the `log` folder of the microservice. Default value: `${ataccama.path.root}/log`.
`ataccama.path.migrations`	String	The location of the `migrations` folder of the microservice. Default value: `${ataccama.path.lib}/migrations`.
`ataccama.path.root`	String	The location of the root folder of the microservice. Some configuration paths are defined relatively to this path. The default value of this property can be overwritten only through environment variables, otherwise the change is ignored. Default value: `.`.
`ataccama.path.tmp`	String	The location of the `tmp` folder of the microservice. Default value: `${ataccama.path.root}/temp`.

ataccama.client.connection.config-service.grpc.port

Number

The gRPC port of the server where the Configuration Service is running.

Default value: null.

ataccama.client.connection.config-service.host

String

The IP address or the URL of the server where the Configuration Service is running.

Default value: null.

ataccama.config-service.heartbeat-interval

Number

Defines the minimum amount of time after which the microservices signal to the Configuration Service that they are alive. Expressed in seconds.

Default value: 30.

ataccama.config-service.refresh-interval

Number

Defines the minimum amount of time after which the microservices send a new request to retrieve properties from the Configuration Service. Expressed in seconds.

Default value: 30.

ataccama.one.apyc.config.etc-location

String

The path to the etc/application.properties file.

Default value: ${ataccama.path.etc}/application.properties.

ataccama.one.apyc.config.location

String

The location of the default application.properties file. The default value of this property can be overwritten only through environment variables, otherwise the change is ignored.

Default value: ${ataccama.path.lib}/application.properties.

ataccama.path.doc

String

The location of the doc folder of the microservice.

Default value: ${ataccama.path.root}/doc.

ataccama.path.etc

String

The location of the etc folder of the microservice. The etc/application.properties path is relative to this path. The default value of this property can be overwritten only through environment variables and the default application.properties file. Otherwise, the change is ignored, which can lead to unexpected behavior.

Default value: ${ataccama.path.root}/etc.

ataccama.path.lib

String

The location of the lib folder of the microservice. The default application.properties path is relative to this path. The default value of this property can be overwritten only through environment variables, otherwise the change is ignored.

Default value: ${ataccama.path.root}/lib.

ataccama.path.log

String

The location of the log folder of the microservice.

Default value: ${ataccama.path.root}/log.

ataccama.path.migrations

String

The location of the migrations folder of the microservice.

Default value: ${ataccama.path.lib}/migrations.

ataccama.path.root

String

The location of the root folder of the microservice. Some configuration paths are defined relatively to this path. The default value of this property can be overwritten only through environment variables, otherwise the change is ignored.

Default value: ..

ataccama.path.tmp

String

The location of the tmp folder of the microservice.

Default value: ${ataccama.path.root}/temp.

Health

Property Data Type Description

Property	Data Type	Description
`ataccama.one.apyc.heartbeat_timeout`	Number	The timeout period during which the microservice and its subcomponents need to report as running, otherwise the whole microservice becomes unhealthy and its status changes to `DOWN`. The microservice also proactively shuts itself down when it registers such a situation. Default value: `120`.

ataccama.one.apyc.heartbeat_timeout

Number

The timeout period during which the microservice and its subcomponents need to report as running, otherwise the whole microservice becomes unhealthy and its status changes to DOWN. The microservice also proactively shuts itself down when it registers such a situation.

Default value: 120.

Logging

Property Data Type Description

Property	Data Type	Description
`ataccama.logging.json-console-appender`	Boolean	Enables JSON console appender. Only one console appender can be enabled at a time.
`ataccama.logging.json-file-appender`	Boolean	Enables JSON file appender. Only one file appender can be enabled at a time.
`ataccama.logging.plain-text-console-appender`	Boolean	Enables plain text console appender. Only one console appender can be enabled at a time.
`ataccama.logging.plain-text-file-appender`	Boolean	Enables plain text file appender. Only one file appender can be enabled at a time.
`ataccama.one.apyc.logging.compression`	String	A compression or archive format to which log files should be converted when they are closed. Default value: `zip`.
`ataccama.one.apyc.logging.filename`	String	The name of the file used by the file appender. Default value: `${ataccama.path.log}/{self.microservice_id.module_name}_{self.microservice_id.microservice_name}.log`.
`ataccama.one.apyc.logging.rotation`	String	Indicates how often the current log file should be closed and a new one started. Default value: `4 days`.
`root.level`	String	The minimum severity level starting from which logged messages are sent to the sink. Default value: `INFO`.

ataccama.logging.json-console-appender

Boolean

Enables JSON console appender. Only one console appender can be enabled at a time.

ataccama.logging.json-file-appender

Boolean

Enables JSON file appender. Only one file appender can be enabled at a time.

ataccama.logging.plain-text-console-appender

Boolean

Enables plain text console appender. Only one console appender can be enabled at a time.

ataccama.logging.plain-text-file-appender

Boolean

Enables plain text file appender. Only one file appender can be enabled at a time.

ataccama.one.apyc.logging.compression

String

A compression or archive format to which log files should be converted when they are closed.

Default value: zip.

ataccama.one.apyc.logging.filename

String

The name of the file used by the file appender.

Default value: ${ataccama.path.log}/{self.microservice_id.module_name}_{self.microservice_id.microservice_name}.log.

ataccama.one.apyc.logging.rotation

String

Indicates how often the current log file should be closed and a new one started.

Default value: 4 days.

root.level

String

The minimum severity level starting from which logged messages are sent to the sink.

Default value: INFO.

Retrying

Property Data Type Description

Property	Data Type	Description
`ataccama.one.apyc.retrying.stop.kwargs`	String	Controls retrying of gRPC and graphQL communication attempts. The property determines when retrying stops. By default, retrying stops after 6 attempts in total, out of which 5 are retries. Default value: `{"max_attempt_number": 6}`.
`ataccama.one.apyc.retrying.stop.type`	String	Controls retrying of gRPC and graphQL communication attempts. The property determines which approach is used to stop retrying. For more information, see the Tenacity API Reference, Stop Functions section. Default value: `stop_after_attempt`.
`ataccama.one.apyc.retrying.wait.kwargs`	String	Controls retrying of gRPC and graphQL communication attempts. The property is used to calculate the duration of waiting periods between retries. For more information about how waiting periods between unsuccessful attempts are managed, see the Tenacity API Reference, Wait Functions section. Default value: `{"multiplier": 0.16, "exp_base": 2}`.
`ataccama.one.apyc.retrying.wait.type`	String	Controls retrying of gRPC and graphQL communication attempts. The property determines which approach is used when waiting. For more information about how waiting periods between unsuccessful attempts are managed, see the Tenacity API Reference, Wait Functions section. Default value: `wait_exponential`.

ataccama.one.apyc.retrying.stop.kwargs

String

Controls retrying of gRPC and graphQL communication attempts. The property determines when retrying stops. By default, retrying stops after 6 attempts in total, out of which 5 are retries.

Default value: {"max_attempt_number": 6}.

ataccama.one.apyc.retrying.stop.type

String

Controls retrying of gRPC and graphQL communication attempts. The property determines which approach is used to stop retrying. For more information, see the Tenacity API Reference, Stop Functions section.

Default value: stop_after_attempt.

ataccama.one.apyc.retrying.wait.kwargs

String

Controls retrying of gRPC and graphQL communication attempts. The property is used to calculate the duration of waiting periods between retries. For more information about how waiting periods between unsuccessful attempts are managed, see the Tenacity API Reference, Wait Functions section.

Default value: {"multiplier": 0.16, "exp_base": 2}.

ataccama.one.apyc.retrying.wait.type

String

Controls retrying of gRPC and graphQL communication attempts. The property determines which approach is used when waiting. For more information about how waiting periods between unsuccessful attempts are managed, see the Tenacity API Reference, Wait Functions section.

Default value: wait_exponential.

On-Start Behavior

Property Data Type Description

Property	Data Type	Description
`ataccama.one.apyc.onstart.health.response-timeout`	Number	Sets for how many seconds the microservice waits after requesting health information about its dependencies, for example, when the Recommender waits for the Neighbors or the Autocomplete waits for MMM. For more information, see the Requests Developer Interface Documentation, section about the `timeout` parameter. Default value: `5`.
`ataccama.one.apyc.onstart.retrying.wait.kwargs`	String	Defines the behavior of the microservice while it waits on a dependency before starting. Keyword arguments (kwargs) are the arguments used to construct an instance of the specified wait type. In this case, the keyword argument sets the duration of waiting intervals. Default value: `{"wait": 2.5}`.
`ataccama.one.apyc.onstart.retrying.wait.type`	String	Defines the behavior of the microservice while it waits on a dependency before starting. Currently, the microservice either waits to receive information about the health of the dependency or the database readiness (typically, this means waiting for the database to start and for MMM to create the tables needed). The property defines how waiting periods are managed between unsuccessful attempts to verify the readiness of the dependency. For a list of other available wait types, see the Tenacity API Reference, Wait Functions section. Default value: `wait_fixed`.

ataccama.one.apyc.onstart.health.response-timeout

Number

Sets for how many seconds the microservice waits after requesting health information about its dependencies, for example, when the Recommender waits for the Neighbors or the Autocomplete waits for MMM. For more information, see the Requests Developer Interface Documentation, section about the timeout parameter.

Default value: 5.

ataccama.one.apyc.onstart.retrying.wait.kwargs

String

Defines the behavior of the microservice while it waits on a dependency before starting. Keyword arguments (kwargs) are the arguments used to construct an instance of the specified wait type. In this case, the keyword argument sets the duration of waiting intervals.

Default value: {"wait": 2.5}.

ataccama.one.apyc.onstart.retrying.wait.type

String

Defines the behavior of the microservice while it waits on a dependency before starting. Currently, the microservice either waits to receive information about the health of the dependency or the database readiness (typically, this means waiting for the database to start and for MMM to create the tables needed). The property defines how waiting periods are managed between unsuccessful attempts to verify the readiness of the dependency. For a list of other available wait types, see the Tenacity API Reference, Wait Functions section.

Default value: wait_fixed.

gRPC Client

Property Data Type Description

Property	Data Type	Description
`ataccama.client.grpc.properties.max-message-size`	String	Limits the size of messages that the gRPC client can process. Default value: `1GB`. Accepted units: `B` (bytes), `KB` (kilobytes), `MB` (megabytes), `GB` (gigabytes), `TB` (terabytes). If no unit is specified, `KB` is used.

ataccama.client.grpc.properties.max-message-size

String

Limits the size of messages that the gRPC client can process.

Default value: 1GB.

Accepted units: B (bytes), KB (kilobytes), MB (megabytes), GB (gigabytes), TB (terabytes). If no unit is specified, KB is used.

Authentication

Property Data Type Description

Property	Data Type	Description
`ataccama.authentication.internal.jwt.generator.key`	String	The private key of the microservice used to generate tokens for internal JWT authentication.
`ataccama.authentication.internal.jwt.generator.token-expiration`	Number	Defines the amount of time after which the token generated by the internal JWT generator expires. Expressed in seconds. Default value: `900`.

ataccama.authentication.internal.jwt.generator.key

String

The private key of the microservice used to generate tokens for internal JWT authentication.

ataccama.authentication.internal.jwt.generator.token-expiration

Number

Defines the amount of time after which the token generated by the internal JWT generator expires. Expressed in seconds.

Default value: 900.

TLS/mTLS

Property Data Type Description

Property	Data Type	Description
`ataccama.client.connection`	String	All client TLS options can be specified per connection. To set any TLS option for a specific client connection, configure the same set of properties as for the global client TLS configuration (properties with the `ataccama.client.tls` prefix). Depending on your setup, use one of the following prefixes: `ataccama.client.connection.<connection_name>.tls` for specifying TLS for connections using any communication protocol (gRPC and HTTP). `ataccama.client.connection.<connection_name>.grpc.tls` for specifying TLS for connections using the gRPC communication protocol. `ataccama.client.connection.<connection_name>.http.tls` for specifying TLS for connections using the HTTP communication protocol. If an option is not specified for the given client connection, global client TLS options are applied. Default value: `null`.
`ataccama.client.grpc.tls`	String	All client TLS options can be specified directly for gRPC client. To set any TLS option for a gRPC client, configure the same set of properties as for the global client TLS configuration (properties with the `ataccama.client.tls` prefix), but use the prefix `ataccama.client.grpc.tls` instead. If an option is not specified for the gRPC client, global client TLS options are applied. Default value: `null`.
`ataccama.client.http.tls`	String	All client TLS options can be specified directly for HTTP client. To set any TLS option for a HTTP client, configure the same set of properties as for the global client TLS configuration (properties with the `ataccama.client.tls` prefix), but use the prefix `ataccama.client.http.tls` instead. If an option is not specified for the HTTP client, global client TLS options are applied. Default value: `null`.
`ataccama.client.tls.enabled`	Boolean	Defines whether the gRPC and HTTP clients should use TLS when communicating with the servers. Default value: `False`.
`ataccama.client.tls.key-alias`	String	The private key name specified in the provided keystore that is used for TLS. Does not work with `PKCS12` format. To avoid unexpected behavior, use `PKCS12` with only one private key. Default value: `null`.
`ataccama.client.tls.key-password`	String	The password for the private key of the gRPC and HTTP clients. Used if the private key is encrypted. Does not work with `PKCS12` format. To avoid unexpected behavior, use `PKCS12` only with a non-encrypted private key. Default value: `null`.
`ataccama.client.tls.key-store`	String	Points to the keystore containing private and public key certificates that are used by the gRPC and HTTP clients. For example, `file:${ataccama.path.etc}/key-store.pkcs12`. Default value: `null`.
`ataccama.client.tls.key-store-password`	String	The password for the keystore. Used if the keystore is encrypted. Default value: `null`.
`ataccama.client.tls.key-store-type`	String	The type of the keystore. Possible types are `PKCS12`, `JKS`, and `JCEKS`. Default value: `null`.
`ataccama.client.tls.mtls`	Boolean	Defines whether the gRPC and HTTP clients should use mTLS when communicating with the servers. Default value: `False`.
`ataccama.client.tls.trust-all`	Boolean	Defines whether the gRPC and HTTP clients should verify the certificate of the server with which they communicate. Default value: `False`.
`ataccama.client.tls.trust-store`	String	Points to the truststore with all the trusted certification authorities (CAs) used in gRPC and HTTP TLS communication. Used only when `tls.trust-all` is disabled. For example, `file:${ataccama.path.etc}/trust-store.pkcs12`. Default value: `null`.
`ataccama.client.tls.trust-store-password`	String	The password for the truststore. Used if the truststore is encrypted. Default value: `null`.
`ataccama.client.tls.trust-store-type`	String	The type of the truststore. Possible types are `PKCS12` and `JCEKS`. Default value: `null`.

ataccama.client.connection

String

All client TLS options can be specified per connection. To set any TLS option for a specific client connection, configure the same set of properties as for the global client TLS configuration (properties with the ataccama.client.tls prefix). Depending on your setup, use one of the following prefixes:

ataccama.client.connection.<connection_name>.tls for specifying TLS for connections using any communication protocol (gRPC and HTTP).
ataccama.client.connection.<connection_name>.grpc.tls for specifying TLS for connections using the gRPC communication protocol.
ataccama.client.connection.<connection_name>.http.tls for specifying TLS for connections using the HTTP communication protocol. If an option is not specified for the given client connection, global client TLS options are applied.

Default value: null.

ataccama.client.grpc.tls

String

All client TLS options can be specified directly for gRPC client. To set any TLS option for a gRPC client, configure the same set of properties as for the global client TLS configuration (properties with the ataccama.client.tls prefix), but use the prefix ataccama.client.grpc.tls instead. If an option is not specified for the gRPC client, global client TLS options are applied.

Default value: null.

ataccama.client.http.tls

String

All client TLS options can be specified directly for HTTP client. To set any TLS option for a HTTP client, configure the same set of properties as for the global client TLS configuration (properties with the ataccama.client.tls prefix), but use the prefix ataccama.client.http.tls instead. If an option is not specified for the HTTP client, global client TLS options are applied.

Default value: null.

ataccama.client.tls.enabled

Boolean

Defines whether the gRPC and HTTP clients should use TLS when communicating with the servers.

Default value: False.

ataccama.client.tls.key-alias

String

The private key name specified in the provided keystore that is used for TLS. Does not work with PKCS12 format. To avoid unexpected behavior, use PKCS12 with only one private key.

Default value: null.

ataccama.client.tls.key-password

String

The password for the private key of the gRPC and HTTP clients. Used if the private key is encrypted. Does not work with PKCS12 format. To avoid unexpected behavior, use PKCS12 only with a non-encrypted private key.

Default value: null.

ataccama.client.tls.key-store

String

Points to the keystore containing private and public key certificates that are used by the gRPC and HTTP clients. For example, file:${ataccama.path.etc}/key-store.pkcs12.

Default value: null.

ataccama.client.tls.key-store-password

String

The password for the keystore. Used if the keystore is encrypted.

Default value: null.

ataccama.client.tls.key-store-type

String

The type of the keystore. Possible types are PKCS12, JKS, and JCEKS.

Default value: null.

ataccama.client.tls.mtls

Boolean

Defines whether the gRPC and HTTP clients should use mTLS when communicating with the servers.

Default value: False.

ataccama.client.tls.trust-all

Boolean

Defines whether the gRPC and HTTP clients should verify the certificate of the server with which they communicate.

Default value: False.

ataccama.client.tls.trust-store

String

Points to the truststore with all the trusted certification authorities (CAs) used in gRPC and HTTP TLS communication. Used only when tls.trust-all is disabled. For example, file:${ataccama.path.etc}/trust-store.pkcs12.

Default value: null.

ataccama.client.tls.trust-store-password

String

The password for the truststore. Used if the truststore is encrypted.

Default value: null.

ataccama.client.tls.trust-store-type

String

The type of the truststore. Possible types are PKCS12 and JCEKS.

Default value: null.

gRPC Server

Property Data Type Description

Property	Data Type	Description
`ataccama.server.grpc.properties.max-message-size`	String	Limits the size of messages that the gRPC server can process. Default value: `1GB`. Accepted units: `B` (bytes), `KB` (kilobytes), `MB` (megabytes), `GB` (gigabytes), `TB` (terabytes). If no unit is specified, `KB` is used.

ataccama.server.grpc.properties.max-message-size

String

Limits the size of messages that the gRPC server can process.

Default value: 1GB.

Accepted units: B (bytes), KB (kilobytes), MB (megabytes), GB (gigabytes), TB (terabytes). If no unit is specified, KB is used.

Authentication

Property Data Type Description

Property	Data Type	Description
`ataccama.authentication.grpc.basic.enable`	Boolean	Enables basic authentication on the gRPC server. If enabled, Keycloak becomes a mandatory dependency - it needs to be running before the microservice starts. Default value: `true`.
`ataccama.authentication.grpc.bearer.enable`	Boolean	Enables bearer authentication on the gRPC server. If enabled, Keycloak becomes a mandatory dependency - it needs to be running before the microservice starts. Default value: `true`.
`ataccama.authentication.grpc.internal.jwt.enable`	Boolean	Enables internal JWT token authentication on the gRPC server. Default value: `true`.
`ataccama.authentication.http.acl.default-allow`	Boolean	If set to `false`, access to any HTTP endpoint is restricted for all users. You can explicitly allow access to an endpoint based on user roles, which is configured using the property `ataccama.authentication.http.acl.endpoints`. Default value: `true`.
`ataccama.authentication.http.acl.endpoints`	String	Used for securing HTTP endpoints based on user or module roles. The role comparison is case-insensitive. For example, to allow only users with `ADMIN` role to access the Prometheus endpoint, use the following two properties: `ataccama.authentication.http.acl.endpoints.prometheus-endpoint.endpoint-filter=["/actuator/prometheus"] ataccama.authentication.http.acl.endpoints.prometheus-endpoint.allowed-roles=["ADMIN"]` Default value: `null`.
`ataccama.authentication.http.basic.enable`	Boolean	Enables basic authentication on the HTTP server. If enabled, Keycloak becomes a mandatory dependency - it needs to be running before the microservice starts. Default value: `true`.
`ataccama.authentication.http.basic.endpoint-filter`	String	Ant-style patterns that filter which HTTP endpoints have basic authentication enabled. To separate multiple patterns, use a semicolon (`;`). Default value: `/**`.
`ataccama.authentication.http.bearer.enable`	Boolean	Enables bearer authentication on the HTTP server. If enabled, Keycloak becomes a mandatory dependency - it needs to be running before the microservice starts. Default value: `true`.
`ataccama.authentication.http.bearer.endpoint-filter`	String	Ant-style patterns that filter which HTTP endpoints have bearer authentication enabled. To separate multiple patterns, use a semicolon (`;`). Default value: `/**`.
`ataccama.authentication.http.internal.jwt.enable`	Boolean	Enables internal JWT token authentication on the HTTP server. Default value: `true`.
`ataccama.authentication.http.internal.jwt.endpoint-filter`	String	Ant-style patterns that filter which HTTP endpoints have internal JWT authentication enabled. To separate multiple patterns, use a semicolon (`;`). Default value: `/**`.
`ataccama.authentication.http.public-endpoint-restriction-filter`	String	Ant-style patterns that filter which public HTTP endpoints should be protected. If configured, these endpoints are no longer publicly available and authentication is required. To separate multiple patterns, use a semicolon (`;`). Default value: `null`.
`ataccama.authentication.internal.jwt.impersonation-role`	String	The role used for validating that a service sending a request to the microservice can impersonate another user. Default value: `IMPERSONATION`.
`ataccama.authentication.keycloak.realm`	String	The name of the Keycloak realm. Used when requesting an access token during authorization.
`ataccama.authentication.keycloak.server-url`	String	The URL of the server where Keycloak is running.
`ataccama.authentication.keycloak.token.audience`	String	The expected recipients of the Keycloak token. Used to validate the access (bearer) token obtained from Keycloak. If the value is `null`, the audience is not verified. Default value: `null`.
`ataccama.authentication.keycloak.token.client-id`	String	The client token identifier of the microservice. Used when requesting an access token during authorization.
`ataccama.authentication.keycloak.token.expected-algorithm`	String	The expected algorithm that was used to sign the access (bearer) token obtained from Keycloak. Default value: `RS256`.
`ataccama.authentication.keycloak.token.issuer`	String	The issuer of the Keycloak token. Used to validate the access (bearer) token obtained from Keycloak. If the value is `null`, the issuer is not verified. Default value: `${ataccama.authentication.keycloak.server-url}/realms/${ataccama.authentication.keycloak.realm}`.
`ataccama.authentication.keycloak.token.key-cache-min-time-between-request`	Number	Defines the minimum amount of time between two consecutive requests for Keycloak certificates during which Keycloak is not asked for new certificates. This acts as a prevention against DDoS attacks with an unknown key. Expressed in seconds. Default value: `5`.
`ataccama.authentication.keycloak.token.key-cache-ttl`	Number	Defines how long the public certificates from Keycloak are cached on the microservice side. If this time is exceeded, new certificates are fetched from Keycloak before the microservice makes an attempt to authenticate. If this time is not exceeded, but the public certificate for the key parsed from the authentication attempt was not found in the cache, new certificates are fetched from Keycloak and authentication is attempted again. Expressed in seconds. Default value: `300`.
`ataccama.authentication.keycloak.token.secret`	String	The secret key of the microservice client. Used when requesting an access token during authorization.
`ataccama.one.platform.deployments`	String	The deployment settings with public JWT keys for other modules communicating with the microservice. The following fields are available: `module`, `uri`, `roles`: Required fields for deployment. These fields are used to create the service identity during authentication. `fingerprint`, `content`: Required fields for the JWT key. `is-revoked`: Optional. Used for revoking the corresponding JWT key, typically through the Configuration Service, in case the key was compromised. Example settings for MMM: `ataccama.one.platform.deployments.mmm-be.module=<;value> ataccama.one.platform.deployments.mmm-be.uri=<;value> ataccama.one.platform.deployments.mmm-be.security.roles=<;value> ataccama.one.platform.deployments.mmm-be.security.jwt-keys.mmm-key.fingerprint=<;value> ataccama.one.platform.deployments.mmm-be.security.jwt-keys.mmm-key.content=<;value> ataccama.one.platform.deployments.mmm-be.security.jwt-keys.mmm-key.is-revoked=false` Default value: `null`.

ataccama.authentication.grpc.basic.enable

Boolean

Enables basic authentication on the gRPC server. If enabled, Keycloak becomes a mandatory dependency - it needs to be running before the microservice starts.

Default value: true.

ataccama.authentication.grpc.bearer.enable

Boolean

Enables bearer authentication on the gRPC server. If enabled, Keycloak becomes a mandatory dependency - it needs to be running before the microservice starts.

Default value: true.

ataccama.authentication.grpc.internal.jwt.enable

Boolean

Enables internal JWT token authentication on the gRPC server.

Default value: true.

ataccama.authentication.http.acl.default-allow

Boolean

If set to false, access to any HTTP endpoint is restricted for all users. You can explicitly allow access to an endpoint based on user roles, which is configured using the property ataccama.authentication.http.acl.endpoints.

Default value: true.

ataccama.authentication.http.acl.endpoints

String

Used for securing HTTP endpoints based on user or module roles. The role comparison is case-insensitive. For example, to allow only users with ADMIN role to access the Prometheus endpoint, use the following two properties:

ataccama.authentication.http.acl.endpoints.prometheus-endpoint.endpoint-filter=["/actuator/prometheus"]
ataccama.authentication.http.acl.endpoints.prometheus-endpoint.allowed-roles=["ADMIN"]

Default value: null.

ataccama.authentication.http.basic.enable

Boolean

Enables basic authentication on the HTTP server. If enabled, Keycloak becomes a mandatory dependency - it needs to be running before the microservice starts.

Default value: true.

ataccama.authentication.http.basic.endpoint-filter

String

Ant-style patterns that filter which HTTP endpoints have basic authentication enabled. To separate multiple patterns, use a semicolon (;).

Default value: /**.

ataccama.authentication.http.bearer.enable

Boolean

Enables bearer authentication on the HTTP server. If enabled, Keycloak becomes a mandatory dependency - it needs to be running before the microservice starts.

Default value: true.

ataccama.authentication.http.bearer.endpoint-filter

String

Ant-style patterns that filter which HTTP endpoints have bearer authentication enabled. To separate multiple patterns, use a semicolon (;).

Default value: /**.

ataccama.authentication.http.internal.jwt.enable

Boolean

Enables internal JWT token authentication on the HTTP server.

Default value: true.

ataccama.authentication.http.internal.jwt.endpoint-filter

String

Ant-style patterns that filter which HTTP endpoints have internal JWT authentication enabled. To separate multiple patterns, use a semicolon (;).

Default value: /**.

ataccama.authentication.http.public-endpoint-restriction-filter

String

Ant-style patterns that filter which public HTTP endpoints should be protected. If configured, these endpoints are no longer publicly available and authentication is required. To separate multiple patterns, use a semicolon (;).

Default value: null.

ataccama.authentication.internal.jwt.impersonation-role

String

The role used for validating that a service sending a request to the microservice can impersonate another user.

Default value: IMPERSONATION.

ataccama.authentication.keycloak.realm

String

The name of the Keycloak realm. Used when requesting an access token during authorization.

ataccama.authentication.keycloak.server-url

String

The URL of the server where Keycloak is running.

ataccama.authentication.keycloak.token.audience

String

The expected recipients of the Keycloak token. Used to validate the access (bearer) token obtained from Keycloak. If the value is null, the audience is not verified.

Default value: null.

ataccama.authentication.keycloak.token.client-id

String

The client token identifier of the microservice. Used when requesting an access token during authorization.

ataccama.authentication.keycloak.token.expected-algorithm

String

The expected algorithm that was used to sign the access (bearer) token obtained from Keycloak.

Default value: RS256.

ataccama.authentication.keycloak.token.issuer

String

The issuer of the Keycloak token. Used to validate the access (bearer) token obtained from Keycloak. If the value is null, the issuer is not verified.

Default value: ${ataccama.authentication.keycloak.server-url}/realms/${ataccama.authentication.keycloak.realm}.

ataccama.authentication.keycloak.token.key-cache-min-time-between-request

Number

Defines the minimum amount of time between two consecutive requests for Keycloak certificates during which Keycloak is not asked for new certificates. This acts as a prevention against DDoS attacks with an unknown key. Expressed in seconds.

Default value: 5.

ataccama.authentication.keycloak.token.key-cache-ttl

Number

Defines how long the public certificates from Keycloak are cached on the microservice side. If this time is exceeded, new certificates are fetched from Keycloak before the microservice makes an attempt to authenticate. If this time is not exceeded, but the public certificate for the key parsed from the authentication attempt was not found in the cache, new certificates are fetched from Keycloak and authentication is attempted again. Expressed in seconds.

Default value: 300.

ataccama.authentication.keycloak.token.secret

String

The secret key of the microservice client. Used when requesting an access token during authorization.

ataccama.one.platform.deployments

String

The deployment settings with public JWT keys for other modules communicating with the microservice. The following fields are available:

module, uri, roles: Required fields for deployment. These fields are used to create the service identity during authentication.
fingerprint, content: Required fields for the JWT key.
is-revoked: Optional. Used for revoking the corresponding JWT key, typically through the Configuration Service, in case the key was compromised. Example settings for MMM:

ataccama.one.platform.deployments.mmm-be.module=<;value>
ataccama.one.platform.deployments.mmm-be.uri=<;value>
ataccama.one.platform.deployments.mmm-be.security.roles=<;value>
ataccama.one.platform.deployments.mmm-be.security.jwt-keys.mmm-key.fingerprint=<;value>
ataccama.one.platform.deployments.mmm-be.security.jwt-keys.mmm-key.content=<;value>
ataccama.one.platform.deployments.mmm-be.security.jwt-keys.mmm-key.is-revoked=false

Default value: null.

TLS/mTLS

Property Data Type Description

Property	Data Type	Description
`ataccama.server.grpc.tls`	String	All server TLS options can be specified directly for gRPC server. To set any TLS option for a gRPC server, configure the same set of properties as for the global server TLS configuration (properties with the `ataccama.server.tls` prefix), but use the prefix `ataccama.server.grpc.tls` instead. If an option is not specified for the gRPC server, global server TLS options are applied. Default value: `null`.
`ataccama.server.http.tls`	String	All server TLS options can be specified directly for HTTP server. To set any TLS option for an HTTP server, configure the same set of properties as for the global server TLS configuration (properties with the `ataccama.server.tls` prefix), but use the prefix `ataccama.server.http.tls` instead. If an option is not specified for the HTTP server, global server TLS options are applied. Default value: `null`.
`ataccama.server.tls.allow-generate`	Boolean	Defines whether the gRPC and HTTP servers should generate their self-signed certificate. The private key is saved to a location specified by `ataccama.server.tls.private-key` and the certificate to a location specified by `ataccama.server.tls.cert-chain`. Default value: `false`.
`ataccama.server.tls.cert-chain`	String	The path to the generated certificate of the gRPC and HTTP servers. For example, `file:${ataccama.path.etc}/server.crt`. Default value: `null`.
`ataccama.server.tls.enabled`	Boolean	Defines whether the gRPC and HTTP servers should use TLS authentication. Default value: `false`.
`ataccama.server.tls.key-alias`	String	The private key name specified in the provided keystore that is used for TLS. Does not work with `PKCS12` format. To avoid unexpected behavior, use `PKCS12` with only one private key. Default value: `null`.
`ataccama.server.tls.key-password`	String	The password for the private key of the gRPC and HTTP servers. Used if the private key is encrypted. Does not work with `PKCS12` format. To avoid unexpected behavior, use `PKCS12` only with a non-encrypted private key. Default value: `null`.
`ataccama.server.tls.key-store`	String	Points to the keystore containing private and public key certificates that are used by the gRPC and HTTP servers. For example, `file:${ataccama.path.etc}/key-store.pkcs12`. Default value: `null`.
`ataccama.server.tls.key-store-password`	String	The password for the keystore. Used if the keystore is encrypted. Default value: `null`.
`ataccama.server.tls.key-store-type`	String	The type of the keystore. Possible types are `PKCS12`, `JKS`, and `JCEKS`. Default value: `null`.
`ataccama.server.tls.mtls`	String	Defines whether the gRPC and HTTP servers require clients to be authenticated. Possible values are `NONE`, `OPTIONAL`, `REQUIRED`. Can be set to `REQUIRED` only if `ataccama.server.tls.trust-store` is specified as well. Default value: `OPTIONAL`.
`ataccama.server.tls.private-key`	String	The path to the generated private key of the gRPC and HTTP servers. For example, `file:${ataccama.path.etc}/server.key`. Default value: `null`.
`ataccama.server.tls.trust-store`	String	Points to the truststore with all the trusted certification authorities (CAs) used in the gRPC and HTTP TLS communication. For example, `file:${ataccama.path.etc}/trust-store.pkcs12`. Default value: `null`.
`ataccama.server.tls.trust-store-password`	String	The password for the truststore. Used if the truststore is encrypted. Default value: `null`.
`ataccama.server.tls.trust-store-type`	String	The type of the truststore. Possible types are `PKCS12` and `JCEKS`. Default value: `null`.

ataccama.server.grpc.tls

String

All server TLS options can be specified directly for gRPC server. To set any TLS option for a gRPC server, configure the same set of properties as for the global server TLS configuration (properties with the ataccama.server.tls prefix), but use the prefix ataccama.server.grpc.tls instead. If an option is not specified for the gRPC server, global server TLS options are applied.

Default value: null.

ataccama.server.http.tls

String

All server TLS options can be specified directly for HTTP server. To set any TLS option for an HTTP server, configure the same set of properties as for the global server TLS configuration (properties with the ataccama.server.tls prefix), but use the prefix ataccama.server.http.tls instead. If an option is not specified for the HTTP server, global server TLS options are applied.

Default value: null.

ataccama.server.tls.allow-generate

Boolean

Defines whether the gRPC and HTTP servers should generate their self-signed certificate. The private key is saved to a location specified by ataccama.server.tls.private-key and the certificate to a location specified by ataccama.server.tls.cert-chain.

Default value: false.

ataccama.server.tls.cert-chain

String

The path to the generated certificate of the gRPC and HTTP servers. For example, file:${ataccama.path.etc}/server.crt.

Default value: null.

ataccama.server.tls.enabled

Boolean

Defines whether the gRPC and HTTP servers should use TLS authentication.

Default value: false.

ataccama.server.tls.key-alias

String

The private key name specified in the provided keystore that is used for TLS. Does not work with PKCS12 format. To avoid unexpected behavior, use PKCS12 with only one private key.

Default value: null.

ataccama.server.tls.key-password

String

The password for the private key of the gRPC and HTTP servers. Used if the private key is encrypted. Does not work with PKCS12 format. To avoid unexpected behavior, use PKCS12 only with a non-encrypted private key.

Default value: null.

ataccama.server.tls.key-store

String

Points to the keystore containing private and public key certificates that are used by the gRPC and HTTP servers. For example, file:${ataccama.path.etc}/key-store.pkcs12.

Default value: null.

ataccama.server.tls.key-store-password

String

The password for the keystore. Used if the keystore is encrypted.

Default value: null.

ataccama.server.tls.key-store-type

String

The type of the keystore. Possible types are PKCS12, JKS, and JCEKS.

Default value: null.

ataccama.server.tls.mtls

String

Defines whether the gRPC and HTTP servers require clients to be authenticated. Possible values are NONE, OPTIONAL, REQUIRED. Can be set to REQUIRED only if ataccama.server.tls.trust-store is specified as well.

Default value: OPTIONAL.

ataccama.server.tls.private-key

String

The path to the generated private key of the gRPC and HTTP servers. For example, file:${ataccama.path.etc}/server.key.

Default value: null.

ataccama.server.tls.trust-store

String

Points to the truststore with all the trusted certification authorities (CAs) used in the gRPC and HTTP TLS communication. For example, file:${ataccama.path.etc}/trust-store.pkcs12.

Default value: null.

ataccama.server.tls.trust-store-password

String

The password for the truststore. Used if the truststore is encrypted.

Default value: null.

ataccama.server.tls.trust-store-type

String

The type of the truststore. Possible types are PKCS12 and JCEKS.

Default value: null.

Security Headers

Property Data Type Description

Property	Data Type	Description
`ataccama.one.security.header.Strict-Transport-Security`	String	The value of the HTTP Strict-Transport-Security (HSTS) response header. Used only when HTTPS is enabled. Informs browsers that the resource should only be accessed using the HTTPS protocol. Default value: `max-age=31536000; includeSubDomains; preload`.

ataccama.one.security.header.Strict-Transport-Security

String

The value of the HTTP Strict-Transport-Security (HSTS) response header. Used only when HTTPS is enabled. Informs browsers that the resource should only be accessed using the HTTPS protocol.

Default value: max-age=31536000; includeSubDomains; preload.

Parallelism

Property Data Type Description

Property	Data Type	Description
`ataccama.one.apyc.parallelism.blas`	Number	An alternative way of overriding the number of parallel threads spawned by low-level calculations that are used by machine learning algorithms. If the value is set to `0`, all CPU cores run without hyper-threads. If the value is not set (`null`), other properties are not overridden. Relies on the static OpenBLAS API and might be ignored depending on the compilation options for the OpenBLAS library. When this property is set, OpenBLAS gives it higher priority compared to `ataccama.one.apyc.parallelism.omp`. This is intended only for exceptional cases and should not be used otherwise. Default value: `null`.
`ataccama.one.apyc.parallelism.jobs`	Number	The number of parallel threads or processes spawned by high-level machine learning algorithms with explicit job management. If the value is set to `0`, all CPU cores run without hyper-threads. If the value is not set (`null`), the library default settings are applied. Use this option together with `ataccama.one.apyc.parallelism.omp`. For more information, see the Sizing Guidelines. Default value: `1`.
`ataccama.one.apyc.parallelism.omp`	Number	The number of parallel threads spawned by low-level calculations that are used by high-level machine learning algorithms. If the value is set to `0`, all CPU cores run without hyper-threads. If the value is not set (`null`), the library default settings are applied. The property relies on the static OpenBLAS API and OpenMP API, which have a lower overhead than the dynamic API used by the property `ataccama.one.apyc.parallelism.threads`. When this property is set, the OpenBLAS library gives it lower priority compared to `ataccama.one.apyc.parallelism.blas`. Several low-level libraries other than OpenBLAS and LAPACK, as well as libraries that use OpenMP, respect this option as well. Use this option together with `ataccama.one.apyc.parallelism.jobs`. For more information, see the Sizing Guidelines. Default value: `1`.
`ataccama.one.apyc.parallelism.threads`	Number	An alternative way of setting the number of parallel threads spawned by low-level calculations that are used by machine learning algorithms. If the value is set to `0`, all CPU cores run without hyper-threads. If the value is not set (`null`), the dynamic API is not used. Relies on the dynamic OpenBLAS API, which has a higher overhead than the static API used by `ataccama.one.apyc.parallelism.omp`. When this property is set, OpenBLAS gives it higher priority compared to `ataccama.one.apyc.parallelism.omp` and `ataccama.one.apyc.parallelism.blas`. The dynamic API is intended only for exceptional cases and should not be used otherwise. Default value: `null`.

ataccama.one.apyc.parallelism.blas

Number

An alternative way of overriding the number of parallel threads spawned by low-level calculations that are used by machine learning algorithms. If the value is set to 0, all CPU cores run without hyper-threads. If the value is not set (null), other properties are not overridden. Relies on the static OpenBLAS API and might be ignored depending on the compilation options for the OpenBLAS library. When this property is set, OpenBLAS gives it higher priority compared to ataccama.one.apyc.parallelism.omp. This is intended only for exceptional cases and should not be used otherwise.

Default value: null.

ataccama.one.apyc.parallelism.jobs

Number

The number of parallel threads or processes spawned by high-level machine learning algorithms with explicit job management. If the value is set to 0, all CPU cores run without hyper-threads. If the value is not set (null), the library default settings are applied. Use this option together with ataccama.one.apyc.parallelism.omp. For more information, see the Sizing Guidelines.

Default value: 1.

ataccama.one.apyc.parallelism.omp

Number

The number of parallel threads spawned by low-level calculations that are used by high-level machine learning algorithms. If the value is set to 0, all CPU cores run without hyper-threads. If the value is not set (null), the library default settings are applied. The property relies on the static OpenBLAS API and OpenMP API, which have a lower overhead than the dynamic API used by the property ataccama.one.apyc.parallelism.threads. When this property is set, the OpenBLAS library gives it lower priority compared to ataccama.one.apyc.parallelism.blas. Several low-level libraries other than OpenBLAS and LAPACK, as well as libraries that use OpenMP, respect this option as well. Use this option together with ataccama.one.apyc.parallelism.jobs. For more information, see the Sizing Guidelines.

Default value: 1.

ataccama.one.apyc.parallelism.threads

Number

An alternative way of setting the number of parallel threads spawned by low-level calculations that are used by machine learning algorithms. If the value is set to 0, all CPU cores run without hyper-threads. If the value is not set (null), the dynamic API is not used. Relies on the dynamic OpenBLAS API, which has a higher overhead than the static API used by ataccama.one.apyc.parallelism.omp. When this property is set, OpenBLAS gives it higher priority compared to ataccama.one.apyc.parallelism.omp and ataccama.one.apyc.parallelism.blas. The dynamic API is intended only for exceptional cases and should not be used otherwise.

Default value: null.

Internal and Properties Encryption

Property Data Type Description

Property	Data Type	Description
`internal.encryption.key-store`	String	Points to the keystore containing the symmetric key that is used to decrypt properties with `I` context, for example: `file:${ataccama.path.etc}/key-store.pkcs12`. Default value: `null`.
`internal.encryption.key-store-password`	String	The password for the keystore. Used if the keystore is encrypted. To use an empty password, set the value to an empty string (`""`). Default value: `null`.
`internal.encryption.key-store-password-file`	String	The single-line file containing the password for the keystore. When reading the file, UTF-8 encoding is assumed. Used if the keystore is encrypted. If specified, the property overrides the value of `internal.encryption.key-store-password`. Default value: `null`.
`internal.encryption.key-store-type`	String	The type of the keystore. Possible types are `PKCS12`, `JKS`, and `JCEKS`. Default value: `null`.
`properties.encryption.key-store`	String	Points to the keystore containing the symmetric key that is used to decrypt properties with `P` context, for example, `file:${ataccama.path.etc}/key-store.pkcs12`. Default value: `null`.
`properties.encryption.key-store-password`	String	The password for the keystore. Used if the keystore is encrypted. To use an empty password, set the value to an empty string (`""`). Default value: `null`.
`properties.encryption.key-store-password-file`	String	The single-line file containing the password for the keystore. When reading the file, UTF-8 encoding is assumed. Used if the keystore is encrypted. If specified, the property overrides the value of `properties.encryption.key-store-password`. Default value: `null`.
`properties.encryption.key-store-type`	String	The type of the keystore. Possible types are `PKCS12`, `JKS`, and `JCEKS`. Default value: `null`.

internal.encryption.key-store

String

Points to the keystore containing the symmetric key that is used to decrypt properties with I context, for example: file:${ataccama.path.etc}/key-store.pkcs12.

Default value: null.

internal.encryption.key-store-password

String

The password for the keystore. Used if the keystore is encrypted. To use an empty password, set the value to an empty string ("").

Default value: null.

internal.encryption.key-store-password-file

String

The single-line file containing the password for the keystore. When reading the file, UTF-8 encoding is assumed. Used if the keystore is encrypted. If specified, the property overrides the value of internal.encryption.key-store-password.

Default value: null.

internal.encryption.key-store-type

String

The type of the keystore. Possible types are PKCS12, JKS, and JCEKS.

Default value: null.

properties.encryption.key-store

String

Points to the keystore containing the symmetric key that is used to decrypt properties with P context, for example, file:${ataccama.path.etc}/key-store.pkcs12.

Default value: null.

properties.encryption.key-store-password

String

The password for the keystore. Used if the keystore is encrypted. To use an empty password, set the value to an empty string ("").

Default value: null.

properties.encryption.key-store-password-file

String

Default value: null.

properties.encryption.key-store-type

String

The type of the keystore. Possible types are PKCS12, JKS, and JCEKS.

Default value: null.

Anomaly Detector

Property Data Type Description

Property	Data Type	Description
`ataccama.one.anomaly-detection.anomaly-detector.force-isolation-forest-on-all-features`	Boolean	If set to `true`, anomaly detection Isolation Forest algorithm is run on all features individually, even when the category is not anomalous. Default value: `false`.
`ataccama.one.anomaly-detection.anomaly-detector.grpc.server.listen-address`	String	The network address to which the Anomaly Detector gRPC server should bind. Default value: `0.0.0.0`.
`ataccama.one.anomaly-detection.anomaly-detector.grpc.server.port`	Number	The port where the gRPC interface of the Anomaly Detector microservice is running. Default value: `8547`.
`ataccama.one.anomaly-detection.anomaly-detector.http.server.listen-address`	String	The network address to which the Anomaly Detector HTTP server should bind. Default value: `0.0.0.0`.
`ataccama.one.anomaly-detection.anomaly-detector.http.server.port`	Number	The HTTP port where the Anomaly Detector microservice is running. Default value: `8047`.
`ataccama.one.anomaly-detection.anomaly-detector.max-history-length`	Number	The maximum number of catalog item profile versions fetched from MMM on which anomaly detection is run. If the total number of profile versions in MMM exceeds the value set for this property, the versions are retrieved starting from the most recent. For example, if there are 30 profile versions in MMM and the property is set to 100, all 30 versions are fetched. However, if there are 200 profile versions in MMM and the value provided is 100, the last 100 profile versions are retrieved. Default value: `100`.

ataccama.one.anomaly-detection.anomaly-detector.force-isolation-forest-on-all-features

Boolean

If set to true, anomaly detection Isolation Forest algorithm is run on all features individually, even when the category is not anomalous.

Default value: false.

ataccama.one.anomaly-detection.anomaly-detector.grpc.server.listen-address

String

The network address to which the Anomaly Detector gRPC server should bind.

Default value: 0.0.0.0.

ataccama.one.anomaly-detection.anomaly-detector.grpc.server.port

Number

The port where the gRPC interface of the Anomaly Detector microservice is running.

Default value: 8547.

ataccama.one.anomaly-detection.anomaly-detector.http.server.listen-address

String

The network address to which the Anomaly Detector HTTP server should bind.

Default value: 0.0.0.0.

ataccama.one.anomaly-detection.anomaly-detector.http.server.port

Number

The HTTP port where the Anomaly Detector microservice is running.

Default value: 8047.

ataccama.one.anomaly-detection.anomaly-detector.max-history-length

Number

The maximum number of catalog item profile versions fetched from MMM on which anomaly detection is run. If the total number of profile versions in MMM exceeds the value set for this property, the versions are retrieved starting from the most recent. For example, if there are 30 profile versions in MMM and the property is set to 100, all 30 versions are fetched. However, if there are 200 profile versions in MMM and the value provided is 100, the last 100 profile versions are retrieved.

Default value: 100.

Was this page useful?