OKA Parameter Reference
Here are all the parameters that can be configured to customize the OKA.
They can be specified in the ${OKA_INSTALL_DIR}/config/oka/oka.yaml file:
Core Settings
secret_key:"yourawesomeksecretkey"A secret key. This is used to provide cryptographic signing, and should be set to a unique, unpredictable value.allowed_hosts:[localhost, 127.0.0.1]A list of the host/domain names as string that this OKA site can serve.csrf_trusted_origins:[]A list of the host/domain names as string (must start withhttp://orhttps://) that will be trusted when serving OKA through a proxy. See Django documentation for more info.authentication_method:OKAOne or more authentication methods, tried in the order listed. Accepts a single value or a list. When multiple methods are configured, OKA tries each in sequence and grants access on the first success. This allows, for example, LDAP accounts for regular users alongside local OKA accounts for application/service accounts that must not expire.OKA: Native OKA authentication against the local user database.LDAP: Authentication via an LDAP/Active Directory server (see LDAP). Requires theldapsection to be configured.HTTP: HTTP-based authentication via an external identity provider (see HTTP). Must be used alone — cannot be combined withOKAorLDAP. In HTTP mode the entire authentication flow is delegated to a reverse proxy / SSO provider; OKA’s own login form is bypassed and mixing sources is not supported.
Warning
HTTPis mutually exclusive with all other methods. ConfiguringHTTPalongsideOKAorLDAPwill raise a configuration error at startup.Examples:
# Single method (default) authentication_method: OKA # LDAP primary, OKA as fallback for local service accounts authentication_method: [LDAP,OKA] # OKA primary, LDAP as secondary authentication_method: [OKA,LDAP] # HTTP-based SSO — must be used alone authentication_method: HTTP
license_file: The absolute path (a string) to the license file. By default OKA will be searching for"${OKA_INSTALL_DIR}/license/oka.lic".base_url:"http://localhost"The base URL of the OKA instance. Used by internal services such as Playwright (PDF report generation) to navigate OKA pages. In production this must point to nginx (usually"http://localhost"or"https://localhost") so that static files (CSS, JS) are served correctly.Note
If PDF reports appear without styling, verify that this URL serves static files. A direct connection to OKA (by default on port 8000) bypasses nginx and will not serve CSS/JS in production.
debug:true | falseA Boolean that turns on/off debug mode.oka_user: User running the OKA processes.
Databases
PostgreSQL
postgresql:name:"oka_db"Name of the PostgreSQL database for OKA.user:"oka"PostgreSQL username for OKA.password:"okapwd"PostgreSQL password for the OKA user.host:"localhost"Host of PostgreSQL database.port:5432Port PostgreSQL is listening on.
Elasticsearch
Note
See documentation
elasticsearch:hosts:["http://127.0.0.1:9200","http://api@domain:9200"]One or more Elasticsearch URL for master nodes with protocol scheme. Accepts a single value or a list.api_key: A secure key to allow access to Elasticsearch. Support either raw"<id>:<api_key>"or base64 of previous string.user: A string to specify the username to used when attempting to connect to Elasticsearch.password: A string to specify the password to used when attempting to connect to Elasticsearch.ssl_show_warn:falseA boolean that specify whether or not to show warning upon SSL connection.verify_certs:falseA boolean to specify whether or not certificate will be verified.ca_cert_path: A path to the Certificate Authority (CA) certificate.client_cert_path: A path to the TLS client certificate file.client_key_path: A path to the TLS client key file.
Note
OKA currently support secure connection to Elasticsearch through the use of either
user/passwordor, the specification of anapi_key. For configuration that contain both parameters,api_keywill take precedence over theuser/passwordcombination if set.For instruction on how to setup secure connection for your Elasticsearch see FAQ: How can we configure a secure connection?.
Warning
OKA will require prileges to handle its indexes without any limitation. Current suggested configuration would be to set “privileges”:[“all”] for index control.
Caching
session_timeout:3600An integer value used to specify how long before a user is automatically logged out of OKA (in seconds).cache_duration:10800Cache duration in seconds.main_cache:backend: Backend and location of the main cache. Default is set on DatabaseCache.location: Cache location/table name for the backend.
REST API
rest_api:access_token_lifetime:1An integer value used to determine how many days the access token lifetime will be valid.refresh_token_lifetime:30An integer value used to determine how many days the refresh token lifetime will be valid.
Celery
celery:broker_url:"amqp://localhost"A string value used to specify the URL of the broker that will be used by Celery.
Feature Flags
features:block_admin_panel:falseA boolean used to block admin panel access.block_custom_dataenhancer:falseA boolean used to block the use of “custom” Data Enhancer.block_category_buttons:falseA boolean used to block the switch performance / cost / energy buttons.block_forgot_password:falseA boolean used to block the forgot password button.block_cron_scheduled_task:trueA boolean used to block scheduled task from running automatically by default in cron mode when they are created.allowed_js_ingestion_type:"*"Comma separated values used to specify the available ingestion types options provided to the user while creating a cluster."LOCAL": Local job scheduler command execution"FILE": Local reading of file(s)"FORWARDED_PWD": Command execution remotely forwarded through SSH, login with a password"FORWARDED_KEYFILE": Command execution remotely forwarded through SSH, login with an ssh key file"*": Select any of the previous type when creating a cluster.
Example
Below is an example of oka.yaml configuration.
oka.yaml
1# Core settings 2oka_user: oka_user 3secret_key: yourinstallsecretkey 4allowed_hosts: 5 - localhost 6 - 127.0.0.1 7csrf_trusted_origins: [] 8# Single method (default). Use a list for multiple methods tried in order, 9# e.g. "[LDAP,OKA]" to authenticate via LDAP first with OKA as fallback for local accounts. 10authentication_method: OKA 11license_file: /opt/oka/license/license.lic 12debug: false 13 14# Database configuration 15postgresql: 16 name: oka_db 17 user: oka 18 password: okapwd 19 host: localhost 20 port: 5432 21 22# Elasticsearch configuration 23elasticsearch: 24 hosts: 25 - http://127.0.0.1:9200 26 - http://10.0.0.3:8080 27 ssl_show_warn: false 28 verify_certs: false 29 api_key: "id:key" 30 user: null 31 password: null 32 ca_cert_path: null 33 client_cert_path: null 34 client_key_path: null 35 36# Celery configuration 37celery: 38 broker_url: amqp://localhost 39 40 41# REST API configuration 42rest_api: 43 access_token_lifetime: 1 44 refresh_token_lifetime: 365 45 46# Feature flags 47features: 48 block_admin_panel: false 49 block_custom_dataenhancer: false 50 block_category_buttons: false 51 block_forgot_password: false 52 block_cron_scheduled_task: true 53 allowed_js_ingestion_type: '*' 54 55 56# Session and cache 57session_timeout: 3600 58cache_duration: 10800 59main_cache: 60 backend: django.core.cache.backends.db.DatabaseCache 61 location: oka_cache_table 62 63# LDAP configuration (optional, uncomment if using LDAP authentication) 64# ldap: 65# server_uri: ldap://ldap.example.com 66# bind_dn: cn=admin,dc=example,dc=com 67# bind_password: ldappassword 68# search_base: ou=users,dc=example,dc=com 69# username_field: mail 70# groups: 71# search_base: ou=Group,dc=example,dc=com 72# search_filterstr: (objectClass=group) 73# required: "cn=enabled,ou=groups,dc=example,dc=com;cn=also_enabled,ou=groups,dc=example,dc=com"