Configuration File
HarperDB is configured through a YAML file called harperdb-config.yaml
located in the HarperDB root directory (by default this is a directory named hdb
located in the home directory of the current user).
Some configuration will be populated by default in the config file on install, regardless of whether it is used.
Using the Configuration File and Naming Conventions
The configuration elements in harperdb-config.yaml
use camelcase: operationsApi
.
To change a configuration value edit the harperdb-config.yaml
file and save any changes. HarperDB must be restarted for changes to take effect.
Alternately, configuration can be changed via environment and/or command line variables or via the API. To access lower level elements, use underscores to append parent/child elements (when used this way elements are case insensitive):
Note: Component configuration cannot be added or updated via CLI or ENV variables.
Importing installation configuration
To use a custom configuration file to set values on install, use the CLI/ENV variable HDB_CONFIG
and set it to the path of your custom configuration file.
To install HarperDB overtop of an existing configuration file, set HDB_CONFIG
to the root path of your install <ROOTPATH>/harperdb-config.yaml
Configuration Options
http
http
sessionAffinity
- Type: string; Default: null
HarperDB is a multi-threaded server designed to scale to utilize many CPU cores with high concurrency. Session affinity can help improve the efficiency and fairness of thread utilization by routing multiple requests from the same client to the same thread. This provides a fairer method of request handling by keeping a single user contained to a single thread, can improve caching locality (multiple requests from a single user are more likely to access the same data), and can provide the ability to share information in-memory in user sessions. Enabling session affinity will cause subsequent requests from the same client to be routed to the same thread.
To enable sessionAffinity
, you need to specify how clients will be identified from the incoming requests. If you are using HarperDB to directly serve HTTP requests from users from different remote addresses, you can use a setting of ip
. However, if you are using HarperDB behind a proxy server or application server, all the remote ip addresses will be the same and HarperDB will effectively only run on a single thread. Alternately, you can specify a header to use for identification. If you are using basic authentication, you could use the "Authorization" header to route requests to threads by the user's credentials. If you have another header that uniquely identifies users/clients, you can use that as the value of sessionAffinity. But be careful to ensure that the value does provide sufficient uniqueness and that requests are effectively distributed to all the threads and fully utilizing all your CPU cores.
compressionThreshold
- Type: number; Default: 1200 (bytes)
For HTTP clients that support (Brotli) compression encoding, responses that are larger than than this threshold will be compressed (also note that for clients that accept compression, any streaming responses from queries are compressed as well, since the size is not known beforehand).
cors
- Type: boolean; Default: true
Enable Cross Origin Resource Sharing, which allows requests across a domain.
corsAccessList
- Type: array; Default: null
An array of allowable domains with CORS
headersTimeout
- Type: integer; Default: 60,000 milliseconds (1 minute)
Limit the amount of time the parser will wait to receive the complete HTTP headers with.
maxHeaderSize
- Type: integer; Default: 16394
The maximum allowed size of HTTP headers in bytes.
keepAliveTimeout
- Type: integer; Default: 30,000 milliseconds (30 seconds)
Sets the number of milliseconds of inactivity the server needs to wait for additional incoming data after it has finished processing the last response.
port
- Type: integer; Default: 9926
The port used to access the component server.
securePort
- Type: integer; Default: null
The port the HarperDB component server uses for HTTPS connections. This requires a valid certificate and key.
timeout
- Type: integer; Default: Defaults to 120,000 milliseconds (2 minutes)
The length of time in milliseconds after which a request will timeout.
mlts
- Type: boolean | object; Default: false
This can be configured to enable mTLS based authentication for incoming connections. If enabled with default options (by setting to true
), the client certificate will be checked against the certificate authority specified with tls.certificateAuthority
. And if the certificate can be properly verified, the connection will authenticate users where the user's id/username is specified by the CN
(common name) from the client certificate's subject
, by default.
You can also define specific mTLS options by specifying an object for mtls with the following (optional) properties which may be included:
user
- Type: string; Default: Common Name
This configures a specific username to authenticate as for mTLS connections. If a user
is defined, any authorized mTLS connection (that authorizes against the certificate authority) will be authenticated as this user. This can also be set to null
, which indicates that no authentication is performed based on the mTLS authorization. When combined with required: true
, this can be used to enforce that users must have authorized mTLS and provide credential-based authentication.
required
- Type: boolean; Default: false
This can be enabled to require client certificates (mTLS) for all incoming MQTT connections. If enabled, any connection that doesn't provide an authorized certificate will be rejected/closed. By default, this is disabled, and authentication can take place with mTLS or standard credential authentication.
or
threads
threads
The threads
provides control over how many threads, how much heap memory they may use, and debugging of the threads:
count
- Type: number; Default: One less than the number of logical cores/processors
The threads.count
option specifies the number of threads that will be used to service the HTTP requests for the operations API and custom functions. Generally, this should be close to the number of CPU logical cores/processors to ensure the CPU is fully utilized (a little less because HarperDB does have other threads at work), assuming HarperDB is the main service on a server.
debug
- Type: boolean | object; Default: false
This enables debugging. If simply set to true, this will enable debugging on the main thread on port 9229 with the 127.0.0.1 host interface. This can also be an object for more debugging control.
debug.port
- The port to use for debugging the main thread debug.startingPort
- This will set up a separate port for debugging each thread. This is necessary for debugging individual threads with devtools. debug.host
- Specify the host interface to listen on debug.waitForDebugger
- Wait for debugger before starting
maxHeapMemory
- Type: number;
This specifies the heap memory limit for each thread, in megabytes. The default heap limit is a heuristic based on available memory and thread count.
replication
replication
The replication
section configures HarperDB replication, which is used to create HarperDB clusters and replicate data between the instances.
hostname
- Type: string;
The hostname of the current HarperDB instance.
url
- Type: string;
The URL of the current HarperDB instance.
databases
- Type: string/array; Default: "*" (all databases)
Configure which databases to replicate. This can be a string for all database or an array for specific databases.
routes
- Type: array;
An array of routes to connect to other nodes. Each element in the array can be either a string or an object with hostname
and port
properties.
port
- Type: integer; Default: 9925 (the operations API port operationsApi.port
)
The port to use for replication connections.
securePort
- Type: integer;
The port to use for secure replication connections.
enableRootCAs
- Type: boolean; Default: true
When true, HarperDB will verify certificates against the Node.js bundled CA store. The bundled CA store is a snapshot of the Mozilla CA store that is fixed at release time.
clustering
using NATS
clustering
using NATSThe clustering
section configures the NATS clustering engine, this is used to replicate data between instances of HarperDB.
Note: There exist two ways to create clusters and replicate data in HarperDB. One option is to use native HarperDB replication over Websockets. The other option is to use NATS to facilitate the cluster.
Clustering offers a lot of different configurations, however in a majority of cases the only options you will need to pay attention to are:
clustering.enabled
Enable the clustering processes.clustering.hubServer.cluster.network.port
The port other nodes will connect to. This port must be accessible from other cluster nodes.clustering.hubServer.cluster.network.routes
The connections to other instances.clustering.nodeName
The name of your node, must be unique within the cluster.clustering.user
The name of the user credentials used for Inter-node authentication.
enabled
- Type: boolean; Default: false
Enable clustering.
Note: If you enabled clustering but do not create and add a cluster user you will get a validation error. See user
description below on how to add a cluster user.
clustering.hubServer.cluster
Clustering’s hubServer
facilitates the HarperDB mesh network and discovery service.
name
- Type: string, Default: harperdb
The name of your cluster. This name needs to be consistent for all other nodes intended to be meshed in the same network.
port
- Type: integer, Default: 9932
The port the hub server uses to accept cluster connections
routes
- Type: array, Default: null
An object array that represent the host and port this server will cluster to. Each object must have two properties port
and host
. Multiple entries can be added to create network resiliency in the event one server is unavailable. Routes can be added, updated and removed either by directly editing the harperdb-config.yaml
file or by using the cluster_set_routes
or cluster_delete_routes
API endpoints.
host
- Type: string
The host of the remote instance you are creating the connection with.
port
- Type: integer
The port of the remote instance you are creating the connection with. This is likely going to be the clustering.hubServer.cluster.network.port
on the remote instance.
clustering.hubServer.leafNodes
port
- Type: integer; Default: 9931
The port the hub server uses to accept leaf server connections.
clustering.hubServer.network
port
- Type: integer; Default: 9930
Use this port to connect a client to the hub server, for example using the NATs SDK to interact with the server.
clustering.leafServer
Manages streams, streams are ‘message stores’ that store table transactions.
port
- Type: integer; Default: 9940
Use this port to connect a client to the leaf server, for example using the NATs SDK to interact with the server.
routes
- Type: array; Default: null
An object array that represent the host and port the leaf node will directly connect with. Each object must have two properties port
and host
. Unlike the hub server, the leaf server will establish connections to all listed hosts. Routes can be added, updated and removed either by directly editing the harperdb-config.yaml
file or by using the cluster_set_routes
or cluster_delete_routes
API endpoints.
host
- Type: string
The host of the remote instance you are creating the connection with.
port
- Type: integer
The port of the remote instance you are creating the connection with. This is likely going to be the clustering.hubServer.cluster.network.port
on the remote instance.
clustering.leafServer.streams
maxAge
- Type: integer; Default: null
The maximum age of any messages in the stream, expressed in seconds.
maxBytes
- Type: integer; Default: null
The maximum size of the stream in bytes. Oldest messages are removed if the stream exceeds this size.
maxMsgs
- Type: integer; Default: null
How many messages may be in a stream. Oldest messages are removed if the stream exceeds this number.
path
- Type: string; Default: <ROOTPATH>/clustering/leaf
The directory where all the streams are kept.
maxConsumeMsgs
- Type: integer; Default: 100
The maximum number of messages a consumer can process in one go.
maxIngestThreads
- Type: integer; Default: 2
The number of HarperDB threads that are delegated to ingesting messages.
logLevel
- Type: string; Default: error
Control the verbosity of clustering logs.
There exists a log level hierarchy in order as trace
, debug
, info
, warn
, and error
. When the level is set to trace
logs will be created for all possible levels. Whereas if the level is set to warn
, the only entries logged will be warn
and error
. The default value is error
.
nodeName
- Type: string; Default: null
The name of this node in your HarperDB cluster topology. This must be a value unique from the rest of the cluster node names.
Note: If you want to change the node name make sure there are no subscriptions in place before doing so. After the name has been changed a full restart is required.
tls
Transport Layer Security default values are automatically generated on install.
certificate
- Type: string; Default: <ROOTPATH>/keys/certificate.pem
Path to the certificate file.
certificateAuthority
- Type: string; Default: <ROOTPATH>/keys/ca.pem
Path to the certificate authority file.
privateKey
- Type: string; Default: <ROOTPATH>/keys/privateKey.pem
Path to the private key file.
insecure
- Type: boolean; Default: true
When true, will skip certificate verification. For use only with self-signed certs.
republishMessages
- Type: boolean; Default: false
When true, all transactions that are received from other nodes are republished to this node's stream. When subscriptions are not fully connected between all nodes, this ensures that messages are routed to all nodes through intermediate nodes. This also ensures that all writes, whether local or remote, are written to the NATS transaction log. However, there is additional overhead with republishing, and setting this is to false can provide better data replication performance. When false, you need to ensure all subscriptions are fully connected between every node to every other node, and be aware that the NATS transaction log will only consist of local writes.
verify
- Type: boolean; Default: true
When true, hub server will verify client certificate using the CA certificate.
user
- Type: string; Default: null
The username given to the cluster_user
. All instances in a cluster must use the same clustering user credentials (matching username and password).
Inter-node authentication takes place via a special HarperDB user role type called cluster_user
.
The user can be created either through the API using an add_user
request with the role set to cluster_user
, or on install using environment variables CLUSTERING_USER=cluster_person
CLUSTERING_PASSWORD=pass123!
or CLI variables harperdb --CLUSTERING_USER cluster_person
--CLUSTERING_PASSWORD
pass123!
localStudio
localStudio
The localStudio
section configures the local HarperDB Studio, a GUI for HarperDB hosted on the server. A hosted version of the HarperDB Studio with licensing and provisioning options is available at https://studio.harperdb.io. Note, all database traffic from either localStudio
or HarperDB Studio is made directly from your browser to the instance.
enabled
- Type: boolean; Default: false
Enabled the local studio or not.
logging
logging
The logging
section configures HarperDB logging across all HarperDB functionality. This includes standard text logging of application and database events as well as structured data logs of record changes. Logging of application/database events are logged in text format to the ~/hdb/log/hdb.log
file (or location specified by logging.root
).
In addition, structured logging of data changes are also available:
auditLog
- Type: boolean; Default: false
Enabled table transaction logging.
To access the audit logs, use the API operation read_audit_log
. It will provide a history of the data, including original records and changes made, in a specified table.
file
- Type: boolean; Default: true
Defines whether to log to a file.
auditRetention
- Type: string|number; Default: 3d
This specifies how long audit logs should be retained.
level
- Type: string; Default: warn
Control the verbosity of text event logs.
There exists a log level hierarchy in order as trace
, debug
, info
, warn
, error
, fatal
, and notify
. When the level is set to trace
logs will be created for all possible levels. Whereas if the level is set to fatal
, the only entries logged will be fatal
and notify
. The default value is error
.
console
- Type: boolean; Default: true
Controls whether console.log and other console.* calls (as well as another JS components that writes to process.stdout
and process.stderr
) are logged to the log file. By default, these are logged to the log file, but this can be disabled.
root
- Type: string; Default: <ROOTPATH>/log
The path where the log files will be written.
rotation
Rotation provides the ability for a user to systematically rotate and archive the hdb.log
file. To enable interval
and/or maxSize
must be set.
Note: interval
and maxSize
are approximates only. It is possible that the log file will exceed these values slightly before it is rotated.
enabled
- Type: boolean; Default: false
Enables logging rotation.
compress
- Type: boolean; Default: false
Enables compression via gzip when logs are rotated.
interval
- Type: string; Default: null
The time that should elapse between rotations. Acceptable units are D(ays), H(ours) or M(inutes).
maxSize
- Type: string; Default: null
The maximum size the log file can reach before it is rotated. Must use units M(egabyte), G(igabyte), or K(ilobyte).
path
- Type: string; Default: <ROOTPATH>/log
Where to store the rotated log file. File naming convention is HDB-YYYY-MM-DDT-HH-MM-SSSZ.log
.
stdStreams
- Type: boolean; Default: false
Log HarperDB logs to the standard output and error streams.
auditAuthEvents
logFailed
- Type: boolean; Default: false
Log all failed authentication events.
Example: [error] [auth-event]: {"username":"admin","status":"failure","type":"authentication","originating_ip":"127.0.0.1","request_method":"POST","path":"/","auth_strategy":"Basic"}
logSuccessful
- Type: boolean; Default: false
Log all successful authentication events.
Example: [notify] [auth-event]: {"username":"admin","status":"success","type":"authentication","originating_ip":"127.0.0.1","request_method":"POST","path":"/","auth_strategy":"Basic"}
authentication
authentication
The authentication section defines the configuration for the default authentication mechanism in HarperDB.
authorizeLocal
- Type: boolean; Default: true
This will automatically authorize any requests from the loopback IP address as the superuser. This should be disabled for any HarperDB servers that may be accessed by untrusted users from the same instance. For example, this should be disabled if you are using a local proxy, or for general server hardening.
cacheTTL
- Type: number; Default: 30000
This defines the length of time (in milliseconds) that an authentication (a particular Authorization header or token) can be cached.
enableSessions
- Type: boolean; Default: true
This will enable cookie-based sessions to maintain an authenticated session. This is generally the preferred mechanism for maintaining authentication in web browsers as it allows cookies to hold an authentication token securely without giving JavaScript code access to token/credentials that may open up XSS vulnerabilities.
operationTokenTimeout
- Type: string; Default: 1d
Defines the length of time an operation token will be valid until it expires. Example values: https://github.com/vercel/ms.
refreshTokenTimeout
- Type: string; Default: 1d
Defines the length of time a refresh token will be valid until it expires. Example values: https://github.com/vercel/ms.
operationsApi
operationsApi
The operationsApi
section configures the HarperDB Operations API.
All the operationsApi
configuration is optional. Any configuration that is not provided under this section will default to the http
configuration section.
network
cors
- Type: boolean; Default: true
Enable Cross Origin Resource Sharing, which allows requests across a domain.
corsAccessList
- Type: array; Default: null
An array of allowable domains with CORS
domainSocket
- Type: string; Default: <ROOTPATH>/hdb/operations-server
The path to the Unix domain socket used to provide the Operations API through the CLI
headersTimeout
- Type: integer; Default: 60,000 milliseconds (1 minute)
Limit the amount of time the parser will wait to receive the complete HTTP headers with.
keepAliveTimeout
- Type: integer; Default: 5,000 milliseconds (5 seconds)
Sets the number of milliseconds of inactivity the server needs to wait for additional incoming data after it has finished processing the last response.
port
- Type: integer; Default: 9925
The port the HarperDB operations API interface will listen on.
securePort
- Type: integer; Default: null
The port the HarperDB operations API uses for HTTPS connections. This requires a valid certificate and key.
timeout
- Type: integer; Default: Defaults to 120,000 milliseconds (2 minutes)
The length of time in milliseconds after which a request will timeout.
tls
This configures the Transport Layer Security for HTTPS support.
certificate
- Type: string; Default: <ROOTPATH>/keys/certificate.pem
Path to the certificate file.
certificateAuthority
- Type: string; Default: <ROOTPATH>/keys/ca.pem
Path to the certificate authority file.
privateKey
- Type: string; Default: <ROOTPATH>/keys/privateKey.pem
Path to the private key file.
componentsRoot
componentsRoot
componentsRoot
- Type: string; Default: <ROOTPATH>/components
The path to the folder containing the local component files.
rootPath
rootPath
rootPath
- Type: string; Default: home directory of the current user
The HarperDB database and applications/API/interface are decoupled from each other. The rootPath
directory specifies where the HarperDB application persists data, config, logs, and Custom Functions.
storage
storage
writeAsync
- Type: boolean; Default: false
The writeAsync
option turns off disk flushing/syncing, allowing for faster write operation throughput. However, this does not provide storage integrity guarantees, and if a server crashes, it is possible that there may be data loss requiring restore from another backup/another node.
caching
- Type: boolean; Default: true
The caching
option enables in-memory caching of records, providing faster access to frequently accessed objects. This can incur some extra overhead for situations where reads are extremely random and don't benefit from caching.
compression
- Type: boolean; Default: true
The compression
option enables compression of records in the database. This can be helpful for very large records in reducing storage requirements and potentially allowing more data to be cached. This uses the very fast LZ4 compression algorithm, but this still incurs extra costs for compressing and decompressing.
compression.dictionary
Type: number; Default: null
Path to a compression dictionary file
compression.threshold
Type: number; Default: Either 4036
or if storage.pageSize
provided storage.pageSize - 60
Only entries that are larger than this value (in bytes) will be compressed.
compactOnStart
- Type: boolean; Default: false
When true
all non-system databases will be compacted when starting HarperDB, read more here.
compactOnStartKeepBackup
- Type: boolean; Default: false
Keep the backups made by compactOnStart.
maxTransactionQueueTime
- Type: time; Default: 45s
The maxTransactionQueueTime
specifies how long the write queue can get before write requests are rejected (with a 503).
noReadAhead
- Type: boolean; Default: false
The noReadAhead
option advises the operating system to not read ahead when reading from the database. This provides better memory utilization for databases with small records (less than one page), but can degrade performance in situations where large records are used or frequent range queries are used.
prefetchWrites
- Type: boolean; Default: true
The prefetchWrites
option loads data prior to write transactions. This should be enabled for databases that are larger than memory (although it can be faster to disable this for smaller databases).
path
- Type: string; Default: <rootPath>/schema
The path
configuration sets where all database files should reside.
Note: This configuration applies to all database files, which includes system tables that are used internally by HarperDB. For this reason if you wish to use a non default path
value you must move any existing schemas into your path
location. Existing schemas is likely to include the system schema which can be found at <rootPath>/schema/system
.
pageSize
- Type: number; Default: Defaults to the default page size of the OS
Defines the page size of the database.
tls
tls
The section defines the certificates, keys, and settings for Transport Layer Security (TLS) for HTTPS and TLS socket support. This is used for both the HTTP and MQTT protocols. The tls
section can be a single object with the settings below, or it can be an array of objects, where each object is a separate TLS configuration. By using an array, the TLS configuration can be used to define multiple certificates for different domains/hosts (negotiated through SNI).
certificate
- Type: string; Default: <ROOTPATH>/keys/certificate.pem
Path to the certificate file.
certificateAuthority
- Type: string; Default: <ROOTPATH>/keys/ca.pem
Path to the certificate authority file.
privateKey
- Type: string; Default: <ROOTPATH>/keys/privateKey.pem
Path to the private key file.
ciphers
- Type: string;
Allows specific ciphers to be set.
If you want to define multiple certificates that are applied based on the domain/host requested via SNI, you can define an array of TLS configurations. Each configuration can have the same properties as the root TLS configuration, but can (optionally) also have an additional host
property to specify the domain/host that the certificate should be used for:
Note that a tls
section can also be defined in the operationsApi
section, which will override the root tls
section for the operations API.
mqtt
mqtt
The MQTT protocol can be configured in this section.
port
- Type: number; Default: 1883
This is the port to use for listening for insecure MQTT connections.
securePort
- Type: number; Default: 8883
This is the port to use for listening for secure MQTT connections. This will use the tls
configuration for certificates.
webSocket
- Type: boolean; Default: true
This enables access to MQTT through WebSockets. This will handle WebSocket connections on the http port (defaults to 9926), that have specified a (sub) protocol of mqtt
.
requireAuthentication
- Type: boolean; Default: true
This indicates if authentication should be required for establishing an MQTT connection (whether through MQTT connection credentials or mTLS). Disabling this allows unauthenticated connections, which are then subject to authorization for publishing and subscribing (and by default tables/resources do not authorize such access, but that can be enabled at the resource level).
mlts
- Type: boolean | object; Default: false
This can be configured to enable mTLS based authentication for incoming connections. If enabled with default options (by setting to true
), the client certificate will be checked against the certificate authority specified in the tls
section. And if the certificate can be properly verified, the connection will authenticate users where the user's id/username is specified by the CN
(common name) from the client certificate's subject
, by default.
You can also define specific mTLS options by specifying an object for mtls with the following (optional) properties which may be included:
user
- Type: string; Default: Common Name
This configures a specific username to authenticate as for mTLS connections. If a user
is defined, any authorized mTLS connection (that authorizes against the certificate authority) will be authenticated as this user. This can also be set to null
, which indicates that no authentication is performed based on the mTLS authorization. When combined with required: true
, this can be used to enforce that users must have authorized mTLS and provide credential-based authentication.
required
- Type: boolean; Default: false
This can be enabled to require client certificates (mTLS) for all incoming MQTT connections. If enabled, any connection that doesn't provide an authorized certificate will be rejected/closed. By default, this is disabled, and authentication can take place with mTLS or standard credential authentication.
certificateAuthority
- Type: string; Default: Path from tls.certificateAuthority
This can define a specific path to use for the certificate authority. By default, certificate authorization checks against the CA specified at tls.certificateAuthority
, but if you need a specific/distinct CA for MQTT, you can set this.
For example, you could specify that mTLS is required and will authenticate as "user-name":
databases
databases
The databases
section is an optional configuration that can be used to define where database files should reside down to the table level. This configuration should be set before the database and table have been created. The configuration will not create the directories in the path, that must be done by the user.
To define where a database and all its tables should reside use the name of your database and the path
parameter.
To define where specific tables within a database should reside use the name of your database, the tables
parameter, the name of your table and the path
parameter.
This same pattern can be used to define where the audit log database files should reside. To do this use the auditPath
parameter.
Setting the database section through the command line, environment variables or API
When using command line variables,environment variables or the API to configure the databases section a slightly different convention from the regular one should be used. To add one or more configurations use a JSON object array.
Using command line variables:
Using environment variables:
Using the API:
Components
<name-of-component>
- Type: string
The name of the component. This will be used to name the folder where the component is installed and must be unique.
package
- Type: string
A reference to your component package.This could be a remote git repo, a local folder/file or an NPM package. HarperDB will add this package to a package.json file and call npm install
on it, so any reference that works with that paradigm will work here.
Read more about npm install here
port
- Type: number Default: whatever is set in http.port
The port that your component should listen on. If no port is provided it will default to http.port
Last updated