mirror of
https://github.com/infiniflow/ragflow.git
synced 2026-03-18 13:20:03 +08:00
184388879d
### What problem does this PR solve? Enterprise deployments that use an external Identity Provider (e.g., Microsoft Entra ID, Okta, Keycloak) need the ability to enforce SSO-only authentication by hiding the email/password login form. Currently, the login page always shows the password form alongside OAuth buttons, with no way to disable it. This PR adds a `disable_password_login` configuration option under the existing `authentication` section in `service_conf.yaml`. When set to `true`, the login page only displays configured OAuth/SSO buttons and hides the email/password form, "Remember me" checkbox, and "Sign up" link. The flag can be set via: - `service_conf.yaml` (`authentication.disable_password_login: true`) - Environment variable (`DISABLE_PASSWORD_LOGIN=true`) Default behavior is unchanged (`false`). ### Behavior | `disable_password_login` | OAuth configured | Result | |---|---|---| | `false` (default) | No | Standard email/password form | | `false` | Yes | Email/password form + SSO buttons below | | `true` | Yes | **SSO buttons only** (no form, no sign up link) | | `true` | No | Empty card (admin should configure OAuth first) | ### Type of change - [x] New Feature (non-breaking change which adds functionality) ### Files changed (5) 1. `docker/service_conf.yaml.template` — added `disable_password_login: false` under authentication 2. `common/settings.py` — added `DISABLE_PASSWORD_LOGIN` global variable and loader in `init_settings()` 3. `common/config_utils.py` — fixed `TypeError` in `show_configs()` when authentication section contains non-dict values (e.g., booleans) 4. `api/apps/system_app.py` — exposed `disablePasswordLogin` flag in `/config` endpoint 5. `web/src/pages/login/index.tsx` — conditionally render password form based on config flag; OAuth buttons always render when channels exist --------- Co-authored-by: Ahmad Intisar <ahmadintisar@Ahmads-MacBook-M4-Pro.local>
172 lines
5.2 KiB
Plaintext
172 lines
5.2 KiB
Plaintext
ragflow:
|
|
host: ${RAGFLOW_HOST:-0.0.0.0}
|
|
http_port: 9380
|
|
admin:
|
|
host: ${RAGFLOW_HOST:-0.0.0.0}
|
|
http_port: 9381
|
|
mysql:
|
|
name: '${MYSQL_DBNAME:-rag_flow}'
|
|
user: '${MYSQL_USER:-root}'
|
|
password: '${MYSQL_PASSWORD:-infini_rag_flow}'
|
|
host: '${MYSQL_HOST:-mysql}'
|
|
port: ${MYSQL_PORT:-3306}
|
|
max_connections: 900
|
|
stale_timeout: 300
|
|
max_allowed_packet: ${MYSQL_MAX_PACKET:-1073741824}
|
|
minio:
|
|
user: '${MINIO_USER:-rag_flow}'
|
|
password: '${MINIO_PASSWORD:-infini_rag_flow}'
|
|
host: '${MINIO_HOST:-minio}:9000'
|
|
bucket: '${MINIO_BUCKET:-}'
|
|
prefix_path: '${MINIO_PREFIX_PATH:-}'
|
|
# optional: set to true for HTTPS (SSL/TLS). Used by MinIO client and health check.
|
|
# secure: ${MINIO_SECURE:-false}
|
|
# optional: set to false to allow self-signed certificates (e.g. in development).
|
|
# verify: ${MINIO_VERIFY:-true}
|
|
es:
|
|
hosts: 'http://${ES_HOST:-es01}:9200'
|
|
username: '${ES_USER:-elastic}'
|
|
password: '${ELASTIC_PASSWORD:-infini_rag_flow}'
|
|
os:
|
|
hosts: 'http://${OS_HOST:-opensearch01}:9201'
|
|
username: '${OS_USER:-admin}'
|
|
password: '${OPENSEARCH_PASSWORD:-infini_rag_flow_OS_01}'
|
|
infinity:
|
|
uri: '${INFINITY_HOST:-infinity}:23817'
|
|
postgres_port: 5432
|
|
db_name: 'default_db'
|
|
oceanbase:
|
|
scheme: 'oceanbase' # set 'mysql' to create connection using mysql config
|
|
config:
|
|
db_name: '${OCEANBASE_DOC_DBNAME:-test}'
|
|
user: '${OCEANBASE_USER:-root@ragflow}'
|
|
password: '${OCEANBASE_PASSWORD:-infini_rag_flow}'
|
|
host: '${OCEANBASE_HOST:-oceanbase}'
|
|
port: ${OCEANBASE_PORT:-2881}
|
|
seekdb:
|
|
scheme: 'oceanbase' # SeekDB is the lite version of OceanBase
|
|
config:
|
|
db_name: '${SEEKDB_DOC_DBNAME:-ragflow_doc}'
|
|
user: '${SEEKDB_USER:-root}'
|
|
password: '${SEEKDB_PASSWORD:-infini_rag_flow}'
|
|
host: '${SEEKDB_HOST:-seekdb}'
|
|
port: ${SEEKDB_PORT:-2881}
|
|
redis:
|
|
db: 1
|
|
username: '${REDIS_USERNAME:-}'
|
|
password: '${REDIS_PASSWORD:-infini_rag_flow}'
|
|
host: '${REDIS_HOST:-redis}:6379'
|
|
user_default_llm:
|
|
default_models:
|
|
embedding_model:
|
|
api_key: 'xxx'
|
|
base_url: 'http://${TEI_HOST}:80'
|
|
# postgres:
|
|
# name: '${POSTGRES_DBNAME:-rag_flow}'
|
|
# user: '${POSTGRES_USER:-rag_flow}'
|
|
# password: '${POSTGRES_PASSWORD:-infini_rag_flow}'
|
|
# host: '${POSTGRES_HOST:-postgres}'
|
|
# port: 5432
|
|
# max_connections: 100
|
|
# stale_timeout: 30
|
|
# s3:
|
|
# access_key: 'access_key'
|
|
# secret_key: 'secret_key'
|
|
# region: 'region'
|
|
# endpoint_url: 'endpoint_url'
|
|
# bucket: 'bucket'
|
|
# prefix_path: 'prefix_path'
|
|
# signature_version: 'v4'
|
|
# addressing_style: 'path'
|
|
# oss:
|
|
# access_key: '${ACCESS_KEY}'
|
|
# secret_key: '${SECRET_KEY}'
|
|
# endpoint_url: '${ENDPOINT}'
|
|
# region: '${REGION}'
|
|
# bucket: '${BUCKET}'
|
|
# prefix_path: '${OSS_PREFIX_PATH}'
|
|
# signature_version: 's3'
|
|
# addressing_style: 'virtual'
|
|
# azure:
|
|
# auth_type: 'sas'
|
|
# container_url: 'container_url'
|
|
# sas_token: 'sas_token'
|
|
# azure:
|
|
# auth_type: 'spn'
|
|
# account_url: 'account_url'
|
|
# client_id: 'client_id'
|
|
# secret: 'secret'
|
|
# tenant_id: 'tenant_id'
|
|
# container_name: 'container_name'
|
|
# The OSS object storage uses the MySQL configuration above by default. If you need to switch to another object storage service, please uncomment and configure the following parameters.
|
|
# opendal:
|
|
# scheme: 'mysql' # Storage type, such as s3, oss, azure, etc.
|
|
# config:
|
|
# oss_table: 'opendal_storage'
|
|
# user_default_llm:
|
|
# factory: 'BAAI'
|
|
# api_key: 'backup'
|
|
# base_url: 'backup_base_url'
|
|
# default_models:
|
|
# chat_model:
|
|
# name: 'qwen2.5-7b-instruct'
|
|
# factory: 'xxxx'
|
|
# api_key: 'xxxx'
|
|
# base_url: 'https://api.xx.com'
|
|
# embedding_model:
|
|
# name: 'bge-m3'
|
|
# rerank_model: 'bge-reranker-v2'
|
|
# asr_model:
|
|
# model: 'whisper-large-v3' # alias of name
|
|
# image2text_model: ''
|
|
# oauth:
|
|
# oauth2:
|
|
# display_name: "OAuth2"
|
|
# client_id: "your_client_id"
|
|
# client_secret: "your_client_secret"
|
|
# authorization_url: "https://your-oauth-provider.com/oauth/authorize"
|
|
# token_url: "https://your-oauth-provider.com/oauth/token"
|
|
# userinfo_url: "https://your-oauth-provider.com/oauth/userinfo"
|
|
# redirect_uri: "https://your-app.com/v1/user/oauth/callback/oauth2"
|
|
# oidc:
|
|
# display_name: "OIDC"
|
|
# client_id: "your_client_id"
|
|
# client_secret: "your_client_secret"
|
|
# issuer: "https://your-oauth-provider.com/oidc"
|
|
# scope: "openid email profile"
|
|
# redirect_uri: "https://your-app.com/v1/user/oauth/callback/oidc"
|
|
# github:
|
|
# type: "github"
|
|
# icon: "github"
|
|
# display_name: "Github"
|
|
# client_id: "your_client_id"
|
|
# client_secret: "your_client_secret"
|
|
# redirect_uri: "https://your-app.com/v1/user/oauth/callback/github"
|
|
# authentication:
|
|
# client:
|
|
# switch: false
|
|
# http_app_key:
|
|
# http_secret_key:
|
|
# site:
|
|
# switch: false
|
|
# disable_password_login: false
|
|
# permission:
|
|
# switch: false
|
|
# component: false
|
|
# dataset: false
|
|
# smtp:
|
|
# mail_server: ""
|
|
# mail_port: 465
|
|
# mail_use_ssl: true
|
|
# mail_use_tls: false
|
|
# mail_username: ""
|
|
# mail_password: ""
|
|
# mail_default_sender:
|
|
# - "RAGFlow" # display name
|
|
# - "" # sender email address
|
|
# mail_frontend_url: "https://your-frontend.example.com"
|
|
# tcadp_config:
|
|
# secret_id: '${TENCENT_SECRET_ID}'
|
|
# secret_key: '${TENCENT_SECRET_KEY}'
|
|
# region: '${TENCENT_REGION}'
|