Configuration

This section describes the next steps after the installation has been performed.

This section makes frequent references to the main XDM configuration file. Make sure to familiarize yourself with the location, and the syntax rules for this file which are described under The main XDM configuration file.

License key

XDM needs a valid XDM version 3 license key to run.

The license key must be stored in a file called license.txt inside the XDM core configuration directory. The path to this directory is specified in the docker-compose.yml file. By default, XDM uses the directory xdm-config.

Create a new file license.txt in the xdm-config directory, then copy the contents of the license key into this file. This license key is provided by UBS Hainer GmbH.

Database configuration

XDM uses a PostgreSQL database to store information about its configuration. This includes the defined tasks, the history of task executions, your environment configuration, your user configuration, the cached object-containers, etc.

The default configuration starts a PostgreSQL database used for persistent storage. This is configured in the docker-compose.yml file.

If you prefer to use a different PostgreSQL system for your as administration database, you need to perform the following steps:

To set the seed, you must edit the file docker-compose.yml. In the section services→core-server→environment, add the following line:

  1. Edit the file docker-compose.yml.

  2. Add the following parameters to the section services→core-server/dataflow-server→environment in order to configure the location and credentials for the administration database:

admin.db.url=<your-jdbc-url>
admin.db.schema=<your-schema>
admin.db.user=<your-database-user>
admin.db.password=<your-database-password>
admin.db.driver=org.postgresql.Driver
admin.db.dialect=org.hibernate.dialect.PostgreSQL81Dialect
admin.db.url

:noindex: Specifies the JDBC URL of the PostgreSQL database that you want to use as administration database.

admin.db.schema

:noindex: Specifies the schema name. This is set to public by default.

admin.db.user

:noindex: Specifies the username that is used to access the database.

admin.db.password

:noindex: Specifies the password that is used to access the database.

The specified parameters must be added to both services core-server and dataflow-server

Creating database tables

By default, XDM automatically creates the administration tables and sequences in the specified database system if they do not exist yet. XDM also automatically migrates its administration tables to the latest version if it is necessary. Every time XDM starts, it will generate the DDL for all tables and sequences that are missing or changed and store it in the file 'admin-db-diff.sql' inside the data directory. Since this file is newly generated at each start, it only contains the latest changes made to the administration database. With this file, users can inspect the changes made to the database compared to the previously installed version.

The automatic creation and migration of the administration database can be disabled, as described in disable automatic database migration. But in this case, the administrator has to migrate the database himself with the generated 'admin-db-diff.sql' file. This file contains the SQL statements executed by the migration system. It is also possible that the database skips some migration steps that XDM would take at startup, which are too complicated to describe as plain SQL statements.

Database user

The user ID used to create these tables and sequences is specified by the parameter admin.db.user. This parameter is located in the file docker-compose.yml in the section services→core-server→environment.

The specified user ID must have the privilege to create tables and sequences inside the database.

Disable automatic database migration

To disable the automatic creation of the administration tables, edit the file docker-compose.yml, and specify the following line:

xdm.core.liquibase.enabled=false

After changing this setting, you must restart the XDM core service.

JDBC driver configuration

XDM uses the JDBC API to access the source and target databases of your tasks. You must provide suitable JDBC version 4.0 (or higher) drivers for all database systems that you plan to use as the source or target for XDM tasks.

XDM will search for JDBC drivers in the directory xdm-config/jdbc-drivers. Copy all required JDBC driver .jar files into this directory.

You can download JDBC drivers for different relational database systems on the websites of the respective database vendors. The following table shows the file names that are typically used by the database vendors. Note that vendors can choose different file names for future releases of their JDBC drivers.

XDM has a Postgres JDBC driver included in the distribution. This driver is used by default. It’s not necessary to add an extra Postgres JDBC driver to the driver directory.
Table 1. Typical JDBC driver file names(s) for different database systems
Database system Driver file name(s)

Db2 for Linux, UNIX, and Windows

db2jcc4.jar

Db2 for z/OS

db2jcc4.jar and db2jcc_license_cisuz.jar

Oracle

ojdbc7.jar

PostgreSQL

postgresql-<version>.jar

Microsoft SQL Server

mssql-jdbc-<version>.jre11.jar

MySQL

mysql-connector-java-<version>.jar

MariaDB

mariadb-java-client-<version>.jar

Google Big Query

GoogleBigQueryJDBC42.jar plus additional dependencies
When a new driver was added to the driver directory, the docker-composer of XDM must be restarted to register the new driver in XDM.

JDBC Driver configuration for Google Big Query

For being able to use the JDBC driver for Google Big Query that was mentioned above, it is necessary to add some additional dependencies. You can either add them directly into the driver directory or build a super JAR that consists of the actual JDBC driver for Google Big Query and all other necessary dependencies. The latter is recommended. The dependencies that have to be included are listed below.

  • google-api-client from group com.google.api-client (version 2.2.0)

  • google-auth-library-oauth2-http from group com.google.auth (version 1.16.0 or higher)

  • google-http-client-jackson2 from group com.google.http-client (version 1.43.1 or higher)

  • google-api-services-bigquery from group com.google.apis (version v2-rev20230210-2.0.0)

  • google-api-services-iamcredentials from group com.google.apis (version v1-rev20211203-2.0.0)

  • gax from group com.google.api (version 2.23.3 or higher)

  • google-cloud-bigquerystorage from group com.google.cloud (version 2.34.0)

  • guava from group com.google.guava (version 31.1-jre or higher)

  • avro from group org.apache.avro (version 1.11.1)

  • joda-time from group joda-time (version 2.12.5)

Driver directory

The directory where XDM searches for JDBC drivers can be configured with the property xdm.core.jdbc-driver-dir. The default directory is /xdm/config/jdbc-drivers/ which is used when no other value is specified. When changing the default, it must be specified in the environment sections of both, core and dataflow server. The following configuration shows the default setting.

xdm.core.jdbc-driver-dir=/xdm/config/jdbc-drivers/

Additional drivers to load

The property xdm.core.registered-jdbc-driver specifies a comma separated list of additional JDBC driver names to load. This property can only be used in the environment section of the dataflow server and the default is an empty list. IBM’s AS400 and IMS drivers are always implicitly added to this list. Specifying driver names is only necessary if the driver can not be automatically loaded, as it is the case for the two IBM drivers. The following line shows how a driver with the fully qualified name org.vendor.jdbc.someDriverName would be added to the list.

xdm.core.registered-jdbc-driver=org.vendor.jdbc.someDriverName

Certificate based authentication

In order to establish an encrypted connection via SSL, it is necessary to install single certificates or a complete certificate-chain. All installed certificates will be used by the core-server, dataflow-server and xdm-runner (batch parts). With the certificates XDM is able to establish an encrypted connection using a certificate to a database or authentication server.

Installation of certificates

The certificates must be located in a directory /xdm/certs/ which is mounted by XDM.

docker-compose

To do this, the following volume must be added to volumes in the docker-compose.yml for core-server and dataflow-server:

- <your-certificate-folder>:/xdm/certs/

Replace the variable <your-certificate-folder> in the above with the name of the folder that contains your certificates.

Verify imported certificates

The certificates get imported through the entry point script at the startup of the core-server, dataflow-server and xdm-runner. Check the logs of the respective service to verify that the certificates have been imported successfully. Check for the following log entry:

File '<file-name>' successfully installed as certificate '<certificate-alias>'.

Installation of certificates for microservices

Microservices like KafkaSource and KafkaSink may also use certificates, e.g, when the connection to the Kafka broker requires encryption. The installation for these services is similar to the other services (like the core-server) by using a volume mount for the certificates.

But there are two additional requirements:

  1. You should use a separate host directory for the volume mount. This avoids conflicts because the microservices use a different method to import the certificates.

  2. An additional file is needed in the same folder as the the certificates, which is described below.

This file must be named type and must have the content ca-certificates. Finally, in the environment section of the service a new entry SERVICE_BINDING_ROOT must be added. The complete configuration may look like the following:

environment:
  - SERVICE_BINDING_ROOT=/bindings
volumes:
  - <microservice-certificate-folder>:/bindings/certs

As an example, this is a valid content of the folder which is specified by <microservice-certificate-folder>

$ ls -1
ca.crt
type
$ cat type
ca-certificates
$ cat ca.crt
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

User management

Each user that intends to work with XDM needs to a username and a password. Username and password validation can either be performed by an LDAP server, OpenID provider or by using the internal user management of XDM.

LDAP configuration

XDM can use an LDAP server to authenticate users. The LDAP server controls which users exist and how they have to authenticate. The LDAP server also controls what roles a user is a member of.

To configure the connection to LDAP, you need to edit the file docker_compose.yml and add the following parameters to the section services→core-server:

ldap.url=ldap://<hostname>:<port>/<base_db>
ldap.search_filter=<filter>
ldap.search_base=<directory>
ldap.manager.user=<username>
ldap.manager.password=<password>
ldap.url

:noindex: Set <hostname> and <port> to the host name and port of your LDAP server. Set <base_db> to the distinguished name of the entry that is starting point of the search. You can use the ldaps protocol instead of ldap. Example: ldap://ldap.mycompany.com:389/dc=mycompany,dc=com

ldap.search_filter

:noindex: The search filter for the users. Example: uid={0}

ldap-search_base

:noindex: The LDAP directory from which each search will start. If left empty, searches can take longer. Typically, cn=Users is a good value for search_base.

ldap.manager.user

:noindex: The username for the LDAP server, if it requires a login

ldap.manager.password

:noindex: The password for the LDAP server, if it requires a login.

Optionally, you can also define the following group search properties:

ldap.group.search_base=<base>
ldap.group.search_filter=<filters>
ldap.group.search_base

:noindex: Defines the part of the directory tree, under which group searches should be performed.

ldap.group.search_filter

:noindex: The filter that is used to search for group membership. The default is uniqueMember={0}.

Details on the use of these properties can be found in the Spring LDAP documentation.

If you specify the username and password for the LDAP server in a plain text file, you should restrict access to this file using the access control mechanisms of your operating system to prevent unauthorized users from accessing the file.

To test your settings, you can use the ldapsearch utility. This utility is available in all Microsoft Windows Enterprise versions, and under Linux.

Use this command:

ldapsearch -x -h <ldap_host> -p <ldap_port> -D "<ldap_admin_user>" -w
"<ldap_admin_password>" -b "<base_dn>" "(cn=<user_name_to_lookup>)"

This command will establish a connection to the specified LDAP and retrieve information about the user specified under <user_name_to_lookup>.

SSL/TLS Configuration

In order to establish an encrypted connection via SSL to an LDAP server, further configuration is necessary. For this, one or more certificate is required for the client (core-server) to establish a connection to the LDAP server. The installation of certificates see chapter installation of certificates.

Example

Invoke the following command in a shell:

ldapsearch -x -h ldap.mycompany.com -p 3268 -D "myldapuser" -w "myldappassword" -b "dc=intranet,dc=mycompany,dc=com" "(cn=demouser)"

The result might look similar to this:

CN=demouser,CN=Users,DC=intranet,DC=mycompany,DC=com
objectClass=top
objectClass=person
objectClass=organizationalPerson
objectClass=user
cn=demouser
distinguishedName=CN=demouser,CN=Users,DC=intranet,DC=mycompany,DC=com
instanceType=4
whenCreated=20150729072952.0Z
whenChanged=20150729072952.0Z
displayName=demouser
uSNCreated=8201
memberOf=CN=Users,CN=Builtin,DC=intranet,DC=mycompany,DC=com
uSNChanged=8201
name=demouser
objectGUID=NOT ASCII
userAccountControl=544
primaryGroupID=513
objectSid=NOT ASCII
sAMAccountName=demouser
sAMAccountType=805306368
objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=intranet,DC=mycompany,DC=com
dSCorePropagationData=20150729073055.0Z
dSCorePropagationData=16010101000001.0Z

To get all the necessary groups for a user, the group search base and group search filter need to be set. Those filters should return a list of all groups in the LDAP the user belongs to, and the groups that should be used for group related permission settings in XDM.

The ldapsearch utility can be used as follows for a group search:

ldapsearch -h ldap.mycompany.com -p 3268 -D "myldapuser" -w "myldappassword" -b "dc=intranet,dc=mycompany,dc=com" "(&(&(objectClass=group)(member=CN=U123456,OU=Users,dc=intranet,dc=mycompany,dc=com))(name=XDM*))"

This searches for all groups the user U123456 belongs to, and the group name starts with XDM

Internal user management

XDM offers a built-in user management system that allows you to maintain the usernames, passwords, and roles in a plain text file. Each line represents a separate user and must have the following format:

<user_name>;{<hash_method>}<password>;<roles>;<full_name>;<email>
user_name

Specifies the name of the user.

hash_method

Specifies the hash method for the password. This must be one of the following values:

  • argon2 - Argon2 password hash

  • bcrypt - BCrypt password hash

  • ldap - LDAP SHA password hash

  • MD4 - MD4 password hash

  • MD5 - MD5 password hash

  • noop - Plain text

  • SHA-1 - SHA-1 password hash

  • SHA-256 - SHA-256 password hash

    password

    Specifies the hash sum of the password of the user. The password must be hashed with the previously specified hash method.

    roles

    Specifies a list of roles for that user. These roles can be used later while granting permissions.

    full_name

    The full name of the user. This property is used to identify the user in the graphical user interface. The full name is displayed in the user settings and is used to synchronize the display name of a permission recipient.

    This field is optional, but required if the e-mail is to be specified.

    email

    The e-mail address of the user. The e-mail address can be accessed in the various Java Scripts / Groovy scripts.

    This field is optional, but required if the full name of the user is to be specified.

Setup

The user file must be created in the XDM configuration directory.

If you manage the credentials of the XDM users in a plain text file, you should restrict access to this file using the access control mechanisms of your operating system to prevent unauthorized users from accessing the file.

After you have created the text file, add a new parameter file.user to the configuration file docker-compose.yml by adding the parameter to the section services→core-server→environment.

Example

The following example defines a user with the name hugo, and the password test. An MD5 hash of the password is used. This user has the role ADMIN.

Assume that the name of the file that stores the usernames, passwords and roles is my-users.txt, and that it is located in the directory /xdm/config. To register that file, add the following line to the file docker-compose.yml to the section services→core-server→environment.:

file.user=/xdm/config/my-users.txt

The file my-users.txt contains the following line:

hugo;{MD5}098f6bcd4621d373cade4e832627b4f6;ADMIN,EDITOR
To obtain the MD5 hash of the password test, you can execute the following command in a Linux or UNIX shell that has access to the md5sum program: echo -n test | md5sum.
Furthermore, echo -n test | openssl dgst -md5 will also show the MD5 hash value of the password. Replacing md5 with another hash, sha256 for example, shows the hash value using this hash.

OpenID connect authentication configuration

XDM supports the user authentication with an external OpenID Connect provider. XDM forwards login requests to the configured OpenID Connect provider and the user needs to log in at that system. After a successful login the OpenID system redirects to XDM. These settings must be configured with options that are described in this section.

As a prerequisite for using an OpenID provider with XDM, some information must be set and defined in the provider. Here the corresponding client to be used for the authentication within XDM must be defined and configured.

Parallel to the OpenID Connect authentication, the internal user management or LDAP authentication can also be used. When only OpenID Connect authentication should be used, it is possible to deactivate the internal user management by setting the internal user management property file.user to an empty value.

To configure the connection to an OpenID Connect provider, you need to edit the file docker_compose.yml. Add the following lines to environment in the core-server configuration block.

environment:
- [...]
- spring.security.oauth2.client.registration.<provider>.client-id=<your client id>
- spring.security.oauth2.client.registration.<provider>.client-name=<your client name>
- spring.security.oauth2.client.registration.<provider>.redirect-uri=<your xdm uri>
- spring.security.oauth2.client.registration.<provider>.client-secret=<your client secret>
- spring.security.oauth2.client.registration.<provider>.scope=openid
- spring.security.oauth2.client.registration.<provider>.authorization-grant-type=authorization_code

- spring.security.oauth2.client.provider.<provider>.issuer-uri=<your issuer uri>
- spring.security.oauth2.client.provider.<provider>.user-name-attribute=<preferred user name attribure>
- spring.security.oauth2.client.provider.<provider>.user-info-uri=<your user info URI>
- spring.security.oauth2.client.provider.<provider>.jwk-set-uri=<your JWKS URI>
- spring.security.oauth2.client.provider.<provider>.token-uri=<your token URI>
- spring.security.oauth2.client.provider.<provider>.authorization-uri=<your authorization URI>
client-id

:noindex: The ID that uniquely identifies the client.

client-name

:noindex: A descriptive name used for the client. The name is displayed in the login page.

redirect-uri

:noindex:

The client’s registered redirect URI that the authorization server redirects the end-user’s user-agent to, after the end-user has authenticated and authorized access to the client. Typically, this is set to <base-url>/api/login/oauth2/code/<provider-name> where <base-url> is the base URL of your XDM installation.

client-secret

:noindex: Client specific secret. If not specified, it’s supposed to be a public OpenID Connect provider.

scope

:noindex: Sets the scope used for the client. Must be openid for the OpenID Connect protocol.

authorization-grant-type

:noindex: Authorization grant type specifies the method that the client uses to obtain an access token. Valid values are:

  • authorization_code

  • client_credentials

  • jwt_bearer

  • password

  • refresh_token

issuer-uri

:noindex: The URI used to initially configure a ClientRegistration using discovery of an OpenID Connect provider’s configuration endpoint.

user-name-attribute

:noindex: The name of the attribute returned by the ID-token or by the UserInfo response that references the name or identifier of the end-user. Common values are: name, preferred_username, given_name or family_name.

user-info-uri

:noindex: The URI for the user info endpoint which provides additional details about the user.

jwk-set-uri

:noindex: The URI for the JSON Web Key (JWK) Set endpoint.

token-uri

:noindex: The URI for the token endpoint.

authorization-uri

:noindex: The URI for the authorization endpoint.

xdm.core.ui.serverUri

:noindex: The base URL of your XDM installation. This is the URL that users will use to access XDM in their web browser.

The Spring Security properties are prefixed with spring.security.oauth2.client.registration, followed by the client name and the name of the client property. The client name represents the name specified in the OpenID Connect provider.

The provider has to embed the user role names inside the access token resource_access or realm_access claims within a list of strings named roles. When using the resource_access, claim the entity roles must be embedded in a sub-entry whose name is defined by the value of the azp entity.

Microsoft’s Azure Active Directory deploys the roles within the ID-token.

Each role name has to be written in uppercase prefixed with ROLE_. This prefix is a requirement of the spring security framework and won’t be visible to users who will see only the role name without this prefix. If the provider doesn’t define a role for a user, no default role is specified.

Example access token content with the definition of three roles:

{
  ...
  "azp": "xdm",
  ...
  "realm_access": {
    "roles": [
      "ROLE_GLOBAL_ADMIN"
    ]
  },
  ...
  "resource_access": {
    "xdm": {
      "roles": [
        "ROLE_XDM_ADMIN",
        "ROLE_OTHER"
      ]
    }
  },
  ...
}

The redirect URI must be a valid link to which a browser can redirect after a successful login.

Example: https://xdm-ui:4280

Example configuration for the identity and access management client Keycloak:

environment:
- [...]
- spring.security.oauth2.client.registration.keycloak.client-id=xdm
- spring.security.oauth2.client.registration.keycloak.client-name=Keycloak
- spring.security.oauth2.client.registration.keycloak.scope=openid
- spring.security.oauth2.client.registration.keycloak.redirect-uri=https://xdm-ui:4280/api/login/oauth2/code/keycloak
- spring.security.oauth2.client.provider.keycloak.issuer-uri=https://keycloak.dev/auth/realms/xdm-test
- spring.security.oauth2.client.provider.keycloak.user-name-attribute=preferred_username
- xdm.core.ui.serverUri=https://xdm-ui:4280
If the OpenID provider and also a context path is configured, you need to change the ` xdm.core.ui.serverUri` accordingly. For example, if the context path is set to /xdm/, adjust ` xdm.core.ui.serverUri` in the core-service section to https://xdm-ui:4280/xdm/ and the redirect-uri to https://xdm-ui:4280/xdm/api/login/oauth2/code/keycloak.

To set the XDM credential panel to be visible initially if an OpenID Provider is configured for an XDM installation, add the following line in the section services→web-ui→environment:

always_open_login_panel=true

User name

LDAP and OpenID authenticators provide additional user information upon successful login. This information can be used to adapt the username to a more meaningful value. By default, the 'givenName' property is used, but the following properties can also be used:

LDAP attributes:

carLicense, departmentNumber, description, destinationIndicator, displayName, employeeNumber, givenName, homePhone, homePostalAddress, initials, mail, mobile, o, ou, postalAddress, postalCode, roomNumber, sn, street, telephoneNumber, title, uid

OAuth2 claims:

birthdate, email, family_name, gender, given_name, locale, middle_name, name, nickname, picture, preferred_username, profile, updated_at, website, zoneinfo

Obviously, not all possible properties will provide a better username. Furthermore, it depends on the authentication provider which properties are available and have a value.

When another property instead of the default should be used, add the key xdm.user.full-name-property in the section services→core-server→environment and specify the property name. The following line will change the displayed username to the user’s family name:

xdm.user.full-name-property=family_name

Login group

Specifies a role to which the usage of XDM will be limited. This property enables the administrator to define a list of roles, which will restrict the access to XDM. In order to use XDM, an authorized user has to be a member of one of these roles. By default, all authorized users are able to use XDM.

Example

With the following property definition all authorized users have to be a member of either XDM_USER_GROUP or XDM_TESTER_GROUP.

xdm.required-user-role=XDM_USER_GROUP,XDM_TESTER_GROUP

Configuring unauthorized user login message

This setting controls the message that is displayed if a user tried to log in, that is not a member of the roles specified by the property xdm.required-user-role. By default, the following message will be displayed: Missing one of the following roles: <roles set in xdm.required-user-role>

Example

With the following property definition, all unauthorized users will get the following message on the login screen: Login has currently been restricted to Admins only. XDM_USER_GROUP,XDM_TESTER_GROUP

This message is always extended by all roles that were specified in the environment variable 'xdm.required-user-role'.

xdm.required-user-role.message="Login has currently been restricted to Admins only."

Configuring the administrative role

Adjust the name of the administrator role

Sets the names of the administrator role. The default name of the administrator role is ADMIN. When specifying multiple administrator roles, then use a comma separated list. This can be set to conform to your naming conventions. Every user who is in one or more of the roles in this list, will receive administrative privileges in XDM.

Example

To change the name of the administrator role to SYSADM, the following line must be added to docker-compose.yml and specify the following parameter in the section services→core-server→environment:

xdm.core.admin.role=SYSADM

Adjust the permissions for the administrator role

Users that have administrative privileges in XDM can read and create all XDM objects and can grant privileges to other non-administrative users. The privileges of the administrative users can be customized with this property. One or more entries of the following options can be specified:

Privilege Description

READ

Allows administrators to see objects in lists, to see details about objects, and to request a data shop order.

WRITE

Allows administrators to modify attributes of an object.

DELETE

Allows administrators to delete an object.

CREATE

Allows administrators to create new objects in a list.

EXECUTE

Allows administrators to execute or schedule a task or workflow template, and to place a data shop order.

ADMINISTRATION

Allows administrators to grant permissions for an object to other users.

SOURCE USAGE

Allows an environment or a connection to be used as the source of a task.

TARGET USAGE

Allows an environment or a connection to be used as the target of a task.

BROWSE

For connections only. Allows administrators to see the contents of tables in the schema browser, and in the output of XDM tasks that provide a data preview.

APPLY SQL

For connections only. Allows administrators to execute SQL statements for tables in the schema browser, and in the output of XDM tasks that provide a data preview.

DIAGNOSE

For task templates, tasks, workflow templates and workflows only. Allows users to see diagnostic data like stage outputs or batch reports.

SCRIPT

For credentials only. Allows the usage of this credential in a task stage hook.

MODIFY DATA

For data reservation only. Allows modification of a data reservation.
Example

To adjust the permissions for the admin role, the following line must be added to docker-compose.yml. Please add the line in the section services→core-server→environment and specify the permissions of the admin role.

In this example, the admin role permissions have been limited to read and administration. So any user who has the admin privileges can only read any object and assign rights to other non-administrative users.

xdm.admin-default-permissions=READ,ADMINISTRATION

Data shop purchaser role

Specifies the role, of which the members will be treated as data shop users. These users don’t need full access to all functions of XDM and will receive a customized UI with which they can more easily order test data and see the results of their orders. When specifying multiple purchaser roles, then use a comma separated list.

The system property xdm.core.purchaser.role must be specified in the docker-compose.yml file of the XDM installation. Please add the line in the section services→core-server→environment and specify the role of the data shop users.

All users in this role are only able to use the web interface with reduced functionality. See description of purchaser layout for more details and recommended permission settings for data shop purchaser users.

xdm.core.purchaser.role=<purchaser-role-name>

Adjust the permissions for the purchaser role

The permissions of the purchaser users can be adjusted with this property. The default setting of the property is READ and DELETE. This property is applied when a user from the purchaser role requests a data shop. The permissions set in the property are applied to the resulting execution. One or more entries of the following options can be separated by comma:

Privilege Description

READ

Allows purchaser to see objects in lists, to see details about objects, and to request a data shop order.

WRITE

Allows purchaser to modify attributes of an object.

DELETE

Allows purchaser to delete an object.

ADMINISTRATION

Allows purchaser to grant permissions for an object to other users.

BROWSE

For connections only. Allows purchaser to see the contents of tables in the schema browser, and in the output of XDM tasks that provide a data preview.

DIAGNOSE

For task templates, tasks, workflow templates and workflows only. Allows purchaser to see diagnostic data like stage outputs or batch reports.
Example

To adjust the permissions for the purchaser role, the following line must be added to docker-compose.yml. Please add the line in the section services→core-server→environment and specify the permissions of the purchaser role.

In this example, the read permissions are set for all executions executed by a purchaser user.

xdm.purchaser-default-permissions=READ

System object role

Specifies a role, that will be able to see and use the pre-defined matchers, comparable fields, and modification methods, that XDM ships with. By default, access to these pre-defined entities is restricted to the system, and only users with administrative permissions are able to see, use and change them.

Users that are a member of the specified role will be able to see and use the pre-defined matchers, comparable fields, and modification methods, however they will not be able to change them. These objects can only be changed by users with administrative permissions.

To allow read access from a different role, customize the docker-compose.yml file and specify the following parameter in the services→core-server→environment section:

xdm.core.system-objects.role=<user-role-name>

Time zone

This property specifies the timezone of the XDM docker containers. The default is Europe/Berlin. If the XDM installation should use a different time zone specify one of the following values:

Table 2. Time zone names (not exhaustive)
Name Description

UTC

Coordinated Universal Time

US/Pacific

United States Pacific Time (UTC-08:00)

US/Mountain

United States Mountain Time (UTC-07:00)

US/Central

United States Central Time (UTC-06:00)

US/Eastern

United States Eastern Time (UTC-05:00)

Europe/London

Western European Time (UTC+00:00)

Europe/Berlin

Central European Time (UTC+01:00)

Europe/Vilnius

Eastern European Time (UTC+02:00)

Asia/Tel_Aviv

Israel Standard Time (UTC+02:00)

Asia/Tokyo

Japan Standard Time (UTC+09:00)

To use a different time zone, specify the TZ parameter in the docker-compose.yml file as follows:

- TZ=<time_zone>
To display the current time zone of a Linux or UNIX server, run the following command in a shell: cat /etc/timezone

If the above customization don’t change the timezone of the XDM containers it might be necessary to mount the /etc/localtime file of the host system to the docker containers. This is only possible on UNIX systems.

The docker-compose.yml file already contains this volume for the core-server, dataflow-server and xdm-ui container. You just need to remove the comments in front of the volume specification, e.g.:

volumes:
  - /etc/localtime:/etc/localtime:ro

HTTP settings

Changing the TCP port

By default, the XDM user interface is accessible on TCP port 4280, which is the default port for the HTTP protocol.

To change the TCP port number for the XDM user interface, edit the file docker-compose.yml and locate the section services → web-ui → ports. The value of this parameter is a list of port mappings that contains one entry. This entry is a string, enclosed in apostrophes, that contains the external and the internal port numbers, separated by a colon.

The internal port number is 80 and must not be changed. The default value for the external port number is 4280. You can change the external port number to any value that does not cause conflicts with other services that are running on the same system.

Example

To change the TCP port number for the XDM user interface to 4281, change the entry so that it looks like this:

    web-ui:
        [...]
        ports:
            - '4281:80'

Using SSL encryption

Using Self-Signed Certificates

XDM uses the HTTP protocol both for the interactive web interface and for the internal communication between the different modules of the product. In addition to standard HTTP, it is also possible to use the encrypted HTTPS protocol.

It is recommended to use HTTPS in a productive environment. To set up HTTPS, you need to configure a certificate store (key store) for the server. The following example illustrates how to create a PKCS key store using the Java keytool command:

keytool -genkey -alias xdm3 -storetype PKCS12 -keyalg RSA -keysize 2048 -keystore xdm3-keystore.p12 -validity 3650 -ext "SAN:c=IP:127.0.0.1,DNS:localhost,DNS:dataflow-server,DNS:core-server"

After creating the key store edit the docker-compose.yaml file and add the following SSL configuration in core-serverenvironment and dataflow-serverenvironment.The value of the parameter ssl.key-store-password must be set to the password that you entered when the key store was created.

server.ssl.key-store=/xdm/config/xdm3-keystore.p12
server.ssl.key-store-password=mypassword
server.ssl.keyStoreType=PKCS12
server.ssl.keyAlias=xdm3
spring.cloud.dataflow.client.skip-ssl-validation=true
server.ssl.key-store

The path to the root key store on the execution server

server.ssl.key-store-password

The key store password specified during key store creation

server.ssl.keyStoreType

The type of the key store. PKCS12 is the standard format.

server.ssl.keyAlias

If the key store was created with the keytool command, this must be the value of the -alias parameter. If the key store was created with OpenSSL, then this is the value of the -name parameter in the command.

spring.cloud.dataflow.client.skip-ssl-validation

Using this parameter, the dataflow server will accept any (self-signed) SSL certificate.

The generated file xdm3-keystore.p12 must be copied into the mounted volume /xdm/config.

Using HTTPS for internal communication

To enable the HTTPS protocol for the internal communication between the XDM modules, edit the file docker-compose.yml. You must change the protocol from http to https in three locations:

  1. services → core-server → environment → spring.cloud.dataflow.client.serverUri

  2. services → web_ui → environment → xdm_core_serverUri

  3. services → dataflow_server → environment → xdm_core_serverUri

Using HTTPS for the web interface

The internal web server of the UI image is pre-configured to serve HTTP on port 80 and HTTPS on port 443 using a self-signed certificate.

These ports can be configured using the environment variables http_port and https_port.

To enable the HTTPS protocol for the XDM web interface, edit the file docker-compose.yml and make the following changes:

  1. Under services → web-ui → ports, change the internal port number from 80 to 443 (port 443 is the default port for the HTTPS protocol. If desired, you can use a different port number). The internal port number will be different if you changed https_port.

To replace the default certificate with a certificate matching your internal names, make the following change: . Under services → web-ui → volumes, mount the volume that contains the key and certificate file. The mount point must be /xdm/certificates. You may have to add the section volumes if it does not exist yet.

Example

A complete setup for the section web-ui in the file docker-compose.yml might look as follows:

web-ui:
        image: docker.ubs-hainer.com/xdm3-ui
        ports:
            - '4280:443'
        environment:
            - TZ=Europe/Berlin
            - xdm_core_serverUri=http://core-server:8000/api/
            - https_key_file=/xdm/certificates/xdm.key
            - https_certificate_file=/xdm/certificates/xdm.crt
        depends_on:
            - core-server
        volumes:
            - ./certificates:/xdm/certificates

The local directory ./certificates must contain the key file xdm.key and the certificate file xdm.crt.

AI Assistance Configuration

The AI Assistance service provides support to users by writing scripts like modification methods in XDM, by using a LLM.

To use the AI assistance features of XDM, the AI assistance service must be configured in the docker-compose.yml file.

ai-assistance:
        image: docker.ubs-hainer.com/xdm3-ai-assistance:latest
        environment:
            - TZ=Europe/Berlin
            - spring.ai.openai.api-key=<openai-api-key>
To use this feature, the AI_ASSISTANCE component must be licensed.

Environment Names and Colors

Name

Sets the environment name for the XDM installation. Each XDM installation can have a specific environment name that is displayed in the UI. This makes it easier to differentiate between different XDM installations, for example for a production and test environment.

To set the environment name for an XDM installation, edit the file docker-compose.yml. In the section services→web-ui→environment, add the following line:

environment_name=<environment-name>

Color

Set the primary color of the XDM UI. It is recommended to use a different coloring for the different XDM installations. This setting can have the following options:

  • violet

  • red

  • blue

  • gray

  • green

The columns above are predefined colors working fine with other colors and texts in the UI.

Alternatively, you can use a valid CSS color definition, see Color palette and Color syntax for more information. Please consider that the text for the menu entries is always white, so the color should be chosen accordingly. For color names from CSS that are equal to the predefined colors, the predefined colors will be used. Use RGB or hex code color definitions for custom colors.

Additionally, the secondary column, which is used for the background of the side menu footer, can be set using CSS color definitions with the variable secondary_environment_color. The default secondary color is black.

To set the environment color for an XDM installation, edit the file docker-compose.yml. In the section services→web-ui→environment, add the following line:

environment_color=<environment-color>

Internal contact

The About page which is accessible via the System menu on the right-hand side of the head bar shows both the version number and the contact details for UBS Hainer support. UBS Hainer is shown as vendor on this page and also per default in prompts in dialogs.

If an internal contact person from the own company is to be contacted first before UBS Hainer support in the event of problems, this can be defined via an environment variable. This contact person is then also linked if there is a prompt in a dialog, for example in the task execution export, to contact them If problems occur.

To set the internal contact information for an XDM installation, edit the file docker-compose.yml. In the section services→web-ui→environment, add the following line:

contact_information=<team-name> <br> <mail-or-link>

The internal contact information supports Markdown to layout the text.

Example

contact_information=My Team <br> help@myteam.com

Serving under a context path

Depending on the environment in which XDM is running, it might be desirable to configure a context path under which the XDM user interface can be accessed.

The context path must start with a forward slash but must not end with a forward slash. It is also possible to configure multiple path elements.

If XDM is installed on the machine testdataserver, uses SSL encryption with the default port, and the context path is set to /xdm, then the user interface can be accessed under the following URL:

https://testdataserver/xdm/
Accessing the user interface will only work if a forward slash is present at the end of the URL.

To set a context path, edit the file docker-compose.yml. In the section services→web-ui→environment and add the following line:

xdm_context_path=xdm/

When using openID authentication, the context path must also be set in the OpenID connect authentication configuration.

JSON Web Token (JWT)

XDM uses JSON Web Tokens to authorize users of the HTTP REST end points.

Token expiration time

Login token

Specifies how many minutes the JWT token is valid. This token is generated by XDM, After a user has logged in. By default, the expiration time is 120 minutes.

To change the expiration time for JSON Web Tokens that XDM uses, edit the file docker-compose.yml, add the following parameters to the section services → core-server → environment:

xdm.core.jwt.token.expire-time=<expiration-time>

Execution token

Specifies the expiration time of the execution token. This is used to authenticate executions between core and dataflow. The default expiration time of this JWT is 1440 minutes.

To change the valid time for JSON Web Tokens that XDM uses, edit the file docker-compose.yml, add the following parameters to the section services → core-server → environment:

xdm.jwt.token-valid-time=<expiration-time>

The expiration time is specified in minutes.

Secret

Specifies the secret, with which the JWT token is generated and encrypted.

To change the secret for JSON Web Tokens that XDM uses, edit the file docker-compose.yml, add the following parameters to the section services → core-server → environment:

xdm.core.jwt.secret=<your-secret>
The secret must have at least 32 characters.

After changing the secret, you must restart the XDM core service for the change to take effect. After restarting the core service, all generated JWT tokens will be encrypted with the new secret.

Once a secret has been assigned for the JWT, it should not be changed since scheduled tasks use tokens for communication between the core server and the dataflow server. These tokens are created at the time when the task is scheduled. If the secret is changed, the already scheduled task will run into an error.

Password encryption

Specifies a seed that is used to encrypt passwords.

XDM stores users and passwords. These credentials are used during a task execution to authorize against source and target database systems.

By default, the passwords are not encrypted, but rather stored as plain text in the XDM admin database.

After the seed was specified, XDM will encrypt all existing passwords stored in the database after a restart of the XDM core service. All newly created passwords will be encrypted automatically.

If the seed is changed, all previously stored passwords become invalid.

To set the seed, you must edit the file docker-compose.yml. In the section services→core-server→environment, add the following line:

xdm.core.security.seed=<your-seed>

In the section of services→dataflow-server→environment, add the following line:

xdm.core.security.seed=<your-seed>

Once the seed is set in the docker-compose.yml file, XDM will encrypt all existing passwords stored in the database after a reboot. All newly created passwords will be encrypted automatically.

If the seed is changed, all previously stored passwords become invalid.

Activity stream maximal days

By default, XDM shows all changes within the last 60 days using the activity stream. However, this period can be customized.

To customize the maximum period, you must edit the file docker-compose.yml. In the section services→core-server→environment, add the following line:

xdm.activity-stream.max-days=<days>

Data type conversion

By default, scripts which use custom parameters of type boolean or number represent them as strings. For example, to compare a boolean custom parameter, users have to use an expression like:

booleanCustomParameter == 'true'

When activated, these custom parameters now are of the corresponding type and can be treated as such in the scripts. The expression above can now be:

booleanCustomParameter == true

Data type conversion is activated by placing the following line in the environment section of both core- and dataflow-server:

xdm.core.data-type-conversion=true
Existing scripts which use custom parameters of type boolean or number, may not work properly after data type conversion has been enabled and should be checked in order to maintain functionality.

Installation of lookup tables

If you want to use the masking feature of XDM, you need to install the XDM lookup tables. These lookup tables provide a pre-defined set of first and last names, addresses and banking information. The lookup tables are used by the pre-defined XDM masking methods.

Follow these steps to install the lookup tables:

  1. Download the lookup tables from https://products.ubs-hainer.com/downloads/XDM3/Lookup-Tables-2.3.232/XDM3_Lookup_Tables.zip

  2. Unzip the downloaded file. The ZIP file contains the file h2:default.mv.db.

  3. Create a mapping table container in XDM. To do this, go to the mapping table container list in the user interface and click on Create

  4. Now enter the name XDM Lookup Table for the mapping table container and the variable name lookupTable to use the default configuration of the downloadable configuration examples in the user manual.

  5. The credential required is one with the user sa and an empty password. If you have already created one, select it. Otherwise, create one by pressing the + button.

  6. Now open the object by clicking Create and edit. You can now upload the actual mapping table using the Upload button. To do this, click on Upload and select the previously downloaded and unpacked h2:default.mv.db and upload it. This may take a moment depending on the size of the file and the network speed.

  7. When the upload is complete, save the mapping table container object.

Automatic cleanup of old files

XDM can automatically delete task and workflow executions and associated work files. You can specify a retention period, after which log files and other files associated with a specific execution are deleted.

By default, the automatic cleanup function is not enabled. To activate the automatic cleanup function, edit the file docker-compose.yml.

In the section services→core-server→environment, add the following line:

xdm.core.executionRetentionPeriod=<duration>

Syntax for time periods

Time can be specified in XDM as a duration or as a period. A duration is used when the user has to specify a shorter time range in the size of minutes, hours or days. Periods define longer time ranges in days, months or years. Both are based on the ISO 8601 format.

Syntax for time duration

The duration has the following syntax:

P<n>DT<n>H<n>M<n>S

The 'P' designator is required at the beginning of the expression. After it the expression <n>'D' can be placed but this is optional. The following section has to begin with a 'T' and starts the definition of a time. If there is no time section, the 'D' section must be provided. A time has to be specified by hours, minutes and seconds and at least one of them must be given if the 'T' is present. The order of the sections is important and must not be interchanged. Skipping sections is allowed.

<n> must be replaced by the value for each of the date and time elements that follow the <n>. Leading zeros are not required.

  • P is the duration designator (for period) placed at the start of the duration representation.

    • D is the day designator that follows the value for the number of days.

  • T is the time designator that precedes the time components of the representation.

    • H is the hour designator that follows the value for the number of hours.

    • M is the minute designator that follows the value for the number of minutes.

    • S is the second designator that follows the value for the number of seconds.

Table 3. Sample settings
Value Result

P5D

5 days

PT3H

3 hours

PT4M

4 minutes

P2DT3H4M

2 days, 3 hours, and 4 minutes

More details can be found at the Java API documentation of the Duration.parse() method.

Syntax for time period

The period has the following syntax:

P<n>Y<n>M<n>W<n>D

The 'P' designator is required at the beginning of the expression. After it there are 4 sections, each consisting of a number and a suffix. At least one of these sections must be specified. The order of the sections is important and must not be interchanged. Skipping sections is allowed.

In the expression above, <n> must be replaced by the value for each of the date and time elements that follow the <n>. Leading zeros are not required.

  • P is the duration designator (for period) placed at the start of the duration representation.

    • Y is the year designator that follows the value for the number of years.

    • M is the month designator that follows the value for the number of months.

    • W is the week designator that follows the value for the number of weeks.

    • D is the day designator that follows the value for the number of days.

Table 4. Sample settings
Value Result

P2Y

2 years

P3M

3 months

P4W

4 weeks

P5D

5 days

P1Y2M3W4D

1 year, 2 months, 3 weeks and 4 days

More details can be found at the Java API documentation of the Period.parse() method.

For very short retention periods, it is possible that the cleanup process for a task execution is triggered before the task execution has finished. In this case, XDM will wait for the task to finish before attempting to clean up again.

By default, the wait time before another cleanup attempt is made is 10 seconds. The wait time in seconds can be customized by specifying the following parameter:

xdm.core.cleanupWaitTime=<seconds>

When a task or a task template is deleted, the default behavior of XDM is to retain the task work files and logs. If you want XDM to delete these files when a task or a task template is deleted, specify the following parameter:

xdm.core.cleanup-executions-on-task-delete=true

If the parameter is missing, or if it is set to false, XDM will not delete any task work files or logs when a task or a task template is deleted.

Limit the number of concurrent running tasks

XDM allows parallel execution of tasks, hence several processes run on the dataflow server at the same time. Since the computing capacity of the dataflow server is not unlimited, the maximum number of parallel running tasks should be restricted.

Specify the parameter to limit the number of concurrent running tasks. It controls how many tasks can run simultaneously. As soon as more task executions are triggered than the maximum allowed, the surplus tasks are collected in a queue and processed sequentially as capacity allows.

This parameter must be specified in the docker-compose.yml file. It must be set in the environment section of the core-server.

The default value for the parameter is 5. A value of 0 indicates that no task executions are queued. In this case each task execution is executed immediately.

Due to technical reasons, the maximum number of concurrent tasks in the dataflow server is 20. Therefore, the maximum value for this parameter is 20. A higher value has no effect on the number of parallel executed tasks and can lead to dataflow aborts. 
xdm.core.execution.concurrent-tasks=<tasks>

Depending on this parameter, the following parameter must be set in the dataflow server configuration. It controls the number of open connections from the dataflow service to the admin database. Each active execution requires one open connection. As a general rule, use the number of concurrent tasks + 5.

For example, if the parameter xdm.core.execution.concurrent-tasks is set to 10 the value of the maximumPoolSize should be 15.

spring.datasource.hikari.maximumPoolSize=15

Define the execution cleanup process interval

The executionRetentionPeriod setting defines a period of time that controls how long an execution should be kept after it is automatically deleted. This setting can be configured globally, at template level or for specific tasks/workflows.

The cron expression controls the execution of the process that cleans up the expired executions. It specifies what time the process that deletes old executions runs. All executions older than the specified executionRetentionPeriod will be deleted by this process.

By default, the cleanup process runs every day at midnight. The default cron expression is 0 0 0 * * ?.

xdm.execution.cleanup-cron=0 0 0 * * ?
Task executions waiting in the queue are lost after restarting the dataflow server.

Specify the polling interval

The Dataflow Server periodically checks whether a task is still running. The waiting time between these periods can be set using the following parameter:

xdm.core.execution.polling-interval=<seconds>

The parameter <seconds> specifies how many seconds the process waits between the checks. By default, this parameter is set to 5 seconds.

This parameter only needs to be adjusted in rare cases. By default, a value of 5 seconds is sufficient to check whether a task is still running or not. The parameter should be set to a lower value if a large number of fast running tasks are to be executed and the waiting time for the user should be reduced.

Pre-execution checking from workflows

Every time before an execution starts, a pre-execution check will be executed to determine whether the task is correctly configured or not. This check can be deactivated for tasks started from workflows with the following boolean parameter:

xdm.execution.workflow-pre-check=false

Accessible tables for Task Execution Report SQL statements

The SQL statement of a task execution report is executed against XDM’s internal database, which might be a potential security risk if all available tables are accessible. Therefore, the property xdm.core.execution-report-table-whitelist defines which tables may be accessed.

If the above property is not explicitly set, only the tables task_execution_table_statistics, task_execution_classification_term_data and classification_term can be accessed by default. If it is set to an empty value, it permits access to all internal tables for task execution reports. Otherwise, a comma separated list of table names will define the accessible tables. If a report SQL statement tries to access more than the allowed tables, the execution step Generate reports won’t generate a report, but instead it will write a warning message to the step log.

To override the property’s default value, it must be defined for the dataflow service. Edit the file docker-compose.yml. In the section services→dataflow-server→environment, add the respective information.

For example, if the user should only be able to access the tables task_execution_table_statistics, file and connection the property must have the following value:

xdm.core.execution-report-table-whitelist=task_execution_table_statistics,file,connection

Session Logging

XDM persists the logged-in sessions in its administration database. Therefore, it is possible to query information about users and this information also gets archived. The following property defines how long this information is kept. This value defaults to 30 days. When specifying another value, this value has to follow the syntax for a duration.

xdm.core.session.keepExpiredSessionsFor=P30D

Define the event execution log cleanup process interval

The executionLogRetentionPeriod setting defines a period of time that controls how long an event execution log should be kept after it is automatically deleted. This setting can be configured for specific events.

The cron expression controls the execution of the process that cleans up the expired event execution logs. It specifies what time the process that deletes old event execution logs. All event execution logs older than the specified executionLogRetentionPeriod will be deleted by this process.

By default, the cleanup process runs every day at midnight. The default cron expression is 0 0 0 * * ?.

xdm.event.cleanup-cron=0 0 0 * * ?

Memory settings

Configure memory for task executions

Each XDM task execution runs as a standalone program that is executed within the dataflow docker container. By default, each execution uses a quarter of the available memory from the docker container. For example, if the dataflow container can use up to 2 GB memory, each task execution will have 500 MB by default.

In some situations this setting is not sufficient, for example if a large RLP extract task needs more than a quarter of the available memory. This setting can be changed via the parameter 'ANT_OPTS' in the docker-compose.yml file using the following environment variable in the dataflow-server section:

    environment:
        # print used environment variables in task stage output
        - XDM_SHOW_PROCESS_DEBUG=true
        # setting absolute memory usage
        - ANT_OPTS=-Xmx800m
        [...]

In this example each task execution would have up to 800 MB memory.

Alternatively the memory allocation can be set relatively:

    environment:
        # setting relative memory usage
        - ANT_OPTS=-XX:MaxRAMPercentage=50
        [...]
Please keep in mind that the memory of the dataflow server is shared between the dataflow server and each task execution. If you assign too much memory for each task executions it might lead to out of memory errors if too many tasks are executed in parallel.

Logging

The XDM services write log information to the output of the respective docker containers. The detail of the log can be configured using environment parameters.

UI Logging

By default, the xdm-ui container writes information on server events into the docker log. User specific information is written into the browser console on the client. The client log can be configured to be visible on the docker log.

There are three parameters to configure the logging:

browser_log_level

This specifies the log level for the browser console for each individual client. The default is Info.

local_log_level

This specifies the log level for the browser storage for each individual client. The default is Info.

nginx_log_level

This specifies the log level for message written to the docker log from each client. The default is Off.

Possible log levels are:

Off No log messages are displayed

Fatal Messages are displayed for events blocking a workflow.

Error Messages are displayed that cause missing information, but the workflow may continue.

Warn Messages are displayed that indicate possible problems.

Info Messages are displayed informing about the usage of the UI.

Verbose Message are displayed helping to debug.

All All Messages are displayed.

Every level includes all levels listed above.

Example

An example configuration in a docker-compose configuration for the xdm-ui looks like this:

        environment:
            [...]
            - browser_log_level=Info
            - local_log_level=Info
            - nginx_log_level=Warn
When activating nginx_log_level the log is stored in the path /var/log/nginx. The files are automatically rotated. If you want to persist the logs, consider to mount the path /var/log/nginx to a persistent storage.

Inspecting the log

The log message can be viewed in the user interface. The browser console can be found in the development tools of the respective browser. The local log is visible inside the interface under Client Log in the User Settings. This shows all messages logged in the local instance of the UI. A collection of all messages connecting to the same web-ui service is visible under Client System Log in the System Settings.

Cross-service logging for task executions

XDM makes it possible to summarize logs of a task execution using the loki service and it is possible to trace calls and their execution time using the tempo service.

Both services are configured in the docker-compose.yaml file under the loki and tempo sections.

services:
  loki:
    image: docker.ubs-hainer.com/grafana/loki:3.1.0
    environment:
      - JAEGER_AGENT_HOST=tempo
      - JAEGER_ENDPOINT=http://tempo:14268/api/traces
      - JAEGER_SAMPLER_TYPE=const
      - JAEGER_SAMPLER_PARAM=1
JAEGER_AGENT_HOST

Tracing agent host name

JAEGER_ENDPOINT

Tracing HTTP endpoint for sending spans directly to a collector.

JAEGER_SAMPLER_TYPE

Instantiate the type of sampling for the tracer

JAEGER_SAMPLER_PARAM

The corresponding parameter of the JAEGER_SAMPLER_TYPE

services:
  tempo:
    image: docker.ubs-hainer.com/xdm3-tempo:latest
    volumes:
     - ./tempo-data:/tmp/data

After the two services have been set, the following properties must be set in the environment section of dataflow-server, graph-store, webservice-extract-source and webservice-apply-sink:

- xdm_loki_serverUri=http://loki:3100
- xdm_tempo_zipkin_serverUri=http://tempo:9411

If you use the grafana service, it is possible to display the information collected by the two services via the dashboard Logs, Traces, Metrics. To do this, the following properties must be specified in the environment section of the grafana service.

- TEMPO_URL=http://tempo:3200
- LOKI_URL=http://loki:3100

Docker Service Logging

For all services that are deployed with the XDM installation, the logs are available in the docker logs. For the following services, the log level can be changed as described below:

  • core-server

  • dataflow-server

  • file-sink

  • generator-source

  • graph-store

  • modification-processor

  • webservice-extract-source

  • webservice-apply-sink

The default log level of these services is INFO and can be changed by setting environment variables.

One possibility is to set the root log level, which affects all components of the service. This can be done with environment variable logging.level.root. The possible values for the variable are: TRACE, DEBUG, INFO, WARN, ERROR, FATAL, or OFF.

It is also possible to set the log level for individual components. For example, to set the log level of the authentication, you can set the environment variable logging.level.org.springframework.security in the core-server service. If you want to increase the log level of other specific components, you can contact UBS Hainer Support to get more information.

The way to set this variable depends on your installation method of XDM.

Docker Installation

Set the environment variable in the docker-compose.yml file like that:

environment:
  - logging.level.root=DEBUG

Kubernetes Installation

Set the environment variable in the values.yaml file like that:

environment:
    logging.level.root: DEBUG

Configuration as Code (CasC)

XDM can be configured to use a Git repository as source. The repository is used to populate the objects of the XDM installation. XDM continuously monitors the Git repository and automatically applies any changes on the Git files to the XDM installation. In this case XDM objects can not only be created via manual clicks in the UI, but also via the code in Git.

Git configurations are written in YAML files. These can be written manually or generated by an export via the UI. The structure of the file tree, within the Git repository, is up to the user. XDM will parse all YAML files recursively over all directories. The user can create a single YAML file for each object, or combine objects within one file. The dependencies between the YAML files will be resolved by XDM before the files are applied to the XDM installation.

CasC enables the operators of an XDM installation to automatically set up a defined set of objects. Manual synchronization of several XDM installations is not necessary. Test and production instances are kept in a consistent state through the Git configuration.

XDM will only track changes to YAML files. If other files are committed to Git, XDM will not process them. If scripts, e.g. for workflows, hooks, environments, etc. are stored in separate files and are not part of the YAML file, you need to make an additional change to the lastChangedDate field in the corresponding YAML file. Otherwise, XDM will not take this change into account.

Configuration

To enable to Configuration as Code the following settings must be specified in the docker-compose.yml file. The settings must be specified in the environment section of the core-server:

xdm.core.environment-id

Defines an id or a name of the XDM environment. This id is used to identify environment-specific properties or cascignore files.

xdm.casc.url

:noindex: Specifies the URL of the Git repository. This repository must be accessible via HTTP or HTTPS.

xdm.casc.user

:noindex: The user ID used to clone the Git repository. This setting is not required, if the git clone command does not require authentication.

xdm.casc.password

:noindex: The password of the Git user. This setting is not required, if no user is required, or the user does not require a password for authentication.

xdm.casc.cron

:noindex: A cron expression controls the interval at which the Git repository should be checked for changes. More details of the cron syntax can be found under Scheduling.

xdm.casc.owner

:noindex: Specifies an XDM user that will be the owner of all created objects in the XDM installation. These include all objects that are created by the Configuration as Code process. The specified username must exist in the used authentication provider. For example, if the XDM installation uses LDAP as authentication provider, the user must exist in the LDAP system.

This feature cannot be used with an Open ID based authentication provider like KeyCloak. These systems do not allow retrieval of the group membership for a specific user. The roles are required to check whether the respective user is allowed to create or overwrite objects in the XDM installation.

The specified user needs permissions for list and for creating all types of objects.

For more information how to create a list access permission, see the section list access permissions.

If the created objects should be shared with other users, appropriate permission must be granted to the set of users or role. The permission(s) can be specified in the YAML file of the respective object.
xdm.casc.path

:noindex: Specifies the directory path in the Git repository that should be monitored. This setting is optional. If the setting is not specified, XDM will monitor and apply all changes made in the Git repository. If a path is specified, XDM will only monitor and apply changes made in the specified directory.

xdm.casc.branch

:noindex: Specifies the branch that should be monitored. XDM will only apply changes that are committed to that specific branch. By default, this is set to master.

xdm.casc.directory

:noindex: The local directory, in which XDM will clone the Git repository, and continuously monitor it. By default, the directory /xdm/data/casc is used. The /xdm/data directory should be mounted to an external directory, or persistent volume. Otherwise, a full clone of the Git repository is performed each time the core-server is restarted.

The configuration will start a scheduled job inside the XDM server. The job will check for new commits every time it is executed. All objects contained in changed files will be imported. The output of the import operation will be listed in the user interface under System Settings / System Configuration / Scheduled Jobs in the Configuration as Code entry.

All configuration objects in the configuration as code repository must reference objects that are itself part of the configuration as code repository. It is not possible to reference objects, that are part of the XDM instance, but not listed inside the configuration as code repository.

If the import process fails, the errors will be listed in the output of the scheduled job Configuration as Code. The scheduled job will be paused automatically and will not run until the scheduled job is resumed. If the issue is due to a broken object definition in the repository, an additional commit may be pushed to the repository to fix the problem. When the scheduled job is resumed all configuration changes of both commits will be processed.

Properties

Properties are defined in files which have to be located in the root directory. Global properties need to be defined in a file named casc.properties. Environment-dependent properties can be put in a separate file which must be named like casc-<ENVIRONMENT_ID>.properties. The later ones will possibly overwrite global properties.

Property definition

Property files have to contain the properties with one property per line and each property will be written as a key=value entry.

Using properties

YML files can use the properties by writing #{param:PROPERTY_NAME}. During the import of the YML files contained in the CasC repository, all occurrences of a property will be replaced by the concrete value of the property.

When using environment-dependent properties, please ensure that all properties are available for all environments. Either by defining all used properties in all environment-dependent property files or by the definition of default values in the global properties file. Another option is to only import these YAML-files on environments where the used property is defined. Exclusion of files is explained in the chapter Filtering of YML files.

Filtering of YML files

When using the repository for different environments, it’s possible that not every XDM-object is needed in every environment.

For instance, environments can be differentiated by databases they use. Therefore, in an environment that only uses Postgres database connections other connection types should not be imported.

This can be achieved by using cascignore-<ENVIRONMENT_ID>-files, inspired by the .gitignore-file mechanism. It is also possible to define global cascignore-files, which will be used on every import. For details how to define the files to ignore, see the Git documentation on gitignore. Typically, absolute paths are defined in the cascignore-file. Such an entry must be prefixed with

<xdm.casc.directory>/<xdm.casc.path>/<Path to file>

Files matching a pattern in a cascignore-file or cascignore-<ENVIRONMENT_ID>-file will not be imported.

Example

Suppose you have the following structure of your Git repository:

Root
|_ Projects
  |_ Git
    |_ Documentation
    |_ Scripts
    |_ XDM
      |_ CasC
        |_ Connection
          |_ Postgres
            |_ Admin DB.yaml
        |_ Credential
          |_ Admin Credential.yaml
        |_ File
          |_ AFile.yaml

The contents of /Projects/Git/ is managed by Git. Then a valid configuration for CasC could be:

xdm.casc.directory=/Projects/Git
xdm.casc.path=/XDM/CasC

With this configuration XDM monitors the directory /Projects/Git/XDM/CasC/ and its sub-directories for changes. In this example you want to exclude the import of the file AFile.yaml for all environments (globally). Then you have to create a file /Projects/Git/XDM/CasC/cascignore with the following contents:

/Projects/Git/XDM/CasC/File/AFile.yaml

Central search configuration

XDM’s central search is particularly suitable for navigating quickly between objects. You are not limited to the name of the XDM objects. The central search also allows you to search for the description or certain properties of objects. The content provided in the source code of task stage hooks or workflow templates can also be used in the search.

To configure the central search, the following properties must first be added to the docker-compose.yml in the environment of the core.

xdm.core.global.search.enabled

Activates the central search in XDM.

xdm.core.global.search.port

Specifies the port of the server running XDM’s central search.

xdm.core.global.search.hostname

Specifies the host name of the server running XDM’s central search. When using docker, this is the name of the service running the elasticsearch.

xdm.core.global.search.password

Specifies the password for the built-in elastic search user.

XDM’s central search is realized with Elasticsearch. To make this possible, an additional service, which provides an Elasticsearch docker container, must be included in the docker-compose.yml. This service then indexes the XDM objects to provide the actual search function.

The service should be configured as below:

elasticsearch:
    image: docker.ubs-hainer.com/elasticsearch:7.17.21
    ports:
      - "9200:9200"
    volumes:
      - elasticsearch-volume:/usr/share/elasticsearch/data:rw
    environment:
      - discovery.type=single-node
      - cluster.name=elasticsearch
      - node.name=es1
      - xpack.security.enabled=true
      - ELASTIC_PASSWORD=<The password for the built-in user>

Additionally, it is necessary to add the volume elasticsearch-volume under section volumes to the docker-compose.yml.

Grafana configuration

Grafana is a cross-platform open source application for graphical representation of data from various data sources such as PostgreSQL or Prometheus.

The Grafana service uses tables of XDM’s admin database as a data source.

This data source is configured in the docker-compose.yml file, under the section grafana.

services:
  grafana:
    image: docker.ubs-hainer.com/xdm3-grafana:latest
POSTGRES_URL

Specifies the host name, and port of the server running XDM’s administration database. When using docker, this is the name of the service running the admin database.

POSTGRES_DATABASE

Specifies the name of the administration database.

POSTGRES_USER

Specifies a username for database access.

POSTGRES_PASSWORD

Specifies the password for the user.

PROMETHEUS_URL

Specifies the url for the prometheus service.

GF_SERVER_ROOT_URL

Specifies the complete Grafana URL but is only needed when XDM is served from a context path!

Grafana requires a user to read the administration database. For security reasons, this user should have read-only access to the database.

The following example shows the relevant part of the default docker-compose.yml file. Here, XDM can be accessed under the context path xdm, so the Grafana configuration also has to include this context path. Without using a context path, the URL would become http://report-dashboard:3000/reports/.

environment:
   - POSTGRES_URL=xdm-db:5432
   - POSTGRES_DATABASE=xdm
   - POSTGRES_USER=xdmro
   - POSTGRES_PASSWORD=xdmR0password
   - PROMETHEUS_URL=http://prometheus:9090
   - GF_SERVER_ROOT_URL=%(protocol)s://%(domain)s:%(http_port)s/xdm/reports/
The built-in data source for Grafana can only be used with a PostgreSQL database. Other administration databases need a special setup.

Specify postgres data source jsonData

Optionally, it is possible to configure the values for jsonData yourself for the built-in data source of the administration database. By default, the sslmode is set to disabled and the postgresVersion to version 12. More details how to configure a PostgresQL data source can be found here.

To configure your own jsonData values, the following must be added to the environment section of Grafana

environment:
   - POSTGRES_JSON_DATA="{\"sslmode\":\"disable\",\"postgresVersion\":1200}"

Core configuration for using Grafana

Since XDM provides a link for reaching Grafana and both services share the user management, XDM needs to know how to reach Grafana. Therefore, the following settings are needed in the environment section of the core-server.

xdm.core.grafana.serverUri

Defines the URL of the Grafana service. This URL has to include the context path and always ends with reports/.

The following example shows the relevant part of the default docker-compose.yml file. Here, XDM can be accessed under the context path xdm, so the Grafana configuration also has to include this context path. Without using a context path, the URL would become http://report-dashboard:3000/reports/.

environment:
   - xdm.core.grafana.serverUri=http://report-dashboard:3000/xdm/reports/

Web UI configuration for using Grafana

There will be a link from the user interface to the Grafana dashboard. Therefore, the following settings are needed in the environment section of the web-ui.

xdm_grafana_serverUri

Defines the URL of the Grafana service including the port.

The following example shows the relevant part of the default docker-compose.yml file.

environment:
   - xdm_grafana_serverUri=http://report-dashboard:3000

Customizing Grafana

In XDM Grafana is running as a docker container, so it is not possible to customize Grafana via the grafana.ini file like described in the documentation, because the grafana.ini file is packed in the docker image and can not directly be customized. But each of the properties from the grafana.ini file can be set a environment variable in the docker-compose.yaml file or the helm charts of the Kubernetes installation.

This works like the following schema shows:

GF_<SECTION>_<KEY>
GF_ – Always at the beginning.
<SECTION> – The name of the section in square brackets from grafana.ini (e.g., [smtp], [auth.google], [server]).
<KEY> – The specific setting key within that section (e.g., host, user, root_url).

Details:

  • Everything is written in UPPERCASE letters.

  • Any dots (.) or dashes (-) are replaced by underscores (_).

  • For compound keys like root_url, just convert to uppercase: ROOT_URL

Example how to customize an SMTP server in Grafana

This example in Grafana’s documentation shows how to customize an alert notification via email: Configure email for alert notifications

The following example shows how the SMTP server can be customized via the environment variables:

environment:
   - GF_SMTP_ENABLED=true
   - GF_SMTP_HOST=smtp.example.com:587
   - GF_SMTP_USER=youruser@example.com
   - GF_SMTP_PASSWORD=your_password
   - GF_SMTP_SKIP_VERIFY=false         # may be true for self signed certificates
   - GF_SMTP_FROM_ADDRESS=grafana@example.com
   - GF_SMTP_FROM_NAME=Grafana
   # Optional (required at some STMP servers):
   - GF_SMTP_EHLO_IDENTITY=grafana.example.com

Prometheus configuration

Prometheus is a data/metric collector service. It stores metric values over time that can later be visualized by the reporting service of XDM3. Prometheus collects metrics from the java virtual machine (JVM) and from the Spring services that is running the XDM3 core and dataflow server.

The service has to be configured in the docker-compose.yml file.

If you are using HTTPS for internal communication, change the CORE_URL and DATAFLOW_URL to https. 
services:
    prometheus:
        image: docker.ubs-hainer.com/xdm3-prometheus:latest
    environment:
        - CORE_URL=http://core-server:8000
        - DATAFLOW_URL=http://dataflow-server:9393
CORE_URL

Specifies the url for the core server.

DATAFLOW_URL

Specifies the url for the dataflow server.

Loki configuration

Loki is a log aggregation system developed by Grafana Labs, designed to work seamlessly alongside Prometheus. Unlike traditional log systems, Loki indexes only metadata (labels), not the full log content. Logs are grouped into streams based on these labels.

Configuring a retention period for Loki

Loki allows users to configure a retention period which tells Loki to delete old logs after their age reaches beyond the specified value. This value can be set within the docker-compose file in the 'loki' service.

This feature is disabled by default. To enable it, simply add the environment variable and set its value to true:

services:
  loki:
    image: docker.ubs-hainer.com/xdm3-loki:latest
    environment:
        - RETENTION_ENABLED=true
If the RETENTION_ENABLED variable is set to true, then the LOKI_RETENTION_PERIOD variable is used with its default (1 week) or overwritten value.

If you encounter permission problems while setting up the retention period, you can try the following command within the loki-data folder:

sudo chown -R 10001:10001 .

(make sure to include the . )
This command ensures that the contents of the volume of the loki service can be accessed by changing the user of that volume to the standard loki user (10001).

Other environment variables in the loki service can be configured to set different options for the retention period:

# the age at when the logs should be deleted
# default: 1w (1 week)
- LOKI_RETENTION_PERIOD=1w
The value of the LOKI_RETENTION_PERIOD should have at least the same time span as the execution token. This token specifies how long a session of an execution will be active. The loki logs should at least be kept for as long as the executions can be run. 
# how often compaction/retention is applied
# default: 10m (10 minutes)
- COMPACTION_INTERVAL=10m

# the delay after which marked chunks will be deleted
# default: 5m (5 minutes)
- RETENTION_DELETE_DELAY=5m
When changing the retention period, make sure to use a value that is equal to or higher than '24h'. Loki is not able to automatically delete logs newer than 24 hours.

Configuring additional options for Loki

If you wish to include additional configurations for loki, you can add these variables as well:

# how many tail requests can be sent to loki simultaniously
# default: 20
- LOKI_MAX_CONCURRENT_TAIL_REQUESTS=20

# the maximum size for receiving messages
# default: 8388608 (8MiB)
- LOKI_MAX_RECV_MSG_SIZE=8388608

# the maximum size for sending messages
# default: 8388608 (8MiB)
- LOKI_MAX_SEND_MSG_SIZE=8388608

These variables are optional, meaning if you leave them out, their default value will be used instead.

Markup configuration

Overview

To improve system security and prevent the injection and execution of potentially harmful code, the platform now restricts the use of markup or HTML code in announcement texts, data shop descriptions, and the information page by default. This behavior is governed by a system property that allows administrators to enable or disable markup support as needed.

Default Behavior

By default, the system treats any markup or HTML code as plain text. This means that any HTML tags or markdown-like syntax entered in announcement or description fields will not be rendered or interpreted, but instead shown as-is.

This approach helps prevent:

  • Cross-site scripting (XSS) vulnerabilities

  • Misuse of HTML for layout manipulation

  • Injection of malicious scripts

Enabling Markup Support

To explicitly allow markup or HTML rendering, administrators can set the following system property:

web-ui:
  environment:
    - allowMarkdownDescription=true

This feature is disabled by default. To enable it, simply add the environment variable (unless this parameter is already listed) and set its value to true.

Once this property is set to true, the system will permit and render HTML/markup content in:

  • Announcements

  • Data shop descriptions

  • XDM Information pages

Enabling this feature reintroduces the use of a rendering library that interpret HTML/markup. This can increase the risk of code injection if user input is not properly validated.

Security Considerations

When allowMarkdownDescriptions is disabled, the vulnerable rendering library is not used, providing a higher level of protection.

When enabled, ensure only trusted users have the ability to create or edit content containing markup/HTML.

Always sanitize user input when markup is allowed.

Use Cases

Disabled (default): Secure environments where user input should be strictly treated as text.

Enabled: Internal systems or trusted environments where enriched formatting is needed (e.g., links, bold text, lists).

Recommendations

Keep allowMarkdownDescriptions set to false unless HTML/markup rendering is explicitly required.

Document internal policies for using markup if enabling this feature and educate content editors about potential security risks associated with HTML content.
Restrict the group of users who can create content — especially announcements — to the absolute minimum necessary.