Skip to main content

mz_adapter_types/
dyncfgs.rs

1// Copyright Materialize, Inc. and contributors. All rights reserved.
2//
3// Use of this software is governed by the Business Source License
4// included in the LICENSE file.
5//
6// As of the Change Date specified in that file, in accordance with
7// the Business Source License, use of this software will be governed
8// by the Apache License, Version 2.0.
9
10//! Dyncfgs used by the adapter layer.
11
12use std::time::Duration;
13
14use mz_dyncfg::{Config, ConfigSet};
15
16pub const ALLOW_USER_SESSIONS: Config<bool> = Config::new(
17    "allow_user_sessions",
18    true,
19    "Whether to allow user roles to create new sessions. When false, only system roles will be permitted to create new sessions.",
20);
21
22// Slightly awkward with the WITH prefix, but we can't start with a 0..
23pub const WITH_0DT_DEPLOYMENT_MAX_WAIT: Config<Duration> = Config::new(
24    "with_0dt_deployment_max_wait",
25    // One year, which in practice makes it so we never cut over when not
26    // hydrated. To prevent cutting over unilaterally when there is an issue.
27    Duration::from_hours(365 * 24),
28    "How long to wait at most for clusters to be hydrated, when doing a zero-downtime deployment.",
29);
30
31pub const WITH_0DT_DEPLOYMENT_DDL_CHECK_INTERVAL: Config<Duration> = Config::new(
32    "with_0dt_deployment_ddl_check_interval",
33    Duration::from_secs(5 * 60),
34    "How often to check for DDL changes during zero-downtime deployment.",
35);
36
37pub const ENABLE_0DT_DEPLOYMENT_PANIC_AFTER_TIMEOUT: Config<bool> = Config::new(
38    "enable_0dt_deployment_panic_after_timeout",
39    false,
40    "Whether to panic if the maximum wait time is reached but preflight checks have not succeeded.",
41);
42
43pub const WITH_0DT_DEPLOYMENT_CAUGHT_UP_CHECK_INTERVAL: Config<Duration> = Config::new(
44    // The feature flag name is historical.
45    "0dt_deployment_hydration_check_interval",
46    Duration::from_secs(10),
47    "Interval at which to check whether clusters are caught up, when doing zero-downtime deployment.",
48);
49
50pub const WITH_0DT_CAUGHT_UP_CHECK_ALLOWED_LAG: Config<Duration> = Config::new(
51    "with_0dt_caught_up_check_allowed_lag",
52    Duration::from_secs(60),
53    "Maximum allowed lag when determining whether collections are caught up for 0dt deployments.",
54);
55
56pub const WITH_0DT_CAUGHT_UP_CHECK_CUTOFF: Config<Duration> = Config::new(
57    "with_0dt_caught_up_check_cutoff",
58    Duration::from_secs(2 * 60 * 60), // 2 hours
59    "Collections whose write frontier is behind 'now' by more than the cutoff are ignored when doing caught-up checks for 0dt deployments.",
60);
61
62pub const ENABLE_0DT_CAUGHT_UP_REPLICA_STATUS_CHECK: Config<bool> = Config::new(
63    "enable_0dt_caught_up_replica_status_check",
64    true,
65    "Enable checking for crash/OOM-looping replicas during 0dt caught-up checks. Emergency break-glass flag to disable this feature if needed.",
66);
67
68// TODO(aljoscha): Remove this break-glass flag after a couple of releases, once
69// the sustained-health gate has proven itself in production. It only exists as a
70// fleet-wide automatic revert to the prior "caught-up implies ready" behavior.
71pub const ENABLE_0DT_CAUGHT_UP_STABILITY_CHECK: Config<bool> = Config::new(
72    "enable_0dt_caught_up_stability_check",
73    true,
74    "Require clusters to stay caught-up and healthy for a stability period before being considered ready during 0dt deployments. Emergency break-glass flag: disabling reverts to treating a caught-up cluster as ready with no replica-health requirement, which differs from setting the stability period to zero (a zero period still requires all replicas to be healthy).",
75);
76
77pub const WITH_0DT_CAUGHT_UP_CHECK_STABILITY_PERIOD: Config<Duration> = Config::new(
78    "with_0dt_caught_up_check_stability_period",
79    Duration::from_secs(10 * 60), // 10 minutes
80    "How long a cluster must continuously be caught-up and have all replicas healthy before it is considered ready to cut over during a 0dt deployment.",
81);
82
83/// Enable logging of statement lifecycle events in mz_internal.mz_statement_lifecycle_history.
84pub const ENABLE_STATEMENT_LIFECYCLE_LOGGING: Config<bool> = Config::new(
85    "enable_statement_lifecycle_logging",
86    true,
87    "Enable logging of statement lifecycle events in mz_internal.mz_statement_lifecycle_history.",
88);
89
90/// Enable installation of introspection subscribes.
91pub const ENABLE_INTROSPECTION_SUBSCRIBES: Config<bool> = Config::new(
92    "enable_introspection_subscribes",
93    true,
94    "Enable installation of introspection subscribes.",
95);
96
97/// Enable sending subscribes down the new frontend-peek path.
98pub const ENABLE_FRONTEND_SUBSCRIBES: Config<bool> = Config::new(
99    "enable_frontend_subscribes",
100    true,
101    "Enable sending subscribes down the new frontend-peek path.",
102);
103
104/// The plan insights notice will not investigate fast path clusters if plan optimization took longer than this.
105pub const PLAN_INSIGHTS_NOTICE_FAST_PATH_CLUSTERS_OPTIMIZE_DURATION: Config<Duration> = Config::new(
106    "plan_insights_notice_fast_path_clusters_optimize_duration",
107    // Looking at production values of the mz_optimizer_e2e_optimization_time_seconds metric, most
108    // optimizations run faster than 10ms, so this should still work well for most queries. We want
109    // to avoid the case where an optimization took just under this value and there are lots of
110    // clusters, so the extra delay to produce the plan insights notice will take the optimization
111    // time * the number of clusters longer.
112    Duration::from_millis(10),
113    "Enable plan insights fast path clusters calculation if the optimize step took less than this duration.",
114);
115
116/// Whether to use an expression cache on boot.
117pub const ENABLE_EXPRESSION_CACHE: Config<bool> = Config::new(
118    "enable_expression_cache",
119    true,
120    "Use a cache to store optimized expressions to help speed up start times.",
121);
122
123/// Whether to enable password authentication.
124pub const ENABLE_PASSWORD_AUTH: Config<bool> = Config::new(
125    "enable_password_auth",
126    false,
127    "Enable password authentication.",
128);
129
130/// OIDC issuer URL.
131pub const OIDC_ISSUER: Config<Option<&'static str>> =
132    Config::new("oidc_issuer", None, "OIDC issuer URL.");
133
134/// OIDC audience (client IDs). When empty, audience validation is skipped.
135/// Validates that the JWT's `aud` claim contains at least one of these values.
136/// It is insecure to skip validation because it is the only
137/// mechanism preventing attackers from authenticating using a JWT
138/// issued by a dummy application, but from the same identity provider.
139pub const OIDC_AUDIENCE: Config<fn() -> serde_json::Value> = Config::new(
140    "oidc_audience",
141    || serde_json::json!([]),
142    "OIDC audience (client IDs). A JSON array of strings. When empty, audience validation is skipped.",
143);
144
145/// OIDC authentication claim to use as username
146pub const OIDC_AUTHENTICATION_CLAIM: Config<&'static str> = Config::new(
147    "oidc_authentication_claim",
148    "sub",
149    "OIDC authentication claim to use as username.",
150);
151
152/// Whether OIDC group-to-role sync is enabled.
153/// When true, JWT group claims are used to sync role memberships on login.
154pub const OIDC_GROUP_ROLE_SYNC_ENABLED: Config<bool> = Config::new(
155    "oidc_group_role_sync_enabled",
156    false,
157    "Enable OIDC JWT group-to-role membership sync on login.",
158);
159
160/// The JWT claim path that contains group memberships. May be a bare claim
161/// name (e.g. `groups`) or a dot-separated path into nested objects (e.g.
162/// `customClaims.groups`).
163pub const OIDC_GROUP_CLAIM: Config<&'static str> = Config::new(
164    "oidc_group_claim",
165    "groups",
166    "JWT claim path containing group memberships for role sync. Supports dot-separated paths into nested objects (e.g. customClaims.groups).",
167);
168
169/// Whether to reject login when group sync fails (strict/fail-closed mode).
170/// When false (default), sync failures are logged but login proceeds (fail-open).
171pub const OIDC_GROUP_ROLE_SYNC_STRICT: Config<bool> = Config::new(
172    "oidc_group_role_sync_strict",
173    false,
174    "When true, reject login if OIDC group-to-role sync fails (fail-closed).",
175);
176
177pub const PERSIST_FAST_PATH_ORDER: Config<bool> = Config::new(
178    "persist_fast_path_order",
179    false,
180    "If set, send queries with a compatible literal constraint or ordering clause down the Persist fast path.",
181);
182
183/// Whether to enforce that S3 Tables connections are in the same region as the Materialize
184/// environment.
185pub const ENABLE_S3_TABLES_REGION_CHECK: Config<bool> = Config::new(
186    "enable_s3_tables_region_check",
187    false,
188    "Whether to enforce that S3 Tables connections are in the same region as the environment.",
189);
190
191/// Whether the MCP agent endpoint is enabled.
192pub const ENABLE_MCP_AGENT: Config<bool> = Config::new(
193    "enable_mcp_agent",
194    true,
195    "Whether the MCP agent HTTP endpoint is enabled. When false, requests to /api/mcp/agent return 503 Service Unavailable.",
196);
197
198/// Whether the MCP agent query tool is enabled.
199/// When false, the `query` tool is hidden from tools/list and calls to it return an error.
200/// Agents can still use `get_data_products` and `get_data_product_details`.
201pub const ENABLE_MCP_AGENT_QUERY_TOOL: Config<bool> = Config::new(
202    "enable_mcp_agent_query_tool",
203    true,
204    "Whether the MCP agent query tool is enabled. When false, the query tool is not advertised and calls to it are rejected. Agents can still discover and inspect data products.",
205);
206
207/// Whether the MCP agent read_data_product tool is enabled.
208/// When false, the `read_data_product` tool is hidden from tools/list and calls to it return an error.
209/// The `query` tool is the general-purpose alternative for reading data products.
210pub const ENABLE_MCP_AGENT_READ_DATA_PRODUCT_TOOL: Config<bool> = Config::new(
211    "enable_mcp_agent_read_data_product_tool",
212    true,
213    "Whether the MCP agent read_data_product tool is enabled. When false, the read_data_product tool is not advertised and calls to it are rejected. Agents can use the query tool to read data products.",
214);
215
216/// Whether the MCP developer endpoint is enabled.
217pub const ENABLE_MCP_DEVELOPER: Config<bool> = Config::new(
218    "enable_mcp_developer",
219    true,
220    "Whether the MCP developer HTTP endpoint is enabled. When false, requests to /api/mcp/developer return 503 Service Unavailable.",
221);
222
223/// Whether the MCP developer query tool is enabled.
224/// When false, the `query` tool is hidden from tools/list and calls to it return an error.
225/// Developers can still use `query_system_catalog`.
226pub const ENABLE_MCP_DEVELOPER_QUERY_TOOL: Config<bool> = Config::new(
227    "enable_mcp_developer_query_tool",
228    true,
229    "Whether the MCP developer query tool is enabled. When false, the query tool is not advertised and calls to it are rejected. Developers can still use query_system_catalog.",
230);
231
232/// Whether the external metrics endpoint on environmentd is enabled.
233pub const ENABLE_PUBLIC_METRICS_ENDPOINT: Config<bool> = Config::new(
234    "enable_public_metrics_endpoint",
235    true,
236    "Whether the external metrics endpoint on environmentd is enabled. When false, requests return 503.",
237);
238
239/// Maximum size (in bytes) of MCP tool response content after JSON serialization.
240/// Responses exceeding this limit are rejected with a clear error telling the
241/// agent to narrow its query. Keeps responses within LLM context window limits.
242pub const MCP_MAX_RESPONSE_SIZE: Config<usize> = Config::new(
243    "mcp_max_response_size",
244    1_000_000,
245    "Maximum size in bytes of MCP tool response content. Responses exceeding this limit are rejected with an error telling the agent to narrow its query.",
246);
247
248/// Maximum time an MCP request may run before it is aborted and a timeout
249/// error is returned to the client.
250pub const MCP_REQUEST_TIMEOUT: Config<Duration> = Config::new(
251    "mcp_request_timeout",
252    Duration::from_secs(60),
253    "Maximum time an MCP request may run before it is aborted with a timeout error.",
254);
255
256/// Maximum size (in bytes) of a webhook request body, measured after
257/// decompression. Requests whose body exceeds this limit are rejected with
258/// HTTP 413. Applies only to the webhook route; other HTTP routes use a
259/// separate static limit.
260pub const WEBHOOK_MAX_REQUEST_SIZE_BYTES: Config<usize> = Config::new(
261    "webhook_max_request_size_bytes",
262    // Matches `MAX_REQUEST_SIZE`, the static limit the other environmentd HTTP routes use.
263    5 * 1024 * 1024,
264    "The maximum size in bytes of a webhook request body, measured after decompression.",
265);
266
267/// Number of user IDs to pre-allocate in a batch. Pre-allocating IDs avoids
268/// a persist write + oracle call per DDL statement.
269pub const USER_ID_POOL_BATCH_SIZE: Config<u32> = Config::new(
270    "user_id_pool_batch_size",
271    512,
272    "Number of user IDs to pre-allocate in a batch for DDL operations.",
273);
274
275/// OIDC client ID for the web console.
276pub const CONSOLE_OIDC_CLIENT_ID: Config<&'static str> = Config::new(
277    "console_oidc_client_id",
278    "",
279    "OIDC client ID for the web console.",
280);
281
282/// Space-separated OIDC scopes requested by the web console.
283pub const CONSOLE_OIDC_SCOPES: Config<&'static str> = Config::new(
284    "console_oidc_scopes",
285    "",
286    "Space-separated OIDC scopes requested by the web console.",
287);
288
289/// Interval at which to collect per-object arrangement size snapshots for the history table.
290pub const ARRANGEMENT_SIZE_HISTORY_COLLECTION_INTERVAL: Config<Duration> = Config::new(
291    "arrangement_size_history_collection_interval",
292    // Disabled by default until https://github.com/MaterializeInc/materialize/pull/37455 lands.
293    Duration::ZERO,
294    "Interval at which to collect and snapshot per-object arrangement sizes \
295     into mz_internal.mz_object_arrangement_size_history.",
296);
297
298/// How long to retain per-object arrangement size history.
299pub const ARRANGEMENT_SIZE_HISTORY_RETENTION_PERIOD: Config<Duration> = Config::new(
300    "arrangement_size_history_retention_period",
301    Duration::from_hours(7 * 24),
302    "How long to retain rows in mz_internal.mz_object_arrangement_size_history.",
303);
304
305/// How frequently the catalog `*_info` metrics (`mz_object_info`,
306/// `mz_cluster_info`, …) are reconciled with the catalog. A zero duration
307/// disables reconciliation.
308pub const CATALOG_INFO_METRICS_RECONCILE_INTERVAL: Config<Duration> = Config::new(
309    "catalog_info_metrics_reconcile_interval",
310    Duration::from_secs(30),
311    "How frequently to reconcile the catalog `*_info` metrics with the catalog. A zero duration disables reconciliation.",
312);
313
314/// Server-side `statement_timeout` to set on Postgres/CRDB connections used by
315/// the Postgres/CRDB timestamp oracle. A zero value leaves the statement
316/// timeout unset.
317pub const PG_TIMESTAMP_ORACLE_STATEMENT_TIMEOUT: Config<Duration> = Config::new(
318    "pg_timestamp_oracle_statement_timeout",
319    crate::timestamp_oracle::DEFAULT_PG_TIMESTAMP_ORACLE_STATEMENT_TIMEOUT,
320    "The server-side statement timeout to set on Postgres/CRDB connections used by the \
321    Postgres/CRDB timestamp oracle. A value of zero leaves the statement timeout unset.",
322);
323
324/// Whether per-cluster and per-replica scoped system parameters are evaluated.
325/// Off by default: the parameter sync loop evaluates no cluster/replica
326/// contexts and resolution falls back to the environment-wide value everywhere
327/// (the pre-scoped behavior). Enabling it (e.g. from LaunchDarkly) turns on
328/// scoped evaluation without a deploy.
329pub const ENABLE_SCOPED_SYSTEM_PARAMETERS: Config<bool> = Config::new(
330    "enable_scoped_system_parameters",
331    false,
332    "Whether per-cluster and per-replica scoped system parameters are evaluated and applied.",
333);
334
335/// Top-level gate for the cluster controller. When on, the controller owns the
336/// managed-cluster replica set and the legacy paths (the graceful 3-stage
337/// machine and `cluster_scheduling.rs`) are bypassed. The replica set cannot
338/// have two writers, so this is a clean switch, not a per-strategy toggle.
339pub const ENABLE_CLUSTER_CONTROLLER: Config<bool> = Config::new(
340    "enable_cluster_controller",
341    false,
342    "Whether the cluster controller owns the managed-cluster replica set. When false, the legacy scheduling and graceful-reconfiguration paths run instead.",
343);
344
345/// Cadence of the cluster controller's reconcile tick.
346///
347/// Replaces `cluster_check_scheduling_policies_interval` once the controller is
348/// the sole owner; while the controller is dark both intervals exist.
349pub const CLUSTER_CONTROLLER_TICK_INTERVAL: Config<Duration> = Config::new(
350    "cluster_controller_tick_interval",
351    Duration::from_secs(5),
352    "How often the cluster controller runs a reconcile tick.",
353);
354
355/// Whether a config-shape `ALTER CLUSTER` returns immediately, with the
356/// controller converging in the background, or blocks the session on a
357/// wait-shim until the reconfiguration completes or its deadline passes.
358///
359/// Only consulted while [`ENABLE_CLUSTER_CONTROLLER`] is on, when the
360/// controller owns the reconfiguration.
361pub const ENABLE_BACKGROUND_ALTER_CLUSTER: Config<bool> = Config::new(
362    "enable_background_alter_cluster",
363    false,
364    "Whether a config-shape ALTER CLUSTER returns immediately (true) or the session blocks on a wait-shim over the durable reconfiguration record (false).",
365);
366
367/// The reconfiguration deadline written when a config-shape `ALTER CLUSTER`
368/// omits `WITH (WAIT ...)`. What happens when the deadline passes un-hydrated is
369/// the record's `on_timeout` action.
370pub const DEFAULT_CLUSTER_RECONFIGURATION_TIMEOUT: Config<Duration> = Config::new(
371    "default_cluster_reconfiguration_timeout",
372    Duration::from_secs(60 * 60 * 24),
373    "The reconfiguration deadline written when a config-shape ALTER CLUSTER omits WITH (WAIT ...).",
374);
375
376/// Adds the full set of all adapter `Config`s.
377pub fn all_dyncfgs(configs: ConfigSet) -> ConfigSet {
378    configs
379        .add(&ALLOW_USER_SESSIONS)
380        .add(&ENABLE_CLUSTER_CONTROLLER)
381        .add(&CLUSTER_CONTROLLER_TICK_INTERVAL)
382        .add(&ENABLE_BACKGROUND_ALTER_CLUSTER)
383        .add(&DEFAULT_CLUSTER_RECONFIGURATION_TIMEOUT)
384        .add(&WITH_0DT_DEPLOYMENT_MAX_WAIT)
385        .add(&WITH_0DT_DEPLOYMENT_DDL_CHECK_INTERVAL)
386        .add(&ENABLE_0DT_DEPLOYMENT_PANIC_AFTER_TIMEOUT)
387        .add(&WITH_0DT_DEPLOYMENT_CAUGHT_UP_CHECK_INTERVAL)
388        .add(&WITH_0DT_CAUGHT_UP_CHECK_ALLOWED_LAG)
389        .add(&WITH_0DT_CAUGHT_UP_CHECK_CUTOFF)
390        .add(&ENABLE_0DT_CAUGHT_UP_REPLICA_STATUS_CHECK)
391        .add(&ENABLE_0DT_CAUGHT_UP_STABILITY_CHECK)
392        .add(&WITH_0DT_CAUGHT_UP_CHECK_STABILITY_PERIOD)
393        .add(&ENABLE_STATEMENT_LIFECYCLE_LOGGING)
394        .add(&ENABLE_INTROSPECTION_SUBSCRIBES)
395        .add(&ENABLE_FRONTEND_SUBSCRIBES)
396        .add(&PLAN_INSIGHTS_NOTICE_FAST_PATH_CLUSTERS_OPTIMIZE_DURATION)
397        .add(&ENABLE_EXPRESSION_CACHE)
398        .add(&ENABLE_PASSWORD_AUTH)
399        .add(&OIDC_ISSUER)
400        .add(&OIDC_AUDIENCE)
401        .add(&OIDC_AUTHENTICATION_CLAIM)
402        .add(&OIDC_GROUP_ROLE_SYNC_ENABLED)
403        .add(&OIDC_GROUP_CLAIM)
404        .add(&OIDC_GROUP_ROLE_SYNC_STRICT)
405        .add(&PERSIST_FAST_PATH_ORDER)
406        .add(&ENABLE_S3_TABLES_REGION_CHECK)
407        .add(&ENABLE_MCP_AGENT)
408        .add(&ENABLE_MCP_AGENT_QUERY_TOOL)
409        .add(&ENABLE_MCP_AGENT_READ_DATA_PRODUCT_TOOL)
410        .add(&ENABLE_MCP_DEVELOPER)
411        .add(&ENABLE_MCP_DEVELOPER_QUERY_TOOL)
412        .add(&ENABLE_PUBLIC_METRICS_ENDPOINT)
413        .add(&MCP_MAX_RESPONSE_SIZE)
414        .add(&MCP_REQUEST_TIMEOUT)
415        .add(&WEBHOOK_MAX_REQUEST_SIZE_BYTES)
416        .add(&USER_ID_POOL_BATCH_SIZE)
417        .add(&CONSOLE_OIDC_CLIENT_ID)
418        .add(&CONSOLE_OIDC_SCOPES)
419        .add(&ARRANGEMENT_SIZE_HISTORY_COLLECTION_INTERVAL)
420        .add(&ARRANGEMENT_SIZE_HISTORY_RETENTION_PERIOD)
421        .add(&CATALOG_INFO_METRICS_RECONCILE_INTERVAL)
422        .add(&PG_TIMESTAMP_ORACLE_STATEMENT_TIMEOUT)
423        .add(&ENABLE_SCOPED_SYSTEM_PARAMETERS)
424}