Skip to main content

mz_adapter_types/
dyncfgs.rs

1// Copyright Materialize, Inc. and contributors. All rights reserved.
2//
3// Use of this software is governed by the Business Source License
4// included in the LICENSE file.
5//
6// As of the Change Date specified in that file, in accordance with
7// the Business Source License, use of this software will be governed
8// by the Apache License, Version 2.0.
9
10//! Dyncfgs used by the adapter layer.
11
12use std::time::Duration;
13
14use mz_dyncfg::{Config, ConfigSet};
15
16pub const ALLOW_USER_SESSIONS: Config<bool> = Config::new(
17    "allow_user_sessions",
18    true,
19    "Whether to allow user roles to create new sessions. When false, only system roles will be permitted to create new sessions.",
20);
21
22// Slightly awkward with the WITH prefix, but we can't start with a 0..
23pub const WITH_0DT_DEPLOYMENT_MAX_WAIT: Config<Duration> = Config::new(
24    "with_0dt_deployment_max_wait",
25    // One year, which in practice makes it so we never cut over when not
26    // hydrated. To prevent cutting over unilaterally when there is an issue.
27    Duration::from_hours(365 * 24),
28    "How long to wait at most for clusters to be hydrated, when doing a zero-downtime deployment.",
29);
30
31pub const WITH_0DT_DEPLOYMENT_DDL_CHECK_INTERVAL: Config<Duration> = Config::new(
32    "with_0dt_deployment_ddl_check_interval",
33    Duration::from_secs(5 * 60),
34    "How often to check for DDL changes during zero-downtime deployment.",
35);
36
37pub const ENABLE_0DT_DEPLOYMENT_PANIC_AFTER_TIMEOUT: Config<bool> = Config::new(
38    "enable_0dt_deployment_panic_after_timeout",
39    false,
40    "Whether to panic if the maximum wait time is reached but preflight checks have not succeeded.",
41);
42
43pub const WITH_0DT_DEPLOYMENT_CAUGHT_UP_CHECK_INTERVAL: Config<Duration> = Config::new(
44    // The feature flag name is historical.
45    "0dt_deployment_hydration_check_interval",
46    Duration::from_secs(10),
47    "Interval at which to check whether clusters are caught up, when doing zero-downtime deployment.",
48);
49
50pub const WITH_0DT_CAUGHT_UP_CHECK_ALLOWED_LAG: Config<Duration> = Config::new(
51    "with_0dt_caught_up_check_allowed_lag",
52    Duration::from_secs(60),
53    "Maximum allowed lag when determining whether collections are caught up for 0dt deployments.",
54);
55
56pub const WITH_0DT_CAUGHT_UP_CHECK_CUTOFF: Config<Duration> = Config::new(
57    "with_0dt_caught_up_check_cutoff",
58    Duration::from_secs(2 * 60 * 60), // 2 hours
59    "Collections whose write frontier is behind 'now' by more than the cutoff are ignored when doing caught-up checks for 0dt deployments.",
60);
61
62pub const ENABLE_0DT_CAUGHT_UP_REPLICA_STATUS_CHECK: Config<bool> = Config::new(
63    "enable_0dt_caught_up_replica_status_check",
64    true,
65    "Enable checking for crash/OOM-looping replicas during 0dt caught-up checks. Emergency break-glass flag to disable this feature if needed.",
66);
67
68// TODO(aljoscha): Remove this break-glass flag after a couple of releases, once
69// the sustained-health gate has proven itself in production. It only exists as a
70// fleet-wide automatic revert to the prior "caught-up implies ready" behavior.
71pub const ENABLE_0DT_CAUGHT_UP_STABILITY_CHECK: Config<bool> = Config::new(
72    "enable_0dt_caught_up_stability_check",
73    true,
74    "Require clusters to stay caught-up and healthy for a stability period before being considered ready during 0dt deployments. Emergency break-glass flag: disabling reverts to treating a caught-up cluster as ready with no replica-health requirement, which differs from setting the stability period to zero (a zero period still requires all replicas to be healthy).",
75);
76
77pub const WITH_0DT_CAUGHT_UP_CHECK_STABILITY_PERIOD: Config<Duration> = Config::new(
78    "with_0dt_caught_up_check_stability_period",
79    Duration::from_secs(10 * 60), // 10 minutes
80    "How long a cluster must continuously be caught-up and have all replicas healthy before it is considered ready to cut over during a 0dt deployment.",
81);
82
83/// Enable logging of statement lifecycle events in mz_internal.mz_statement_lifecycle_history.
84pub const ENABLE_STATEMENT_LIFECYCLE_LOGGING: Config<bool> = Config::new(
85    "enable_statement_lifecycle_logging",
86    true,
87    "Enable logging of statement lifecycle events in mz_internal.mz_statement_lifecycle_history.",
88);
89
90/// Enable installation of introspection subscribes.
91pub const ENABLE_INTROSPECTION_SUBSCRIBES: Config<bool> = Config::new(
92    "enable_introspection_subscribes",
93    true,
94    "Enable installation of introspection subscribes.",
95);
96
97/// Enable sending subscribes down the new frontend-peek path.
98pub const ENABLE_FRONTEND_SUBSCRIBES: Config<bool> = Config::new(
99    "enable_frontend_subscribes",
100    true,
101    "Enable sending subscribes down the new frontend-peek path.",
102);
103
104/// The plan insights notice will not investigate fast path clusters if plan optimization took longer than this.
105pub const PLAN_INSIGHTS_NOTICE_FAST_PATH_CLUSTERS_OPTIMIZE_DURATION: Config<Duration> = Config::new(
106    "plan_insights_notice_fast_path_clusters_optimize_duration",
107    // Looking at production values of the mz_optimizer_e2e_optimization_time_seconds metric, most
108    // optimizations run faster than 10ms, so this should still work well for most queries. We want
109    // to avoid the case where an optimization took just under this value and there are lots of
110    // clusters, so the extra delay to produce the plan insights notice will take the optimization
111    // time * the number of clusters longer.
112    Duration::from_millis(10),
113    "Enable plan insights fast path clusters calculation if the optimize step took less than this duration.",
114);
115
116/// Whether to use an expression cache on boot.
117pub const ENABLE_EXPRESSION_CACHE: Config<bool> = Config::new(
118    "enable_expression_cache",
119    true,
120    "Use a cache to store optimized expressions to help speed up start times.",
121);
122
123/// Whether to enable password authentication.
124pub const ENABLE_PASSWORD_AUTH: Config<bool> = Config::new(
125    "enable_password_auth",
126    false,
127    "Enable password authentication.",
128);
129
130/// OIDC issuer URL.
131pub const OIDC_ISSUER: Config<Option<&'static str>> =
132    Config::new("oidc_issuer", None, "OIDC issuer URL.");
133
134/// OIDC audience (client IDs). When empty, audience validation is skipped.
135/// Validates that the JWT's `aud` claim contains at least one of these values.
136/// It is insecure to skip validation because it is the only
137/// mechanism preventing attackers from authenticating using a JWT
138/// issued by a dummy application, but from the same identity provider.
139pub const OIDC_AUDIENCE: Config<fn() -> serde_json::Value> = Config::new(
140    "oidc_audience",
141    || serde_json::json!([]),
142    "OIDC audience (client IDs). A JSON array of strings. When empty, audience validation is skipped.",
143);
144
145/// OIDC authentication claim to use as username
146pub const OIDC_AUTHENTICATION_CLAIM: Config<&'static str> = Config::new(
147    "oidc_authentication_claim",
148    "sub",
149    "OIDC authentication claim to use as username.",
150);
151
152/// Whether OIDC group-to-role sync is enabled.
153/// When true, JWT group claims are used to sync role memberships on login.
154pub const OIDC_GROUP_ROLE_SYNC_ENABLED: Config<bool> = Config::new(
155    "oidc_group_role_sync_enabled",
156    false,
157    "Enable OIDC JWT group-to-role membership sync on login.",
158);
159
160/// The JWT claim path that contains group memberships. May be a bare claim
161/// name (e.g. `groups`) or a dot-separated path into nested objects (e.g.
162/// `customClaims.groups`).
163pub const OIDC_GROUP_CLAIM: Config<&'static str> = Config::new(
164    "oidc_group_claim",
165    "groups",
166    "JWT claim path containing group memberships for role sync. Supports dot-separated paths into nested objects (e.g. customClaims.groups).",
167);
168
169/// Whether to reject login when group sync fails (strict/fail-closed mode).
170/// When false (default), sync failures are logged but login proceeds (fail-open).
171pub const OIDC_GROUP_ROLE_SYNC_STRICT: Config<bool> = Config::new(
172    "oidc_group_role_sync_strict",
173    false,
174    "When true, reject login if OIDC group-to-role sync fails (fail-closed).",
175);
176
177pub const PERSIST_FAST_PATH_ORDER: Config<bool> = Config::new(
178    "persist_fast_path_order",
179    false,
180    "If set, send queries with a compatible literal constraint or ordering clause down the Persist fast path.",
181);
182
183/// Whether to enforce that S3 Tables connections are in the same region as the Materialize
184/// environment.
185pub const ENABLE_S3_TABLES_REGION_CHECK: Config<bool> = Config::new(
186    "enable_s3_tables_region_check",
187    false,
188    "Whether to enforce that S3 Tables connections are in the same region as the environment.",
189);
190
191/// Whether the MCP agent endpoint is enabled.
192pub const ENABLE_MCP_AGENT: Config<bool> = Config::new(
193    "enable_mcp_agent",
194    true,
195    "Whether the MCP agent HTTP endpoint is enabled. When false, requests to /api/mcp/agent return 503 Service Unavailable.",
196);
197
198/// Whether the MCP agent query tool is enabled.
199/// When false, the `query` tool is hidden from tools/list and calls to it return an error.
200/// Agents can still use `get_data_products` and `get_data_product_details`.
201pub const ENABLE_MCP_AGENT_QUERY_TOOL: Config<bool> = Config::new(
202    "enable_mcp_agent_query_tool",
203    true,
204    "Whether the MCP agent query tool is enabled. When false, the query tool is not advertised and calls to it are rejected. Agents can still discover and inspect data products.",
205);
206
207/// Whether the MCP agent read_data_product tool is enabled.
208/// When false, the `read_data_product` tool is hidden from tools/list and calls to it return an error.
209/// The `query` tool is the general-purpose alternative for reading data products.
210pub const ENABLE_MCP_AGENT_READ_DATA_PRODUCT_TOOL: Config<bool> = Config::new(
211    "enable_mcp_agent_read_data_product_tool",
212    true,
213    "Whether the MCP agent read_data_product tool is enabled. When false, the read_data_product tool is not advertised and calls to it are rejected. Agents can use the query tool to read data products.",
214);
215
216/// Whether the MCP developer endpoint is enabled.
217pub const ENABLE_MCP_DEVELOPER: Config<bool> = Config::new(
218    "enable_mcp_developer",
219    true,
220    "Whether the MCP developer HTTP endpoint is enabled. When false, requests to /api/mcp/developer return 503 Service Unavailable.",
221);
222
223/// Whether the MCP developer query tool is enabled.
224/// When false, the `query` tool is hidden from tools/list and calls to it return an error.
225/// Developers can still use `query_system_catalog`.
226pub const ENABLE_MCP_DEVELOPER_QUERY_TOOL: Config<bool> = Config::new(
227    "enable_mcp_developer_query_tool",
228    true,
229    "Whether the MCP developer query tool is enabled. When false, the query tool is not advertised and calls to it are rejected. Developers can still use query_system_catalog.",
230);
231
232/// Whether the external metrics endpoint on environmentd is enabled.
233pub const ENABLE_PUBLIC_METRICS_ENDPOINT: Config<bool> = Config::new(
234    "enable_public_metrics_endpoint",
235    true,
236    "Whether the external metrics endpoint on environmentd is enabled. When false, requests return 503.",
237);
238
239/// Maximum size (in bytes) of MCP tool response content after JSON serialization.
240/// Responses exceeding this limit are rejected with a clear error telling the
241/// agent to narrow its query. Keeps responses within LLM context window limits.
242pub const MCP_MAX_RESPONSE_SIZE: Config<usize> = Config::new(
243    "mcp_max_response_size",
244    1_000_000,
245    "Maximum size in bytes of MCP tool response content. Responses exceeding this limit are rejected with an error telling the agent to narrow its query.",
246);
247
248/// Maximum size (in bytes) of a webhook request body, measured after
249/// decompression. Requests whose body exceeds this limit are rejected with
250/// HTTP 413. Applies only to the webhook route; other HTTP routes use a
251/// separate static limit.
252pub const WEBHOOK_MAX_REQUEST_SIZE_BYTES: Config<usize> = Config::new(
253    "webhook_max_request_size_bytes",
254    // Matches `MAX_REQUEST_SIZE`, the static limit the other environmentd HTTP routes use.
255    5 * 1024 * 1024,
256    "The maximum size in bytes of a webhook request body, measured after decompression.",
257);
258
259/// Number of user IDs to pre-allocate in a batch. Pre-allocating IDs avoids
260/// a persist write + oracle call per DDL statement.
261pub const USER_ID_POOL_BATCH_SIZE: Config<u32> = Config::new(
262    "user_id_pool_batch_size",
263    512,
264    "Number of user IDs to pre-allocate in a batch for DDL operations.",
265);
266
267/// OIDC client ID for the web console.
268pub const CONSOLE_OIDC_CLIENT_ID: Config<&'static str> = Config::new(
269    "console_oidc_client_id",
270    "",
271    "OIDC client ID for the web console.",
272);
273
274/// Space-separated OIDC scopes requested by the web console.
275pub const CONSOLE_OIDC_SCOPES: Config<&'static str> = Config::new(
276    "console_oidc_scopes",
277    "",
278    "Space-separated OIDC scopes requested by the web console.",
279);
280
281/// Interval at which to collect per-object arrangement size snapshots for the history table.
282pub const ARRANGEMENT_SIZE_HISTORY_COLLECTION_INTERVAL: Config<Duration> = Config::new(
283    "arrangement_size_history_collection_interval",
284    // Disabled by default until https://github.com/MaterializeInc/materialize/pull/37455 lands.
285    Duration::ZERO,
286    "Interval at which to collect and snapshot per-object arrangement sizes \
287     into mz_internal.mz_object_arrangement_size_history.",
288);
289
290/// How long to retain per-object arrangement size history.
291pub const ARRANGEMENT_SIZE_HISTORY_RETENTION_PERIOD: Config<Duration> = Config::new(
292    "arrangement_size_history_retention_period",
293    Duration::from_hours(7 * 24),
294    "How long to retain rows in mz_internal.mz_object_arrangement_size_history.",
295);
296
297/// How frequently the catalog `*_info` metrics (`mz_object_info`,
298/// `mz_cluster_info`, …) are reconciled with the catalog. A zero duration
299/// disables reconciliation.
300pub const CATALOG_INFO_METRICS_RECONCILE_INTERVAL: Config<Duration> = Config::new(
301    "catalog_info_metrics_reconcile_interval",
302    Duration::from_secs(30),
303    "How frequently to reconcile the catalog `*_info` metrics with the catalog. A zero duration disables reconciliation.",
304);
305
306/// Server-side `statement_timeout` to set on Postgres/CRDB connections used by
307/// the Postgres/CRDB timestamp oracle. A zero value leaves the statement
308/// timeout unset.
309pub const PG_TIMESTAMP_ORACLE_STATEMENT_TIMEOUT: Config<Duration> = Config::new(
310    "pg_timestamp_oracle_statement_timeout",
311    crate::timestamp_oracle::DEFAULT_PG_TIMESTAMP_ORACLE_STATEMENT_TIMEOUT,
312    "The server-side statement timeout to set on Postgres/CRDB connections used by the \
313    Postgres/CRDB timestamp oracle. A value of zero leaves the statement timeout unset.",
314);
315
316/// Whether per-cluster and per-replica scoped system parameters are evaluated.
317/// Off by default: the parameter sync loop evaluates no cluster/replica
318/// contexts and resolution falls back to the environment-wide value everywhere
319/// (the pre-scoped behavior). Enabling it (e.g. from LaunchDarkly) turns on
320/// scoped evaluation without a deploy.
321pub const ENABLE_SCOPED_SYSTEM_PARAMETERS: Config<bool> = Config::new(
322    "enable_scoped_system_parameters",
323    false,
324    "Whether per-cluster and per-replica scoped system parameters are evaluated and applied.",
325);
326
327/// Top-level gate for the cluster controller. When on, the controller owns the
328/// managed-cluster replica set and the legacy paths (the graceful 3-stage
329/// machine and `cluster_scheduling.rs`) are bypassed. The replica set cannot
330/// have two writers, so this is a clean switch, not a per-strategy toggle.
331pub const ENABLE_CLUSTER_CONTROLLER: Config<bool> = Config::new(
332    "enable_cluster_controller",
333    false,
334    "Whether the cluster controller owns the managed-cluster replica set. When false, the legacy scheduling and graceful-reconfiguration paths run instead.",
335);
336
337/// Cadence of the cluster controller's reconcile tick.
338///
339/// Replaces `cluster_check_scheduling_policies_interval` once the controller is
340/// the sole owner; while the controller is dark both intervals exist.
341pub const CLUSTER_CONTROLLER_TICK_INTERVAL: Config<Duration> = Config::new(
342    "cluster_controller_tick_interval",
343    Duration::from_secs(5),
344    "How often the cluster controller runs a reconcile tick.",
345);
346
347/// Adds the full set of all adapter `Config`s.
348pub fn all_dyncfgs(configs: ConfigSet) -> ConfigSet {
349    configs
350        .add(&ALLOW_USER_SESSIONS)
351        .add(&ENABLE_CLUSTER_CONTROLLER)
352        .add(&CLUSTER_CONTROLLER_TICK_INTERVAL)
353        .add(&WITH_0DT_DEPLOYMENT_MAX_WAIT)
354        .add(&WITH_0DT_DEPLOYMENT_DDL_CHECK_INTERVAL)
355        .add(&ENABLE_0DT_DEPLOYMENT_PANIC_AFTER_TIMEOUT)
356        .add(&WITH_0DT_DEPLOYMENT_CAUGHT_UP_CHECK_INTERVAL)
357        .add(&WITH_0DT_CAUGHT_UP_CHECK_ALLOWED_LAG)
358        .add(&WITH_0DT_CAUGHT_UP_CHECK_CUTOFF)
359        .add(&ENABLE_0DT_CAUGHT_UP_REPLICA_STATUS_CHECK)
360        .add(&ENABLE_0DT_CAUGHT_UP_STABILITY_CHECK)
361        .add(&WITH_0DT_CAUGHT_UP_CHECK_STABILITY_PERIOD)
362        .add(&ENABLE_STATEMENT_LIFECYCLE_LOGGING)
363        .add(&ENABLE_INTROSPECTION_SUBSCRIBES)
364        .add(&ENABLE_FRONTEND_SUBSCRIBES)
365        .add(&PLAN_INSIGHTS_NOTICE_FAST_PATH_CLUSTERS_OPTIMIZE_DURATION)
366        .add(&ENABLE_EXPRESSION_CACHE)
367        .add(&ENABLE_PASSWORD_AUTH)
368        .add(&OIDC_ISSUER)
369        .add(&OIDC_AUDIENCE)
370        .add(&OIDC_AUTHENTICATION_CLAIM)
371        .add(&OIDC_GROUP_ROLE_SYNC_ENABLED)
372        .add(&OIDC_GROUP_CLAIM)
373        .add(&OIDC_GROUP_ROLE_SYNC_STRICT)
374        .add(&PERSIST_FAST_PATH_ORDER)
375        .add(&ENABLE_S3_TABLES_REGION_CHECK)
376        .add(&ENABLE_MCP_AGENT)
377        .add(&ENABLE_MCP_AGENT_QUERY_TOOL)
378        .add(&ENABLE_MCP_AGENT_READ_DATA_PRODUCT_TOOL)
379        .add(&ENABLE_MCP_DEVELOPER)
380        .add(&ENABLE_MCP_DEVELOPER_QUERY_TOOL)
381        .add(&ENABLE_PUBLIC_METRICS_ENDPOINT)
382        .add(&MCP_MAX_RESPONSE_SIZE)
383        .add(&WEBHOOK_MAX_REQUEST_SIZE_BYTES)
384        .add(&USER_ID_POOL_BATCH_SIZE)
385        .add(&CONSOLE_OIDC_CLIENT_ID)
386        .add(&CONSOLE_OIDC_SCOPES)
387        .add(&ARRANGEMENT_SIZE_HISTORY_COLLECTION_INTERVAL)
388        .add(&ARRANGEMENT_SIZE_HISTORY_RETENTION_PERIOD)
389        .add(&CATALOG_INFO_METRICS_RECONCILE_INTERVAL)
390        .add(&PG_TIMESTAMP_ORACLE_STATEMENT_TIMEOUT)
391        .add(&ENABLE_SCOPED_SYSTEM_PARAMETERS)
392}