The AllegroGraph server is the running program which manages the various AllegroGraph repositories (also occasionally referred to as triple-stores or databases). The server must be set up as described in Server Installation.
This document describes server configuration below and server control further below.
All directives for AllegroGraph 8.4.1 are listed in this document. Most but not all can be used in earlier versions. The version in which the directive was added is shown for each case (versions prior to 7.0.0 are not specified exactly). If you are using a version earlier than 8.4.1 (but using this version of the documentation) the directives added after the version you are using cannot be used.
Argument notationThe directives that go in the configuration file generally require an argument. We generally show the type of argument expected. Here are some common argument types:
BOOLEAN: allowable values are yes and no (and also y, t, true, or 1 for yes and n, nil, false or 0 for no). Values are case-insensitive.
PATHNAME: a pathname, usually to a directory and usually an absolute pathname.
FILE-PATHNAME: a pathname (usually absolute) of a file.
INTEGER: an integer indicating the number permitted (such as for Backends) or a numeric label (such as for Port). Negative integers and 0 are not allowed unless the description says otherwise.
TIME: a non-negative integer, which can be labeled with a units indicator. An unlabeled integer is interpreted as a number of seconds. Units indicators are 's', 'h', and 'd', meaning seconds, hours, and days. So 100 and 100s both mean one hundred seconds, 25h is twenty-five hours and 3d is three days.
REGEXP: a regular expression. Regular expression syntax is described here. Regular expressions can be specified to make case-insensitive matches.
VALUE: a value specified in the directive description.
Some directives (usually those identifying things) can be specified multiple times meaning any of the specified values can be used. The directive description will say whether it can be specified more than once. A few directives can have multiple values on one line, usually comma separated.
Directive values must not be quoted. Spaces are not allowed in directive values.
Server configurationThe AllegroGraph server requires a configuration file in order to start up. Usually, this file is specified using the --config command-line argument. A minimal file could look like this:
SettingsDirectory /tmp/ag4/settings
SuperUser test:xyzzy
<RootCatalog>
Main /tmp/ag4/root
</RootCatalog> An AllegroGraph configuration file consists of a set of top-level directives, and one or more catalog definitions. The syntax is straight-forward: directives (both top-level and within a catalog definition) consist of an alphanumeric word, whitespace, and then the value of the directive. Indentation is ignored and trailing whitespace is removed. A directive can span multiple lines. Catalog definitions are delimited by pseudo-XML markers like <RootCatalog>.
Each line of the configuration file is processed this way:
# anywhere on the line and extends to the end of the line. However the hash character can be escaped using a backslash as in \# in which case the \# is replaced by # and the hash character is considered part of the directive on the line.Some examples of using # and \:
# full line comment
24000-30000 # port range
one two \ # line will continue on next line
three four # comment on second line
this \# is a hash character # shows hash character which results in these three directives being processed by the configuration parser:
24000-30000
one two three four
this # is a hash character Each directive defining a parameter must be on its own single line (or multiple lines joined by backslashes as described above). Specifying more than one parameter on a single line will result in an error, or, possibly, in the first parameter being defined incorrectly and the remaining ones on the line not being defined at all.
The directories named in this file must either already exist and be writeable by the user running the server, or that user must be able to create them himself. You'll usually not want to use temporary paths as in the example, of course.
Note about SuperUser and AuthPolicyFor users of an external password utility like LDAP, the agraph.cfg directive
SuperUser test:xyzzy will create the test account and give it the internal password of xyzzy however that password can never be used if you specify AuthPolicy as external-token or token-external or external.
Any relative path in the config file is initially resolved with respect to the directory containing the config file. If you specify another directory using the BaseDir directive, all subsequent relative paths are resolved relative to that directory. BaseDir can be specified as often as you like and can itself be a relative pathname (which will be resolved with using the BaseDir value in use, or, if not previously specified, with respect to the directory containing the config file). If BaseDir is specified multiple times, relative pathnames in other directives are resolved with respect to the most recent BaseDir value.
BaseDir PATHNAME
SettingsDirectory PATHNAME
AccessLogEnabled BOOLEAN
yes/no) that can be used to enable logging of successful HTTP(S) requests to a dedicated log file. (Added in version 7.0.0 or before.)
AccessLogDir PATHNAME
LogDir. (Added in version 7.0.0 or before.)
AccessLogFilePattern VALUE
strftime style directives, to set up log rotation for the HTTP access log. The pattern may contain spaces. Default is access-%Y%m%d.log containing year, month and date. (Added in version 7.0.0 or before.)
AccessLogEntryFormat VALUE
agraph.log. The logged value for unsupported directives (e.g. %l) is a dash: -. The default format is the NCSA extended/combined log format:
%h - %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i" AllowHTTP BOOLEAN
yes/no) that can be used to turn off HTTP access to the server. Default is yes. (Added in version 7.0.0 or before.) Clients usually interact with the AllegroGraph server using either HTTP or HTTPS or both. This is true of Webview as well as Java and Python clients. The agtool program will use the direct lisp interface if possible otherwise it will use HTTP or HTTPS. For security reasons you may wish to disable HTTP access and only permit HTTPS access. In this case you specify 'no' for this switch and also specify an SSLPort (see the section Top-level directives for SSL client certificate authentication). However in order for the direct lisp interface clients (such as agtool) to connect to the server a very limited HTTP webserver is always running inside the server. This webserver serves only two URLs and returns public information available via ps and netstat. Thus it's not a security concern that HTTP is used.
AllowIP IP-ADDRESSES
(Added in version 7.0.0 or before.) The value of the option must be a string containing one or more comma-separated IP address blocks in CIDR notation. The symbol any can be used instead of 0.0.0.0/0 notation.
Patterns can be either accepting or denying (prefixed with !) and are matched in the specified order, so less restrictive patterns must be included later in the list than denials which they include (see the second example, where 127.13.0.0 will be denied even though the list ends with any). Examples:
# Accept only loopback connections:
AllowIP 127.0.0.0/8, !any
# Accept any IP addresses except 127.13.0.0/16 range,
# unless it's 127.13.13.13:
AllowIP 127.13.13.13, !127.13.0.0/16, any Auditing BOOLEAN
yes/no) that can be used to turn on auditing. Default is no. (Added in version 7.0.0 or before.)
Backends INTEGER
BackendMaxIdle INTEGER
BriefBacktrace TRUE-OR-FALSE
true (default is false), only the function names will be included in the backtrace and argument information will be suppressed. This will make debugging the error more difficult but sensitive data (such as passwords) which might have been passed as arguments will then not appear in the log. (Added in version 7.0.0 or before.)
StaleDNSEntryRetainTime SECONDS
DisableGruff BOOLEAN
false), Gruff cannot be invoked from AGWebView. See also the MaxGruffProcesses directive. (Added in version 7.0.0 or before.)
EvalAllowed BOOLEAN
yes (the default), then the Evaluate arbitrary code permission bits are in effect. If it is no, then arbitrary code evaluation is disabled for all users (including superuser) regardless of the value of a user's actual permissions. (Added in version 7.0.0 or before.)
HostName HOST
localhost to listen only locally. (Added in version 7.0.0 or before.)
HTTPProxy VALUE
HTTPNoProxy VALUE
HTTPProxy directive, this parameter can be used to list exceptions. HTTP requests made by the server to domains that match one of the suffixes specified with HTTPNoProxy are never proxied. HTTPNoProxy can be specified multiple times, for example:
HTTPNoProxy mydomain.com
HTTPNoProxy otherdomain.com With the above configuration, requests made by the server for mydomain.com, otherdomain.com, sub.mydomain.com or notmydomain.com will not be proxied.
IP addresses can be specified and they are subject to the same string suffix matching rule as domain names are. Crucially, that means that a request made for a particular domain name will not match a rule that specified an IP address even if the domain name resolves to the IP address. It is usually the best to use entire IP addresses:
HTTPNoProxy 192.168.0.1 localhost and 127.0.0.1 are never proxied.
HttpTrace FILE-PATHNAME
HttpTrace directive is supplied, it is the name of the log file to which HTTP traffic is to be dumped. Relative pathnames are with respect to the log directory specified by the LogDir directive. If this HttpTrace directive is specified and HttpTraceOptions (see just below) is not specified, tracing is done using the default HttpTraceOptions. See also the --http-trace-options command line argument. (Added in version 7.0.0 or before.)
HttpTraceOptions OPTIONS
HttpTrace directive is specified, tracing will be done with the information requested by this directive being written to the file specified by HttpTrace. The value of this directive should be a comma separated list of options. Options starting with the character + turn on the corresponding log category. Those starting with - turn them off (allowing you to enable a general category, like +all and disable specific items thus enabled, like -proxy). max-message-size=NUMBER causes truncation of entries after NUMBER characters. The default value of this directive is +xmit,max-message-size=1000. The available log categories are listed in the Debugging section
HTTPWorkers INTEGER
Backends above) plus anticipated frontend sessions (used, for example, by Webview). Too few workers may cause long-running requests (like opening a repository) to delay other concurrent requests. (Added in version 7.0.0 or before.)
HTTPKeepAliveTimeout INTEGER
LicenseWarnInAdvance NON-NEGATIVE-INTEGER
LogDir PATHNAME
MaxGruffProcesses POSITIVE-INTEGER
MemoryCheckWhen VALUE
name:value where name can be query, transaction or time and value must be a number of items to run between checks (for query and transaction) or a delay in seconds (for time). (Added in version 7.0.0 or before.)
MemoryReleaseThreshold INTEGER
3g), megabytes (e.g. 3000m), kilobytes (e.g. 3000000k) or bytes (e.g. 3000000000). (Added in version 7.0.0 or before.)
PidFile FILE-PATHNAME
Port INTEGER
10035. If you do not want to allow access with HTTP, you must specify a value for SSLPort (see the section Top-level directives for SSL client certificate authentication) and also specify AllowHTTP to no. The value of Port can be overridden by the --port argument to agraph-control (and the --port argument to the agraph program). (Added in version 7.0.0 or before.)
QueryResultsLimit NUMBER
QueryResultsCacheSize NUMBER
allowCachingResults query option documentation for more details. The default value is 1000. (Added in version 8.0.0.)
QueryResultsCacheStorageSize INTEGER
allowCachingResults query option documentation for more details. The default value is 1G. (Added in version 8.0.0.)
QueryOption NAME=VALUE
QueryOption NAME=VALUE PREFIX franzOption_NAME: <franz:VALUE> QueryOption logQuery=yes PREFIX franzOption_logQuery: <franz:yes> QueryOption openaiApiKey: sk-XXXXXXXXXXXIJKlmnOpQ3RstvVWxyZABcD4eFG5jiJKlmno
QueryOption serpApiKey: XXXXXXXXXX4b15627d34b5859c76d17038d791c26e38f161e1234567e9>
QueryOption profileQuery=time
QueryOption profileQuery=space
QueryOption chunkProcessingAllowed=yes
ReplicationPorts INTEGER-RANGE
RunAs USERNAME
agraph). (Added in version 7.0.0 or before.)
SecureMMR BOOLEAN
SecureMMR in its configuration file.
SlowQueryLogThreshold NUMBER
NUMBER milliseconds, log information about the query to the log file (or to the file named by SlowQueryLogFile if specified). An example when SlowQueryLogThreshold is 1:
Slow query (1.261700 msec): select ?s { ?s ?p ?o . } limit 100000 slowQueryLogThreshold will set the threshold for a specific query. See Query Options in SPARQL Reference.
SlowQueryLogFile PATHNAME
SlowQueryLogThreshold just above) will be written to PATHNAME rather than the regular log file if this option is specified. Relative pathnames are with respect to the log directory specified by the LogDir directive. (Added in version 7.0.0 or before.)
SMTPHost ID SMTP-CONFIGURATION
(Added in version 7.0.0 or before.) Defines a named SMTP configuration for use by AllegroGraph features that support email notification, such as auditing and the event scheduler. Multiple SMTPHost definitions are allowed.
ID is a name that is used with other configuration options to specify the SMTP host being defined. SMTP-CONFIGURATION associates with ID a server, a login name and other information. For example, the following defines the SMTPHost with ID gmail:
SMTPHost gmail \
server="smtp.gmail.com", ssl=true, starttls=false,\
from="[email protected]", login="[email protected]", \
password="somepassword" SMTPHost:
server (string): the hostname or IP address of the server (example: "smtp.gmail.com", or "127.0.0.1"). This is a required parameter.
port (integer): defaults 25 for non-SSL, 465 for SSL (example: port=993)
ssl (boolean): defaults to false (example: ssl=true)
starttls (boolean): defaults to false (example: starttls=true)
from (string): the email address to which the From: header of emails sent via this SMTPHost will be set. This is a required parameter.
login (string): the user on the remote server (example: login="[email protected]")
password (string): the password corresponding to login.
password-command (string): a string suitable to be executed as a shell command. The specified command should output a single line containing the password to stdout. This is intended to avoid storing plaintext passwords in the configuration file.
SPARQLBaseURL URL
SuperUser NAME:PASSWORD
name:password format. The server will ensure, on startup, that a superuser with this name and password exists. Note that this means anyone that can read your configuration file has full access to the server. It is recommended to use the server setup script to create a superuser instead, or if you do use this directive, remove it after the first run of the server has created the user. (Added in version 7.0.0 or before.)
TempDir PATHNAME
/tmp). (Added in version 7.0.0 or before.)
TransactionSemantics VALUE
sesame-2.6 (the default) or sesame-2.7. It controls whether a new transaction is started automatically or an explicit begin is necessary. See Transaction handling semantics for more information. (Added in version 7.0.0 or before.)
UseLicensedCores BOOLEAN
true (default is false) ensures that no more than that number of cores will be used. If on startup you get an error message saying like the following:
Starting server failed: The machine has more cores (4) than the number of licensed cores (1). Specify "UseLicensedCores true" in agraph.cfg in order to have AllegroGraph use only the licensed number of cores. See these links for details: https://franz.com/agraph/support/documentation/server-installation.html#licensekey https://franz.com/agraph/support/documentation/daemon-config.html#uselicensedcores
XMLVersion 1.0-or-1.1
1.1. Specify XMLVersion 1.0 if you wish AllegroGraph to use XML 1.0. See also the Lisp function serialize-rdf/xml and the Lisp variable *serializer-xml-version*. (Added in version 7.2.0.)
A session is a user-specific connection to the AllegroGraph server. Because it is controlled by a single user, it can be transactional (changes are not permanently added to the database until committed and rollbacks are supported) and it is suitable for loading user-specific scripts. Sessions can also access several stores in a federation.
Sessions can only be created by users who have permission to start sessions (see Managing Users for information on user permissions).
Those users can start sessions from the New WebView Repository Menu/AGWebView or from the page displayed by Utilities menu | Sessions (in both new and traditional WebView), using the HTTP/REST interface, in Python), and in Java.
The following configuration directives affect sessions:
SessionHost VALUE
SessionPorts INTEGER-RANGE
8000-8020. Defines the ports that will be used for sessions. Useful when these need to be opened in a firewall or similar. When not specified, random ports will be used. (Added in version 7.0.0 or before.)
UseMainPortForSessions BOOLEAN
yes/no). If yes then the AllegroGraph process listening on the main port will act as a proxy for all requests for session processes. This helps to avoid firewall problems when using sessions, as only the main port needs to be exposed in this case. (Added in version 7.1.0.)
The next two directives control how long a session can be idle before it is terminated by the system. When starting a session with traditional AGWebView (described here), a timeout cannot be specified, so the value of DefaultSessionTimeout is the idle timeout for any AGWebView session. Starting in New WebView (see New WebView Repository Menu) does allow specification of timeouts when the session is created on the Utilities | Sessions page. Idle timeouts can be specified for sessions started with the HTTP/REST interface, Python, or Java (in all cases setting the lifetime parameter/argument). The value specified must be less or equal to than the MaximumSessionTimeout. Neither DefaultSessionTimeout nor MaximumSessionTimeout can be determined programmatically so users should ask the database administrator for those values if needed.
DefaultSessionTimeout INTEGER
MaximumSessionTimeout INTEGER
In addition to authenticating remote users via HTTP Basic authentication, users can also be authenticated using SSL certificates. See the comments about authenticating users in the introduction of the Security Implementation document.
The following directives are used to enable SSL client authentication. See the SSL/TLS Quick Start document for details on specifying an SSL/TLS connection to the AllegroGraph server.
SSLCertificate FILE-PATHNAME
SSLPort is set. (Added in version 7.0.0 or before.)
SSLPort INTEGER
SSLPort can be overridden by the --sslport argument to agraph-control (and the --sslport argument to the agraph program). (Added in version 7.0.0 or before.)
SSLCAFile FILE-PATHNAME
SSLCRLFile FILE-PATHNAME
SSLClientAuthUsernameField VALUE
Subject: C=US, ST=California, L=Oakland, O=Franz Inc., OU=Developers,
CN=Joe Smith, [email protected] SSLClientAuthUsernameField setting).
SSLClientAuthRequired BOOLEAN
SSLProtocol VALUE
tlsv1+.
SSLCipherSuite STRING
(Added in version 7.0.0 or before.) A string as described in https://www.openssl.org/docs/man1.0.2/apps/ciphers.html. This string specifies the list of ciphers that the AllegroGraph server is willing to use for incoming SSL connections.
The default value, taken from this guide: https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/, is
"ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS" RedirectHTTPOnHTTPS BOOLEAN
yes (default is no) HTTP requests sent to the AllegroGraph SSLPort will result in a 301 Moved Permanently response with the location set to the HTTPS version of the URL. If SSLPort is not set, this directive has no effect. (Added in version 8.2.0.)
These directives are used to specify site specific information about available LLMs. LLMs are described in the Large Language Models and Vector Databases document. Much LLM information is already hardwired in AllegroGraph and need not be configured in the agraph.cfg file but Ollama details (see the Ollama support document) cannnot be hardwired in as the location of the server will be different for each AllegroGraph installation.
AllegroGraph in version 8.3.0 (and later) is able to work with OpenAI and Ollama LLMs. More will be added in the future and if need be the configuration directives available in agraph.cfg will change.
The LLM configuration option is specified using a different format than most configuration options: it is an XML specification similar to catalog definitions rather than the CONFIG-DIRECTIVE-NAME value format used for most directives. Our example, which you can adapt to your specific needs, shows what information is needed.
This directive was added in release 8.3.0. At this time the only LLM configuration directive you'll need to add is for Ollama. Here is an example of such a directive:
<llm ollama>
chatModel llama3.1
chatModel mistral
chatModel qwen2
embedderModel llama3.1
embedderModel mistral
embedderModel qwen2
scheme http
host demo1
port 11434
embedder ollama
</llm> The Ollama server (running on the specified host, demo1 in our example) will only support the models installed so those must be listed. There are two types of models with potentially different names (but with the same names in our example). A chatModel is used when you send a prompt string to the LLM and it responds with a response string. See A quick example in the Ollama document for an example. There are links there to descriptions on scheme, host, and port.
An embedderModel is used to compute an embedding vector from a text string. Vector triple stores use embedder models as described in the Vector Storage Features in AllegroGraph document. When you fill out the WebView dialog for specifying a vector db (see vector-dbs-and-rag.html#Creating-a-vector-database), ollama is the Embedder and one of the specified embedderModels is the Model.
External authentication uses an external service to verify user credentials. Note that all user data (permissions, etc) is stored locally, so in order to be able to authenticate a user externally, a user with the same name must already exist on a given AG server.
The only external authentication protocols currently supported are LDAP and OAuth/OIDC.
AuthPolicy AUTH-POLICY
LDAPAuth LDAP-CONFIGURATION
(Added in version 7.0.0 or before.) Defines an LDAP configuration which will be used to connect to an external LDAP server to perform user authentication. Note that LDAP authentication can only be used if AuthPolicy option contains the word external (such as external, external-internal, token-external etc.)
The LDAP configuration requires a host and port (optionally, with SSL support) and a username template to construct the username that will be used in bind operation.
Here is an example LDAP configuration:
LDAPAuth \
server="ldap://ldap.example.com:389", \
username-template="cn={},dc=example,dc=com" LDAPAuth:
server (string): the URI of the LDAP server. The URI scheme must be either ldap for regular connection or ldaps for SSL connection. Port is optional and defaults to 389 if the scheme is ldap or 636 if the scheme is ldaps. Examples: ldap://ldap.example.com, ldaps://ad.example.com:10636. This is a required parameter.
username-template (string): the template for constructing the LDAP username from the AG username. Must contain a username marker "{}" which will be replaced with AG username during an authentication attempt. An example LDAPAuth value for an Active Directory service would be:
LDAPAuth \
server="ldap://ad.example.com", \
username-template="{}@ad.example.com connection-timeout (integer): timeout in seconds for LDAP connection. Defaults to 10.
cache-timeout (integer): caching period in seconds of the LDAP user's password hash to avoid constant authentication requests to the LDAP server. Defaults to 1800 (30 minutes). Only successful authentication attempts are cached.
OAuth OAUTH-CONFIGURATION
This directive was added in release 8.3.0. Defines an OAuth/OIDC configuration which will be used to execute the supported OAuth flows. Currently only the Authorization Code flow is supported. In addition to this option, in order to enable OAuth/OIDC authentication AuthPolicy must contain the word external (such as external, external-internal, token-external etc.)
This directive supports Single Sign-on and Sign-off.
Here is an example of OAuth configuration:
OAuth server="http://auth.example.com:4444", \
authorize-endpoint="/oauth2/auth", \
token-endpoint="/oauth2/token", \
jwks-uri="http://auth.example.com:4444/.well-known/keys.json", \
jws-algorithms="RS256, RS512", \
client-id="cc8b0524-ad95-47e8-977d-f3a70e5279a1", \
client-secret="J-k64I.gIC9xD9OM7d9bczKDJ5", \
scope="openid", \
username-claim="sub", \
username-regexp="^(.*)@.*", \
username-substitution="\\1", \
pkce=yes, \
front-channel-logout=yes, \
back-channel-logout=yes, \
explicit-id-token-type="JWT", \
explicit-logout-token-type="logout+jwt" OAuth directive:
server (string): the base URI of the OAuth server. This value must match the iss (issuer) claim in an ID token. Use *-endpoint options to specify required paths. If endpoints cannot be expressed as paths relative to the server URI, absolute URIs can be used instead. This is a required parameter.
authorize-endpoint (string): the URI of the endpoint on the server where the user should be redirected to initiate the authentication process. If it starts with /, it will be treated as a path relative to the server URI and will be concatenated with it to get the absolute URI of the endpoint. Otherwise it will be treated as an absolute URI of the endpoint. This is a required parameter.
token-endpoint (string): the URI of the endpoint on the server used to exchange the authorization code for the token in the OAuth Authorization Code flow. If it starts with /, it will be treated as a path relative to the server URI and will be concatenated with it to get the absolute URI of the endpoint. Otherwise it will be treated as an absolute URI of the endpoint. This is a required parameter.
jwks-uri (string): the URI of the JWKS file. AllegroGraph performs offline validation of ID tokens and expects to find keys for JWT signature verification at this URI. If it starts with /, it will be treated as a path relative to the server URI and will be concatenated with it to get the absolute URI of the endpoint. Otherwise it will be treated as an absolute URI of the endpoint. This is a required parameter.
jws-algorithms (string): comma-separated list of JWS signature algorithms allowed in JWT tokens. Token signed with unsupported or disallowed algorithms are considered invalid. Supported algorithms are HS256, HS384, HS512, RS256, RS384, RS512 and none. HMAC-SHA2 algorithms (HS256, HS384 and HS512) expect the value of the client-secret to be used as key. Default value is "RS256, RS384, RS512".
client-id (string) and client-secret (string): client credentials obtained when registering AllegroGraph server as a client for the authentication service.
scope (string): a string containing space-separated scopes that will be requested. The default value is "openid". openid must be included as one of the values in any string list supplied as the value of this argument.
username-claim (string): the claim in the OIDC ID Token returned by the token-endpoint which will be used to compute the username of the internal AllegroGraph user. Defaults to sub.
username-regexp (string): the regular expression for matching groups in the username-claim string which are then used in username-substitution to construct the actual username. In the example above, username-regexp captures a part of the sub claim that comes before @ character in an email. username-susbstitution just takes this captured group without any modifications. Note that ` character is used as an escape character in the option values, so a common notation for the first group (\1) becomes \1`. By default both options are unspecified meaning that the value of the username-claim will be used as is.
pkce (boolean, yes/no): if true, PKCE will be used. Default is no.
front-channel-logout (boolean, yes/no): if true, OIDC Front-Channel Logout is enabled. Default is yes. Note that front-channel logout requires HTTPS. Also note that front-channel logout relies on a user-agent (typically a browser) to provide information about login session to AllegroGrash in the form of a cookie, so if this is enabled, AllegroGraph sets authentication cookie with SameSite=None. Finally, note that, to our knowledge, front-channel logout does not work out-of-the-box on Firefox and requires changing a preference value (search for "firefox cookie behavior" in a web search engine). AllegroGraph's front-channel logout HTTP endpoint is GET /oauth/logout.
back-channel-logout (boolean, yes/no): if true, OIDC Back-Channel Logout is enabled. Default is yes. Note that in back-channel relies on direct HTTP communication between authorization service and AllegroGraph server, so the former must be accessible from the latter. Note that AllegroGraph's back-channel logout expects session to be specified via the sid (session ID) claim in the ID Token and the corresponding Logout Token. AllegroGraph's back-channel logout HTTP endpoint is POST /oauth/logout.
explicit-id-token-type (string): an explicit type (typ header assertion) of the ID Token, which is not required by the OpenID Connect spec, but may be useful for preventing using Logout tokens for logging in. Default is "" (empty string), which means that the check will be disabled. Note that if both this value and the value of explicit-logout-token-type (see below) are non-empty strings (i.e. both checks are enabled) than the types must be exactly the same as those values, but if only one check is enabled, than the other token's type will still be checked to be strictly different from the value of the enabled check. For example, if ID token type is "" and Logout Token type is "logout+jwt" (the default), the Logout Token type will be checked to be "logout+jwt", and ID Token type will be checked to be anything but "logout+jwt". To completely disable any checks, both values must be set to "".
explicit-logout-token-type (string): an explicit type (typ header assertion) of the Logout Token to be checked during token validation, as recommended by the OpenID Connect spec. Default is "logout+jwt". The value "" (empty string) can be used to disable verification. See the `explicit-id-token-type note above for the details on how this value relates to the ID Token type.
AllegroGraph expects auth service to respond with JSON.
Username can currently only be extracted from the OIDC ID Token, hence the required openid scope.
User record with the given username must already exist on the AllegroGraph server for the OIDC authentication flow to work.
ID tokens generated by the authorization server to which the configuration points can be directly used for authenticating API calls. The process of obtaining ID tokens depends on your authorization system. Use the value provided where <token> appears in the examples just below.
ID token can be sent as one of these two HTTP headers:
Authorization: Bearer <ID-token> Authorization: Basic base64(<username>:<ID-token>) Bearer authorization scheme is preferable because it does not need username to specified, but the Basic form is still useful for compatibility because it allows using ID tokens in place of a regular password in tools that automatically handle credentials in URIs as Basic HTTP authorization headers. This may be convenient in e.g. curl to avoid adding the authorization header manually:
curl http://<user>:<ID-token>@host:10035/repositories/repo/... agtool, where the user does not have control over the underlying HTTP authorization header:
agtool load <user>:<ID-token>@host:10035/repo data.ttl
AuditEventsToEmail VALUE
(Added in version 7.0.0 or before.) A directive that instructs the system to send notification emails to a specified address when various audit events occur. This option can be specified multiple times to cause emails to be sent to multiple addresses.
The format for this directive is
AuditEventsToEmail to="email", [smtphost="smtp-host-name"], \
events="comma-separated events" Where smtp-host-name is the name of the SMTPHost definition to be used and email is an email address. If only one SMTPHost is defined, this option can be left unspecified. Events can be any audit events (see Audit event types).
For example, here is a valid specification, assuming an SMTPHost named gmail has been defined:
AuditEventsToEmail to="[email protected]", smtphost="gmail", \
events="expirePassword,addUser,deleteUser" SMPHost defined, smtphost can be left unspecified:
AuditEventsToEmail to="[email protected]", \
events="expirePassword,addUser,deleteUser" AccountExpiry
AccountUnsuspendTimeout
MaxFailedLogins. (Added in version 7.0.0 or before.)
LoginTimeout
10s, 5m, 1h). If set, AGWebView login sessions are timed out after this amount of idle time. The default is no timeout. (Added in version 7.0.0 or before.)
MaxFailedLogins
AccountUnsuspendTimeout is set. (Added in version 7.0.0 or before.)
PasswordChangeAllowed
yes/no) that can be used to control whether users can change their own password. The default is yes. If no, then only superuser can change passwords. (Added in version 7.0.0 or before.)
PasswordExpiry
PasswordExpiryGrace
PasswordMinLength
PasswordMinUppercaseChars
PasswordMinDigitChars
PasswordMinSpecialChars
SuperUserCanAccessAllData
yes/no) that controls whether superuser bypasses normal permission checks for triples data. If it is on (the default), then superuser will have read/write access to all repositories. If it is turned off, then superuser needs to be granted access to repositories. This is most useful when auditing is enabled and any change to user permissions is logged. (Added in version 7.0.0 or before.)
The event scheduler, described in the Event Scheduler document, allows users to schedule times when a script should be run. The scripts can be run once or repeated regularly. These two configuration options should be set for the scheduler to work. The first must be set in order that a script file to run can be found. The second must be set if one wants emails sent reporting that a script ran or failed to run. Emails sent when a script runs successfully also contain the output of the script.
SchedulerDir DIRECTORY
SchedulerSMTPConfig SMTP-ID
These top-level directives affect multi-master replication clusters, described in the Multi-master Replication document. The first, MaximumBackupAge, specifies how old backups of the controlling instance are allowed to be.
MaximumBackupAge
s (for seconds), m (for minutes), h (for hours), or d (for days). The default is 3600 (i.e. one hour). When asked to grow a cluster an existing backup of the controlling instance is used unless it's older than this MaximumBackupAge in which case a new backup is made. See the section Controlling instance backups and MaximumBackupAge for more information on this directive. (Added in version 7.0.0 or before.)
The other settings affect how replication cluster instances are kept in sync. These latter directives specify the default values of these setting and the values may be overridden by commands which create a replication cluster and settings can also be changed once a replication cluster exists. The meaning and effect of a setting is described in the Instance Settings section of the Multi-master Replication document. Changing the settings after a cluster has been created is also described in that section. The directives are:
durability
distributedTransactionTimeout
transactionLatencyCount
transactionLatencyTimeout
While processing a query, backend processes may allocate memory from the operating system. When a previously allocated memory area is no longer used, the processes normally do not return it to the operating system, in hopes of reusing it for subsequent queries. However, it may be advantageous to periodically return idle memory to the operating system. The MemoryCheckWhen and MemoryReleaseThreshold configuration parameters allow for this.
Note that while returning memory to the OS makes memory available to other processes, it also incurs the overhead of minor page faults on subsequent allocations in the same process.
Each shared backend and dedicated session tracks its own memory usage. When a check is made the resident set size (RSS) of the backend or session process is compared to MemoryReleaseThreshold. If the RSS is greater than MemoryReleaseThreshold then an effort is made to give back as much memory to the OS as possible.
Since this kind of check is fairly expensive, performing it too often can have a detrimental effect on overall performance. The MemoryCheckWhen directive specifies under what circumstances it should be done. Let's see a couple of examples.
Perform memory check after every 7 queries:
MemoryCheckWhen query:7 Perform memory check after every 2 transactions:
MemoryCheckWhen transaction:2 Perform memory check every 10 seconds:
MemoryCheckWhen time:10 Finally, a complete configuration that would check whether the memory was above the threshold every 10 seconds and after every 2 transactions:
MemoryReleaseThreshold 2g
MemoryCheckWhen time:10
MemoryCheckWhen transaction:2 Note that MemoryReleaseThreshold must be specified whenever MemoryCheckWhen is. If neither of two are specified, then no checks are ever performed.
Memory lockingYou can lock indexes and/or the string table into memory if desired. This improves performance but can lead to problems if memory is tight. This can be done with the agtool memory-lock (and memory-unlock) commands. Run
% agtool memory-lock --help
for further information.
CORS directivesCORS (Cross-Origin Resource Sharing), if enabled, allows scripts run on a web page from one server to make HTTP requests to the (different) server where AllegroGraph is running. CORS is not enabled by default because if not configured properly, it can introduce security holes. The following directives enable CORS limited as the various options allow. A general tutorial on CORS is available at http://www.html5rocks.com/en/tutorials/cors/. See here in the REST/HTTP interface document for more information.
You may want to use CORS to communicate with the AllegroGraph server if you are writing a web application that will be accessing AllegroGraph but will not be served from the same domain that the server uses. This image shows a possible configuration:
CORS support is enabled if the configuration file contains at least one of the following directives: CorsAllowAll, CorsAllowOrigin, CorsAllowRegex.
The following configuration file directives are used to configure CORS:
CorsAllowAll BOOLEAN
yes, values for CorsAllowOrigin and CorsAllowRegex are ignored. The default is no. (Added in version 7.0.0 or before.)
CorsAllowOrigin DOMAIN
CorsAllowRegex REGEX
The following directives affect how CORS requests are handled when they are allowed.
CorsUrlRegex REGEX
CorsAllowMethods METHOD-LIST
DELETE GET OPTIONS PATCH POST PUT. (Added in version 7.0.0 or before.)
CorsAllowMethod METHOD
CorsAllowMethods (defined above). The CorsAllowMethod directive can be specified multiple times. (Added in version 7.0.0 or before.)
CorsAllowHeaders HEADERS-LIST
Accept Accept-encoding Authorization Content-type Dnt Origin User-agent
CorsAllowHeader HEADER
CorsAllowHeaders (defined above). This directive can be specified multiple times. (Added in version 7.0.0 or before.)
CorsExposeHeaders HEADER-LIST
CorsExposeHeader HEADER
CorsExposeHeaders (defined above). This directive can be specified multiple times. (Added in version 7.0.0 or before.)
CorsPreflightMaxAge INTEGER
Access-Control-Max-Age will not be sent. (Added in version 7.0.0 or before.)
CorsAllowCredentials BOOLEAN
Catalogs are locations on disk where AllegroGraph keeps its repositories. These locations are specified in the configuration file, along with some optional default settings for stores in the catalogs. Most of the time, you will want to specify all catalogs directly in the configuration file, but it is also possible to enable dynamic catalogs, which can be created and deleted either using the agtool catalogs tool or through the HTTP interface (as described in HTTP Protocol - SPARQL Endpoint).
Catalog definitions in the server configuration files serve as templates for creating databases. The parameters defined in the catalog definition will be copied to the database when it is created. Changes to the catalog definition do not influence the settings of existing databases. In order to modify parameters of existing databases, the file 'parameters.dat' in the database 'Main' directory must be edited and the database be restarted.
There are three types of catalog definitions that can occur in an AllegroGraph configuration file: special catalogs (root, system and fedshard catalogs), named catalogs, and a dynamic catalog specification. The first was seen in the example above (<RootCatalog> ... </RootCatalog>), and is used to determine where stores live that do not have a catalog specified. Named catalog specifications look similar:
<Catalog temporary>
Main /tmp/catalog
</Catalog> The first entry specifies the catalog name, temporary in the example. Catalog names can contain any characters except slashes, backslashes, colons, and tildes.
The catalog name can then be used to specify the catalog when creating or accessing repositories.
The names root, system and fedshard are reserved and may not be used in a Catalog directive. These three catalogs must be defined in every server and if not found in the configuration file they will be created automatically by the server.
The catalog directives of the root catalog are found within between <RootCatalog> and </RootCatalog> in the configuration file.
The system catalog is where AllegroGraph records information about the operation of the server. It can be given catalog directives in the configuration file between the directives <SystemCatalog> and </SystemCatalog>.
The fedshard catalog is reserved for storing metadata for fedshard repositories and not the data itself so very little disk space is required. The only catalog directive recognized in the configuration of the fedshard catalog is the Main catalog directive specifying the directory to be used to store the directories holding metadata for each fedshard repository. This Main directive for the fedshard repositories can be specified between the <FedshardCatalog> and </FedshardCatalog> directives in the configuration file.
Finally, a dynamic catalog definition is used to provide the settings for catalogs created over HTTP. If no dynamic catalog is defined, this feature is disabled.
<DynamicCatalogs>
Main /tmp/dynamic
</DynamicCatalogs> The directory (as well as any other catalog directories, see below) given for dynamic catalogs will be extended with a catalog name when such a catalog is created. For example, given the above configuration, a dynamic catalog named scratch would end up in /tmp/dynamic/scratch.
Some of the directives allowed within a catalog definition (those marked as inheritable) can also be specified at the top-level, where they act as a default value inherited by catalogs which don't explicitly specify that setting.
Main PATHNAME
TransactionLogDir PATHNAME
(Added in version 7.0.0 or before.) Specifies the directory in which transaction log subdirectories will be created for repositories in this catalog. The directory will be extended with the name of a repository. For example, if TransactionLogDir is /tmp/tlogs, then transaction logs for repository example will be stored in /tmp/tlogs/example. This parameter is optional and defaults to the value supplied for the Main parameter.
See the line in the example below
TransactionLogDir /mnt/disk3/ag4-transaction-logs which says transaction logs should be placed in the /mnt/disk3/ag4-transaction-logs/[repository-name]/ directory.
The value of this directive can affect performance. See the discussion in the Performance Tuning document.
StringTableDir PATHNAME
TransactionLogDir for information on how directory names are constructed. This parameter is optional and defaults to the value supplied for the Main parameter. The value of this directive can affect performance. See the discussion in the Performance Tuning document. (Added in version 7.0.0 or before.)
StringTableSize INTEGER
StringTableCompression VALUE inheritable
none (the default), lzo (same as lzo999), lzo1, lzo999 (same as lzo), or zlib. lzo999 compresses more than lzo1 but takes more time. The string table compression method can only be set when a repository is created. See the discussion of this directive here in the Performance Tuning document. (Added in version 7.0.0 or before.)
ExpectedStoreSize INTEGER inheritable
CheckpointInterval TIME inheritable
10s, 5m, 1h) that specifies how often checkpoints will be performed. The default value is 5m. The value of this directive can affect performance. See the discussion in the Performance Tuning document. (Added in version 7.0.0 or before.)
MaxRecoveryTime TIME inheritable
10s, 5m, 1h). AllegroGraph normally performs checkpoints at regular intervals, as configured by the CheckpointInterval directive. If MaxRecoveryTime is specified, AllegroGraph will maintain an estimate of how long recovery would take if a crash occurred at a given moment. When this estimated recovery time exceeds MaxRecoveryTime, a checkpoint will be performed. (Added in version 7.0.0 or before.)
TransactionLogSize INTEGER inheritable
10m for ten megabytes) that determines how big individual transaction log files are allowed to grow. When a transaction log size meets or exceeds this size, a new transaction log file will be created. The maximum is just under 4g. (Added in version 7.0.0 or before.)
TlogSyncMethod VALUE
DesiredTlogFiles INTEGER
(Added in version 7.0.0 or before.) This parameter specifies the number of transaction log files which should be preallocated at database creation time. The default value is 2. Specifying a larger value helps lower the probability of additional transaction log files being created during commits.
Note: The circumstances under which the number of tlog files may grow larger than DesiredTlogFiles are if there is a long-running backup, transaction log archiving is running slowly, or if replication is running slowly or stalled. When possible, AllegroGraph will reduce the number of transaction log files back down to DesiredTlogFiles.
InstanceTimeout TIME inheritable
10s, 5m, 1h) a database instance will stay open without being accessed. The default is one hour. Starting a database instance can be time consuming. By keeping idle instances around this directive allows for trading off memory for lower worst case latency on database access. Note that this value is advisory; AllegroGraph checks for idle database instances intermittently so a given instance may linger longer than the instanceTimeout. (Added in version 7.0.0 or before.)
TransactionLogArchive PATHNAME
TransactionLogRetain
TransactionLogReplicationJobname
What follows is a more complete example to demonstrate the various configuration options in more detail.
# Don't allow normal HTTP access, only SSL
Port 10035
AllowHTTP no
SSLPort 10036
SSLCertificate /var/lib/ag4/server.cert
SettingsDirectory /var/lib/ag4/settings
Backends 5
# You can actually remove this after the first server run, to
# reduce the risk of someone finding it here.
SuperUser test:xyzzy
ExpectedStoreSize 100000
SessionPorts 8080-8083
<RootCatalog>
Main /var/lib/ag4/root
</RootCatalog>
<Catalog fast>
ExpectedStoreSize 2000000
CheckpointInterval 1h
Main /var/lib/ag4/fast
StringTableDir /mnt/disk2/ag4-string-tables
TransactionLogDir /mnt/disk3/ag4-transaction-logs
</Catalog>
<DynamicCatalogs>
Main /var/lib/ag4/dynamic
</DynamicCatalogs> In some circumstances, it is desirable to modify the settings of an existing database by editing the 'parameters.dat' file in the database main directory. The syntax of this file is similar to that of the server configuration file, but only the parameters that are normally present inside of a catalog definition are allowed.
For example, the 'parameters.dat' file for a database 'demo' created with the 'fast' catalog definition above would look like this:
CheckpointInterval 1h
Main /var/lib/ag4/fast
StringTableDir /mnt/disk2/ag4/fast It might be edited to change the CheckpointInterval. It is also possible to add new file placement rules. When modifying any of the file placement related parameters of a database, care must be taken to make sure that all files that constitute the current database state are still visible to the database. For example, if the StringTableDir directory in the database above should be removed, all files in /mnt/disk2/ag4/fast/demo/ would need to be manually moved into the main directory of the database, /var/lib/ag4/fast/demo/.
Note that resetting some parameters in 'parameters.dat' has no effect. In particular, changing ExpectedStoreSize in parameters.dat does nothing. The only way to change that is to set the option in the configuration file and recreate the database.
When moving around database files, it is important to know that some of these files are sparse, i.e. they contain holes (unallocated blocks). Many file management utilities (like 'cp' and 'tar') can optionally preserve file sparseness, but care should be taken to make sure that copies of database files don't become unexpectedly large after a manual manipulation.
Server control: starting and stopping the serverThe method used to start and stop the AllegroGraph server depends on the type of install: an RPM install or installation from a tar.gz file (see Server Installation). The RPM install places files in specific locations. The configuration file agraph.cfg is placed in /etc/agraph/ and you can use /sbin/service to start and stop Allegrograph:
You can start AllegroGraph by running:
/sbin/service agraph start
You can stop AllegroGraph by running:
/sbin/service agraph stop In addition, chkconfig can be used to make AllegroGraph start when the system boots. For example:
chkconfig agraph on You can also use agraph-control with an RPM install.
The tar.gz installation is more flexible, and you choose the AllegroGraph directory as part of the installation process (again, see Server Installation). The typical way to start and stop AllegroGraph installed from a tar.gz file is to use agraph-control.
Starting multiple serversYou can run multiple servers on the same machine if desired. Separate instances must have different settings directories, and must use different ports. These are specified in the configuration file so each server instance must have its own configuration file. If you try to run two servers with conflicting information, the second will fail to start with a message similar to:
Daemonizing...
Starting server failed:
There appears to already be an AllegroGraph server running (pid 12803).
If it is your intention to run another AllegroGraph server
simultaneously,
please make a separate configuration file which has different values
for the following parameters:
Port 61111
SettingsDirectory /disk1/allegrograph/settings/
agraph-control is a script that can be used to start and stop AllegroGraph. It also can process other commands, as described below. agraph-control is located in the bin/ subdirectory of the AllegroGraph directory. The calling template is
agraph-control [OPTIONS] <command> Additionally when command is start or restart, agraph-control will also accept additional command-line options, so the calling sequence is
agraph-control [CONTROL-OPTIONS] <start | restart > [-- COMMAND-LINE-OPTIONS] The command-line-options are the arguments accepted by the agraph program (which is called by agraph-control) and are listed below.
Control optionsThere are three control options: --config, --cluster-config and --cluster.
--config
The value of --config should be the path of the configuration file. The usual location of that file in a tar.gz install is the lib/ subdirectory of the AllegroGraph directory. The usual location in an RPM install is /etc/agraph/. The default name is agraph.cfg.
Thus, with a tar.gz install, you can start the AllegroGraph server with
[Agraph dir]/bin/agraph-control --config [Agraph dir]/lib/agraph.cfg start --config is not specified, the behavior is as follows:
For an RPM install when not running as root, there is no default and --config must have a value.
For an RPM install when running as root, the default is /etc/agraph/agraph.cfg.
For a tar.gz install, the default is agraph.cfg in lib/ subdirectory of the AllegroGraph directory.
--config is not found, the AllegroGraph server is not started and a message like the following is printed:
Cannot locate configuration file (tried <supplied path>). --config is unspecified, and the agraph.cfg file is not found in the default location or you are not running as root with an RPM install, the AllegroGraph server is not started and the following message is printed:
Cannot determine location of configuration file. Please use --config --cluster-config
--cluster
--cluster argument suffices. If there are problems, use --cluster-config and --config instead.
--port N
N, thus overriding the value specified by the Port directive in the configuration file (see above). This argument is convenient when the number in the configuration file happens to be in use.
--sslport N
SSLPort directive in the configuration file (see above). This argument is convenient when the number in the configuration file happens to be in use.
The commands to agraph-control are:
The signals used by the AllegroGraph service daemon are:
For the status command, a 0 exit status is returned if the server is up, non-zero if the server is down.
For all other commands, the exit status is 0 if the command was executed succesfully, and non-zero if an error is reported during command execution.
The agraph programagraph-control is a script which launches the actual program, named agraph. While agraph-control is recommended when starting the server, you can use agraph, particularly when you wish to invoke options not available to agraph-control. agraph accepts the following command-line arguments:
--config file
agraph.cfg in the executable's directory, or, failing that, /etc/agraph/agraph.cfg. (If the configuration file cannot be found, AllegroGraph does not start and prints the message No configuration file found.
--log-dir directory
LogDir directive.
--debug
--log-level level
debug,daemon:info,storage:warn.
--port N
Port directive in the configuration file (see above). This argument, similar to the --port argument to agraph-control (see above) is convenient when the number in the configuration file happens to be in use.
--sslport N
SSLPort directive in the configuration file (see above). similar to the --sslport argument to agraph-control (see above) is convenient when the number in the configuration file happens to be in use.
--http-trace file-pathname
--http-trace-options options
--pid-file file
PidFile directive.
--run-as user
RunAs directive.
--no-daemonize
--stop-server
--stop-timeout seconds
--stop-server request. Must be an integer greater than 0. If --force has also been supplied, then the default value is 10; otherwise the default value is 60.
--version
--short-version
--help
AllegroGraph uses POSIX shared memory for inter-process communication.
Each AllegroGraph instance requires a certain amount of shared memory (depending on the ExpectedStoreSize setting). The actual size is reported in agraph.log when an instance is started.
On Linux, the shared memory comes from tmpfs, which is typically mounted on /dev/shm. Default size is half of RAM. To resize, issue a command like the following as the root user:
mount -o remount,size=<size> <shm-device-file> For example:
mount -o remount,size=8G /dev/shm To make the change permanent, /etc/fstab needs to be updated or the above command must be run from a startup script such as /etc/rc.local.
/dev/shm is usually mounted with permissions that allow any process to use it, for example:
$ ls -ld /dev/shm
drwxrwxrwt 2 root root 40 Oct 17 16:31 /dev/shm/ However, sites with strict security policies may have /dev/shm mounted with tight permissions (for example, to only allow root to use shared memory). For AllegroGraph to operate, /dev/shm must have permissions which allow at least the RunAs user to read and write to it. Consult with your systems administrator if AllegroGraph fails to start up due to the permissions on /dev/shm.
If a previously-working instance doesn't start due to shared memory problem, then there may be a lingering process which still has a handle on a shared memory segment.
$ <stop-allegrograph>
# Check total size, available and used size.
$ df -h /dev/shm
# If the 'Used' column shows a non-trivial amount,
# look for processes that use /dev/shm.
$ lsof /dev/shm
# Maybe kill offending processes
$ kill -9 <pid1> <pid2> ...
$ <start-allegrograph> RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4