rserver.conf
The following is a list of available options that can be specified in the rserver.conf
configuration file, which controls behavior of Workbench’s rserver
process, allowing you to tune HTTP, authorization options, and other settings that broadly affect Posit Workbench.
verify Settings
verify-installation
Runs verification mode to verify the current installation.
Type: bool
Default: 0
verify-user
Specifies the run-as user for additional Job Launcher verification.
Type: string
Default: <empty string>
verify-test
Specifies the verify-installation test to run. Leave empty to run all tests.
Type: string
Default: <empty string>
server Settings
server-working-dir
The default working directory of the rserver process.
Type: string
Default: /
server-user
The user account of the rserver process.
Type: string
Default: rstudio-server
server-daemonize
Indicates whether or not the rserver process should run as a daemon.
Type: bool
Default: 1 (true) if rserver was run with root privilege, otherwise 0 (false).
server-pid-file
The path to a file where the rserver daemon’s pid is written.
Type: string
Default: /var/run/rstudio-server.pid
server-set-umask
If enabled, sets the rserver process umask to 022
on startup, which causes new files to have rw-r--r--
permissions.
Type: bool
Default: 1
server-data-dir
Path to the data directory where Posit Workbench will write run-time state.
Type: string
Default: /var/run/rstudio-server
server-add-header
Adds a header to all responses from Posit Workbench. This option can be specified multiple times to add multiple headers.
Type: string
Default: <empty string>
server-db-migrate-path
The relative path from the RStudio installation directory, or absolute path where the Workbench Database migration program binary is located.
Type: string
Default: bin/workbench-database-migrate
server-nginx-path
The relative path from the RStudio installation directory, or absolute path where the NGINX binary is located.
Type: string
Default: bin/rserver-http
server-nginx-conf-template-path
The relative path from the RStudio installation directory, or absolute path where the NGINX config file templates are located.
Type: string
Default: conf
server-nginx-conf-path
Specifies the path to the NGINX config files.
Type: string
Default: /var/lib/rstudio-server/conf
server-nginx-ld-library-path
Specifies the LD_LIBRARY_PATH for the NGINX executable.
Type: string
Default: <empty string>
server-access-log
Indicates whether or not to write HTTP access logs to /var/log/rstudio/rstudio-server.
Type: bool
Default: 0
nginx-error-log-level
Specifies one of crit, error, warn, info, debug (note: debug level requires a debug build of rserver-http - the bundled NGINX executable)
Type: string
Default: warn
server-nginx-http-directives-path
Specifies the path to custom NGINX http directives.
Type: string
Default: The first nginx.http.conf file that is found on the XDG_CONFIG_DIRS environment, or /etc/rstudio/nginx.http.conf if no XDG_CONFIG_DIRS are specified.
server-nginx-server-directives-path
Specifies the path to custom NGINX server directives.
Type: string
Default: The first nginx.server.conf file that is found on the XDG_CONFIG_DIRS environment, or /etc/rstudio/nginx.server.conf if no XDG_CONFIG_DIRS are specified.
server-nginx-site-directives-path
Specifies the path to custom NGINX site directives.
Type: string
Default: The first nginx.site.conf file that is found on the XDG_CONFIG_DIRS environment, or /etc/rstudio/nginx.site.conf if no XDG_CONFIG_DIRS are specified.
server-nginx-worker-connections-path
Specifies the path to custom NGINX worker directives that replace the default options for # of file descriptors, worker_connections, and worker_processes.
Type: string
Default: The first nginx.worker.conf file that is found on the XDG_CONFIG_DIRS environment, or /etc/rstudio/nginx.worker.conf if no XDG_CONFIG_DIRS are specified. If no nginx.worker.conf exists, default values of 1 worker_process, 2048 worker_connections, and 4096 for the nofile rlimit are used.
server-nginx-static-directives-path
Specifies the path to custom NGINX static directives file that replaces the default optimization for offloading static file serving from rserver and rworkspaces.
Type: string
Default: The first nginx.static.conf file that is found on the XDG_CONFIG_DIRS environment, or /etc/rstudio/nginx.static.conf if no XDG_CONFIG_DIRS are specified. If no nginx.static.conf exists, directives are included so that the local NGINX server handles most static file resource without proxying them to rserver.
server-health-check-enabled
Indicates whether or not to allow access to the server health check URL.
Type: bool
Default: 0
server-license-type
Specifies whether to use remote (floating) or local (activation) licensing.
Type: string
Default: local
license-retry-seconds
Specifies the number of seconds to wait between floating license retries.
Type: int
Default:
license-warning-days
Specifies the number of days before the license expiration during which a warning will be shown to the user; set to 0 to disable license warnings.
Type: int
Default: 15
resolve-load-balancer-nodes
Indicates whether or not to resolve IP addresses associated with load balancer nodes; not compatible with SSL unless the IP address is in the CN/SAN.
Type: bool
Default: 0
server-balancer-path
The relative path from the RStudio installation directory, or absolute path where the custom load balancing script is located.
Type: string
Default: bin/rserver-balancer
server-multiple-sessions
Indicates whether or not to allow multiple sessions per user.
Type: bool
Default: 1
r-versions-multiple
Indicates whether or not to allow the use of multiple R versions.
Type: bool
Default: 1
server-project-sharing
Indicates whether or not to allow project sharing.
Type: bool
Default: 1
server-project-sharing-root-dir
Specifies the root directory for shared projects in addition to users’ own home directories.
Type: string
Default: <empty string>
server-user-home-page
Indicates whether or not to show the user home page upon login.
Type: bool
Default: 1
r-versions-scan
Indicates whether or not to scan for available R versions on the system.
Type: bool
Default: 1
modules-bin-path
Specifies the path to modules sh init binary. This is necessary if you intend to load R versions via modules.
Type: string
Default: <empty string>
admin-enabled
Indicates whether or not to allow access to the administration dashboard.
Type: bool
Default: 0
admin-group
Limits admin dashboard access to users belonging to the specified group.
Type: string
Default: <empty string>
admin-superuser-group
Limits admin superusers to those belonging to the specified group.
Type: string
Default: <empty string>
admin-monitor-log-use-server-time-zone
Indicates whether or not to use the server time zone when displaying the monitor log. If disabled, uses UTC.
Type: bool
Default: 0
r-versions-path
Specifies the path to the file containing the list of available R Versions in JSON format. This file will be automatically generated by the rserver process after discovering the R versions available on the system. It is strongly recommended not to modify this setting in most cases.
Type: string
Default: /var/lib/rstudio-server/r-versions
launcher-address
Specifies the address of the Launcher service (local unix domain socket file or IP address).
Type: string
Default: <empty string>
launcher-port
Specifies the port of the Launcher to connect to (if not using a unix domain socket).
Type: string
Default: <empty string>
launcher-use-ssl
Indicates whether or not to use SSL connections when connecting to the Launcher (if not using a unix domain socket).
Type: bool
Default: 0
launcher-verify-ssl-certs
Indicates whether or not to verify the Launcher certificate(s) when using an SSL connection.
Type: bool
Default: 1
launcher-sessions-enabled
Indicates whether or not to use the Launcher for creating sessions.
Type: bool
Default: 0
launcher-default-cluster
Specifies the default cluster to launch jobs on when using the Launcher.
Type: string
Default: <empty string>
launcher-sessions-callback-address
The callback address (hostname, IP address, or HTTP URL) of rserver for Launcher sessions to communicate back.
Type: string
Default: <empty string>
launcher-sessions-callback-verify-ssl-certs
Indicates whether or not to enforce SSL certificate verification of the server when Launcher sessions communicate back via the callback address.
Type: bool
Default: 1
launcher-sessions-callback-timeout
The number of seconds to wait before timing out a connection from a Launcher session to the callback address.
Type: int
Default: 10
launcher-sessions-container-image
Specifies the default container image to use for Launcher sessions. Only applicable for container-based job systems (e.g. Kubernetes).
Type: string
Default: <empty string>
launcher-sessions-container-run-as-root
Indicates whether or not to run the Launcher session containers as root. If not, uses the requesting user’s UID. Only applicable for container-based job systems.
Type: bool
Default: 0
launcher-sessions-create-container-user
Indicates whether or not to create a user for the container’s owner when running Launcher session containers. Only applicable for container-based job systems.
Type: bool
Default: 1
launcher-sessions-connection-timeout-seconds
Specifies the connection timeout in seconds to use when establishing a connection to a Launcher session.
Type: int
Default: 3
launcher-sessions-proxy-timeout-seconds
Specifies the connection timeout in seconds to use for waiting for a launcher job to be running for a normal proxy request.
Type: int
Default: 5
launcher-sessions-clusters
Specifies a comma-separated list of available clusters for launching interactive sessions (or all Launcher clusters if empty).
Type: string
Default: <empty string>
launcher-adhoc-clusters
Specifies a comma-separated list of available clusters for launching ad hoc jobs (or all Launcher clusters if empty).
Type: string
Default: <empty string>
launcher-sessions-container-images
Specifies a comma-separated list of available container images for launching interactive sessions (or all cluster images if empty). Only applicable for container-based job systems.
Type: string
Default: <empty string>
launcher-adhoc-container-images
Specifies a comma-separated list of available container images for launching ad hoc jobs (or all cluster images if empty). Only applicable for container-based job systems.
Type: string
Default: <empty string>
launcher-sessions-forward-container-environment
Used in previous versions to forward environment variables from the Kubernetes container spec to the session. Use the more general-purpose launcher-sessions-forward-environment=0
setting to control this behavior instead.
This option is deprecated and should not be used.
Type: bool
Default: 1
launcher-sessions-container-forward-groups
Indicates whether or not to forward the user’s supplemental groups to the container. Only applicable for container-based job systems.
Type: bool
Default: 1
rstudio-pro-sessions-enabled
Indicates whether or not RStudio Pro Sessions can be started from the homepage.
Type: bool
Default: 1
load-balancing-enabled
Set to 1 to enable server load balancing, 0 to disable. When not set, the presence of the load-balancer
configuration file enables server load balancing for compatibility (a warning is issued to make this choice explicit).
Type: string
Default: <empty string>
max-streams-per-user
Set to limit the number of streaming connections an individual user can have open. The oldest one is closed when the limit is surpassed.
Type: int
Default: 3
streaming-connection-timeout-seconds
Specifies a maximum timeout in seconds to allow status stream connections to stay open. Set to 0 to disable stream connection timeout.
Type: int
Default: 300
launcher-sessions-forward-environment
Forward environment variables from the parent Launcher job (i.e. Kubernetes container or Slurm job) to the session.
Type: bool
Default: 1
launcher-sessions-auto-update
Indicates whether or not to automatically update session components on non-Local clusters. Only supported on Kubenernetes.
Type: bool
Default: 0
session-hooks-enabled
Whether or not session hooks are enabled.
Type: bool
Default: 0
session-hooks-path
Path to a directory of scripts that can be called by a session hook.
Type: string
Default: <empty string>
session-hooks-start
Scripts that should be run when a session starts.
Type: string
Default: <empty string>
session-hooks-stop
Scripts that should be run when a session stops.
Type: string
Default: <empty string>
www Settings
www-address
The network address that Posit Workbench will listen on for incoming connections.
Type: string
Default: 0.0.0.0
www-port
The port that Posit Workbench will bind to while listening for incoming connections. If left empty, the port will be automatically determined based on your SSL settings (443 for SSL, 8787 for no SSL).
Type: string
Default: <empty string>
www-socket
The socket that RStudio Server will bind to while listening for incoming connections. If left empty, a port will be used.
Type: string
Default: <empty string>
www-root-path
The path prefix added by a proxy to the incoming RStudio URL. This setting is used so Posit Workbench knows what path it is being served from. If running Posit Workbench behind a path-modifying proxy, this should be changed to match the base Posit Workbench URL.
Type: string
Default: Assume the root path '/' if not defined.
www-thread-pool-size
The size of the threadpool from which requests will be serviced. This needs to have enough threads to avoid bottlenecks due to certain requests that block the request thread (e.g. a login fail might run into a delay caused by the pam configuration). For systems with lots of users a larger value is recommended. For systems with only one or two users, a value of 2 will be slightly more efficient.
Type: int
Default: 6
www-proxy-localhost
Indicates whether or not to proxy requests to localhost ports over the main server port. This should generally be enabled, and is used to proxy HTTP traffic within a session that belongs to code running within the session (e.g. Shiny or Plumber APIs)
Type: bool
Default: 1
www-verify-user-agent
Indicates whether or not to verify connecting browser user agents to ensure they are compatible with Posit Workbench.
Type: bool
Default: 1
www-same-site
The value of the ‘SameSite’ attribute on the cookies issued by Posit Workbench. Accepted values are ‘none’ or ‘lax’. The value ‘none’ should be used only when RStudio is hosted into an iframe. For compatibility with some browsers (i.e. Safari 12), duplicate cookies will be issued by Posit Workbench when ‘none’ is used.
Type: string
Default: <empty string>
www-frame-origin
Specifies the allowed origin for the iframe hosting RStudio if iframe embedding is enabled.
Type: string
Default: none
www-enable-origin-check
If enabled, cause RStudio to enforce that incoming request origins are from the host domain. This can be added for additional security. See https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#verifying-origin-with-standard-headers
Type: bool
Default: 0
www-allow-origin
Specifies an additional origin that requests are allowed from, even if it does not match the host domain. Used if origin checking is enabled. May be specified multiple times for multiple origins.
Type: string
Default: <empty string>
session-use-file-storage
Whether to use the file system to store metadata about the session storage or the internal database. Setting this to false may require special network configuration. See Session storage for more information.
Type: bool
Default: 1
www-stats-monitor-seconds
The time interval in seconds to log info/debug messages with stats on server performance. Set to 0 to disable.
Type: int
Default: 60
ssl-enabled
Enables or disables SSL.
Type: bool
Default: 0
ssl-certificate
Specifies the path to the SSL certificate for Posit Workbench to use.
Type: string
Default: <empty string>
ssl-certificate-key
Specifies the path to the SSL certificate private key.
Type: string
Default: <empty string>
ssl-protocols
Specifies the list of supported SSL protocols separated by a space.
Type: string
Default: TLSv1 TLSv1.1 TLSv1.2
ssl-redirect-http
Indicates whether or not HTTP requests should automatically be redirected to HTTPS.
Type: bool
Default: 1
ssl-hsts
Indicates whether or not to enable Strict Transport Security when SSL is in use.
Type: bool
Default: 1
ssl-hsts-max-age
Specifies the maximum age for Strict Transport Security.
Type: int
Default: 86400
ssl-hsts-include-subdomains
Indicates whether or not to include subdomains in HSTS protection.
Type: bool
Default: 0
session-ssl-enabled
Set to false (0) to disable use of the SSL protocol when communicating with launcher sessions. By default, certificates are auto-generated.
Type: bool
Default: 1
session-ssl-cert
Disables the use of auto-generated per-job certificates for SSL communication between the server and remote sessions. Provides the path to existing cert file on the session host, which must be accessible to the session user.
Type: string
Default: <empty string>
session-ssl-cert-key
Path to cert key file, the private key for SSL communication between server and remote sessions. Required when using session-ssl-cert and must also be accessible on the session host to the owner of the session.
Type: string
Default: <empty string>
session-ssl-verify-certs
Set to 0 to disable session cert verification (useful for testing purposes only - do not use in production).
Type: bool
Default: 1
rsession Settings
rsession-which-r
The path to the main R program (e.g. /usr/bin/R). This should be set if no versions are specified in /etc/rstudio/r-versions and the default R installation is not available on the system path.
Type: string
Default: <empty string>
rsession-path
The relative path from the RStudio installation directory, or absolute path to the rsession executable.
Type: string
Default: rsession
rldpath-path
The path to the r-ldpath script which specifies extra library paths for R versions.
Type: string
Default: r-ldpath
rsession-ld-library-path
Specifies additional LD_LIBRARY_PATHs to use for RStudio Pro Sessions.
Type: string
Default: <empty string>
rsession-config-file
If set, overrides the path to the /etc/rstudio/rsession.conf configuration file. The specified path may be a relative path from the RStudio installation directory, or an absolute path.
Type: string
Default: <empty string>
rsession-proxy-max-wait-secs
The maximum time to wait in seconds for a successful response when proxying requests to rsession.
Type: int
Default: 30
rsession-exec-command
Specifies the wrapper command used when executing the rsession binary.
Type: string
Default: <empty string>
rsession-no-profile
Indicates whether or not to disable user profiles from executing on session start.
Type: bool
Default: 0
rsession-diagnostics-enabled
Indicates whether or not session diagnostic data should be collected. This can be used for troubleshooting issues with session starts.
Type: bool
Default: 0
rsession-diagnostics-dir
Specifies the directory where session diagnostic data should be written.
Type: string
Default: /tmp
rsession-diagnostics-strace-enabled
Indicates whether or not strace data should be included when collecting session diagnostic data.
Type: bool
Default: 0
rsession-diagnostics-libsegfault
Specifies the path to libSegFault.so library which is used for dumping stack trace information when session diagnostics are collected.
Type: string
Default: <empty string>
database Settings
database-config-file
If set, overrides the path to the /etc/rstudio/database.conf configuration file.
Type: string
Default: <empty string>
db-connection-timeout
Specifies the number of seconds to wait for making a new db connection
Type: int
Default: 15
auth Settings
auth-none
If set, disables multi-user authentication. Workbench/Pro features may not work in this mode.
Type: bool
Default: 1 (true) if rserver was run without root privilege, otherwise 0 (false).
auth-validate-users
Indicates whether or not to validate that authenticated users exist on the target system. Disabling this option may cause issues to start or to run a session.
Type: bool
Default: 1 (true) if rserver was run with root privilege, otherwise 0 (false).
auth-stay-signed-in-days
The number of days to keep a user signed in when using the “Stay Signed In” option. Will only take affect when auth-timeout-minutes is 0 (disabled).
Type: int
Default: 30
auth-timeout-minutes
The number of minutes a user will stay logged in while idle before required to sign in again. Set this to 0 (disabled) to enable legacy timeout auth-stay-signed-in-days.
Type: int
Default: 60
auth-encrypt-password
Indicates whether or not to encrypt the password sent from the login form. For security purposes, we strongly recommend you leave this enabled.
Type: bool
Default: 1
auth-login-page-html
The path to a file containing additional HTML customization for the login page.
Type: string
Default: /etc/rstudio/login.html
auth-rdp-login-page-html
The path to a file containing additional HTML customization for the login page, as seen by RDP users.
Type: string
Default: /etc/rstudio/rdplogin.html
auth-required-user-group
Specifies a group that users must be in to be able to use RStudio.
Type: string
Default: <empty string>
auth-minimum-user-id
Specifies a minimum user id value. Users with a uid lower than this value may not use RStudio.
Type: string
Default: auto
auth-pam-require-password-prompt
Indicates whether or not to require the “Password:” prompt before sending the password via PAM. In most cases, this should be enabled. If using a custom PAM password prompt, you may need to disable this setting if PAM logins do not work correctly.
Type: bool
Default: 1
auth-sign-in-throttle-seconds
The minimum amount of time a user must wait before attempting to sign in again after signing out.
Type: int
Default: 5
auth-revocation-list-dir
If set, overrides the path to the directory which contains the revocation list to be used for storing expired tokens. As of Workbench 1.4, this has been moved to database storage, and so this setting is deprecated, but will be used to port over any existing file-based expired tokens.
This option is deprecated and should not be used.
Type: string
Default: <empty string>
auth-stay-signed-in
Indicates whether or not to allow users to stay signed in across browser sessions.
Type: bool
Default: 1
auth-active-timeout-minutes
Specifies a maximum number of minutes for the duration of a user session. After this time expires, the user is logged out regardless of whether they have been active or inactive. A value of 0 indicates that no active timeout is enforced.
Type: int
Default: 0
auth-user-rewrite-rule
Specifies the default rewrite rule for the authentication provider when using Google OAuth, OpenID, SAML, or proxied authentication. The format of a rewrite rule is a regular expression followed by a space and then a replacement string. The replacement string can reference captured parts of the regular expression using $1, $2, etc.
Type: string
Default: <empty string>
auth-google-accounts
Enables/disables authentication via Google accounts.
Type: bool
Default: 0
auth-google-accounts-redirect-base-uri
Specifies an override URI to use instead of the redirect URI detected for Google accounts. This is needed if running behind a proxy without the X-RStudio-Request header.
Type: string
Default: <empty string>
auth-openid
Enables/disables authentication via OpenID SSO.
Type: bool
Default: 0
auth-openid-base-uri
Overrides the detected base URI for the server. This is needed if running behind a proxy without the X-RStudio-Request header.
Type: string
Default: <empty string>
auth-openid-issuer
Specifies the HTTPS URL of the OpenID issuer and the location of ‘/.well-known/open-configuration’
Type: string
Default: <empty string>
auth-openid-scopes
Specifies any additional space-separated scopes required by the OpenID OP to return a username claim.
Type: string
Default: <empty string>
auth-openid-username-claim
Specifies the name of the OpenID claim used to define the username.
Type: string
Default: preferred_username
auth-openid-email-claim
Specifies the name of the OpenID claim used to define the user’s email address. Only used if user-provisioning-register-on-first-login
is enabled.
Type: string
Default: email
auth-openid-name-claim
Specifies the name of the OpenID claim used to define the user’s display name. Only used if user-provisioning-register-on-first-login
is enabled.
Type: string
Default: name
auth-openid-posix-id-claim
Specifies the name of the OpenID claim used to define the user’s POSIX ID. Only used if user-provisioning-register-on-first-login
is enabled.
Type: string
Default: <empty string>
auth-openid-posix-name-claim
Specifies the name of the OpenID claim used to define the user’s POSIX name. Only used if user-provisioning-register-on-first-login
is enabled.
Type: string
Default: <empty string>
auth-openid-homedir-claim
Specifies the name of the OpenID claim used to define the user’s home directory path. Only used if user-provisioning-register-on-first-login
is enabled.
Type: string
Default: <empty string>
auth-saml
Enables/disables authentication via SAML SSO.
Type: bool
Default: 0
auth-saml-metadata-path
Specifies the path to the XML SAML metadata file. Overrides the metadata URL option if present.
Type: string
Default: <empty string>
auth-saml-metadata-url
Specifies the location of the XML SAML metadata on the Identity Provider. Requires back-end connectivity.
Type: string
Default: <empty string>
auth-saml-idp-entity-id
Specifies the entity identifier (name or URI) of the Identity Provider. Only used if no metadata is defined.
Type: string
Default: <empty string>
auth-saml-idp-sso-url
Specifies the endpoint that will receive SSO requests on the Identity Provider. Only used if no metadata is defined.
Type: string
Default: <empty string>
auth-saml-idp-sign-cert-path
Specifies the path to the PEM certificate file for verifying SAML signatures. Only used if no metadata is defined.
Type: string
Default: <empty string>
auth-saml-idp-post-binding
When enabled, uses HTTP POST for SSO. Otherwise, uses an HTTP redirect. This must match the metadata specification if metadata is defined.
Type: bool
Default: 0
auth-saml-sso-initiation
Indicates if only “idp” or “sp” can initiate a SAML SSO sequence. If not defined, both can initiate.
Type: string
Default: <empty string>
auth-saml-sp-base-uri
Overrides the detected base URI for the server. This is needed if running behind a proxy without the X-RStudio-Request header.
Type: string
Default: <empty string>
auth-saml-sp-encryption-key-path
Specifies the path to the PEM file containing the private key for decrypting SAML responses. Also used for request signing if a signing method is defined.
Type: string
Default: <empty string>
auth-saml-sp-encryption-cert-path
Specifies the path to the PEM certificate file for encrypting SAML responses. Also used for request signing if a signing method is defined.
Type: string
Default: <empty string>
auth-saml-sp-signing-key-path
Specifies the path to the PEM file containing the private key for signing SAML requests. Not used if an encryption key is defined.
Type: string
Default: <empty string>
auth-saml-sp-signing-cert-path
Specifies the path to the PEM certificate file for verifying SAML requests signature. Not used if an encryption certificate is defined.
Type: string
Default: <empty string>
auth-saml-sp-request-signing-method
Indicates whether “sha1”, “sha256”, or “sha512” is used to sign SAML requests. If not defined, the SAML requests will not be signed.
Type: string
Default: <empty string>
auth-saml-sp-name-id-format
Requests that the NameID Format be one of “unspecified”, “emailAddress”, “persistent” or “transient”. This must match the metadata specification if metadata is defined.
Type: string
Default: <empty string>
auth-saml-sp-attribute-username
Specifies the name of the attribute in the SAML assertion used to define the username.
Type: string
Default: Username
auth-saml-sp-attribute-email
Specifies the name of the attribute in the SAML assertion used to define the user’s email address. Only used if user-provisioning-register-on-first-login
is enabled.
Type: string
Default: <empty string>
auth-saml-sp-attribute-name
Specifies the name of the attribute in the SAML assertion used to define the user’s display name. Only used if user-provisioning-register-on-first-login
is enabled.
Type: string
Default: <empty string>
auth-saml-sp-attribute-posix-id
Specifies the name of the attribute in the SAML assertion used to define the user’s POSIX ID. Only used if user-provisioning-register-on-first-login
is enabled.
Type: string
Default: <empty string>
auth-saml-sp-attribute-posix-name
Specifies the name of the attribute in the SAML assertion used to define the user’s POSIX name. Only used if user-provisioning-register-on-first-login
is enabled.
Type: string
Default: <empty string>
auth-saml-sp-attribute-homedir
Specifies the name of the attribute in the SAML assertion used to define the user’s home directory path. Only used if user-provisioning-register-on-first-login
is enabled.
Type: string
Default: <empty string>
auth-proxy
Enables/disables authentication via proxy by using a special header field.
Type: bool
Default: 0
auth-proxy-sign-in-url
Specifies the URL of the sign in page for proxied authentication.
Type: string
Default: <empty string>
auth-proxy-sign-out-url
Specifies the optional URL of the sign out page for proxied authentication.
Type: string
Default: <empty string>
auth-proxy-sign-in-delay
Specifies the delay in seconds to show user sign in info when redirecting from the proxy sign in page.
Type: int
Default: 0
auth-proxy-user-header
Specifies the name of the HTTP header that RStudio should read the proxied user identity from.
Type: string
Default: X-RStudio-Username
auth-proxy-user-header-rewrite
Specifies the re-write rule for the auth-proxy-user-header. The format of a re-write rule is a regular expression followed by a space and then a replacement string. The replacement string can reference captured parts of the regular expression using $1, $2, etc.
Type: string
Default: <empty string>
auth-pam-sessions-enabled
Enables or disables PAM sessions when new sessions are started. To enable PAM sessions with launcher-sessions-enabled=1, set auth-pam-sessions-enabled=1 explicitly. In that case, either the auth-pam-sessions-use-password=1 setting must also be enabled or pam_rootok must be available on the session node so workbench can perform the equivalent of the unix command su
to start a session. See the PAM Sessions section of the guide for more info.
Type: bool
Default: 1 - enabled by default unless launcher-sessions-enabled=1
auth-pam-sessions-profile
Specifies the profile to use for PAM sessions.
Type: string
Default: su
auth-pam-sessions-use-password
Indicates whether or not to use passwords when creating PAM sessions. Requires storing of user passwords in memory, though we use industry best-practices for keeping the passwords secure.
Type: bool
Default: 0
auth-pam-sessions-close
Indicates whether or not to close the PAM session when the RStudio Pro Session exits.
Type: bool
Default: 0
workbench-api-enabled
Enable use of the workbench API - that allows user specific api-tokens to enable additional apis to manage that user’s sessions (preview feature - see doc for details).
Type: bool
Default: 0
workbench-api-admin-enabled
Enables used of the workbench API with admin-level tokens. These permit read-only access to user information but do not allow launching of sessions or impersonation of users to modify their information (preview feature - see doc for details).
Type: bool
Default: 0
workbench-api-super-admin-enabled
Enables used of the workbench API with super-admin-level tokens that do permit api tokens that start sessions on the user’s behalf (preview feature - see doc for details)
Type: bool
Default: 0
monitor Settings
monitor-interval-seconds
The interval in seconds at which the monitor is probed for new data.
Type: int
Default: 60
monitor-stderr-enabled
Indicates whether or not to log metrics to stderr.
Type: bool
Default: 0
monitor-rrd-enabled
Indicates whether or not to enable logging of metrics to RRD.
Type: bool
Default: 1
monitor-data-path
Specifies the path where monitor logs and RRD databases should be written.
Type: string
Default: /var/lib/rstudio-server/monitor
monitor-rstudio-session-metrics
Indicates whether or not to collect metrics about session utilization per user.
Type: bool
Default: 1
monitor-rrd-rrdtool-binary
Specifies the path to the rrdtool binary.
Type: string
Default: /usr/bin/rrdtool
monitor-graphite-enabled
Enables/disables logging of metrics to graphite.
Type: bool
Default: 0
monitor-graphite-host
Specifies the host to send graphite metrics to.
Type: string
Default: 127.0.0.1
monitor-graphite-port
Specifies the port to send graphite metrics to.
Type: int
Default: 2003
monitor-graphite-client-id
Specifies the optional client id to include along with graphite metrics.
Type: string
Default: <empty string>
audit-data-path
Specifies the path to where audit data should be stored.
Type: string
Default: /var/lib/rstudio-server/audit
audit-r-console
Specifies the level of console activity that should be audited (none, input, or all).
Type: string
Default: none
audit-r-console-user-limit-months
Specifies the number of months of user console data to retain within the audit directory.
Type: int
Default: 0
audit-r-console-user-limit-mb
Specifies the limit in megabytes on user console actions to retain in the audit log.
Type: int
Default: 50
audit-r-console-compress
Indicates whether or not to compress console audit logs using gzip compression.
Type: bool
Default: 0
audit-r-console-format
Specifies the format to use for the console audit log (csv or json).
Type: string
Default: csv
audit-r-sessions
Indicates whether or not to audit RStudio Pro Session activity.
Type: bool
Default: Enabled if using named user licensing. Disabled otherwise.
audit-r-sessions-limit-months
Specifies the number of months of session action data to retain within the audit directory.
Type: int
Default: 13
audit-r-sessions-limit-mb
Specifies the limit in megabytes on session actions to retain in the audit log.
Type: int
Default: 1024
audit-r-sessions-format
Specifies the format to use for the session audit log (csv or json).
Type: string
Default: csv
metrics Settings
metrics-enabled
Indicates whether or not to enable the prometheus metrics endpoint.
Type: bool
Default: 0
metrics-port
Specifies the port to use for the prometheus metrics endpoint.
Type: int
Default: 8989
metrics-address
Specifies the address to use for the prometheus metrics endpoint. When not present, the value of www-address will be used.
Type: string
Default: <empty string>
metrics-nginx-directives-path
Specifies the path to custom NGINX metrics server directives.
Type: string
Default: The first nginx.metrics-server.conf file that is found on the XDG_CONFIG_DIRS environment, or /etc/rstudio/nginx.metrics-server.conf if no XDG_CONFIG_DIRS are specified.
databricks Settings
databricks-enabled
Whether to enable Databricks integrations, either 1 or 0. The default is ‘auto’, which enables the integrations if there are a non-zero number of Databricks workspaces configured.
Type: string
Default: auto
userProvisioning Settings
user-provisioning-enabled
Enables or disables the auto user provisioning feature of Workbench.
Type: string
Default: 0
user-homedir-path
When user provisioning is enabled, this path will serve as the parent for user home directories.
Type: string
Default: /home
user-provisioning-start-uid
Specifies the minimum value to use when assigning UIDs to newly provisioned users. To avoid conflicts with system user accounts, this value must be greater than or equal to 1000.
Type: int
Default: 1000
user-provisioning-register-on-first-login
When enabled, users are automatically provisioned the first time they log in. Otherwise, users must be provisioned through the SCIM API before they can log in. Requires user-provisioning-enabled=1
. Not supported by all authentication methods.
Type: bool
Default: 0
snowflake Settings
allow-refresh-snowflake-roles
When enabled, allows Workbench to automatically refresh the list of Snowflake roles for a user when they log in.
Type: bool
Default: 1