rserver.conf

The following is a list of available options that can be specified in the rserver.conf configuration file, which controls behavior of Workbench’s rserver process, allowing you to tune HTTP, authorization options, and other settings that broadly affect Posit Workbench.

verify Settings

verify-installation

Runs verification mode to verify the current installation.

Type: bool
Default: 0

verify-user

Specifies the run-as user for additional Job Launcher verification.

Type: string
Default: <empty string>

verify-test

Specifies the verify-installation test to run. Leave empty to run all tests.

Type: string
Default: <empty string>

server Settings

server-working-dir

The default working directory of the rserver process.

Type: string
Default: /

server-user

The user account of the rserver process.

Type: string
Default: rstudio-server

server-daemonize

Indicates whether or not the rserver process should run as a daemon.

Type: bool
Default: 1 (true) if rserver was run with root privilege, otherwise 0 (false).

server-pid-file

The path to a file where the rserver daemon’s pid is written.

Type: string
Default: /var/run/rstudio-server.pid

server-set-umask

If enabled, sets the rserver process umask to 022 on startup, which causes new files to have rw-r-r permissions.

Type: bool
Default: 1

server-data-dir

Path to the data directory where Posit Workbench will write run-time state.

Type: string
Default: /var/run/rstudio-server

server-add-header

Adds a header to all responses from Posit Workbench. This option can be specified multiple times to add multiple headers.

Type: string
Default: <empty string>

server-nginx-path

The relative path from the RStudio installation directory, or absolute path where the NGINX binary is located.

Type: string
Default: bin/rserver-http

server-nginx-conf-template-path

The relative path from the RStudio installation directory, or absolute path where the NGINX config file templates are located.

Type: string
Default: conf

server-nginx-conf-path

Specifies the path to the NGINX config files.

Type: string
Default: /var/lib/rstudio-server/conf

server-nginx-ld-library-path

Specifies the LD_LIBRARY_PATH for the NGINX executable.

Type: string
Default: <empty string>

server-access-log

Indicates whether or not to write HTTP access logs to /var/log/rstudio/rstudio-server.

Type: bool
Default: 0

nginx-error-log-level

Specifies one of crit, error, warn, info, debug (note: debug level requires a debug build of rserver-http - the bundled NGINX executable)

Type: string
Default: warn

server-nginx-http-directives-path

Specifies the path to custom NGINX http directives.

Type: string
Default: The first nginx.http.conf file that is found on the XDG_CONFIG_DIRS environment, or /etc/rstudio/nginx.http.conf if no XDG_CONFIG_DIRS are specified.

server-nginx-server-directives-path

Specifies the path to custom NGINX server directives.

Type: string
Default: The first nginx.server.conf file that is found on the XDG_CONFIG_DIRS environment, or /etc/rstudio/nginx.server.conf if no XDG_CONFIG_DIRS are specified.

server-nginx-site-directives-path

Specifies the path to custom NGINX site directives.

Type: string
Default: The first nginx.site.conf file that is found on the XDG_CONFIG_DIRS environment, or /etc/rstudio/nginx.site.conf if no XDG_CONFIG_DIRS are specified.

server-nginx-worker-connections-path

Specifies the path to custom NGINX worker directives that replace the default options for # of file descriptors, worker_connections, and worker_processes.

Type: string
Default: The first nginx.worker.conf file that is found on the XDG_CONFIG_DIRS environment, or /etc/rstudio/nginx.worker.conf if no XDG_CONFIG_DIRS are specified. If no nginx.worker.conf exists, default values of 1 worker_process, 2048 worker_connections, and 4096 for the nofile rlimit are used.

server-nginx-static-directives-path

Specifies the path to custom NGINX static directives file that replaces the default optimization for offloading static file serving from rserver and rworkspaces.

Type: string
Default: The first nginx.static.conf file that is found on the XDG_CONFIG_DIRS environment, or /etc/rstudio/nginx.static.conf if no XDG_CONFIG_DIRS are specified. If no nginx.static.conf exists, directives are included so that the local NGINX server handles most static file resource without proxying them to rserver.

server-health-check-enabled

Indicates whether or not to allow access to the server health check URL.

Type: bool
Default: 0

server-license-type

Specifies whether to use remote (floating) or local (activation) licensing.

Type: string
Default: local

license-retry-seconds

Specifies the number of seconds to wait between floating license retries.

Type: int
Default:

license-warning-days

Specifies the number of days before the license expiration during which a warning will be shown to the user; set to 0 to disable license warnings.

Type: int
Default: 15

resolve-load-balancer-nodes

Indicates whether or not to resolve IP addresses associated with load balancer nodes; not compatible with SSL unless the IP address is in the CN/SAN.

Type: bool
Default: 0

server-balancer-path

The relative path from the RStudio installation directory, or absolute path where the custom load balancing script is located.

Type: string
Default: bin/rserver-balancer

server-multiple-sessions

Indicates whether or not to allow multiple sessions per user.

Type: bool
Default: 1

r-versions-multiple

Indicates whether or not to allow the use of multiple R versions.

Type: bool
Default: 1

server-user-home-page

Indicates whether or not to show the user home page upon login.

Type: bool
Default: 1

r-versions-scan

Indicates whether or not to scan for available R versions on the system.

Type: bool
Default: 1

modules-bin-path

Specifies the path to modules sh init binary. This is necessary if you intend to load R versions via modules.

Type: string
Default: <empty string>

admin-enabled

Indicates whether or not to allow access to the administration dashboard.

Type: bool
Default: 0

admin-group

Limits admin dashboard access to users belonging to the specified group.

Type: string
Default: <empty string>

admin-superuser-group

Limits admin superusers to those belonging to the specified group.

Type: string
Default: <empty string>

admin-monitor-log-use-server-time-zone

Indicates whether or not to use the server time zone when displaying the monitor log. If disabled, uses UTC.

Type: bool
Default: 0

r-versions-path

Specifies the path to the file containing the list of available R Versions in JSON format. This file will be automatically generated by the rserver process after discovering the R versions available on the system. It is strongly recommended not to modify this setting in most cases.

Type: string
Default: /var/lib/rstudio-server/r-versions

launcher-address

Specifies the address of the Launcher service (local unix domain socket file or IP address).

Type: string
Default: <empty string>

launcher-port

Specifies the port of the Launcher to connect to (if not using a unix domain socket).

Type: string
Default: <empty string>

launcher-use-ssl

Indicates whether or not to use SSL connections when connecting to the Launcher (if not using a unix domain socket).

Type: bool
Default: 0

launcher-verify-ssl-certs

Indicates whether or not to verify the Launcher certificate(s) when using an SSL connection.

Type: bool
Default: 1

launcher-sessions-enabled

Indicates whether or not to use the Launcher for creating sessions.

Type: bool
Default: 0

launcher-default-cluster

Specifies the default cluster to launch jobs on when using the Launcher.

Type: string
Default: <empty string>

launcher-sessions-callback-address

The callback address (hostname, IP address, or HTTP URL) of rserver for Launcher sessions to communicate back.

Type: string
Default: <empty string>

launcher-sessions-callback-verify-ssl-certs

Indicates whether or not to enforce SSL certificate verification of the server when Launcher sessions communicate back via the callback address.

Type: bool
Default: 1

launcher-sessions-callback-timeout

The number of seconds to wait before timing out a connection from a Launcher session to the callback address.

Type: int
Default: 10

launcher-sessions-container-image

Specifies the default container image to use for Launcher sessions. Only applicable for container-based job systems (e.g. Kubernetes).

Type: string
Default: <empty string>

launcher-sessions-container-run-as-root

Indicates whether or not to run the Launcher session containers as root. If not, uses the requesting user’s UID. Only applicable for container-based job systems.

Type: bool
Default: 0

launcher-sessions-create-container-user

Indicates whether or not to create a user for the container’s owner when running Launcher session containers. Only applicable for container-based job systems.

Type: bool
Default: 1

launcher-sessions-connection-timeout-seconds

Specifies the connection timeout in seconds to use when establishing a connection to a Launcher session.

Type: int
Default: 3

launcher-sessions-proxy-timeout-seconds

Specifies the connection timeout in seconds to use for waiting for a launcher job to be running for a normal proxy request.

Type: int
Default: 25

launcher-sessions-clusters

Specifies a comma-separated list of available clusters for launching interactive sessions (or all Launcher clusters if empty).

Type: string
Default: <empty string>

launcher-adhoc-clusters

Specifies a comma-separated list of available clusters for launching ad hoc jobs (or all Launcher clusters if empty).

Type: string
Default: <empty string>

launcher-sessions-container-images

Specifies a comma-separated list of available container images for launching interactive sessions (or all cluster images if empty). Only applicable for container-based job systems.

Type: string
Default: <empty string>

launcher-adhoc-container-images

Specifies a comma-separated list of available container images for launching ad hoc jobs (or all cluster images if empty). Only applicable for container-based job systems.

Type: string
Default: <empty string>

launcher-sessions-forward-container-environment

Used in previous versions to forward environment variables from the Kubernetes container spec to the session. Use the more general-purpose launcher-sessions-forward-environment=0 setting to control this behavior instead.
This option is deprecated and should not be used.

Type: bool
Default: 1

launcher-sessions-container-forward-groups

Indicates whether or not to forward the user’s supplemental groups to the container. Only applicable for container-based job systems.

Type: bool
Default: 1

rstudio-pro-sessions-enabled

Indicates whether or not RStudio Pro Sessions can be started from the homepage.

Type: bool
Default: 1

load-balancing-enabled

Set to 1 to enable server load balancing, 0 to disable. When not set, the presence of the load-balancer configuration file enables server load balancing for compatibility (a warning is issued to make this choice explicit).

Type: string
Default: <empty string>

max-streams-per-user

Set to limit the number of streaming connections an individual user can have open. The oldest one is closed when the limit is surpassed.

Type: int
Default: 3

streaming-connection-timeout-seconds

Specifies a maximum timeout in seconds to allow status stream connections to stay open. Set to 0 to disable stream connection timeout.

Type: int
Default: 300

launcher-sessions-forward-environment

Forward environment variables from the parent Launcher job (i.e. Kubernetes container or Slurm job) to the session.

Type: bool
Default: 1

www Settings

www-address

The network address that Posit Workbench will listen on for incoming connections.

Type: string
Default: 0.0.0.0

www-port

The port that Posit Workbench will bind to while listening for incoming connections. If left empty, the port will be automatically determined based on your SSL settings (443 for SSL, 80 for no SSL).

Type: string
Default: <empty string>

www-root-path

The path prefix added by a proxy to the incoming RStudio URL. This setting is used so Posit Workbench knows what path it is being served from. If running Posit Workbench behind a path-modifying proxy, this should be changed to match the base Posit Workbench URL.

Type: string
Default: Assume the root path '/' if not defined.

www-thread-pool-size

The size of the threadpool from which requests will be serviced. This may be increased to enable more concurrency, but should only be done if the underlying hardware has more than 2 cores. It is recommended to use a value that is <= to the number of hardware cores, or <= to two times the number of hardware cores if the hardware utilizes hyperthreading.

Type: int
Default: 2

www-proxy-localhost

Indicates whether or not to proxy requests to localhost ports over the main server port. This should generally be enabled, and is used to proxy HTTP traffic within a session that belongs to code running within the session (e.g. Shiny or Plumber APIs)

Type: bool
Default: 1

www-verify-user-agent

Indicates whether or not to verify connecting browser user agents to ensure they are compatible with Posit Workbench.

Type: bool
Default: 1

www-same-site

The value of the ‘SameSite’ attribute on the cookies issued by Posit Workbench. Accepted values are ‘none’ or ‘lax’. The value ‘none’ should be used only when RStudio is hosted into an iframe. For compatibility with some browsers (i.e. Safari 12), duplicate cookies will be issued by Posit Workbench when ‘none’ is used.

Type: string
Default: <empty string>

www-frame-origin

Specifies the allowed origin for the iframe hosting RStudio if iframe embedding is enabled.

Type: string
Default: none

www-enable-origin-check

If enabled, cause RStudio to enforce that incoming request origins are from the host domain. This can be added for additional security. See https://cheatsheetseries.owasp.org/cheatsheets/Cross-Site_Request_Forgery_Prevention_Cheat_Sheet.html#verifying-origin-with-standard-headers

Type: bool
Default: 0

www-allow-origin

Specifies an additional origin that requests are allowed from, even if it does not match the host domain. Used if origin checking is enabled. May be specified multiple times for multiple origins.

Type: string
Default: <empty string>

session-use-file-storage

Whether to use the file system to store metadata about the session storage or the internal database. Setting this to false may require special network configuration. See Session storage for more information.

Type: bool
Default: 1

www-stats-monitor-seconds

The time interval in seconds to log info/debug messages with stats on server performance. Set to 0 to disable.

Type: int
Default: 60

ssl-enabled

Enables or disables SSL.

Type: bool
Default: 0

ssl-certificate

Specifies the path to the SSL certificate for Posit Workbench to use.

Type: string
Default: <empty string>

ssl-certificate-key

Specifies the path to the SSL certificate private key.

Type: string
Default: <empty string>

ssl-protocols

Specifies the list of supported SSL protocols separated by a space.

Type: string
Default: TLSv1 TLSv1.1 TLSv1.2

ssl-redirect-http

Indicates whether or not HTTP requests should automatically be redirected to HTTPS.

Type: bool
Default: 1

ssl-hsts

Indicates whether or not to enable Strict Transport Security when SSL is in use.

Type: bool
Default: 1

ssl-hsts-max-age

Specifies the maximum age for Strict Transport Security.

Type: int
Default: 86400

ssl-hsts-include-subdomains

Indicates whether or not to include subdomains in HSTS protection.

Type: bool
Default: 0

session-ssl-enabled

Set to false (0) to disable use of the SSL protocol when communicating with launcher sessions. By default, certificates are auto-generated.

Type: bool
Default: 1

session-ssl-cert

Disables the use of auto-generated per-job certificates for SSL communication between the server and remote sessions. Provides the path to existing cert file on the session host, which must be accessible to the session user.

Type: string
Default: <empty string>

session-ssl-cert-key

Path to cert key file, the private key for SSL communication between server and remote sessions. Required when using session-ssl-cert and must also be accessible on the session host to the owner of the session.

Type: string
Default: <empty string>

session-ssl-cert-authority

Path to a certificate file in PEM format on server host to use for trusting session certs when using session-ssl-cert. This cert will override the default certificate authority for validating self-signed certs or those from a private CA.

Type: string
Default: <empty string>

session-ssl-verify-certs

Set to 0 to disable session cert verification (useful for testing purposes only - do not use in production).

Type: bool
Default: 1

rsession Settings

rsession-which-r

The path to the main R program (e.g. /usr/bin/R). This should be set if no versions are specified in /etc/rstudio/r-versions and the default R installation is not available on the system path.

Type: string
Default: <empty string>

rsession-path

The relative path from the RStudio installation directory, or absolute path to the rsession executable.

Type: string
Default: rsession

rldpath-path

The path to the r-ldpath script which specifies extra library paths for R versions.

Type: string
Default: r-ldpath

rsession-ld-library-path

Specifies additional LD_LIBRARY_PATHs to use for RStudio Pro Sessions.

Type: string
Default: <empty string>

rsession-config-file

If set, overrides the path to the /etc/rstudio/rsession.conf configuration file. The specified path may be a relative path from the RStudio installation directory, or an absolute path.

Type: string
Default: <empty string>

rsession-proxy-max-wait-secs

The maximum time to wait in seconds for a successful response when proxying requests to rsession.

Type: int
Default: 10

rsession-exec-command

Specifies the wrapper command used when executing the rsession binary.

Type: string
Default: <empty string>

rsession-no-profile

Indicates whether or not to disable user profiles from executing on session start.

Type: bool
Default: 0

rsession-diagnostics-enabled

Indicates whether or not session diagnostic data should be collected. This can be used for troubleshooting issues with session starts.

Type: bool
Default: 0

rsession-diagnostics-dir

Specifies the directory where session diagnostic data should be written.

Type: string
Default: /tmp

rsession-diagnostics-strace-enabled

Indicates whether or not strace data should be included when collecting session diagnostic data.

Type: bool
Default: 0

rsession-diagnostics-libsegfault

Specifies the path to libSegFault.so library which is used for dumping stack trace information when session diagnostics are collected.

Type: string
Default: <empty string>

database Settings

database-config-file

If set, overrides the path to the /etc/rstudio/database.conf configuration file.

Type: string
Default: <empty string>

db-connection-timeout

Specifies the number of seconds to wait for making a new db connection

Type: int
Default: 15

auth Settings

auth-none

If set, disables multi-user authentication. Workbench/Pro features may not work in this mode.

Type: bool
Default: 1 (true) if rserver was run without root privilege, otherwise 0 (false).

auth-validate-users

Indicates whether or not to validate that authenticated users exist on the target system. Disabling this option may cause issues to start or to run a session.

Type: bool
Default: 1 (true) if rserver was run with root privilege, otherwise 0 (false).

auth-stay-signed-in-days

The number of days to keep a user signed in when using the “Stay Signed In” option. Will only take affect when auth-timeout-minutes is 0 (disabled).

Type: int
Default: 30

auth-timeout-minutes

The number of minutes a user will stay logged in while idle before required to sign in again. Set this to 0 (disabled) to enable legacy timeout auth-stay-signed-in-days.

Type: int
Default: 60

auth-encrypt-password

Indicates whether or not to encrypt the password sent from the login form. For security purposes, we strongly recommend you leave this enabled.

Type: bool
Default: 1

auth-required-user-group

Specifies a group that users must be in to be able to use RStudio.

Type: string
Default: <empty string>

auth-minimum-user-id

Specifies a minimum user id value. Users with a uid lower than this value may not use RStudio.

Type: string
Default: auto

auth-pam-require-password-prompt

Indicates whether or not to require the “Password:” prompt before sending the password via PAM. In most cases, this should be enabled. If using a custom PAM password prompt, you may need to disable this setting if PAM logins do not work correctly.

Type: bool
Default: 1

auth-revocation-list-dir

If set, overrides the path to the directory which contains the revocation list to be used for storing expired tokens. As of Workbench 1.4, this has been moved to database storage, and so this setting is deprecated, but will be used to port over any existing file-based expired tokens.
This option is deprecated and should not be used.

Type: string
Default: <empty string>

auth-cookies-force-secure

Indicates whether or not auth cookies should be forcefully marked as secure. This should be enabled if running an SSL terminator in front of Posit Workbench. Otherwise, cookies will be marked secure if SSL is configured.

Type: bool
Default: 0

auth-stay-signed-in

Indicates whether or not to allow users to stay signed in across browser sessions.

Type: bool
Default: 1

auth-google-accounts

Enables/disables authentication via Google accounts.

Type: bool
Default: 0

auth-google-accounts-redirect-base-uri

Specifies an override URI to use instead of the redirect URI detected for Google accounts. This is needed if running behind a proxy without the X-RStudio-Request header.

Type: string
Default: <empty string>

auth-openid

Enables/disables authentication via OpenID SSO.

Type: bool
Default: 0

auth-openid-base-uri

Overrides the detected base URI for the server. This is needed if running behind a proxy without the X-RStudio-Request header.

Type: string
Default: <empty string>

auth-openid-issuer

Specifies the HTTPS URL of the OpenID issuer and the location of ‘/.well-known/open-configuration’

Type: string
Default: <empty string>

auth-openid-scopes

Specifies any additional space-separated scopes required by the OpenID OP to return a username claim.

Type: string
Default: <empty string>

auth-openid-username-claim

Specifies the name of the OpenID claim used to define the username.

Type: string
Default: preferred_username

auth-openid-email-claim

Specifies the name of the OpenID claim used to define the user’s email address. Only used if user-provisioning-register-on-first-login is enabled.

Type: string
Default: email

auth-openid-name-claim

Specifies the name of the OpenID claim used to define the user’s display name. Only used if user-provisioning-register-on-first-login is enabled.

Type: string
Default: name

auth-openid-posix-id-claim

Specifies the name of the OpenID claim used to define the user’s POSIX ID. Only used if user-provisioning-register-on-first-login is enabled.

Type: string
Default: <empty string>

auth-openid-posix-name-claim

Specifies the name of the OpenID claim used to define the user’s POSIX name. Only used if user-provisioning-register-on-first-login is enabled.

Type: string
Default: <empty string>

auth-openid-homedir-claim

Specifies the name of the OpenID claim used to define the user’s home directory path. Only used if user-provisioning-register-on-first-login is enabled.

Type: string
Default: <empty string>

auth-saml

Enables/disables authentication via SAML SSO.

Type: bool
Default: 0

auth-saml-metadata-path

Specifies the path to the XML SAML metadata file. Overrides the metadata URL option if present.

Type: string
Default: <empty string>

auth-saml-metadata-url

Specifies the location of the XML SAML metadata on the Identity Provider. Requires back-end connectivity.

Type: string
Default: <empty string>

auth-saml-idp-entity-id

Specifies the entity identifier (name or URI) of the Identity Provider. Only used if no metadata is defined.

Type: string
Default: <empty string>

auth-saml-idp-sso-url

Specifies the endpoint that will receive SSO requests on the Identity Provider. Only used if no metadata is defined.

Type: string
Default: <empty string>

auth-saml-idp-sign-cert-path

Specifies the path to the PEM certificate file for verifying SAML signatures. Only used if no metadata is defined.

Type: string
Default: <empty string>

auth-saml-idp-post-binding

When enabled, uses HTTP POST for SSO. Otherwise, uses an HTTP redirect. This must match the metadata specification if metadata is defined.

Type: bool
Default: 0

auth-saml-sso-initiation

Indicates if only “idp” or “sp” can initiate a SAML SSO sequence. If not defined, both can initiate.

Type: string
Default: <empty string>

auth-saml-sp-base-uri

Overrides the detected base URI for the server. This is needed if running behind a proxy without the X-RStudio-Request header.

Type: string
Default: <empty string>

auth-saml-sp-encryption-key-path

Specifies the path to the PEM file containing the private key for decrypting SAML responses. Also used for request signing if a signing method is defined.

Type: string
Default: <empty string>

auth-saml-sp-encryption-cert-path

Specifies the path to the PEM certificate file for encrypting SAML responses. Also used for request signing if a signing method is defined.

Type: string
Default: <empty string>

auth-saml-sp-signing-key-path

Specifies the path to the PEM file containing the private key for signing SAML requests. Not used if an encryption key is defined.

Type: string
Default: <empty string>

auth-saml-sp-signing-cert-path

Specifies the path to the PEM certificate file for verifying SAML requests signature. Not used if an encryption certificate is defined.

Type: string
Default: <empty string>

auth-saml-sp-request-signing-method

Indicates whether “sha1”, “sha256”, or “sha512” is used to sign SAML requests. If not defined, the SAML requests will not be signed.

Type: string
Default: <empty string>

auth-saml-sp-name-id-format

Requests that the NameID Format be one of “unspecified”, “emailAddress”, “persistent” or “transient”. This must match the metadata specification if metadata is defined.

Type: string
Default: <empty string>

auth-saml-sp-attribute-username

Specifies the name of the attribute in the SAML assertion used to define the user’s username.

Type: string
Default: Username

auth-saml-sp-attribute-email

Specifies the name of the attribute in the SAML assertion used to define the user’s email address. Only used if user-provisioning-register-on-first-login is enabled.

Type: string
Default: <empty string>

auth-saml-sp-attribute-name

Specifies the name of the attribute in the SAML assertion used to define the user’s display name. Only used if user-provisioning-register-on-first-login is enabled.

Type: string
Default: <empty string>

auth-saml-sp-attribute-posix-id

Specifies the name of the attribute in the SAML assertion used to define the user’s POSIX ID. Only used if user-provisioning-register-on-first-login is enabled.

Type: string
Default: <empty string>

auth-saml-sp-attribute-posix-name

Specifies the name of the attribute in the SAML assertion used to define the user’s POSIX name. Only used if user-provisioning-register-on-first-login is enabled.

Type: string
Default: <empty string>

auth-saml-sp-attribute-homedir

Specifies the name of the attribute in the SAML assertion used to define the user’s home directory path. Only used if user-provisioning-register-on-first-login is enabled.

Type: string
Default: <empty string>

auth-proxy

Enables/disables authentication via proxy by using a special header field.

Type: bool
Default: 0

auth-proxy-sign-out-url

Specifies the optional URL of the sign out page for proxied authentication.

Type: string
Default: <empty string>

auth-proxy-user-header

Specifies the name of the HTTP header that RStudio should read the proxied user identity from.

Type: string
Default: X-RStudio-Username

auth-proxy-user-header-rewrite

Specifies the re-write rule for the auth-proxy-user-header. The format of a re-write rule is a regular expression followed by a space and then a replacement string. The replacement string can reference captured parts of the regular expression using $1, $2, etc.

Type: string
Default: <empty string>

auth-pam-sessions-enabled

Enables or disables PAM sessions when new sessions are started. To enable PAM sessions with launcher-sessions-enabled=1, set auth-pam-sessions-enabled=1 explicitly. In that case, either the auth-pam-sessions-use-password=1 setting must also be enabled or pam_rootok must be available on the session node so workbench can perform the equivalent of the unix command su to start a session. See the PAM Sessions section of the guide for more info.

Type: bool
Default: 1 - enabled by default unless launcher-sessions-enabled=1

auth-pam-sessions-profile

Specifies the profile to use for PAM sessions.

Type: string
Default: su

auth-pam-sessions-use-password

Indicates whether or not to use passwords when creating PAM sessions. Requires storing of user passwords in memory, though we use industry best-practices for keeping the passwords secure.

Type: bool
Default: 0

auth-pam-sessions-close

Indicates whether or not to close the PAM session when the RStudio Pro Session exits.

Type: bool
Default: 0

workbench-api-enabled

Enable use of the workbench API - that allows user specific api-tokens to enable additional apis to manage that user’s sessions (preview feature - see doc for details).

Type: bool
Default: 0

workbench-api-admin-enabled

Enables used of the workbench API with admin-level tokens. These permit read-only access to user information but do not allow launching of sessions or impersonation of users to modify their information (preview feature - see doc for details).

Type: bool
Default: 0

workbench-api-super-admin-enabled

Enables used of the workbench API with super-admin-level tokens that do permit api tokens that start sessions on the user’s behalf (preview feature - see doc for details)

Type: bool
Default: 0

monitor Settings

monitor-interval-seconds

The interval in seconds at which the monitor is probed for new data.

Type: int
Default: 60

monitor-stderr-enabled

Indicates whether or not to log metrics to stderr.

Type: bool
Default: 0

monitor-rrd-enabled

Indicates whether or not to enable logging of metrics to RRD.

Type: bool
Default: 1

monitor-data-path

Specifies the path where monitor logs and RRD databases should be written.

Type: string
Default: /var/lib/rstudio-server/monitor

monitor-rstudio-session-metrics

Indicates whether or not to collect metrics about session utilization per user.

Type: bool
Default: 1

monitor-rrd-rrdtool-binary

Specifies the path to the rrdtool binary.

Type: string
Default: /usr/bin/rrdtool

monitor-graphite-enabled

Enables/disables logging of metrics to graphite.

Type: bool
Default: 0

monitor-graphite-host

Specifies the host to send graphite metrics to.

Type: string
Default: 127.0.0.1

monitor-graphite-port

Specifies the port to send graphite metrics to.

Type: int
Default: 2003

monitor-graphite-client-id

Specifies the optional client id to include along with graphite metrics.

Type: string
Default: <empty string>

audit-data-path

Specifies the path to where audit data should be stored.

Type: string
Default: /var/lib/rstudio-server/audit

audit-r-console

Specifies the level of console activity that should be audited (none, input, or all).

Type: string
Default: none

audit-r-console-user-limit-months

Specifies the number of months of user console data to retain within the audit directory.

Type: int
Default: 0

audit-r-console-user-limit-mb

Specifies the limit in megabytes on user console actions to retain in the audit log.

Type: int
Default: 50

audit-r-console-compress

Indicates whether or not to compress console audit logs using gzip compression.

Type: bool
Default: 0

audit-r-console-format

Specifies the format to use for the console audit log (csv or json).

Type: string
Default: csv

audit-r-sessions

Indicates whether or not to audit RStudio Pro Session activity.

Type: bool
Default: Enabled if using named user licensing. Disabled otherwise.

audit-r-sessions-limit-months

Specifies the number of months of session action data to retain within the audit directory.

Type: int
Default: 13

audit-r-sessions-limit-mb

Specifies the limit in megabytes on session actions to retain in the audit log.

Type: int
Default: 1024

audit-r-sessions-format

Specifies the format to use for the session audit log (csv or json).

Type: string
Default: csv

server-shared-storage-path

Specifies the path to the shared storage directory.

Type: string
Default: /var/lib/rstudio-server/shared-storage

metrics Settings

metrics-enabled

Indicates whether or not to enable the prometheus metrics endpoint.

Type: bool
Default: 0

metrics-port

Specifies the port to use for the prometheus metrics endpoint.

Type: int
Default: 8989

metrics-address

Specifies the address to use for the prometheus metrics endpoint. When not present, the value of www-address will be used.

Type: string
Default: <empty string>

metrics-nginx-directives-path

Specifies the path to custom NGINX metrics server directives.

Type: string
Default: The first nginx.metrics-server.conf file that is found on the XDG_CONFIG_DIRS environment, or /etc/rstudio/nginx.metrics-server.conf if no XDG_CONFIG_DIRS are specified.

databricks Settings

databricks-enabled

Whether to enable Databricks integrations, either 1 or 0. The default is ‘auto’, which enables the integrations if there are a non-zero number of Databricks workspaces configured.

Type: string
Default: auto

userProvisioning Settings

user-provisioning-enabled

Enables or disables the auto user provisioning feature of Workbench.

Type: string
Default: 0

user-homedir-path

When user provisioning is enabled, this path will serve as the parent for user home directories.

Type: string
Default: /home

user-provisioning-start-uid

Specifies the minimum value to use when assigning UIDs to newly provisioned users. To avoid conflicts with system user accounts, this value must be greater than or equal to 1000.

Type: int
Default: 1000

user-provisioning-register-on-first-login

When enabled, users are automatically provisioned the first time they log in. Otherwise, users must be provisioned through the SCIM API before they can log in. Requires user-provisioning-enabled=1. Not supported by all authentication methods.

Type: bool
Default: 0

snowflake Settings

allow-refresh-snowflake-roles

When enabled, allows Workbench to automatically refresh the list of Snowflake roles for a user when they log in.

Type: bool
Default: 1