diff --git a/docs/.gitignore b/docs/.gitignore
deleted file mode 100644
index d584946e13..0000000000
--- a/docs/.gitignore
+++ /dev/null
@@ -1,5 +0,0 @@
-hugo/
-grpc_apis/
-mutagen.yml.lock
-helpers/output/*
-services/**/_index.md
diff --git a/docs/Makefile b/docs/Makefile
deleted file mode 100644
index fdb2c1ccce..0000000000
--- a/docs/Makefile
+++ /dev/null
@@ -1,55 +0,0 @@
-SHELL := bash
-
-include ../.bingo/Variables.mk
-
-.PHONY: help
-help:
- @grep -E '^[a-zA-Z0-9_-]+:.*?## .*$$' $(MAKEFILE_LIST) | sort | awk -F'[:;##]' '{printf "\033[36m%-30s\033[0m %s\n", $$2, $$NF}'
-
-.PHONY: docs-generate
-docs-generate: ## run docs-generate for all oCIS services
- @pushd helpers && go run .; popd
-
-.PHONY: docs-init
-docs-init:
- @mkdir -p hugo/content/
- @mkdir -p hugo/public/
- @touch hugo/public/.nojekyll
- @cd hugo && git init
- @cd hugo && git config advice.detachedHead false
- @cd hugo && git remote rm origin || true
- @cd hugo && git remote add origin https://github.com/owncloud/owncloud.github.io
- @cd hugo && git fetch --depth=1
- @cd hugo && git checkout origin/main -f
- @$(MAKE) -C hugo theme
-
-.PHONY: docs-serve
-docs-serve: docs-init docs-generate docs-copy ## serve docs with hugo
- @bash -c "trap 'trap - SIGINT SIGTERM ERR; $(MAKE) --no-print-directory docs-sync-stop; exit 0' SIGINT SIGTERM ERR; $(MAKE) --no-print-directory docs-sync-start && $(MAKE) --no-print-directory hugo-serve"
-
-.PHONY: test
-test: $(HUGO)
- @cd hugo && $(HUGO)
-
-.PHONY: hugo-serve
-hugo-serve: $(HUGO)
- @cd hugo && $(HUGO) server
-
-.PHONY: docs-copy
-docs-copy: docs-init docs-sync-start docs-sync-stop
-
-.PHONY: docs-sync-start
-docs-sync-start: $(MUTAGEN)
- @$(MUTAGEN) project terminate || true
- @$(MUTAGEN) daemon stop || true
- @$(MUTAGEN) project start
- @$(MUTAGEN) project flush
-
-.PHONY: docs-sync-stop
-docs-sync-stop: $(MUTAGEN)
- @$(MUTAGEN) project terminate
- @$(MUTAGEN) daemon stop
-
-.PHONY: clean
-clean: ## clean up docs build artifacts
- @rm -rf hugo
diff --git a/docs/README.md b/docs/README.md
deleted file mode 100644
index 05a5f41b0c..0000000000
--- a/docs/README.md
+++ /dev/null
@@ -1,5 +0,0 @@
-# Documentation
-
-To contribute to documentation please see also: [Documentation](http://owncloud.dev/ocis/development/build-docs/)
-
-Note that when running a helper like `make -C docs docs-generate` locally, you will see the generated output in e.g. docs/services/. When merging a PR, the pipeline will generate the output in the master branch but finally moves it into the `docs` branch. You will therefore _not_ see changes in the docs folder of the master branch!
diff --git a/docs/_index.md b/docs/_index.md
deleted file mode 100644
index bfdbe806ad..0000000000
--- a/docs/_index.md
+++ /dev/null
@@ -1,46 +0,0 @@
----
-title: ownCloud
----
-
-{{< toc >}}
-
-## Admin Documentation
-
-Before you start reading, if you are interested in:
-
-- learning ocis from an admin perspective,
-- different deployment scenarios,
-- deployment examples,
-- detailed settings and more
-
-we would recommend to continue with the [ownCloud Admin Documentation for Infinite Scale](https://doc.owncloud.com/ocis/next/).
-
-## Developer Documentation
-
-Welcome to our developer documentation. Here you find documentation with focus for *developers*:
-
-- [oCIS]({{< ref "./ocis" >}}) server
-- oCIS Services
-- Clients like:
- - [ownCloud Web](https://github.com/owncloud/web) - the new web frontend for oCIS and ownCloud
- - [ownCloud Android app](https://github.com/owncloud/android)
- - [ownCloud iOS app](https://github.com/owncloud/ios-app)
- - [ownCloud Desktop Syncing Client](https://github.com/owncloud/client)
-- Integrations
-
-## We love open source
-
-The oCIS server is Apache v2 licensed.
-The lower storage layer of oCIS is defined by the CS3 APIs and implemented in the REVA project. Our goal is to develop the CS3 APIs to an open standard and collaborate on the open source REVA reference implementation for CS3 APIs.
-
-You can also find all client sources on [GitHub](https://github.com/owncloud/).
-
-## Join the oCIS Community
-
-The [server repository](https://github.com/owncloud/ocis) on [GitHub](https://www.github.com) is a good entry point to the oCIS project. In addition to that there are also ownCloud projects for clients for [iOS](https://github.com/owncloud/ios-app), [Android](https://github.com/owncloud/android), the major [Desktop](https://github.com/owncloud/desktop) platforms and [ownCloud Web](https://github.com/owncloud/web).
-
-To chat about development, [join our public chat](https://talk.owncloud.com/channel/ocis)
-
-If you want to help and improve ownCloud or oCIS, start coding or open issues on GitHub in the related repository.
-
-We are very happy to hear your feedback and ideas!
diff --git a/docs/apis/_index.md b/docs/apis/_index.md
deleted file mode 100644
index f30eff878c..0000000000
--- a/docs/apis/_index.md
+++ /dev/null
@@ -1,53 +0,0 @@
----
-title: APIs
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/apis/
-geekdocFilePath: _index.md
-geekdocCollapseSection: true
----
-
-{{< toc-tree >}}
-
-Infinite Scale provides a large set of different **application programming interfaces (APIs)**. Infinite Scale is built by microservices. That means many calls to "functions" in the code are remote calls.
-
-Basically we have two different API "universes": [HTTP](http) and [gRPC](grpc_apis).
-
-{{< columns >}}
-
-{{< figure src="/ocis/static/http-logo.png" width="70%" alt="Image sourced from https://commons.wikimedia.org/ free of licenses" >}}
-<--->
-
-{{< figure src="/ocis/static/grpc-logo.png" width="70%" alt="Image sourced from https://grpc.io/ under CC 4.0 BY license" >}}
-
-{{< /columns >}}
-
-
-For inter-service-communication we are using mostly gRPC calls because it has some advantages. In the future, clients may decide to use gRPC directly to make use of these advantages.
-
-{{< figure src="/ocis/static/ocis-apis.drawio.svg" class="page-image">}}
-
-## [HTTP](http)
-
-HTTP APIs are mostly used for client <-> server communication. Modern applications are embracing a [RESTful](https://en.wikipedia.org/wiki/Representational_state_transfer) software architecture style. REST APIs are using the HTTP protocol to transfer data between clients and servers. All our clients talk to the Server using HTTP APIs. This has legacy reasons and is well-supported across many platforms and technologies. Infinite Scale uses an [HTTP API gateway](../services/proxy) to route client requests to the correct service.
-
-### OpenAPI
-
-It is best practise to define APIs and their behavior by a spec. We are using the OpenAPI standard for all new APIs. 
The [OpenAPI Specification](https://swagger.io/specification/), previously known as the Swagger Specification, is a specification for a machine-readable interface definition language for describing, producing, consuming and visualizing RESTful web services. Previously part of the Swagger framework, it became a separate project in 2016, overseen by the OpenAPI Initiative, an open-source collaboration project of the Linux Foundation. Swagger and some other tools can generate code, documentation and test cases from interface files.
-
-### RFC
-
-Some APIs have become a de facto standard and are additionally covered by an [RFC](https://en.wikipedia.org/wiki/Request_for_Comments).
-
-## [gRPC](grpc_apis)
-
-In gRPC, a client application can directly call methods on a server application on a different machine as if it was a local object. This makes it easier to create distributed applications based on microservices. In gRPC we can define a service and specify the methods that can be called remotely. A gRPC client has a stub that provides the same methods and types as the server.
-Infinite Scale uses a [gRPC API Gateway](../services/gateway) to route the requests to the correct service.
-
-### Protobuf
-
-gRPC APIs are typically defined by [Protocol buffers](https://developers.google.com/protocol-buffers/docs/overview). The different client and server stubs are created from ``*.proto`` files by code generation tools.
-
-## Versioning
-
-There are different standards for API versioning: Through URL, through request parameter, through custom header and through content negotiation. Ocis uses the versioning by URL concept although this creates a big code footprint. The versioning follows [SemVer](https://semver.org). We update the major version number when breaking changes are needed. Clients can decide which major version they use through the request URL. The specific implementation is documented on each API.
-
diff --git a/docs/apis/grpc_apis/_index.md b/docs/apis/grpc_apis/_index.md
deleted file mode 100644
index 78ea417719..0000000000
--- a/docs/apis/grpc_apis/_index.md
+++ /dev/null
@@ -1,63 +0,0 @@ ---- -title: gRPC -geekdocRepo: https://github.com/owncloud/ocis -geekdocEditPath: edit/master/docs/apis/grpc_apis/ -geekdocFilePath: _index.md -geekdocCollapseSection: true ---- - -{{< toc-tree >}} - -## **R**emote   **P**rocedure   **C**alls - -[gRPC](https://grpc.io) is a modern open source high performance Remote Procedure Call (RPC) framework that can run in any environment. It can efficiently connect services in and across data centers with pluggable support for load balancing, tracing, health checking and authentication. It is also applicable in last mile of distributed computing to connect devices, mobile applications and browsers to backend services. - -## Advantages of gRPC - -{{< columns >}} -### {{< icon "gauge-high" >}}   Performance - -gRPC uses http/2 by default and is faster than REST. When using protocol buffers for encoding, the information comes on and off the wire much faster than JSON. Latency is an important factor in distributed systems. JSON encoding creates a noticeable factor of latency. For distributed systems and high data loads, gRPC can actually make an important difference. Other than that, gRPC supports multiple calls via the same channel and the connections are bidirectional. A single connection can transmit requests and responses at the same time. gRPC keeps connections open to reuse the same connection again which prevents latency and saves bandwidth. - -<---> -### {{< icon "helmet-safety" >}}   Robustness - -gRPC empowers better relationships between clients and servers. The rules of communication are strictly enforced. That is not the case in REST calls, where the client and the server can send and receive anything they like and hopefully the other end understands what to do with it. In gRPC, to make changes to the communication, both client and server need to change accordingly. This prevents mistakes specially in microservice architectures. 
-{{< /columns >}} -{{< columns >}} - -### {{< icon "magnifying-glass-plus" >}}   Debuggability - -gRPC requests are re-using the same context and can be tracked or traced across multiple service boundaries. -This helps to identify slow calls and see what is causing delays. It is possible to cancel requests which cancels -them on all involved services. - -<---> -### {{< icon "boxes-stacked" >}}   Microservices - -gRPC has been evolving and has become the best option for communication between microservices because of its unmatched -performance and its polyglot nature. One of the biggest strengths of microservices is the freedom of programming -languages and technologies. By using gRPC we can leverage all the advantages of strictly enforced communication -standards combined with freedom of choice between different programming languages - whichever would fit best. - -{{< /columns >}} - -{{< hint type=info title="gRPC Advantages" >}} - -- http/2 -- protocol buffers -- reusable connections -- multi language support -{{< /hint >}} - -## CS3 APIs - -{{< figure src="/ocis/static/cs3org.png" >}} - -The [CS3 APIs](https://github.com/cs3org/cs3apis) connect storages and application providers. - -The CS3 APIs follow Google and Uber API design guidelines, specially on error handling and naming convention. You can read more about these -guidelines at https://cloud.google.com/apis/design/ and https://github.com/uber/prototool/blob/dev/style/README.md. - -The CS3 APIs use [Protocol Buffers version 3 (proto3)](https://github.com/protocolbuffers/protobuf) as their -Interface Definition Language (IDL) to define the API interface and the structure of the payload messages. diff --git a/docs/apis/http/_index.md b/docs/apis/http/_index.md deleted file mode 100644 index c64ba1e4a0..0000000000 --- a/docs/apis/http/_index.md +++ /dev/null 
@@ -1,11 +0,0 @@
----
-title: Http
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/apis/http/
-geekdocFilePath: _index.md
-geekdocCollapseSection: true
----
-
-The [Hypertext Transfer Protocol (HTTP)](https://www.rfc-editor.org/rfc/rfc2616) is a stateless application-level protocol for distributed, collaborative, hypertext information systems. HTTP is the foundation of data communication for the World Wide Web, where hypertext documents include hyperlinks to other resources that the user can easily access, for example by a mouse click or by tapping the screen in a web browser.
-
-Development of HTTP was initiated by Tim Berners-Lee at CERN in 1989 and summarized in a simple document describing the behavior of a client and a server using the first HTTP protocol version that was named 0.9. That first version of HTTP protocol soon evolved into a more elaborated version that was the first draft toward a far future version 1.0
diff --git a/docs/apis/http/authorization.md b/docs/apis/http/authorization.md
deleted file mode 100644
index 476d0b283e..0000000000
--- a/docs/apis/http/authorization.md
+++ /dev/null
@@ -1,142 +0,0 @@
----
-title: Authorization
-weight: 40
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/apis/http/
-geekdocFilePath: authorization.md
----
-
-In its default configuration, Infinite Scale supports three authentication methods as outlined on the [OIDC official site](https://openid.net/specs/openid-connect-core-1_0.html#rfc.section.3):
-1. Authorization Code Flow
-2. Implicit Flow
-3. Hybrid Flow
-
-For detailed information on Infinite Scale's support for OpenID Connect (OIDC), please consult the [OIDC section](https://owncloud.dev/ocis/identity-provider/oidc).
-To authenticate a client app using OIDC, both `client_id` and `client_secret` are essential. Infinite Scale does not offer dynamic registration. The required data for the default [ownCloud clients](https://doc.owncloud.com/server/next/admin_manual/configuration/user/oidc/oidc.html#client-ids-secrets-and-redirect-uris) can be found in the link and are availble for the following apps:
-- Desktop
-- Android
-- iOS
-
-While selecting an ownCloud client for authentication, take note of specific limitations such as the `Redirect URI`:
-
-| Source | Redirect URI |
-|------|--------|
-|Android|oc://android.owncloud.com|
-|iOS|oc://ios.owncloud.com|
-|Desktop|http://127.0.0.1
http://localhost | - -In this example, the desktop app's `client_id` and `client_secret` are being used. - -```bash -client_id=xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69 -client_secret=UBntmLjC2yYCeHwsyj73Uwo9TAaecAetRwMw0xYcvNL9yRdLSUi0hUAHfvCHFeFh -``` - -## Authorization Code Flow - -1. Requesting authorization - - To initiate the OIDC Code Flow, you can use tools like curl and a web browser. - The user should be directed to a URL to authenticate and give their consent (bypassing consent is against the standard): - - ```plaintext - https://ocis.test/signin/v1/identifier/_/authorize?client_id=client_id&scope=openid+profile+email+offline_access&response_type=code&redirect_uri=http://path-to-redirect-uri - ``` - - After a successful authentication, the browser will redirect to a URL that looks like this: - - ```plaintext - http://path-to-redirect-uri?code=mfWsjEL0mc8gx0ftF9LFkGb__uFykaBw&scope=openid%20profile%20email%20offline_access&session_state=32b08dd...&state= - ``` - - For the next step extract the code from the URL. - - In the above example, - the code is `mfWsjEL0mc8gx0ftF9LFkGb__uFykaBw` - -2. Requesting an access token - - The next step in the OIDC Code Flow involves an HTTP POST request - to the token endpoint of the **Infinite Scale Identity Server**. - - ```bash - curl -vk -X POST https://ocis.test/konnect/v1/token \ - -d "grant_type=authorization_code" \ - -d "code=3a3PTcO-WWXfN3l1mDN4u7G5PzWFxatU" \ - -d "redirect_uri=http:path-to-redirect-uri" \ - -d "client_id=client_id" \ - -d "client_secret=client_secret" - ``` - - Response looks like this: - ```json - { - "access_token": "eyJhbGciOid...", - "token_type": "Bearer", - "id_token": "eyJhbGciOi...", - "refresh_token": "eyJhbGciOiJ...", - "expires_in": 300 - } - ``` - -3. Refreshing an access token - - If the access token has expired, you can get a new one using the refresh token. 
- ```bash - curl -vk -X POST https://ocis.test/konnect/v1/token \ - -d "grant_type=refresh_token" \ - -d "refresh_token=eyJhbGciOiJ..." \ - -d "redirect_uri=http://path-to-redirect-uri" \ - -d "client_id=client_id" \ - -d "client_secret=client_secret" - ``` - - Response looks like this: - ```json - { - "access_token": "eyJhbGciOi...", - "token_type": "Bearer", - "expires_in": 300 - } - ``` - -## Implicit Code Flow - -When using the implicit flow, tokens are provided in a URI fragment of the redirect URL. -Valid values for the `response_type` request parameter are: - -- token -- id_token token - -{{< hint type=warning title="Important Warning" >}} -If you are using the implicit flow, `nonce` parameter is required in the initial `/authorize` request. -`nonce=pL3UkpAQPZ8bTMGYOmxHY/dQABin8yrqipZ7iN0PY18=` - -bash command to generate cryptographically random value -```bash -openssl rand -base64 32 -``` -{{< /hint >}} - -The user should be directed to a URL to authenticate and give their consent (bypassing consent is against the standard): -```bash -https://ocis.test/signin/v1/identifier/_/authorize?client_id=client_id&scope=openid+profile+email+offline_access&response_type=id_token+token&redirect_uri=http://path-to-redirect-uri&nonce=pL3UkpAQPZ8bTMGYOmxHY/dQABin8yrqipZ7iN0PY18= - ``` - -After a successful authentication, the browser will redirect to a URL that looks like this: -```bash -http://path-to-redirect-uri#access_token=eyJhbGciOiJQUzI...&expires_in=300&id_token=eyJhbGciOiJ...&scope=email%20openid%20profile&session_state=c8a1019f5e054d...&state=&token_type=Bearer -``` - -For the next step, extract the access_token from the URL. -```bash -access_token = 'eyJhbGciOiJQ...' - ``` - -## Hybrid Flow -The Hybrid Flow in OpenID Connect melds features from both the Implicit and Authorization Code flows. It allows clients to directly retrieve certain tokens from the Authorization Endpoint, yet also offers the option to acquire additional tokens from the Token Endpoint. 
-
-The Authorization Server redirects back to the client with appropriate parameters in the response, based on the value of the response_type request parameter:
-- code token
-- code id_token
-- code id_token token
diff --git a/docs/apis/http/graph/_index.md b/docs/apis/http/graph/_index.md
deleted file mode 100644
index cde6f929dc..0000000000
--- a/docs/apis/http/graph/_index.md
+++ /dev/null
@@ -1,72 +0,0 @@
----
-title: "LibreGraph"
-date: 2018-05-02T00:00:00+00:00
-weight: 20
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/apis/http/graph
-geekdocFilePath: _index.md
-geekdocCollapseSection: true
----
-
-The LibreGraph API is a REST Api which is inspired by the [Microsoft Graph API](https://developer.microsoft.com/en-us/graph). It tries to stay compliant with the Microsoft Graph API and aims to be the Next Generation Api in Infinite Scale where we want to support most of the features of the platform.
-The [API specification](https://github.com/owncloud/libre-graph-api) is available in the OpenApi 3 standard and there are generated client and server [SDKs](https://github.com/owncloud/libre-graph-api#clients) available. You can browse the API with the [Swagger UI](https://owncloud.dev/libre-graph-api/).
-
-## Calling the LibreGraph API
-
-```sh
-{HTTP method} https://ocis.url/graph/{version}/{resource}?{query-parameters}
-```
-
-The request component consists of:
-
-| Component | Description |
-|--------------------|-------------------------------------------------------------------------|
-| {HTTP method} | The HTTP method which is used in the request. |
-| {version} | The version of the LibreGraph API used by the client. |
-| {resource} | The LibreGraph Resource which the client is referencing in the request. |
-| {query-parameters} | Optional parameters for the request to customize the response. |
-
-### HTTP methods
-
-| Method | Description |
-|--------|-------------------------------|
-| GET | Read data from a resource. |
-| POST | Create a new resource. |
-| PATCH | Update an existing resource. |
-| PUT | Replace an existing resource. |
-| DELETE | Delete an existing resource. |
-
-The methods `GET` and `DELETE` need no request body. The methods `POST`, `PATCH` and `PUT` require a request body, normally in JSON format to provide the needed values.
-
-### Version
-
-Infinite Scale currently provides the version `v1.0`.
-
-### Resource
-
-A resource could be an entity or a complex type and is usually defined by properties. Entities are always recognizable by an `Id` property. The URL contains the resource which you are interacting with e.g. `/me/drives` or `/groups/{group-id}`.
-
-Each resource could possibly require different permissions. Usually you need permissions on a higher level for creating or updating an existing resource than for reading.
-
-### Query parameters
-
-Query parameters can be OData system query options, or other strings that a method accepts to customize its response.
-
-You can use optional OData system query options to include more or fewer properties than the default response, filter the response for items that match a custom query, or provide additional parameters for a method.
-
-For example, adding the following filter parameter restricts the drives returned to only those with the driveType property of `project`.
-
-```shell
-GET https://ocis.url/graph/v1.0/drives?$filter=driveType eq 'project'
-```
-For more information about OData query options please check the [API specification](https://github.com/owncloud/libre-graph-api) and the provided examples.
-
-### Authorization
-
-For development purposes the examples in the developer documentation use Basic Auth. It is disabled by default and should only be enabled by setting `PROXY_ENABLE_BASIC_AUTH` in [the proxy](../../../services/proxy/configuration/#environment-variables) for development or test instances.
-
-To authenticate with a Bearer token or OpenID Connect access token replace the `-u user:password` Basic Auth option of curl with a `-H 'Authorization: Bearer '` header. A `` can be obtained by copying it from a request in the browser, although it will time out within minutes. 
To automatically refresh the OpenID Connect access token an ssh-agent like solution like [oidc-agent](https://github.com/indigo-dc/oidc-agent) should be used. The graph endpoints that support a preconfigured token can be found in the [API specification](https://github.com/owncloud/libre-graph-api)
-
-## Resources
-
-{{< toc-tree >}}
diff --git a/docs/apis/http/graph/groups.md b/docs/apis/http/graph/groups.md
deleted file mode 100644
index ca2daf45a5..0000000000
--- a/docs/apis/http/graph/groups.md
+++ /dev/null
@@ -1,275 +0,0 @@ ---- -title: Groups -weight: 40 -geekdocRepo: https://github.com/owncloud/ocis -geekdocEditPath: edit/master/docs/apis/http/graph -geekdocFilePath: groups.md ---- - -{{< toc >}} - -## Groups API - -The Groups API is implementing a subset of the functionality of the -[MS Graph Group resource](https://docs.microsoft.com/en-us/graph/api/resources/group?view=graph-rest-1.0) -The JSON representation of a Group as handled by the Groups API looks like this: - -``` -{ - "displayName": "group", - "id": "f0d97060-da16-4b0d-9fa4-d1ec43afc5f1" -} -``` - -Our implementation currently supports two Attributes for a Group: - -| Attribute | Description | -|---------------|-----------------------------------------------------------------------------------------------------------------------------| -| displayName | The groups name | -| id | An unique, stable readonly identifier for the group that stays the same for the whole lifetime of the Group, usually a UUID | - - -### Reading groups - -#### `GET /groups` - -Returns a list of all groups - -Example: - -``` -curl -k 'https://localhost:9200/graph/v1.0/groups' -u user:password - -``` - -Response: - -``` -{ - "value": [ - { - "displayName": "group", - "id": "38580a2e-7018-42ed-aff6-b2af0b4e9790" - }, - { - "displayName": "Example Users", - "id": "7a20f238-8a22-4458-902d-47674c317e5f" - } - ] -} -``` - - -#### `GET /groups?$expand=members` - -Returns a list of all groups including its members - -Example: - -``` -curl -k 'https://localhost:9200/graph/v1.0/groups?$expand=members' -u user:password - -``` - -Response: - -``` -{ - "value": [ - { - "displayName": "group", - "id": "38580a2e-7018-42ed-aff6-b2af0b4e9790", - "members": [ - { - "displayName": "user1", - "id": "2e7b7e23-6c42-4d34-81b0-2bed34e51983", - "mail": "user1@example.org", - "onPremisesSamAccountName": "user1" - }, - { - "displayName": "user2", - "id": "b45c9e35-0d95-4165-96bc-68bff4a316ed", - "mail": "user2@example.org", - "onPremisesSamAccountName": 
"user2" - } - ] - }, - { - "displayName": "Example Users", - "id": "7a20f238-8a22-4458-902d-47674c317e5f", - "members": [ - { - "displayName": "user3", - "id": "026fbfef-79ef-4f5d-887b-9eaf42777239", - "mail": "user3@example.org", - "onPremisesSamAccountName": "user3" - } - ] - } - ] -} -``` - -#### `GET /groups/{groupid}` - -Example: - -``` -curl -k 'https://localhost:9200/graph/v1.0/groups/7a20f238-8a22-4458-902d-47674c317e5f' -u user:password -``` - -Response: - -``` -{ - "displayName": "Example Users", - "id": "7a20f238-8a22-4458-902d-47674c317e5f" -} -``` - -#### `GET /groups/{groupid}?$expand=members` - -Example: - -``` -curl -k 'https://localhost:9200/graph/v1.0/groups/7a20f238-8a22-4458-902d-47674c317e5f?$expand=members' -u user:password -``` - -Response: - -``` -{ - "displayName": "Example Users", - "id": "7a20f238-8a22-4458-902d-47674c317e5f", - "members": [ - { - "displayName": "user3", - "id": "026fbfef-79ef-4f5d-887b-9eaf42777239", - "mail": "user3@example.org", - "onPremisesSamAccountName": "user3" - } - ] -} -``` -### Getting Group Members - -#### `GET /groups/{groupid}/members` - -Returns a list of User objects that are members of a group. - -Example: - -``` -curl -k 'https://localhost:9200/graph/v1.0/groups/7a20f238-8a22-4458-902d-47674c317e5f/members' -u user:password - -``` - -Response: - -``` -[ - { - "displayName": "Test User", - "id": "c54b0588-7157-4521-bb52-c1c8ca84ea71", - "mail": "example@example.org", - "onPremisesSamAccountName": "example" - }, - { - "displayName": "Albert Einstein", - "id": "4c510ada-c86b-4815-8820-42cdf82c3d51", - "mail": "einstein@example.org", - "onPremisesSamAccountName": "einstein" - } -] -``` - -### Creating / Updating Groups - -#### `POST /groups` - -Use this to create a new group. -h -##### Request Body - -Note the missing `"id"` Attribute. 
It will be generated by the server: - -``` -{ - "displayName": "Example Users" -} -``` - -##### Response - -When successful, the response will return the new group including the newly allocated `"id"`: - -``` -{ - "displayName": "Example Users", - "id": "7a20f238-8a22-4458-902d-47674c317e5f" -} -``` - -#### `DELETE /groups/{id}` - -Example: - -``` -curl -k --request DELETE 'https://localhost:9200/graph/v1.0/groups/7a20f238-8a22-4458-902d-47674c317e5f' -u user:password -``` - -When successful the API returns no response body and the HTTP status code 204 (No Content) - -#### `PATCH /groups/{id}` - -Updating attributes of a single group is supposed to be done with a patch request. This is however currently not fully -implemented for our write-enabled backends. The PATCH request can however be used to add multiple members to a group at once. -See below. - -### Adding a single member to a group - -#### `POST /groups/{id}/members/$ref` - -The request body contains a single attribute "`@odata.id`" referencing the new member of the group by URI. Example: - -``` -curl -k --header "Content-Type: application/json" \ - --request POST --data \ - '{ "@odata.id": "https://localhost:9200/graph/v1.0/users/4c510ada-c86b-4815-8820-42cdf82c3d51" }' \ - 'https://localhost:9200/graph/v1.0/groups/7a20f238-8a22-4458-902d-47674c317e5f/members/$ref' -u user:password - -``` - -When successful the API returns no response body and the HTTP status code 204 (No Content) - -### Adding multiple members in a single request - -#### `PATCH /groups/{id}` - -The request body contains the attribute `members@odata.bind` holding a list of URI references for the new members. 
-Example: - -``` -{ - "members@odata.bind": [ - "https://localhost:9200/graph/v1.0/users/4c510ada-c86b-4815-8820-42cdf82c3d51", - "https://localhost:9200/graph/v1.0/users/c54b0588-7157-4521-bb52-c1c8ca84ea71" - ] -} -``` - -When successful the API returns no response body and the HTTP status code 204 (No Content) - -### Removing a member - -#### `DELETE /groups/{groupid}/members/{id}/$ref` - -Example - -``` -curl -k --request DELETE \ - 'https://localhost:9200/graph/v1.0/groups/7a20f238-8a22-4458-902d-47674c317e5f/members/4c510ada-c86b-4815-8820-42cdf82c3d51/$ref' \ - -u user:password -``` - -When successful the API returns no response body and the HTTP status code 204 (No Content) diff --git a/docs/apis/http/graph/permissions.md b/docs/apis/http/graph/permissions.md deleted file mode 100644 index d6c957f107..0000000000 --- a/docs/apis/http/graph/permissions.md +++ /dev/null 
@@ -1,184 +0,0 @@
----
-title: Permissions
-weight: 50
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/apis/http/graph
-geekdocFilePath: permissions.md
----
-
-{{< toc >}}
-
-## Permissions API
-
-The Permissions API is implementing a subset of the functionality of the
-[MS Graph Permission resource](https://learn.microsoft.com/en-us/graph/api/resources/permission?view=graph-rest-1.0).
-
-### Example Permissions
-
-The JSON representation of a Drive, as handled by the Spaces API, looks like this:
-````json
-{
- "@libre.graph.permissions.roles.allowedValues": [
- {
- "id": "b1e2218d-eef8-4d4c-b82d-0f1a1b48f3b5",
- "description": "Allows reading the shared file or folder",
- "displayName": "Viewer",
- "@libre.graph.weight": 1
- },
- {
- "id": "fb6c3e19-e378-47e5-b277-9732f9de6e21",
- "description": "Allows reading and writing the shared file or folder",
- "displayName": "Editor",
- "@libre.graph.weight": 2
- },
- {
- "id": "312c0871-5ef7-4b3a-85b6-0e4074c64049",
- "description": "Allows managing a space",
- "displayName": "Manager",
- "@libre.graph.weight": 3
- },
- {
- "id": "4916f47e-66d5-49bb-9ac9-748ad00334b",
- "description": "Allows creating new files",
- "displayName": "File Drop",
- "@libre.graph.weight": 4
- }
- ],
- "@libre.graph.permissions.actions.allowedValues": [
- "libre.graph/driveItem/basic/read",
- "libre.graph/driveItem/permissions/read",
- "libre.graph/driveItem/upload/create",
- "libre.graph/driveItem/standard/allTasks",
- "libre.graph/driveItem/upload/create"
- ],
- "value": [
- {
- "id": "67445fde-a647-4dd4-b015-fc5dafd2821d",
- "link": {
- "type": "view",
- "webUrl": "https://cloud.example.org/s/fhGBMIkKFEHWysj"
- }
- },
- {
- "id": "34646ab6-be32-43c9-89e6-987e0c237e9b",
- "roles": [
- "b1e2218d-eef8-4d4c-b82d-0f1a1b48f3b5"
- ],
- "grantedToV2": [
- {
- "user": {
- "id": "4c510ada-c86b-4815-8820-42cdf82c3d51",
- "displayName": "Albert Einstein"
- }
- }
- ]
- },
- {
- "id": 
"81d5bad3-3eff-410a-a2ea-eda2d14d4474",
- "roles": [
- "b1e2218d-eef8-4d4c-b82d-0f1a1b48f3b5"
- ],
- "grantedToV2": [
- {
- "user": {
- "id": "4c510ada-c86b-4815-8820-42cdf82c3d51",
- "displayName": "Albert Einstein"
- }
- }
- ]
- },
- {
- "id": "b470677e-a7f5-4304-8ef5-f5056a21fff1",
- "roles": [
- "b1e2218d-eef8-4d4c-b82d-0f1a1b48f3b5"
- ],
- "grantedToV2": [
- {
- "user": {
- "id": "f7fbf8c8-139b-4376-b307-cf0a8c2d0d9c",
- "displayName": "Marie Skłodowska Curie"
- }
- }
- ]
- },
- {
- "id": "453b02be-4ec2-4e7d-b576-09fc153de812",
- "roles": [
- "fb6c3e19-e378-47e5-b277-9732f9de6e21"
- ],
- "grantedToV2": [
- {
- "user": {
- "id": "4c510ada-c86b-4815-8820-42cdf82c3d51",
- "displayName": "Albert Einstein"
- }
- }
- ],
- "expirationDateTime": "2018-07-15T14:00:00.000Z"
- },
- {
- "id": "86765c0d-3905-444a-9b07-76201f8cf7df",
- "roles": [
- "312c0871-5ef7-4b3a-85b6-0e4074c64049"
- ],
- "grantedToV2": [
- {
- "group": {
- "id": "167cbee2-0518-455a-bfb2-031fe0621e5d",
- "displayName": "Philosophy Haters"
- }
- }
- ]
- },
- {
- "id": "c42b5cbd-2d65-42cf-b0b6-fb6d2b762256",
- "grantedToV2": [
- {
- "user": {
- "id": "4c510ada-c86b-4815-8820-42cdf82c3d51",
- "displayName": "Albert Einstein"
- }
- }
- ],
- "@libre.graph.permissions.actions": [
- "libre.graph/driveItem/basic/read",
- "libre.graph/driveItem/path/update"
- ]
- }
- ]
-}
-````
-
-## Creating Share Invitation / Link
-
-### Create a link share `POST /drives/{drive-id}/items/{item-id}/createLink`
-
-https://owncloud.dev/libre-graph-api/#/drives.permissions/CreateLink
-
-### Create a user/group share `POST /drives/{drive-id}/items/{item-id}/invite`
-
-https://owncloud.dev/libre-graph-api/#/drives.permissions/Invite
-
-## Reading Permissions
-
-### List the effective sharing permissions on a driveitem `GET /drives/{drive-id}/items/{item-id}/permissions`
-
-https://owncloud.dev/libre-graph-api/#/drives.permissions/ListPermissions
-
-### List Get sharing permission for a file or folder `GET 
/drives/{drive-id}/items/{item-id}/permissions/{perm-id}`
-
-https://owncloud.dev/libre-graph-api/#/drives.permissions/GetPermission
-
-## Updating Permissions
-
-### Updating sharing permission `POST /drives/{drive-id}/items/{item-id}/permissions/{perm-id}`
-
-https://owncloud.dev/libre-graph-api/#/drives.permissions/UpdatePermission
-
-### Set password of permission `POST /drives/{drive-id}/items/{item-id}/permissions/{perm-id}/setPassword`
-
-https://owncloud.dev/libre-graph-api/#/drives.permissions/SetPermissionPassword
-
-### Deleting permission `DELETE /drives/{drive-id}/items/{item-id}/permissions/{perm-id}`
-
-https://owncloud.dev/libre-graph-api/#/drives.permissions/DeletePermission
\ No newline at end of file
diff --git a/docs/apis/http/graph/role.md b/docs/apis/http/graph/role.md
deleted file mode 100644
index 7355da872a..0000000000
--- a/docs/apis/http/graph/role.md
+++ /dev/null
@@ -1,38 +0,0 @@ ---- -title: Role -weight: 60 -geekdocRepo: https://github.com/owncloud/ocis -geekdocEditPath: edit/master/docs/apis/http/graph -geekdocFilePath: permissions.md ---- - -{{< toc >}} - -## Role API - -The Roles API is implementing a subset of the functionality of the -[MS Graph Role Management](https://learn.microsoft.com/en-us/graph/api/resources/rolemanagement?view=graph-rest-1.0). - -## Role Management - -### List roleDefinitions `GET /v1beta1/roleManagement/permissions/roleDefinitions` - -https://owncloud.dev/libre-graph-api/#/roleManagement/ListPermissionRoleDefinitions - -### Get unifiedRoleDefinition `GET /drives/{drive-id}/items/{item-id}/permissions/{perm-id}` - -https://owncloud.dev/libre-graph-api/#/roleManagement/GetPermissionRoleDefinition - -## Role Assignment - -### Get appRoleAssignments of a user `GET /v1.0/users/{user-id}/appRoleAssignments` - -https://owncloud.dev/libre-graph-api/#/user.appRoleAssignment/user.ListAppRoleAssignments - -### Grant an appRoleAssignment to a user `POST /v1.0/users/{user-id}/appRoleAssignments` - -https://owncloud.dev/libre-graph-api/#/user.appRoleAssignment/user.CreateAppRoleAssignments - -### Delete the appRoleAssignment from a user `DELETE /v1.0/users/{user-id}/appRoleAssignments/{appRoleAssignment-id}` - -https://owncloud.dev/libre-graph-api/#/user.appRoleAssignment/user.DeleteAppRoleAssignments \ No newline at end of file diff --git a/docs/apis/http/graph/spaces.md b/docs/apis/http/graph/spaces.md deleted file mode 100644 index bba134e4b7..0000000000 --- a/docs/apis/http/graph/spaces.md +++ /dev/null 
@@ -1,494 +0,0 @@ ---- -title: Spaces -weight: 20 -geekdocRepo: https://github.com/owncloud/ocis -geekdocEditPath: edit/master/docs/apis/http/graph -geekdocFilePath: spaces.md ---- - -{{< toc >}} - -## Spaces API - -The Spaces API is implementing a subset of the functionality of the -[MS Graph Drives resource](https://learn.microsoft.com/en-us/graph/api/resources/drive?view=graph-rest-1.0). - -### Example Space - -The JSON representation of a Drive, as handled by the Spaces API, looks like this: -````json -{ - "driveAlias": "project/mars", - "driveType": "project", - "id": "storage-users-1$89ad5ad2-5fdb-4877-b8c9-601a9670b925", - "lastModifiedDateTime": "2023-01-24T21:19:26.417055+01:00", - "name": "Mars", - "owner": { - "user": { - "displayName": "", - "id": "89ad5ad2-5fdb-4877-b8c9-601a9670b925" - } - }, - "quota": { - "remaining": 999853685, - "state": "normal", - "total": 1000000000, - "used": 146315 - }, - "root": { - "eTag": "\"910af0061161c42d8d1224df6c4a2527\"", - "id": "storage-users-1$89ad5ad2-5fdb-4877-b8c9-601a9670b925", - "permissions": [ - { - "grantedToIdentities": [ - { - "user": { - "displayName": "Admin", - "id": "some-admin-user-id-0000-000000000000" - } - } - ], - "roles": [ - "manager" - ] - } - ], - "webDavUrl": "https://localhost:9200/dav/spaces/storage-users-1$89ad5ad2-5fdb-4877-b8c9-601a9670b925" - }, - "special": [ - { - "eTag": "\"f97829324f63ce778095334cfeb0097b\"", - "file": { - "mimeType": "image/jpeg" - }, - "id": "storage-users-1$89ad5ad2-5fdb-4877-b8c9-601a9670b925!40171bea-3263-47a8-80ef-0ca20c37f45a", - "lastModifiedDateTime": "2022-02-15T17:11:50.000000496+01:00", - "name": "Mars_iStock-MR1805_20161221.jpeg", - "size": 146250, - "specialFolder": { - "name": "image" - }, - "webDavUrl": "https://localhost:9200/dav/spaces/storage-users-1$89ad5ad2-5fdb-4877-b8c9-601a9670b925%2189ad5ad2-5fdb-4877-b8c9-601a9670b925/.space/Mars_iStock-MR1805_20161221.jpeg" - }, - { - "eTag": "\"ff38b31d8f109a4fbb98ab34499a3379\"", - "file": { - 
"mimeType": "text/markdown" - }, - "id": "storage-users-1$89ad5ad2-5fdb-4877-b8c9-601a9670b925!e2167612-7578-46e2-8ed7-971481037bc1", - "lastModifiedDateTime": "2023-01-24T21:10:23.661841+01:00", - "name": "readme.md", - "size": 65, - "specialFolder": { - "name": "readme" - }, - "webDavUrl": "https://localhost:9200/dav/spaces/storage-users-1$89ad5ad2-5fdb-4877-b8c9-601a9670b925%2189ad5ad2-5fdb-4877-b8c9-601a9670b925/.space/readme.md" - } - ], - "webUrl": "https://localhost:9200/f/storage-users-1$89ad5ad2-5fdb-4877-b8c9-601a9670b925" -} -```` - -## Creating Spaces - -### Create a single space `POST /drives` - -https://owncloud.dev/libre-graph-api/#/drives/CreateDrive - -### Create a space item (Enable sync) `POST /drives/{drive-id}/root/children` - -https://owncloud.dev/libre-graph-api/#/drives.root/CreateDriveItem - -## Reading Spaces - -```shell -GET https://ocis.url/graph/{version}/{me/}drives/?{query-parameters} -``` - -| Component | Description | -|--------------------|------------------------------------------------------------------------------------------------------------------------| -| {version} | The version of the LibreGraph API used by the client. | -| {/me} | The `me` component of the part is optional. If used, you only see spaces where the acting user is a regular member of. | -| {query-parameters} | Optional parameters for the request to customize the response. | - -### List all spaces `GET /drives` - -Returns a list of all available spaces, even ones where the acting user is not a regular member of. You need elevated permissions to do list all spaces. If you don't have the elevated permissions, the result is the same like `GET /me/drives`. - - -{{< hint type=info title="Multiple Administration Personas" >}} - -The ownCloud spaces concept draws a strict line between users which can work with the content of a space and others who have the permission to manage the space. 
A user which is able to manage quota and space metadata does not necessarily need to be able to access the content of a space. - -**Space Admin**\ -There is a global user role "Space Admin" which grants users some global permissions to manage space quota and some space metadata. This Role enables the user also to disable, restore and delete spaces. He cannot manage space members. - -**Space Manager**\ -The "Space Manager" is a user which is a regular member of a space because he has been invited. In addition to being part of a space the user can also manage the memberships of the space. - -{{< /hint >}} - -### List My Spaces `GET /me/drives` - -https://owncloud.dev/libre-graph-api/#/me.drives/ListMyDrives - -## Modifying Spaces - -Modify the properties of a space. You need elevated permissions to execute this request. - -### Set the space quota to 5GB `PATCH /drives/{drive-id}` - -To limit the quota of a space you need to set the `quota.total` value. The API response will give back all actual quota properties. - -````json -{ - "quota": { - "remaining": 5368709120, - "state": "normal", - "total": 5368709120, - "used": 0 - } -} -```` - -| Attribute | Description | -|-----------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| remaining | The remaining disk space in `bytes`. If the quota is not limited, this will show the total available disk space. | -| state | The state of the space in regards to quota usage. This can be used for visual indicators. It can be `normal`(<75%), `nearing`(between 75% and 89%), `critical`(between 90% and 99%) and `exceeded`(100%). | -| total | The space id. The value needs to be a space ID. | -| used | The used disk space in bytes. 
| - -{{< tabs "set-space-quota" >}} -{{< tab "Request" >}} -```shell -curl -L -k -X PATCH 'https://localhost:9200/graph/v1.0/drives/storage-users-1$535aa42d-a3c7-4329-9eba-5ef48fcaa3ff' \ --H 'Content-Type: application/json' \ ---data-raw '{ - "quota": { - "total": 5368709120 - } -}' -``` -{{< /tab >}} -{{< tab "Response - 200 OK" >}} -````json {hl_lines=[17]} -{ - "description": "Marketing team resources", - "driveAlias": "project/marketing", - "driveType": "project", - "id": "storage-users-1$535aa42d-a3c7-4329-9eba-5ef48fcaa3ff", - "lastModifiedDateTime": "2023-01-18T17:13:48.385204589+01:00", - "name": "Marketing", - "owner": { - "user": { - "displayName": "", - "id": "535aa42d-a3c7-4329-9eba-5ef48fcaa3ff" - } - }, - "quota": { - "remaining": 5368709120, - "state": "normal", - "total": 5368709120, - "used": 0 - }, - "root": { - "eTag": "\"f91e56554fd9305db81a93778c0fae96\"", - "id": "storage-users-1$535aa42d-a3c7-4329-9eba-5ef48fcaa3ff", - "permissions": [ - { - "grantedToIdentities": [ - { - "user": { - "displayName": "Admin", - "id": "some-admin-user-id-0000-000000000000" - } - } - ], - "roles": [ - "manager" - ] - } - ], - "webDavUrl": "https://localhost:9200/dav/spaces/storage-users-1$535aa42d-a3c7-4329-9eba-5ef48fcaa3ff" - }, - "webUrl": "https://localhost:9200/f/storage-users-1$535aa42d-a3c7-4329-9eba-5ef48fcaa3ff" -} -```` -{{< /tab >}} -{{< /tabs >}} - -### Change the space name, subtitle and alias `PATCH /drives/{drive-id}` - -You can change multiple space properties in one request as long as you submit a valid JSON body. Please be aware that some properties need different permissions. 
- -{{< tabs "change-space-props" >}} -{{< tab "Request" >}} -```shell -curl -L -k -X PATCH 'https://localhost:9200/graph/v1.0/drives/storage-users-1$535aa42d-a3c7-4329-9eba-5ef48fcaa3ff' \ --H 'Content-Type: application/json' \ ---data-raw '{ - "name": "Mars", - "description": "Mission to mars", - "driveAlias": "project/mission-to-mars" -}' -``` -{{< /tab >}} - -{{< tab "Response - 200 OK" >}} -````json {hl_lines=[2,3,7]} -{ - "description": "Mission to mars", - "driveAlias": "project/mission-to-mars", - "driveType": "project", - "id": "storage-users-1$535aa42d-a3c7-4329-9eba-5ef48fcaa3ff", - "lastModifiedDateTime": "2023-01-19T14:17:36.094283+01:00", - "name": "Mars", - "owner": { - "user": { - "displayName": "", - "id": "535aa42d-a3c7-4329-9eba-5ef48fcaa3ff" - } - }, - "quota": { - "remaining": 15, - "state": "normal", - "total": 15, - "used": 0 - }, - "root": { - "eTag": "\"f5fee4fdfeedd6f98956500779eee15e\"", - "id": "storage-users-1$535aa42d-a3c7-4329-9eba-5ef48fcaa3ff", - "permissions": [ - { - "grantedToIdentities": [ - { - "user": { - "displayName": "Admin", - "id": "some-admin-user-id-0000-000000000000" - } - } - ], - "roles": [ - "manager" - ] - } - ], - "webDavUrl": "https://localhost:9200/dav/spaces/storage-users-1$535aa42d-a3c7-4329-9eba-5ef48fcaa3ff" - }, - "webUrl": "https://localhost:9200/f/storage-users-1$535aa42d-a3c7-4329-9eba-5ef48fcaa3ff" -} -```` -{{< /tab >}} -{{< /tabs >}} - -## Disabling / Deleting Spaces - -### Disable a space `DELETE /drives/{drive-id}` - -This operation will make the space content unavailable for all space members. No data will be deleted. - -{{< tabs "disable-space" >}} -{{< tab "Request" >}} -```shell -curl -L -k -X DELETE 'https://localhost:9200/graph/v1.0/drives/storage-users-1$535aa42d-a3c7-4329-9eba-5ef48fcaa3ff/' -``` -{{< /tab >}} - -{{< tab "Response - 204 No Content" >}} - -This response has no body value. - -A disabled space will appear in listings with a `root.deleted.state=trashed` property. 
The space description and the space image will not be readable anymore. - -```json {hl_lines=[18,19,20]} -{ - "description": "Marketing team resources", - "driveAlias": "project/marketing", - "driveType": "project", - "id": "storage-users-1$535aa42d-a3c7-4329-9eba-5ef48fcaa3ff", - "lastModifiedDateTime": "2023-01-19T14:17:36.094283+01:00", - "name": "Marketing", - "owner": { - "user": { - "displayName": "", - "id": "535aa42d-a3c7-4329-9eba-5ef48fcaa3ff" - } - }, - "quota": { - "total": 15 - }, - "root": { - "deleted": { - "state": "trashed" - }, - "eTag": "\"f5fee4fdfeedd6f98956500779eee15e\"", - "id": "storage-users-1$535aa42d-a3c7-4329-9eba-5ef48fcaa3ff", - "permissions": [ - { - "grantedToIdentities": [ - { - "user": { - "displayName": "Admin", - "id": "some-admin-user-id-0000-000000000000" - } - } - ], - "roles": [ - "manager" - ] - } - ], - "webDavUrl": "https://localhost:9200/dav/spaces/storage-users-1$535aa42d-a3c7-4329-9eba-5ef48fcaa3ff" - }, - "webUrl": "https://localhost:9200/f/storage-users-1$535aa42d-a3c7-4329-9eba-5ef48fcaa3ff" -} -``` - -{{< /tab >}} -{{< /tabs >}} - -### Restore a space `PATCH /drives/{drive-id}` - -This operation will make the space content available again to all members. No content will be changed. - -To restore a space, the Header `Restore: T` needs to be set. -{{< tabs "restore-space" >}} -{{< tab "Request" >}} - -```shell -curl -L -X PATCH 'https://localhost:9200/graph/v1.0/drives/storage-users-1$535aa42d-a3c7-4329-9eba-5ef48fcaa3ff/' \ --H 'Restore: T' \ --H 'Content-Type: text/plain' \ ---data-raw '{}' -``` - -{{< hint type=info title="Body value" >}} - -This request needs an empty body (--data-raw '{}') to fulfil the standard libregraph specification even when the body is not needed. 
- -{{< /hint >}} -{{< /tab >}} - -{{< tab "Response - 200 OK" >}} - -```json -{ - "description": "Marketing team resources", - "driveAlias": "project/marketing", - "driveType": "project", - "id": "storage-users-1$535aa42d-a3c7-4329-9eba-5ef48fcaa3ff", - "lastModifiedDateTime": "2023-01-19T14:17:36.094283+01:00", - "name": "Marketing", - "owner": { - "user": { - "displayName": "", - "id": "535aa42d-a3c7-4329-9eba-5ef48fcaa3ff" - } - }, - "quota": { - "remaining": 15, - "state": "normal", - "total": 15, - "used": 0 - }, - "root": { - "eTag": "\"f5fee4fdfeedd6f98956500779eee15e\"", - "id": "storage-users-1$535aa42d-a3c7-4329-9eba-5ef48fcaa3ff", - "permissions": [ - { - "grantedToIdentities": [ - { - "user": { - "displayName": "Admin", - "id": "some-admin-user-id-0000-000000000000" - } - } - ], - "roles": [ - "manager" - ] - } - ], - "webDavUrl": "https://localhost:9200/dav/spaces/storage-users-1$535aa42d-a3c7-4329-9eba-5ef48fcaa3ff" - }, - "webUrl": "https://localhost:9200/f/storage-users-1$535aa42d-a3c7-4329-9eba-5ef48fcaa3ff" -} -``` - -{{< /tab >}} -{{< /tabs >}} - -### Permanently delete a space `DELETE /drives/{drive-id}` - -This operation will delete a space and all its data permanently. This is restricted to spaces which are already disabled. - -To delete a space, the Header `Purge: T` needs to be set. - -{{< tabs "delete-space" >}} -{{< tab "Request" >}} - -```shell {hl_lines=[2]} -curl -L -X DELETE 'https://localhost:9200/graph/v1.0/drives/storage-users-1$535aa42d-a3c7-4329-9eba-5ef48fcaa3ff' \ --H 'Purge: T' -``` - -{{< hint type=warning title="Data will be deleted" >}} - -This request will delete a space and all its content permanently. This operation cannot be reverted. - -{{< /hint >}} - -{{< /tab >}} -{{< tab "Response - 204 No Content" >}} - -This response has no body value. - -{{< /tab >}} -{{< tab "Response - 400 Bad Request" >}} - -The space to be deleted was not disabled before. 
- -```json -{ - "error": { - "code": "invalidRequest", - "innererror": { - "date": "2023-01-24T19:57:19Z", - "request-id": "f62af40f-bc18-475e-acd7-e9008d6bd326" - }, - "message": "error: bad request: can't purge enabled space" - } -} -``` -{{< /tab >}} -{{< /tabs >}} - -## Sharing Space - -### Add member to space `POST /drives/{drive-id}/root/invite` - -https://owncloud.dev/libre-graph-api/#/drives.permissions/Invite - -### Sharing space as a link `POST /drives/{drive-id}/root/createLink` - -https://owncloud.dev/libre-graph-api/#/drives.root/CreateLinkSpaceRoot - -## Reading Space Permissions - -### Listing permissions of a space `GET /drives/{drive-id}/root/permissions` - -https://owncloud.dev/libre-graph-api/#/drives.root/ListPermissionsSpaceRoot - -## Modifying / Deleting Space Permissions - -### Update permissions of a drive `PATCH /drives/{drive-id}/root/permissions/{perm-id}` - -https://owncloud.dev/libre-graph-api/#/drives.root/UpdatePermissionSpaceRoot - -### Set password of a link share `POST /drives/{drive-id}/root/permissions/{perm-id}/setPassword` - -https://owncloud.dev/libre-graph-api/#/drives.root/SetPermissionPasswordSpaceRoot - -### Removing acess to a space `DELETE /drives/{drive-id}/root/permissions/{perm-id}` - -https://owncloud.dev/libre-graph-api/#/drives.root/DeletePermissionSpaceRoot diff --git a/docs/apis/http/graph/users.md b/docs/apis/http/graph/users.md deleted file mode 100644 index 84cb5d0eb5..0000000000 --- a/docs/apis/http/graph/users.md +++ /dev/null 
@@ -1,270 +0,0 @@ ---- -title: Users -weight: 30 -geekdocRepo: https://github.com/owncloud/ocis -geekdocEditPath: edit/master/docs/apis/http/graph -geekdocFilePath: users.md ---- - -{{< toc >}} - -## Users API - -The Users API is implementing a subset of the functionality of the -[MS Graph User resource](https://docs.microsoft.com/en-us/graph/api/resources/user?view=graph-rest-1.0) -The JSON representation of a User handled by the Users API looks like this: - -``` -{ - "displayName": "Albert Einstein", - "id": "4c510ada-c86b-4815-8820-42cdf82c3d51", - "mail": "einstein@example.org", - "onPremisesSamAccountName": "einstein" -} -``` - -Our implementation currently supports only a limited set of Attributes of Users: - -| Attribute | Description | -|---------------|---------------------------------------------------------------------------------------------------------------------------| -| displayName | The full name of the user, usually a combination of given name and last name | -| mail | The user's email address | -| onPremisesSamAccountName | The loginname/account name of the user | -| id | An unique, stable readonly identifier for the user that stays the same for the whole lifetime of the User, usually a UUID | -| passwordProfile | Contains the password of the users. This is only present when updating or creating users. 
It is never returned by the API | - - -### Reading users - -#### `GET /me` - -Returns the user object of the currently signed-in user - -Example: -``` -curl -k 'https://localhost:9200/graph/v1.0/me' -u user:password -``` - -Response: -``` -{ - "displayName": "Albert Einstein", - "id": "4c510ada-c86b-4815-8820-42cdf82c3d51", - "mail": "einstein@example.org", - "onPremisesSamAccountName": "einstein" -} -``` - -#### `GET /users` - -Returns a list of all users - -Example: - -``` -curl -k 'https://localhost:9200/graph/v1.0/users' -u user:password - -``` - -Response: - -``` -{ - "value": [ - { - "displayName": "Albert Einstein", - "id": "4c510ada-c86b-4815-8820-42cdf82c3d51", - "mail": "einstein@example.org", - "onPremisesSamAccountName": "einstein" - }, - { - "displayName": "Maurice Moss", - "id": "058bff95-6708-4fe5-91e4-9ea3d377588b", - "mail": "moss@example.org", - "onPremisesSamAccountName": "moss" - } - ] -} -``` - -#### `GET /users?$expand=memberOf` - -Returns a list of all users - -Example: - -``` -curl -k 'https://localhost:9200/graph/v1.0/users?$expand=memberOf' -u user:password - -``` - -Response: - -``` -{ - "value": [ - { - "displayName": "Albert Einstein", - "id": "4c510ada-c86b-4815-8820-42cdf82c3d51", - "mail": "einstein@example.org", - "onPremisesSamAccountName": "einstein", - "memberOf": [ - { - "displayName": "users", - "id": "509a9dcd-bb37-4f4f-a01a-19dca27d9cfa" - }, - { - "displayName": "sailing-lovers", - "id": "6040aa17-9c64-4fef-9bd0-77234d71bad0" - }, - { - "displayName": "violin-haters", - "id": "dd58e5ec-842e-498b-8800-61f2ec6f911f" - }, - { - "displayName": "physics-lovers", - "id": "262982c1-2362-4afa-bfdf-8cbfef64a06e" - } - ], - }, - { - "displayName": "Maurice Moss", - "id": "058bff95-6708-4fe5-91e4-9ea3d377588b", - "mail": "moss@example.org", - "onPremisesSamAccountName": "moss", - "memberOf": [ - { - "displayName": "users", - "id": "509a9dcd-bb37-4f4f-a01a-19dca27d9cfa" - } - ], - } - ] -} -``` - -#### `GET /users/{userid or 
accountname}` - -Example: - -``` -curl -k 'https://localhost:9200/graph/v1.0/users/058bff95-6708-4fe5-91e4-9ea3d377588b' -u user:password -``` - -Response: - -``` -{ - "displayName": "Maurice Moss", - "id": "058bff95-6708-4fe5-91e4-9ea3d377588b", - "mail": "moss@example.org", - "onPremisesSamAccountName": "moss" -} -``` - -#### `GET /users/{userid or accountname}?$expand=memberOf` - -Example: - -``` -curl -k 'https://localhost:9200/graph/v1.0/users/058bff95-6708-4fe5-91e4-9ea3d377588b?$expand=memberOf' -u user:password -``` - -Response: - -``` -{ - "displayName": "Maurice Moss", - "id": "058bff95-6708-4fe5-91e4-9ea3d377588b", - "mail": "moss@example.org", - "onPremisesSamAccountName": "moss", - "memberOf": [ - { - "displayName": "users", - "id": "509a9dcd-bb37-4f4f-a01a-19dca27d9cfa" - } - ], -} -``` - -### Creating / Updating Users - -#### `POST /users` - -Use this to create a new user. - -##### Request Body - -Note the missing `"id"` Attribute. It will be generated by the server: - -``` -{ - "displayName": "Example User", - "mail": "example@example.org", - "onPremisesSamAccountName": "example", - "passwordProfile": { - "password": "ThePassword" - } -} -``` - -##### Response - -When successful, the response will return the new user, without the password, but including the newly allocated `"id"`: - -``` -{ - "displayName":"Example User", - "id":"c067b139-c91c-4e47-8be6-669156a0587b", - "mail":"example@example.org", - "onPremisesSamAccountName":"example" -} -``` - -#### `DELETE /users/{id}` - -Example: - -``` -curl -k --request DELETE 'https://localhost:9200/graph/v1.0/users/c067b139-c91c-4e47-8be6-669156a0587b' -u user:password -``` - -When successful the API returns no response body and the HTTP status code 204 (No Content) - - -#### `PATCH /users/{id}` - -Updating attributes of a single user can be done with a patch request. The Request Body contains the new values of the attributes -to be updated. E.g. 
to update the `displayName` Attribute: - -``` - curl -k --header "Content-Type: application/json" \ - --request PATCH --data '{"displayName": "Test User" }' \ - 'https://localhost:9200/graph/v1.0/users/c54b0588-7157-4521-bb52-c1c8ca84ea71' -u user:password -``` - -Similar to creating a user via `POST`, the `PATCH` request will return the user object containing the new attribute values. - -### Change password - -#### `POST /me/changePassword` - -Users can change their own password by sending a POST request to `/me/changePassword` - -##### Request Body - -``` -{ - "currentPassword": "current", - "newPassword": "new" -} - -``` - -When successful the API returns no response body and the HTTP status code 204 (No Content) - -``` - curl -i -k --header "Content-Type: application/json" \ - --request POST --data '{"currentPassword": "current", "newPassword": "new" }' \ - 'https://localhost:9200/graph/v1.0/me/changePassword' -u user:current -``` diff --git a/docs/apis/http/tus_upload.md b/docs/apis/http/tus_upload.md deleted file mode 100644 index c15f3e5bc7..0000000000 --- a/docs/apis/http/tus_upload.md +++ /dev/null 
@@ -1,249 +0,0 @@ ---- -title: "Resumable Upload" -date: 2023-10-10T00:00:00+00:00 -weight: 21 -geekdocRepo: https://github.com/owncloud/ocis -geekdocEditPath: edit/master/docs/apis/http -geekdocFilePath: tus_upload.md -geekdocCollapseSection: true ---- - -Infinite Scale supports the tus resumable-upload protocol, which is a robust, modular, and open protocol designed to resume large file uploads reliably over HTTP. -In situations where file uploads might be interrupted due to network issues, browser crashes, or other unforeseen interruptions, -tus ensures that uploads can be resumed from the point of failure without losing data. -This documentation shows some basic examples, refer [tus official site](https://tus.io/protocols/resumable-upload) for more details. - -## Supported tus Features - -The backend announces certain tus features to clients. WebDAV responses come with tus HTTP headers for the offical tus features, and additional, ownCloud specific features are announced via the capabilities endpoint (e.g. `https://localhost:9200/ocs/v1.php/cloud/capabilities?format=json`). - -The following snippet shows the relevant part of the server capabilities of Infinite Scale that concerns the tus upload: -```json -{ - "ocs": { - "data": { - "capabilities": { - "files": { - "tus_support": { - "version": "1.0.0", - "resumable": "1.0.0", - "extension": "creation,creation-with-upload", - "max_chunk_size": 10000000, - "http_method_override": "" - } - } - } - } - } - } -} -``` - -| Parameter | Environment Variable | Default Value | Description | -| -------------- | ------------------------------ | ------------- | ------------------------------------------------------------------- | -| max_chunk_size | FRONTEND_UPLOAD_MAX_CHUNK_SIZE | 10000000 | Announces the max chunk sizes in bytes for uploads via the clients. | - -## Upload in Chunks - -### Create an Upload URL - -The client must send a POST request against a known upload creation URL to request a new upload resource. 
-The filename has to be provided in base64-encoded format. - -Example: -```shell -# base64 encoded filename 'tustest.txt' is 'dHVzdGVzdC50eHQ=' -echo -n 'tustest.txt' | base64 -``` - -{{< tabs "create-upload-url" >}} -{{< tab "Request" >}} -```shell -curl -ks -XPOST https://ocis.test/remote.php/dav/spaces/8d72036d-14a5-490f-889e-414064156402$196ac304-7b88-44ce-a4db-c4becef0d2e0 \ --H "Authorization: Bearer eyJhbGciOiJQUzI..."\ --H "Tus-Resumable: 1.0.0" \ --H "Upload-Length: 10" \ --H "Upload-Metadata: filename dHVzdGVzdC50eHQ=" -``` -{{< /tab >}} - -{{< tab "Response - 201 Created" >}} -``` -< HTTP/1.1 201 Created -< Access-Control-Allow-Headers: Tus-Resumable, Upload-Length, Upload-Metadata, If-Match -< Access-Control-Allow-Origin: * -< Access-Control-Expose-Headers: Tus-Resumable, Upload-Offset, Location -< Content-Length: 0 -< Content-Security-Policy: default-src 'none'; -< Date: Mon, 16 Oct 2023 08:49:39 GMT -< Location: https://ocis.test/data/eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJyZXZhIiwiZXhwIjoxNjk3NTMyNTc5LCJpYXQiOjE2OTc0NDYxNzksInRhcmdldCI6Imh0dHA6Ly9sb2NhbGhvc3Q6OTE1OC9kYXRhL3R1cy8zYTU3ZWZlMS04MzE0LTQ4MGEtOWY5Ny04N2Q1YzBjYTJhMTgifQ.FbrlY7mdOfsbFgMrP8OtcHlCEq72a2ZVnPD2iBo9MfM -< Tus-Extension: creation,creation-with-upload,checksum,expiration -< Tus-Resumable: 1.0.0 -< Vary: Origin -< X-Content-Type-Options: nosniff -< X-Download-Options: noopen -< X-Frame-Options: SAMEORIGIN -< X-Permitted-Cross-Domain-Policies: none -< X-Request-Id: xxxxxxxxxxxxxxxxxxxxxx -< X-Robots-Tag: none -< X-Xss-Protection: 1; mode=block -< -* Connection #0 to host localhost left intact -``` -{{< /tab >}} -{{< /tabs >}} - -The server will return a temporary upload URL in the location header of the response: -``` -< Location: 
https://ocis.test/data/eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJyZXZhIiwiZXhwIjoxNjk3NTMyNTc5LCJpYXQiOjE2OTc0NDYxNzksInRhcmdldCI6Imh0dHA6Ly9sb2NhbGhvc3Q6OTE1OC9kYXRhL3R1cy8zYTU3ZWZlMS04MzE0LTQ4MGEtOWY5Ny04N2Q1YzBjYTJhMTgifQ.FbrlY7mdOfsbFgMrP8OtcHlCEq72a2ZVnPD2iBo9MfM -``` - -### Upload the First Chunk - -Once a temporary upload URL has been created, a client can send a PATCH request to upload a file. The file content should be sent in the body of the request: -{{< tabs "upload-the-first-chunk" >}} -{{< tab "Request" >}} -```shell -curl -ks -XPATCH https://temporary-upload-url \ --H "Authorization: Bearer eyJhbGciOiJQUzI..." \ --H "Tus-Resumable: 1.0.0" \ --H "Upload-Offset: 0" \ --H "Content-Type: application/offset+octet-stream" -d "01234" -``` -{{< /tab >}} - -{{< tab "Response - 204 No Content" >}} -``` -< HTTP/1.1 204 No Content -< Date: Tue, 17 Oct 2023 04:10:52 GMT -< Oc-Fileid: 8d72036d-14a5-490f-889e-414064156402$73bb5450-816b-4cae-90aa-1f96adc95bd4!84e319e4-de1d-4dd8-bbd0-e51d933cdbcd -< Tus-Resumable: 1.0.0 -< Upload-Expires: 1697602157 -< Upload-Offset: 5 -< Vary: Origin -< X-Content-Type-Options: nosniff -< X-Request-Id: xxxxxxxxxxxxxxxxxxxxxx -< -* Connection #0 to host localhost left intact -``` -{{< /tab >}} -{{< /tabs >}} - -### Upload Further Chunks - -After the first chunk is uploaded, the second chunk can be uploaded by pointing `Upload-Offset` to exact position that was returned in the first response. -Upload process will not be marked as complete until the total uploaded content size matches the `Upload-Length` specified during the creation of the temporary URL. - -{{< tabs "upload-the-second-chunk" >}} -{{< tab "Request" >}} -```shell -curl -ks -XPATCH https://temporary-upload-url \ --H "Authorization: Bearer eyJhbGciOiJQUzI..." 
\ --H "Tus-Resumable: 1.0.0" \ --H "Upload-Offset: 5" \ --H "Content-Type: application/offset+octet-stream" -d "56789" -``` -{{< /tab >}} - -{{< tab "Response - 204 No Content" >}} -``` -< HTTP/1.1 204 No Content -< Date: Tue, 17 Oct 2023 04:11:00 GMT -< Oc-Fileid: 8d72036d-14a5-490f-889e-414064156402$73bb5450-816b-4cae-90aa-1f96adc95bd4!84e319e4-de1d-4dd8-bbd0-e51d933cdbcd -< Tus-Resumable: 1.0.0 -< Upload-Expires: 1697602157 -< Upload-Offset: 10 -< Vary: Origin -< X-Content-Type-Options: nosniff -< X-Request-Id: xxxxxxxxxxxxxxxxxxxxxx -< -* Connection #0 to host localhost left intact -``` -{{< /tab >}} -{{< /tabs >}} -{{< hint type=warning title="Important Warning" >}} -`Upload-Offset` header indicates the byte position in the target file where the server should start writing the upload content. -It ensures data integrity and order during the upload process. -{{< /hint >}} - -## Creation with Upload - -{{< tabs "creation-with-upload" >}} -{{< tab "Request" >}} -```shell -curl -ks -XPOST https://ocis.test/remote.php/dav/spaces/{space-id} \ --H "Authorization: Bearer eyJhbGciOiJQUzI..." 
\ --H "Tus-Resumable: 1.0.0" \ --H "Upload-Length: 14" \ --H "Content-Type: application/offset+octet-stream" \ --H "Upload-Metadata: filename dGVzdC50eHQ=" \ --H "Tus-Extension: creation-with-upload" \ --d "upload content" -``` -{{< /tab >}} - -{{< tab "Response - 201 Created" >}} -```shell -< HTTP/1.1 201 Created -< Access-Control-Allow-Headers: Tus-Resumable, Upload-Length, Upload-Metadata, If-Match -< Access-Control-Allow-Origin: * -< Access-Control-Expose-Headers: Tus-Resumable, Upload-Offset, Location -< Content-Length: 0 -< Content-Security-Policy: default-src 'none'; -< Content-Type: text/plain -< Date: Mon, 16 Oct 2023 04:18:25 GMT -< Etag: "372c96743f68bc40e789124d30567371" -< Last-Modified: Mon, 16 Oct 2023 04:18:25 +0000 -< Location: https://ocis.test/data/eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJyZXZhIiwiZXhwIjoxNjk3NTE2MzA1LCJpYXQiOjE2OTc0Mjk5MDUsInRhcmdldCI6Imh0dHA6Ly9sb2NhbGhvc3Q6OTE1OC9kYXRhL3R1cy82NjlhODBlZi1hN2VjLTQwYTAtOGNmOS05MTgwNTVhYzlkZjAifQ.yq-ofJYnJ9FLML7Z_jki1FJQ7Ulbt9O_cmLe6V411A4 -< Oc-Etag: "372c96743f68bc40e789124d30567371" -< Oc-Fileid: 44d3e1e0-6c01-4b94-9145-9d0068239fcd$446bdad4-4b27-41f1-afce-0881f202a214!d7c292a6-c395-4e92-bf07-2c1663aec8dd -< Oc-Perm: RDNVWZP -< Tus-Extension: creation,creation-with-upload,checksum,expiration -< Tus-Resumable: 1.0.0 -< Upload-Expires: 1697516305 -< Upload-Offset: 14 -< Vary: Origin -< X-Content-Type-Options: nosniff -< X-Download-Options: noopen -< X-Frame-Options: SAMEORIGIN -* TLSv1.2 (IN), TLS header, Supplemental data (23): -{ [5 bytes data] -< X-Permitted-Cross-Domain-Policies: none -< X-Request-Id: xxxxxxxxxxxxxxxxxxxxxx -< X-Robots-Tag: none -< X-Xss-Protection: 1; mode=block -< -* Connection #0 to host localhost left intact -``` -{{< /tab >}} -{{< /tabs >}} - -{{< hint type=warning title="Important Warning" >}} -The `Upload-Length` header of the request has to contain the exact size of the upload content in byte. 
-{{< /hint >}} - -## Supported Upload-Metadata - -Upload-metadata key-value pairs aren't specified in the general tus docs. The following ones are supported in the ownCloud ecosystem: - -| Parameter (key) | Example (value, MUST be Base64 encoded) | Description | -| -------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------- | -| `name` OR `filename` (mandatory) | example.pdf | Filename | -| `mtime` (recommended) | 1701708712 | Modification time (Unix time format) | -| `checksum` (recommended) | SHA1 a330de5886e5a92d78fb3f8d59fe469857759e72 | Checksum, computed from the client | -| `type` OR `filetype` | application/pdf | MIME Type, sent by the web UI | -| `relativePath` | undefined | File path relative to the folder that is being uploaded, including the filename. Sent by the web UI | -| `spaceId` | 8748cddf-66b7-4b85-91a7-e6d08d8e1639$a9778d63-21e7-4d92-9b47-1b81144b9993 | Sent by the web UI | -| `spaceName` | Personal | Sent by the web UI | -| `driveAlias` | personal/admin | Sent by the web UI | -| `driveType` | personal | Sent by the web UI | -| `currentFolder` | / | Sent by the web UI | -| `currentFolderId` | 8748cddf-66b7-4b85-91a7-e6d08d8e1639$a9778d63-21e7-4d92-9b47-1b81144b9993!a9778d63-21e7-4d92-9b47-1b81144b9993 | Sent by the web UI | -| `uppyId` | uppy-example/pdf-1e-application/pdf-238300 | Sent by the web UI | -| `relativeFolder` | | File path relative to the folder that is being uploaded, without filename. Sent by the web UI. 
| -| `tusEndpoint` | https://ocis.ocis-traefik.latest.owncloud.works/remote.php/dav/spaces/8748cddf-66b7-4b85-91a7-e6d08d8e1639$a9778d63-21e7-4d92-9b47-1b81144b9993 | Sent by the web UI | -| `uploadId` | 71d5f878-a96c-4d7b-9627-658d782c93d7 | Sent by the web UI | -| `topLevelFolderId` | undefined | Sent by the web UI | -| `routeName` | files-spaces-generic | Sent by the web UI | -| `routeDriveAliasAndItem` | cGVyc29uYWwvYWRtaW4= | Sent by the web UI | -| `routeShareId` | | Share ID when uploading into a received folder share. Sent by the web UI | diff --git a/docs/apis/http/webdav/_index.md b/docs/apis/http/webdav/_index.md deleted file mode 100644 index 07be35b44a..0000000000 --- a/docs/apis/http/webdav/_index.md +++ /dev/null 
@@ -1,547 +0,0 @@ ---- -title: "WebDAV" -date: 2023-07-02T00:00:00+00:00 -weight: 20 -geekdocRepo: https://github.com/owncloud/ocis -geekdocEditPath: edit/master/docs/apis/http/webdav -geekdocFilePath: _index.md -geekdocCollapseSection: true ---- - -{{< toc >}} - -**Web** **D**istributed **A**uthoring and **V**ersioning (WebDAV) consists of a set of methods, headers, and content-types extending HTTP/1.1 for the management of resources and -properties, creation and management of resource collections, URL namespace manipulation, and resource locking (collision avoidance). WebDAV is one of the central APIs that ownCloud uses for handling file resources, metadata and locks. - - -{{< hint type=info title="RFC" >}} -**WebDAV RFCs** - -RFC 2518 was published in February 1999. [RFC 4918](https://datatracker.ietf.org/doc/html/rfc4918), published in June 2008 obsoletes RFC 2518 with minor revisions mostly due to interoperability experience. - -{{< /hint >}} -## Calling the WebDAV API - -### Request URI - -```sh -{HTTP method} https://ocis.url/{webdav-base}/{resourceID}/{path} -``` - -The request URI consists of: - -| Component | Description | -|---------------|--------------------------------------------------------------------------------------------------------| -| {HTTP method} | The HTTP method which is used in the request. | -| {webdav-base} | The WebDAV base path component. Possible options are | -| | `dav/spaces/` This is the default and optimized endpoint for all WebDAV requests. | -| | `remote.php/dav/spaces/`* | -| | `remote.php/webdav/`* | -| | `webdav/`* | -| | `dav/`* | -| {resourceID} | This resourceID is used as the WebDAV root element. All children are accessed by their relative paths. | -| {path} | The relative path to the WebDAV root. In most of the casese, this is the space root. | - -\* these dav endpoints are implemented for legacy reasons and should not be used. 
Note: The legacy endpoints **do not take the resourceID as an argument.** - -### HTTP methods - -| Method | Description | -|-----------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| PROPFIND | Retrieve properties as XML from a web resource. It is also overloaded to retrieve the collection structure (a.k.a. directory hierarchy) of a remote system. | -| PROPPATCH | Process instructions specified in the request body to set and/or remove properties defined on the resource identified by the request uri. | -| MKCOL | Create a WebDAV collection (folder) at the location specified by the request uri. | -| GET | Retrieve a WebDAV resource. | -| HEAD | Retrieve a WebDAV resource without reading the body. | -| PUT | A PUT performed on an existing resource replaces the GET response entity of the resource. | -| POST | Not part of the WebDAV rfc and has no effect on a WebDAV resource. However, this method is used in the TUS protocol for uploading resources. | -| PATCH | Not part of the WebDAV rfc and has no effect on a WebDAV resource. However, this method is used in the TUS protocol for uploading resources. | -| COPY | Creates a duplicate of the source resource identified by the Request-URI, in the destination resource identified by the URI in the Destination header. | -| MOVE | The MOVE operation on a non-collection resource is the logical equivalent of a copy (COPY), followed by consistency maintenance processing, followed by a delete of the source, where all three actions are performed in a single operation. | | -| DELETE | Delete the resource identified by the Request-URI. | -| LOCK | A LOCK request to an existing resource will create a lock on the resource identified by the Request-URI, provided the resource is not already locked with a conflicting lock. 
| -| UNLOCK | The UNLOCK method removes the lock identified by the lock token in the Lock-Token request header. The Request-URI must identify a resource within the scope of the lock. | - -The methods `MKCOL`, `GET`, `HEAD`, `LOCK`, `COPY`, `MOVE`, `UNLOCK` and `DELETE` need no request body. - -The methods `PROPFIND`, `PROPPATCH`, `PUT` require a request body, normally in XML format to provide the needed values. - -{{< hint type=tip title="Tooling" >}} -**WebDAV is not REST** - -The WebDAV protocol was created before the REST paradigm has become the de-facto standard for API design. WebDAV uses http methods which are not part of REST. Therefore all the tooling around API design and documentation is not usable (like OpenApi 3.0 / Swagger or others). -{{< /hint >}} - -### Authentication - -For development purposes the examples in the developer documentation use Basic Auth. It is disabled by default and should only be enabled by setting `PROXY_ENABLE_BASIC_AUTH` in [the proxy](../../../services/proxy/configuration/#environment-variables) for development or test instances. - -To authenticate with a Bearer token or OpenID Connect access token replace the `-u user:password` Basic Auth option of curl with a `-H 'Authorization: Bearer '` header. A `` can be obtained by copying it from a request in the browser, although it will time out within minutes. To automatically refresh the OpenID Connect access token an ssh-agent like solution like [oidc-agent](https://github.com/indigo-dc/oidc-agent) should be used. - -## Listing Properties - -This method is used to list the properties of a resource in xml. This method can also be used to retrieve the listing of a WebDAV collection which means the content of a remote directory. 
- -{{< tabs "list-properties" >}} -{{< tab "Curl" >}} -```shell -curl -L -X PROPFIND 'https://localhost:9200/dav/spaces/storage-users-1%24some-admin-user-id-0000-000000000000/' \ --H 'Depth: 1' \ --d ' - - - - - - - - - - - - - - - - - -' -``` -{{< /tab >}} -{{< tab "HTTP" >}} -```shell -PROPFIND /dav/spaces/storage-users-1%24some-admin-user-id-0000-000000000000/ HTTP/1.1 -Host: localhost:9200 -Origin: https://localhost -Access-Control-Request-Method: PROPFIND -Depth: 1 -Content-Type: application/xml -Authorization: Basic YWRtaW46YWRtaW4= -Content-Length: 436 - - - - - - - - - - - - - - - - - - - - -``` -{{< /tab >}} -{{< /tabs >}} - -The request consists of a request body and an optional `Depth` Header. - -{{< hint type=tip title="PROPFIND usage" >}} -**Metadata and Directory listings** - -Clients can use the `PROPFIND` method to retrieve properties of resources (metadata) and to list the content of a directories. -{{< /hint >}} -### Response - -{{< tabs "response list properties" >}} -{{< tab "207 - Multistatus" >}} - -#### Multi Status Response - -A Multi-Status response conveys information about multiple resources -in situations where multiple status codes might be appropriate. The -default Multi-Status response body is an application/xml -HTTP entity with a `multistatus` root element. Further elements -contain `200`, `300`, `400`, and `500` series status codes generated during -the method invocation. - -Although `207` is used as the overall response status code, the -recipient needs to consult the contents of the multistatus response -body for further information about the success or failure of the -method execution. The response MAY be used in success, partial -success and also in failure situations. - -The `multistatus` root element holds zero or more `response` elements -in any order, each with information about an individual resource. 
- -#### Body - -```xml - - - /dav/spaces/storage-users-1$some-admin-user-id-0000-000000000000/ - - - RDNVCKZP - 0 - storage-users-1$some-admin-user-id-0000-000000000000!some-admin-user-id-0000-000000000000 - storage-users-1$some-admin-user-id-0000-000000000000!some-admin-user-id-0000-000000000000 - admin - Admin - https://localhost:9200/f/storage-users-1$some-admin-user-id-0000-000000000000%21some-admin-user-id-0000-000000000000 - 10364682 - Mon, 04 Sep 2023 20:10:09 GMT - "c4d3610dfe4fac9b44e1175cfc44b12b" - - - - - HTTP/1.1 200 OK - - - - - - - - - HTTP/1.1 404 Not Found - - - - /dav/spaces/storage-users-1$some-admin-user-id-0000-000000000000/New%20file.txt - - - RDNVWZP - - SHA1:1c68ea370b40c06fcaf7f26c8b1dba9d9caf5dea MD5:2205e48de5f93c784733ffcca841d2b5 ADLER32:058801ab - - 0 - storage-users-1$some-admin-user-id-0000-000000000000!90cc3e73-0c6c-4346-9c4d-f529976d4990 - storage-users-1$some-admin-user-id-0000-000000000000!90cc3e73-0c6c-4346-9c4d-f529976d4990 - admin - Admin - - 0 - 1 - 3 - - https://localhost:9200/f/storage-users-1$some-admin-user-id-0000-000000000000%2190cc3e73-0c6c-4346-9c4d-f529976d4990 - 5 - 5 - Mon, 28 Aug 2023 20:45:03 GMT - "75115347c74701a3be9c635ddebbf5c4" - text/plain - - - HTTP/1.1 200 OK - - - - /dav/spaces/storage-users-1$some-admin-user-id-0000-000000000000/NewFolder/ - - - RDNVCKZP - 0 - storage-users-1$some-admin-user-id-0000-000000000000!5c73ecd9-d9f4-44f4-b685-ca4cb40aa6b7 - storage-users-1$some-admin-user-id-0000-000000000000!5c73ecd9-d9f4-44f4-b685-ca4cb40aa6b7 - admin - Admin - https://localhost:9200/f/storage-users-1$some-admin-user-id-0000-000000000000%215c73ecd9-d9f4-44f4-b685-ca4cb40aa6b7 - 0 - Mon, 28 Aug 2023 20:45:10 GMT - "e83367534cc595a45d706857fa5f03d8" - - - - - HTTP/1.1 200 OK - - - - - - - - - HTTP/1.1 404 Not Found - - - -``` -{{< /tab >}} -{{< tab "400 - Bad Request" >}} - -#### Body - -```xml - - - Sabre\DAV\Exception\BadRequest - Invalid Depth header value: 3 - -``` - -This can occur if the request is 
malformed e.g. due to an invalid xml request body or an invalid depth header value. -{{< /tab >}} -{{< tab "404 - Not Found" >}} - -#### Body - -```xml - - - Sabre\DAV\Exception\NotFound - Resource not found - -``` -{{< /tab >}} -{{< /tabs >}} - -### Request Body - -The `PROPFIND` Request can include an XML request body containing a list of namespaced property names. - -### Namespaces - -When building the body of your DAV request, you will request properties that are available under a specific namespace URI. It is usual to declare prefixes for those namespace in the `d:propfind` element of the body. - -Available namespaces: - -| URI | Prefix | -|-------------------------------------------|--------| -| DAV: | d | -| http://sabredav.org/ns | s | -| http://owncloud.org/ns | oc | -| http://open-collaboration-services.org/ns | ocs | -| http://open-cloud-mesh.org/ns | ocm | - -### Request Example with declared namespaces - -```xml - - - -``` - -### Supported WebDAV Properties - -| Property | Desription | Example | -| ----------------------------------- | -------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------ | -| `` | The latest modification time. | `Fri, 30 Dec 2022 14:22:43 GMT` | -| `` | The file's etag. | `"c3a1ee4a0c28edc15b9635c3bf798013"` | -| `` | The mime type of the file. | `image/jpeg` | -| `` | Specifies the nature of the resource. | `` for a folder | -| `` | The size if it is a file in bytes. | `5` bytes | -| `` | Describes the active locks on a resource. | Detailed Example in [Locking]() | -| `` | The globally unique ID of the resource. | `storage-1$27475553-7fb7-4689-b4cf-bbb635daff79!27475553-7fb7-4689-b4cf-bbb635daff79` | -| `` | The globally unique ID of the resource. 
| `storage-1$27475553-7fb7-4689-b4cf-bbb635daff79!27475553-7fb7-4689-b4cf-bbb635daff79` | -| `` | Direct URL to download a file from. | Not implemented. | -| `` | Determines the actions a user can take on the resource. | The value is a string containing letters that clients can use to determine available actions. | -| | | `S`: Shared | -| | | `M`: Mounted | -| | | `D`: Deletable | -| | | `NV`: Updateable, Renameable, Moveable | -| | | `W`: Updateable (file) | -| | | `CK`: Creatable (folders only) | -| | | `Z`: Deniable | -| | | `P`: Trashbin Purgable | -| | | `X`: Securely Viewable | -| | | In the early stages this was indeed a list of permissions. Over time, more flags were added and the term permissions no longer really fits well. | -| `` | List of user specified tags. | `test` | -| ` ` | The favorite state. | `0` for not favourited, `1` for favourited | -| `` | The user id of the owner of a resource. Project spaces have no owner. | `einstein` | -| `` | The display name of the owner of a resource. Project spaces have no owner. | `Albert Einstein` | -| `` | List of share types. | `0` = User Share | -| | | `1` = Group Share | -| | | `2` = Public Link | -| `` | | ``
`SHA1:1c68ea370b40c06fcaf7f26c8b1dba9d9caf5dea MD5:2205e48de5f93c784733ffcca841d2b5 ADLER32:058801ab`
`
` | -| | | Due to a bug in the very early development of ownCloud, this value is not an array, but a string separated by whitespaces. | -| `` | Similar to `getcontentlength` but it also works for folders. | `10` bytes | -| `` | The ID of the share if the resource is part of such. | `storage-1$27475553-7fb7-4689-b4cf-bbb635daff79!27475553-7fb7-4689-b4cf-bbb635daff79` | -| `` | The root path of the shared resource if the resource is part of such. | `/shared-folder` | -| `` | The ID of the shared resource if the resource is part of such. | `storage-1$27475553-7fb7-4689-b4cf-bbb635daff79!27475553-7fb7-4689-b4cf-bbb635daff79` | -| `` | The type of the resource if it's a public link. | `folder` | -| `` | The share permissions of the resource if it's a public link. | `1` | -| `` | The expiration date of the public link. | `Tue, 14 May 2024 12:44:29 GMT` | -| `` | The date the public link was created. | `Tue, 14 May 2024 12:44:29 GMT` | -| `` | The username of the user who created the public link. | `admin` | -| `` | The original name of the resource before it was deleted. | `some-file.txt` | -| `` | The original location of the resource before it was deleted. | `some-file.txt` | -| `` | The date the resource was deleted. | `Tue, 14 May 2024 12:44:29 GMT` | -| `` | Audio meta data if the resource contains such. | `MetallicaMetallicaEnter Sandman` | -| `` | Location meta data if the resource contains such. | `51.504106-0.074575` | - -### Request Headers - -A client executing a `PROPFIND` request MUST submit a Depth Header value. In practice, support for infinite-depth requests MAY be disabled, due to the performance and security concerns associated with this behavior. Servers SHOULD treat a -request without a Depth header as if a `Depth: infinity` header was included. Infinite depth requests are disabled by default in ocis. 
- -| Name | Value | -|-------------------------------------------|---------------------------------------------------------------------------------------| -| Depth | `0` = Only return the desired resource. | -| | `1` = Return the desired resource and all resources one level below in the hierarchy. | -| | `infinity` = Return all resources below the root. | - -{{< hint type=caution title="Use the Depth header with caution" >}} -**Depth: infinity** - -Using the `Depth: infinity` header value can cause heavy load on the server, depending on the size of the file tree. - -The request can run into a timeout and the server performance could be affected for other users. - -{{< /hint >}} - -## Create a Directory - -Clients create directories (WebDAV collections) by executing a `MKCOL` request at the location specified by the request url. - -{{< tabs "create-folder" >}} -{{< tab "Curl" >}} -```shell -curl -L -X MKCOL 'https://localhost:9200/dav/spaces/storage-users-1%24some-admin-user-id-0000-000000000000/NewFolder/' \ --H 'Authorization: Basic YWRtaW46YWRtaW4=' -``` -{{< /tab >}} -{{< tab "HTTP" >}} -```shell -MKCOL /dav/spaces/storage-users-1%24some-admin-user-id-0000-000000000000/NewFolder/ HTTP/1.1 -Host: localhost:9200 -Authorization: Basic YWRtaW46YWRtaW4= -``` -{{< /tab >}} -{{< /tabs >}} -### Response - -{{< tabs "response create folder" >}} -{{< tab "201 - Created" >}} -This indicates that the Resource has been created successfully. - -#### Body - -The response has no body. -{{< /tab >}} -{{< tab "403 - Forbidden" >}} - -#### Body - -```xml - - - Sabre\DAV\Exception\Forbidden - - -``` -{{< /tab >}} -{{< tab "405 - Method not allowed" >}} - -#### Body - -```xml - - - Sabre\DAV\Exception\MethodNotAllowed - The resource you tried to create already exists - -``` -{{< /tab >}} -{{< /tabs >}} - -## Upload File - -To upload files to the remote server, clients can use the `PUT` method to create or fully replace the content of the remote file. 
- -### Request Headers - -| Name | Usage | -|---------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| `X-OC-Mtime` | Send the last modified
time of the file to the server in unixtime format. The server applies this mtime to the resource rather than the actual time. | -| `OC-Checksum` | Provide the checksum of the
file content to the server.
This is used to prevent corrupted data transfers. | -| `If-Match` | The If-Match request-header field is used with a method to make it
conditional. A client that has one or more entities previously
obtained from the resource can verify that one of those entities is
current by including a list of their associated entity tags in the
If-Match header field. | - -{{< tabs "upload-file" >}} -{{< tab "Curl" >}} -```shell -curl -L -X PUT 'https://localhost:9200/dav/spaces/storage-users-1%24some-admin-user-id-0000-000000000000/test.txt' \ --H 'X-OC-Mtime: 1692369418' \ --H 'OC-Checksum: SHA1:40bd001563085fc35165329ea1ff5c5ecbdbbeef' \ --H 'If-Match: "4436aef907f41f1ac7dfd1ac3d0d455f"' \ --H 'Content-Type: text/plain' \ --H 'Authorization: Basic YWRtaW46YWRtaW4=' \ --d '123' -``` -{{< /tab >}} -{{< tab "HTTP" >}} -```shell -PUT /dav/spaces/storage-users-1%24some-admin-user-id-0000-000000000000/test.txt HTTP/1.1 -Host: localhost:9200 -X-OC-Mtime: 1692369418 -OC-Checksum: SHA1:40bd001563085fc35165329ea1ff5c5ecbdbbeef -If-Match: "4436aef907f41f1ac7dfd1ac3d0d455f" -Content-Type: text/plain -Authorization: Basic YWRtaW46YWRtaW4= -Content-Length: 3 - -123 -``` -{{< /tab >}} -{{< /tabs >}} - -### Response - -{{< tabs "response upload file" >}} -{{< tab "201 - Created" >}} -This indicates that the Resource has been created successfully. - -#### Body - -The response has no body. - -#### Headers - -```yaml -Oc-Etag: "4436aef907f41f1ac7dfd1ac3d0d455f" -Oc-Fileid: storage-users-1$some-admin-user-id-0000-000000000000!07452b22-0ba9-4539-96e1-3511aff7fd2f -Last-Modified: Fri, 18 Aug 2023 14:36:58 +0000 -X-Oc-Mtime: accepted -``` -{{< /tab >}} -{{< tab "204 - No Content" >}} -This indicates that the Resource has been updated successfully. - -#### Body - -The response has no body. - -#### Headers - -```yaml -Oc-Etag: "4436aef907f41f1ac7dfd1ac3d0d455f" -Oc-Fileid: storage-users-1$some-admin-user-id-0000-000000000000!07452b22-0ba9-4539-96e1-3511aff7fd2f -Last-Modified: Fri, 18 Aug 2023 14:36:58 +0000 -X-Oc-Mtime: accepted -``` -{{< /tab >}} -{{< tab "400 - Bad Request" >}} -This indicates that the checksum, which was sent by the client, does not match the computed one after all bytes have been received by the server. 
- -#### Body - -```xml - - - Sabre\DAV\Exception\BadRequest - The computed checksum does not match the one received from the client. - -``` -{{< /tab >}} -{{< tab "403 - Forbidden" >}} - -The user cannot create files in that remote location. -{{< /tab >}} -{{< tab "404 - Not Found" >}} - -The remote target space cannot be found. -{{< /tab >}} -{{< tab "409 - Conflict" >}} - -This error can occur when the request cannot be executed due to a missing precondition. One example is a PUT into a non-existing remote folder. It can also happen when the client sends the wrong etag in the `If-Match` header. -{{< /tab >}} -{{< /tabs >}} diff --git a/docs/architecture/_index.md b/docs/architecture/_index.md deleted file mode 100644 index e4ed804974..0000000000 --- a/docs/architecture/_index.md +++ /dev/null @@ -1,13 +0,0 @@ ---- -title: Architecture -date: 2023-12-06T13:00:00+01:00 -weight: 10 -geekdocRepo: https://github.com/owncloud/ocis -geekdocEditPath: edit/master/docs/architecture -geekdocFilePath: _index.md -geekdocCollapseSection: true ---- - -In the architecture part of the documentation we collect useful developer documentation on different aspects of the architecture. We are using mermaid.js to collaborate on the necessary diagrams. - -*Pictures tell more than a thousand words.* diff --git a/docs/architecture/collaborative-storage.md b/docs/architecture/collaborative-storage.md deleted file mode 100644 index 62768146e5..0000000000 --- a/docs/architecture/collaborative-storage.md +++ /dev/null 
@@ -1,111 +0,0 @@
----
-title: "Collaborative Storage"
-date: 2023-11-09T12:35:00+01:00
-weight: 30
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/ocis/storage-backends/
-geekdocFilePath: collaborative-storage.md
----
-
-{{< toc >}}
-
-One of the envisioned design goals of Infinite Scale is to work with so called _collaborative storage_, which means that the file system it is running on is not exclusive for Infinite Scale, but can be manipulated in parallel through third party tools. Infinite Scale is expected to monitor the changes that happen independently and react in a consistent and user friendly way.
-
-A real world example of that would be a third party "data producer" that submits data directly into a file system path, not going through Infinite Scale APIs.
-
-This document outlines a few challenges and design concepts for collaborative storage. It is also the base "checklist" for custom storage provider implementations for certain storages, ie. for Ceph- or IBM Storage Scale which provide features that allow more sophisticated and efficient implementations of this goal.
-
-
-# Storage Driver Components
-
-This discusses a few components and sub functions of the storage driver that have relevance for the collaborative storage.
-
-## Path Locations
-
-What is called "the oCIS file system" is defined as the entire filetree underneath a special path in the local POSIX file system, which might either be a real local file system or a mounted net filesystem. It is expected that oCIS is the only consumer of that file tree, except what is expected behaviour with a collaborative file system, that adds and edits files in that tree.
-
-Underneath the oCIS file system root, there is an collection of different folders containing oCIS specific data. Specific storage driver data is in the directory `storage/users`, organized by spaces. 
-(TODO: Check again how different storage drivers work together without overwriting data of each other)
-
-## Spaces
-
-Infinite Scale provides spaces as an additional organization organizational unit for data. Each space is a separate entity with its own attributes such as access patterns and quota.
-
-A storage driver has to model the separation of spaces and provide a list of spaces in general and also a list of spaces a user can access. Furthermore, it needs to be able to create different types of spaces (Home- or Project space).
-
-On POSIX, each space could for example be mapped to it's own directory in a special spaces folder under the oCIS root folder.
-
-## ID to Path Lookup
-
-Infinite Scale uses file IDs to efficiently identify files within a file tree. The lookup from a given ID to a path within the oCIS file tree is a very basic function that more or less defines the Infinite Scale performance. The functionality to for example query the file path for a given Inode number (which is the nearest equivalent for the Infinite Scale file ID) can not be done with standard POSIX system calls.
-
-The interface defining the collaborative storage needs an abstraction for this particular function, returning the file id for a given path, and returning the path for given id.
-
-## Change Notification
-
-When a file is changed by a process outside of oCIS, this needs to be monitored by oCIS to quickly maintain internal caches and data structures as required.
-
-The collaborative storage driver needs a way to achieve that. The easiest way for an POSIX based collaborative storage is inotify, that needs to be set up recursively on a file tree to record changes. Additional it is a challenge to destinguish between changes that were done from external activity and the ones that oCIS creates by its own file operations. 
-
-For GPFS, there is a subsystem called delivering that:
-
-https://www.ibm.com/docs/en/storage-scale/5.1.9?topic=reference-clustered-watch-folder]
-
-## ETag Propagation
-
-ownCloud requires that changes which happen "down" in a tree, can be detected in the root element of the tree. That happens through the change of the ETag metadata of each file and/or directory. An ETag is a random, text based tag, that only has one requirement: It has to change its content if a resource further down in the file tree has changed either its content or its metadata. (See [this issue](https://github.com/owncloud/ocis/issues/3782) for further discussion about the ETag/CTag).
-
-POSIX file systems do not maintain a change flag like the ETag by default. The file time stamps (atime, ctime, mtime) in general are not fine granular enough (only seconds for some file systems) and depend on the server time, which renders them useless in a distributed environment.
-
-Infinite Scale needs to implement ETag propagation "up". For the collaborative storage, that needs to be combined with the change notification described above.
-
-Certain file systems implement this functionality either independently from Infinite Scale (EOS) or at least support proper change notifications (Ceph, GPFS?).
-
-## Metadata Management
-
-Metadata are data "snippets" that are as tightly attached to files as ever possible. In best case, a rename of a file silently keeps the metadata as well. In POSIX, this can be achieved by extended file attributes with certain limitations.
-
-## Quota
-
-Each space has it's own quota, thus a storage driver implementation needs to consider that.
-
-For GPFS for example, there is support for quota handling in the file system.
-
-https://www.ibm.com/docs/en/gpfs/4.1.0.4?topic=interfaces-gpfs-quotactl-subroutine
-
-Other systems store quota data in the metadata storage and implement propagation of used quota similar to the ETag propagation. 
-
-## User Management
-
-With user management it is meant how to handle the users and groups within oCIS and how that reflects to the file system where data is stored.
-
-### Exclusive Environment
-
-In exclusive environments (aka. decomposedFS) all files of oCIS (ie. the entire oCIS filetree) belongs to a system user with the name `ocis` typically.
-
-### Collaborative Storage
-
-For collaborative storages, the approach described above does not longer work because users are supposed to be able to manipulate data in "their" file tree parts, and that is identified by ACLs and the owner of the files.
-
-That requires a few prerequisites that have to be fulfilled:
-
-1. oCIS as one "client" changing data and the system that allows to access the file tree directly have to use the same user provider, to ensure that each user that is available on a shell is also available in oCIS. That ensures that changes are authenticated through system ACLs and users. LDAP based authentication on the system via PAM and the same LDAP as source for the oCIS IDP should be a sufficient setup.
-2. oCIS must be able to write as a "different" user than the ocis system user. That means that we somehow have to impersonate file changing ooperations and run these as the user that is authenticated in oCIS.
-
-Example: There is a user ben. It has to have an entry in the LDAP that is used by IDP which oCIS is running "behind". With that, ben is able to authenticate through the IDP and work in the oCIS web app. The oCIS linux process will do writes and other changes impersonated as user ben.
-
-For the access of data on the commandline, the logins to the linux system must be authenticated against the same LDAP - so that ben can authenticate on a terminal using username and password. With that, the user can interactively change data that belongs to user ben (simplified said).
-
-To give permissions to groups, the linux group management must work accordingly. The same is true for file permissions. 
-
-## Trashbin
-
-When a user deletes a file in oCIS it is moved to a so called trashbin that allows to restore the file if the deletion was accidentailly.
-
-## Versions
-
-When an existing file is changed, the former file state is to be preserved with data and metadata by oCIS. Some file system types provide this functionality via snapshots on partition or even file level. Other do not and have to implement that via a hidden directory keeping old file versions.
-
-
-
-
diff --git a/docs/architecture/efficient-stat-polling.md b/docs/architecture/efficient-stat-polling.md
deleted file mode 100644
index 13ad65b366..0000000000
--- a/docs/architecture/efficient-stat-polling.md
+++ /dev/null
@@ -1,202 +0,0 @@ ---- -title: "Efficient Stat Polling" -date: 2020-03-03T10:31:00+01:00 -weight: 30 -geekdocRepo: https://github.com/owncloud/ocis -geekdocEditPath: edit/master/docs/architecture -geekdocFilePath: efficient-stat-polling.md ---- - -The fallback sync mechanism uses the ETag to determine which part of a sync tree needs to be checked by recursively descending into folders whose ETag has changed. The ETag can be calculated using a `stat()` call in the filesystem and we are going to explore how many `stat()` calls are necessary and how the number might be reduced. - -## ETag propagation - -What does ETag propagation mean? Whenever a file changes its content or metadata the ETag or "entity tag" changes. In the early days of ownCloud it was decided to extend this behavior to folders as well, which is outside of any WebDAV RFC specification. Nevertheless, here we are, using the ETag to reflect changes, not only on WebDAV resources but also WebDAV collections. The server will propagate the ETag change up to the root of the tree. - -{{}} -graph TD - linkStyle default interpolate basis - - subgraph final ETag propagation - ert3(( etag:N )) --- el3(( etag:O )) & er3(( etag:N )) - er3 --- erl3(( etag:O )) & err3(( etag:N )) - end - - subgraph first ETag propagation - ert2(( etag:O )) --- el2(( etag:O )) & er2(( etag:N )) - er2 --- erl2(( etag:O )) & err2(( etag:N )) - end - - subgraph initial file change - ert(( etag:O )) --- el(( etag:O )) & er(( etag:O )) - er --- erl(( etag:O )) & err(( etag:N )) - end -{{}} - -The old `etag:O` is replaced by propagating the new `etag:N` up to the root, where the client will pick it up and explore the tree by comparing the old ETags known to him with the state of the current ETags on the server. This form of sync is called *state based sync*. - -## Single user sync -To let the client detect changes in the drive (a tree of files and folders) of a user, we rely on the ETag of every node in the tree. 
The discovery phase starts at the root of the tree and checks if the ETag has changed since the last discovery: -- if it is still the same nothing has changed inside the tree -- if it changed the client will compare the ETag of all immediate children and recursively descend into every node that changed - -This works, because the server side will propagate ETag changes in the tree up to the root. - -{{}} -graph TD - linkStyle default interpolate basis - - ec( client ) -->|"stat()"|ert - - subgraph - ert(( )) --- el(( )) & er(( )) - er --- erl(( )) & err(( )) - end -{{}} - -## Multiple users -On an ocis server there is not one user but many. Each of them may have one or more clients running. In the worst case all of them polling the ETag of his home root node every 30 seconds. - -Keep in mind that etags are only propagated inside each distinct tree. No sharing is considered yet. - -{{}} -graph TD - linkStyle default interpolate basis - - ec( client ) -->|"stat()"|ert - - subgraph - ert(( )) --- el(( )) & er(( )) - er --- erl(( )) & err(( )) - end - - mc( client ) -->|"stat()"|mrt - - subgraph - mrt(( )) --- ml(( )) & mr(( )) - mr --- mrl(( )) & mrr(( )) - end - - fc( client ) -->|"stat()"|frt - - subgraph - frt(( )) --- fl(( )) & fr(( )) - fr --- frl(( )) & frr(( )) - end -{{}} - -## Sharing -*Storage providers* are responsible for persisting shares as close to the storage as possible. - -One implementation may persist shares using ACLs, another might use custom extended attributes. The chosen implementation is storage specific and always a tradeoff between various requirements. Yet, the goal is to treat the storage provider as the single source of truth for all metadata. - -If users can bypass the storage provider using e.g. `ssh` additional mechanisms needs to make sure no inconsistencies arise: -- the ETag must still be propagated in a tree, eg using inotify, a policy engine or workflows triggered by other means -- deleted files should land in the trash (e.g. 
`rm` could be wrapped to move files to trash) -- overwriting files should create a new version ... other than a fuse fs I see no way of providing this for normal posix filesystems. Other storage backends that use the s3 protocol might provide versions natively. - -The storage provider is also responsible for keeps track of references e.g. using a shadow tree that users normally cannot see or representing them as symbolic links in the filesystem (Beware of symbolic link cycles. The clients are currently unaware of them and would flood the filesystem). - -To prevent write amplification ETags must not propagate across references. When a file that was shared by einstein changes the ETag must not be propagated into any share recipients tree. - -{{}} -graph TD - linkStyle default interpolate basis - - - ec( einsteins client ) -->|"stat()"|ert - - subgraph - ml --- mlr(( )) - mrt(( )) --- ml(( )) & mr(( )) - mr --- mrl(( )) & mrr(( )) - end - - mlr -. reference .-> er - - subgraph - ert(( )) --- el(( )) & er(( )) - er --- erl(( )) & err(( )) - end - - mc( maries client ) -->|"stat()"|mrt - -{{}} - -But how can Marie's client detect the change? - -We are trading writes for reads: the client needs to stat the own tree & all shares or entry points into other storage trees. - -It would require client changes that depend on the server side actually having an endpoint that can efficiently list all entry points into storages a user has access to including their current etag. - -But having to list n storages might become a bottleneck anyway, so we are going to have the gateway calculate a virtual root ETag for all entry points a user has access to and cache that. - -## Server Side Stat Polling -Every client polls the virtual root ETag (every 30 sec). The gateway will cache the virtual root ETag of every storage for 30 sec as well. That way every storage provider is only stated once every 30 sec (can be throttled dynamically to adapt to storage io load). 
- - -{{}} -graph TD - linkStyle default interpolate basis - - ec( client ) -->|"stat()"|evr - - subgraph gateway caching virtual etags - evr(( )) - mvr(( )) - fvr(( )) - end - - evr --- ert - mvr --- mrt - fvr --- frt - - subgraph - ert(( )) --- el(( )) & er(( )) - er --- erl(( )) & err(( )) - end - - mc( client ) -->|"stat()"|mvr - - subgraph - mrt(( )) --- ml(( )) & mr(( )) - ml --- mlm(( )) - mr --- mrl(( )) & mrr(( )) - end - - mlm -.- er - mvr -.- er - - fc( client ) -->|"stat()"|fvr - - subgraph - frt(( )) --- fl(( )) & fr(( )) - fr --- frl(( )) & frr(( )) - end - -{{}} - -Since the active clients will poll the etag for all active users the gateway will have their ETag cached. This is where sharing comes into play: The gateway also needs to stat the ETag of all other entry points ... or mount points. That may increase the number of stat like requests to storage providers by an order of magnitude. - -### Ram considerations - -For a single machine using a local posix storage the linux kernel already caches the inodes that contain the metadata that is necessary to calculate the ETag (even extended attributes are supported). With 4k inodes 256 nodes take 1Mb of RAM, 1k inodes take 4Mb and 1M inodes take 4Gb to completely cache the file metadata. For distributed filesystems a dedicated cache might make sense to prevent hammering it with stat like requests to calculate ETags. - -### Bandwidth considerations - -The bandwidth for a single machine might be another bottleneck. Consider a propfind request with roughly 500 bytes and a response with roughly 800 bytes in size: -- At 100Mbit (~10Mb/s) you can receive 20 000 PROPFIND requests -- At 1000Mbit (~100Mb/s) you can receive 200 000 PROPFIND requests -- At 10Gbit (~1Gb/s) you can receive 2 000 000 PROPFIND requests - -This can be scaled by adding more gateways and sharding users because these components are stateless. 
- -## Share mount point polling cache -What can we do to reduce the number of stat calls to storage providers. Well, the gateway queries the share manager for all mounted shares of a user (or all entry points, not only the users own root/home). The share references contain the storage provider that contains the share. If every user has its own storage provider id the gateway could check in its own cache if the storage root etag has changed. It will be up-to-date because another client likely already polled for its etag. -This would reduce the number of necessary stat requests to active storages. - -### Active share node cache invalidation -We can extend the lifetime of share ETag cache entries and only invalidate them when the root of the storage that contains them changes its ETag. That would reduce the number of stat requests to the number of active users. - -### Push notifications -We can further enhance this by sending push notifications when the root of a storage changes. Which is becoming increasingly necessary for mobile devices anyway. diff --git a/docs/architecture/posixfs-storage-driver.md b/docs/architecture/posixfs-storage-driver.md deleted file mode 100644 index ea96490063..0000000000 --- a/docs/architecture/posixfs-storage-driver.md +++ /dev/null 
@@ -1,207 +0,0 @@ ---- -title: "PosixFS Storage Driver" -date: 2024-05-27T14:31:00+01:00 -weight: 30 -geekdocRepo: https://github.com/owncloud/ocis -geekdocEditPath: edit/master/docs/architecture -geekdocFilePath: posixfs-storage-driver.md ---- - -{{< toc >}} - -The Posix FS Storage Driver is a new storage driver for Infinite Scale. - -The scope of this document is to give a high level overview to the technical aspects of the Posix FS Storage Driver and guide the setup. - -## Introduction - -The Posix FS Storage Driver is a backend component that manages files on the server utilizing a "real" file tree that represents the data with folders and files in the file system as users are used to it. That is the big difference compared to Decomposed FS which is the default storage driver in Infinite Scale. - -This does not mean that Infinite Scale is trading any of its benefits to this new feature: It still implements simplicity by running without a database, it continues to store metadata in the file system and adds them transparently to caches and search indexes, and it also features the full spaces concept as before, just to name a few examples. - -The architecture of Infinite Scale allows configuring different storage drivers for specific storage types and purposes on a space granularity. The Posix FS Storage Driver is an alternative to the default driver called Decomposed FS. - -However, the clarity of the file structure in the underlying file system is not the only benefit of the Posix FS Storage Driver. This new technology allows users to manipulate the data directly in the file system, and any changes made to files outside of Infinite Scale are monitored and directly reflected in Infinite Scale. For example, a scanner could store its output directly to the Infinite Scale file system, which immediately gets picked up in Infinite Scale. 
- -For the first time ever with feature rich open source file sync & share systems, users can either choose to work with their data through the clients of the system, its APIs or even directly in the underlying file system on the server. - -That is another powerful vector for integration and enables a new spectrum of use cases across all domains. - -## Technical Aspects - -The Posix FS Storage Driver uses a few features of the underlying file system, which are mandatory and directly contributing to the performance of the system. - -While the simplest form of Posix FS Storage Driver runs with default file systems of every modern Linux system which are directly mounted and thus support inotify, the full power of this unfolds with more capable file systems such as IBM Storage Scale or Ceph. These are recommended as reliable foundations for big installations of Infinite Scale. - -This chapter describes some technical aspects of this storage driver. - -### Path Locations - -The file tree that is used as storage path for both data and metadata is located under the local path on the machine that is running Infinite Scale. That might either be a real local file system or a mounted net filesystem. It is expected that oCIS is the only consumer of that file tree, except what is expected behaviour with a collaborative file system, that works with files in that tree. - -Underneath the Infinite Scale file system root, there is a collection of different folders containing Infinite Scale specific data storing personal spaces, project spaces and indexes. - -### Metadata - -Infinite Scale is highly dependent on the efficient usage of meta data which are attached to file resources, but also logical elements such as spaces. - -Metadata is stored in extended attributes (as also supported by decompsed FS) which poses the benefit that metadata is always directly attached to the actual resources. 
As a result, care has to be taken that extended attributes are considered when working with the file tree however, e.g. when creating or restoring backups. - -Note: The maximum number and size of extended attributes are limited depending on the filesystem and block size. See [GPFS Specifics](#gpfs-specifics) for more details on GPFS file systems. - -All indexing and caching of metadata is implemented in higher system levels than the storage driver, and thus are not different to the components used with other storage drivers like the decomposed FS. - -### Monitoring - -To get information about changes such as new files added, files edited or removed, Infinite Scale uses a monitoring system to directly watch the file system. This starts with the Linux inotify system and ranges to much more sophisticated services as for example in Spectrum Scale (see [GPFS Specifics](#gpfs-specifics) for more details on GPFS file systems). - -Based on the information transmitted by the watching service, Infinite Scale is able to "register" new or changed files into its own caches and internal management structures. This enables Infinite Scale to deliver resource changes through the "traditional" channels such as APIs and clients. - -Since the most important metadata is the file tree structure itself, it is impossible for the "split brain" situation between data and metadata to cause trouble. - -### Automatic ETag Propagation - -The ETag of a resource can be understood as a content fingerprint of any file- or folder resource in Infinite Scale. It is mainly used by clients to detect changes of resources. The rule is, that if the content of a file changed the ETag has to change as well, as well as the ETag of all parent folders up to the root of the space. - -Infinite Scale uses a built in mechanism to maintain the ETag for each resource in the file meta data, and also propagates it automatically. 
- -A sophisticated underlying file system could provide an attribute that fulfills this requirement and changes whenever content or metadata of a resource changes, and - which is most important - also changes the attribute of the parent resource and the parent of the parent etc. - -### Automatic Tree Size Propagation - -Similar to the ETag propagation described before, Infinite Scale also tracks the accumulated tree size in all nodes of the file tree. A change to any file requires a re-calculation of the size attribute in all parent folders. - -Infinite Scale would benefit from file systems with native tree size propagation. - -### Quota - -Each space has it's own quota, thus every storage driver implementation needs to consider that. - -For example, IBM Spectrum Scale supports quota handling directly in the file system. - -Other systems store quota data in the metadata storage and implement propagation of used quota similar to the tree size propagation. - -### File ID Resolution - -Infinite Scale uses an ID based approach to work with resources, rather than a file path based mechanism. The reason for that is, that ID based lookups can be done way more efficiently compared to tree traversals, just to name one reason. - -The most important component of the ID is a unique file ID that identifies the resource within a space. Ideally the Inode of a file could be used here. However, some file systems re-use inodes which must be avoided. Infinite Scale thus does not use the file Inode, but generates a UUID instead. - -ID based lookups utilize an ID cache which needs to be shared between all storageprovider and dataprovider instances. During startup a scan of the whole file tree is performed to detect and cache new entities. - -In the future a powerful underlying file system could support Infinite Scale by providing an API that - -1. Provides the ID for a given file path referenced resource -2. Provides the path for a given ID. 
- -These two operations are very crucial for the performance of the entire system. - -### User Management - -With the requirement that data can be manipulated either through the filesystem or the Infinite Scale system, the question under which UID the manipulation happens is important. - -There are a few possible ways for user management: -1. Changes can either be only accepted by the same user that Infinite Scale is running under, for example the user `ocis`. All manipulations in the filesystem have to be done by, and only by this user. -2. Group based: All users who should be able to manipulate files have to be in a unix group. The Infinite Scale user has also to be member of that group. The default umask in the directory used has to allow group writing all over the place. -3. Impersonation: Infinite Scale impersonates the user who owns the folder on the file system to mimic the access as the user. - -All possibilities have pros and cons for operations. - -One for all, it seems reasonable to use LDAP to manage users which is the base for the Infinite Scale IDP as well as the system login system via PAM. - -### GID Based Space Access - -The Posix FS Storage Driver supports GID based space access to support the problem that project spaces might have to be accessible by multiple users on disk. In order to enable this feature the `ocis` binary needs to have the `setgid` capability and `STORAGE_USERS_POSIX_USE_SPACE_GROUPS` needs to be set to `true`. Inifinite Scale will then use the space GID (the gid of the space root) for all file system access using the `setfsgid` syscall, i.e. all files and directories created by Infinite Scale will belong to the same group as the space root. - -## Advanced Features - -Depending on the capabilities of the underlying file system, the Posix FS Storage Driver can benefit from more advanced functionality described here. 
- -### Versioning - -If the underlying file system is able to create versions of single resources (imagine a git based file system) this functionality could directly be used by Infinite Scale. - -In the current state of the Posix FS Storage Driver, versioning is not supported. - -### Trashbin - -If the underlying file system handles deleted files in a trash bin that allows restoring of previously removed files, this functionality could directly be used by Infinite Scale. - -If not available it will follow the [the Free Desktop Trash specificaton](https://specifications.freedesktop.org/trash-spec/trashspec-latest.html). - -## Limitations - -As of Q2/2024 the Posix FS Storage Driver is not officially supported and in technical preview state. - -The tech preview comes with the following limitations: - -1. Only inotify and GPFS file system change notification methods are supported -1. Versioning is not supported yet -1. The space/project folders in the filesystem are named after the UUID, not the real space name -1. No CephFS support yet -1. Postprocessing (ie. anti virus check) does not happen for file actions outside of Infinite Scale - -## Setup - -This describes the steps to use the Posix FS Storage Driver storage driver with Infinite Scale. - -It is possible to use different storage drivers in the same Infinite Scale installation. For example it is possible to set up one space running on Posix FS Storage Driver while others run Decomposed FS. - -### Prerequisites - -To use the Posix FS Storage Driver, the following prerequisites have to be fulfilled: - -1. There must be storage available to store meta data and blobs, available under a root path. -1. When using inotify, the storage must be local on the same machine. Network mounts do not work with inotify. `inotifywait` needs to be installed. -1. The storage root path must be writeable and executable by the same user Infinite Scale is running under. -1. 
An appropiate version of Infinite Scale is installed, version number 5.0.5 and later. -1. `nats-js-kv` as cache service - - -### Setup Configuration - -This is an example configuration with environment variables that configures Infinite Scale to use Posix FS Storage Driver for all spaces it works with, ie. Personal and Project Spaces: - -``` -export STORAGE_USERS_DRIVER="posix" -export STORAGE_USERS_POSIX_ROOT="/home/kf/tmp/posix-storage" -export STORAGE_USERS_POSIX_WATCH_TYPE="inotifywait" -export STORAGE_USERS_ID_CACHE_STORE="nats-js-kv" -export STORAGE_USERS_ID_CACHE_STORE_NODES="localhost:9233" - -# Optionally enable gid based space access -export STORAGE_USERS_POSIX_USE_SPACE_GROUPS="true" -``` - -## GPFS Specifics - -When using GPFS as the underlying filesystem the machine running the according `storage-users` service needs to have the GPFS filesystem mounted locally. The mount path is given to ocis as the `STORAGE_USERS_POSIX_ROOT` path. - -Other than that there a few other points to consider: - -### Extended Attributes - -As described above metadata is stored as extended attributes of the according entities and thus is suspect to their limitations. In GPFS extended attributes are first stored in the inode itself but can then also use an overflow block which is at least 64KB and up to the metadata block size. Inode and metadata block size should be chosen accordingly. - -### FS Watcher - -The Posix FS Storage Driver supports two different watchers for detecting changes to the filesystem. The watchfolder watcher is better tested and supported at that point. - -#### GPFS File Audit Logging - -The `gpfsfileauditlogging` watcher tails a GPFS file audit log and parses the JSON events to detect relevant changes. 
- -``` -export STORAGE_USERS_POSIX_WATCH_TYPE="gpfsfileauditlogging" -export STORAGE_USERS_POSIX_WATCH_PATH="/path/to/current/audit/log" -``` - -#### GPFS Watchfolder - -The `gpfswatchfolder` watcher connects to a kafka cluster which is being filled with filesystem events by the GPFS watchfolder service. - -``` -export STORAGE_USERS_POSIX_WATCH_TYPE="gpfswatchfolder" -export STORAGE_USERS_POSIX_WATCH_PATH="fs1_audit" # the kafka topic to watch -export STORAGE_USERS_POSIX_WATCH_FOLDER_KAFKA_BROKERS="192.168.1.180:29092" -``` diff --git a/docs/architecture/protocol-changes.md b/docs/architecture/protocol-changes.md deleted file mode 100644 index 4647dcf48f..0000000000 --- a/docs/architecture/protocol-changes.md +++ /dev/null @@ -1,200 +0,0 @@ ---- -title: "Protocol changes" -date: 2022-05-17T08:46:00+01:00 -weight: 30 -geekdocRepo: https://github.com/owncloud/ocis -geekdocEditPath: edit/master/docs/architecture -geekdocFilePath: protocol-changes.md ---- - -The spaces concept allows clients to look up the space endpoints a user has access to and then do individual sync discoveries. Technically, we introduce an indirection that allows clients to rely on server provided URLs instead of hardcoded `/webdav` or `/dav/files/{username}` paths, that may change over time. - -## Space discovery - -{{}} -%%{init: {"sequence": { "showSequenceNumbers":true, "messageFontFamily":"courier", "messageFontWeight":"normal", "messageFontSize":"11"}}}%% -%% font weight is a css bug: https://github.com/mermaid-js/mermaid/issues/1976 -%% edit this diagram by pasting it into eg. https://mermaid.live -sequenceDiagram - participant Client - participant Graph - participant SpaceA - participant SpaceB - links Client: {"web": "https://owncloud.dev/clients/web/", "RClone": "https://owncloud.dev/clients/rclone/"} - link Graph: Documentation @ https://owncloud.dev/extensions/graph/ - - Note left of Client: First, a clients looks
up the spaces a user has access to - opt space lookup - Client->>+Graph: GET /me/drives - Graph-->>-Client: 200 OK JSON list of spaces, say A, B and C,
each with a dedicated webDavURL, etag and quota - end - - Note left of Client: Then it can do a parallel
sync discovery on spaces
whose etag changed - par Client to Space A - Client->>+SpaceA: PROPFIND {webDavURL for Space A} - SpaceA-->>-Client: 207 Multistatus PROPFIND response - and Client to Space B - Client->>+SpaceB: PROPFIND {webDavURL for space B} - SpaceB-->>-Client: 207 Multistatus PROPFIND response - end -{{
}} - -### New /dav/spaces/{spaceid} endpoint with spaceid and a relative path - -The ocDAV service is responsible for translating ownCloud flavoured WebDAV into CS3 API calls. - -**General view** - -A PROPFIND finds its way to a storage provider like this: - -{{}} -%%{init: {"sequence": { "showSequenceNumbers":true, "messageFontFamily":"courier", "messageFontWeight":"normal", "messageFontSize":"11"}}}%% -%% font weight is a css bug: https://github.com/mermaid-js/mermaid/issues/1976 -%% edit this diagram by pasting it into eg. https://mermaid.live -sequenceDiagram - participant Client - participant ocDAV - participant StorageProvider - - Note right of Client: {spaceid} identifies the space
{relative/path} is relative to the space root - Client->>+ocDAV: PROPFIND /dav/space/{spaceid}/{relative/path} - Note right of ocDAV: translate ownCloud flavoured webdav
into CS3 API requests - ocDAV->>+StorageProvider: ListContainer({spaceid}, path: {relative/path}) - StorageProvider-->>-ocDAV: []ResourceInfo - ocDAV-->>-Client: 207 Multistatus -{{
}} - -While the above is a simplification to get an understanding of what needs to go where, there are several places where sharding can happen. - -**Proxy can do user based routing** - -The ocis proxy authenticates requests and can forward requests to different backends, depending on the logged-in user or cookies. For example multiple ocdav services can be configured to shard users based on username or affiliation. - -{{}} -%%{init: {"sequence": { "showSequenceNumbers":true, "messageFontFamily":"courier", "messageFontWeight":"normal", "messageFontSize":"11"}}}%% -%% font weight is a css bug: https://github.com/mermaid-js/mermaid/issues/1976 -%% edit this diagram by pasting it into eg. https://mermaid.live -sequenceDiagram - participant Client - participant proxy - participant ocDAV1 as ocDAV [a-k] - participant ocDAV2 as ocDAV [l-z] - - Note right of Client: {spaceid} identifies the space
{relative/path} is relative to the space root - Client->>+proxy: PROPFIND /dav/space/{spaceid}/{relative/path} - - alt username starting with a-k - proxy->>+ocDAV1: PROPFIND /dav/space/{spaceid}/{relative/path} - Note right of ocDAV1: translate ownCloud flavoured webdav
into CS3 API requests - ocDAV1-->>-Client: 207 Multistatus - else username starting with l-z - proxy->>+ocDAV2: PROPFIND /dav/space/{spaceid}/{relative/path} - ocDAV2-->>-Client: 207 Multistatus - end -{{
}} - -**Gateway can do path or storage provider id based routing** - -The reva gateway acts as a facade to multiple storage providers that can be configured with the storage registry: - -{{}} -%%{init: {"sequence": { "showSequenceNumbers":true, "messageFontFamily":"courier", "messageFontWeight":"normal", "messageFontSize":"11"}}}%% -%% font weight is a css bug: https://github.com/mermaid-js/mermaid/issues/1976 -%% edit this diagram by pasting it into eg. https://mermaid.live -sequenceDiagram - participant ocDAV - participant Gateway - participant StorageRegistry - participant StorageProvider1 as StorageProvider [a-k] - participant StorageProvider2 as StorageProvider [l-z] - - Note right of ocDAV: translate ownCloud flavoured webdav
into CS3 API requests - ocDAV->>+Gateway: ListContainer({spaceid}, path: {relative/path}) - Note right of Gateway: find address of the storage provider
that is responsible for the space - Gateway->>+StorageRegistry: ListStorageProviders({spaceid}) - StorageRegistry-->>-Gateway: []ProviderInfo - Note right of Gateway: forward request to
correct storage provider - alt username starting with a-k - Gateway->>+StorageProvider1: ListContainer({spaceid}, path: {relative/path}) - StorageProvider1-->>-Gateway: []ResourceInfo - else username starting with l-z - Gateway->>+StorageProvider2: ListContainer({spaceid}, path: {relative/path}) - StorageProvider2-->>-Gateway: []ResourceInfo - end - Gateway-->>-ocDAV: []ResourceInfo -{{
}} - - -### Old /dav/files/{username} endpoint with username and a path relative to the users home - -**PROPFIND request against old webdav endpoints** - -To route a PROPFIND request against the old webdav endpoints like `/dav/files/username`, ocdav first has to build a CS3 namespace prefix, e.g. `/users/{{.Id.OpaqueId}}` to the users home. - -{{}} -%%{init: {"sequence": { "showSequenceNumbers":true, "messageFontFamily":"courier", "messageFontWeight":"normal", "messageFontSize":"11"}}}%% -%% font weight is a css bug: https://github.com/mermaid-js/mermaid/issues/1976 -%% edit this diagram by pasting it into eg. https://mermaid.live -sequenceDiagram - participant Client - participant ocDAV - participant Gateway - - opt old /dav/files/{username} endpoint with username and a path relative to the users home - Note right of Client: translate ownCloud flavoured webdav
into CS3 API requests - Client->>+ocDAV: PROPFIND /dav/files/{username}/{relative/path} - Note right of ocDAV: translate ownCloud flavoured webdav
into CS3 API requests - ocDAV->>+Gateway: GetUser({username}) - Gateway-->>-ocDAV: User - Note right of ocDAV: build path prefix to user home - ocDAV->>+ocDAV: {namespace/prefix} = ApplyLayout({path layout}, User), eg. /users/e/einstein - Note right of ocDAV: look up the space responsible for a path - ocDAV->>+Gateway: ListStorageSpaces(path: {namespace/prefix}/{relative/path}) - Gateway-->>-ocDAV: []StorageSpace - Note right of ocDAV: make actual request with space and relative path - ocDAV->>+Gateway: ListContainer({spaceid}, path: {relative/path}) - Gateway-->>-ocDAV: []ResourceInfo - ocDAV-->>-Client: 207 Multistatus - end -{{
}} - -**Handling legacy global namespace webdav endpoints** - -The reason ocis uses a path based lookup instead of looking up the current users home using the user id and a space type filter is, because there are deployments that use a global namespace at the legacy `/webdav` endpoint. To support these use cases, the gateway allows looking up spaces using their mount path. - -{{}} -%%{init: {"sequence": { "showSequenceNumbers":true, "messageFontFamily":"courier", "messageFontWeight":"normal", "messageFontSize":"11"}}}%% -%% font weight is a css bug: https://github.com/mermaid-js/mermaid/issues/1976 -%% edit this diagram by pasting it into eg. https://mermaid.live -sequenceDiagram - participant Client - participant ocDAV - participant Gateway - - Note right of Client: translate ownCloud flavoured webdav
into CS3 API requests - alt old /dav/files/{username} endpoint with username and a path relative to the users home - Client->>+ocDAV: PROPFIND /dav/files/{username}/{relative/path} - Note right of ocDAV: look up {username} in URL path - ocDAV->>+Gateway: GetUser({username}) - Gateway-->>-ocDAV: User - Note right of ocDAV:build namespace prefix to user home - ocDAV->>+ocDAV: {namespace/prefix} = ApplyLayout({namespace layout}, User), eg. /users/e/einstein - else legacy /webdav/ endpoint with a path relative to the users home - Client->>+ocDAV: PROPFIND /webdav/{relative/path} - Note right of ocDAV: use currently logged in user - ocDAV->>+ocDAV: ContextGetUser() - Note right of ocDAV: build namespace prefix to user home - ocDAV->>+ocDAV: {namespace/prefix} = ApplyLayout({namespace layout}, User), eg. /users/e/einstein - else legacy /webdav/ endpoint with a path relative to a global namespace - Client->>+ocDAV: PROPFIND /webdav/{relative/path} - Note right of ocDAV: omit namespace prefix by using empty layout template - ocDAV->>+ocDAV: {namespace/prefix} = ApplyLayout("/", u), always returns "/" - end - Note right of ocDAV: look up the space responsible for a path - ocDAV->>+Gateway: ListStorageSpaces(path: {namespace/prefix}/{relative/path}) - Gateway-->>-ocDAV: []StorageSpace - Note right of ocDAV: make actual request with space and relative path - ocDAV->>+Gateway: ListContainer({spaceid}, path: {relative/path}) - Gateway-->>-ocDAV: []ResourceInfo - ocDAV-->>-Client: 207 Multistatus -{{
}} diff --git a/docs/architecture/services-communication.md b/docs/architecture/services-communication.md deleted file mode 100644 index f3e827426d..0000000000 --- a/docs/architecture/services-communication.md +++ /dev/null @@ -1,10 +0,0 @@ ---- -title: "Services Communication" -date: 2022-02-15T11:26:00+01:00 -weight: 30 -geekdocRepo: https://github.com/owncloud/ocis -geekdocEditPath: edit/master/docs/architecture -geekdocFilePath: services-communication.md ---- - -{{< figure src="/ocis/static/ocis-services-communication.drawio.svg" >}} diff --git a/docs/architecture/upload-processing.md b/docs/architecture/upload-processing.md deleted file mode 100644 index 7caca17ba6..0000000000 --- a/docs/architecture/upload-processing.md +++ /dev/null @@ -1,121 +0,0 @@ ---- -title: "Upload processing" -date: 2022-07-06T12:47:00+01:00 -weight: 30 -geekdocRepo: https://github.com/owncloud/ocis -geekdocEditPath: edit/master/docs/architecture -geekdocFilePath: upload-processing.md ---- - -Uploads are handled by a dedicated service that uses TUS.io for resumable uploads. When all bytes have been transferred the upload is finalized by making the file available in file listings and for download. - -The finalization may be asynchronous when mandatory workflow steps are involved. - -## Legacy PUT upload - -{{}} - -%%{init: {"sequence": { "showSequenceNumbers":true, "messageFontFamily":"courier", "messageFontWeight":"normal", "messageFontSize":"11"}}}%% -%% font weight is a css bug: https://github.com/mermaid-js/mermaid/issues/1976 -%% edit this diagram by pasting it into eg. https://mermaid.live -sequenceDiagram - participant Client - participant ocdav - participant storageprovider - participant dataprovider - - Client->>+ocdav: PUT /dav/spaces/{spaceid}/newfile.bin - ocdav->>+storageprovider: InitiateFileUpload - storageprovider-->>-ocdav: OK, Protocol simple, UploadEndpoint: /data, Token: {jwt} - Note right of ocdav: The {jwt} contains the internal actual target, eg.:
http://localhost:9158/data/simple/91cc9882-db71-4b37-b694-a522850fcee1 - ocdav->>+dataprovider: PUT /data
X-Reva-Transfer: {jwt} - dataprovider-->>-ocdav: 201 Created - ocdav-->>-Client: 201 Created - -{{
}} - -## TUS upload - -{{}} - -%%{init: {"sequence": { "showSequenceNumbers":true, "messageFontFamily":"courier", "messageFontWeight":"normal", "messageFontSize":"11"}}}%% -%% font weight is a css bug: https://github.com/mermaid-js/mermaid/issues/1976 -%% edit this diagram by pasting it into eg. https://mermaid.live -sequenceDiagram - participant Client - participant ocdav - participant storageprovider - participant datagateway - participant dataprovider - - - Client->>+ocdav: POST /dav/spaces/{spaceid}
Upload-Metadata: {base64 encoded filename etc}
TUS-Resumable: 1.0.0 - ocdav->>+storageprovider: InitiateFileUpload - storageprovider-->>-ocdav: OK, Protocol tus, UploadEndpoint: /data, Token: {jwt} - Note right of ocdav: The {jwt} contains the internal actual target, eg.:
http://localhost:9158/data/tus/24d893f5-b942-4bc7-9fb0-28f49f980160 - ocdav-->>-Client: 201 Created
Location: /data/{jwt}
TUS-Resumable: 1.0.0 - - Client->>+datagateway: PATCH /data/{jwt}
TUS-Resumable: 1.0.0
Upload-Offset: 0 - Note over datagateway: unwrap the {jwt} target - datagateway->>+dataprovider: PATCH /data/tus/24d893f5-b942-4bc7-9fb0-28f49f980160
X-Reva-Transfer: {jwt} - Note over dataprovider: storage driver
handles request - dataprovider-->>-datagateway: 204 No Content
TUS-Resumable: 1.0.0
Upload-Offset: 363976 - datagateway-->>-Client: 204 No Content
TUS-Resumable: 1.0.0
Upload-Offset: 363976 - -{{
}} - - -## TUS upload with async postprocessing - - - -{{}} - -%%{init: {"sequence": { "showSequenceNumbers":true, "messageFontFamily":"courier", "messageFontWeight":"normal", "messageFontSize":"11"}}}%% -%% font weight is a css bug: https://github.com/mermaid-js/mermaid/issues/1976 -%% edit this diagram by pasting it into eg. https://mermaid.live -sequenceDiagram - participant Client - participant ocdav - participant storageprovider - participant datagateway - participant dataprovider - participant nats - - - Client->>+ocdav: POST /dav/spaces/{spaceid}
Upload-Metadata: {base64 encoded filename etc}
TUS-Resumable: 1.0.0 - ocdav->>+storageprovider: InitiateFileUpload - storageprovider-->>-ocdav: OK, Protocol tus, UploadEndpoint: /data, Token: {jwt} - Note right of ocdav: The {jwt} contains the internal actual target, eg.:
http://localhost:9158/data/tus/24d893f5-b942-4bc7-9fb0-28f49f980160 - ocdav-->>-Client: 201 Created
Location: /data/{jwt}
TUS-Resumable: 1.0.0 - - Client->>+datagateway: PATCH /data/{jwt}
TUS-Resumable: 1.0.0
Upload-Offset: 0 - - Note over datagateway: unwrap the {jwt} target - datagateway->>+dataprovider: PATCH /data/tus/24d893f5-b942-4bc7-9fb0-28f49f980160
X-Reva-Transfer: {jwt} - Note over dataprovider: storage driver
handles request - dataprovider-)nats: emit all-bytes-received event - nats-)processing: all-bytes-received({uploadid}) event - Note over dataprovider: TODO: A lot of time may pass here, we could use
the `Prefer: respond-async` header to return early
with a 202 Accepted status and a Location header
to a websocket endpoint - alt success - processing-)nats: emit processing-finished({uploadid}) event - nats-)dataprovider: processing-finished({uploadid}) event - dataprovider-->>-datagateway: 204 No Content
TUS-Resumable: 1.0.0
Upload-Offset: 363976 - datagateway-->>-Client: 204 No Content
TUS-Resumable: 1.0.0
Upload-Offset: 363976 - else failure - activate dataprovider - activate datagateway - processing-)nats: emit processing-aborted({uploadid}) event - nats-)dataprovider: processing-aborted({uploadid}) event - Note over dataprovider: FIXME: What HTTP status code should we report?
422 Unprocessable Content is just a proposal, see
https://httpwg.org/specs/rfc9110.html#status.422 - dataprovider-->>-datagateway: 422 Unprocessable Content
TUS-Resumable: 1.0.0
Upload-Offset: 363976 - datagateway-->>-Client: 422 Unprocessable Content
TUS-Resumable: 1.0.0
Upload-Offset: 363976 - end - -{{
}}
-
-
-## Async TUS upload with postprocessing
-This might be a TUS extension or a misunderstanding on our side of what tus can do for us. Clients should send a `Prefer: respond-async` header to allow the server to return early when postprocessing might take longer. The PATCH requests can then return status `202 Accepted` and a `Location` header to a websocket that clients can use to track the processing / upload progress.
-
-TODO there is a conflict with the TUS.io POST request with the creation extension, as that also returns a `Location` header which carries the upload URL. We would need another header to transport the websocket location. Maybe `Websocket-Location` or `Progress-Location`?
diff --git a/docs/clients/_index.md b/docs/clients/_index.md
deleted file mode 100644
index 0370bab5eb..0000000000
--- a/docs/clients/_index.md
+++ /dev/null
@@ -1,9 +0,0 @@
----
-title: Clients
-date: 2023-12-06T13:00:00+01:00
-weight: 10
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/clients/
-geekdocFilePath: _index.md
-geekdocCollapseSection: true
----
diff --git a/docs/clients/rclone/_index.md b/docs/clients/rclone/_index.md
deleted file mode 100644
index 9190aee312..0000000000
--- a/docs/clients/rclone/_index.md
+++ /dev/null
@@ -1,25 +0,0 @@
----
-title: Rclone
-date: 2021-11-17T00:00:00+00:00
-weight: 20
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/clients/rclone
-geekdocFilePath: _index.md
-geekdocCollapseSection: true
----
-
-## About Rclone
-
-{{< hint ok >}}
-Rclone is a command line program to manage files on cloud storage. It is a feature rich alternative to cloud vendors' web storage interfaces. Over 40 cloud storage products support rclone including S3 object stores, business & consumer file storage services, as well as standard transfer protocols.
-
-Rclone has powerful cloud equivalents to the unix commands rsync, cp, mv, mount, ls, ncdu, tree, rm, and cat. Rclone's familiar syntax includes shell pipeline support, and --dry-run protection. It is used at the command line, in scripts or via its API.
-
-Users call rclone "The Swiss army knife of cloud storage", and "Technology indistinguishable from magic".
-{{< /hint >}}
-
-Source: [Rclone project website](https://rclone.org/)
-
-## Table of Contents
-
-{{< toc-tree >}}
\ No newline at end of file
diff --git a/docs/clients/rclone/webdav-sync-basic-auth.md b/docs/clients/rclone/webdav-sync-basic-auth.md
deleted file mode 100644
index e922a156f3..0000000000
--- a/docs/clients/rclone/webdav-sync-basic-auth.md
+++ /dev/null
@@ -1,46 +0,0 @@
----
-title: WebDAV with Basic Authentication
-date: 2021-11-17T00:00:00+00:00
-weight: 20
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/clients/rclone
-geekdocFilePath: webdav-sync-basic-auth.md
-geekdocCollapseSection: true
----
-
-
-## WebDAV with Basic Authentication
-
-{{< hint danger >}}
-Basic Authentication is disabled by default in oCIS because of security considerations. In order to make the following Rclone commands work the oCIS administrator needs to enable Basic Authentication e.g. by setting the environment variable `PROXY_ENABLE_BASIC_AUTH` to `true`.
-
-Please consider to use [Rclone with OpenID Connect]({{< ref "webdav-sync-oidc.md" >}}) instead.
-{{< /hint >}}
-
-For the usage of a WebDAV remote with Rclone see also the [Rclone documentation](https://rclone.org/webdav/)
-
-## Configure the WebDAV remote
-
-First of all we need to set up our credentials and the WebDAV remote for Rclone. In this example we do this by setting environment variables. You might also set up a named remote or use command line options to achieve the same.
-
-``` bash
-export RCLONE_WEBDAV_VENDOR=owncloud
-export RCLONE_WEBDAV_URL=https://ocis.owncloud.test/remote.php/webdav/
-export RCLONE_WEBDAV_USER=einstein
-export RCLONE_WEBDAV_PASS=$(rclone obscure relativity)
-```
-
-{{< hint info >}}
-Please note that `RCLONE_WEBDAV_PASS` is not set to the actual password, but to the value returned by `rclone obscure `.
-{{< /hint >}}
-
-We now can use Rclone to sync the local folder `/tmp/test` to `/test` in your oCIS home folder.
-
-
-### Sync to the WebDAV remote
-
-``` bash
-rclone sync :local:/tmp :webdav:/test
-```
-
-If your oCIS doesn't use valid SSL certificates, you may need to use `rclone --no-check-certificate sync ...`.
diff --git a/docs/clients/rclone/webdav-sync-oidc.md b/docs/clients/rclone/webdav-sync-oidc.md
deleted file mode 100644
index a64b32e48b..0000000000
--- a/docs/clients/rclone/webdav-sync-oidc.md
+++ /dev/null
@@ -1,77 +0,0 @@
----
-title: WebDAV with OpenID Connect
-date: 2021-11-17T00:00:00+00:00
-weight: 20
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/clients/rclone
-geekdocFilePath: webdav-sync-oidc.md
-geekdocCollapseSection: true
----
-
-
-## WebDAV with OpenID Connect
-
-Rclone itself is not able to open and maintain an OpenID Connect session. But it is able to still use OpenID Connect for authentication by leveraging a so called OIDC-agent.
-
-### Setting up the OIDC-agent
-
-You need to install the [OIDC-agent](https://github.com/indigo-dc/oidc-agent) from your OS' package repository (e.g. [Debian](https://github.com/indigo-dc/oidc-agent#debian-packages) or [MacOS](https://github.com/indigo-dc/oidc-agent#debian-packages)).
-
-
-### Configuring the OIDC-agent
-
-Run the following command to add a OpenID Connect profile to your OIDC-agent. It will open the login page of OpenID Connect identity provider where you need to log in if you don't have an active session.
-
-``` bash
-oidc-gen \
- --client-id=oidc-agent \
- --client-secret="" \
- --pub \
- --issuer https://ocis.owncloud.test \
- --redirect-uri=http://localhost:12345 \
- --scope max \
- einstein-ocis-owncloud-test
-```
-
-If you have dynamic client registration enabled on your OpenID Connect identity provider, you can skip the `--client-id`, `--client-secret` and `--pub` options.
-
-If you're using a dedicated OpenID Connect client for the OIDC-agent, we recommend a public one with the following two redirect URIs: `http://127.0.0.1:*` and `http://localhost:*`. 
Alternatively you also may use the already existing OIDC client of the ownCloud Desktop Client (`--client-id=xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69` and `--client-secret=UBntmLjC2yYCeHwsyj73Uwo9TAaecAetRwMw0xYcvNL9yRdLSUi0hUAHfvCHFeFh`, no `--pub` set, request specific scope for offline access), e.g.:
-``` bash
-oidc-gen \
- --client-id=xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69 \
- --client-secret=UBntmLjC2yYCeHwsyj73Uwo9TAaecAetRwMw0xYcvNL9yRdLSUi0hUAHfvCHFeFh \
- --issuer https://cloud.ocis.test \
- --redirect-uri=http://localhost:12345 \
- --scope="openid offline_access profile email" \
- my-client
-```
-
-When using a self signed certificate you have to provide the certificate chain using `--cp /etc/ssl/certs/test.cert.pem`. In case oidc-gen cannot determine the flow try with `--flow=code`.
-
-Please also note that the OIDC-agent will listen on your localhost interface on port 12345 for the time of the initial authentication. If that port is already occupied on your machine, you can easily change that by setting the `--redirect-uri` parameter to a different value.
-
-After a successful login or an already existing session you will be redirected to success page of the OIDC-agent.
-You will now be asked for a password for your account configuration, so that your OIDC session is secured and cannot be used by other people with access to your computer.
-
-
-
-## Configure the WebDAV remote
-
-First of all we need to set up our credentials and the WebDAV remote for Rclone. In this example we do this by setting environment variables. You might also set up a named remote or use command line options to achieve the same. 
-
-``` bash
-export RCLONE_WEBDAV_VENDOR=owncloud
-export RCLONE_WEBDAV_URL=https://ocis.owncloud.test/remote.php/webdav/
-export RCLONE_WEBDAV_BEARER_TOKEN_COMMAND="oidc-token einstein-ocis-owncloud-test"
-```
-
-
-### Sync to the WebDAV remote
-
-We now can use Rclone to sync the local folder `/tmp/test` to `/test` in your oCIS home folder.
-
-``` bash
-rclone sync :local:/tmp :webdav:/test
-```
-
-If your oCIS doesn't use valid SSL certificates, you may need to use `rclone --no-check-certificate sync ...`.
diff --git a/docs/helpers/README.md b/docs/helpers/README.md
deleted file mode 100644
index 4e56011f60..0000000000
--- a/docs/helpers/README.md
+++ /dev/null
@@ -1,230 +0,0 @@ -# Docs Helpers - - * [Introduction](#introduction) - * [Output Generated](#output) - * [Admin Doc Process](#admin-doc-process) - * [Branching](#branching) - * [Service-Dependent Output](#service-dependent-output) - * [Generate Envvar Docs for Config Structs](#generate-envvar-docs-for-config-structs) - * [Deprecation Process](#deprecation-process) - * [Global Envvars](#global-envvars) - * [Extended Envvars](#extended-envvars) - * [General Extended Envvars Info](#general-extended-envvars-info) - * [Extract Extended Envvars](#extract-extended-envvars) - * [Generate Extended Envvar Docs](#generate-extended-envvar-docs) - * [Tasks for New Releases](#tasks-for-new-releases) - * [Backporting](#backporting) - -## Introduction - -`docs/helpers` contains a go program named `main.go` which creates docs by extracting information from the code using additional go programs. Individual steps (programs) can be called manually if needed. Note that not all programs are called automatically on purpose, see the [Tasks for New Releases](#tasks-for-new-releases) below. `main.go` is used by `make docs-generate` (or `make -C docs docs-generate` when running manually from the repos root) which is triggered by the CI or can be called manually. It calls the other required programs and has these main responsibilities for automatic runs: - -- Generate docs for envvars in config structs including deprecations if there are any. -- Extract and generate docs for `extended` envvars that are not mentioned in config structs (aka "rogue" envvars). -- Extract and generate docs for `global` envvars which occur in multiple services. -- Create `docs/service//_index.md` from `service//README.md` files while keeping the existing `_index.md` if the service README.md has not been created so far. Also see the important note at [docs README](../README.md). 
- -## Output Generated - -- The generated yaml files can be found at: `docs/services/_includes` when running locally respectively in the `docs branch` after the CI has finished. -- The generated adoc files can be found at: `docs/services/_includes/adoc` when running locally respectively in the `docs branch` after the CI has finished. -- The file name for global envvars is named: `global_configvars.adoc`. -- The file name for extended envvars is named: `extended_configvars.adoc`. -- A file named `docs/helpers/env_vars.yaml` containing envvar changes gets updated if changes have been identified. -- A file named `docs/helpers/extended_vars.yaml` containing changes for extended envvars gets updated if changes have been identified. Note, if changes appear, **this file needs manual treatment** before committing, see [Extended Envvars](#extended-envvars) below. - -## Admin Doc Process - -Whenever a build from the [ocis admin](https://github.com/owncloud/docs-ocis) documentation or any other admin related documentation is triggered, files generated here in the ocis repo are included into the build process and added in a proper manner defined by the admin documentation. The updated documentation will then show up on the public [admin documentation](https://doc.owncloud.com/ocis/next/). - -## Branching - -The following is valid for envvars and yaml files related to the doc process: - -* When filing a pull request in the ocis master branch relating to docs, CI runs `make docs-generate` and copies the result into the `docs` branch of ocis. This branch is then taken as base for owncloud.dev and as reference for the [admin docs](https://doc.owncloud.com/ocis/next/). -* When running `make docs-generate` _locally_, the same output is created as above but it stays in the same branch where the make command was issued. - -In both cases, `make docs-generate` removes files in the target folder `_includes` to avoid remnants. All content is recreated. 
- -On a side note (unrelated to the `docs` branch), [deployment examples](https://github.com/owncloud/ocis/tree/master/deployments/examples) have their own branch related to an ocis stable version to keep the state consistent, which is necessary for the admin documentation. - -## Service-Dependent Output - -For each service available, a file named like `_configvars.adoc` is created containing a: - -* table on top defining deprecated envvars - if applicable -* table containing all envvars with their name, type, default value and description - -The table with deprecations is always printed in the final adoc file even if there are none, but is rendered in the docs build process only if the `HasDeprecations` value is set. This value is automatically handed over via the adoc file. The template file can be found at `docs/templates/ADOC.tmpl`. - -### Generate Envvar Docs for Config Structs - -Generates docs from a template file, mainly extracting `"env"` and `"desc"` tags from the config structs. - -Templates can be found in `docs/helpers` folder. (Same as this `README`.) Check `.tmpl` files - -### Deprecation Process - -For details on deprecation see the [deprecating-variables](https://github.com/owncloud/ocis/blob/master/docs/ocis/development/deprecating-variables.md) documentation. - -## Global Envvars - -Global envvars are gathered by checking if the envvar is available in more than one service. The table created is similar to the service-dependent envvar table but additionally contains a column with all service names where this envvar occurs. The output is rendered in list form where each item is clickable and automatically points to the corresponding service page. The template file can be found at `docs/templates/ADOC_global.tmpl`. - -If global envvars do not appear in the list of globals, before checking if the code works, do a manual search in the ocis/services folder with `grep -rn OC_xxx` if the envvar in question appears at least twice. 
If the envvar only appears once, the helpers code works correct. - -## Extended Envvars - -### General Extended Envvars Info - -"Extended" envvars are variables that need to be present *before* the core or services are starting up as they depend on the info provided like path for config files etc. Therefore they are _not_ bound to services like other envvars. Extended envvars are identified via `os.Getenv`, usually defined via a subfolder of `ocis-pkg`. The real envvar name name cant be automatically assigned and needs to be manually defined via the code in the `extended_vars.yaml` file. - -It can happen that extended envvars are found but do not need to be published as they are for internal use only. Those envvars can be defined to be ignored for further processing. - -**IMPORTANT:** - -- **First Time Identification**\ - Once an extended envvar has been identified, it is added to the `extended_vars.yaml` file found, but never changed or touched by the process anymore. There is one exception with respect to single/double quote usage. While you can (and will) manually define a text like: `"'/var/lib/ocis'"`, quotes are transformed by the process in the .yaml file to: `'''/var/lib/ocis'''`. There is no need to change this back, as the final step transforms this correctly for the adoc table. - -- **Item Naming**\ - An extended envvar may not have the right naming. It may appear as `name: _registryEnv`. In case, this envvar needs to be named properly like `name: MICRO_REGISTRY` which can only be done in close alignment with development. - -- **Item Uniqueness**\ - The identification, if an envvar is already present in the yaml file, is made via the `rawname` and the `path` identifier which includes the line number. 
**If there is a change in the source file shifting line numbers, new items will get added and old ones do not get touched.** Though technically ok, this can cause confusion to identify which items are correctly present or just added additionally just be cause code location has changed. If there are multiple occurrences of the same `rawname` value, check which one contains relevant data and set `do_ignore` to `false` and all others to `true`. When there are two identical blocks with different source references, mostly the one containing a proper `default_value` is the active one. Populate the false block with the envvar data to be used. - -- **Fixing Items**\ - If an item has been identified as additionally added because there was a change in the code location, it is mostly sufficient to just fix the line number in the `path` key of the existing/correct one and double check by removing the newly added ones. Then, re-run `make docs-generate`. If the fix was correct, no new items of the same will re-appear. - -- **Remove Orphaned Items**\ - To get rid of items with wrong line numbers, check `rawname` the `path` and correct the _existing ones_, especially the one containing the description and which is marked `do_ignore` false. Only items that have a real line number match need to be present, orphaned items can safely be removed. You can double-check valid items by creating a dummy branch, delete the `extended_vars.yaml` and run `make docs-generate` to regenerate the file having only items with valid path references. With that info, you can remove orphaned items from the live file. Note to be careful on judging only on `foundincode` set to false indicating an item not existing anymore. Fix all items first, when rerunning `make docs-generate`, this may change back to true! - -- **Sort Ordering**\ - Do not change the sort order of extended envvar blocks as they are automatically reordered alphabetically. 
- -- **Mandatory Key Values**\ - Because extended envvars do not have the same structural setup as "normal" envvars (like type, description or defaults), this info needs to be provided manually once - for each valid block. Any change of this info will be noticed during the next CI run, the corresponding adoc file generated, changes transported to the docs branch and published in the next admin docs build. See the following example with all keys listed and populated: - ```yaml - rawname: registryAddressEnv - path: ocis-pkg/registry/registry.go:44 - foundincode: true - name: MICRO_REGISTRY_ADDRESS - type: string - default_value: "" - description: The bind address of the internal go micro framework. Only change on - supervision of ownCloud Support. - do_ignore: false - ``` - -### Extract Extended Envvars - -The grep command parses the code, looking for `os.Getenv` and passes these contents to a yaml file along with the following information: -```golang -// Variable contains all information about one rogue envvar -type Variable struct { - // These field structs are automatically filled: - // RawName can be the name of the envvar or the name of its var - RawName string `yaml:"rawname"` - // Path to the envvar with linenumber - Path string `yaml:"path"` - // FoundInCode indicates if the variable is still found in the codebase. 
- FoundInCode bool `yaml:"foundincode"` - // Name is equal to RawName but will not be overwritten in consecutive runs - Name string `yaml:"name"` - - // These field structs need manual filling: - // Type of the envvar - Type string `yaml:"type"` - // DefaultValue of the envvar - DefaultValue string `yaml:"default_value"` - // Description of what this envvar does - Description string `yaml:"description"` - // Do not export this envvar into the generated adoc table - Ignore bool `yaml:"do_ignore"` - - // For simplicity ignored for now: - // DependendServices []Service `yaml:"dependend_services"` -} -``` - -This yaml file can later be manually edited to add descriptions, default values, etc. - -**IMPORTANT**: `RawName`, `Path` and `FoundInCode` are automatically filled by the program. DO NOT EDIT THESE VALUES MANUALLY. - -### Generate Extended Envvar Docs - -The process further picks up the `yaml` file generated in the `Extract Rogue Envvars` step and renders it to an adoc file (a table is created) using a go template. The template file for this step can be found at `docs/templates/ADOC_extended.tmpl`. - -## Doc Tasks for New Releases - -**IMPORTANT**\ -For a new ocis release, some tasks are necessary to be done **before** and **after** releasing. Follow the steps carefully to avoid issues. Most of the docs related tasks are not part of the CI. With each step finished successfully, the next step can be started. Sometimes, due to last minute changes, steps need to be redone! - -**Backgroud Information**\ -Admin docs rely on the existance of the following branches in the ocis repo. Note that the reference in the admin docs which ocis branch is accessed is defined in the `antora.yml` file via `attributes` existing in each branch. - -* `docs`\ -This reflects ocis master and is referenced from the admin docs from the master branch showing as `next` in the documentation. 
-* `docs-stable-x.y`\ -This reflects a published ocis release and is referenced from the admin docs from the corresponding branch showing like `7.0` - -Because of this, branching and parametrizing admin docs occurs **after** branching an ocis release with its necessary branches! If you branch admin docs before the required ocis branches are available, you must set the ocis source branch to import data from to `docs` and reconfigure afterwards. - -**Notes** -* When docs relevant data will be generated in ocis, they will be written into the `docs/servcies/...` folder structure, but they are in the master branch. When merging, an automated process will move/copy them into the `docs`branch. When running make commands locally, the relocation is not done and files reside on the generated location! - -* .adoc file generation - * Service related adoc files are autogenerated and saved in `/docs/services/` but will be _relocated_ by each merge into the docs branch into a subfolder named `services/_include/adoc/`. - * Release based envvar changes are saved during manual generation in `/docs/services/general-info/env-var-deltas/` but will be _copied_ on each merge into the doc branch into a subfolder named `services/_include/adoc/env-var-deltas/`. - -* Exclude paths for Hugo - * The paths defined above for .adoc files are excluded from parsing by Hugo. The source of what to exclude is defined in the `config.yaml` file located in [owncloud.github.io](https://github.com/owncloud/owncloud.github.io/). Any folder containg .adoc files must be added there else `make -C docs docs-serve` or CI will fail reporting an adoc related parsing error. (We could also add an asciidoc parser to Hugo as alternative...) - -### Task List - -The following can be done at any time but it must be done *latest* when no envvar changes are made which is just before a new release gets finally tagged. The data generated **must** be part of the upcoming release and be merged before tagging/branching! 
- -**Before Releasing** Generate required .adoc files necessary for the admin docs - -* Run from the ocis root `make -C docs docs-generate` - * **Check for Extended Envvars**\ -Check if there is a change in the `extended-envars.yaml` output. In this case, process [Extended Envvars](#extended-envvars). When done, re-run the make command and check if the output of `./docs/services/_includes/adoc/extended_configvars.adoc` matches the expectations. - * **Check for a changed 'env_vars.yaml' File**\ -This file will most likely show changes and merging them is essential as base for added/removed or deprecated envvars. This file will get additions/updates only, but things never get automatically deleted. - * **Mandatory for a new release**, remove all envvars from the `env_vars.yaml` file manually that have been removed from the code, either with or without deprecation. - - Commit the changes, create a PR and merge it. Next steps are based on this! - -* Create added/removed and deprecated envvar .adoc files between versions containing includable tables pulled by the admin docs. - * Parametrize variables in `docs/helpers/changed_envvars.py` according your needs necessary to generate proper output. - * Create a branch and run from the ocis root `python3 docs/helpers/changed_envvars.py`\ - This will create three files that need manual treatment before committing/merging. Note that this script accesses sources from github and not locally, therefore an actual `env_vars.yaml` in github is essential. - * Check the output of all three files and fix/delete any envvar in `env_vars.yaml` if required. If fixes have been done, the changed `env_vars.yaml` file **MUST** be _merged_ first, you must rebase and rerun the python script. - * If all three files contain correct data, manually set the xrefs. This cant be done automatically. Use one of the existing `added` files as template to generate a consistent output. 
- * Merge the three files and rerun the python script to prove all has been done correctly. You should now see only changes in xrefs as they get overwritten by default data. If this is the case, you can safely drop the generated changes. - -**After Releasing** Generate required .md files necessary for the dev docs - -Similar to the Asciidoc files for the admin docs, Markdown files necessary for the dev docs need to be generated. The program for this is written in go and currently does not compare versions but only checks the introduction version. This is sufficient for devs as details necessary for migration documentation is done via the .adoc files in the admin docs. - -* In `./docs/helpers` run: `go run . --help`\ - This will give you an overview of available commands. - * Because `env_vars.yaml` has been cleaned up as part of the _before release_ tasks above, we can rely on its actuality for the branches to be compared. - * Create delta files for added, removed and deprecated envvars. To do so type:\ - `go run . env-var-delta-table` and use as parameter the versions you want to compare. Example: `v5.0.0 v7.0.0`. - * List and check the files created in `./docs/helpers/output/env-deltas/`. The markdown files created contain a table with dev relevant data. Any other files created are not relevant and can safely be deleted. - * Create a branch and move the markdown files from `./docs/helpers/output/env-deltas/` to `./docs/services/general-info/env-var-deltas/`. The markdown files will be consumed by dev docs from this location. - - -* Commit all changes, create a PR and merge. Dev docs is now up-to-date. - -## Backporting - -The ocis repo contains branches which are necessary for the documentation. The `docs` branch is related to changes in master, necessary for owncloud.dev and the admin docs referencing master content when it comes to envvars and yaml files. 
- -Cases for a backport can be a typo in an envvar description you want to have fixed in a stable branch too or a file was created after the stable branch was set up but needs to be available in that branch. - -When a new stable ocis release (branch) is published, like `stable-5.0`, an additional branch (including CI) is set up manually by the dev team for referencing docs content like `docs-stable-5.0` - related to envvars and yaml files only - and added to the CI. - -In case it is necessary to transport a change from master to a stable branch like `docs-stable-5.0`, you must backport the original changes that will create that file to the `stable-5.0` branch. The CI will then take care of creating the results in the target `docs-stable-5.0`. - -If the change is expected to have a bigger impact on documenation, you can locally run `make -C docs docs-generate` in the respective branch containing the changes or independently in the `stable-x.y` branch after merging to see if there are additional actions necessary and changed files may need to get checked in. diff --git a/docs/helpers/changed_envvars.py b/docs/helpers/changed_envvars.py deleted file mode 100644 index 4890a276f5..0000000000 --- a/docs/helpers/changed_envvars.py +++ /dev/null 
@@ -1,221 +0,0 @@ -import yaml -import sys -import os -from datetime import date -from urllib.request import urlopen - -## this python script generates based on defined variables adoc files for added, removed and deprecated -## envvars based on the env_vars.yaml that must exist in each referenced version. -## it is CRUCIAL that the version compared TO is actual - do required updates first! -## note that env_vars.yaml has been introduced with v6.0.0, comparing earlier is not possible -## note that we are always comparing from github sources and NOT local files - -## when the files got created, you MUST do some post work manually like referencing services with xref: -## when running, files get recreated, existing content gets overwritten!! - -## you MUST run this script from the local ocis repo root !! -## like: python3 docs/helpers/changed_envvars.py -## create a branch to prepare the changes - -# CHANGE according your needs -# old is the base version to compare from -# new is the target version to compare to -# tagged versions must be of format: 'tags/v6.0.0' -# master is different, it must be: 'heads/master' -versionOld = 'tags/v7.0.0' -versionNew = 'heads/master' - -# CHANGE according your needs -from_version = '7.0.0' -to_version = '7.1.0' - -# CHANGE according your needs -# this will create files like 5.0.0-7.0.0-added and 5.0.0-7.0.0-removed -# this should match which versions you compare. master is ok if that is the base for a named release -nameComponent = '7.0.0-7.1.0' - -# ADD new elements when a new version has been published so that it gets excluded -# array of version patterns to be excluded for added items. 
we dont need patch versions -excludePattern = ['pre5.0', '5.0', '6.0', '6.0.0', '6.0.1', '6.1.0', '6.7', '7.0', '7.0.0'] - -# DO NOT CHANGE -# this is the path the added/removed result is written to -adocWritePath = 'docs/services/general-info/env-var-deltas' - -addedWith = {} -removedWith = {} -deprecatedWith = {} - -def check_path(): - # check which path the script started. we can do this because the target path must be present - # exit if not present - if not os.path.exists(adocWritePath): - print('Path not found: ' + adocWritePath) - sys.exit() - -def get_sources(versionOld, versionNew): - # get the sources from github - git_bleft_dir = 'https://raw.githubusercontent.com/owncloud/ocis/refs/' - git_right_dir ='/docs/helpers/env_vars.yaml' - - urlOld = git_bleft_dir + versionOld + git_right_dir - urlNew = git_bleft_dir + versionNew + git_right_dir - - try: - fileOld = urlopen(urlOld).read().decode('utf-8') - fileNew = urlopen(urlNew).read().decode('utf-8') - return yaml.safe_load(fileOld), yaml.safe_load(fileNew) - - except Exception as e: - print(e) - sys.exit() - -def get_added(fileNew, excludePattern): - # create dict with added items - addedWith = {} - for key, value in fileNew.items(): - if not fileNew[key]['introductionVersion'] in str(excludePattern): - addedWith[key] = value - return addedWith - -def get_removed(fileOld, fileNew): - # create dict with removed items - removedWith = {} - for key, value in fileOld.items(): - if not key in fileNew: - removedWith[key] = value - return removedWith - -def get_deprecated(fileNew): - # create dict with deprecated items - deprecatedWith = {} - for key, value in fileNew.items(): - if value['removalVersion']: - deprecatedWith[key] = value - return deprecatedWith - -def create_adoc_start(type_text, from_version, to_version, creation_date, columns, closing): - # create the page/table header - # 'closing' contains variable column names dependen if added/removed ir deprecated - a = '''// # {ftype} Variables between oCIS 
{ffrom} and oCIS {fto} -// commenting the headline to make it better includable - -// table created per {fdate} -// the table should be recreated/updated on source () changes - -[width="100%",cols="{fcolumns}",options="header"] -|=== -| Service | Variable | Description | {fclosing} - -'''.format(ftype = type_text, ffrom = from_version, fto = to_version, fdate = creation_date, fcolumns = columns, fclosing = closing) - return a - -def create_adoc_end(): - # close the table - a = '''|=== - -''' - return a - -def add_adoc_line_1(service, variable, description, value): - # add a table line for added/removed - # the dummy values are only here to have the same number of parameters as add_adoc_line_2 - a = '''| {fservice} -| {fvariable} -| {fdescription} -| {fvalue} - -'''.format(fservice = service, fvariable = variable, fdescription = description, fvalue = value) - return a - -def add_adoc_line_2(service, variable, description, removalVersion, deprecationInfo): - # add a table line for deprecated, this has different columns - a = '''| {fservice} -| {fvariable} -| {fdescription} -| {fremovalVersion} -| {fdeprecationInfo} - -'''.format(fservice = service, fvariable = variable, fdescription = description, fremovalVersion = removalVersion, fdeprecationInfo = deprecationInfo) - return a - -def create_table(type_text, source_dict, from_version, to_version, date_today, type = False): - # get the table header - columns = '~,~,~,~' if type == False else '~,~,~,~,~' - closing = 'Default' if type == False else 'Removal Version | Deprecation Info' - a = create_adoc_start(type_text, from_version, to_version, date_today, columns, closing) - - if not type: - # added and removed envvars - # first add all ocis_ - for key, value in source_dict.items(): - if key.startswith('OC_'): - a += add_adoc_line_1( - 'xref:deployment/services/env-vars-special-scope.adoc[Special Scope Envvars]', - key, - value['description'], - value['defaultValue'] - ) - # then add all others - for key, value in 
source_dict.items(): - if not key.startswith('OC_'): - a += add_adoc_line_1( - 'xref:{s-path}/xxx.adoc[xxx]', - key, - value['description'], - value['defaultValue'] - ) - else: - # deprecated envvars - # first add all ocis_ - for key, value in source_dict.items(): - if key.startswith('OC_'): - a += add_adoc_line_2( - 'xref:deployment/services/env-vars-special-scope.adoc[Special Scope Envvars]', - key, - value['description'], - value['removalVersion'], - value['deprecationInfo'] - ) - # then add all others - for key, value in source_dict.items(): - if not key.startswith('OC_'): - a += add_adoc_line_2( - 'xref:{s-path}/xxx.adoc[xxx]', - key, - value['description'], - value['removalVersion'], - value['deprecationInfo'] - ) - - # finally close the table - a += create_adoc_end() - return a - -def write_output(a, type_text): - # write the content to a file - try: - with open(adocWritePath + '/' + nameComponent + '-' + type_text + '.adoc', 'w') as file: - file.write(a) - except Exception as e: - print('Failed creating ' + type_text + ' file') - print(e) - sys.exit() - -## here are the tasks in sequence - -check_path() -fileOld, fileNew = get_sources(versionOld, versionNew) -addedWith = get_added(fileNew, excludePattern) -removedWith = get_removed(fileOld, fileNew) -deprecatedWith = get_deprecated(fileNew) - -a = create_table('Added', addedWith, from_version, to_version, date.today().strftime('%Y.%m.%d')) -r = create_table('Removed', removedWith, from_version, to_version, date.today().strftime('%Y.%m.%d')) -d = create_table('Deprecated', deprecatedWith, from_version, to_version, date.today().strftime('%Y.%m.%d'), True) - -write_output(a, 'added') -write_output(r, 'removed') -write_output(d, 'deprecated') - -print('Success, see files created in: ' + adocWritePath) diff --git a/docs/helpers/configenvextractor.go b/docs/helpers/configenvextractor.go deleted file mode 100644 index b20c36900b..0000000000 --- a/docs/helpers/configenvextractor.go +++ /dev/null 
@@ -1,79 +0,0 @@
-package main
-
-import (
- "fmt"
- "log"
- "os"
- "os/exec"
- "path"
- "path/filepath"
- "strings"
- "text/template"
-)
-
-var targets = map[string]string{
- "templates/adoc-generator.go.tmpl": "output/adoc/adoc-generator.go",
- "templates/example-config-generator.go.tmpl": "output/exampleconfig/example-config-generator.go",
- "templates/environment-variable-docs-generator.go.tmpl": "output/env/environment-variable-docs-generator.go",
- "templates/envar-delta-table.go.tmpl": "output/env/envvar-delta-table.go",
-}
-
-// RenderTemplates does something with templates
-func RenderTemplates() {
- fmt.Println("Getting relevant packages")
- paths, err := filepath.Glob("../../services/*/pkg/config/defaults/defaultconfig.go")
- if err != nil {
- log.Fatal(err)
- }
- replacer := strings.NewReplacer(
- "../../", "github.com/opencloud-eu/opencloud/",
- "/defaultconfig.go", "",
- )
- for i := range paths {
- paths[i] = replacer.Replace(paths[i])
- }
-
- for template, output := range targets {
- generateIntermediateCode(template, output, paths)
- runIntermediateCode(output)
- }
- fmt.Println("Cleaning up")
- err = os.RemoveAll("output")
- if err != nil {
- fmt.Println(err)
- }
-}
-
-func generateIntermediateCode(templatePath string, intermediateCodePath string, paths []string) {
- content, err := os.ReadFile(templatePath)
- if err != nil {
- log.Fatal(err)
- }
- fmt.Println("Generating intermediate go code for " + intermediateCodePath + " using template " + templatePath)
- tpl := template.Must(template.New("").Parse(string(content)))
- err = os.MkdirAll(path.Dir(intermediateCodePath), 0700)
- if err != nil {
- log.Fatal(err)
- }
- runner, err := os.Create(intermediateCodePath)
- if err != nil {
- log.Fatal(err)
- }
- err = tpl.Execute(runner, paths)
- if err != nil {
- log.Fatal(err)
- }
-}
-
-func runIntermediateCode(intermediateCodePath string) {
- fmt.Println("Running intermediate go code for " + intermediateCodePath)
- defaultConfigPath := "/etc/opencloud"
- defaultDataPath := "/var/lib/opencloud"
- os.Setenv("OC_BASE_DATA_PATH", defaultDataPath)
- os.Setenv("OC_CONFIG_DIR", defaultConfigPath)
- out, err := exec.Command("go", "run", intermediateCodePath).CombinedOutput()
- if err != nil {
- log.Fatal(string(out), err)
- }
- fmt.Println(string(out))
-}
diff --git a/docs/helpers/env-var-delta.go b/docs/helpers/env-var-delta.go
deleted file mode 100644
index 7d917e6821..0000000000
--- a/docs/helpers/env-var-delta.go
+++ /dev/null
@@ -1,122 +0,0 @@
-package main
-
-import (
- "fmt"
- "github.com/rogpeppe/go-internal/semver"
- "gopkg.in/yaml.v2"
- "log"
- "os"
- "path/filepath"
- "text/template"
-)
-
-const envVarYamlSource = "env_vars.yaml"
-
-var envVarOutPutTemplates = map[string]string{
- "added": "templates/env-vars-added.md.tmpl",
- "removed": "templates/env-vars-removed.md.tmpl",
- "deprecated": "templates/env-vars-deprecated.md.tmpl",
-}
-
-// ConfigField represents the env-var annotation in the code
-type ConfigField struct {
- Name string `yaml:"name"`
- DefaultValue string `yaml:"defaultValue"`
- Type string `yaml:"type"`
- Description string `yaml:"description"`
- IntroductionVersion string `yaml:"introductionVersion"`
- DeprecationVersion string `yaml:"deprecationVersion"`
- RemovalVersion string `yaml:"removalVersion"`
- DeprecationInfo string `yaml:"deprecationInfo"`
-}
-
-type TemplateData struct {
- StartVersion string
- EndVersion string
- DeltaFields []*ConfigField
-}
-
-// RenderEnvVarDeltaTable generates tables for env-var deltas
-func RenderEnvVarDeltaTable(osArgs []string) {
- if !semver.IsValid(osArgs[2]) {
- log.Fatalf("Start version invalid semver: %s", osArgs[2])
- }
- if !semver.IsValid(osArgs[3]) {
- log.Fatalf("Target version invalid semver: %s", osArgs[3])
- }
- if semver.Compare(osArgs[2], osArgs[3]) >= 0 {
- log.Fatalf("Start version %s is not smaller than target version %s", osArgs[2], osArgs[3])
- }
- if semver.Compare(osArgs[2], "v5.0.0") < 0 {
- log.Fatalf("This tool does not support versions prior v5.0.0, (given %s)", osArgs[2])
- }
- startVersion := osArgs[2]
- endVersion := osArgs[3]
- fmt.Printf("Generating tables for env-var deltas between version %s and %s...\n", startVersion, endVersion)
- curdir, err := os.Getwd()
- if err != nil {
- log.Fatal(err)
- }
- fullYamlPath := filepath.Join(curdir, envVarYamlSource)
- configFields := make(map[string]*ConfigField)
- variableList := map[string][]*ConfigField{
- "added": {},
- "removed": {},
- "deprecated": {},
- }
- fmt.Printf("Reading existing variable definitions from %s\n", fullYamlPath)
- yfile, err := os.ReadFile(fullYamlPath)
- if err == nil {
- err := yaml.Unmarshal(yfile, configFields)
- if err != nil {
- log.Fatal(err)
- }
- }
- fmt.Printf("Success, found %d entries\n", len(configFields))
- for _, field := range configFields {
- if field.IntroductionVersion != "" &&
- field.IntroductionVersion != "pre5.0" &&
- !semver.IsValid(field.IntroductionVersion) &&
- field.IntroductionVersion[0] != 'v' {
- field.IntroductionVersion = "v" + field.IntroductionVersion
- }
- if field.IntroductionVersion != "pre5.0" && !semver.IsValid(field.IntroductionVersion) {
- fmt.Printf("Invalid semver for field %s: %s\n", field.Name, field.IntroductionVersion)
- os.Exit(1)
- }
- //fmt.Printf("Processing field %s dv: %s, iv: %s\n", field.Name, field.DeprecationVersion, field.IntroductionVersion)
- if semver.IsValid(field.RemovalVersion) && semver.Compare(startVersion, field.RemovalVersion) < 0 && semver.Compare(endVersion, field.RemovalVersion) >= 0 {
- variableList["removed"] = append(variableList["removed"], field)
- }
- if semver.IsValid(field.DeprecationVersion) && semver.Compare(startVersion, field.DeprecationVersion) <= 0 && semver.Compare(endVersion, field.DeprecationVersion) > 0 {
- variableList["deprecated"] = append(variableList["deprecated"], field)
- }
- if semver.IsValid(field.IntroductionVersion) && semver.Compare(startVersion, field.IntroductionVersion) <= 0 && semver.Compare(endVersion, field.IntroductionVersion) >= 0 {
- fmt.Printf("Adding field %s iv: %s\n", field.Name, field.IntroductionVersion)
- variableList["added"] = append(variableList["added"], field)
- }
- }
- for templateName, templatePath := range envVarOutPutTemplates {
- content, err := os.ReadFile(templatePath)
- if err != nil {
- log.Fatal(err)
- }
- tpl := template.Must(template.New(templateName).Parse(string(content)))
- err = os.MkdirAll("output/env-deltas", 0700)
- if err != nil {
- log.Fatal(err)
- }
- targetFile, err := os.Create(filepath.Join("output/env-deltas", fmt.Sprintf("%s-%s-%s.md", startVersion, endVersion, templateName)))
- if err != nil {
- log.Fatal(err)
- }
- err = tpl.Execute(targetFile, TemplateData{
- StartVersion: startVersion,
- EndVersion: endVersion,
- DeltaFields: variableList[templateName],
- })
- if err != nil {
- log.Fatal(err)
- }
- }
-}
diff --git a/docs/helpers/env_vars.yaml b/docs/helpers/env_vars.yaml
deleted file mode 100644
index 0443e94437..0000000000
--- a/docs/helpers/env_vars.yaml
+++ /dev/null
@@ -1,16614 +0,0 @@ -ACTIVITYLOG_CORS_ALLOW_CREDENTIALS: - name: OC_CORS_ALLOW_CREDENTIALS;ACTIVITYLOG_CORS_ALLOW_CREDENTIALS - defaultValue: "true" - type: bool - description: 'Allow credentials for CORS.See following chapter for more details: - *Access-Control-Allow-Credentials* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -ACTIVITYLOG_CORS_ALLOW_HEADERS: - name: OC_CORS_ALLOW_HEADERS;ACTIVITYLOG_CORS_ALLOW_HEADERS - defaultValue: '[Authorization Origin Content-Type Accept X-Requested-With X-Request-Id - Ocs-Apirequest]' - type: '[]string' - description: 'A list of allowed CORS headers. See following chapter for more details: - *Access-Control-Request-Headers* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. - See the Environment Variable Types description for more details.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -ACTIVITYLOG_CORS_ALLOW_METHODS: - name: OC_CORS_ALLOW_METHODS;ACTIVITYLOG_CORS_ALLOW_METHODS - defaultValue: '[GET]' - type: '[]string' - description: 'A list of allowed CORS methods. See following chapter for more details: - *Access-Control-Request-Method* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. - See the Environment Variable Types description for more details.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -ACTIVITYLOG_CORS_ALLOW_ORIGINS: - name: OC_CORS_ALLOW_ORIGINS;ACTIVITYLOG_CORS_ALLOW_ORIGINS - defaultValue: '[*]' - type: '[]string' - description: 'A list of allowed CORS origins. See following chapter for more details: - *Access-Control-Allow-Origin* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. 
- See the Environment Variable Types description for more details.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -ACTIVITYLOG_DEBUG_ADDR: - name: ACTIVITYLOG_DEBUG_ADDR - defaultValue: 127.0.0.1:9197 - type: string - description: Bind address of the debug server, where metrics, health, config and - debug endpoints will be exposed. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -ACTIVITYLOG_DEBUG_PPROF: - name: ACTIVITYLOG_DEBUG_PPROF - defaultValue: "false" - type: bool - description: Enables pprof, which can be used for profiling. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -ACTIVITYLOG_DEBUG_TOKEN: - name: ACTIVITYLOG_DEBUG_TOKEN - defaultValue: "" - type: string - description: Token to secure the metrics endpoint. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -ACTIVITYLOG_DEBUG_ZPAGES: - name: ACTIVITYLOG_DEBUG_ZPAGES - defaultValue: "false" - type: bool - description: Enables zpages, which can be used for collecting and viewing in-memory - traces. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -ACTIVITYLOG_HTTP_ADDR: - name: ACTIVITYLOG_HTTP_ADDR - defaultValue: 127.0.0.1:9195 - type: string - description: The bind address of the HTTP service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -ACTIVITYLOG_HTTP_ROOT: - name: ACTIVITYLOG_HTTP_ROOT - defaultValue: / - type: string - description: Subdirectory that serves as the root for this HTTP service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -ACTIVITYLOG_JWT_SECRET: - name: OC_JWT_SECRET;ACTIVITYLOG_JWT_SECRET - defaultValue: "" - type: string - description: The secret to mint and validate jwt tokens. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -ACTIVITYLOG_LOG_COLOR: - name: OC_LOG_COLOR;ACTIVITYLOG_LOG_COLOR - defaultValue: "false" - type: bool - description: Activates colorized log output. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -ACTIVITYLOG_LOG_FILE: - name: OC_LOG_FILE;ACTIVITYLOG_LOG_FILE - defaultValue: "" - type: string - description: The path to the log file. Activates logging to this file if set. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -ACTIVITYLOG_LOG_LEVEL: - name: OC_LOG_LEVEL;ACTIVITYLOG_LOG_LEVEL - defaultValue: "" - type: string - description: 'The log level. Valid values are: ''panic'', ''fatal'', ''error'', - ''warn'', ''info'', ''debug'', ''trace''.' - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -ACTIVITYLOG_LOG_PRETTY: - name: OC_LOG_PRETTY;ACTIVITYLOG_LOG_PRETTY - defaultValue: "false" - type: bool - description: Activates pretty log output. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -ACTIVITYLOG_SERVICE_ACCOUNT_ID: - name: OC_SERVICE_ACCOUNT_ID;ACTIVITYLOG_SERVICE_ACCOUNT_ID - defaultValue: "" - type: string - description: The ID of the service account the service should use. See the 'auth-service' - service description for more details. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -ACTIVITYLOG_SERVICE_ACCOUNT_SECRET: - name: OC_SERVICE_ACCOUNT_SECRET;ACTIVITYLOG_SERVICE_ACCOUNT_SECRET - defaultValue: "" - type: string - description: The service account secret. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -ACTIVITYLOG_STORE: - name: OC_PERSISTENT_STORE;ACTIVITYLOG_STORE - defaultValue: nats-js-kv - type: string - description: 'The type of the store. 
Supported values are: ''memory'', ''nats-js-kv'', - ''redis-sentinel'', ''noop''. See the text description for details.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -ACTIVITYLOG_STORE_AUTH_PASSWORD: - name: OC_PERSISTENT_STORE_AUTH_PASSWORD;ACTIVITYLOG_STORE_AUTH_PASSWORD - defaultValue: "" - type: string - description: The password to authenticate with the store. Only applies when store - type 'nats-js-kv' is configured. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -ACTIVITYLOG_STORE_AUTH_USERNAME: - name: OC_PERSISTENT_STORE_AUTH_USERNAME;ACTIVITYLOG_STORE_AUTH_USERNAME - defaultValue: "" - type: string - description: The username to authenticate with the store. Only applies when store - type 'nats-js-kv' is configured. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -ACTIVITYLOG_STORE_DATABASE: - name: ACTIVITYLOG_STORE_DATABASE - defaultValue: activitylog - type: string - description: The database name the configured store should use. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -ACTIVITYLOG_STORE_NODES: - name: OC_PERSISTENT_STORE_NODES;ACTIVITYLOG_STORE_NODES - defaultValue: '[127.0.0.1:9233]' - type: '[]string' - description: A list of nodes to access the configured store. This has no effect - when 'memory' store is configured. Note that the behaviour how nodes are used - is dependent on the library of the configured store. See the Environment Variable - Types description for more details. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -ACTIVITYLOG_STORE_TABLE: - name: ACTIVITYLOG_STORE_TABLE - defaultValue: "" - type: string - description: The database table the store should use. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -ACTIVITYLOG_STORE_TTL: - name: OC_PERSISTENT_STORE_TTL;ACTIVITYLOG_STORE_TTL - defaultValue: 0s - type: Duration - description: Time to live for events in the store. See the Environment Variable - Types description for more details. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -ACTIVITYLOG_TRACING_COLLECTOR: - name: OC_TRACING_COLLECTOR;ACTIVITYLOG_TRACING_COLLECTOR - defaultValue: "" - type: string - description: The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. - Only used if the tracing endpoint is unset. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -ACTIVITYLOG_TRACING_ENABLED: - name: OC_TRACING_ENABLED;ACTIVITYLOG_TRACING_ENABLED - defaultValue: "false" - type: bool - description: Activates tracing. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -ACTIVITYLOG_TRACING_ENDPOINT: - name: OC_TRACING_ENDPOINT;ACTIVITYLOG_TRACING_ENDPOINT - defaultValue: "" - type: string - description: The endpoint of the tracing agent. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -ACTIVITYLOG_TRACING_TYPE: - name: OC_TRACING_TYPE;ACTIVITYLOG_TRACING_TYPE - defaultValue: "" - type: string - description: The type of tracing. Defaults to '', which is the same as 'jaeger'. - Allowed tracing types are 'jaeger' and '' as of now. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -ACTIVITYLOG_TRANSLATION_PATH: - name: OC_TRANSLATION_PATH;ACTIVITYLOG_TRANSLATION_PATH - defaultValue: "" - type: string - description: (optional) Set this to a path with custom translations to overwrite - the builtin translations. 
Note that file and folder naming rules apply, see the - documentation for more details. - introductionVersion: 7.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -ANTIVIRUS_CLAMAV_SOCKET: - name: ANTIVIRUS_CLAMAV_SOCKET - defaultValue: /run/clamav/clamd.ctl - type: string - description: The socket clamav is running on. Note the default value is an example - which needs adaption according your OS. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -ANTIVIRUS_DEBUG_ADDR: - name: ANTIVIRUS_DEBUG_ADDR - defaultValue: 127.0.0.1:9277 - type: string - description: Bind address of the debug server, where metrics, health, config and - debug endpoints will be exposed. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -ANTIVIRUS_DEBUG_PPROF: - name: ANTIVIRUS_DEBUG_PPROF - defaultValue: "false" - type: bool - description: Enables pprof, which can be used for profiling. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -ANTIVIRUS_DEBUG_SCAN_OUTCOME: - name: ANTIVIRUS_DEBUG_SCAN_OUTCOME - defaultValue: "" - type: string - description: 'A predefined outcome for virus scanning, FOR DEBUG PURPOSES ONLY! - (example values: ''found,infected'')' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -ANTIVIRUS_DEBUG_TOKEN: - name: ANTIVIRUS_DEBUG_TOKEN - defaultValue: "" - type: string - description: Token to secure the metrics endpoint. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -ANTIVIRUS_DEBUG_ZPAGES: - name: ANTIVIRUS_DEBUG_ZPAGES - defaultValue: "false" - type: bool - description: Enables zpages, which can be used for collecting and viewing in-memory - traces. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -ANTIVIRUS_EVENTS_AUTH_PASSWORD: - name: OC_EVENTS_AUTH_PASSWORD;ANTIVIRUS_EVENTS_AUTH_PASSWORD - defaultValue: "" - type: string - description: The password to authenticate with the events broker. The events broker - is the OpenCloud service which receives and delivers events between the services. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -ANTIVIRUS_EVENTS_AUTH_USERNAME: - name: OC_EVENTS_AUTH_USERNAME;ANTIVIRUS_EVENTS_AUTH_USERNAME - defaultValue: "" - type: string - description: The username to authenticate with the events broker. The events broker - is the OpenCloud service which receives and delivers events between the services. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -ANTIVIRUS_EVENTS_CLUSTER: - name: OC_EVENTS_CLUSTER;ANTIVIRUS_EVENTS_CLUSTER - defaultValue: opencloud-cluster - type: string - description: The clusterID of the event system. The event system is the message - queuing service. It is used as message broker for the microservice architecture. - Mandatory when using NATS as event system. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -ANTIVIRUS_EVENTS_ENABLE_TLS: - name: OC_EVENTS_ENABLE_TLS;ANTIVIRUS_EVENTS_ENABLE_TLS - defaultValue: "false" - type: bool - description: Enable TLS for the connection to the events broker. The events broker - is the OpenCloud service which receives and delivers events between the services. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -ANTIVIRUS_EVENTS_ENDPOINT: - name: OC_EVENTS_ENDPOINT;ANTIVIRUS_EVENTS_ENDPOINT - defaultValue: 127.0.0.1:9233 - type: string - description: The address of the event system. The event system is the message queuing - service. 
It is used as message broker for the microservice architecture. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -ANTIVIRUS_EVENTS_TLS_INSECURE: - name: OC_INSECURE;ANTIVIRUS_EVENTS_TLS_INSECURE - defaultValue: "false" - type: bool - description: Whether to verify the server TLS certificates. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -ANTIVIRUS_EVENTS_TLS_ROOT_CA_CERTIFICATE: - name: OC_EVENTS_TLS_ROOT_CA_CERTIFICATE;ANTIVIRUS_EVENTS_TLS_ROOT_CA_CERTIFICATE - defaultValue: "" - type: string - description: The root CA certificate used to validate the server's TLS certificate. - If provided ANTIVIRUS_EVENTS_TLS_INSECURE will be seen as false. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -ANTIVIRUS_ICAP_SCAN_TIMEOUT: - name: ANTIVIRUS_ICAP_SCAN_TIMEOUT - defaultValue: 5m0s - type: Duration - description: Scan timeout for the ICAP client. Defaults to '5m' (5 minutes). See - the Environment Variable Types description for more details. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -ANTIVIRUS_ICAP_SERVICE: - name: ANTIVIRUS_ICAP_SERVICE - defaultValue: avscan - type: string - description: The name of the ICAP service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -ANTIVIRUS_ICAP_URL: - name: ANTIVIRUS_ICAP_URL - defaultValue: icap://127.0.0.1:1344 - type: string - description: URL of the ICAP server. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -ANTIVIRUS_INFECTED_FILE_HANDLING: - name: ANTIVIRUS_INFECTED_FILE_HANDLING - defaultValue: delete - type: string - description: 'Defines the behaviour when a virus has been found. Supported options - are: ''delete'', ''continue'' and ''abort ''. Delete will delete the file. 
Continue - will mark the file as infected but continues further processing. Abort will keep - the file in the uploads folder for further admin inspection and will not move - it to its final destination.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -ANTIVIRUS_LOG_COLOR: - name: OC_LOG_COLOR;ANTIVIRUS_LOG_COLOR - defaultValue: "false" - type: bool - description: Activates colorized log output. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -ANTIVIRUS_LOG_FILE: - name: OC_LOG_FILE;ANTIVIRUS_LOG_FILE - defaultValue: "" - type: string - description: The path to the log file. Activates logging to this file if set. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -ANTIVIRUS_LOG_LEVEL: - name: OC_LOG_LEVEL;ANTIVIRUS_LOG_LEVEL - defaultValue: "" - type: string - description: 'The log level. Valid values are: ''panic'', ''fatal'', ''error'', - ''warn'', ''info'', ''debug'', ''trace''.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -ANTIVIRUS_LOG_PRETTY: - name: OC_LOG_PRETTY;ANTIVIRUS_LOG_PRETTY - defaultValue: "false" - type: bool - description: Activates pretty log output. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -ANTIVIRUS_MAX_SCAN_SIZE: - name: ANTIVIRUS_MAX_SCAN_SIZE - defaultValue: "" - type: string - description: 'The maximum scan size the virus scanner can handle. Only this many - bytes of a file will be scanned. 0 means unlimited and is the default. Usable - common abbreviations: [KB, KiB, MB, MiB, GB, GiB, TB, TiB, PB, PiB, EB, EiB], - example: 2GB.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -ANTIVIRUS_SCANNER_TYPE: - name: ANTIVIRUS_SCANNER_TYPE - defaultValue: clamav - type: string - description: The antivirus scanner to use. 
Supported values are 'clamav' and 'icap'. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -ANTIVIRUS_TRACING_COLLECTOR: - name: OC_TRACING_COLLECTOR;ANTIVIRUS_TRACING_COLLECTOR - defaultValue: "" - type: string - description: The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. - Only used if the tracing endpoint is unset. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -ANTIVIRUS_TRACING_ENABLED: - name: OC_TRACING_ENABLED;ANTIVIRUS_TRACING_ENABLED - defaultValue: "false" - type: bool - description: Activates tracing. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -ANTIVIRUS_TRACING_ENDPOINT: - name: OC_TRACING_ENDPOINT;ANTIVIRUS_TRACING_ENDPOINT - defaultValue: "" - type: string - description: The endpoint of the tracing agent. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -ANTIVIRUS_TRACING_TYPE: - name: OC_TRACING_TYPE;ANTIVIRUS_TRACING_TYPE - defaultValue: "" - type: string - description: The type of tracing. Defaults to '', which is the same as 'jaeger'. - Allowed tracing types are 'jaeger' and '' as of now. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -ANTIVIRUS_WORKERS: - name: ANTIVIRUS_WORKERS - defaultValue: "10" - type: int - description: The number of concurrent go routines that fetch events from the event - queue. - introductionVersion: 7.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -APP_PROVIDER_DEBUG_ADDR: - name: APP_PROVIDER_DEBUG_ADDR - defaultValue: 127.0.0.1:9165 - type: string - description: Bind address of the debug server, where metrics, health, config and - debug endpoints will be exposed. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -APP_PROVIDER_DEBUG_PPROF: - name: APP_PROVIDER_DEBUG_PPROF - defaultValue: "false" - type: bool - description: Enables pprof, which can be used for profiling - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -APP_PROVIDER_DEBUG_TOKEN: - name: APP_PROVIDER_DEBUG_TOKEN - defaultValue: "" - type: string - description: Token to secure the metrics endpoint - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -APP_PROVIDER_DEBUG_ZPAGES: - name: APP_PROVIDER_DEBUG_ZPAGES - defaultValue: "false" - type: bool - description: Enables zpages, which can be used for collecting and viewing traces - in-memory. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -APP_PROVIDER_DRIVER: - name: APP_PROVIDER_DRIVER - defaultValue: "" - type: string - description: Driver, the APP PROVIDER services uses. Only 'wopi' is supported as - of now. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -APP_PROVIDER_EXTERNAL_ADDR: - name: APP_PROVIDER_EXTERNAL_ADDR - defaultValue: eu.opencloud.api.app-provider - type: string - description: Address of the app provider, where the GATEWAY service can reach it. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -APP_PROVIDER_GRPC_ADDR: - name: APP_PROVIDER_GRPC_ADDR - defaultValue: 127.0.0.1:9164 - type: string - description: The bind address of the GRPC service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -APP_PROVIDER_GRPC_PROTOCOL: - name: OC_GRPC_PROTOCOL;APP_PROVIDER_GRPC_PROTOCOL - defaultValue: tcp - type: string - description: The transport protocol of the GPRC service. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -APP_PROVIDER_JWT_SECRET: - name: OC_JWT_SECRET;APP_PROVIDER_JWT_SECRET - defaultValue: "" - type: string - description: The secret to mint and validate jwt tokens. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -APP_PROVIDER_LOG_COLOR: - name: OC_LOG_COLOR;APP_PROVIDER_LOG_COLOR - defaultValue: "false" - type: bool - description: Activates colorized log output. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -APP_PROVIDER_LOG_FILE: - name: OC_LOG_FILE;APP_PROVIDER_LOG_FILE - defaultValue: "" - type: string - description: The path to the log file. Activates logging to this file if set. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -APP_PROVIDER_LOG_LEVEL: - name: OC_LOG_LEVEL;APP_PROVIDER_LOG_LEVEL - defaultValue: "" - type: string - description: 'The log level. Valid values are: ''panic'', ''fatal'', ''error'', - ''warn'', ''info'', ''debug'', ''trace''.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -APP_PROVIDER_LOG_PRETTY: - name: OC_LOG_PRETTY;APP_PROVIDER_LOG_PRETTY - defaultValue: "false" - type: bool - description: Activates pretty log output. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -APP_PROVIDER_SERVICE_NAME: - name: APP_PROVIDER_SERVICE_NAME - defaultValue: app-provider - type: string - description: 'The name of the service. This needs to be changed when using more - than one app provider. Each app provider configured needs to be identified by - a unique service name. Possible examples are: ''app-provider-collabora'', ''app-provider-onlyoffice'', - ''app-provider-office365''.' 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -APP_PROVIDER_TRACING_COLLECTOR: - name: OC_TRACING_COLLECTOR;APP_PROVIDER_TRACING_COLLECTOR - defaultValue: "" - type: string - description: The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. - Only used if the tracing endpoint is unset. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -APP_PROVIDER_TRACING_ENABLED: - name: OC_TRACING_ENABLED;APP_PROVIDER_TRACING_ENABLED - defaultValue: "false" - type: bool - description: Activates tracing. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -APP_PROVIDER_TRACING_ENDPOINT: - name: OC_TRACING_ENDPOINT;APP_PROVIDER_TRACING_ENDPOINT - defaultValue: "" - type: string - description: The endpoint of the tracing agent. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -APP_PROVIDER_TRACING_TYPE: - name: OC_TRACING_TYPE;APP_PROVIDER_TRACING_TYPE - defaultValue: "" - type: string - description: The type of tracing. Defaults to '', which is the same as 'jaeger'. - Allowed tracing types are 'jaeger' and '' as of now. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -APP_PROVIDER_WOPI_APP_API_KEY: - name: APP_PROVIDER_WOPI_APP_API_KEY - defaultValue: "" - type: string - description: API key for the wopi app. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -APP_PROVIDER_WOPI_APP_DESKTOP_ONLY: - name: APP_PROVIDER_WOPI_APP_DESKTOP_ONLY - defaultValue: "false" - type: bool - description: Offer this app only on desktop. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -APP_PROVIDER_WOPI_APP_ICON_URI: - name: APP_PROVIDER_WOPI_APP_ICON_URI - defaultValue: "" - type: string - description: URI to an app icon to be used by clients. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -APP_PROVIDER_WOPI_APP_INTERNAL_URL: - name: APP_PROVIDER_WOPI_APP_INTERNAL_URL - defaultValue: "" - type: string - description: Internal URL to the app, like in your DMZ. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -APP_PROVIDER_WOPI_APP_NAME: - name: APP_PROVIDER_WOPI_APP_NAME - defaultValue: "" - type: string - description: Human readable app name. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -APP_PROVIDER_WOPI_APP_URL: - name: APP_PROVIDER_WOPI_APP_URL - defaultValue: "" - type: string - description: URL for end users to access the app. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -APP_PROVIDER_WOPI_DISABLE_CHAT: - name: APP_PROVIDER_WOPI_DISABLE_CHAT;OC_WOPI_DISABLE_CHAT - defaultValue: "false" - type: bool - description: Disable the chat functionality of the office app. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -APP_PROVIDER_WOPI_FOLDER_URL_BASE_URL: - name: OC_URL;APP_PROVIDER_WOPI_FOLDER_URL_BASE_URL - defaultValue: https://localhost:9200/ - type: string - description: Base url to navigate back from the app to the containing folder in - the file list. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -APP_PROVIDER_WOPI_FOLDER_URL_PATH_TEMPLATE: - name: APP_PROVIDER_WOPI_FOLDER_URL_PATH_TEMPLATE - defaultValue: /f/{{.ResourceID}} - type: string - description: Path template to navigate back from the app to the containing folder - in the file list. 
Supported template variables are {{.ResourceInfo.ResourceID}}, - {{.ResourceInfo.Mtime.Seconds}}, {{.ResourceInfo.Name}}, {{.ResourceInfo.Path}}, - {{.ResourceInfo.Type}}, {{.ResourceInfo.Id.SpaceId}}, {{.ResourceInfo.Id.StorageId}}, - {{.ResourceInfo.Id.OpaqueId}}, {{.ResourceInfo.MimeType}} - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -APP_PROVIDER_WOPI_INSECURE: - name: APP_PROVIDER_WOPI_INSECURE - defaultValue: "false" - type: bool - description: Disable TLS certificate validation for requests to the WOPI server - and the web office application. Do not set this in production environments. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -APP_PROVIDER_WOPI_WOPI_SERVER_EXTERNAL_URL: - name: APP_PROVIDER_WOPI_WOPI_SERVER_EXTERNAL_URL - defaultValue: "" - type: string - description: External url of the CS3org WOPI server. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -APP_PROVIDER_WOPI_WOPI_SERVER_IOP_SECRET: - name: APP_PROVIDER_WOPI_WOPI_SERVER_IOP_SECRET - defaultValue: "" - type: string - description: Shared secret of the CS3org WOPI server. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -APP_REGISTRY_DEBUG_ADDR: - name: APP_REGISTRY_DEBUG_ADDR - defaultValue: 127.0.0.1:9243 - type: string - description: Bind address of the debug server, where metrics, health, config and - debug endpoints will be exposed. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -APP_REGISTRY_DEBUG_PPROF: - name: APP_REGISTRY_DEBUG_PPROF - defaultValue: "false" - type: bool - description: Enables pprof, which can be used for profiling. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -APP_REGISTRY_DEBUG_TOKEN: - name: APP_REGISTRY_DEBUG_TOKEN - defaultValue: "" - type: string - description: Token to secure the metrics endpoint. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -APP_REGISTRY_DEBUG_ZPAGES: - name: APP_REGISTRY_DEBUG_ZPAGES - defaultValue: "false" - type: bool - description: Enables zpages, which can be used for collecting and viewing in-memory - traces. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -APP_REGISTRY_GRPC_ADDR: - name: APP_REGISTRY_GRPC_ADDR - defaultValue: 127.0.0.1:9242 - type: string - description: The bind address of the GRPC service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -APP_REGISTRY_GRPC_PROTOCOL: - name: OC_GRPC_PROTOCOL;APP_REGISTRY_GRPC_PROTOCOL - defaultValue: tcp - type: string - description: The transport protocol of the GRPC service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -APP_REGISTRY_JWT_SECRET: - name: OC_JWT_SECRET;APP_REGISTRY_JWT_SECRET - defaultValue: "" - type: string - description: The secret to mint and validate jwt tokens. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -APP_REGISTRY_LOG_COLOR: - name: OC_LOG_COLOR;APP_REGISTRY_LOG_COLOR - defaultValue: "false" - type: bool - description: Activates colorized log output. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -APP_REGISTRY_LOG_FILE: - name: OC_LOG_FILE;APP_REGISTRY_LOG_FILE - defaultValue: "" - type: string - description: The path to the log file. Activates logging to this file if set. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -APP_REGISTRY_LOG_LEVEL: - name: OC_LOG_LEVEL;APP_REGISTRY_LOG_LEVEL - defaultValue: "" - type: string - description: 'The log level. Valid values are: ''panic'', ''fatal'', ''error'', - ''warn'', ''info'', ''debug'', ''trace''.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -APP_REGISTRY_LOG_PRETTY: - name: OC_LOG_PRETTY;APP_REGISTRY_LOG_PRETTY - defaultValue: "false" - type: bool - description: Activates pretty log output. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -APP_REGISTRY_TRACING_COLLECTOR: - name: OC_TRACING_COLLECTOR;APP_REGISTRY_TRACING_COLLECTOR - defaultValue: "" - type: string - description: The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. - Only used if the tracing endpoint is unset. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -APP_REGISTRY_TRACING_ENABLED: - name: OC_TRACING_ENABLED;APP_REGISTRY_TRACING_ENABLED - defaultValue: "false" - type: bool - description: Activates tracing. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -APP_REGISTRY_TRACING_ENDPOINT: - name: OC_TRACING_ENDPOINT;APP_REGISTRY_TRACING_ENDPOINT - defaultValue: "" - type: string - description: The endpoint of the tracing agent. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -APP_REGISTRY_TRACING_TYPE: - name: OC_TRACING_TYPE;APP_REGISTRY_TRACING_TYPE - defaultValue: "" - type: string - description: The type of tracing. Defaults to '', which is the same as 'jaeger'. - Allowed tracing types are 'jaeger' and '' as of now. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUDIT_DEBUG_ADDR: - name: AUDIT_DEBUG_ADDR - defaultValue: 127.0.0.1:9229 - type: string - description: Bind address of the debug server, where metrics, health, config and - debug endpoints will be exposed. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUDIT_DEBUG_PPROF: - name: AUDIT_DEBUG_PPROF - defaultValue: "false" - type: bool - description: Enables pprof, which can be used for profiling. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUDIT_DEBUG_TOKEN: - name: AUDIT_DEBUG_TOKEN - defaultValue: "" - type: string - description: Token to secure the metrics endpoint. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUDIT_DEBUG_ZPAGES: - name: AUDIT_DEBUG_ZPAGES - defaultValue: "false" - type: bool - description: Enables zpages, which can be used for collecting and viewing in-memory - traces. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUDIT_EVENTS_AUTH_PASSWORD: - name: OC_EVENTS_AUTH_PASSWORD;AUDIT_EVENTS_AUTH_PASSWORD - defaultValue: "" - type: string - description: The password to authenticate with the events broker. The events broker - is the OpenCloud service which receives and delivers events between the services. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUDIT_EVENTS_AUTH_USERNAME: - name: OC_EVENTS_AUTH_USERNAME;AUDIT_EVENTS_AUTH_USERNAME - defaultValue: "" - type: string - description: The username to authenticate with the events broker. The events broker - is the OpenCloud service which receives and delivers events between the services. 
- introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUDIT_EVENTS_CLUSTER: - name: OC_EVENTS_CLUSTER;AUDIT_EVENTS_CLUSTER - defaultValue: opencloud-cluster - type: string - description: The clusterID of the event system. The event system is the message - queuing service. It is used as message broker for the microservice architecture. - Mandatory when using NATS as event system. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUDIT_EVENTS_ENABLE_TLS: - name: OC_EVENTS_ENABLE_TLS;AUDIT_EVENTS_ENABLE_TLS - defaultValue: "false" - type: bool - description: Enable TLS for the connection to the events broker. The events broker - is the OpenCloud service which receives and delivers events between the services. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUDIT_EVENTS_ENDPOINT: - name: OC_EVENTS_ENDPOINT;AUDIT_EVENTS_ENDPOINT - defaultValue: 127.0.0.1:9233 - type: string - description: The address of the event system. The event system is the message queuing - service. It is used as message broker for the microservice architecture. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUDIT_EVENTS_TLS_INSECURE: - name: OC_INSECURE;AUDIT_EVENTS_TLS_INSECURE - defaultValue: "false" - type: bool - description: Whether to verify the server TLS certificates. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUDIT_EVENTS_TLS_ROOT_CA_CERTIFICATE: - name: OC_EVENTS_TLS_ROOT_CA_CERTIFICATE;AUDIT_EVENTS_TLS_ROOT_CA_CERTIFICATE - defaultValue: "" - type: string - description: The root CA certificate used to validate the server's TLS certificate. - If provided AUDIT_EVENTS_TLS_INSECURE will be seen as false. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUDIT_FILEPATH: - name: AUDIT_FILEPATH - defaultValue: "" - type: string - description: Filepath of the logfile. Mandatory if LOG_TO_FILE is set to 'true'. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUDIT_FORMAT: - name: AUDIT_FORMAT - defaultValue: json - type: string - description: Log format. Supported values are '' (empty) and 'json'. Using 'json' - is advised, '' (empty) renders the 'minimal' format. See the text description - for more details. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUDIT_LOG_COLOR: - name: OC_LOG_COLOR;AUDIT_LOG_COLOR - defaultValue: "false" - type: bool - description: Activates colorized log output. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUDIT_LOG_FILE: - name: OC_LOG_FILE;AUDIT_LOG_FILE - defaultValue: "" - type: string - description: The path to the log file. Activates logging to this file if set. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUDIT_LOG_LEVEL: - name: OC_LOG_LEVEL;AUDIT_LOG_LEVEL - defaultValue: "" - type: string - description: 'The log level. Valid values are: ''panic'', ''fatal'', ''error'', - ''warn'', ''info'', ''debug'', ''trace''.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUDIT_LOG_PRETTY: - name: OC_LOG_PRETTY;AUDIT_LOG_PRETTY - defaultValue: "false" - type: bool - description: Activates pretty log output. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUDIT_LOG_TO_CONSOLE: - name: AUDIT_LOG_TO_CONSOLE - defaultValue: "true" - type: bool - description: Logs to stdout if set to 'true'. Independent of the LOG_TO_FILE option. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUDIT_LOG_TO_FILE: - name: AUDIT_LOG_TO_FILE - defaultValue: "false" - type: bool - description: Logs to file if set to 'true'. Independent of the LOG_TO_CONSOLE option. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUDIT_TRACING_COLLECTOR: - name: OC_TRACING_COLLECTOR;AUDIT_TRACING_COLLECTOR - defaultValue: "" - type: string - description: The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. - Only used if the tracing endpoint is unset. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUDIT_TRACING_ENABLED: - name: OC_TRACING_ENABLED;AUDIT_TRACING_ENABLED - defaultValue: "false" - type: bool - description: Activates tracing. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUDIT_TRACING_ENDPOINT: - name: OC_TRACING_ENDPOINT;AUDIT_TRACING_ENDPOINT - defaultValue: "" - type: string - description: The endpoint of the tracing agent. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUDIT_TRACING_TYPE: - name: OC_TRACING_TYPE;AUDIT_TRACING_TYPE - defaultValue: "" - type: string - description: The type of tracing. Defaults to '', which is the same as 'jaeger'. - Allowed tracing types are 'jaeger' and '' as of now. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_APP_CORS_ALLOW_CREDENTIALS: - name: OC_CORS_ALLOW_CREDENTIALS;AUTH_APP_CORS_ALLOW_CREDENTIALS - defaultValue: "true" - type: bool - description: 'Allow credentials for CORS.See following chapter for more details: - *Access-Control-Allow-Credentials* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.' 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_APP_CORS_ALLOW_HEADERS: - name: OC_CORS_ALLOW_HEADERS;AUTH_APP_CORS_ALLOW_HEADERS - defaultValue: '[Authorization Origin Content-Type Accept X-Requested-With X-Request-Id - Ocs-Apirequest]' - type: '[]string' - description: 'A list of allowed CORS headers. See following chapter for more details: - *Access-Control-Request-Headers* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. - See the Environment Variable Types description for more details.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_APP_CORS_ALLOW_METHODS: - name: OC_CORS_ALLOW_METHODS;AUTH_APP_CORS_ALLOW_METHODS - defaultValue: '[GET POST DELETE]' - type: '[]string' - description: 'A list of allowed CORS methods. See following chapter for more details: - *Access-Control-Request-Method* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. - See the Environment Variable Types description for more details.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_APP_CORS_ALLOW_ORIGINS: - name: OC_CORS_ALLOW_ORIGINS;AUTH_APP_CORS_ALLOW_ORIGINS - defaultValue: '[*]' - type: '[]string' - description: 'A list of allowed CORS origins. See following chapter for more details: - *Access-Control-Allow-Origin* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. - See the Environment Variable Types description for more details.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_APP_DEBUG_ADDR: - name: AUTH_APP_DEBUG_ADDR - defaultValue: 127.0.0.1:9245 - type: string - description: Bind address of the debug server, where metrics, health, config and - debug endpoints will be exposed. 
- introductionVersion: 7.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_APP_DEBUG_PPROF: - name: AUTH_APP_DEBUG_PPROF - defaultValue: "false" - type: bool - description: Enables pprof, which can be used for profiling. - introductionVersion: 7.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_APP_DEBUG_TOKEN: - name: AUTH_APP_DEBUG_TOKEN - defaultValue: "" - type: string - description: Token to secure the metrics endpoint. - introductionVersion: 7.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_APP_DEBUG_ZPAGES: - name: AUTH_APP_DEBUG_ZPAGES - defaultValue: "false" - type: bool - description: Enables zpages, which can be used for collecting and viewing traces - in-memory. - introductionVersion: 7.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_APP_ENABLE_IMPERSONATION: - name: AUTH_APP_ENABLE_IMPERSONATION - defaultValue: "false" - type: bool - description: Allows admins to create app tokens for other users. Used for migration. - Do NOT use in productive deployments. - introductionVersion: 7.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_APP_GRPC_ADDR: - name: AUTH_APP_GRPC_ADDR - defaultValue: 127.0.0.1:9246 - type: string - description: The bind address of the GRPC service. - introductionVersion: 7.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_APP_GRPC_PROTOCOL: - name: OC_GRPC_PROTOCOL;AUTH_APP_GRPC_PROTOCOL - defaultValue: tcp - type: string - description: The transport protocol of the GRPC service. - introductionVersion: 7.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_APP_HTTP_ADDR: - name: AUTH_APP_HTTP_ADDR - defaultValue: 127.0.0.1:9247 - type: string - description: The bind address of the HTTP service. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_APP_HTTP_ROOT: - name: AUTH_APP_HTTP_ROOT - defaultValue: / - type: string - description: Subdirectory that serves as the root for this HTTP service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_APP_JWT_SECRET: - name: OC_JWT_SECRET;AUTH_APP_JWT_SECRET - defaultValue: "" - type: string - description: The secret to mint and validate jwt tokens. - introductionVersion: 7.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_APP_LOG_COLOR: - name: OC_LOG_COLOR;AUTH_APP_LOG_COLOR - defaultValue: "false" - type: bool - description: Activates colorized log output. - introductionVersion: 7.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_APP_LOG_FILE: - name: OC_LOG_FILE;AUTH_APP_LOG_FILE - defaultValue: "" - type: string - description: The path to the log file. Activates logging to this file if set. - introductionVersion: 7.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_APP_LOG_LEVEL: - name: OC_LOG_LEVEL;AUTH_APP_LOG_LEVEL - defaultValue: "" - type: string - description: 'The log level. Valid values are: ''panic'', ''fatal'', ''error'', - ''warn'', ''info'', ''debug'', ''trace''.' - introductionVersion: 7.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_APP_LOG_PRETTY: - name: OC_LOG_PRETTY;AUTH_APP_LOG_PRETTY - defaultValue: "false" - type: bool - description: Activates pretty log output. - introductionVersion: 7.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_APP_MACHINE_AUTH_API_KEY: - name: OC_MACHINE_AUTH_API_KEY;AUTH_APP_MACHINE_AUTH_API_KEY - defaultValue: "" - type: string - description: The machine auth API key used to validate internal requests necessary - to access resources from other services. 
- introductionVersion: 7.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_APP_SKIP_USER_GROUPS_IN_TOKEN: - name: AUTH_APP_SKIP_USER_GROUPS_IN_TOKEN - defaultValue: "false" - type: bool - description: Disables the encoding of the user's group memberships in the access - token. This reduces the token size, especially when users are members of a large - number of groups. - introductionVersion: 7.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_APP_TRACING_COLLECTOR: - name: OC_TRACING_COLLECTOR;AUTH_APP_TRACING_COLLECTOR - defaultValue: "" - type: string - description: The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. - Only used if the tracing endpoint is unset. - introductionVersion: 7.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_APP_TRACING_ENABLED: - name: OC_TRACING_ENABLED;AUTH_APP_TRACING_ENABLED - defaultValue: "false" - type: bool - description: Activates tracing. - introductionVersion: 7.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_APP_TRACING_ENDPOINT: - name: OC_TRACING_ENDPOINT;AUTH_APP_TRACING_ENDPOINT - defaultValue: "" - type: string - description: The endpoint of the tracing agent. - introductionVersion: 7.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_APP_TRACING_TYPE: - name: OC_TRACING_TYPE;AUTH_APP_TRACING_TYPE - defaultValue: "" - type: string - description: The type of tracing. Defaults to '', which is the same as 'jaeger'. - Allowed tracing types are 'jaeger' and '' as of now. - introductionVersion: 7.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BASIC_AUTH_MANAGER: - name: AUTH_BASIC_AUTH_MANAGER - defaultValue: ldap - type: string - description: The authentication manager to check if credentials are valid. Supported - value is 'ldap'. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BASIC_DEBUG_ADDR: - name: AUTH_BASIC_DEBUG_ADDR - defaultValue: 127.0.0.1:9147 - type: string - description: Bind address of the debug server, where metrics, health, config and - debug endpoints will be exposed. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BASIC_DEBUG_PPROF: - name: AUTH_BASIC_DEBUG_PPROF - defaultValue: "false" - type: bool - description: Enables pprof, which can be used for profiling. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BASIC_DEBUG_TOKEN: - name: AUTH_BASIC_DEBUG_TOKEN - defaultValue: "" - type: string - description: Token to secure the metrics endpoint. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BASIC_DEBUG_ZPAGES: - name: AUTH_BASIC_DEBUG_ZPAGES - defaultValue: "false" - type: bool - description: Enables zpages, which can be used for collecting and viewing traces - in-memory. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BASIC_DISABLE_USER_MECHANISM: - name: OC_LDAP_DISABLE_USER_MECHANISM;AUTH_BASIC_DISABLE_USER_MECHANISM - defaultValue: attribute - type: string - description: An option to control the behavior for disabling users. Valid options - are 'none', 'attribute' and 'group'. If set to 'group', disabling a user via API - will add the user to the configured group for disabled users, if set to 'attribute' - this will be done in the ldap user entry, if set to 'none' the disable request - is not processed. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BASIC_DISABLED_USERS_GROUP_DN: - name: OC_LDAP_DISABLED_USERS_GROUP_DN;AUTH_BASIC_DISABLED_USERS_GROUP_DN - defaultValue: cn=DisabledUsersGroup,ou=groups,o=libregraph-idm - type: string - description: The distinguished name of the group to which added users will be classified - as disabled when 'disable_user_mechanism' is set to 'group'. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BASIC_GRPC_ADDR: - name: AUTH_BASIC_GRPC_ADDR - defaultValue: 127.0.0.1:9146 - type: string - description: The bind address of the GRPC service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BASIC_GRPC_PROTOCOL: - name: OC_GRPC_PROTOCOL;AUTH_BASIC_GRPC_PROTOCOL - defaultValue: tcp - type: string - description: The transport protocol of the GRPC service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BASIC_IDP_URL: - name: OC_URL;OC_OIDC_ISSUER;AUTH_BASIC_IDP_URL - defaultValue: https://localhost:9200 - type: string - description: The identity provider value to set in the userids of the CS3 user objects - for users returned by this user provider. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BASIC_JWT_SECRET: - name: OC_JWT_SECRET;AUTH_BASIC_JWT_SECRET - defaultValue: "" - type: string - description: The secret to mint and validate jwt tokens. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BASIC_LDAP_BIND_DN: - name: OC_LDAP_BIND_DN;AUTH_BASIC_LDAP_BIND_DN - defaultValue: uid=reva,ou=sysusers,o=libregraph-idm - type: string - description: LDAP DN to use for simple bind authentication with the target LDAP - server. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BASIC_LDAP_BIND_PASSWORD: - name: OC_LDAP_BIND_PASSWORD;AUTH_BASIC_LDAP_BIND_PASSWORD - defaultValue: "" - type: string - description: Password to use for authenticating the 'bind_dn'. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BASIC_LDAP_CACERT: - name: OC_LDAP_CACERT;AUTH_BASIC_LDAP_CACERT - defaultValue: /var/lib/opencloud/idm/ldap.crt - type: string - description: Path/File name for the root CA certificate (in PEM format) used to - validate TLS server certificates of the LDAP service. If not defined, the root - directory derives from $OC_BASE_DATA_PATH/idm. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BASIC_LDAP_GROUP_BASE_DN: - name: OC_LDAP_GROUP_BASE_DN;AUTH_BASIC_LDAP_GROUP_BASE_DN - defaultValue: ou=groups,o=libregraph-idm - type: string - description: Search base DN for looking up LDAP groups. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BASIC_LDAP_GROUP_FILTER: - name: OC_LDAP_GROUP_FILTER;AUTH_BASIC_LDAP_GROUP_FILTER - defaultValue: "" - type: string - description: LDAP filter to add to the default filters for group searches. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BASIC_LDAP_GROUP_OBJECTCLASS: - name: OC_LDAP_GROUP_OBJECTCLASS;AUTH_BASIC_LDAP_GROUP_OBJECTCLASS - defaultValue: groupOfNames - type: string - description: The object class to use for groups in the default group search filter - ('groupOfNames'). 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BASIC_LDAP_GROUP_SCHEMA_DISPLAYNAME: - name: OC_LDAP_GROUP_SCHEMA_DISPLAYNAME;AUTH_BASIC_LDAP_GROUP_SCHEMA_DISPLAYNAME - defaultValue: cn - type: string - description: LDAP Attribute to use for the displayname of groups (often the same - as groupname attribute). - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BASIC_LDAP_GROUP_SCHEMA_GROUPNAME: - name: OC_LDAP_GROUP_SCHEMA_GROUPNAME;AUTH_BASIC_LDAP_GROUP_SCHEMA_GROUPNAME - defaultValue: cn - type: string - description: LDAP Attribute to use for the name of groups. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BASIC_LDAP_GROUP_SCHEMA_ID: - name: OC_LDAP_GROUP_SCHEMA_ID;AUTH_BASIC_LDAP_GROUP_SCHEMA_ID - defaultValue: ownclouduuid - type: string - description: LDAP Attribute to use as the unique id for groups. This should be a - stable globally unique id (e.g. a UUID). - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BASIC_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING: - name: OC_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING;AUTH_BASIC_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING - defaultValue: "false" - type: bool - description: Set this to true if the defined 'id' attribute for groups is of the - 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute - of Active Directory for the group IDs. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BASIC_LDAP_GROUP_SCHEMA_MAIL: - name: OC_LDAP_GROUP_SCHEMA_MAIL;AUTH_BASIC_LDAP_GROUP_SCHEMA_MAIL - defaultValue: mail - type: string - description: LDAP Attribute to use for the email address of groups (can be empty). 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BASIC_LDAP_GROUP_SCHEMA_MEMBER: - name: OC_LDAP_GROUP_SCHEMA_MEMBER;AUTH_BASIC_LDAP_GROUP_SCHEMA_MEMBER - defaultValue: member - type: string - description: LDAP Attribute that is used for group members. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BASIC_LDAP_GROUP_SCOPE: - name: OC_LDAP_GROUP_SCOPE;AUTH_BASIC_LDAP_GROUP_SCOPE - defaultValue: sub - type: string - description: LDAP search scope to use when looking up groups. Supported values are - 'base', 'one' and 'sub'. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BASIC_LDAP_INSECURE: - name: OC_LDAP_INSECURE;AUTH_BASIC_LDAP_INSECURE - defaultValue: "false" - type: bool - description: Disable TLS certificate validation for the LDAP connections. Do not - set this in production environments. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BASIC_LDAP_LOGIN_ATTRIBUTES: - name: LDAP_LOGIN_ATTRIBUTES;AUTH_BASIC_LDAP_LOGIN_ATTRIBUTES - defaultValue: '[uid]' - type: '[]string' - description: A list of user object attributes that can be used for login. See the - Environment Variable Types description for more details. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BASIC_LDAP_URI: - name: OC_LDAP_URI;AUTH_BASIC_LDAP_URI - defaultValue: ldaps://localhost:9235 - type: string - description: URI of the LDAP Server to connect to. Supported URI schemes are 'ldaps://' - and 'ldap://' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BASIC_LDAP_USER_BASE_DN: - name: OC_LDAP_USER_BASE_DN;AUTH_BASIC_LDAP_USER_BASE_DN - defaultValue: ou=users,o=libregraph-idm - type: string - description: Search base DN for looking up LDAP users. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BASIC_LDAP_USER_ENABLED_ATTRIBUTE: - name: OC_LDAP_USER_ENABLED_ATTRIBUTE;AUTH_BASIC_LDAP_USER_ENABLED_ATTRIBUTE - defaultValue: ownCloudUserEnabled - type: string - description: LDAP attribute to use as a flag telling if the user is enabled or disabled. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BASIC_LDAP_USER_FILTER: - name: OC_LDAP_USER_FILTER;AUTH_BASIC_LDAP_USER_FILTER - defaultValue: "" - type: string - description: LDAP filter to add to the default filters for user search like '(objectclass=ownCloud)'. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BASIC_LDAP_USER_OBJECTCLASS: - name: OC_LDAP_USER_OBJECTCLASS;AUTH_BASIC_LDAP_USER_OBJECTCLASS - defaultValue: inetOrgPerson - type: string - description: The object class to use for users in the default user search filter - ('inetOrgPerson'). - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BASIC_LDAP_USER_SCHEMA_DISPLAYNAME: - name: OC_LDAP_USER_SCHEMA_DISPLAYNAME;AUTH_BASIC_LDAP_USER_SCHEMA_DISPLAYNAME - defaultValue: displayname - type: string - description: LDAP Attribute to use for the displayname of users. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BASIC_LDAP_USER_SCHEMA_ID: - name: OC_LDAP_USER_SCHEMA_ID;AUTH_BASIC_LDAP_USER_SCHEMA_ID - defaultValue: ownclouduuid - type: string - description: LDAP Attribute to use as the unique ID for users. This should be a - stable globally unique ID like a UUID. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BASIC_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING: - name: OC_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING;AUTH_BASIC_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING - defaultValue: "false" - type: bool - description: Set this to true if the defined 'ID' attribute for users is of the - 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute - of Active Directory for the user IDs. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BASIC_LDAP_USER_SCHEMA_MAIL: - name: OC_LDAP_USER_SCHEMA_MAIL;AUTH_BASIC_LDAP_USER_SCHEMA_MAIL - defaultValue: mail - type: string - description: LDAP Attribute to use for the email address of users. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BASIC_LDAP_USER_SCHEMA_USERNAME: - name: OC_LDAP_USER_SCHEMA_USERNAME;AUTH_BASIC_LDAP_USER_SCHEMA_USERNAME - defaultValue: uid - type: string - description: LDAP Attribute to use for username of users. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BASIC_LDAP_USER_SCOPE: - name: OC_LDAP_USER_SCOPE;AUTH_BASIC_LDAP_USER_SCOPE - defaultValue: sub - type: string - description: LDAP search scope to use when looking up users. Supported values are - 'base', 'one' and 'sub'. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BASIC_LOG_COLOR: - name: OC_LOG_COLOR;AUTH_BASIC_LOG_COLOR - defaultValue: "false" - type: bool - description: Activates colorized log output. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BASIC_LOG_FILE: - name: OC_LOG_FILE;AUTH_BASIC_LOG_FILE - defaultValue: "" - type: string - description: The path to the log file. Activates logging to this file if set. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BASIC_LOG_LEVEL: - name: OC_LOG_LEVEL;AUTH_BASIC_LOG_LEVEL - defaultValue: "" - type: string - description: 'The log level. Valid values are: ''panic'', ''fatal'', ''error'', - ''warn'', ''info'', ''debug'', ''trace''.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BASIC_LOG_PRETTY: - name: OC_LOG_PRETTY;AUTH_BASIC_LOG_PRETTY - defaultValue: "false" - type: bool - description: Activates pretty log output. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BASIC_OWNCLOUDSQL_DB_HOST: - name: AUTH_BASIC_OWNCLOUDSQL_DB_HOST - defaultValue: mysql - type: string - description: Hostname of the database server. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BASIC_OWNCLOUDSQL_DB_NAME: - name: AUTH_BASIC_OWNCLOUDSQL_DB_NAME - defaultValue: owncloud - type: string - description: Name of the owncloud database. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BASIC_OWNCLOUDSQL_DB_PASSWORD: - name: AUTH_BASIC_OWNCLOUDSQL_DB_PASSWORD - defaultValue: "" - type: string - description: Password for the database user. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BASIC_OWNCLOUDSQL_DB_PORT: - name: AUTH_BASIC_OWNCLOUDSQL_DB_PORT - defaultValue: "3306" - type: int - description: Network port to use for the database connection. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BASIC_OWNCLOUDSQL_DB_USERNAME: - name: AUTH_BASIC_OWNCLOUDSQL_DB_USERNAME - defaultValue: owncloud - type: string - description: Database user to use for authenticating with the owncloud database. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BASIC_OWNCLOUDSQL_IDP: - name: AUTH_BASIC_OWNCLOUDSQL_IDP - defaultValue: https://localhost:9200 - type: string - description: The identity provider value to set in the userids of the CS3 user objects - for users returned by this user provider. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BASIC_OWNCLOUDSQL_JOIN_OWNCLOUD_UUID: - name: AUTH_BASIC_OWNCLOUDSQL_JOIN_OWNCLOUD_UUID - defaultValue: "false" - type: bool - description: Join the user properties table to read user ID's. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BASIC_OWNCLOUDSQL_JOIN_USERNAME: - name: AUTH_BASIC_OWNCLOUDSQL_JOIN_USERNAME - defaultValue: "false" - type: bool - description: Join the user properties table to read usernames - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BASIC_OWNCLOUDSQL_NOBODY: - name: AUTH_BASIC_OWNCLOUDSQL_NOBODY - defaultValue: "90" - type: int64 - description: Fallback number if no numeric UID and GID properties are provided. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BASIC_SKIP_USER_GROUPS_IN_TOKEN: - name: AUTH_BASIC_SKIP_USER_GROUPS_IN_TOKEN - defaultValue: "false" - type: bool - description: Disables the encoding of the user's group memberships in the reva access - token. This reduces the token size, especially when users are members of a large - number of groups. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BASIC_TRACING_COLLECTOR: - name: OC_TRACING_COLLECTOR;AUTH_BASIC_TRACING_COLLECTOR - defaultValue: "" - type: string - description: The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. 
- Only used if the tracing endpoint is unset. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BASIC_TRACING_ENABLED: - name: OC_TRACING_ENABLED;AUTH_BASIC_TRACING_ENABLED - defaultValue: "false" - type: bool - description: Activates tracing. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BASIC_TRACING_ENDPOINT: - name: OC_TRACING_ENDPOINT;AUTH_BASIC_TRACING_ENDPOINT - defaultValue: "" - type: string - description: The endpoint of the tracing agent. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BASIC_TRACING_TYPE: - name: OC_TRACING_TYPE;AUTH_BASIC_TRACING_TYPE - defaultValue: "" - type: string - description: The type of tracing. Defaults to '', which is the same as 'jaeger'. - Allowed tracing types are 'jaeger' and '' as of now. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BEARER_DEBUG_ADDR: - name: AUTH_BEARER_DEBUG_ADDR - defaultValue: 127.0.0.1:9149 - type: string - description: Bind address of the debug server, where metrics, health, config and - debug endpoints will be exposed. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BEARER_DEBUG_PPROF: - name: AUTH_BEARER_DEBUG_PPROF - defaultValue: "false" - type: bool - description: Enables pprof, which can be used for profiling. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BEARER_DEBUG_TOKEN: - name: AUTH_BEARER_DEBUG_TOKEN - defaultValue: "" - type: string - description: Token to secure the metrics endpoint. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BEARER_DEBUG_ZPAGES: - name: AUTH_BEARER_DEBUG_ZPAGES - defaultValue: "false" - type: bool - description: Enables zpages, which can be used for collecting and viewing in-memory - traces. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BEARER_GRPC_ADDR: - name: AUTH_BEARER_GRPC_ADDR - defaultValue: 127.0.0.1:9148 - type: string - description: The bind address of the GRPC service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BEARER_GRPC_PROTOCOL: - name: OC_GRPC_PROTOCOL;AUTH_BEARER_GRPC_PROTOCOL - defaultValue: tcp - type: string - description: The transport protocol of the GRPC service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BEARER_JWT_SECRET: - name: OC_JWT_SECRET;AUTH_BEARER_JWT_SECRET - defaultValue: "" - type: string - description: The secret to mint and validate jwt tokens. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BEARER_LOG_COLOR: - name: OC_LOG_COLOR;AUTH_BEARER_LOG_COLOR - defaultValue: "false" - type: bool - description: Activates colorized log output. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BEARER_LOG_FILE: - name: OC_LOG_FILE;AUTH_BEARER_LOG_FILE - defaultValue: "" - type: string - description: The path to the log file. Activates logging to this file if set. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BEARER_LOG_LEVEL: - name: OC_LOG_LEVEL;AUTH_BEARER_LOG_LEVEL - defaultValue: "" - type: string - description: 'The log level. Valid values are: ''panic'', ''fatal'', ''error'', - ''warn'', ''info'', ''debug'', ''trace''.' 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BEARER_LOG_PRETTY: - name: OC_LOG_PRETTY;AUTH_BEARER_LOG_PRETTY - defaultValue: "false" - type: bool - description: Activates pretty log output. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BEARER_OIDC_GID_CLAIM: - name: AUTH_BEARER_OIDC_GID_CLAIM - defaultValue: "" - type: string - description: Name of the claim, which holds the GID. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BEARER_OIDC_ID_CLAIM: - name: AUTH_BEARER_OIDC_ID_CLAIM - defaultValue: preferred_username - type: string - description: Name of the claim, which holds the user identifier. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BEARER_OIDC_INSECURE: - name: OC_INSECURE;AUTH_BEARER_OIDC_INSECURE - defaultValue: "false" - type: bool - description: Allow insecure connections to the OIDC issuer. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BEARER_OIDC_ISSUER: - name: OC_URL;OC_OIDC_ISSUER;AUTH_BEARER_OIDC_ISSUER - defaultValue: https://localhost:9200 - type: string - description: URL of the OIDC issuer. It defaults to URL of the builtin IDP. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BEARER_OIDC_UID_CLAIM: - name: AUTH_BEARER_OIDC_UID_CLAIM - defaultValue: "" - type: string - description: Name of the claim, which holds the UID. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BEARER_SKIP_USER_GROUPS_IN_TOKEN: - name: AUTH_BEARER_SKIP_USER_GROUPS_IN_TOKEN - defaultValue: "false" - type: bool - description: Disables the encoding of the user's group memberships in the reva access - token. 
This reduces the token size, especially when users are members of a large - number of groups. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BEARER_TRACING_COLLECTOR: - name: OC_TRACING_COLLECTOR;AUTH_BEARER_TRACING_COLLECTOR - defaultValue: "" - type: string - description: The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. - Only used if the tracing endpoint is unset. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BEARER_TRACING_ENABLED: - name: OC_TRACING_ENABLED;AUTH_BEARER_TRACING_ENABLED - defaultValue: "false" - type: bool - description: Activates tracing. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BEARER_TRACING_ENDPOINT: - name: OC_TRACING_ENDPOINT;AUTH_BEARER_TRACING_ENDPOINT - defaultValue: "" - type: string - description: The endpoint of the tracing agent. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_BEARER_TRACING_TYPE: - name: OC_TRACING_TYPE;AUTH_BEARER_TRACING_TYPE - defaultValue: "" - type: string - description: The type of tracing. Defaults to '', which is the same as 'jaeger'. - Allowed tracing types are 'jaeger' and '' as of now. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_MACHINE_API_KEY: - name: OC_MACHINE_AUTH_API_KEY;AUTH_MACHINE_API_KEY - defaultValue: "" - type: string - description: Machine auth API key used to validate internal requests necessary for - the access to resources from other services. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_MACHINE_DEBUG_ADDR: - name: AUTH_MACHINE_DEBUG_ADDR - defaultValue: 127.0.0.1:9167 - type: string - description: Bind address of the debug server, where metrics, health, config and - debug endpoints will be exposed. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_MACHINE_DEBUG_PPROF: - name: AUTH_MACHINE_DEBUG_PPROF - defaultValue: "false" - type: bool - description: Enables pprof, which can be used for profiling. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_MACHINE_DEBUG_TOKEN: - name: AUTH_MACHINE_DEBUG_TOKEN - defaultValue: "" - type: string - description: Token to secure the metrics endpoint. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_MACHINE_DEBUG_ZPAGES: - name: AUTH_MACHINE_DEBUG_ZPAGES - defaultValue: "false" - type: bool - description: Enables zpages, which can be used for collecting and viewing in-memory - traces. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_MACHINE_GRPC_ADDR: - name: AUTH_MACHINE_GRPC_ADDR - defaultValue: 127.0.0.1:9166 - type: string - description: The bind address of the GRPC service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_MACHINE_GRPC_PROTOCOL: - name: OC_GRPC_PROTOCOL;AUTH_MACHINE_GRPC_PROTOCOL - defaultValue: tcp - type: string - description: The transport protocol of the GRPC service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_MACHINE_JWT_SECRET: - name: OC_JWT_SECRET;AUTH_MACHINE_JWT_SECRET - defaultValue: "" - type: string - description: The secret to mint and validate jwt tokens. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_MACHINE_LOG_COLOR: - name: OC_LOG_COLOR;AUTH_MACHINE_LOG_COLOR - defaultValue: "false" - type: bool - description: Activates colorized log output. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_MACHINE_LOG_FILE: - name: OC_LOG_FILE;AUTH_MACHINE_LOG_FILE - defaultValue: "" - type: string - description: The path to the log file. Activates logging to this file if set. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_MACHINE_LOG_LEVEL: - name: OC_LOG_LEVEL;AUTH_MACHINE_LOG_LEVEL - defaultValue: "" - type: string - description: 'The log level. Valid values are: ''panic'', ''fatal'', ''error'', - ''warn'', ''info'', ''debug'', ''trace''.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_MACHINE_LOG_PRETTY: - name: OC_LOG_PRETTY;AUTH_MACHINE_LOG_PRETTY - defaultValue: "false" - type: bool - description: Activates pretty log output. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_MACHINE_SKIP_USER_GROUPS_IN_TOKEN: - name: AUTH_MACHINE_SKIP_USER_GROUPS_IN_TOKEN - defaultValue: "false" - type: bool - description: Disables the encoding of the user's group memberships in the reva access - token. This reduces the token size, especially when users are members of a large - number of groups. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_MACHINE_TRACING_COLLECTOR: - name: OC_TRACING_COLLECTOR;AUTH_MACHINE_TRACING_COLLECTOR - defaultValue: "" - type: string - description: The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. - Only used if the tracing endpoint is unset. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_MACHINE_TRACING_ENABLED: - name: OC_TRACING_ENABLED;AUTH_MACHINE_TRACING_ENABLED - defaultValue: "false" - type: bool - description: Activates tracing. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_MACHINE_TRACING_ENDPOINT: - name: OC_TRACING_ENDPOINT;AUTH_MACHINE_TRACING_ENDPOINT - defaultValue: "" - type: string - description: The endpoint of the tracing agent. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_MACHINE_TRACING_TYPE: - name: OC_TRACING_TYPE;AUTH_MACHINE_TRACING_TYPE - defaultValue: "" - type: string - description: The type of tracing. Defaults to '', which is the same as 'jaeger'. - Allowed tracing types are 'jaeger' and '' as of now. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_SERVICE_DEBUG_ADDR: - name: AUTH_SERVICE_DEBUG_ADDR - defaultValue: 127.0.0.1:9198 - type: string - description: Bind address of the debug server, where metrics, health, config and - debug endpoints will be exposed. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_SERVICE_DEBUG_PPROF: - name: AUTH_SERVICE_DEBUG_PPROF - defaultValue: "false" - type: bool - description: Enables pprof, which can be used for profiling. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_SERVICE_DEBUG_TOKEN: - name: AUTH_SERVICE_DEBUG_TOKEN - defaultValue: "" - type: string - description: Token to secure the metrics endpoint. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_SERVICE_DEBUG_ZPAGES: - name: AUTH_SERVICE_DEBUG_ZPAGES - defaultValue: "false" - type: bool - description: Enables zpages, which can be used for collecting and viewing in-memory - traces. 
- introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_SERVICE_GRPC_ADDR: - name: AUTH_SERVICE_GRPC_ADDR - defaultValue: 127.0.0.1:9199 - type: string - description: The bind address of the GRPC service. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_SERVICE_GRPC_PROTOCOL: - name: OC_GRPC_PROTOCOL;AUTH_SERVICE_GRPC_PROTOCOL - defaultValue: tcp - type: string - description: The transport protocol of the GRPC service. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_SERVICE_JWT_SECRET: - name: OC_JWT_SECRET;AUTH_SERVICE_JWT_SECRET - defaultValue: "" - type: string - description: The secret to mint and validate jwt tokens. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_SERVICE_LOG_COLOR: - name: OC_LOG_COLOR;AUTH_SERVICE_LOG_COLOR - defaultValue: "false" - type: bool - description: Activates colorized log output. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_SERVICE_LOG_FILE: - name: OC_LOG_FILE;AUTH_SERVICE_LOG_FILE - defaultValue: "" - type: string - description: The path to the log file. Activates logging to this file if set. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_SERVICE_LOG_LEVEL: - name: OC_LOG_LEVEL;AUTH_SERVICE_LOG_LEVEL - defaultValue: "" - type: string - description: 'The log level. Valid values are: ''panic'', ''fatal'', ''error'', - ''warn'', ''info'', ''debug'', ''trace''.' - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_SERVICE_LOG_PRETTY: - name: OC_LOG_PRETTY;AUTH_SERVICE_LOG_PRETTY - defaultValue: "false" - type: bool - description: Activates pretty log output. 
- introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_SERVICE_SERVICE_ACCOUNT_ID: - name: OC_SERVICE_ACCOUNT_ID;AUTH_SERVICE_SERVICE_ACCOUNT_ID - defaultValue: "" - type: string - description: The ID of the service account the service should use. See the 'auth-service' - service description for more details. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_SERVICE_SERVICE_ACCOUNT_SECRET: - name: OC_SERVICE_ACCOUNT_SECRET;AUTH_SERVICE_SERVICE_ACCOUNT_SECRET - defaultValue: "" - type: string - description: The service account secret. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_SERVICE_TRACING_COLLECTOR: - name: OC_TRACING_COLLECTOR;AUTH_SERVICE_TRACING_COLLECTOR - defaultValue: "" - type: string - description: The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. - Only used if the tracing endpoint is unset. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_SERVICE_TRACING_ENABLED: - name: OC_TRACING_ENABLED;AUTH_SERVICE_TRACING_ENABLED - defaultValue: "false" - type: bool - description: Activates tracing. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_SERVICE_TRACING_ENDPOINT: - name: OC_TRACING_ENDPOINT;AUTH_SERVICE_TRACING_ENDPOINT - defaultValue: "" - type: string - description: The endpoint of the tracing agent. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -AUTH_SERVICE_TRACING_TYPE: - name: OC_TRACING_TYPE;AUTH_SERVICE_TRACING_TYPE - defaultValue: "" - type: string - description: The type of tracing. Defaults to '', which is the same as 'jaeger'. - Allowed tracing types are 'jaeger' and '' as of now. 
- introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -CLIENTLOG_DEBUG_ADDR: - name: CLIENTLOG_DEBUG_ADDR - defaultValue: 127.0.0.1:9260 - type: string - description: Bind address of the debug server, where metrics, health, config and - debug endpoints will be exposed. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -CLIENTLOG_DEBUG_PPROF: - name: CLIENTLOG_DEBUG_PPROF - defaultValue: "false" - type: bool - description: Enables pprof, which can be used for profiling. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -CLIENTLOG_DEBUG_TOKEN: - name: CLIENTLOG_DEBUG_TOKEN - defaultValue: "" - type: string - description: Token to secure the metrics endpoint. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -CLIENTLOG_DEBUG_ZPAGES: - name: CLIENTLOG_DEBUG_ZPAGES - defaultValue: "false" - type: bool - description: Enables zpages, which can be used for collecting and viewing in-memory - traces. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -CLIENTLOG_EVENTS_AUTH_PASSWORD: - name: OC_EVENTS_AUTH_PASSWORD;CLIENTLOG_EVENTS_AUTH_PASSWORD - defaultValue: "" - type: string - description: The password to authenticate with the events broker. The events broker - is the OpenCloud service which receives and delivers events between the services. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -CLIENTLOG_EVENTS_AUTH_USERNAME: - name: OC_EVENTS_AUTH_USERNAME;CLIENTLOG_EVENTS_AUTH_USERNAME - defaultValue: "" - type: string - description: The username to authenticate with the events broker. The events broker - is the OpenCloud service which receives and delivers events between the services. 
- introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -CLIENTLOG_EVENTS_CLUSTER: - name: OC_EVENTS_CLUSTER;CLIENTLOG_EVENTS_CLUSTER - defaultValue: opencloud-cluster - type: string - description: The clusterID of the event system. The event system is the message - queuing service. It is used as message broker for the microservice architecture. - Mandatory when using NATS as event system. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -CLIENTLOG_EVENTS_ENABLE_TLS: - name: OC_EVENTS_ENABLE_TLS;CLIENTLOG_EVENTS_ENABLE_TLS - defaultValue: "false" - type: bool - description: Enable TLS for the connection to the events broker. The events broker - is the OpenCloud service which receives and delivers events between the services. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -CLIENTLOG_EVENTS_ENDPOINT: - name: OC_EVENTS_ENDPOINT;CLIENTLOG_EVENTS_ENDPOINT - defaultValue: 127.0.0.1:9233 - type: string - description: The address of the event system. The event system is the message queuing - service. It is used as message broker for the microservice architecture. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -CLIENTLOG_EVENTS_TLS_INSECURE: - name: OC_INSECURE;CLIENTLOG_EVENTS_TLS_INSECURE - defaultValue: "false" - type: bool - description: Whether to verify the server TLS certificates. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -CLIENTLOG_EVENTS_TLS_ROOT_CA_CERTIFICATE: - name: OC_EVENTS_TLS_ROOT_CA_CERTIFICATE;CLIENTLOG_EVENTS_TLS_ROOT_CA_CERTIFICATE - defaultValue: "" - type: string - description: The root CA certificate used to validate the server's TLS certificate. - If provided NOTIFICATIONS_EVENTS_TLS_INSECURE will be seen as false. 
- introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -CLIENTLOG_JWT_SECRET: - name: OC_JWT_SECRET;CLIENTLOG_JWT_SECRET - defaultValue: "" - type: string - description: The secret to mint and validate jwt tokens. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -CLIENTLOG_REVA_GATEWAY: - name: OC_REVA_GATEWAY;CLIENTLOG_REVA_GATEWAY - defaultValue: eu.opencloud.api.gateway - type: string - description: CS3 gateway used to look up user metadata - introductionVersion: "5.0" - deprecationVersion: "6.0" - removalVersion: '%%NEXT_PRODUCTION_VERSION%%' - deprecationInfo: CLIENTLOG_REVA_GATEWAY removed for simplicity. -CLIENTLOG_SERVICE_ACCOUNT_ID: - name: OC_SERVICE_ACCOUNT_ID;CLIENTLOG_SERVICE_ACCOUNT_ID - defaultValue: "" - type: string - description: The ID of the service account the service should use. See the 'auth-service' - service description for more details. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -CLIENTLOG_SERVICE_ACCOUNT_SECRET: - name: OC_SERVICE_ACCOUNT_SECRET;CLIENTLOG_SERVICE_ACCOUNT_SECRET - defaultValue: "" - type: string - description: The service account secret. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -CLIENTLOG_TRACING_COLLECTOR: - name: OC_TRACING_COLLECTOR;CLIENTLOG_TRACING_COLLECTOR - defaultValue: "" - type: string - description: The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. - Only used if the tracing endpoint is unset. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -CLIENTLOG_TRACING_ENABLED: - name: OC_TRACING_ENABLED;CLIENTLOG_TRACING_ENABLED - defaultValue: "false" - type: bool - description: Activates tracing. 
- introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -CLIENTLOG_TRACING_ENDPOINT: - name: OC_TRACING_ENDPOINT;CLIENTLOG_TRACING_ENDPOINT - defaultValue: "" - type: string - description: The endpoint of the tracing agent. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -CLIENTLOG_TRACING_TYPE: - name: OC_TRACING_TYPE;CLIENTLOG_TRACING_TYPE - defaultValue: "" - type: string - description: The type of tracing. Defaults to '', which is the same as 'jaeger'. - Allowed tracing types are 'jaeger' and '' as of now. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -CLIENTLOG_USERLOG_LOG_COLOR: - name: OC_LOG_COLOR;CLIENTLOG_USERLOG_LOG_COLOR - defaultValue: "false" - type: bool - description: Activates colorized log output. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -CLIENTLOG_USERLOG_LOG_FILE: - name: OC_LOG_FILE;CLIENTLOG_USERLOG_LOG_FILE - defaultValue: "" - type: string - description: The path to the log file. Activates logging to this file if set. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -CLIENTLOG_USERLOG_LOG_LEVEL: - name: OC_LOG_LEVEL;CLIENTLOG_USERLOG_LOG_LEVEL - defaultValue: "" - type: string - description: 'The log level. Valid values are: ''panic'', ''fatal'', ''error'', - ''warn'', ''info'', ''debug'', ''trace''.' - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -CLIENTLOG_USERLOG_LOG_PRETTY: - name: OC_LOG_PRETTY;CLIENTLOG_USERLOG_LOG_PRETTY - defaultValue: "false" - type: bool - description: Activates pretty log output. 
- introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -COLLABORATION_APP_ADDR: - name: COLLABORATION_APP_ADDR - defaultValue: https://127.0.0.1:9980 - type: string - description: The URL where the WOPI app is located, such as https://127.0.0.1:8080. - introductionVersion: 6.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -COLLABORATION_APP_DESCRIPTION: - name: COLLABORATION_APP_DESCRIPTION - defaultValue: Open office documents with Collabora - type: string - description: App description - introductionVersion: 6.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -COLLABORATION_APP_ICON: - name: COLLABORATION_APP_ICON - defaultValue: image-edit - type: string - description: Icon for the app - introductionVersion: 6.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -COLLABORATION_APP_INSECURE: - name: COLLABORATION_APP_INSECURE - defaultValue: "false" - type: bool - description: Skip TLS certificate verification when connecting to the WOPI app - introductionVersion: 6.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -COLLABORATION_APP_LICENSE_CHECK_ENABLE: - name: COLLABORATION_APP_LICENSE_CHECK_ENABLE - defaultValue: "false" - type: bool - description: Enable license checking to edit files. Needs to be enabled when using - Microsoft365 with the business flow. - introductionVersion: 7.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -COLLABORATION_APP_NAME: - name: COLLABORATION_APP_NAME - defaultValue: Collabora - type: string - description: The name of the app which is shown to the user. You can chose freely - but you are limited to a single word without special characters or whitespaces. - We recommend to use pascalCase like 'CollaboraOnline'. 
- introductionVersion: 6.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -COLLABORATION_APP_PRODUCT: - name: COLLABORATION_APP_PRODUCT - defaultValue: "" - type: string - description: The WebOffice app, either Collabora, OnlyOffice, Microsoft365 or MicrosoftOfficeOnline. - introductionVersion: 7.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -COLLABORATION_APP_PROOF_DISABLE: - name: COLLABORATION_APP_PROOF_DISABLE - defaultValue: "false" - type: bool - description: Disable the proof keys verification - introductionVersion: 6.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -COLLABORATION_APP_PROOF_DURATION: - name: COLLABORATION_APP_PROOF_DURATION - defaultValue: 12h - type: string - description: Duration for the proof keys to be cached in memory, using time.ParseDuration - format. If the duration can't be parsed, we'll use the default 12h as duration - introductionVersion: 6.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -COLLABORATION_CS3API_DATAGATEWAY_INSECURE: - name: COLLABORATION_CS3API_DATAGATEWAY_INSECURE - defaultValue: "false" - type: bool - description: Connect to the CS3API data gateway insecurely. - introductionVersion: 6.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -COLLABORATION_DEBUG_ADDR: - name: COLLABORATION_DEBUG_ADDR - defaultValue: 127.0.0.1:9304 - type: string - description: Bind address of the debug server, where metrics, health, config and - debug endpoints will be exposed. - introductionVersion: 6.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -COLLABORATION_DEBUG_PPROF: - name: COLLABORATION_DEBUG_PPROF - defaultValue: "false" - type: bool - description: Enables pprof, which can be used for profiling. 
- introductionVersion: 6.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -COLLABORATION_DEBUG_TOKEN: - name: COLLABORATION_DEBUG_TOKEN - defaultValue: "" - type: string - description: Token to secure the metrics endpoint. - introductionVersion: 6.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -COLLABORATION_DEBUG_ZPAGES: - name: COLLABORATION_DEBUG_ZPAGES - defaultValue: "false" - type: bool - description: Enables zpages, which can be used for collecting and viewing in-memory - traces. - introductionVersion: 6.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -COLLABORATION_GRPC_ADDR: - name: COLLABORATION_GRPC_ADDR - defaultValue: 127.0.0.1:9301 - type: string - description: The bind address of the GRPC service. - introductionVersion: 6.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -COLLABORATION_GRPC_PROTOCOL: - name: OC_GRPC_PROTOCOL;COLLABORATION_GRPC_PROTOCOL - defaultValue: tcp - type: string - description: The transport protocol of the GRPC service. - introductionVersion: 7.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -COLLABORATION_HTTP_ADDR: - name: COLLABORATION_HTTP_ADDR - defaultValue: 127.0.0.1:9300 - type: string - description: The bind address of the HTTP service. - introductionVersion: 6.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -COLLABORATION_JWT_SECRET: - name: OC_JWT_SECRET;COLLABORATION_JWT_SECRET - defaultValue: "" - type: string - description: The secret to mint and validate jwt tokens. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -COLLABORATION_LOG_COLOR: - name: OC_LOG_COLOR;COLLABORATION_LOG_COLOR - defaultValue: "false" - type: bool - description: Activates colorized log output. 
- introductionVersion: 6.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -COLLABORATION_LOG_FILE: - name: OC_LOG_FILE;COLLABORATION_LOG_FILE - defaultValue: "" - type: string - description: The path to the log file. Activates logging to this file if set. - introductionVersion: 6.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -COLLABORATION_LOG_LEVEL: - name: OC_LOG_LEVEL;COLLABORATION_LOG_LEVEL - defaultValue: "" - type: string - description: 'The log level. Valid values are: ''panic'', ''fatal'', ''error'', - ''warn'', ''info'', ''debug'', ''trace''.' - introductionVersion: 6.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -COLLABORATION_LOG_PRETTY: - name: OC_LOG_PRETTY;COLLABORATION_LOG_PRETTY - defaultValue: "false" - type: bool - description: Activates pretty log output. - introductionVersion: 6.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -COLLABORATION_STORE: - name: OC_PERSISTENT_STORE;COLLABORATION_STORE - defaultValue: nats-js-kv - type: string - description: 'The type of the store. Supported values are: ''memory'', ''nats-js-kv'', - ''redis-sentinel'', ''noop''. See the text description for details.' - introductionVersion: 7.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -COLLABORATION_STORE_AUTH_PASSWORD: - name: OC_PERSISTENT_STORE_AUTH_PASSWORD;COLLABORATION_STORE_AUTH_PASSWORD - defaultValue: "" - type: string - description: The password to authenticate with the store. Only applies when store - type 'nats-js-kv' is configured. - introductionVersion: 7.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -COLLABORATION_STORE_AUTH_USERNAME: - name: OC_PERSISTENT_STORE_AUTH_USERNAME;COLLABORATION_STORE_AUTH_USERNAME - defaultValue: "" - type: string - description: The username to authenticate with the store. Only applies when store - type 'nats-js-kv' is configured. 
- introductionVersion: 7.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -COLLABORATION_STORE_DATABASE: - name: COLLABORATION_STORE_DATABASE - defaultValue: collaboration - type: string - description: The database name the configured store should use. - introductionVersion: 7.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -COLLABORATION_STORE_NODES: - name: OC_PERSISTENT_STORE_NODES;COLLABORATION_STORE_NODES - defaultValue: '[127.0.0.1:9233]' - type: '[]string' - description: A list of nodes to access the configured store. This has no effect - when 'memory' store is configured. Note that the behaviour how nodes are used - is dependent on the library of the configured store. See the Environment Variable - Types description for more details. - introductionVersion: 7.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -COLLABORATION_STORE_TABLE: - name: COLLABORATION_STORE_TABLE - defaultValue: "" - type: string - description: The database table the store should use. - introductionVersion: 7.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -COLLABORATION_STORE_TTL: - name: OC_PERSISTENT_STORE_TTL;COLLABORATION_STORE_TTL - defaultValue: 30m0s - type: Duration - description: Time to live for events in the store. Defaults to '30m' (30 minutes). - See the Environment Variable Types description for more details. - introductionVersion: 7.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -COLLABORATION_TRACING_COLLECTOR: - name: OC_TRACING_COLLECTOR;COLLABORATION_TRACING_COLLECTOR - defaultValue: "" - type: string - description: The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. - Only used if the tracing endpoint is unset. 
- introductionVersion: 6.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -COLLABORATION_TRACING_ENABLED: - name: OC_TRACING_ENABLED;COLLABORATION_TRACING_ENABLED - defaultValue: "false" - type: bool - description: Activates tracing. - introductionVersion: 6.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -COLLABORATION_TRACING_ENDPOINT: - name: OC_TRACING_ENDPOINT;COLLABORATION_TRACING_ENDPOINT - defaultValue: "" - type: string - description: The endpoint of the tracing agent. - introductionVersion: 6.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -COLLABORATION_TRACING_TYPE: - name: OC_TRACING_TYPE;COLLABORATION_TRACING_TYPE - defaultValue: "" - type: string - description: The type of tracing. Defaults to '', which is the same as 'jaeger'. - Allowed tracing types are 'jaeger' and '' as of now. - introductionVersion: 6.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -COLLABORATION_WOPI_DISABLE_CHAT: - name: COLLABORATION_WOPI_DISABLE_CHAT;OC_WOPI_DISABLE_CHAT - defaultValue: "false" - type: bool - description: Disable chat in the office web frontend. This feature applies to OnlyOffice - and Microsoft. - introductionVersion: 7.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -COLLABORATION_WOPI_PROXY_SECRET: - name: COLLABORATION_WOPI_PROXY_SECRET - defaultValue: "" - type: string - description: Optional, the secret to authenticate against the OpenCloud WOPI proxy. - This secret can be obtained from OpenCloud via the office365 proxy subscription. - introductionVersion: 7.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -COLLABORATION_WOPI_PROXY_URL: - name: COLLABORATION_WOPI_PROXY_URL - defaultValue: "" - type: string - description: The URL to the OpenCloud WOPI proxy. Optional. To use this feature, - you need an office365 proxy subscription. 
If you become part of the Microsoft - CSP program (https://learn.microsoft.com/en-us/partner-center/enroll/csp-overview), - you can use WebOffice without a proxy. - introductionVersion: 7.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -COLLABORATION_WOPI_SECRET: - name: COLLABORATION_WOPI_SECRET - defaultValue: "" - type: string - description: Used to mint and verify WOPI JWT tokens and encrypt and decrypt the - REVA JWT token embedded in the WOPI JWT token. - introductionVersion: 6.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -COLLABORATION_WOPI_SHORTTOKENS: - name: COLLABORATION_WOPI_SHORTTOKENS - defaultValue: "false" - type: bool - description: Use short access tokens for WOPI access. This is useful for office - packages, like Microsoft Office Online, which have URL length restrictions. If - enabled, a persistent store must be configured. - introductionVersion: 7.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -COLLABORATION_WOPI_SRC: - name: COLLABORATION_WOPI_SRC - defaultValue: https://localhost:9300 - type: string - description: The WOPI source base URL containing schema, host and port. Set this - to the schema and domain where the collaboration service is reachable for the - wopi app, such as https://office.example.test. - introductionVersion: 6.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -EVENTHISTORY_DEBUG_ADDR: - name: EVENTHISTORY_DEBUG_ADDR - defaultValue: 127.0.0.1:9270 - type: string - description: Bind address of the debug server, where metrics, health, config and - debug endpoints will be exposed. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -EVENTHISTORY_DEBUG_PPROF: - name: EVENTHISTORY_DEBUG_PPROF - defaultValue: "false" - type: bool - description: Enables pprof, which can be used for profiling. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -EVENTHISTORY_DEBUG_TOKEN: - name: EVENTHISTORY_DEBUG_TOKEN - defaultValue: "" - type: string - description: Token to secure the metrics endpoint. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -EVENTHISTORY_DEBUG_ZPAGES: - name: EVENTHISTORY_DEBUG_ZPAGES - defaultValue: "false" - type: bool - description: Enables zpages, which can be used for collecting and viewing in-memory - traces. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -EVENTHISTORY_EVENTS_AUTH_PASSWORD: - name: OC_EVENTS_AUTH_PASSWORD;EVENTHISTORY_EVENTS_AUTH_PASSWORD - defaultValue: "" - type: string - description: The password to authenticate with the events broker. The events broker - is the OpenCloud service which receives and delivers events between the services. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -EVENTHISTORY_EVENTS_AUTH_USERNAME: - name: OC_EVENTS_AUTH_USERNAME;EVENTHISTORY_EVENTS_AUTH_USERNAME - defaultValue: "" - type: string - description: The username to authenticate with the events broker. The events broker - is the OpenCloud service which receives and delivers events between the services. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -EVENTHISTORY_EVENTS_CLUSTER: - name: OC_EVENTS_CLUSTER;EVENTHISTORY_EVENTS_CLUSTER - defaultValue: opencloud-cluster - type: string - description: The clusterID of the event system. The event system is the message - queuing service. It is used as message broker for the microservice architecture. - Mandatory when using NATS as event system. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -EVENTHISTORY_EVENTS_ENABLE_TLS: - name: OC_EVENTS_ENABLE_TLS;EVENTHISTORY_EVENTS_ENABLE_TLS - defaultValue: "false" - type: bool - description: Enable TLS for the connection to the events broker. The events broker - is the OpenCloud service which receives and delivers events between the services. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -EVENTHISTORY_EVENTS_ENDPOINT: - name: OC_EVENTS_ENDPOINT;EVENTHISTORY_EVENTS_ENDPOINT - defaultValue: 127.0.0.1:9233 - type: string - description: The address of the event system. The event system is the message queuing - service. It is used as message broker for the microservice architecture. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -EVENTHISTORY_EVENTS_TLS_INSECURE: - name: OC_INSECURE;EVENTHISTORY_EVENTS_TLS_INSECURE - defaultValue: "false" - type: bool - description: Whether to verify the server TLS certificates. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -EVENTHISTORY_EVENTS_TLS_ROOT_CA_CERTIFICATE: - name: OC_EVENTS_TLS_ROOT_CA_CERTIFICATE;EVENTHISTORY_EVENTS_TLS_ROOT_CA_CERTIFICATE - defaultValue: "" - type: string - description: The root CA certificate used to validate the server's TLS certificate. - Will be seen as empty if NOTIFICATIONS_EVENTS_TLS_INSECURE is provided. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -EVENTHISTORY_GRPC_ADDR: - name: EVENTHISTORY_GRPC_ADDR - defaultValue: 127.0.0.1:9274 - type: string - description: The bind address of the GRPC service. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -EVENTHISTORY_LOG_COLOR: - name: OC_LOG_COLOR;EVENTHISTORY_LOG_COLOR - defaultValue: "false" - type: bool - description: Activates colorized log output. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -EVENTHISTORY_LOG_FILE: - name: OC_LOG_FILE;EVENTHISTORY_LOG_FILE - defaultValue: "" - type: string - description: The path to the log file. Activates logging to this file if set. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -EVENTHISTORY_LOG_LEVEL: - name: OC_LOG_LEVEL;EVENTHISTORY_LOG_LEVEL - defaultValue: "" - type: string - description: 'The log level. Valid values are: ''panic'', ''fatal'', ''error'', - ''warn'', ''info'', ''debug'', ''trace''.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -EVENTHISTORY_LOG_PRETTY: - name: OC_LOG_PRETTY;EVENTHISTORY_LOG_PRETTY - defaultValue: "false" - type: bool - description: Activates pretty log output. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -EVENTHISTORY_STORE: - name: OC_PERSISTENT_STORE;EVENTHISTORY_STORE - defaultValue: nats-js-kv - type: string - description: 'The type of the store. Supported values are: ''memory'', ''nats-js-kv'', - ''redis-sentinel'', ''noop''. See the text description for details.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -EVENTHISTORY_STORE_AUTH_PASSWORD: - name: OC_PERSISTENT_STORE_AUTH_PASSWORD;EVENTHISTORY_STORE_AUTH_PASSWORD - defaultValue: "" - type: string - description: The password to authenticate with the store. Only applies when store - type 'nats-js-kv' is configured. 
- introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -EVENTHISTORY_STORE_AUTH_USERNAME: - name: OC_PERSISTENT_STORE_AUTH_USERNAME;EVENTHISTORY_STORE_AUTH_USERNAME - defaultValue: "" - type: string - description: The username to authenticate with the store. Only applies when store - type 'nats-js-kv' is configured. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -EVENTHISTORY_STORE_DATABASE: - name: EVENTHISTORY_STORE_DATABASE - defaultValue: eventhistory - type: string - description: The database name the configured store should use. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -EVENTHISTORY_STORE_NODES: - name: OC_PERSISTENT_STORE_NODES;EVENTHISTORY_STORE_NODES - defaultValue: '[127.0.0.1:9233]' - type: '[]string' - description: A list of nodes to access the configured store. This has no effect - when 'memory' store is configured. Note that the behaviour how nodes are used - is dependent on the library of the configured store. See the Environment Variable - Types description for more details. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -EVENTHISTORY_STORE_TABLE: - name: EVENTHISTORY_STORE_TABLE - defaultValue: "" - type: string - description: The database table the store should use. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -EVENTHISTORY_STORE_TTL: - name: OC_PERSISTENT_STORE_TTL;EVENTHISTORY_STORE_TTL - defaultValue: 336h0m0s - type: Duration - description: Time to live for events in the store. Defaults to '336h' (2 weeks). - See the Environment Variable Types description for more details. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -EVENTHISTORY_TRACING_COLLECTOR: - name: OC_TRACING_COLLECTOR;EVENTHISTORY_TRACING_COLLECTOR - defaultValue: "" - type: string - description: The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. - Only used if the tracing endpoint is unset. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -EVENTHISTORY_TRACING_ENABLED: - name: OC_TRACING_ENABLED;EVENTHISTORY_TRACING_ENABLED - defaultValue: "false" - type: bool - description: Activates tracing. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -EVENTHISTORY_TRACING_ENDPOINT: - name: OC_TRACING_ENDPOINT;EVENTHISTORY_TRACING_ENDPOINT - defaultValue: "" - type: string - description: The endpoint of the tracing agent. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -EVENTHISTORY_TRACING_TYPE: - name: OC_TRACING_TYPE;EVENTHISTORY_TRACING_TYPE - defaultValue: "" - type: string - description: The type of tracing. Defaults to '', which is the same as 'jaeger'. - Allowed tracing types are 'jaeger' and '' as of now. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -FRONTEND_APP_HANDLER_INSECURE: - name: OC_INSECURE;FRONTEND_APP_HANDLER_INSECURE - defaultValue: "false" - type: bool - description: Allow insecure connections to the frontend. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -FRONTEND_APP_HANDLER_SECURE_VIEW_APP_ADDR: - name: FRONTEND_APP_HANDLER_SECURE_VIEW_APP_ADDR - defaultValue: eu.opencloud.api.collaboration - type: string - description: Service name or address of the app provider to use for secure view. - Should match the service name or address of the registered CS3 app provider. 
- introductionVersion: 6.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -FRONTEND_ARCHIVER_INSECURE: - name: OC_INSECURE;FRONTEND_ARCHIVER_INSECURE - defaultValue: "false" - type: bool - description: Allow insecure connections to the archiver. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -FRONTEND_ARCHIVER_MAX_NUM_FILES: - name: FRONTEND_ARCHIVER_MAX_NUM_FILES - defaultValue: "10000" - type: int64 - description: Max number of files that can be packed into an archive. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -FRONTEND_ARCHIVER_MAX_SIZE: - name: FRONTEND_ARCHIVER_MAX_SIZE - defaultValue: "1073741824" - type: int64 - description: Max size in bytes of the zip archive the archiver can create. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -FRONTEND_AUTO_ACCEPT_SHARES: - name: FRONTEND_AUTO_ACCEPT_SHARES - defaultValue: "true" - type: bool - description: Defines if shares should be auto accepted by default. Users can change - this setting individually in their profile. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -FRONTEND_CHECKSUMS_PREFERRED_UPLOAD_TYPE: - name: FRONTEND_CHECKSUMS_PREFERRED_UPLOAD_TYPE - defaultValue: sha1 - type: string - description: The supported checksum type for uploads that indicates to clients supporting - multiple hash algorithms which one is preferred by the server. Must be one out - of the defined list of SUPPORTED_TYPES. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -FRONTEND_CHECKSUMS_SUPPORTED_TYPES: - name: FRONTEND_CHECKSUMS_SUPPORTED_TYPES - defaultValue: '[sha1 md5 adler32]' - type: '[]string' - description: A list of checksum types that indicate to clients which hashes the - server can use to verify upload integrity. 
Supported types are 'sha1', 'md5' and - 'adler32'. See the Environment Variable Types description for more details. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -FRONTEND_CONFIGURABLE_NOTIFICATIONS: - name: FRONTEND_CONFIGURABLE_NOTIFICATIONS - defaultValue: "false" - type: bool - description: Allow configuring notifications via web client. - introductionVersion: "7.1" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -FRONTEND_CORS_ALLOW_CREDENTIALS: - name: OC_CORS_ALLOW_CREDENTIALS;FRONTEND_CORS_ALLOW_CREDENTIALS - defaultValue: "false" - type: bool - description: 'Allow credentials for CORS.See following chapter for more details: - *Access-Control-Allow-Credentials* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -FRONTEND_CORS_ALLOW_HEADERS: - name: OC_CORS_ALLOW_HEADERS;FRONTEND_CORS_ALLOW_HEADERS - defaultValue: '[Origin Accept Content-Type Depth Authorization Ocs-Apirequest If-None-Match - If-Match Destination Overwrite X-Request-Id X-Requested-With Tus-Resumable Tus-Checksum-Algorithm - Upload-Concat Upload-Length Upload-Metadata Upload-Defer-Length Upload-Expires - Upload-Checksum Upload-Offset X-HTTP-Method-Override Cache-Control]' - type: '[]string' - description: 'A list of allowed CORS headers. See following chapter for more details: - *Access-Control-Request-Headers* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. - See the Environment Variable Types description for more details.' 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -FRONTEND_CORS_ALLOW_METHODS: - name: OC_CORS_ALLOW_METHODS;FRONTEND_CORS_ALLOW_METHODS - defaultValue: '[OPTIONS HEAD GET PUT POST PATCH DELETE MKCOL PROPFIND PROPPATCH - MOVE COPY REPORT SEARCH]' - type: '[]string' - description: 'A list of allowed CORS methods. See following chapter for more details: - *Access-Control-Request-Method* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. - See the Environment Variable Types description for more details.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -FRONTEND_CORS_ALLOW_ORIGINS: - name: OC_CORS_ALLOW_ORIGINS;FRONTEND_CORS_ALLOW_ORIGINS - defaultValue: '[https://localhost:9200]' - type: '[]string' - description: 'A list of allowed CORS origins. See following chapter for more details: - *Access-Control-Allow-Origin* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. - See the Environment Variable Types description for more details.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -FRONTEND_DATA_GATEWAY_PREFIX: - name: FRONTEND_DATA_GATEWAY_PREFIX - defaultValue: data - type: string - description: Path prefix for the data gateway. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -FRONTEND_DEBUG_ADDR: - name: FRONTEND_DEBUG_ADDR - defaultValue: 127.0.0.1:9141 - type: string - description: Bind address of the debug server, where metrics, health, config and - debug endpoints will be exposed. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -FRONTEND_DEBUG_PPROF: - name: FRONTEND_DEBUG_PPROF - defaultValue: "false" - type: bool - description: Enables pprof, which can be used for profiling. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -FRONTEND_DEBUG_TOKEN: - name: FRONTEND_DEBUG_TOKEN - defaultValue: "" - type: string - description: Token to secure the metrics endpoint. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -FRONTEND_DEBUG_ZPAGES: - name: FRONTEND_DEBUG_ZPAGES - defaultValue: "false" - type: bool - description: Enables zpages, which can be used for collecting and viewing in-memory - traces. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -FRONTEND_DEFAULT_LINK_PERMISSIONS: - name: FRONTEND_DEFAULT_LINK_PERMISSIONS - defaultValue: "1" - type: int - description: Defines the default permissions a link is being created with. Possible - values are 0 (= internal link, for instance members only) and 1 (= public link - with viewer permissions). Defaults to 1. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -FRONTEND_DEFAULT_UPLOAD_PROTOCOL: - name: FRONTEND_DEFAULT_UPLOAD_PROTOCOL - defaultValue: tus - type: string - description: The default upload protocol to use in clients. Currently only 'tus' - is available. See the developer API documentation for more details about TUS. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -FRONTEND_DISABLE_SSE: - name: OC_DISABLE_SSE;FRONTEND_DISABLE_SSE - defaultValue: "false" - type: bool - description: When set to true, clients are informed that the Server-Sent Events - endpoint is not accessible. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -FRONTEND_EDITION: - name: OC_EDITION;FRONTEND_EDITION - defaultValue: Community - type: string - description: Edition of oCIS. Used for branding purposes. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -FRONTEND_ENABLE_FAVORITES: - name: FRONTEND_ENABLE_FAVORITES - defaultValue: "false" - type: bool - description: Enables the support for favorites in the clients. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -FRONTEND_ENABLE_FEDERATED_SHARING_INCOMING: - name: OC_ENABLE_OCM;FRONTEND_ENABLE_FEDERATED_SHARING_INCOMING - defaultValue: "false" - type: bool - description: Changing this value is NOT supported. Enables support for incoming - federated sharing for clients. The backend behaviour is not changed. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -FRONTEND_ENABLE_FEDERATED_SHARING_OUTGOING: - name: OC_ENABLE_OCM;FRONTEND_ENABLE_FEDERATED_SHARING_OUTGOING - defaultValue: "false" - type: bool - description: Changing this value is NOT supported. Enables support for outgoing - federated sharing for clients. The backend behaviour is not changed. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -FRONTEND_EVENTS_AUTH_PASSWORD: - name: OC_EVENTS_AUTH_PASSWORD;FRONTEND_EVENTS_AUTH_PASSWORD - defaultValue: "" - type: string - description: The password to authenticate with the events broker. The events broker - is the OpenCloud service which receives and delivers events between the services. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -FRONTEND_EVENTS_AUTH_USERNAME: - name: OC_EVENTS_AUTH_USERNAME;FRONTEND_EVENTS_AUTH_USERNAME - defaultValue: "" - type: string - description: The username to authenticate with the events broker. The events broker - is the OpenCloud service which receives and delivers events between the services. 
- introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -FRONTEND_EVENTS_CLUSTER: - name: OC_EVENTS_CLUSTER;FRONTEND_EVENTS_CLUSTER - defaultValue: opencloud-cluster - type: string - description: The clusterID of the event system. The event system is the message - queuing service. It is used as message broker for the microservice architecture. - Mandatory when using NATS as event system. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -FRONTEND_EVENTS_ENABLE_TLS: - name: OC_EVENTS_ENABLE_TLS;FRONTEND_EVENTS_ENABLE_TLS - defaultValue: "false" - type: bool - description: Enable TLS for the connection to the events broker. The events broker - is the OpenCloud service which receives and delivers events between the services. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -FRONTEND_EVENTS_ENDPOINT: - name: OC_EVENTS_ENDPOINT;FRONTEND_EVENTS_ENDPOINT - defaultValue: 127.0.0.1:9233 - type: string - description: The address of the event system. The event system is the message queuing - service. It is used as message broker for the microservice architecture. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -FRONTEND_EVENTS_TLS_INSECURE: - name: OC_INSECURE;FRONTEND_EVENTS_TLS_INSECURE - defaultValue: "false" - type: bool - description: Whether to verify the server TLS certificates. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -FRONTEND_EVENTS_TLS_ROOT_CA_CERTIFICATE: - name: FRONTEND_EVENTS_TLS_ROOT_CA_CERTIFICATE;OCS_EVENTS_TLS_ROOT_CA_CERTIFICATE - defaultValue: "" - type: string - description: The root CA certificate used to validate the server's TLS certificate. - If provided NOTIFICATIONS_EVENTS_TLS_INSECURE will be seen as false. 
- introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -FRONTEND_FULL_TEXT_SEARCH_ENABLED: - name: FRONTEND_FULL_TEXT_SEARCH_ENABLED - defaultValue: "false" - type: bool - description: Set to true to signal the web client that full-text search is enabled. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -FRONTEND_HTTP_ADDR: - name: FRONTEND_HTTP_ADDR - defaultValue: 127.0.0.1:9140 - type: string - description: The bind address of the HTTP service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -FRONTEND_HTTP_PREFIX: - name: FRONTEND_HTTP_PREFIX - defaultValue: "" - type: string - description: The Path prefix where the frontend can be accessed (defaults to /). - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -FRONTEND_HTTP_PROTOCOL: - name: FRONTEND_HTTP_PROTOCOL - defaultValue: tcp - type: string - description: The transport protocol of the HTTP service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -FRONTEND_JWT_SECRET: - name: OC_JWT_SECRET;FRONTEND_JWT_SECRET - defaultValue: "" - type: string - description: The secret to mint and validate jwt tokens. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -FRONTEND_LDAP_SERVER_WRITE_ENABLED: - name: OC_LDAP_SERVER_WRITE_ENABLED;FRONTEND_LDAP_SERVER_WRITE_ENABLED - defaultValue: "true" - type: bool - description: Allow creating, modifying and deleting LDAP users via the GRAPH API. - This can only be set to 'true' when keeping default settings for the LDAP user - and group attribute types (the 'OC_LDAP_USER_SCHEMA_* and 'OC_LDAP_GROUP_SCHEMA_* - variables). 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -FRONTEND_LOG_COLOR: - name: OC_LOG_COLOR;FRONTEND_LOG_COLOR - defaultValue: "false" - type: bool - description: Activates colorized log output. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -FRONTEND_LOG_FILE: - name: OC_LOG_FILE;FRONTEND_LOG_FILE - defaultValue: "" - type: string - description: The path to the log file. Activates logging to this file if set. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -FRONTEND_LOG_LEVEL: - name: OC_LOG_LEVEL;FRONTEND_LOG_LEVEL - defaultValue: "" - type: string - description: 'The log level. Valid values are: ''panic'', ''fatal'', ''error'', - ''warn'', ''info'', ''debug'', ''trace''.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -FRONTEND_LOG_PRETTY: - name: OC_LOG_PRETTY;FRONTEND_LOG_PRETTY - defaultValue: "false" - type: bool - description: Activates pretty log output. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -FRONTEND_MACHINE_AUTH_API_KEY: - name: OC_MACHINE_AUTH_API_KEY;FRONTEND_MACHINE_AUTH_API_KEY - defaultValue: "" - type: string - description: The machine auth API key used to validate internal requests necessary - to access resources from other services. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -FRONTEND_MAX_CONCURRENCY: - name: OC_MAX_CONCURRENCY;FRONTEND_MAX_CONCURRENCY - defaultValue: "1" - type: int - description: Maximum number of concurrent go-routines. Higher values can potentially - get work done faster but will also cause more load on the system. Values of 0 - or below will be ignored and the default value will be used. 
- introductionVersion: 7.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -FRONTEND_MAX_QUOTA: - name: OC_SPACES_MAX_QUOTA;FRONTEND_MAX_QUOTA - defaultValue: "0" - type: uint64 - description: Set the global max quota value in bytes. A value of 0 equals unlimited. - The value is provided via capabilities. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -FRONTEND_OCS_ADDITIONAL_INFO_ATTRIBUTE: - name: FRONTEND_OCS_ADDITIONAL_INFO_ATTRIBUTE - defaultValue: '{{.Mail}}' - type: string - description: Additional information attribute for the user like {{.Mail}}. - introductionVersion: pre5.0 - deprecationVersion: 7.0.0 - removalVersion: '%%NEXT_PRODUCTION_VERSION%%' - deprecationInfo: The OCS API is deprecated -FRONTEND_OCS_ENABLE_DENIALS: - name: FRONTEND_OCS_ENABLE_DENIALS - defaultValue: "false" - type: bool - description: 'EXPERIMENTAL: enable the feature to deny access on folders.' - introductionVersion: pre5.0 - deprecationVersion: 7.0.0 - removalVersion: '%%NEXT_PRODUCTION_VERSION%%' - deprecationInfo: The OCS API is deprecated -FRONTEND_OCS_INCLUDE_OCM_SHAREES: - name: OC_ENABLE_OCM;FRONTEND_OCS_INCLUDE_OCM_SHAREES - defaultValue: "false" - type: bool - description: Include OCM sharees when listing sharees. - introductionVersion: "5.0" - deprecationVersion: 7.0.0 - removalVersion: '%%NEXT_PRODUCTION_VERSION%%' - deprecationInfo: FRONTEND_OCS_INCLUDE_OCM_SHAREES, the OCS API is deprecated -FRONTEND_OCS_LIST_OCM_SHARES: - name: OC_ENABLE_OCM;FRONTEND_OCS_LIST_OCM_SHARES - defaultValue: "true" - type: bool - description: Include OCM shares when listing shares. See the OCM service documentation - for more details. 
- introductionVersion: "5.0" - deprecationVersion: 7.0.0 - removalVersion: '%%NEXT_PRODUCTION_VERSION%%' - deprecationInfo: FRONTEND_OCS_LIST_OCM_SHARES, the OCS API is deprecated -FRONTEND_OCS_PERSONAL_NAMESPACE: - name: FRONTEND_OCS_PERSONAL_NAMESPACE - defaultValue: /users/{{.Id.OpaqueId}} - type: string - description: Home namespace identifier. - introductionVersion: pre5.0 - deprecationVersion: 7.0.0 - removalVersion: '%%NEXT_PRODUCTION_VERSION%%' - deprecationInfo: The OCS API is deprecated -FRONTEND_OCS_PREFIX: - name: FRONTEND_OCS_PREFIX - defaultValue: ocs - type: string - description: URL path prefix for the OCS service. Note that the string must not - start with '/'. - introductionVersion: pre5.0 - deprecationVersion: 7.0.0 - removalVersion: '%%NEXT_PRODUCTION_VERSION%%' - deprecationInfo: The OCS API is deprecated -FRONTEND_OCS_PUBLIC_SHARE_MUST_HAVE_PASSWORD: - name: OC_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD;FRONTEND_OCS_PUBLIC_SHARE_MUST_HAVE_PASSWORD - defaultValue: "true" - type: bool - description: Set this to true if you want to enforce passwords on all public shares. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: FRONTEND_OCS_PUBLIC_SHARE_MUST_HAVE_PASSWORD, the OCS API is deprecated - | | FRONTEND_OCS_PUBLIC_SHARE_MUST_HAVE_PASSWORD, the OCS API is deprecated | - FRONTEND_OCS_PUBLIC_SHARE_MUST_HAVE_PASSWORD, the OCS API is deprecated | FRONTEND_OCS_PUBLIC_SHARE_MUST_HAVE_PASSWORD, - the OCS API is deprecated | FRONTEND_OCS_PUBLIC_SHARE_MUST_HAVE_PASSWORD, the - OCS API is deprecated -FRONTEND_OCS_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD: - name: OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD;FRONTEND_OCS_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD - defaultValue: "false" - type: bool - description: Set this to true if you want to enforce passwords for writable shares. - Only effective if the setting for 'passwords on all public shares' is set to false. 
- introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: FRONTEND_OCS_PUBLIC_WRITABLE_SHARE_MUST_HAVE_PASSWORD, the OCS - API is deprecated | | FRONTEND_OCS_PUBLIC_WRITABLE_SHARE_MUST_HAVE_PASSWORD, - the OCS API is deprecated | FRONTEND_OCS_PUBLIC_WRITABLE_SHARE_MUST_HAVE_PASSWORD, - the OCS API is deprecated | FRONTEND_OCS_PUBLIC_WRITABLE_SHARE_MUST_HAVE_PASSWORD, - the OCS API is deprecated | FRONTEND_OCS_PUBLIC_WRITABLE_SHARE_MUST_HAVE_PASSWORD, - the OCS API is deprecated -FRONTEND_OCS_SHARE_PREFIX: - name: FRONTEND_OCS_SHARE_PREFIX - defaultValue: /Shares - type: string - description: Path prefix for shares as part of an ocis resource. Note that the path - must start with '/'. - introductionVersion: pre5.0 - deprecationVersion: 7.0.0 - removalVersion: '%%NEXT_PRODUCTION_VERSION%%' - deprecationInfo: The OCS API is deprecated -FRONTEND_OCS_STAT_CACHE_AUTH_PASSWORD: - name: OC_CACHE_AUTH_PASSWORD;FRONTEND_OCS_STAT_CACHE_AUTH_PASSWORD - defaultValue: "" - type: string - description: The password to use for authentication. Only applies when using the - 'nats-js-kv' store type. - introductionVersion: "5.0" - deprecationVersion: 7.0.0 - removalVersion: '%%NEXT_PRODUCTION_VERSION%%' - deprecationInfo: FRONTEND_OCS_STAT_CACHE_AUTH_PASSWORD, the OCS API is deprecated -FRONTEND_OCS_STAT_CACHE_AUTH_USERNAME: - name: OC_CACHE_AUTH_USERNAME;FRONTEND_OCS_STAT_CACHE_AUTH_USERNAME - defaultValue: "" - type: string - description: The username to use for authentication. Only applies when using the - 'nats-js-kv' store type. - introductionVersion: "5.0" - deprecationVersion: 7.0.0 - removalVersion: '%%NEXT_PRODUCTION_VERSION%%' - deprecationInfo: FRONTEND_OCS_STAT_CACHE_AUTH_USERNAME, the OCS API is deprecated -FRONTEND_OCS_STAT_CACHE_DISABLE_PERSISTENCE: - name: OC_CACHE_DISABLE_PERSISTENCE;FRONTEND_OCS_STAT_CACHE_DISABLE_PERSISTENCE - defaultValue: "false" - type: bool - description: Disable persistence of the cache. 
Only applies when using the 'nats-js-kv' - store type. Defaults to false. - introductionVersion: "5.0" - deprecationVersion: 7.0.0 - removalVersion: '%%NEXT_PRODUCTION_VERSION%%' - deprecationInfo: FRONTEND_OCS_STAT_CACHE_DISABLE_PERSISTENCE, the OCS API is deprecated -FRONTEND_OCS_STAT_CACHE_STORE: - name: OC_CACHE_STORE;FRONTEND_OCS_STAT_CACHE_STORE - defaultValue: memory - type: string - description: 'The type of the cache store. Supported values are: ''memory'', ''redis-sentinel'', - ''nats-js-kv'', ''noop''. See the text description for details.' - introductionVersion: pre5.0 - deprecationVersion: 7.0.0 - removalVersion: '%%NEXT_PRODUCTION_VERSION%%' - deprecationInfo: FRONTEND_OCS_STAT_CACHE_STORE, the OCS API is deprecated -FRONTEND_OCS_STAT_CACHE_STORE_NODES: - name: OC_CACHE_STORE_NODES;FRONTEND_OCS_STAT_CACHE_STORE_NODES - defaultValue: '[127.0.0.1:9233]' - type: '[]string' - description: A list of nodes to access the configured store. This has no effect - when 'memory' store is configured. Note that the behaviour how nodes are used - is dependent on the library of the configured store. See the Environment Variable - Types description for more details. - introductionVersion: pre5.0 - deprecationVersion: 7.0.0 - removalVersion: '%%NEXT_PRODUCTION_VERSION%%' - deprecationInfo: FRONTEND_OCS_STAT_CACHE_STORE_NODES, the OCS API is deprecated -FRONTEND_OCS_STAT_CACHE_TABLE: - name: FRONTEND_OCS_STAT_CACHE_TABLE - defaultValue: "" - type: string - description: The database table the store should use. - introductionVersion: pre5.0 - deprecationVersion: 7.0.0 - removalVersion: '%%NEXT_PRODUCTION_VERSION%%' - deprecationInfo: The OCS API is deprecated -FRONTEND_OCS_STAT_CACHE_TTL: - name: OC_CACHE_TTL;FRONTEND_OCS_STAT_CACHE_TTL - defaultValue: 5m0s - type: Duration - description: Default time to live for user info in the cache. Only applied when - access tokens has no expiration. See the Environment Variable Types description - for more details. 
- introductionVersion: pre5.0 - deprecationVersion: 7.0.0 - removalVersion: '%%NEXT_PRODUCTION_VERSION%%' - deprecationInfo: FRONTEND_OCS_STAT_CACHE_TTL, the OCS API is deprecated -FRONTEND_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: - name: OC_PASSWORD_POLICY_BANNED_PASSWORDS_LIST;FRONTEND_PASSWORD_POLICY_BANNED_PASSWORDS_LIST - defaultValue: "" - type: string - description: Path to the 'banned passwords list' file. This only impacts public - link password validation. See the documentation for more details. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -FRONTEND_PASSWORD_POLICY_DISABLED: - name: OC_PASSWORD_POLICY_DISABLED;FRONTEND_PASSWORD_POLICY_DISABLED - defaultValue: "false" - type: bool - description: Disable the password policy. Defaults to false if not set. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -FRONTEND_PASSWORD_POLICY_MIN_CHARACTERS: - name: OC_PASSWORD_POLICY_MIN_CHARACTERS;FRONTEND_PASSWORD_POLICY_MIN_CHARACTERS - defaultValue: "8" - type: int - description: Define the minimum password length. Defaults to 8 if not set. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -FRONTEND_PASSWORD_POLICY_MIN_DIGITS: - name: OC_PASSWORD_POLICY_MIN_DIGITS;FRONTEND_PASSWORD_POLICY_MIN_DIGITS - defaultValue: "1" - type: int - description: Define the minimum number of digits. Defaults to 1 if not set. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -FRONTEND_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS: - name: OC_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS;FRONTEND_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS - defaultValue: "1" - type: int - description: Define the minimum number of uppercase letters. Defaults to 1 if not - set. 
- introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -FRONTEND_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS: - name: OC_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS;FRONTEND_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS - defaultValue: "1" - type: int - description: Define the minimum number of characters from the special characters - list to be present. Defaults to 1 if not set. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -FRONTEND_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS: - name: OC_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS;FRONTEND_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS - defaultValue: "1" - type: int - description: Define the minimum number of lowercase letters. Defaults to 1 if not - set. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -FRONTEND_PUBLIC_URL: - name: OC_URL;FRONTEND_PUBLIC_URL - defaultValue: https://localhost:9200 - type: string - description: The public facing URL of the oCIS frontend. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -FRONTEND_READONLY_USER_ATTRIBUTES: - name: FRONTEND_READONLY_USER_ATTRIBUTES - defaultValue: '[]' - type: '[]string' - description: 'A list of user attributes to indicate as read-only. Supported values: - ''user.onPremisesSamAccountName'' (username), ''user.displayName'', ''user.mail'', - ''user.passwordProfile'' (password), ''user.appRoleAssignments'' (role), ''user.memberOf'' - (groups), ''user.accountEnabled'' (login allowed), ''drive.quota'' (quota). See - the Environment Variable Types description for more details.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -FRONTEND_SEARCH_MIN_LENGTH: - name: FRONTEND_SEARCH_MIN_LENGTH - defaultValue: "3" - type: int - description: Minimum number of characters to enter before a client should start - a search for Share receivers. 
This setting can be used to customize the user experience - if e.g too many results are displayed. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -FRONTEND_SERVICE_ACCOUNT_ID: - name: OC_SERVICE_ACCOUNT_ID;FRONTEND_SERVICE_ACCOUNT_ID - defaultValue: "" - type: string - description: The ID of the service account the service should use. See the 'auth-service' - service description for more details. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -FRONTEND_SERVICE_ACCOUNT_SECRET: - name: OC_SERVICE_ACCOUNT_SECRET;FRONTEND_SERVICE_ACCOUNT_SECRET - defaultValue: "" - type: string - description: The service account secret. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -FRONTEND_SKIP_USER_GROUPS_IN_TOKEN: - name: FRONTEND_SKIP_USER_GROUPS_IN_TOKEN - defaultValue: "false" - type: bool - description: Disables the loading of user's group memberships from the reva access - token. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -FRONTEND_TRACING_COLLECTOR: - name: OC_TRACING_COLLECTOR;FRONTEND_TRACING_COLLECTOR - defaultValue: "" - type: string - description: The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. - Only used if the tracing endpoint is unset. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -FRONTEND_TRACING_ENABLED: - name: OC_TRACING_ENABLED;FRONTEND_TRACING_ENABLED - defaultValue: "false" - type: bool - description: Activates tracing. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -FRONTEND_TRACING_ENDPOINT: - name: OC_TRACING_ENDPOINT;FRONTEND_TRACING_ENDPOINT - defaultValue: "" - type: string - description: The endpoint of the tracing agent. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -FRONTEND_TRACING_TYPE: - name: OC_TRACING_TYPE;FRONTEND_TRACING_TYPE - defaultValue: "" - type: string - description: The type of tracing. Defaults to '', which is the same as 'jaeger'. - Allowed tracing types are 'jaeger' and '' as of now. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -FRONTEND_UPLOAD_HTTP_METHOD_OVERRIDE: - name: FRONTEND_UPLOAD_HTTP_METHOD_OVERRIDE - defaultValue: "" - type: string - description: Advise TUS to replace PATCH requests by POST requests. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -FRONTEND_UPLOAD_MAX_CHUNK_SIZE: - name: FRONTEND_UPLOAD_MAX_CHUNK_SIZE - defaultValue: "10000000" - type: int - description: Sets the max chunk sizes in bytes for uploads via the clients. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GATEWAY_APP_REGISTRY_ENDPOINT: - name: GATEWAY_APP_REGISTRY_ENDPOINT - defaultValue: eu.opencloud.api.app-registry - type: string - description: The endpoint of the app-registry service. Can take a service name or - a gRPC URI with the dns, kubernetes or unix protocol. - introductionVersion: 7.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GATEWAY_AUTH_APP_ENDPOINT: - name: GATEWAY_AUTH_APP_ENDPOINT - defaultValue: eu.opencloud.api.auth-app - type: string - description: The endpoint of the auth-app service. Can take a service name or a - gRPC URI with the dns, kubernetes or unix protocol. - introductionVersion: 7.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GATEWAY_AUTH_BASIC_ENDPOINT: - name: GATEWAY_AUTH_BASIC_ENDPOINT - defaultValue: eu.opencloud.api.auth-basic - type: string - description: The endpoint of the auth-basic service. Can take a service name or - a gRPC URI with the dns, kubernetes or unix protocol. 
- introductionVersion: 7.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GATEWAY_AUTH_BEARER_ENDPOINT: - name: GATEWAY_AUTH_BEARER_ENDPOINT - defaultValue: "" - type: string - description: The endpoint of the auth-bearer service. Can take a service name or - a gRPC URI with the dns, kubernetes or unix protocol. - introductionVersion: 7.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GATEWAY_AUTH_MACHINE_ENDPOINT: - name: GATEWAY_AUTH_MACHINE_ENDPOINT - defaultValue: eu.opencloud.api.auth-machine - type: string - description: The endpoint of the auth-machine service. Can take a service name or - a gRPC URI with the dns, kubernetes or unix protocol. - introductionVersion: 7.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GATEWAY_AUTH_SERVICE_ENDPOINT: - name: GATEWAY_AUTH_SERVICE_ENDPOINT - defaultValue: eu.opencloud.api.auth-service - type: string - description: The endpoint of the auth-service service. Can take a service name or - a gRPC URI with the dns, kubernetes or unix protocol. - introductionVersion: 7.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GATEWAY_COMMIT_SHARE_TO_STORAGE_GRANT: - name: GATEWAY_COMMIT_SHARE_TO_STORAGE_GRANT - defaultValue: "true" - type: bool - description: Commit shares to storage grants. This grants access to shared resources - for the share receiver directly on the storage. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GATEWAY_CREATE_HOME_CACHE_AUTH_PASSWORD: - name: OC_CACHE_AUTH_PASSWORD;GATEWAY_CREATE_HOME_CACHE_AUTH_PASSWORD - defaultValue: "" - type: string - description: The password to use for authentication. Only applies when store type - 'nats-js-kv' is configured. 
- introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GATEWAY_CREATE_HOME_CACHE_AUTH_USERNAME: - name: OC_CACHE_AUTH_USERNAME;GATEWAY_CREATE_HOME_CACHE_AUTH_USERNAME - defaultValue: "" - type: string - description: The username to use for authentication. Only applies when store type - 'nats-js-kv' is configured. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GATEWAY_CREATE_HOME_CACHE_DISABLE_PERSISTENCE: - name: OC_CACHE_DISABLE_PERSISTENCE;GATEWAY_CREATE_HOME_CACHE_DISABLE_PERSISTENCE - defaultValue: "false" - type: bool - description: Disables persistence of the create home cache. Only applies when store - type 'nats-js-kv' is configured. Defaults to false. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GATEWAY_CREATE_HOME_CACHE_STORE: - name: OC_CACHE_STORE;GATEWAY_CREATE_HOME_CACHE_STORE - defaultValue: memory - type: string - description: 'The type of the cache store. Supported values are: ''memory'', ''redis-sentinel'', - ''nats-js-kv'', ''noop''. See the text description for details.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GATEWAY_CREATE_HOME_CACHE_STORE_NODES: - name: OC_CACHE_STORE_NODES;GATEWAY_CREATE_HOME_CACHE_STORE_NODES - defaultValue: '[127.0.0.1:9233]' - type: '[]string' - description: A list of nodes to access the configured store. This has no effect - when 'memory' store is configured. Note that the behaviour how nodes are used - is dependent on the library of the configured store. See the Environment Variable - Types description for more details. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GATEWAY_CREATE_HOME_CACHE_TTL: - name: OC_CACHE_TTL;GATEWAY_CREATE_HOME_CACHE_TTL - defaultValue: 5m0s - type: Duration - description: Default time to live for user info in the cache. 
Only applied when - access tokens has no expiration. See the Environment Variable Types description - for more details. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GATEWAY_DEBUG_ADDR: - name: GATEWAY_DEBUG_ADDR - defaultValue: 127.0.0.1:9143 - type: string - description: Bind address of the debug server, where metrics, health, config and - debug endpoints will be exposed. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GATEWAY_DEBUG_PPROF: - name: GATEWAY_DEBUG_PPROF - defaultValue: "false" - type: bool - description: Enables pprof, which can be used for profiling. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GATEWAY_DEBUG_TOKEN: - name: GATEWAY_DEBUG_TOKEN - defaultValue: "" - type: string - description: Token to secure the metrics endpoint. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GATEWAY_DEBUG_ZPAGES: - name: GATEWAY_DEBUG_ZPAGES - defaultValue: "false" - type: bool - description: Enables zpages, which can be used for collecting and viewing in-memory - traces. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GATEWAY_DISABLE_HOME_CREATION_ON_LOGIN: - name: GATEWAY_DISABLE_HOME_CREATION_ON_LOGIN - defaultValue: "true" - type: bool - description: Disable creation of the home space on login. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GATEWAY_FRONTEND_PUBLIC_URL: - name: OC_URL;GATEWAY_FRONTEND_PUBLIC_URL - defaultValue: https://localhost:9200 - type: string - description: The public facing URL of the OpenCloud frontend. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GATEWAY_GROUPS_ENDPOINT: - name: GATEWAY_GROUPS_ENDPOINT - defaultValue: eu.opencloud.api.groups - type: string - description: The endpoint of the groups service. Can take a service name or a gRPC - URI with the dns, kubernetes or unix protocol. - introductionVersion: 7.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GATEWAY_GRPC_ADDR: - name: OC_GATEWAY_GRPC_ADDR;GATEWAY_GRPC_ADDR - defaultValue: 127.0.0.1:9142 - type: string - description: The bind address of the GRPC service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GATEWAY_GRPC_PROTOCOL: - name: OC_GRPC_PROTOCOL;GATEWAY_GRPC_PROTOCOL - defaultValue: tcp - type: string - description: The transport protocol of the GRPC service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GATEWAY_JWT_SECRET: - name: OC_JWT_SECRET;GATEWAY_JWT_SECRET - defaultValue: "" - type: string - description: The secret to mint and validate jwt tokens. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GATEWAY_LOG_COLOR: - name: OC_LOG_COLOR;GATEWAY_LOG_COLOR - defaultValue: "false" - type: bool - description: Activates colorized log output. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GATEWAY_LOG_FILE: - name: OC_LOG_FILE;GATEWAY_LOG_FILE - defaultValue: "" - type: string - description: The path to the log file. Activates logging to this file if set. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GATEWAY_LOG_LEVEL: - name: OC_LOG_LEVEL;GATEWAY_LOG_LEVEL - defaultValue: "" - type: string - description: 'The log level. Valid values are: ''panic'', ''fatal'', ''error'', - ''warn'', ''info'', ''debug'', ''trace''.' 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GATEWAY_LOG_PRETTY: - name: OC_LOG_PRETTY;GATEWAY_LOG_PRETTY - defaultValue: "false" - type: bool - description: Activates pretty log output. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GATEWAY_OCM_ENDPOINT: - name: GATEWAY_OCM_ENDPOINT - defaultValue: eu.opencloud.api.ocm - type: string - description: The endpoint of the ocm service. Can take a service name or a gRPC - URI with the dns, kubernetes or unix protocol. - introductionVersion: 7.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GATEWAY_PERMISSIONS_ENDPOINT: - name: GATEWAY_PERMISSIONS_ENDPOINT - defaultValue: eu.opencloud.api.settings - type: string - description: The endpoint of the permissions service. Can take a service name or - a gRPC URI with the dns, kubernetes or unix protocol. - introductionVersion: 7.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GATEWAY_PROVIDER_CACHE_AUTH_PASSWORD: - name: OC_CACHE_AUTH_PASSWORD;GATEWAY_PROVIDER_CACHE_AUTH_PASSWORD - defaultValue: "" - type: string - description: The password to use for authentication. Only applies when store type - 'nats-js-kv' is configured. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GATEWAY_PROVIDER_CACHE_AUTH_USERNAME: - name: OC_CACHE_AUTH_USERNAME;GATEWAY_PROVIDER_CACHE_AUTH_USERNAME - defaultValue: "" - type: string - description: The username to use for authentication. Only applies when store type - 'nats-js-kv' is configured. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GATEWAY_PROVIDER_CACHE_DISABLE_PERSISTENCE: - name: OC_CACHE_DISABLE_PERSISTENCE;GATEWAY_PROVIDER_CACHE_DISABLE_PERSISTENCE - defaultValue: "false" - type: bool - description: Disables persistence of the provider cache. 
Only applies when store - type 'nats-js-kv' is configured. Defaults to false. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GATEWAY_PROVIDER_CACHE_STORE: - name: OC_CACHE_STORE;GATEWAY_PROVIDER_CACHE_STORE - defaultValue: noop - type: string - description: 'The type of the cache store. Supported values are: ''memory'', ''redis-sentinel'', - ''nats-js-kv'', ''noop''. See the text description for details.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GATEWAY_PROVIDER_CACHE_STORE_NODES: - name: OC_CACHE_STORE_NODES;GATEWAY_PROVIDER_CACHE_STORE_NODES - defaultValue: '[127.0.0.1:9233]' - type: '[]string' - description: A list of nodes to access the configured store. This has no effect - when 'memory' store is configured. Note that the behaviour how nodes are used - is dependent on the library of the configured store. See the Environment Variable - Types description for more details. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GATEWAY_PROVIDER_CACHE_TTL: - name: OC_CACHE_TTL;GATEWAY_PROVIDER_CACHE_TTL - defaultValue: 5m0s - type: Duration - description: Default time to live for user info in the cache. Only applied when - access tokens has no expiration. See the Environment Variable Types description - for more details. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GATEWAY_SHARE_FOLDER_NAME: - name: GATEWAY_SHARE_FOLDER_NAME - defaultValue: Shares - type: string - description: Name of the share folder in users' home space. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GATEWAY_SHARING_ENDPOINT: - name: GATEWAY_SHARING_ENDPOINT - defaultValue: eu.opencloud.api.sharing - type: string - description: The endpoint of the shares service. 
Can take a service name or a gRPC - URI with the dns, kubernetes or unix protocol. - introductionVersion: 7.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GATEWAY_SKIP_USER_GROUPS_IN_TOKEN: - name: GATEWAY_SKIP_USER_GROUPS_IN_TOKEN - defaultValue: "false" - type: bool - description: Disables the loading of user's group memberships from the reva access - token. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GATEWAY_STORAGE_PUBLIC_LINK_ENDPOINT: - name: GATEWAY_STORAGE_PUBLIC_LINK_ENDPOINT - defaultValue: eu.opencloud.api.storage-publiclink - type: string - description: The endpoint of the storage-publiclink service. Can take a service - name or a gRPC URI with the dns, kubernetes or unix protocol. - introductionVersion: 7.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GATEWAY_STORAGE_REGISTRY_CONFIG_JSON: - name: GATEWAY_STORAGE_REGISTRY_CONFIG_JSON - defaultValue: "" - type: string - description: Additional configuration for the storage registry in json format. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GATEWAY_STORAGE_REGISTRY_DRIVER: - name: GATEWAY_STORAGE_REGISTRY_DRIVER - defaultValue: spaces - type: string - description: The driver name of the storage registry to use. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GATEWAY_STORAGE_REGISTRY_RULES: - name: GATEWAY_STORAGE_REGISTRY_RULES - defaultValue: '[]' - type: '[]string' - description: The rules for the storage registry. See the Environment Variable Types - description for more details. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GATEWAY_STORAGE_SHARES_ENDPOINT: - name: GATEWAY_STORAGE_SHARES_ENDPOINT - defaultValue: eu.opencloud.api.storage-shares - type: string - description: The endpoint of the storage-shares service. 
Can take a service name - or a gRPC URI with the dns, kubernetes or unix protocol. - introductionVersion: 7.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GATEWAY_STORAGE_USERS_ENDPOINT: - name: GATEWAY_STORAGE_USERS_ENDPOINT - defaultValue: eu.opencloud.api.storage-users - type: string - description: The endpoint of the storage-users service. Can take a service name - or a gRPC URI with the dns, kubernetes or unix protocol. - introductionVersion: 7.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GATEWAY_STORAGE_USERS_MOUNT_ID: - name: GATEWAY_STORAGE_USERS_MOUNT_ID - defaultValue: "" - type: string - description: Mount ID of this storage. Admins can set the ID for the storage in - this config option manually which is then used to reference the storage. Any reasonable - long string is possible, preferably this would be an UUIDv4 format. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GATEWAY_TRACING_COLLECTOR: - name: OC_TRACING_COLLECTOR;GATEWAY_TRACING_COLLECTOR - defaultValue: "" - type: string - description: The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. - Only used if the tracing endpoint is unset. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GATEWAY_TRACING_ENABLED: - name: OC_TRACING_ENABLED;GATEWAY_TRACING_ENABLED - defaultValue: "false" - type: bool - description: Activates tracing. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GATEWAY_TRACING_ENDPOINT: - name: OC_TRACING_ENDPOINT;GATEWAY_TRACING_ENDPOINT - defaultValue: "" - type: string - description: The endpoint of the tracing agent. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GATEWAY_TRACING_TYPE: - name: OC_TRACING_TYPE;GATEWAY_TRACING_TYPE - defaultValue: "" - type: string - description: The type of tracing. Defaults to '', which is the same as 'jaeger'. - Allowed tracing types are 'jaeger' and '' as of now. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GATEWAY_TRANSFER_EXPIRES: - name: GATEWAY_TRANSFER_EXPIRES - defaultValue: "86400" - type: int - description: Expiry for the gateway tokens. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GATEWAY_USERS_ENDPOINT: - name: GATEWAY_USERS_ENDPOINT - defaultValue: eu.opencloud.api.users - type: string - description: The endpoint of the users service. Can take a service name or a gRPC - URI with the dns, kubernetes or unix protocol. - introductionVersion: 7.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_APPLICATION_DISPLAYNAME: - name: GRAPH_APPLICATION_DISPLAYNAME - defaultValue: ownCloud Infinite Scale - type: string - description: The ocis application name. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_APPLICATION_ID: - name: GRAPH_APPLICATION_ID - defaultValue: "" - type: string - description: The ocis application ID shown in the graph. All app roles are tied - to this ID. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_ASSIGN_DEFAULT_USER_ROLE: - name: GRAPH_ASSIGN_DEFAULT_USER_ROLE - defaultValue: "true" - type: bool - description: Whether to assign newly created users the default role 'User'. Set - this to 'false' if you want to assign roles manually, or if the role assignment - should happen at first login. Set this to 'true' (the default) to assign the role - 'User' when creating a new user. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_AVAILABLE_ROLES: - name: GRAPH_AVAILABLE_ROLES - defaultValue: '[b1e2218d-eef8-4d4c-b82d-0f1a1b48f3b5 a8d5fe5e-96e3-418d-825b-534dbdf22b99 - fb6c3e19-e378-47e5-b277-9732f9de6e21 58c63c02-1d89-4572-916a-870abc5a1b7d 2d00ce52-1fc2-4dbc-8b95-a73b73395f5a - 1c996275-f1c9-4e71-abdf-a42f6495e960 312c0871-5ef7-4b3a-85b6-0e4074c64049]' - type: '[]string' - description: A comma separated list of roles that are available for assignment. - introductionVersion: 7.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_CACHE_AUTH_PASSWORD: - name: OC_CACHE_AUTH_PASSWORD;GRAPH_CACHE_AUTH_PASSWORD - defaultValue: "" - type: string - description: The password to authenticate with the cache. Only applies when store - type 'nats-js-kv' is configured. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_CACHE_AUTH_USERNAME: - name: OC_CACHE_AUTH_USERNAME;GRAPH_CACHE_AUTH_USERNAME - defaultValue: "" - type: string - description: The username to authenticate with the cache. Only applies when store - type 'nats-js-kv' is configured. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_CACHE_DISABLE_PERSISTENCE: - name: OC_CACHE_DISABLE_PERSISTENCE;GRAPH_CACHE_DISABLE_PERSISTENCE - defaultValue: "false" - type: bool - description: Disables persistence of the cache. Only applies when store type 'nats-js-kv' - is configured. Defaults to false. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_CACHE_STORE: - name: OC_CACHE_STORE;GRAPH_CACHE_STORE - defaultValue: memory - type: string - description: 'The type of the cache store. Supported values are: ''memory'', ''redis-sentinel'', - ''nats-js-kv'', ''noop''. See the text description for details.' 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_CACHE_STORE_DATABASE: - name: GRAPH_CACHE_STORE_DATABASE - defaultValue: cache-roles - type: string - description: The database name the configured store should use. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_CACHE_STORE_NODES: - name: OC_CACHE_STORE_NODES;GRAPH_CACHE_STORE_NODES - defaultValue: '[127.0.0.1:9233]' - type: '[]string' - description: A list of nodes to access the configured store. This has no effect - when 'memory' store are configured. Note that the behaviour how nodes are used - is dependent on the library of the configured store. See the Environment Variable - Types description for more details. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_CACHE_STORE_TABLE: - name: GRAPH_CACHE_STORE_TABLE - defaultValue: "" - type: string - description: The database table the store should use. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_CACHE_TTL: - name: OC_CACHE_TTL;GRAPH_CACHE_TTL - defaultValue: 336h0m0s - type: Duration - description: Time to live for cache records in the graph. Defaults to '336h' (2 - weeks). See the Environment Variable Types description for more details. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_CORS_ALLOW_CREDENTIALS: - name: OC_CORS_ALLOW_CREDENTIALS;GRAPH_CORS_ALLOW_CREDENTIALS - defaultValue: "true" - type: bool - description: 'Allow credentials for CORS.See following chapter for more details: - *Access-Control-Allow-Credentials* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.' 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_CORS_ALLOW_HEADERS: - name: OC_CORS_ALLOW_HEADERS;GRAPH_CORS_ALLOW_HEADERS - defaultValue: '[Authorization Origin Content-Type Accept X-Requested-With X-Request-Id - Purge Restore]' - type: '[]string' - description: 'A list of allowed CORS headers. See following chapter for more details: - *Access-Control-Request-Headers* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. - See the Environment Variable Types description for more details.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_CORS_ALLOW_METHODS: - name: OC_CORS_ALLOW_METHODS;GRAPH_CORS_ALLOW_METHODS - defaultValue: '[GET POST PUT PATCH DELETE OPTIONS]' - type: '[]string' - description: 'A list of allowed CORS methods. See following chapter for more details: - *Access-Control-Request-Method* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. - See the Environment Variable Types description for more details.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_CORS_ALLOW_ORIGINS: - name: OC_CORS_ALLOW_ORIGINS;GRAPH_CORS_ALLOW_ORIGINS - defaultValue: '[*]' - type: '[]string' - description: 'A list of allowed CORS origins. See following chapter for more details: - *Access-Control-Allow-Origin* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. - See the Environment Variable Types description for more details.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_DEBUG_ADDR: - name: GRAPH_DEBUG_ADDR - defaultValue: 127.0.0.1:9124 - type: string - description: Bind address of the debug server, where metrics, health, config and - debug endpoints will be exposed. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_DEBUG_PPROF: - name: GRAPH_DEBUG_PPROF - defaultValue: "false" - type: bool - description: Enables pprof, which can be used for profiling. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_DEBUG_TOKEN: - name: GRAPH_DEBUG_TOKEN - defaultValue: "" - type: string - description: Token to secure the metrics endpoint. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_DEBUG_ZPAGES: - name: GRAPH_DEBUG_ZPAGES - defaultValue: "false" - type: bool - description: Enables zpages, which can be used for collecting and viewing in-memory - traces. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_DISABLE_USER_MECHANISM: - name: OC_LDAP_DISABLE_USER_MECHANISM;GRAPH_DISABLE_USER_MECHANISM - defaultValue: attribute - type: string - description: An option to control the behavior for disabling users. Supported options - are 'none', 'attribute' and 'group'. If set to 'group', disabling a user via API - will add the user to the configured group for disabled users, if set to 'attribute' - this will be done in the ldap user entry, if set to 'none' the disable request - is not processed. Default is 'attribute'. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_DISABLED_USERS_GROUP_DN: - name: OC_LDAP_DISABLED_USERS_GROUP_DN;GRAPH_DISABLED_USERS_GROUP_DN - defaultValue: cn=DisabledUsersGroup,ou=groups,o=libregraph-idm - type: string - description: The distinguished name of the group to which added users will be classified - as disabled when 'disable_user_mechanism' is set to 'group'. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_EVENTS_AUTH_PASSWORD: - name: OC_EVENTS_AUTH_PASSWORD;GRAPH_EVENTS_AUTH_PASSWORD - defaultValue: "" - type: string - description: The password to authenticate with the events broker. The events broker - is the OpenCloud service which receives and delivers events between the services. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_EVENTS_AUTH_USERNAME: - name: OC_EVENTS_AUTH_USERNAME;GRAPH_EVENTS_AUTH_USERNAME - defaultValue: "" - type: string - description: The username to authenticate with the events broker. The events broker - is the OpenCloud service which receives and delivers events between the services. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_EVENTS_CLUSTER: - name: OC_EVENTS_CLUSTER;GRAPH_EVENTS_CLUSTER - defaultValue: opencloud-cluster - type: string - description: The clusterID of the event system. The event system is the message - queuing service. It is used as message broker for the microservice architecture. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_EVENTS_ENABLE_TLS: - name: OC_EVENTS_ENABLE_TLS;GRAPH_EVENTS_ENABLE_TLS - defaultValue: "false" - type: bool - description: Enable TLS for the connection to the events broker. The events broker - is the OpenCloud service which receives and delivers events between the services. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_EVENTS_ENDPOINT: - name: OC_EVENTS_ENDPOINT;GRAPH_EVENTS_ENDPOINT - defaultValue: 127.0.0.1:9233 - type: string - description: The address of the event system. The event system is the message queuing - service. It is used as message broker for the microservice architecture. Set to - a empty string to disable emitting events. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_EVENTS_TLS_INSECURE: - name: OC_INSECURE;GRAPH_EVENTS_TLS_INSECURE - defaultValue: "false" - type: bool - description: Whether to verify the server TLS certificates. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_EVENTS_TLS_ROOT_CA_CERTIFICATE: - name: OC_EVENTS_TLS_ROOT_CA_CERTIFICATE;GRAPH_EVENTS_TLS_ROOT_CA_CERTIFICATE - defaultValue: "" - type: string - description: The root CA certificate used to validate the server's TLS certificate. - If provided GRAPH_EVENTS_TLS_INSECURE will be seen as false. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_GROUP_MEMBERS_PATCH_LIMIT: - name: GRAPH_GROUP_MEMBERS_PATCH_LIMIT - defaultValue: "20" - type: int - description: The amount of group members allowed to be added with a single patch - request. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_HTTP_ADDR: - name: GRAPH_HTTP_ADDR - defaultValue: 127.0.0.1:9120 - type: string - description: The bind address of the HTTP service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_HTTP_API_TOKEN: - name: GRAPH_HTTP_API_TOKEN - defaultValue: "" - type: string - description: An optional API bearer token - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_HTTP_ROOT: - name: GRAPH_HTTP_ROOT - defaultValue: /graph - type: string - description: Subdirectory that serves as the root for this HTTP service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_IDENTITY_BACKEND: - name: GRAPH_IDENTITY_BACKEND - defaultValue: ldap - type: string - description: The user identity backend to use. Supported backend types are 'ldap' - and 'cs3'. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_IDENTITY_SEARCH_MIN_LENGTH: - name: GRAPH_IDENTITY_SEARCH_MIN_LENGTH - defaultValue: "3" - type: int - description: The minimum length the search term needs to have for unprivileged users - when searching for users or groups. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_INCLUDE_OCM_SHAREES: - name: OC_ENABLE_OCM;GRAPH_INCLUDE_OCM_SHAREES - defaultValue: "false" - type: bool - description: Include OCM sharees when listing users. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_JWT_SECRET: - name: OC_JWT_SECRET;GRAPH_JWT_SECRET - defaultValue: "" - type: string - description: The secret to mint and validate jwt tokens. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_KEYCLOAK_BASE_PATH: - name: OC_KEYCLOAK_BASE_PATH;GRAPH_KEYCLOAK_BASE_PATH - defaultValue: "" - type: string - description: The URL to access keycloak. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_KEYCLOAK_CLIENT_ID: - name: OC_KEYCLOAK_CLIENT_ID;GRAPH_KEYCLOAK_CLIENT_ID - defaultValue: "" - type: string - description: The client id to authenticate with keycloak. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_KEYCLOAK_CLIENT_REALM: - name: OC_KEYCLOAK_CLIENT_REALM;GRAPH_KEYCLOAK_CLIENT_REALM - defaultValue: "" - type: string - description: The realm the client is defined in. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_KEYCLOAK_CLIENT_SECRET: - name: OC_KEYCLOAK_CLIENT_SECRET;GRAPH_KEYCLOAK_CLIENT_SECRET - defaultValue: "" - type: string - description: The client secret to use in authentication. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_KEYCLOAK_INSECURE_SKIP_VERIFY: - name: OC_KEYCLOAK_INSECURE_SKIP_VERIFY;GRAPH_KEYCLOAK_INSECURE_SKIP_VERIFY - defaultValue: "false" - type: bool - description: Disable TLS certificate validation for Keycloak connections. Do not - set this in production environments. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_KEYCLOAK_USER_REALM: - name: OC_KEYCLOAK_USER_REALM;GRAPH_KEYCLOAK_USER_REALM - defaultValue: "" - type: string - description: The realm users are defined. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_LDAP_BIND_DN: - name: OC_LDAP_BIND_DN;GRAPH_LDAP_BIND_DN - defaultValue: uid=libregraph,ou=sysusers,o=libregraph-idm - type: string - description: LDAP DN to use for simple bind authentication with the target LDAP - server. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_LDAP_BIND_PASSWORD: - name: OC_LDAP_BIND_PASSWORD;GRAPH_LDAP_BIND_PASSWORD - defaultValue: "" - type: string - description: Password to use for authenticating the 'bind_dn'. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_LDAP_CACERT: - name: OC_LDAP_CACERT;GRAPH_LDAP_CACERT - defaultValue: /var/lib/opencloud/idm/ldap.crt - type: string - description: Path/File name for the root CA certificate (in PEM format) used to - validate TLS server certificates of the LDAP service. If not defined, the root - directory derives from $OC_BASE_DATA_PATH/idm. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_LDAP_EDUCATION_RESOURCES_ENABLED: - name: GRAPH_LDAP_EDUCATION_RESOURCES_ENABLED - defaultValue: "false" - type: bool - description: Enable LDAP support for managing education related resources. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_LDAP_GROUP_BASE_DN: - name: OC_LDAP_GROUP_BASE_DN;GRAPH_LDAP_GROUP_BASE_DN - defaultValue: ou=groups,o=libregraph-idm - type: string - description: Search base DN for looking up LDAP groups. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_LDAP_GROUP_CREATE_BASE_DN: - name: GRAPH_LDAP_GROUP_CREATE_BASE_DN - defaultValue: ou=groups,o=libregraph-idm - type: string - description: Parent DN under which new groups are created. This DN needs to be subordinate - to the 'GRAPH_LDAP_GROUP_BASE_DN'. This setting is only relevant when 'GRAPH_LDAP_SERVER_WRITE_ENABLED' - is 'true'. It defaults to the value of 'GRAPH_LDAP_GROUP_BASE_DN'. All groups - outside of this subtree are treated as readonly groups and cannot be updated. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_LDAP_GROUP_FILTER: - name: OC_LDAP_GROUP_FILTER;GRAPH_LDAP_GROUP_FILTER - defaultValue: "" - type: string - description: LDAP filter to add to the default filters for group searches. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_LDAP_GROUP_ID_ATTRIBUTE: - name: OC_LDAP_GROUP_SCHEMA_ID;GRAPH_LDAP_GROUP_ID_ATTRIBUTE - defaultValue: owncloudUUID - type: string - description: LDAP Attribute to use as the unique id for groups. This should be a - stable globally unique ID like a UUID. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_LDAP_GROUP_MEMBER_ATTRIBUTE: - name: OC_LDAP_GROUP_SCHEMA_MEMBER;GRAPH_LDAP_GROUP_MEMBER_ATTRIBUTE - defaultValue: member - type: string - description: LDAP Attribute that is used for group members. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_LDAP_GROUP_NAME_ATTRIBUTE: - name: OC_LDAP_GROUP_SCHEMA_GROUPNAME;GRAPH_LDAP_GROUP_NAME_ATTRIBUTE - defaultValue: cn - type: string - description: LDAP Attribute to use for the name of groups. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_LDAP_GROUP_OBJECTCLASS: - name: OC_LDAP_GROUP_OBJECTCLASS;GRAPH_LDAP_GROUP_OBJECTCLASS - defaultValue: groupOfNames - type: string - description: The object class to use for groups in the default group search filter - ('groupOfNames'). - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING: - name: OC_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING;GRAPH_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING - defaultValue: "false" - type: bool - description: Set this to true if the defined 'ID' attribute for groups is of the - 'OCTETSTRING' syntax. This is required when using the 'objectGUID' attribute of - Active Directory for the group ID's. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_LDAP_GROUP_SEARCH_SCOPE: - name: OC_LDAP_GROUP_SCOPE;GRAPH_LDAP_GROUP_SEARCH_SCOPE - defaultValue: sub - type: string - description: LDAP search scope to use when looking up groups. Supported scopes are - 'base', 'one' and 'sub'. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_LDAP_INSECURE: - name: OC_LDAP_INSECURE;GRAPH_LDAP_INSECURE - defaultValue: "false" - type: bool - description: Disable TLS certificate validation for the LDAP connections. Do not - set this in production environments. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_LDAP_REFINT_ENABLED: - name: GRAPH_LDAP_REFINT_ENABLED - defaultValue: "false" - type: bool - description: Signals that the server has the refint plugin enabled, which makes - some actions not needed. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_LDAP_SCHOOL_BASE_DN: - name: GRAPH_LDAP_SCHOOL_BASE_DN - defaultValue: "" - type: string - description: Search base DN for looking up LDAP schools. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_LDAP_SCHOOL_FILTER: - name: GRAPH_LDAP_SCHOOL_FILTER - defaultValue: "" - type: string - description: LDAP filter to add to the default filters for school searches. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_LDAP_SCHOOL_ID_ATTRIBUTE: - name: GRAPH_LDAP_SCHOOL_ID_ATTRIBUTE - defaultValue: "" - type: string - description: LDAP Attribute to use as the unique id for schools. This should be - a stable globally unique ID like a UUID. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_LDAP_SCHOOL_NAME_ATTRIBUTE: - name: GRAPH_LDAP_SCHOOL_NAME_ATTRIBUTE - defaultValue: "" - type: string - description: LDAP Attribute to use for the name of a school. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_LDAP_SCHOOL_NUMBER_ATTRIBUTE: - name: GRAPH_LDAP_SCHOOL_NUMBER_ATTRIBUTE - defaultValue: "" - type: string - description: LDAP Attribute to use for the number of a school. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_LDAP_SCHOOL_OBJECTCLASS: - name: GRAPH_LDAP_SCHOOL_OBJECTCLASS - defaultValue: "" - type: string - description: The object class to use for schools in the default school search filter. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_LDAP_SCHOOL_SEARCH_SCOPE: - name: GRAPH_LDAP_SCHOOL_SEARCH_SCOPE - defaultValue: "" - type: string - description: LDAP search scope to use when looking up schools. Supported scopes - are 'base', 'one' and 'sub'. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_LDAP_SCHOOL_TERMINATION_MIN_GRACE_DAYS: - name: GRAPH_LDAP_SCHOOL_TERMINATION_MIN_GRACE_DAYS - defaultValue: "0" - type: int - description: When setting a 'terminationDate' for a school, require the date to - be at least this number of days in the future. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_LDAP_SERVER_USE_PASSWORD_MODIFY_EXOP: - name: GRAPH_LDAP_SERVER_USE_PASSWORD_MODIFY_EXOP - defaultValue: "true" - type: bool - description: Use the 'Password Modify Extended Operation' for updating user passwords. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_LDAP_SERVER_UUID: - name: GRAPH_LDAP_SERVER_UUID - defaultValue: "false" - type: bool - description: If set to true, rely on the LDAP Server to generate a unique ID for - users and groups, like when using 'entryUUID' as the user ID attribute. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_LDAP_SERVER_WRITE_ENABLED: - name: OC_LDAP_SERVER_WRITE_ENABLED;GRAPH_LDAP_SERVER_WRITE_ENABLED - defaultValue: "true" - type: bool - description: Allow creating, modifying and deleting LDAP users via the GRAPH API. - This can only be set to 'true' when keeping default settings for the LDAP user - and group attribute types (the 'OC_LDAP_USER_SCHEMA_* and 'OC_LDAP_GROUP_SCHEMA_* - variables). 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_LDAP_URI: - name: OC_LDAP_URI;GRAPH_LDAP_URI - defaultValue: ldaps://localhost:9235 - type: string - description: URI of the LDAP Server to connect to. Supported URI schemes are 'ldaps://' - and 'ldap://' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_LDAP_USER_BASE_DN: - name: OC_LDAP_USER_BASE_DN;GRAPH_LDAP_USER_BASE_DN - defaultValue: ou=users,o=libregraph-idm - type: string - description: Search base DN for looking up LDAP users. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_LDAP_USER_DISPLAYNAME_ATTRIBUTE: - name: OC_LDAP_USER_SCHEMA_DISPLAYNAME;LDAP_USER_SCHEMA_DISPLAY_NAME;GRAPH_LDAP_USER_DISPLAYNAME_ATTRIBUTE - defaultValue: displayName - type: string - description: LDAP Attribute to use for the display name of users. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: LDAP_USER_SCHEMA_DISPLAY_NAME changing name for consistency | | | | - LDAP_USER_SCHEMA_DISPLAY_NAME changing name for consistency | LDAP_USER_SCHEMA_DISPLAY_NAME - changing name for consistency | LDAP_USER_SCHEMA_DISPLAY_NAME changing name for - consistency | LDAP_USER_SCHEMA_DISPLAY_NAME changing name for consistency -GRAPH_LDAP_USER_EMAIL_ATTRIBUTE: - name: OC_LDAP_USER_SCHEMA_MAIL;GRAPH_LDAP_USER_EMAIL_ATTRIBUTE - defaultValue: mail - type: string - description: LDAP Attribute to use for the email address of users. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_LDAP_USER_FILTER: - name: OC_LDAP_USER_FILTER;GRAPH_LDAP_USER_FILTER - defaultValue: "" - type: string - description: LDAP filter to add to the default filters for user search like '(objectclass=ownCloud)'. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_LDAP_USER_NAME_ATTRIBUTE: - name: OC_LDAP_USER_SCHEMA_USERNAME;GRAPH_LDAP_USER_NAME_ATTRIBUTE - defaultValue: uid - type: string - description: LDAP Attribute to use for username of users. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_LDAP_USER_OBJECTCLASS: - name: OC_LDAP_USER_OBJECTCLASS;GRAPH_LDAP_USER_OBJECTCLASS - defaultValue: inetOrgPerson - type: string - description: The object class to use for users in the default user search filter - ('inetOrgPerson'). - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING: - name: OC_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING;GRAPH_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING - defaultValue: "false" - type: bool - description: Set this to true if the defined 'ID' attribute for users is of the - 'OCTETSTRING' syntax. This is required when using the 'objectGUID' attribute of - Active Directory for the user ID's. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_LDAP_USER_SCOPE: - name: OC_LDAP_USER_SCOPE;GRAPH_LDAP_USER_SCOPE - defaultValue: sub - type: string - description: LDAP search scope to use when looking up users. Supported scopes are - 'base', 'one' and 'sub'. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_LDAP_USER_TYPE_ATTRIBUTE: - name: OC_LDAP_USER_SCHEMA_USER_TYPE;GRAPH_LDAP_USER_TYPE_ATTRIBUTE - defaultValue: ownCloudUserType - type: string - description: LDAP Attribute to distinguish between 'Member' and 'Guest' users. Default - is 'ownCloudUserType'. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_LDAP_USER_UID_ATTRIBUTE: - name: OC_LDAP_USER_SCHEMA_ID;GRAPH_LDAP_USER_UID_ATTRIBUTE - defaultValue: owncloudUUID - type: string - description: LDAP Attribute to use as the unique ID for users. This should be a - stable globally unique ID like a UUID. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_LOG_COLOR: - name: OC_LOG_COLOR;GRAPH_LOG_COLOR - defaultValue: "false" - type: bool - description: Activates colorized log output. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_LOG_FILE: - name: OC_LOG_FILE;GRAPH_LOG_FILE - defaultValue: "" - type: string - description: The path to the log file. Activates logging to this file if set. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_LOG_LEVEL: - name: OC_LOG_LEVEL;GRAPH_LOG_LEVEL - defaultValue: "" - type: string - description: 'The log level. Valid values are: ''panic'', ''fatal'', ''error'', - ''warn'', ''info'', ''debug'', ''trace''.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_LOG_PRETTY: - name: OC_LOG_PRETTY;GRAPH_LOG_PRETTY - defaultValue: "false" - type: bool - description: Activates pretty log output. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_MAX_CONCURRENCY: - name: OC_MAX_CONCURRENCY;GRAPH_MAX_CONCURRENCY - defaultValue: "20" - type: int - description: The maximum number of concurrent requests the service will handle. - introductionVersion: 7.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_SERVICE_ACCOUNT_ID: - name: OC_SERVICE_ACCOUNT_ID;GRAPH_SERVICE_ACCOUNT_ID - defaultValue: "" - type: string - description: The ID of the service account the service should use. 
See the 'auth-service' - service description for more details. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_SERVICE_ACCOUNT_SECRET: - name: OC_SERVICE_ACCOUNT_SECRET;GRAPH_SERVICE_ACCOUNT_SECRET - defaultValue: "" - type: string - description: The service account secret. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_SPACES_DEFAULT_QUOTA: - name: GRAPH_SPACES_DEFAULT_QUOTA - defaultValue: "1000000000" - type: string - description: The default quota in bytes. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_SPACES_EXTENDED_SPACE_PROPERTIES_CACHE_TTL: - name: GRAPH_SPACES_EXTENDED_SPACE_PROPERTIES_CACHE_TTL - defaultValue: "60000000000" - type: int - description: Max TTL in seconds for the spaces property cache. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_SPACES_GROUPS_CACHE_TTL: - name: GRAPH_SPACES_GROUPS_CACHE_TTL - defaultValue: "60000000000" - type: int - description: Max TTL in seconds for the spaces groups cache. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_SPACES_STORAGE_USERS_ADDRESS: - name: GRAPH_SPACES_STORAGE_USERS_ADDRESS - defaultValue: eu.opencloud.api.storage-users - type: string - description: The address of the storage-users service. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_SPACES_USERS_CACHE_TTL: - name: GRAPH_SPACES_USERS_CACHE_TTL - defaultValue: "60000000000" - type: int - description: Max TTL in seconds for the spaces users cache. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_SPACES_WEBDAV_BASE: - name: OC_URL;GRAPH_SPACES_WEBDAV_BASE - defaultValue: https://localhost:9200 - type: string - description: The public facing URL of WebDAV. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_SPACES_WEBDAV_PATH: - name: GRAPH_SPACES_WEBDAV_PATH - defaultValue: /dav/spaces/ - type: string - description: The WebDAV sub-path for spaces. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_TRACING_COLLECTOR: - name: OC_TRACING_COLLECTOR;GRAPH_TRACING_COLLECTOR - defaultValue: "" - type: string - description: The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. - Only used if the tracing endpoint is unset. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_TRACING_ENABLED: - name: OC_TRACING_ENABLED;GRAPH_TRACING_ENABLED - defaultValue: "false" - type: bool - description: Activates tracing. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_TRACING_ENDPOINT: - name: OC_TRACING_ENDPOINT;GRAPH_TRACING_ENDPOINT - defaultValue: "" - type: string - description: The endpoint of the tracing agent. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_TRACING_TYPE: - name: OC_TRACING_TYPE;GRAPH_TRACING_TYPE - defaultValue: "" - type: string - description: The type of tracing. Defaults to '', which is the same as 'jaeger'. - Allowed tracing types are 'jaeger' and '' as of now. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_TRANSLATION_PATH: - name: OC_TRANSLATION_PATH;GRAPH_TRANSLATION_PATH - defaultValue: "" - type: string - description: (optional) Set this to a path with custom translations to overwrite - the builtin translations. Note that file and folder naming rules apply, see the - documentation for more details. 
- introductionVersion: 7.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_USER_ENABLED_ATTRIBUTE: - name: OC_LDAP_USER_ENABLED_ATTRIBUTE;GRAPH_USER_ENABLED_ATTRIBUTE - defaultValue: ownCloudUserEnabled - type: string - description: LDAP Attribute to use as a flag telling if the user is enabled or disabled. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GRAPH_USERNAME_MATCH: - name: GRAPH_USERNAME_MATCH - defaultValue: default - type: string - description: Apply restrictions to usernames. Supported values are 'default' and - 'none'. When set to 'default', user names must not start with a number and are - restricted to ASCII characters. When set to 'none', no restrictions are applied. - The default value is 'default'. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GROUPS_DEBUG_ADDR: - name: GROUPS_DEBUG_ADDR - defaultValue: 127.0.0.1:9161 - type: string - description: Bind address of the debug server, where metrics, health, config and - debug endpoints will be exposed. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GROUPS_DEBUG_PPROF: - name: GROUPS_DEBUG_PPROF - defaultValue: "false" - type: bool - description: Enables pprof, which can be used for profiling. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GROUPS_DEBUG_TOKEN: - name: GROUPS_DEBUG_TOKEN - defaultValue: "" - type: string - description: Token to secure the metrics endpoint. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GROUPS_DEBUG_ZPAGES: - name: GROUPS_DEBUG_ZPAGES - defaultValue: "false" - type: bool - description: Enables zpages, which can be used for collecting and viewing in-memory - traces. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GROUPS_DRIVER: - name: GROUPS_DRIVER - defaultValue: ldap - type: string - description: The driver which should be used by the groups service. Supported values - are 'ldap' and 'owncloudsql'. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GROUPS_GRPC_ADDR: - name: GROUPS_GRPC_ADDR - defaultValue: 127.0.0.1:9160 - type: string - description: The bind address of the GRPC service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GROUPS_GRPC_PROTOCOL: - name: OC_GRPC_PROTOCOL;GROUPS_GRPC_PROTOCOL - defaultValue: tcp - type: string - description: The transport protocol of the GRPC service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GROUPS_IDP_URL: - name: OC_URL;OC_OIDC_ISSUER;GROUPS_IDP_URL - defaultValue: https://localhost:9200 - type: string - description: The identity provider value to set in the group IDs of the CS3 group - objects for groups returned by this group provider. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GROUPS_JWT_SECRET: - name: OC_JWT_SECRET;GROUPS_JWT_SECRET - defaultValue: "" - type: string - description: The secret to mint and validate jwt tokens. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GROUPS_LDAP_BIND_DN: - name: OC_LDAP_BIND_DN;GROUPS_LDAP_BIND_DN - defaultValue: uid=reva,ou=sysusers,o=libregraph-idm - type: string - description: LDAP DN to use for simple bind authentication with the target LDAP - server. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GROUPS_LDAP_BIND_PASSWORD: - name: OC_LDAP_BIND_PASSWORD;GROUPS_LDAP_BIND_PASSWORD - defaultValue: "" - type: string - description: Password to use for authenticating the 'bind_dn'. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GROUPS_LDAP_CACERT: - name: OC_LDAP_CACERT;GROUPS_LDAP_CACERT - defaultValue: /var/lib/opencloud/idm/ldap.crt - type: string - description: Path/File name for the root CA certificate (in PEM format) used to - validate TLS server certificates of the LDAP service. If not defined, the root - directory derives from $OC_BASE_DATA_PATH/idm. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GROUPS_LDAP_GROUP_BASE_DN: - name: OC_LDAP_GROUP_BASE_DN;GROUPS_LDAP_GROUP_BASE_DN - defaultValue: ou=groups,o=libregraph-idm - type: string - description: Search base DN for looking up LDAP groups. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GROUPS_LDAP_GROUP_FILTER: - name: OC_LDAP_GROUP_FILTER;GROUPS_LDAP_GROUP_FILTER - defaultValue: "" - type: string - description: LDAP filter to add to the default filters for group searches. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GROUPS_LDAP_GROUP_OBJECTCLASS: - name: OC_LDAP_GROUP_OBJECTCLASS;GROUPS_LDAP_GROUP_OBJECTCLASS - defaultValue: groupOfNames - type: string - description: The object class to use for groups in the default group search filter - ('groupOfNames'). 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GROUPS_LDAP_GROUP_SCHEMA_DISPLAYNAME: - name: OC_LDAP_GROUP_SCHEMA_DISPLAYNAME;GROUPS_LDAP_GROUP_SCHEMA_DISPLAYNAME - defaultValue: cn - type: string - description: LDAP Attribute to use for the displayname of groups (often the same - as groupname attribute). - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GROUPS_LDAP_GROUP_SCHEMA_GROUPNAME: - name: OC_LDAP_GROUP_SCHEMA_GROUPNAME;GROUPS_LDAP_GROUP_SCHEMA_GROUPNAME - defaultValue: cn - type: string - description: LDAP Attribute to use for the name of groups. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GROUPS_LDAP_GROUP_SCHEMA_ID: - name: OC_LDAP_GROUP_SCHEMA_ID;GROUPS_LDAP_GROUP_SCHEMA_ID - defaultValue: ownclouduuid - type: string - description: LDAP Attribute to use as the unique id for groups. This should be a - stable globally unique ID like a UUID. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GROUPS_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING: - name: OC_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING;GROUPS_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING - defaultValue: "false" - type: bool - description: Set this to true if the defined 'id' attribute for groups is of the - 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute - of Active Directory for the group ID's. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GROUPS_LDAP_GROUP_SCHEMA_MAIL: - name: OC_LDAP_GROUP_SCHEMA_MAIL;GROUPS_LDAP_GROUP_SCHEMA_MAIL - defaultValue: mail - type: string - description: LDAP Attribute to use for the email address of groups (can be empty). 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GROUPS_LDAP_GROUP_SCHEMA_MEMBER: - name: OC_LDAP_GROUP_SCHEMA_MEMBER;GROUPS_LDAP_GROUP_SCHEMA_MEMBER - defaultValue: member - type: string - description: LDAP Attribute that is used for group members. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GROUPS_LDAP_GROUP_SCOPE: - name: OC_LDAP_GROUP_SCOPE;GROUPS_LDAP_GROUP_SCOPE - defaultValue: sub - type: string - description: LDAP search scope to use when looking up groups. Supported scopes are - 'base', 'one' and 'sub'. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GROUPS_LDAP_GROUP_SUBSTRING_FILTER_TYPE: - name: LDAP_GROUP_SUBSTRING_FILTER_TYPE;GROUPS_LDAP_GROUP_SUBSTRING_FILTER_TYPE - defaultValue: any - type: string - description: Type of substring search filter to use for substring searches for groups. - Supported values are 'initial', 'final' and 'any'. The value 'initial' is used - for doing prefix only searches, 'final' for doing suffix only searches or 'any' - for doing full substring searches - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GROUPS_LDAP_INSECURE: - name: OC_LDAP_INSECURE;GROUPS_LDAP_INSECURE - defaultValue: "false" - type: bool - description: Disable TLS certificate validation for the LDAP connections. Do not - set this in production environments. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GROUPS_LDAP_URI: - name: OC_LDAP_URI;GROUPS_LDAP_URI - defaultValue: ldaps://localhost:9235 - type: string - description: URI of the LDAP Server to connect to. 
Supported URI schemes are 'ldaps://' - and 'ldap://' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GROUPS_LDAP_USER_BASE_DN: - name: OC_LDAP_USER_BASE_DN;GROUPS_LDAP_USER_BASE_DN - defaultValue: ou=users,o=libregraph-idm - type: string - description: Search base DN for looking up LDAP users. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GROUPS_LDAP_USER_FILTER: - name: OC_LDAP_USER_FILTER;GROUPS_LDAP_USER_FILTER - defaultValue: "" - type: string - description: LDAP filter to add to the default filters for user search like '(objectclass=ownCloud)'. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GROUPS_LDAP_USER_OBJECTCLASS: - name: OC_LDAP_USER_OBJECTCLASS;GROUPS_LDAP_USER_OBJECTCLASS - defaultValue: inetOrgPerson - type: string - description: The object class to use for users in the default user search filter - ('inetOrgPerson'). - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GROUPS_LDAP_USER_SCHEMA_DISPLAYNAME: - name: OC_LDAP_USER_SCHEMA_DISPLAYNAME;GROUPS_LDAP_USER_SCHEMA_DISPLAYNAME - defaultValue: displayname - type: string - description: LDAP Attribute to use for the displayname of users. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GROUPS_LDAP_USER_SCHEMA_ID: - name: OC_LDAP_USER_SCHEMA_ID;GROUPS_LDAP_USER_SCHEMA_ID - defaultValue: ownclouduuid - type: string - description: LDAP Attribute to use as the unique id for users. This should be a - stable globally unique id like a UUID. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GROUPS_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING: - name: OC_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING;GROUPS_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING - defaultValue: "false" - type: bool - description: Set this to true if the defined 'ID' attribute for users is of the - 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute - of Active Directory for the user ID's. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GROUPS_LDAP_USER_SCHEMA_MAIL: - name: OC_LDAP_USER_SCHEMA_MAIL;GROUPS_LDAP_USER_SCHEMA_MAIL - defaultValue: mail - type: string - description: LDAP Attribute to use for the email address of users. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GROUPS_LDAP_USER_SCHEMA_USERNAME: - name: OC_LDAP_USER_SCHEMA_USERNAME;GROUPS_LDAP_USER_SCHEMA_USERNAME - defaultValue: uid - type: string - description: LDAP Attribute to use for username of users. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GROUPS_LDAP_USER_SCOPE: - name: OC_LDAP_USER_SCOPE;GROUPS_LDAP_USER_SCOPE - defaultValue: sub - type: string - description: LDAP search scope to use when looking up users. Supported scopes are - 'base', 'one' and 'sub'. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GROUPS_LOG_COLOR: - name: OC_LOG_COLOR;GROUPS_LOG_COLOR - defaultValue: "false" - type: bool - description: Activates colorized log output. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GROUPS_LOG_FILE: - name: OC_LOG_FILE;GROUPS_LOG_FILE - defaultValue: "" - type: string - description: The path to the log file. Activates logging to this file if set. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GROUPS_LOG_LEVEL: - name: OC_LOG_LEVEL;GROUPS_LOG_LEVEL - defaultValue: "" - type: string - description: 'The log level. Valid values are: ''panic'', ''fatal'', ''error'', - ''warn'', ''info'', ''debug'', ''trace''.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GROUPS_LOG_PRETTY: - name: OC_LOG_PRETTY;GROUPS_LOG_PRETTY - defaultValue: "false" - type: bool - description: Activates pretty log output. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GROUPS_OWNCLOUDSQL_DB_HOST: - name: GROUPS_OWNCLOUDSQL_DB_HOST - defaultValue: mysql - type: string - description: Hostname of the database server. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GROUPS_OWNCLOUDSQL_DB_NAME: - name: GROUPS_OWNCLOUDSQL_DB_NAME - defaultValue: owncloud - type: string - description: Name of the owncloud database. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GROUPS_OWNCLOUDSQL_DB_PASSWORD: - name: GROUPS_OWNCLOUDSQL_DB_PASSWORD - defaultValue: "" - type: string - description: Password for the database user. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GROUPS_OWNCLOUDSQL_DB_PORT: - name: GROUPS_OWNCLOUDSQL_DB_PORT - defaultValue: "3306" - type: int - description: Network port to use for the database connection. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GROUPS_OWNCLOUDSQL_DB_USERNAME: - name: GROUPS_OWNCLOUDSQL_DB_USERNAME - defaultValue: owncloud - type: string - description: Database user to use for authenticating with the owncloud database. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GROUPS_OWNCLOUDSQL_ENABLE_MEDIAL_SEARCH: - name: GROUPS_OWNCLOUDSQL_ENABLE_MEDIAL_SEARCH - defaultValue: "false" - type: bool - description: Allow 'medial search' when searching for users instead of just doing - a prefix search. This allows finding 'Alice' when searching for 'lic'. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GROUPS_OWNCLOUDSQL_IDP: - name: GROUPS_OWNCLOUDSQL_IDP - defaultValue: https://localhost:9200 - type: string - description: The identity provider value to set in the userids of the CS3 user objects - for users returned by this user provider. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GROUPS_OWNCLOUDSQL_JOIN_OWNCLOUD_UUID: - name: GROUPS_OWNCLOUDSQL_JOIN_OWNCLOUD_UUID - defaultValue: "false" - type: bool - description: Join the user properties table to read user IDs. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GROUPS_OWNCLOUDSQL_JOIN_USERNAME: - name: GROUPS_OWNCLOUDSQL_JOIN_USERNAME - defaultValue: "false" - type: bool - description: Join the user properties table to read usernames. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GROUPS_OWNCLOUDSQL_NOBODY: - name: GROUPS_OWNCLOUDSQL_NOBODY - defaultValue: "90" - type: int64 - description: Fallback number if no numeric UID and GID properties are provided. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GROUPS_SKIP_USER_GROUPS_IN_TOKEN: - name: GROUPS_SKIP_USER_GROUPS_IN_TOKEN - defaultValue: "false" - type: bool - description: Disables the loading of user's group memberships from the reva access - token. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GROUPS_TRACING_COLLECTOR: - name: OC_TRACING_COLLECTOR;GROUPS_TRACING_COLLECTOR - defaultValue: "" - type: string - description: The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. - Only used if the tracing endpoint is unset. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GROUPS_TRACING_ENABLED: - name: OC_TRACING_ENABLED;GROUPS_TRACING_ENABLED - defaultValue: "false" - type: bool - description: Activates tracing. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GROUPS_TRACING_ENDPOINT: - name: OC_TRACING_ENDPOINT;GROUPS_TRACING_ENDPOINT - defaultValue: "" - type: string - description: The endpoint of the tracing agent. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -GROUPS_TRACING_TYPE: - name: OC_TRACING_TYPE;GROUPS_TRACING_TYPE - defaultValue: "" - type: string - description: The type of tracing. Defaults to '', which is the same as 'jaeger'. - Allowed tracing types are 'jaeger' and '' as of now. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDM_ADMIN_PASSWORD: - name: IDM_ADMIN_PASSWORD - defaultValue: "" - type: string - description: Password to set for the oCIS 'admin' user. Either cleartext or an argon2id - hash. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDM_ADMIN_USER_ID: - name: OC_ADMIN_USER_ID;IDM_ADMIN_USER_ID - defaultValue: "" - type: string - description: ID of the user that should receive admin privileges. Consider that - the UUID can be encoded in some LDAP deployment configurations like in .ldif files. - These need to be decoded beforehand. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDM_CREATE_DEMO_USERS: - name: SETTINGS_SETUP_DEFAULT_ASSIGNMENTS;IDM_CREATE_DEMO_USERS - defaultValue: "false" - type: bool - description: The default role assignments the demo users should be setup. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDM_DATABASE_PATH: - name: IDM_DATABASE_PATH - defaultValue: /var/lib/opencloud/idm/ocis.boltdb - type: string - description: Full path to the IDM backend database. If not defined, the root directory - derives from $OC_BASE_DATA_PATH/idm. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDM_DEBUG_ADDR: - name: IDM_DEBUG_ADDR - defaultValue: 127.0.0.1:9239 - type: string - description: Bind address of the debug server, where metrics, health, config and - debug endpoints will be exposed. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDM_DEBUG_PPROF: - name: IDM_DEBUG_PPROF - defaultValue: "false" - type: bool - description: Enables pprof, which can be used for profiling. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDM_DEBUG_TOKEN: - name: IDM_DEBUG_TOKEN - defaultValue: "" - type: string - description: Token to secure the metrics endpoint. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDM_DEBUG_ZPAGES: - name: IDM_DEBUG_ZPAGES - defaultValue: "false" - type: bool - description: Enables zpages, which can be used for collecting and viewing in-memory - traces. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDM_IDPSVC_PASSWORD: - name: IDM_IDPSVC_PASSWORD - defaultValue: "" - type: string - description: Password to set for the 'idp' service user. Either cleartext or an - argon2id hash. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDM_LDAPS_ADDR: - name: IDM_LDAPS_ADDR - defaultValue: 127.0.0.1:9235 - type: string - description: Listen address for the LDAPS listener (ip-addr:port). - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDM_LDAPS_CERT: - name: IDM_LDAPS_CERT - defaultValue: /var/lib/opencloud/idm/ldap.crt - type: string - description: File name of the TLS server certificate for the LDAPS listener. If - not defined, the root directory derives from $OC_BASE_DATA_PATH/idm. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDM_LDAPS_KEY: - name: IDM_LDAPS_KEY - defaultValue: /var/lib/opencloud/idm/ldap.key - type: string - description: File name for the TLS certificate key for the server certificate. If - not defined, the root directory derives from $OC_BASE_DATA_PATH/idm. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDM_LOG_COLOR: - name: OC_LOG_COLOR;IDM_LOG_COLOR - defaultValue: "false" - type: bool - description: Activates colorized log output. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDM_LOG_FILE: - name: OC_LOG_FILE;IDM_LOG_FILE - defaultValue: "" - type: string - description: The path to the log file. Activates logging to this file if set. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDM_LOG_LEVEL: - name: OC_LOG_LEVEL;IDM_LOG_LEVEL - defaultValue: "" - type: string - description: 'The log level. Valid values are: ''panic'', ''fatal'', ''error'', - ''warn'', ''info'', ''debug'', ''trace''.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDM_LOG_PRETTY: - name: OC_LOG_PRETTY;IDM_LOG_PRETTY - defaultValue: "false" - type: bool - description: Activates pretty log output. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDM_REVASVC_PASSWORD: - name: IDM_REVASVC_PASSWORD - defaultValue: "" - type: string - description: Password to set for the 'reva' service user. Either cleartext or an - argon2id hash. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDM_SVC_PASSWORD: - name: IDM_SVC_PASSWORD - defaultValue: "" - type: string - description: Password to set for the 'idm' service user. Either cleartext or an - argon2id hash. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDM_TRACING_COLLECTOR: - name: OC_TRACING_COLLECTOR;IDM_TRACING_COLLECTOR - defaultValue: "" - type: string - description: The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. - Only used if the tracing endpoint is unset. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDM_TRACING_ENABLED: - name: OC_TRACING_ENABLED;IDM_TRACING_ENABLED - defaultValue: "false" - type: bool - description: Activates tracing. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDM_TRACING_ENDPOINT: - name: OC_TRACING_ENDPOINT;IDM_TRACING_ENDPOINT - defaultValue: "" - type: string - description: The endpoint of the tracing agent. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDM_TRACING_TYPE: - name: OC_TRACING_TYPE;IDM_TRACING_TYPE - defaultValue: "" - type: string - description: The type of tracing. Defaults to '', which is the same as 'jaeger'. - Allowed tracing types are 'jaeger' and '' as of now. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDP_ACCESS_TOKEN_EXPIRATION: - name: IDP_ACCESS_TOKEN_EXPIRATION - defaultValue: "300" - type: uint64 - description: '''Access token lifespan in seconds (time before an access token is - expired).''' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDP_ALLOW_CLIENT_GUESTS: - name: IDP_ALLOW_CLIENT_GUESTS - defaultValue: "false" - type: bool - description: Allow guest clients to access OpenCloud. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDP_ALLOW_DYNAMIC_CLIENT_REGISTRATION: - name: IDP_ALLOW_DYNAMIC_CLIENT_REGISTRATION - defaultValue: "false" - type: bool - description: Allow dynamic client registration. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDP_ASSET_PATH: - name: IDP_ASSET_PATH - defaultValue: "" - type: string - description: Serve IDP assets from a path on the filesystem instead of the builtin - assets. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDP_DEBUG_ADDR: - name: IDP_DEBUG_ADDR - defaultValue: 127.0.0.1:9134 - type: string - description: Bind address of the debug server, where metrics, health, config and - debug endpoints will be exposed. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDP_DEBUG_PPROF: - name: IDP_DEBUG_PPROF - defaultValue: "false" - type: bool - description: Enables pprof, which can be used for profiling. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDP_DEBUG_TOKEN: - name: IDP_DEBUG_TOKEN - defaultValue: "" - type: string - description: Token to secure the metrics endpoint. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDP_DEBUG_ZPAGES: - name: IDP_DEBUG_ZPAGES - defaultValue: "false" - type: bool - description: Enables zpages, which can be used for collecting and viewing in-memory - traces. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDP_DYNAMIC_CLIENT_SECRET_DURATION: - name: IDP_DYNAMIC_CLIENT_SECRET_DURATION - defaultValue: "0" - type: uint64 - description: Lifespan in seconds of a dynamically registered OIDC client. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDP_ENCRYPTION_SECRET_FILE: - name: IDP_ENCRYPTION_SECRET_FILE - defaultValue: /var/lib/opencloud/idp/encryption.key - type: string - description: Path to the encryption secret file, if unset, a new certificate will - be autogenerated upon each restart, thus invalidating all existing sessions. If - not defined, the root directory derives from $OC_BASE_DATA_PATH/idp. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDP_ENDPOINT_URI: - name: IDP_ENDPOINT_URI - defaultValue: "" - type: string - description: URL of the IDP endpoint. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDP_HTTP_ADDR: - name: IDP_HTTP_ADDR - defaultValue: 127.0.0.1:9130 - type: string - description: The bind address of the HTTP service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDP_HTTP_ROOT: - name: IDP_HTTP_ROOT - defaultValue: / - type: string - description: Subdirectory that serves as the root for this HTTP service. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDP_ID_TOKEN_EXPIRATION: - name: IDP_ID_TOKEN_EXPIRATION - defaultValue: "300" - type: uint64 - description: ID token lifespan in seconds (time before an ID token is expired). - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDP_IDENTITY_MANAGER: - name: IDP_IDENTITY_MANAGER - defaultValue: ldap - type: string - description: The identity manager implementation to use. Supported identity managers - are 'ldap', 'cs3', 'libregraph' and 'guest'. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDP_INSECURE: - name: OC_LDAP_INSECURE;IDP_INSECURE - defaultValue: "false" - type: bool - description: Disable TLS certificate validation for the LDAP connections. Do not - set this in production environments. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDP_ISS: - name: OC_URL;OC_OIDC_ISSUER;IDP_ISS - defaultValue: https://localhost:9200 - type: string - description: The OIDC issuer URL to use. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDP_LDAP_BASE_DN: - name: OC_LDAP_USER_BASE_DN;IDP_LDAP_BASE_DN - defaultValue: ou=users,o=libregraph-idm - type: string - description: Search base DN for looking up LDAP users. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDP_LDAP_BIND_DN: - name: OC_LDAP_BIND_DN;IDP_LDAP_BIND_DN - defaultValue: uid=idp,ou=sysusers,o=libregraph-idm - type: string - description: LDAP DN to use for simple bind authentication with the target LDAP - server. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDP_LDAP_BIND_PASSWORD: - name: OC_LDAP_BIND_PASSWORD;IDP_LDAP_BIND_PASSWORD - defaultValue: "" - type: string - description: Password to use for authenticating the 'bind_dn'. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDP_LDAP_EMAIL_ATTRIBUTE: - name: OC_LDAP_USER_SCHEMA_MAIL;IDP_LDAP_EMAIL_ATTRIBUTE - defaultValue: mail - type: string - description: LDAP User email attribute like 'mail'. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDP_LDAP_FILTER: - name: OC_LDAP_USER_FILTER;IDP_LDAP_FILTER - defaultValue: "" - type: string - description: LDAP filter to add to the default filters for user search like '(objectclass=ownCloud)'. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDP_LDAP_LOGIN_ATTRIBUTE: - name: IDP_LDAP_LOGIN_ATTRIBUTE - defaultValue: uid - type: string - description: LDAP User attribute to use for login like 'uid'. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDP_LDAP_NAME_ATTRIBUTE: - name: OC_LDAP_USER_SCHEMA_USERNAME;IDP_LDAP_NAME_ATTRIBUTE - defaultValue: displayName - type: string - description: LDAP User name attribute like 'displayName'. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDP_LDAP_OBJECTCLASS: - name: OC_LDAP_USER_OBJECTCLASS;IDP_LDAP_OBJECTCLASS - defaultValue: inetOrgPerson - type: string - description: LDAP User ObjectClass like 'inetOrgPerson'. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDP_LDAP_SCOPE: - name: OC_LDAP_USER_SCOPE;IDP_LDAP_SCOPE - defaultValue: sub - type: string - description: LDAP search scope to use when looking up users. Supported scopes are - 'base', 'one' and 'sub'. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDP_LDAP_TLS_CACERT: - name: OC_LDAP_CACERT;IDP_LDAP_TLS_CACERT - defaultValue: /var/lib/opencloud/idm/ldap.crt - type: string - description: Path/File name for the root CA certificate (in PEM format) used to - validate TLS server certificates of the LDAP service. If not defined, the root - directory derives from $OC_BASE_DATA_PATH/idp. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDP_LDAP_URI: - name: OC_LDAP_URI;IDP_LDAP_URI - defaultValue: ldaps://localhost:9235 - type: string - description: Url of the LDAP service to use as IDP. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDP_LDAP_UUID_ATTRIBUTE: - name: OC_LDAP_USER_SCHEMA_ID;IDP_LDAP_UUID_ATTRIBUTE - defaultValue: ownCloudUUID - type: string - description: LDAP User UUID attribute like 'uid'. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDP_LDAP_UUID_ATTRIBUTE_TYPE: - name: IDP_LDAP_UUID_ATTRIBUTE_TYPE - defaultValue: text - type: string - description: LDAP User uuid attribute type like 'text'. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDP_LOG_COLOR: - name: OC_LOG_COLOR;IDP_LOG_COLOR - defaultValue: "false" - type: bool - description: Activates colorized log output. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDP_LOG_FILE: - name: OC_LOG_FILE;IDP_LOG_FILE - defaultValue: "" - type: string - description: The path to the log file. Activates logging to this file if set. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDP_LOG_LEVEL: - name: OC_LOG_LEVEL;IDP_LOG_LEVEL - defaultValue: "" - type: string - description: 'The log level. 
Valid values are: ''panic'', ''fatal'', ''error'', - ''warn'', ''info'', ''debug'', ''trace''.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDP_LOG_PRETTY: - name: OC_LOG_PRETTY;IDP_LOG_PRETTY - defaultValue: "false" - type: bool - description: Activates pretty log output. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDP_LOGIN_BACKGROUND_URL: - name: IDP_LOGIN_BACKGROUND_URL - defaultValue: "" - type: string - description: Configure an alternative URL to the background image for the login - page. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDP_MACHINE_AUTH_API_KEY: - name: OC_MACHINE_AUTH_API_KEY;IDP_MACHINE_AUTH_API_KEY - defaultValue: "" - type: string - description: Machine auth API key used to validate internal requests necessary for - the access to resources from other services. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDP_PASSWORD_RESET_URI: - name: IDP_PASSWORD_RESET_URI - defaultValue: "" - type: string - description: The URI where a user can reset their password. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDP_REFRESH_TOKEN_EXPIRATION: - name: IDP_REFRESH_TOKEN_EXPIRATION - defaultValue: "2592000" - type: uint64 - description: Refresh token lifespan in seconds (time before an refresh token is - expired). This also limits the duration of an idle offline session. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDP_SIGN_IN_URI: - name: IDP_SIGN_IN_URI - defaultValue: "" - type: string - description: IDP sign-in url. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDP_SIGN_OUT_URI: - name: IDP_SIGN_OUT_URI - defaultValue: "" - type: string - description: IDP sign-out url. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDP_SIGNING_KID: - name: IDP_SIGNING_KID - defaultValue: private-key - type: string - description: Value of the KID (Key ID) field which is used in created tokens to - uniquely identify the signing-private-key. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDP_SIGNING_METHOD: - name: IDP_SIGNING_METHOD - defaultValue: PS256 - type: string - description: Signing method of IDP requests like 'PS256' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDP_SIGNING_PRIVATE_KEY_FILES: - name: IDP_SIGNING_PRIVATE_KEY_FILES - defaultValue: '[/var/lib/opencloud/idp/private-key.pem]' - type: '[]string' - description: A list of private key files for signing IDP requests. If not defined, - the root directory derives from $OC_BASE_DATA_PATH/idp. See the Environment Variable - Types description for more details. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDP_TLS: - name: IDP_TLS - defaultValue: "false" - type: bool - description: Disable or Enable HTTPS for the communication between the Proxy service - and the IDP service. If set to 'true', the key and cert files need to be configured - and present. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDP_TRACING_COLLECTOR: - name: OC_TRACING_COLLECTOR;IDP_TRACING_COLLECTOR - defaultValue: "" - type: string - description: The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. - Only used if the tracing endpoint is unset. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDP_TRACING_ENABLED: - name: OC_TRACING_ENABLED;IDP_TRACING_ENABLED - defaultValue: "false" - type: bool - description: Activates tracing. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDP_TRACING_ENDPOINT: - name: OC_TRACING_ENDPOINT;IDP_TRACING_ENDPOINT - defaultValue: "" - type: string - description: The endpoint of the tracing agent. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDP_TRACING_TYPE: - name: OC_TRACING_TYPE;IDP_TRACING_TYPE - defaultValue: "" - type: string - description: The type of tracing. Defaults to '', which is the same as 'jaeger'. - Allowed tracing types are 'jaeger' and '' as of now. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDP_TRANSPORT_TLS_CERT: - name: IDP_TRANSPORT_TLS_CERT - defaultValue: /var/lib/opencloud/idp/server.crt - type: string - description: Path/File name of the TLS server certificate (in PEM format) for the - IDP service. If not defined, the root directory derives from $OC_BASE_DATA_PATH/idp. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDP_TRANSPORT_TLS_KEY: - name: IDP_TRANSPORT_TLS_KEY - defaultValue: /var/lib/opencloud/idp/server.key - type: string - description: Path/File name for the TLS certificate key (in PEM format) for the - server certificate to use for the IDP service. If not defined, the root directory - derives from $OC_BASE_DATA_PATH/idp. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDP_URI_BASE_PATH: - name: IDP_URI_BASE_PATH - defaultValue: "" - type: string - description: IDP uri base path (defaults to ''). - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDP_USER_ENABLED_ATTRIBUTE: - name: OC_LDAP_USER_ENABLED_ATTRIBUTE;IDP_USER_ENABLED_ATTRIBUTE - defaultValue: ownCloudUserEnabled - type: string - description: LDAP Attribute to use as a flag telling if the user is enabled or disabled. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -IDP_VALIDATION_KEYS_PATH: - name: IDP_VALIDATION_KEYS_PATH - defaultValue: "" - type: string - description: Path to validation keys for IDP requests. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -INVITATIONS_CORS_ALLOW_CREDENTIALS: - name: OC_CORS_ALLOW_CREDENTIALS;INVITATIONS_CORS_ALLOW_CREDENTIALS - defaultValue: "false" - type: bool - description: 'Allow credentials for CORS.See following chapter for more details: - *Access-Control-Allow-Credentials* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -INVITATIONS_CORS_ALLOW_HEADERS: - name: OC_CORS_ALLOW_HEADERS;INVITATIONS_CORS_ALLOW_HEADERS - defaultValue: '[]' - type: '[]string' - description: 'A list of allowed CORS headers. See following chapter for more details: - *Access-Control-Request-Headers* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. - See the Environment Variable Types description for more details.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -INVITATIONS_CORS_ALLOW_METHODS: - name: OC_CORS_ALLOW_METHODS;INVITATIONS_CORS_ALLOW_METHODS - defaultValue: '[]' - type: '[]string' - description: 'A list of allowed CORS methods. See following chapter for more details: - *Access-Control-Request-Method* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. - See the Environment Variable Types description for more details.' 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -INVITATIONS_CORS_ALLOW_ORIGINS: - name: OC_CORS_ALLOW_ORIGINS;INVITATIONS_CORS_ALLOW_ORIGINS - defaultValue: '[https://localhost:9200]' - type: '[]string' - description: 'A list of allowed CORS origins. See following chapter for more details: - *Access-Control-Allow-Origin* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. - See the Environment Variable Types description for more details.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -INVITATIONS_DEBUG_ADDR: - name: INVITATIONS_DEBUG_ADDR - defaultValue: 127.0.0.1:9269 - type: string - description: Bind address of the debug server, where metrics, health, config and - debug endpoints will be exposed. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -INVITATIONS_DEBUG_PPROF: - name: INVITATIONS_DEBUG_PPROF - defaultValue: "false" - type: bool - description: Enables pprof, which can be used for profiling. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -INVITATIONS_DEBUG_TOKEN: - name: INVITATIONS_DEBUG_TOKEN - defaultValue: "" - type: string - description: Token to secure the metrics endpoint. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -INVITATIONS_DEBUG_ZPAGES: - name: INVITATIONS_DEBUG_ZPAGES - defaultValue: "false" - type: bool - description: Enables zpages, which can be used for collecting and viewing in-memory - traces. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -INVITATIONS_HTTP_ADDR: - name: INVITATIONS_HTTP_ADDR - defaultValue: 127.0.0.1:9265 - type: string - description: The bind address of the HTTP service. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -INVITATIONS_HTTP_ROOT: - name: INVITATIONS_HTTP_ROOT - defaultValue: /graph/v1.0 - type: string - description: Subdirectory that serves as the root for this HTTP service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -INVITATIONS_JWT_SECRET: - name: OC_JWT_SECRET;INVITATIONS_JWT_SECRET - defaultValue: "" - type: string - description: The secret to mint and validate jwt tokens. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -INVITATIONS_KEYCLOAK_BASE_PATH: - name: OC_KEYCLOAK_BASE_PATH;INVITATIONS_KEYCLOAK_BASE_PATH - defaultValue: "" - type: string - description: The URL to access keycloak. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -INVITATIONS_KEYCLOAK_CLIENT_ID: - name: OC_KEYCLOAK_CLIENT_ID;INVITATIONS_KEYCLOAK_CLIENT_ID - defaultValue: "" - type: string - description: The client ID to authenticate with keycloak. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -INVITATIONS_KEYCLOAK_CLIENT_REALM: - name: OC_KEYCLOAK_CLIENT_REALM;INVITATIONS_KEYCLOAK_CLIENT_REALM - defaultValue: "" - type: string - description: The realm the client is defined in. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -INVITATIONS_KEYCLOAK_CLIENT_SECRET: - name: OC_KEYCLOAK_CLIENT_SECRET;INVITATIONS_KEYCLOAK_CLIENT_SECRET - defaultValue: "" - type: string - description: The client secret to use in authentication. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -INVITATIONS_KEYCLOAK_INSECURE_SKIP_VERIFY: - name: OC_KEYCLOAK_INSECURE_SKIP_VERIFY;INVITATIONS_KEYCLOAK_INSECURE_SKIP_VERIFY - defaultValue: "false" - type: bool - description: Disable TLS certificate validation for Keycloak connections. Do not - set this in production environments. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -INVITATIONS_KEYCLOAK_USER_REALM: - name: OC_KEYCLOAK_USER_REALM;INVITATIONS_KEYCLOAK_USER_REALM - defaultValue: "" - type: string - description: The realm users are defined. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -INVITATIONS_LOG_COLOR: - name: OC_LOG_COLOR;INVITATIONS_LOG_COLOR - defaultValue: "false" - type: bool - description: Activates colorized log output. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -INVITATIONS_LOG_FILE: - name: OC_LOG_FILE;INVITATIONS_LOG_FILE - defaultValue: "" - type: string - description: The path to the log file. Activates logging to this file if set. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -INVITATIONS_LOG_LEVEL: - name: OC_LOG_LEVEL;INVITATIONS_LOG_LEVEL - defaultValue: "" - type: string - description: 'The log level. Valid values are: ''panic'', ''fatal'', ''error'', - ''warn'', ''info'', ''debug'', ''trace''.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -INVITATIONS_LOG_PRETTY: - name: OC_LOG_PRETTY;INVITATIONS_LOG_PRETTY - defaultValue: "false" - type: bool - description: Activates pretty log output. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -INVITATIONS_TRACING_COLLECTOR: - name: OC_TRACING_COLLECTOR;INVITATIONS_TRACING_COLLECTOR - defaultValue: "" - type: string - description: The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. - Only used if the tracing endpoint is unset. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -INVITATIONS_TRACING_ENABLED: - name: OC_TRACING_ENABLED;INVITATIONS_TRACING_ENABLED - defaultValue: "false" - type: bool - description: Activates tracing. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -INVITATIONS_TRACING_ENDPOINT: - name: OC_TRACING_ENDPOINT;INVITATIONS_TRACING_ENDPOINT - defaultValue: "" - type: string - description: The endpoint of the tracing agent. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -INVITATIONS_TRACING_TYPE: - name: OC_TRACING_TYPE;INVITATIONS_TRACING_TYPE - defaultValue: "" - type: string - description: The type of tracing. Defaults to '', which is the same as 'jaeger'. - Allowed tracing types are 'jaeger' and '' as of now. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -LDAP_GROUP_SUBSTRING_FILTER_TYPE: - name: LDAP_GROUP_SUBSTRING_FILTER_TYPE;GROUPS_LDAP_GROUP_SUBSTRING_FILTER_TYPE - defaultValue: any - type: string - description: Type of substring search filter to use for substring searches for groups. - Supported values are 'initial', 'final' and 'any'. 
The value 'initial' is used - for doing prefix only searches, 'final' for doing suffix only searches or 'any' - for doing full substring searches - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -LDAP_LOGIN_ATTRIBUTES: - name: LDAP_LOGIN_ATTRIBUTES;AUTH_BASIC_LDAP_LOGIN_ATTRIBUTES - defaultValue: '[uid]' - type: '[]string' - description: A list of user object attributes that can be used for login. See the - Environment Variable Types description for more details. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -LDAP_USER_SCHEMA_DISPLAY_NAME: - name: OC_LDAP_USER_SCHEMA_DISPLAYNAME;LDAP_USER_SCHEMA_DISPLAY_NAME;GRAPH_LDAP_USER_DISPLAYNAME_ATTRIBUTE - defaultValue: displayName - type: string - description: LDAP Attribute to use for the display name of users. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: LDAP_USER_SCHEMA_DISPLAY_NAME changing name for consistency | | | | - LDAP_USER_SCHEMA_DISPLAY_NAME changing name for consistency | LDAP_USER_SCHEMA_DISPLAY_NAME - changing name for consistency | LDAP_USER_SCHEMA_DISPLAY_NAME changing name for - consistency | LDAP_USER_SCHEMA_DISPLAY_NAME changing name for consistency -LDAP_USER_SUBSTRING_FILTER_TYPE: - name: LDAP_USER_SUBSTRING_FILTER_TYPE;USERS_LDAP_USER_SUBSTRING_FILTER_TYPE - defaultValue: any - type: string - description: 'Type of substring search filter to use for substring searches for - users. Possible values: ''initial'' for doing prefix only searches, ''final'' - for doing suffix only searches or ''any'' for doing full substring searches' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -NATS_DEBUG_ADDR: - name: NATS_DEBUG_ADDR - defaultValue: 127.0.0.1:9234 - type: string - description: Bind address of the debug server, where metrics, health, config and - debug endpoints will be exposed. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -NATS_DEBUG_PPROF: - name: NATS_DEBUG_PPROF - defaultValue: "false" - type: bool - description: Enables pprof, which can be used for profiling. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -NATS_DEBUG_TOKEN: - name: NATS_DEBUG_TOKEN - defaultValue: "" - type: string - description: Token to secure the metrics endpoint. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -NATS_DEBUG_ZPAGES: - name: NATS_DEBUG_ZPAGES - defaultValue: "false" - type: bool - description: Enables zpages, which can be used for collecting and viewing in-memory - traces. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -NATS_EVENTS_ENABLE_TLS: - name: OC_EVENTS_ENABLE_TLS;NATS_EVENTS_ENABLE_TLS - defaultValue: "false" - type: bool - description: Enable TLS for the connection to the events broker. The events broker - is the OpenCloud service which receives and delivers events between the services. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -NATS_LOG_COLOR: - name: OC_LOG_COLOR;NATS_LOG_COLOR - defaultValue: "false" - type: bool - description: Activates colorized log output. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -NATS_LOG_FILE: - name: OC_LOG_FILE;NATS_LOG_FILE - defaultValue: "" - type: string - description: The path to the log file. Activates logging to this file if set. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -NATS_LOG_LEVEL: - name: OC_LOG_LEVEL;NATS_LOG_LEVEL - defaultValue: "" - type: string - description: 'The log level. Valid values are: ''panic'', ''fatal'', ''error'', - ''warn'', ''info'', ''debug'', ''trace''.' 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -NATS_LOG_PRETTY: - name: OC_LOG_PRETTY;NATS_LOG_PRETTY - defaultValue: "false" - type: bool - description: Activates pretty log output. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -NATS_NATS_CLUSTER_ID: - name: NATS_NATS_CLUSTER_ID - defaultValue: opencloud-cluster - type: string - description: ID of the NATS cluster. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -NATS_NATS_HOST: - name: NATS_NATS_HOST - defaultValue: 127.0.0.1 - type: string - description: Bind address. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -NATS_NATS_PORT: - name: NATS_NATS_PORT - defaultValue: "9233" - type: int - description: Bind port. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -NATS_NATS_STORE_DIR: - name: NATS_NATS_STORE_DIR - defaultValue: /var/lib/opencloud/nats - type: string - description: The directory where the filesystem storage will store NATS JetStream - data. If not defined, the root directory derives from $OC_BASE_DATA_PATH/nats. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -NATS_TLS_CERT: - name: NATS_TLS_CERT - defaultValue: /var/lib/opencloud/nats/tls.crt - type: string - description: Path/File name of the TLS server certificate (in PEM format) for the - NATS listener. If not defined, the root directory derives from $OC_BASE_DATA_PATH/nats. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -NATS_TLS_KEY: - name: NATS_TLS_KEY - defaultValue: /var/lib/opencloud/nats/tls.key - type: string - description: Path/File name for the TLS certificate key (in PEM format) for the - NATS listener. If not defined, the root directory derives from $OC_BASE_DATA_PATH/nats. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -NATS_TLS_SKIP_VERIFY_CLIENT_CERT: - name: OC_INSECURE;NATS_TLS_SKIP_VERIFY_CLIENT_CERT - defaultValue: "false" - type: bool - description: Whether the NATS server should skip the client certificate verification - during the TLS handshake. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -NATS_TRACING_COLLECTOR: - name: OC_TRACING_COLLECTOR;NATS_TRACING_COLLECTOR - defaultValue: "" - type: string - description: The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. - Only used if the tracing endpoint is unset. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -NATS_TRACING_ENABLED: - name: OC_TRACING_ENABLED;NATS_TRACING_ENABLED - defaultValue: "false" - type: bool - description: Activates tracing. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -NATS_TRACING_ENDPOINT: - name: OC_TRACING_ENDPOINT;NATS_TRACING_ENDPOINT - defaultValue: "" - type: string - description: The endpoint of the tracing agent. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -NATS_TRACING_TYPE: - name: OC_TRACING_TYPE;NATS_TRACING_TYPE - defaultValue: "" - type: string - description: The type of tracing. Defaults to '', which is the same as 'jaeger'. - Allowed tracing types are 'jaeger' and '' as of now. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -NOTIFICATIONS_DEBUG_ADDR: - name: NOTIFICATIONS_DEBUG_ADDR - defaultValue: 127.0.0.1:9174 - type: string - description: Bind address of the debug server, where metrics, health, config and - debug endpoints will be exposed. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -NOTIFICATIONS_DEBUG_PPROF: - name: NOTIFICATIONS_DEBUG_PPROF - defaultValue: "false" - type: bool - description: Enables pprof, which can be used for profiling. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -NOTIFICATIONS_DEBUG_TOKEN: - name: NOTIFICATIONS_DEBUG_TOKEN - defaultValue: "" - type: string - description: Token to secure the metrics endpoint. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -NOTIFICATIONS_DEBUG_ZPAGES: - name: NOTIFICATIONS_DEBUG_ZPAGES - defaultValue: "false" - type: bool - description: Enables zpages, which can be used for collecting and viewing in-memory - traces. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -NOTIFICATIONS_EMAIL_TEMPLATE_PATH: - name: OC_EMAIL_TEMPLATE_PATH;NOTIFICATIONS_EMAIL_TEMPLATE_PATH - defaultValue: "" - type: string - description: Path to Email notification templates overriding embedded ones. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -NOTIFICATIONS_EVENTS_AUTH_PASSWORD: - name: OC_EVENTS_AUTH_PASSWORD;NOTIFICATIONS_EVENTS_AUTH_PASSWORD - defaultValue: "" - type: string - description: The password to authenticate with the events broker. The events broker - is the OpenCloud service which receives and delivers events between the services. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -NOTIFICATIONS_EVENTS_AUTH_USERNAME: - name: OC_EVENTS_AUTH_USERNAME;NOTIFICATIONS_EVENTS_AUTH_USERNAME - defaultValue: "" - type: string - description: The username to authenticate with the events broker. The events broker - is the OpenCloud service which receives and delivers events between the services. 
- introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -NOTIFICATIONS_EVENTS_CLUSTER: - name: OC_EVENTS_CLUSTER;NOTIFICATIONS_EVENTS_CLUSTER - defaultValue: opencloud-cluster - type: string - description: The clusterID of the event system. The event system is the message - queuing service. It is used as message broker for the microservice architecture. - Mandatory when using NATS as event system. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -NOTIFICATIONS_EVENTS_ENABLE_TLS: - name: OC_EVENTS_ENABLE_TLS;NOTIFICATIONS_EVENTS_ENABLE_TLS - defaultValue: "false" - type: bool - description: Enable TLS for the connection to the events broker. The events broker - is the OpenCloud service which receives and delivers events between the services. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -NOTIFICATIONS_EVENTS_ENDPOINT: - name: OC_EVENTS_ENDPOINT;NOTIFICATIONS_EVENTS_ENDPOINT - defaultValue: 127.0.0.1:9233 - type: string - description: The address of the event system. The event system is the message queuing - service. It is used as message broker for the microservice architecture. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -NOTIFICATIONS_EVENTS_TLS_INSECURE: - name: OC_INSECURE;NOTIFICATIONS_EVENTS_TLS_INSECURE - defaultValue: "false" - type: bool - description: Whether to verify the server TLS certificates. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -NOTIFICATIONS_EVENTS_TLS_ROOT_CA_CERTIFICATE: - name: OC_EVENTS_TLS_ROOT_CA_CERTIFICATE;NOTIFICATIONS_EVENTS_TLS_ROOT_CA_CERTIFICATE - defaultValue: "" - type: string - description: The root CA certificate used to validate the server's TLS certificate. - If provided NOTIFICATIONS_EVENTS_TLS_INSECURE will be seen as false. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -NOTIFICATIONS_LOG_COLOR: - name: OC_LOG_COLOR;NOTIFICATIONS_LOG_COLOR - defaultValue: "false" - type: bool - description: Activates colorized log output. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -NOTIFICATIONS_LOG_FILE: - name: OC_LOG_FILE;NOTIFICATIONS_LOG_FILE - defaultValue: "" - type: string - description: The path to the log file. Activates logging to this file if set. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -NOTIFICATIONS_LOG_LEVEL: - name: OC_LOG_LEVEL;NOTIFICATIONS_LOG_LEVEL - defaultValue: "" - type: string - description: 'The log level. Valid values are: ''panic'', ''fatal'', ''error'', - ''warn'', ''info'', ''debug'', ''trace''.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -NOTIFICATIONS_LOG_PRETTY: - name: OC_LOG_PRETTY;NOTIFICATIONS_LOG_PRETTY - defaultValue: "false" - type: bool - description: Activates pretty log output. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -NOTIFICATIONS_SERVICE_ACCOUNT_ID: - name: OC_SERVICE_ACCOUNT_ID;NOTIFICATIONS_SERVICE_ACCOUNT_ID - defaultValue: "" - type: string - description: The ID of the service account the service should use. See the 'auth-service' - service description for more details. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -NOTIFICATIONS_SERVICE_ACCOUNT_SECRET: - name: OC_SERVICE_ACCOUNT_SECRET;NOTIFICATIONS_SERVICE_ACCOUNT_SECRET - defaultValue: "" - type: string - description: The service account secret. 
- introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -NOTIFICATIONS_SMTP_AUTHENTICATION: - name: NOTIFICATIONS_SMTP_AUTHENTICATION - defaultValue: "" - type: string - description: Authentication method for the SMTP communication. Possible values are - 'login', 'plain', 'crammd5', 'none' or 'auto'. If set to 'auto' or unset, the - authentication method is automatically negotiated with the server. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -NOTIFICATIONS_SMTP_ENCRYPTION: - name: NOTIFICATIONS_SMTP_ENCRYPTION - defaultValue: none - type: string - description: Encryption method for the SMTP communication. Possible values are 'starttls', - 'ssltls' and 'none'. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -NOTIFICATIONS_SMTP_HOST: - name: NOTIFICATIONS_SMTP_HOST - defaultValue: "" - type: string - description: SMTP host to connect to. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -NOTIFICATIONS_SMTP_INSECURE: - name: NOTIFICATIONS_SMTP_INSECURE - defaultValue: "false" - type: bool - description: Allow insecure connections to the SMTP server. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -NOTIFICATIONS_SMTP_PASSWORD: - name: NOTIFICATIONS_SMTP_PASSWORD - defaultValue: "" - type: string - description: Password for the SMTP host to connect to. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -NOTIFICATIONS_SMTP_PORT: - name: NOTIFICATIONS_SMTP_PORT - defaultValue: "0" - type: int - description: Port of the SMTP host to connect to. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -NOTIFICATIONS_SMTP_SENDER: - name: NOTIFICATIONS_SMTP_SENDER - defaultValue: "" - type: string - description: Sender address of emails that will be sent (e.g. 'ownCloud '. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -NOTIFICATIONS_SMTP_USERNAME: - name: NOTIFICATIONS_SMTP_USERNAME - defaultValue: "" - type: string - description: Username for the SMTP host to connect to. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -NOTIFICATIONS_STORE: - name: OC_PERSISTENT_STORE;NOTIFICATIONS_STORE - defaultValue: nats-js-kv - type: string - description: 'The type of the store. Supported values are: ''memory'', ''nats-js-kv'', - ''redis-sentinel'', ''noop''. See the text description for details.' - introductionVersion: "7.1" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -NOTIFICATIONS_STORE_AUTH_PASSWORD: - name: OC_PERSISTENT_STORE_AUTH_PASSWORD;NOTIFICATIONS_STORE_AUTH_PASSWORD - defaultValue: "" - type: string - description: The password to authenticate with the store. Only applies when store - type 'nats-js-kv' is configured. - introductionVersion: "7.1" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -NOTIFICATIONS_STORE_AUTH_USERNAME: - name: OC_PERSISTENT_STORE_AUTH_USERNAME;NOTIFICATIONS_STORE_AUTH_USERNAME - defaultValue: "" - type: string - description: The username to authenticate with the store. Only applies when store - type 'nats-js-kv' is configured. - introductionVersion: "7.1" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -NOTIFICATIONS_STORE_DATABASE: - name: NOTIFICATIONS_STORE_DATABASE - defaultValue: notifications - type: string - description: The database name the configured store should use. 
- introductionVersion: "7.1" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -NOTIFICATIONS_STORE_NODES: - name: OC_PERSISTENT_STORE_NODES;NOTIFICATIONS_STORE_NODES - defaultValue: '[127.0.0.1:9233]' - type: '[]string' - description: A list of nodes to access the configured store. This has no effect - when 'memory' store is configured. Note that the behaviour how nodes are used - is dependent on the library of the configured store. See the Environment Variable - Types description for more details. - introductionVersion: "7.1" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -NOTIFICATIONS_STORE_TABLE: - name: NOTIFICATIONS_STORE_TABLE - defaultValue: "" - type: string - description: The database table the store should use. - introductionVersion: "7.1" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -NOTIFICATIONS_STORE_TTL: - name: OC_PERSISTENT_STORE_TTL;NOTIFICATIONS_STORE_TTL - defaultValue: 336h0m0s - type: Duration - description: Time to live for notifications in the store. Defaults to '336h' (2 - weeks). See the Environment Variable Types description for more details. - introductionVersion: "7.1" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -NOTIFICATIONS_TRACING_COLLECTOR: - name: OC_TRACING_COLLECTOR;NOTIFICATIONS_TRACING_COLLECTOR - defaultValue: "" - type: string - description: The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. - Only used if the tracing endpoint is unset. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -NOTIFICATIONS_TRACING_ENABLED: - name: OC_TRACING_ENABLED;NOTIFICATIONS_TRACING_ENABLED - defaultValue: "false" - type: bool - description: Activates tracing. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -NOTIFICATIONS_TRACING_ENDPOINT: - name: OC_TRACING_ENDPOINT;NOTIFICATIONS_TRACING_ENDPOINT - defaultValue: "" - type: string - description: The endpoint of the tracing agent. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -NOTIFICATIONS_TRACING_TYPE: - name: OC_TRACING_TYPE;NOTIFICATIONS_TRACING_TYPE - defaultValue: "" - type: string - description: The type of tracing. Defaults to '', which is the same as 'jaeger'. - Allowed tracing types are 'jaeger' and '' as of now. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -NOTIFICATIONS_TRANSLATION_PATH: - name: OC_TRANSLATION_PATH;NOTIFICATIONS_TRANSLATION_PATH - defaultValue: "" - type: string - description: (optional) Set this to a path with custom translations to overwrite - the builtin translations. Note that file and folder naming rules apply, see the - documentation for more details. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -NOTIFICATIONS_WEB_UI_URL: - name: OC_URL;NOTIFICATIONS_WEB_UI_URL - defaultValue: https://localhost:9200 - type: string - description: The public facing URL of the oCIS Web UI, used e.g. when sending notification - eMails - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_ADMIN_USER_ID: - name: OC_ADMIN_USER_ID;STORAGE_USERS_PURGE_TRASH_BIN_USER_ID - defaultValue: "" - type: string - description: ID of the user who collects all necessary information for deletion. - Consider that the UUID can be encoded in some LDAP deployment configurations like - in .ldif files. These need to be decoded beforehand. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_ASSET_THEMES_PATH: - name: OC_ASSET_THEMES_PATH;WEB_ASSET_THEMES_PATH - defaultValue: /var/lib/opencloud/web/assets/themes - type: string - description: Serve ownCloud themes from a path on the filesystem instead of the - builtin assets. If not defined, the root directory derives from $OC_BASE_DATA_PATH/web/assets/themes - introductionVersion: 6.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_ASYNC_UPLOADS: - name: OC_ASYNC_UPLOADS - defaultValue: "true" - type: bool - description: Enable asynchronous file uploads. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_CACHE_AUTH_PASSWORD: - name: OC_CACHE_AUTH_PASSWORD;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_PASSWORD - defaultValue: "" - type: string - description: The password to authenticate with the store. Only applies when store - type 'nats-js-kv' is configured. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_CACHE_AUTH_USERNAME: - name: OC_CACHE_AUTH_USERNAME;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_USERNAME - defaultValue: "" - type: string - description: The username to authenticate with the store. Only applies when store - type 'nats-js-kv' is configured. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_CACHE_DATABASE: - name: OC_CACHE_DATABASE - defaultValue: cache-createhome - type: string - description: The database name the configured store should use. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_CACHE_DISABLE_PERSISTENCE: - name: OC_CACHE_DISABLE_PERSISTENCE;GATEWAY_CREATE_HOME_CACHE_DISABLE_PERSISTENCE - defaultValue: "false" - type: bool - description: Disables persistence of the create home cache. Only applies when store - type 'nats-js-kv' is configured. 
Defaults to false. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_CACHE_STORE: - name: OC_CACHE_STORE;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE - defaultValue: nats-js-kv - type: string - description: 'The type of the signing key store. Supported values are: ''redis-sentinel'' - and ''nats-js-kv''. See the text description for details.' - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_CACHE_STORE_NODES: - name: OC_CACHE_STORE_NODES;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_NODES - defaultValue: '[127.0.0.1:9233]' - type: '[]string' - description: A list of nodes to access the configured store. Note that the behaviour - how nodes are used is dependent on the library of the configured store. See the - Environment Variable Types description for more details. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_CACHE_TTL: - name: OC_CACHE_TTL;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_TTL - defaultValue: 12h0m0s - type: Duration - description: Default time to live for signing keys. See the Environment Variable - Types description for more details. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_CORS_ALLOW_CREDENTIALS: - name: OC_CORS_ALLOW_CREDENTIALS;WEBFINGER_CORS_ALLOW_CREDENTIALS - defaultValue: "false" - type: bool - description: 'Allow credentials for CORS.See following chapter for more details: - *Access-Control-Allow-Credentials* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_CORS_ALLOW_HEADERS: - name: OC_CORS_ALLOW_HEADERS;WEBFINGER_CORS_ALLOW_HEADERS - defaultValue: '[]' - type: '[]string' - description: 'A list of allowed CORS headers. 
See following chapter for more details: - *Access-Control-Request-Headers* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. - See the Environment Variable Types description for more details.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_CORS_ALLOW_METHODS: - name: OC_CORS_ALLOW_METHODS;WEBFINGER_CORS_ALLOW_METHODS - defaultValue: '[]' - type: '[]string' - description: 'A list of allowed CORS methods. See following chapter for more details: - *Access-Control-Request-Method* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. - See the Environment Variable Types description for more details.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_CORS_ALLOW_ORIGINS: - name: OC_CORS_ALLOW_ORIGINS;WEBFINGER_CORS_ALLOW_ORIGINS - defaultValue: '[https://localhost:9200]' - type: '[]string' - description: 'A list of allowed CORS origins. See following chapter for more details: - *Access-Control-Allow-Origin* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. - See the Environment Variable Types description for more details.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_CORS_EXPOSE_HEADERS: - name: OC_CORS_EXPOSE_HEADERS;STORAGE_USERS_CORS_EXPOSE_HEADERS - defaultValue: '[Upload-Offset Location Upload-Length Tus-Version Tus-Resumable Tus-Max-Size - Tus-Extension Upload-Metadata Upload-Defer-Length Upload-Concat Upload-Incomplete - Upload-Draft-Interop-Version]' - type: '[]string' - description: 'A list of exposed CORS headers. See following chapter for more details: - *Access-Control-Expose-Headers* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Expose-Headers. - See the Environment Variable Types description for more details.' 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_CORS_MAX_AGE: - name: OC_CORS_MAX_AGE;STORAGE_USERS_CORS_MAX_AGE - defaultValue: "86400" - type: uint - description: 'The max cache duration of preflight headers. See following chapter - for more details: *Access-Control-Max-Age* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Max-Age. - See the Environment Variable Types description for more details.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_DECOMPOSEDFS_PROPAGATOR: - name: OC_DECOMPOSEDFS_PROPAGATOR;STORAGE_USERS_S3NG_PROPAGATOR - defaultValue: sync - type: string - description: The propagator used for decomposedfs. At the moment, only 'sync' is - fully supported, 'async' is available as an experimental option. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_DEFAULT_LANGUAGE: - name: OC_DEFAULT_LANGUAGE - defaultValue: "" - type: string - description: The default language used by services and the WebUI. If not defined, - English will be used as default. See the documentation for more details. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_DISABLE_PREVIEWS: - name: OC_DISABLE_PREVIEWS;WEBDAV_DISABLE_PREVIEWS - defaultValue: "false" - type: bool - description: Set this option to 'true' to disable rendering of thumbnails triggered - via webdav access. Note that when disabled, all access to preview related webdav - paths will return a 404. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_DISABLE_SSE: - name: OC_DISABLE_SSE;FRONTEND_DISABLE_SSE - defaultValue: "false" - type: bool - description: When set to true, clients are informed that the Server-Sent Events - endpoint is not accessible. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_DISABLE_SSE,USERLOG_DISABLE_SSE: - name: OC_DISABLE_SSE,USERLOG_DISABLE_SSE - defaultValue: "false" - type: bool - description: Disables server-sent events (sse). When disabled, clients will no longer - receive sse notifications. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_DISABLE_VERSIONING: - name: OC_DISABLE_VERSIONING - defaultValue: "false" - type: bool - description: Disables versioning of files. When set to true, new uploads with the - same filename will overwrite existing files instead of creating a new version. - introductionVersion: 7.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_EDITION: - name: OC_EDITION;OCDAV_EDITION - defaultValue: Community - type: string - description: Edition of oCIS. Used for branding purposes. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_EMAIL_TEMPLATE_PATH: - name: OC_EMAIL_TEMPLATE_PATH;NOTIFICATIONS_EMAIL_TEMPLATE_PATH - defaultValue: "" - type: string - description: Path to Email notification templates overriding embedded ones. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_ENABLE_OCM: - name: OC_ENABLE_OCM;GRAPH_INCLUDE_OCM_SHAREES - defaultValue: "false" - type: bool - description: Include OCM sharees when listing users. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_EVENTS_AUTH_PASSWORD: - name: OC_EVENTS_AUTH_PASSWORD;ANTIVIRUS_EVENTS_AUTH_PASSWORD - defaultValue: "" - type: string - description: The password to authenticate with the events broker. The events broker - is the OpenCloud service which receives and delivers events between the services. 
- introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_EVENTS_AUTH_USERNAME: - name: OC_EVENTS_AUTH_USERNAME;ANTIVIRUS_EVENTS_AUTH_USERNAME - defaultValue: "" - type: string - description: The username to authenticate with the events broker. The events broker - is the OpenCloud service which receives and delivers events between the services. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_EVENTS_CLUSTER: - name: OC_EVENTS_CLUSTER;ANTIVIRUS_EVENTS_CLUSTER - defaultValue: opencloud-cluster - type: string - description: The clusterID of the event system. The event system is the message - queuing service. It is used as message broker for the microservice architecture. - Mandatory when using NATS as event system. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_EVENTS_ENABLE_TLS: - name: OC_EVENTS_ENABLE_TLS;ANTIVIRUS_EVENTS_ENABLE_TLS - defaultValue: "false" - type: bool - description: Enable TLS for the connection to the events broker. The events broker - is the OpenCloud service which receives and delivers events between the services. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_EVENTS_ENDPOINT: - name: OC_EVENTS_ENDPOINT;ANTIVIRUS_EVENTS_ENDPOINT - defaultValue: 127.0.0.1:9233 - type: string - description: The address of the event system. The event system is the message queuing - service. It is used as message broker for the microservice architecture. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_EVENTS_TLS_ROOT_CA_CERTIFICATE: - name: OC_EVENTS_TLS_ROOT_CA_CERTIFICATE;ANTIVIRUS_EVENTS_TLS_ROOT_CA_CERTIFICATE - defaultValue: "" - type: string - description: The root CA certificate used to validate the server's TLS certificate. - If provided ANTIVIRUS_EVENTS_TLS_INSECURE will be seen as false. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_GATEWAY_GRPC_ADDR: - name: OC_GATEWAY_GRPC_ADDR;GATEWAY_GRPC_ADDR - defaultValue: 127.0.0.1:9142 - type: string - description: The bind address of the GRPC service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_GRPC_CLIENT_TLS_CACERT: - name: OC_GRPC_CLIENT_TLS_CACERT - defaultValue: "" - type: string - description: Path/File name for the root CA certificate (in PEM format) used to - validate TLS server certificates of the go-micro based grpc services. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_GRPC_CLIENT_TLS_MODE: - name: OC_GRPC_CLIENT_TLS_MODE - defaultValue: "" - type: string - description: 'TLS mode for grpc connection to the go-micro based grpc services. - Possible values are ''off'', ''insecure'' and ''on''. ''off'': disables transport - security for the clients. ''insecure'' allows using transport security, but disables - certificate verification (to be used with the autogenerated self-signed certificates). - ''on'' enables transport security, including server certificate verification.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_GRPC_PROTOCOL: - name: OC_GRPC_PROTOCOL;GROUPS_GRPC_PROTOCOL - defaultValue: "" - type: string - description: The transport protocol of the GRPC service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_HTTP_TLS_CERTIFICATE: - name: OC_HTTP_TLS_CERTIFICATE - defaultValue: "" - type: string - description: Path/File name of the TLS server certificate (in PEM format) for the - http services. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_HTTP_TLS_ENABLED: - name: OC_HTTP_TLS_ENABLED - defaultValue: "false" - type: bool - description: Activates TLS for the http based services using the server certifcate - and key configured via OC_HTTP_TLS_CERTIFICATE and OC_HTTP_TLS_KEY. If OC_HTTP_TLS_CERTIFICATE - is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_HTTP_TLS_KEY: - name: OC_HTTP_TLS_KEY - defaultValue: "" - type: string - description: Path/File name for the TLS certificate key (in PEM format) for the - server certificate to use for the http services. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_INSECURE: - name: OC_INSECURE;WEBFINGER_INSECURE - defaultValue: "false" - type: bool - description: Allow insecure connections to the WEBFINGER service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_JWT_SECRET: - name: OC_JWT_SECRET;OCS_JWT_SECRET - defaultValue: "" - type: string - description: The secret to mint and validate jwt tokens. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_KEYCLOAK_BASE_PATH: - name: OC_KEYCLOAK_BASE_PATH;INVITATIONS_KEYCLOAK_BASE_PATH - defaultValue: "" - type: string - description: The URL to access keycloak. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_KEYCLOAK_CLIENT_ID: - name: OC_KEYCLOAK_CLIENT_ID;INVITATIONS_KEYCLOAK_CLIENT_ID - defaultValue: "" - type: string - description: The client ID to authenticate with keycloak. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_KEYCLOAK_CLIENT_REALM: - name: OC_KEYCLOAK_CLIENT_REALM;INVITATIONS_KEYCLOAK_CLIENT_REALM - defaultValue: "" - type: string - description: The realm the client is defined in. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_KEYCLOAK_CLIENT_SECRET: - name: OC_KEYCLOAK_CLIENT_SECRET;INVITATIONS_KEYCLOAK_CLIENT_SECRET - defaultValue: "" - type: string - description: The client secret to use in authentication. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_KEYCLOAK_INSECURE_SKIP_VERIFY: - name: OC_KEYCLOAK_INSECURE_SKIP_VERIFY;INVITATIONS_KEYCLOAK_INSECURE_SKIP_VERIFY - defaultValue: "false" - type: bool - description: Disable TLS certificate validation for Keycloak connections. Do not - set this in production environments. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_KEYCLOAK_USER_REALM: - name: OC_KEYCLOAK_USER_REALM;INVITATIONS_KEYCLOAK_USER_REALM - defaultValue: "" - type: string - description: The realm users are defined. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_LDAP_BIND_DN: - name: OC_LDAP_BIND_DN;GROUPS_LDAP_BIND_DN - defaultValue: uid=reva,ou=sysusers,o=libregraph-idm - type: string - description: LDAP DN to use for simple bind authentication with the target LDAP - server. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_LDAP_BIND_PASSWORD: - name: OC_LDAP_BIND_PASSWORD;GROUPS_LDAP_BIND_PASSWORD - defaultValue: "" - type: string - description: Password to use for authenticating the 'bind_dn'. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_LDAP_CACERT: - name: OC_LDAP_CACERT;GROUPS_LDAP_CACERT - defaultValue: /var/lib/opencloud/idm/ldap.crt - type: string - description: Path/File name for the root CA certificate (in PEM format) used to - validate TLS server certificates of the LDAP service. If not defined, the root - directory derives from $OC_BASE_DATA_PATH/idm. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_LDAP_DISABLE_USER_MECHANISM: - name: OC_LDAP_DISABLE_USER_MECHANISM;GRAPH_DISABLE_USER_MECHANISM - defaultValue: attribute - type: string - description: An option to control the behavior for disabling users. Supported options - are 'none', 'attribute' and 'group'. If set to 'group', disabling a user via API - will add the user to the configured group for disabled users, if set to 'attribute' - this will be done in the ldap user entry, if set to 'none' the disable request - is not processed. Default is 'attribute'. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_LDAP_DISABLED_USERS_GROUP_DN: - name: OC_LDAP_DISABLED_USERS_GROUP_DN;GRAPH_DISABLED_USERS_GROUP_DN - defaultValue: cn=DisabledUsersGroup,ou=groups,o=libregraph-idm - type: string - description: The distinguished name of the group to which added users will be classified - as disabled when 'disable_user_mechanism' is set to 'group'. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_LDAP_GROUP_BASE_DN: - name: OC_LDAP_GROUP_BASE_DN;GROUPS_LDAP_GROUP_BASE_DN - defaultValue: ou=groups,o=libregraph-idm - type: string - description: Search base DN for looking up LDAP groups. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_LDAP_GROUP_FILTER: - name: OC_LDAP_GROUP_FILTER;GROUPS_LDAP_GROUP_FILTER - defaultValue: "" - type: string - description: LDAP filter to add to the default filters for group searches. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_LDAP_GROUP_OBJECTCLASS: - name: OC_LDAP_GROUP_OBJECTCLASS;GROUPS_LDAP_GROUP_OBJECTCLASS - defaultValue: groupOfNames - type: string - description: The object class to use for groups in the default group search filter - ('groupOfNames'). - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_LDAP_GROUP_SCHEMA_DISPLAYNAME: - name: OC_LDAP_GROUP_SCHEMA_DISPLAYNAME;GROUPS_LDAP_GROUP_SCHEMA_DISPLAYNAME - defaultValue: cn - type: string - description: LDAP Attribute to use for the displayname of groups (often the same - as groupname attribute). - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_LDAP_GROUP_SCHEMA_GROUPNAME: - name: OC_LDAP_GROUP_SCHEMA_GROUPNAME;GROUPS_LDAP_GROUP_SCHEMA_GROUPNAME - defaultValue: cn - type: string - description: LDAP Attribute to use for the name of groups. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_LDAP_GROUP_SCHEMA_ID: - name: OC_LDAP_GROUP_SCHEMA_ID;GROUPS_LDAP_GROUP_SCHEMA_ID - defaultValue: ownclouduuid - type: string - description: LDAP Attribute to use as the unique id for groups. This should be a - stable globally unique ID like a UUID. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING: - name: OC_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING;GROUPS_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING - defaultValue: "false" - type: bool - description: Set this to true if the defined 'id' attribute for groups is of the - 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute - of Active Directory for the group ID's. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_LDAP_GROUP_SCHEMA_MAIL: - name: OC_LDAP_GROUP_SCHEMA_MAIL;GROUPS_LDAP_GROUP_SCHEMA_MAIL - defaultValue: mail - type: string - description: LDAP Attribute to use for the email address of groups (can be empty). - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_LDAP_GROUP_SCHEMA_MEMBER: - name: OC_LDAP_GROUP_SCHEMA_MEMBER;GROUPS_LDAP_GROUP_SCHEMA_MEMBER - defaultValue: member - type: string - description: LDAP Attribute that is used for group members. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_LDAP_GROUP_SCOPE: - name: OC_LDAP_GROUP_SCOPE;GROUPS_LDAP_GROUP_SCOPE - defaultValue: sub - type: string - description: LDAP search scope to use when looking up groups. Supported scopes are - 'base', 'one' and 'sub'. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_LDAP_INSECURE: - name: OC_LDAP_INSECURE;GROUPS_LDAP_INSECURE - defaultValue: "false" - type: bool - description: Disable TLS certificate validation for the LDAP connections. Do not - set this in production environments. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_LDAP_SERVER_WRITE_ENABLED: - name: OC_LDAP_SERVER_WRITE_ENABLED;GRAPH_LDAP_SERVER_WRITE_ENABLED - defaultValue: "true" - type: bool - description: Allow creating, modifying and deleting LDAP users via the GRAPH API. - This can only be set to 'true' when keeping default settings for the LDAP user - and group attribute types (the 'OC_LDAP_USER_SCHEMA_* and 'OC_LDAP_GROUP_SCHEMA_* - variables). - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_LDAP_URI: - name: OC_LDAP_URI;GROUPS_LDAP_URI - defaultValue: ldaps://localhost:9235 - type: string - description: URI of the LDAP Server to connect to. Supported URI schemes are 'ldaps://' - and 'ldap://' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_LDAP_USER_BASE_DN: - name: OC_LDAP_USER_BASE_DN;GROUPS_LDAP_USER_BASE_DN - defaultValue: ou=users,o=libregraph-idm - type: string - description: Search base DN for looking up LDAP users. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_LDAP_USER_ENABLED_ATTRIBUTE: - name: OC_LDAP_USER_ENABLED_ATTRIBUTE;GRAPH_USER_ENABLED_ATTRIBUTE - defaultValue: ownCloudUserEnabled - type: string - description: LDAP Attribute to use as a flag telling if the user is enabled or disabled. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_LDAP_USER_FILTER: - name: OC_LDAP_USER_FILTER;GROUPS_LDAP_USER_FILTER - defaultValue: "" - type: string - description: LDAP filter to add to the default filters for user search like '(objectclass=ownCloud)'. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_LDAP_USER_OBJECTCLASS: - name: OC_LDAP_USER_OBJECTCLASS;GROUPS_LDAP_USER_OBJECTCLASS - defaultValue: inetOrgPerson - type: string - description: The object class to use for users in the default user search filter - ('inetOrgPerson'). - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_LDAP_USER_SCHEMA_DISPLAYNAME: - name: OC_LDAP_USER_SCHEMA_DISPLAYNAME;GROUPS_LDAP_USER_SCHEMA_DISPLAYNAME - defaultValue: displayname - type: string - description: LDAP Attribute to use for the displayname of users. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: 'LDAP_USER_SCHEMA_DISPLAY_NAME changing name for consistency | | | | | | | - LDAP_USER_SCHEMA_DISPLAY_NAME changing name for consistency | | | | LDAP_USER_SCHEMA_DISPLAY_NAME - changing name for consistency | | | LDAP_USER_SCHEMA_DISPLAY_NAME changing name - for consistency | | | | LDAP_USER_SCHEMA_DISPLAY_NAME changing name for consistency - | ' -OC_LDAP_USER_SCHEMA_ID: - name: OC_LDAP_USER_SCHEMA_ID;GROUPS_LDAP_USER_SCHEMA_ID - defaultValue: ownclouduuid - type: string - description: LDAP Attribute to use as the unique id for users. This should be a - stable globally unique id like a UUID. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING: - name: OC_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING;GROUPS_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING - defaultValue: "false" - type: bool - description: Set this to true if the defined 'ID' attribute for users is of the - 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute - of Active Directory for the user ID's. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_LDAP_USER_SCHEMA_MAIL: - name: OC_LDAP_USER_SCHEMA_MAIL;GROUPS_LDAP_USER_SCHEMA_MAIL - defaultValue: mail - type: string - description: LDAP Attribute to use for the email address of users. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_LDAP_USER_SCHEMA_USER_TYPE: - name: OC_LDAP_USER_SCHEMA_USER_TYPE;GRAPH_LDAP_USER_TYPE_ATTRIBUTE - defaultValue: ownCloudUserType - type: string - description: LDAP Attribute to distinguish between 'Member' and 'Guest' users. Default - is 'ownCloudUserType'. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_LDAP_USER_SCHEMA_USERNAME: - name: OC_LDAP_USER_SCHEMA_USERNAME;GROUPS_LDAP_USER_SCHEMA_USERNAME - defaultValue: uid - type: string - description: LDAP Attribute to use for username of users. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_LDAP_USER_SCOPE: - name: OC_LDAP_USER_SCOPE;GROUPS_LDAP_USER_SCOPE - defaultValue: sub - type: string - description: LDAP search scope to use when looking up users. Supported scopes are - 'base', 'one' and 'sub'. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_LOG_COLOR: - name: OC_LOG_COLOR;WEBFINGER_LOG_COLOR - defaultValue: "false" - type: bool - description: Activates colorized log output. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_LOG_FILE: - name: OC_LOG_FILE;WEBFINGER_LOG_FILE - defaultValue: "" - type: string - description: The path to the log file. Activates logging to this file if set. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_LOG_LEVEL: - name: OC_LOG_LEVEL;WEBFINGER_LOG_LEVEL - defaultValue: "" - type: string - description: 'The log level. 
Valid values are: ''panic'', ''fatal'', ''error'', - ''warn'', ''info'', ''debug'', ''trace''.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_LOG_PRETTY: - name: OC_LOG_PRETTY;WEBFINGER_LOG_PRETTY - defaultValue: "false" - type: bool - description: Activates pretty log output. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_MACHINE_AUTH_API_KEY: - name: OC_MACHINE_AUTH_API_KEY;AUTH_APP_MACHINE_AUTH_API_KEY - defaultValue: "" - type: string - description: The machine auth API key used to validate internal requests necessary - to access resources from other services. - introductionVersion: 7.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_MAX_CONCURRENCY: - name: OC_MAX_CONCURRENCY;STORAGE_USERS_S3NG_MAX_CONCURRENCY - defaultValue: "5" - type: int - description: Maximum number of concurrent go-routines. Higher values can potentially - get work done faster but will also cause more load on the system. Values of 0 - or below will be ignored and the default value of 100 will be used. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_OIDC_CLIENT_ID: - name: OC_OIDC_CLIENT_ID;WEB_OIDC_CLIENT_ID - defaultValue: web - type: string - description: The OIDC client ID which ownCloud Web uses. This client needs to be - set up in your IDP. Note that this setting has no effect when using the builtin - IDP. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_OIDC_ISSUER: - name: OC_URL;OC_OIDC_ISSUER;WEBFINGER_OIDC_ISSUER - defaultValue: https://localhost:9200 - type: string - description: The identity provider href for the openid-discovery relation. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: - name: OC_PASSWORD_POLICY_BANNED_PASSWORDS_LIST;SHARING_PASSWORD_POLICY_BANNED_PASSWORDS_LIST - defaultValue: "" - type: string - description: Path to the 'banned passwords list' file. This only impacts public - link password validation. See the documentation for more details. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_PASSWORD_POLICY_DISABLED: - name: OC_PASSWORD_POLICY_DISABLED;SHARING_PASSWORD_POLICY_DISABLED - defaultValue: "false" - type: bool - description: Disable the password policy. Defaults to false if not set. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_PASSWORD_POLICY_MIN_CHARACTERS: - name: OC_PASSWORD_POLICY_MIN_CHARACTERS;SHARING_PASSWORD_POLICY_MIN_CHARACTERS - defaultValue: "8" - type: int - description: Define the minimum password length. Defaults to 8 if not set. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_PASSWORD_POLICY_MIN_DIGITS: - name: OC_PASSWORD_POLICY_MIN_DIGITS;SHARING_PASSWORD_POLICY_MIN_DIGITS - defaultValue: "1" - type: int - description: Define the minimum number of digits. Defaults to 1 if not set. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS: - name: OC_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS;SHARING_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS - defaultValue: "1" - type: int - description: Define the minimum number of uppercase letters. Defaults to 1 if not - set. 
- introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS: - name: OC_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS;SHARING_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS - defaultValue: "1" - type: int - description: Define the minimum number of characters from the special characters - list to be present. Defaults to 1 if not set. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS: - name: OC_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS;SHARING_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS - defaultValue: "1" - type: int - description: Define the minimum number of lowercase letters. Defaults to 1 if not - set. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_PERSISTENT_STORE: - name: OC_PERSISTENT_STORE;POSTPROCESSING_STORE - defaultValue: nats-js-kv - type: string - description: 'The type of the store. Supported values are: ''memory'', ''redis-sentinel'', - ''nats-js-kv'', ''noop''. See the text description for details.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_PERSISTENT_STORE_AUTH_PASSWORD: - name: OC_PERSISTENT_STORE_AUTH_PASSWORD;POSTPROCESSING_STORE_AUTH_PASSWORD - defaultValue: "" - type: string - description: The password to authenticate with the store. Only applies when store - type 'nats-js-kv' is configured. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_PERSISTENT_STORE_AUTH_USERNAME: - name: OC_PERSISTENT_STORE_AUTH_USERNAME;POSTPROCESSING_STORE_AUTH_USERNAME - defaultValue: "" - type: string - description: The username to authenticate with the store. Only applies when store - type 'nats-js-kv' is configured. 
- introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_PERSISTENT_STORE_NODES: - name: OC_PERSISTENT_STORE_NODES;POSTPROCESSING_STORE_NODES - defaultValue: '[127.0.0.1:9233]' - type: '[]string' - description: A list of nodes to access the configured store. This has no effect - when 'memory' store is configured. Note that the behaviour how nodes are used - is dependent on the library of the configured store. See the Environment Variable - Types description for more details. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_PERSISTENT_STORE_TTL: - name: OC_PERSISTENT_STORE_TTL;POSTPROCESSING_STORE_TTL - defaultValue: 0s - type: Duration - description: Time to live for events in the store. See the Environment Variable - Types description for more details. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_PUBLIC_URL: - name: OC_URL;OC_PUBLIC_URL - defaultValue: https://127.0.0.1:9200 - type: string - description: URL, where oCIS is reachable for users. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_REVA_GATEWAY: - name: OC_REVA_GATEWAY - defaultValue: eu.opencloud.api.gateway - type: string - description: The CS3 gateway endpoint. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_REVA_GATEWAY_TLS_CACERT: - name: OC_REVA_GATEWAY_TLS_CACERT - defaultValue: "" - type: string - description: The root CA certificate used to validate the gateway's TLS certificate. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_REVA_GATEWAY_TLS_MODE: - name: OC_REVA_GATEWAY_TLS_MODE - defaultValue: "" - type: string - description: 'TLS mode for grpc connection to the CS3 gateway endpoint. Possible - values are ''off'', ''insecure'' and ''on''. 
''off'': disables transport security - for the clients. ''insecure'' allows using transport security, but disables certificate - verification (to be used with the autogenerated self-signed certificates). ''on'' - enables transport security, including server certificate verification.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_SERVICE_ACCOUNT_ID: - name: OC_SERVICE_ACCOUNT_ID;PROXY_SERVICE_ACCOUNT_ID - defaultValue: "" - type: string - description: The ID of the service account the service should use. See the 'auth-service' - service description for more details. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_SERVICE_ACCOUNT_SECRET: - name: OC_SERVICE_ACCOUNT_SECRET;PROXY_SERVICE_ACCOUNT_SECRET - defaultValue: "" - type: string - description: The service account secret. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD: - name: OC_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD;SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD - defaultValue: "true" - type: bool - description: Set this to true if you want to enforce passwords on all public shares. 
- introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: 'FRONTEND_OCS_PUBLIC_SHARE_MUST_HAVE_PASSWORD, the OCS API is deprecated - | | FRONTEND_OCS_PUBLIC_SHARE_MUST_HAVE_PASSWORD, the OCS API is deprecated | | | - FRONTEND_OCS_PUBLIC_SHARE_MUST_HAVE_PASSWORD, the OCS API is deprecated | | FRONTEND_OCS_PUBLIC_SHARE_MUST_HAVE_PASSWORD, - the OCS API is deprecated | FRONTEND_OCS_PUBLIC_SHARE_MUST_HAVE_PASSWORD, the - OCS API is deprecated | ' -OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD: - name: OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD;SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD - defaultValue: "false" - type: bool - description: Set this to true if you want to enforce passwords on Uploader, Editor - or Contributor shares. If not using the global OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD, - you must define the FRONTEND_OCS_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD (deprecated) - in the frontend service. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: 'FRONTEND_OCS_PUBLIC_WRITABLE_SHARE_MUST_HAVE_PASSWORD, the OCS - API is deprecated | | FRONTEND_OCS_PUBLIC_WRITABLE_SHARE_MUST_HAVE_PASSWORD, - the OCS API is deprecated | | | FRONTEND_OCS_PUBLIC_WRITABLE_SHARE_MUST_HAVE_PASSWORD, - the OCS API is deprecated | | FRONTEND_OCS_PUBLIC_WRITABLE_SHARE_MUST_HAVE_PASSWORD, - the OCS API is deprecated | FRONTEND_OCS_PUBLIC_WRITABLE_SHARE_MUST_HAVE_PASSWORD, - the OCS API is deprecated | ' -OC_SHOW_USER_EMAIL_IN_RESULTS: - name: OC_SHOW_USER_EMAIL_IN_RESULTS - defaultValue: "false" - type: bool - description: Include user email addresses in responses. If absent or set to false - emails will be omitted from results. Please note that admin users can always see - all email addresses. 
- introductionVersion: 6.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_SPACES_MAX_QUOTA: - name: OC_SPACES_MAX_QUOTA;STORAGE_USERS_OCIS_MAX_QUOTA - defaultValue: "0" - type: uint64 - description: Set a global max quota for spaces in bytes. A value of 0 equals unlimited. - If not using the global OC_SPACES_MAX_QUOTA, you must define the FRONTEND_MAX_QUOTA - in the frontend service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_SYSTEM_USER_API_KEY: - name: OC_SYSTEM_USER_API_KEY - defaultValue: "" - type: string - description: API key for the STORAGE-SYSTEM system user. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_SYSTEM_USER_ID: - name: OC_SYSTEM_USER_ID;SETTINGS_SYSTEM_USER_ID - defaultValue: "" - type: string - description: ID of the oCIS STORAGE-SYSTEM system user. Admins need to set the ID - for the STORAGE-SYSTEM system user in this config option which is then used to - reference the user. Any reasonable long string is possible, preferably this would - be an UUIDv4 format. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_SYSTEM_USER_IDP: - name: OC_SYSTEM_USER_IDP;SETTINGS_SYSTEM_USER_IDP - defaultValue: internal - type: string - description: IDP of the oCIS STORAGE-SYSTEM system user. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_TRACING_COLLECTOR: - name: OC_TRACING_COLLECTOR;WEBFINGER_TRACING_COLLECTOR - defaultValue: "" - type: string - description: The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. - Only used if the tracing endpoint is unset. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_TRACING_ENABLED: - name: OC_TRACING_ENABLED;WEBFINGER_TRACING_ENABLED - defaultValue: "false" - type: bool - description: Activates tracing. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_TRACING_ENDPOINT: - name: OC_TRACING_ENDPOINT;WEBFINGER_TRACING_ENDPOINT - defaultValue: "" - type: string - description: The endpoint of the tracing agent. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_TRACING_TYPE: - name: OC_TRACING_TYPE;WEBFINGER_TRACING_TYPE - defaultValue: "" - type: string - description: The type of tracing. Defaults to '', which is the same as 'jaeger'. - Allowed tracing types are 'jaeger' and '' as of now. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_TRANSFER_SECRET: - name: OC_TRANSFER_SECRET - defaultValue: "" - type: string - description: The storage transfer secret. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_TRANSLATION_PATH: - name: OC_TRANSLATION_PATH;GRAPH_TRANSLATION_PATH - defaultValue: "" - type: string - description: (optional) Set this to a path with custom translations to overwrite - the builtin translations. Note that file and folder naming rules apply, see the - documentation for more details. - introductionVersion: 7.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_URL: - name: OC_URL;WEBFINGER_OPENCLOUD_SERVER_INSTANCE_URL - defaultValue: https://localhost:9200 - type: string - description: The URL for the legacy OpenCloud server instance relation (not to be - confused with the product OpenCloud Server). It defaults to the OC_URL but can - be overridden to support some reverse proxy corner cases. To shard the deployment, - multiple instances can be configured in the configuration file. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OC_WOPI_DISABLE_CHAT: - name: COLLABORATION_WOPI_DISABLE_CHAT;OC_WOPI_DISABLE_CHAT - defaultValue: "false" - type: bool - description: Disable chat in the office web frontend. This feature applies to OnlyOffice - and Microsoft. - introductionVersion: 7.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCDAV_ALLOW_PROPFIND_DEPTH_INFINITY: - name: OCDAV_ALLOW_PROPFIND_DEPTH_INFINITY - defaultValue: "false" - type: bool - description: Allow the use of depth infinity in PROPFINDS. When enabled, a propfind - will traverse through all subfolders. If many subfolders are expected, depth infinity - can cause heavy server load and/or delayed response times. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCDAV_CORS_ALLOW_CREDENTIALS: - name: OC_CORS_ALLOW_CREDENTIALS;OCDAV_CORS_ALLOW_CREDENTIALS - defaultValue: "false" - type: bool - description: 'Allow credentials for CORS.See following chapter for more details: - *Access-Control-Allow-Credentials* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCDAV_CORS_ALLOW_HEADERS: - name: OC_CORS_ALLOW_HEADERS;OCDAV_CORS_ALLOW_HEADERS - defaultValue: '[Origin Accept Content-Type Depth Authorization Ocs-Apirequest If-None-Match - If-Match Destination Overwrite X-Request-Id X-Requested-With Tus-Resumable Tus-Checksum-Algorithm - Upload-Concat Upload-Length Upload-Metadata Upload-Defer-Length Upload-Expires - Upload-Checksum Upload-Offset X-HTTP-Method-Override Cache-Control]' - type: '[]string' - description: 'A list of allowed CORS headers. See following chapter for more details: - *Access-Control-Request-Headers* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. 
- See the Environment Variable Types description for more details.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCDAV_CORS_ALLOW_METHODS: - name: OC_CORS_ALLOW_METHODS;OCDAV_CORS_ALLOW_METHODS - defaultValue: '[OPTIONS HEAD GET PUT POST DELETE MKCOL PROPFIND PROPPATCH MOVE COPY - REPORT SEARCH]' - type: '[]string' - description: 'A list of allowed CORS methods. See following chapter for more details: - *Access-Control-Request-Method* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. - See the Environment Variable Types description for more details.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCDAV_CORS_ALLOW_ORIGINS: - name: OC_CORS_ALLOW_ORIGINS;OCDAV_CORS_ALLOW_ORIGINS - defaultValue: '[https://localhost:9200]' - type: '[]string' - description: 'A list of allowed CORS origins. See following chapter for more details: - *Access-Control-Allow-Origin* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. - See the Environment Variable Types description for more details.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCDAV_DEBUG_ADDR: - name: OCDAV_DEBUG_ADDR - defaultValue: 127.0.0.1:9163 - type: string - description: Bind address of the debug server, where metrics, health, config and - debug endpoints will be exposed. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCDAV_DEBUG_PPROF: - name: OCDAV_DEBUG_PPROF - defaultValue: "false" - type: bool - description: Enables pprof, which can be used for profiling. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCDAV_DEBUG_TOKEN: - name: OCDAV_DEBUG_TOKEN - defaultValue: "" - type: string - description: Token to secure the metrics endpoint. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCDAV_DEBUG_ZPAGES: - name: OCDAV_DEBUG_ZPAGES - defaultValue: "false" - type: bool - description: Enables zpages, which can be used for collecting and viewing in-memory - traces. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCDAV_EDITION: - name: OC_EDITION;OCDAV_EDITION - defaultValue: Community - type: string - description: Edition of oCIS. Used for branding purposes. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCDAV_FILES_NAMESPACE: - name: OCDAV_FILES_NAMESPACE - defaultValue: /users/{{.Id.OpaqueId}} - type: string - description: Jail requests to /dav/files/{username} into this CS3 namespace. Supports - template layouting with CS3 User properties. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCDAV_GATEWAY_REQUEST_TIMEOUT: - name: OCDAV_GATEWAY_REQUEST_TIMEOUT - defaultValue: "84300" - type: int64 - description: Request timeout in seconds for requests from the oCDAV service to the - GATEWAY service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCDAV_HTTP_ADDR: - name: OCDAV_HTTP_ADDR - defaultValue: 127.0.0.1:9350 - type: string - description: The bind address of the HTTP service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCDAV_HTTP_PREFIX: - name: OCDAV_HTTP_PREFIX - defaultValue: "" - type: string - description: A URL path prefix for the handler. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCDAV_HTTP_PROTOCOL: - name: OCDAV_HTTP_PROTOCOL - defaultValue: tcp - type: string - description: The transport protocol of the HTTP service. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCDAV_INSECURE: - name: OC_INSECURE;OCDAV_INSECURE - defaultValue: "false" - type: bool - description: Allow insecure connections to the GATEWAY service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCDAV_JWT_SECRET: - name: OC_JWT_SECRET;OCDAV_JWT_SECRET - defaultValue: "" - type: string - description: The secret to mint and validate jwt tokens. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCDAV_LOG_COLOR: - name: OC_LOG_COLOR;OCDAV_LOG_COLOR - defaultValue: "false" - type: bool - description: Activates colorized log output. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCDAV_LOG_FILE: - name: OC_LOG_FILE;OCDAV_LOG_FILE - defaultValue: "" - type: string - description: The path to the log file. Activates logging to this file if set. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCDAV_LOG_LEVEL: - name: OC_LOG_LEVEL;OCDAV_LOG_LEVEL - defaultValue: "" - type: string - description: 'The log level. Valid values are: ''panic'', ''fatal'', ''error'', - ''warn'', ''info'', ''debug'', ''trace''.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCDAV_LOG_PRETTY: - name: OC_LOG_PRETTY;OCDAV_LOG_PRETTY - defaultValue: "false" - type: bool - description: Activates pretty log output. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCDAV_MACHINE_AUTH_API_KEY: - name: OC_MACHINE_AUTH_API_KEY;OCDAV_MACHINE_AUTH_API_KEY - defaultValue: "" - type: string - description: Machine auth API key used to validate internal requests necessary for - the access to resources from other services. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCDAV_OCM_NAMESPACE: - name: OCDAV_OCM_NAMESPACE - defaultValue: /public - type: string - description: The human readable path prefix for the ocm shares. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCDAV_PUBLIC_URL: - name: OC_URL;OCDAV_PUBLIC_URL - defaultValue: https://localhost:9200 - type: string - description: URL where oCIS is reachable for users. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCDAV_SHARES_NAMESPACE: - name: OCDAV_SHARES_NAMESPACE - defaultValue: /Shares - type: string - description: The human readable path for the share jail. Relative to a users personal - space root. Upcased intentionally. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCDAV_SKIP_USER_GROUPS_IN_TOKEN: - name: OCDAV_SKIP_USER_GROUPS_IN_TOKEN - defaultValue: "false" - type: bool - description: Disables the loading of user's group memberships from the reva access - token. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCDAV_TRACING_COLLECTOR: - name: OC_TRACING_COLLECTOR;OCDAV_TRACING_COLLECTOR - defaultValue: "" - type: string - description: The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. - Only used if the tracing endpoint is unset. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCDAV_TRACING_ENABLED: - name: OC_TRACING_ENABLED;OCDAV_TRACING_ENABLED - defaultValue: "false" - type: bool - description: Activates tracing. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCDAV_TRACING_ENDPOINT: - name: OC_TRACING_ENDPOINT;OCDAV_TRACING_ENDPOINT - defaultValue: "" - type: string - description: The endpoint of the tracing agent. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCDAV_TRACING_TYPE: - name: OC_TRACING_TYPE;OCDAV_TRACING_TYPE - defaultValue: "" - type: string - description: The type of tracing. Defaults to '', which is the same as 'jaeger'. - Allowed tracing types are 'jaeger' and '' as of now. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCDAV_WEBDAV_NAMESPACE: - name: OCDAV_WEBDAV_NAMESPACE - defaultValue: /users/{{.Id.OpaqueId}} - type: string - description: Jail requests to /dav/webdav into this CS3 namespace. Supports template - layouting with CS3 User properties. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCM_CORS_ALLOW_CREDENTIALS: - name: OC_CORS_ALLOW_CREDENTIALS;OCM_CORS_ALLOW_CREDENTIALS - defaultValue: "false" - type: bool - description: 'Allow credentials for CORS.See following chapter for more details: - *Access-Control-Allow-Credentials* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.' - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCM_CORS_ALLOW_HEADERS: - name: OC_CORS_ALLOW_HEADERS;OCM_CORS_ALLOW_HEADERS - defaultValue: '[Origin Accept Content-Type Depth Authorization Ocs-Apirequest If-None-Match - If-Match Destination Overwrite X-Request-Id X-Requested-With Tus-Resumable Tus-Checksum-Algorithm - Upload-Concat Upload-Length Upload-Metadata Upload-Defer-Length Upload-Expires - Upload-Checksum Upload-Offset X-HTTP-Method-Override Cache-Control]' - type: '[]string' - description: 'A list of allowed CORS headers. 
See following chapter for more details: - *Access-Control-Request-Headers* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. - See the Environment Variable Types description for more details.' - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCM_CORS_ALLOW_METHODS: - name: OC_CORS_ALLOW_METHODS;OCM_CORS_ALLOW_METHODS - defaultValue: '[OPTIONS HEAD GET PUT POST DELETE MKCOL PROPFIND PROPPATCH MOVE COPY - REPORT SEARCH]' - type: '[]string' - description: 'A list of allowed CORS methods. See following chapter for more details: - *Access-Control-Request-Method* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. - See the Environment Variable Types description for more details.' - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCM_CORS_ALLOW_ORIGINS: - name: OC_CORS_ALLOW_ORIGINS;OCM_CORS_ALLOW_ORIGINS - defaultValue: '[https://localhost:9200]' - type: '[]string' - description: 'A list of allowed CORS origins. See following chapter for more details: - *Access-Control-Allow-Origin* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. - See the Environment Variable Types description for more details.' - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCM_DEBUG_ADDR: - name: OCM_DEBUG_ADDR - defaultValue: 127.0.0.1:9281 - type: string - description: Bind address of the debug server, where metrics, health, config and - debug endpoints will be exposed. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCM_DEBUG_PPROF: - name: OCM_DEBUG_PPROF - defaultValue: "false" - type: bool - description: Enables pprof, which can be used for profiling. 
- introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCM_DEBUG_TOKEN: - name: OCM_DEBUG_TOKEN - defaultValue: "" - type: string - description: Token to secure the metrics endpoint. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCM_DEBUG_ZPAGES: - name: OCM_DEBUG_ZPAGES - defaultValue: "false" - type: bool - description: Enables zpages, which can be used for collecting and viewing in-memory - traces. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCM_EVENTS_AUTH_PASSWORD: - name: OC_EVENTS_AUTH_PASSWORD;OCM_EVENTS_AUTH_PASSWORD - defaultValue: "" - type: string - description: The password to authenticate with the events broker. The events broker - is the OpenCloud service which receives and delivers events between the services. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCM_EVENTS_AUTH_USERNAME: - name: OC_EVENTS_AUTH_USERNAME;OCM_EVENTS_AUTH_USERNAME - defaultValue: "" - type: string - description: The username to authenticate with the events broker. The events broker - is the OpenCloud service which receives and delivers events between the services. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCM_EVENTS_CLUSTER: - name: OC_EVENTS_CLUSTER;OCM_EVENTS_CLUSTER - defaultValue: opencloud-cluster - type: string - description: The clusterID of the event system. The event system is the message - queuing service. It is used as message broker for the microservice architecture. - Mandatory when using NATS as event system. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCM_EVENTS_ENABLE_TLS: - name: OC_EVENTS_ENABLE_TLS;OCM_EVENTS_ENABLE_TLS - defaultValue: "false" - type: bool - description: Enable TLS for the connection to the events broker. 
The events broker - is the OpenCloud service which receives and delivers events between the services. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCM_EVENTS_ENDPOINT: - name: OC_EVENTS_ENDPOINT;OCM_EVENTS_ENDPOINT - defaultValue: 127.0.0.1:9233 - type: string - description: The address of the event system. The event system is the message queuing - service. It is used as message broker for the microservice architecture. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCM_EVENTS_TLS_INSECURE: - name: OC_INSECURE;OCM_EVENTS_TLS_INSECURE - defaultValue: "false" - type: bool - description: Whether to verify the server TLS certificates. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCM_EVENTS_TLS_ROOT_CA_CERTIFICATE: - name: OC_EVENTS_TLS_ROOT_CA_CERTIFICATE;OCM_EVENTS_TLS_ROOT_CA_CERTIFICATE - defaultValue: "" - type: string - description: The root CA certificate used to validate the server's TLS certificate. - If provided OCM_EVENTS_TLS_INSECURE will be seen as false. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCM_GRPC_ADDR: - name: OCM_GRPC_ADDR - defaultValue: 127.0.0.1:9282 - type: string - description: The bind address of the GRPC service. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCM_GRPC_PROTOCOL: - name: OC_GRPC_PROTOCOL;OCM_GRPC_PROTOCOL - defaultValue: "" - type: string - description: The transport protocol of the GRPC service. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCM_HTTP_ADDR: - name: OCM_HTTP_ADDR - defaultValue: 127.0.0.1:9280 - type: string - description: The bind address of the HTTP service. 
- introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCM_HTTP_PREFIX: - name: OCM_HTTP_PREFIX - defaultValue: "" - type: string - description: The path prefix where OCM can be accessed (defaults to /). - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCM_HTTP_PROTOCOL: - name: OCM_HTTP_PROTOCOL - defaultValue: tcp - type: string - description: The transport protocol of the HTTP service. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCM_JWT_SECRET: - name: OC_JWT_SECRET;OCM_JWT_SECRET - defaultValue: "" - type: string - description: The secret to mint and validate jwt tokens. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCM_LOG_COLOR: - name: OC_LOG_COLOR;OCM_LOG_COLOR - defaultValue: "false" - type: bool - description: Activates colorized log output. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCM_LOG_FILE: - name: OC_LOG_FILE;OCM_LOG_FILE - defaultValue: "" - type: string - description: The path to the log file. Activates logging to this file if set. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCM_LOG_LEVEL: - name: OC_LOG_LEVEL;OCM_LOG_LEVEL - defaultValue: "" - type: string - description: 'The log level. Valid values are: ''panic'', ''fatal'', ''error'', - ''warn'', ''info'', ''debug'', ''trace''.' - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCM_LOG_PRETTY: - name: OC_LOG_PRETTY;OCM_LOG_PRETTY - defaultValue: "false" - type: bool - description: Activates pretty log output. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCM_MESH_DIRECTORY_URL: - name: OCM_MESH_DIRECTORY_URL - defaultValue: "" - type: string - description: URL of the mesh directory service. 
- introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCM_OCM_CORE_DRIVER: - name: OCM_OCM_CORE_DRIVER - defaultValue: json - type: string - description: Driver to be used for the OCM core. Supported value is only 'json'. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCM_OCM_CORE_JSON_FILE: - name: OCM_OCM_CORE_JSON_FILE - defaultValue: /var/lib/opencloud/storage/ocm/ocmshares.json - type: string - description: Path to the JSON file where OCM share data will be stored. If not defined, - the root directory derives from $OC_BASE_DATA_PATH/storage. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCM_OCM_INVITE_MANAGER_DRIVER: - name: OCM_OCM_INVITE_MANAGER_DRIVER - defaultValue: json - type: string - description: Driver to be used to persist OCM invites. Supported value is only 'json'. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCM_OCM_INVITE_MANAGER_INSECURE: - name: OCM_OCM_INVITE_MANAGER_INSECURE - defaultValue: "false" - type: bool - description: Disable TLS certificate validation for the OCM connections. Do not - set this in production environments. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCM_OCM_INVITE_MANAGER_JSON_FILE: - name: OCM_OCM_INVITE_MANAGER_JSON_FILE - defaultValue: /var/lib/opencloud/storage/ocm/ocminvites.json - type: string - description: Path to the JSON file where OCM invite data will be stored. This file - is maintained by the instance and must not be changed manually. If not defined, - the root directory derives from $OC_BASE_DATA_PATH/storage/ocm. 
- introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCM_OCM_INVITE_MANAGER_TIMEOUT: - name: OCM_OCM_INVITE_MANAGER_TIMEOUT - defaultValue: 30s - type: Duration - description: Timeout specifies a time limit for requests made to OCM endpoints. - introductionVersion: 6.0.1 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCM_OCM_INVITE_MANAGER_TOKEN_EXPIRATION: - name: OCM_OCM_INVITE_MANAGER_TOKEN_EXPIRATION - defaultValue: 24h0m0s - type: Duration - description: Expiry duration for invite tokens. - introductionVersion: 6.0.1 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCM_OCM_PROVIDER_AUTHORIZER_PROVIDERS_FILE: - name: OCM_OCM_PROVIDER_AUTHORIZER_PROVIDERS_FILE - defaultValue: /etc/opencloud/ocmproviders.json - type: string - description: Path to the JSON file where ocm invite data will be stored. Defaults - to $OC_CONFIG_DIR/ocmproviders.json. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCM_OCM_SHARE_PROVIDER_DRIVER: - name: OCM_OCM_SHARE_PROVIDER_DRIVER - defaultValue: json - type: string - description: Driver to be used for the OCM share provider. Supported value is only - 'json'. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCM_OCM_SHARE_PROVIDER_INSECURE: - name: OCM_OCM_SHARE_PROVIDER_INSECURE - defaultValue: "false" - type: bool - description: Disable TLS certificate validation for the OCM connections. Do not - set this in production environments. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCM_OCM_SHAREPROVIDER_JSON_FILE: - name: OCM_OCM_SHAREPROVIDER_JSON_FILE - defaultValue: /var/lib/opencloud/storage/ocm/ocmshares.json - type: string - description: Path to the JSON file where OCM share data will be stored. If not defined, - the root directory derives from $OC_BASE_DATA_PATH/storage. 
- introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCM_OCM_STORAGE_DATA_SERVER_URL: - name: OCM_OCM_STORAGE_DATA_SERVER_URL - defaultValue: http://localhost:9280/data - type: string - description: URL of the data server, needs to be reachable by the data gateway provided - by the frontend service or the user if directly exposed. - introductionVersion: 7.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCM_OCM_STORAGE_PROVIDER_INSECURE: - name: OCM_OCM_STORAGE_PROVIDER_INSECURE - defaultValue: "false" - type: bool - description: Disable TLS certificate validation for the OCM connections. Do not - set this in production environments. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCM_OCM_STORAGE_PROVIDER_STORAGE_ROOT: - name: OCM_OCM_STORAGE_PROVIDER_STORAGE_ROOT - defaultValue: /var/lib/opencloud/storage/ocm - type: string - description: Directory where the ocm storage provider persists its data like tus - upload info files. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCM_OCMD_EXPOSE_RECIPIENT_DISPLAY_NAME: - name: OCM_OCMD_EXPOSE_RECIPIENT_DISPLAY_NAME - defaultValue: "false" - type: bool - description: Expose the display name of OCM share recipients. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCM_OCMD_PREFIX: - name: OCM_OCMD_PREFIX - defaultValue: ocm - type: string - description: URL path prefix for the OCMD service. Note that the string must not - start with '/'. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCM_SCIENCEMESH_PREFIX: - name: OCM_SCIENCEMESH_PREFIX - defaultValue: sciencemesh - type: string - description: URL path prefix for the ScienceMesh service. Note that the string must - not start with '/'. 
- introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCM_SERVICE_ACCOUNT_ID: - name: OC_SERVICE_ACCOUNT_ID;OCM_SERVICE_ACCOUNT_ID - defaultValue: "" - type: string - description: The ID of the service account the service should use. See the 'auth-service' - service description for more details. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCM_SERVICE_ACCOUNT_SECRET: - name: OC_SERVICE_ACCOUNT_SECRET;OCM_SERVICE_ACCOUNT_SECRET - defaultValue: "" - type: string - description: The service account secret. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCM_TRACING_COLLECTOR: - name: OC_TRACING_COLLECTOR;OCM_TRACING_COLLECTOR - defaultValue: "" - type: string - description: The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. - Only used if the tracing endpoint is unset. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCM_TRACING_ENABLED: - name: OC_TRACING_ENABLED;OCM_TRACING_ENABLED - defaultValue: "false" - type: bool - description: Activates tracing. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCM_TRACING_ENDPOINT: - name: OC_TRACING_ENDPOINT;OCM_TRACING_ENDPOINT - defaultValue: "" - type: string - description: The endpoint of the tracing agent. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCM_TRACING_TYPE: - name: OC_TRACING_TYPE;OCM_TRACING_TYPE - defaultValue: "" - type: string - description: The type of tracing. Defaults to '', which is the same as 'jaeger'. - Allowed tracing types are 'jaeger' and '' as of now. 
- introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCM_WEBAPP_TEMPLATE: - name: OCM_WEBAPP_TEMPLATE - defaultValue: "" - type: string - description: Template for the webapp url. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCS_CORS_ALLOW_CREDENTIALS: - name: OC_CORS_ALLOW_CREDENTIALS;OCS_CORS_ALLOW_CREDENTIALS - defaultValue: "true" - type: bool - description: 'Allow credentials for CORS.See following chapter for more details: - *Access-Control-Allow-Credentials* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCS_CORS_ALLOW_HEADERS: - name: OC_CORS_ALLOW_HEADERS;OCS_CORS_ALLOW_HEADERS - defaultValue: '[Authorization Origin Content-Type Accept X-Requested-With X-Request-Id - Cache-Control]' - type: '[]string' - description: 'A list of allowed CORS headers. See following chapter for more details: - *Access-Control-Request-Headers* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. - See the Environment Variable Types description for more details.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCS_CORS_ALLOW_METHODS: - name: OC_CORS_ALLOW_METHODS;OCS_CORS_ALLOW_METHODS - defaultValue: '[GET POST PUT PATCH DELETE OPTIONS]' - type: '[]string' - description: 'A list of allowed CORS methods. See following chapter for more details: - *Access-Control-Request-Method* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. - See the Environment Variable Types description for more details.' 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCS_CORS_ALLOW_ORIGINS: - name: OC_CORS_ALLOW_ORIGINS;OCS_CORS_ALLOW_ORIGINS - defaultValue: '[*]' - type: '[]string' - description: 'A list of allowed CORS origins. See following chapter for more details: - *Access-Control-Allow-Origin* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. - See the Environment Variable Types description for more details.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCS_DEBUG_ADDR: - name: OCS_DEBUG_ADDR - defaultValue: 127.0.0.1:9114 - type: string - description: Bind address of the debug server, where metrics, health, config and - debug endpoints will be exposed. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCS_DEBUG_PPROF: - name: OCS_DEBUG_PPROF - defaultValue: "false" - type: bool - description: Enables pprof, which can be used for profiling. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCS_DEBUG_TOKEN: - name: OCS_DEBUG_TOKEN - defaultValue: "" - type: string - description: Token to secure the metrics endpoint. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCS_DEBUG_ZPAGES: - name: OCS_DEBUG_ZPAGES - defaultValue: "false" - type: bool - description: Enables zpages, which can be used for collecting and viewing in-memory - traces. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCS_EVENTS_TLS_ROOT_CA_CERTIFICATE: - name: FRONTEND_EVENTS_TLS_ROOT_CA_CERTIFICATE;OCS_EVENTS_TLS_ROOT_CA_CERTIFICATE - defaultValue: "" - type: string - description: The root CA certificate used to validate the server's TLS certificate. - If provided NOTIFICATIONS_EVENTS_TLS_INSECURE will be seen as false. 
- introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCS_HTTP_ADDR: - name: OCS_HTTP_ADDR - defaultValue: 127.0.0.1:9110 - type: string - description: The bind address of the HTTP service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCS_HTTP_ROOT: - name: OCS_HTTP_ROOT - defaultValue: /ocs - type: string - description: Subdirectory that serves as the root for this HTTP service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCS_JWT_SECRET: - name: OC_JWT_SECRET;OCS_JWT_SECRET - defaultValue: "" - type: string - description: The secret to mint and validate jwt tokens. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCS_LOG_COLOR: - name: OC_LOG_COLOR;OCS_LOG_COLOR - defaultValue: "false" - type: bool - description: Activates colorized log output. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCS_LOG_FILE: - name: OC_LOG_FILE;OCS_LOG_FILE - defaultValue: "" - type: string - description: The path to the log file. Activates logging to this file if set. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCS_LOG_LEVEL: - name: OC_LOG_LEVEL;OCS_LOG_LEVEL - defaultValue: "" - type: string - description: 'The log level. Valid values are: ''panic'', ''fatal'', ''error'', - ''warn'', ''info'', ''debug'', ''trace''.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCS_LOG_PRETTY: - name: OC_LOG_PRETTY;OCS_LOG_PRETTY - defaultValue: "false" - type: bool - description: Activates pretty log output. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCS_PRESIGNEDURL_SIGNING_KEYS_STORE: - name: OC_CACHE_STORE;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE - defaultValue: nats-js-kv - type: string - description: 'The type of the signing key store. Supported values are: ''redis-sentinel'' - and ''nats-js-kv''. See the text description for details.' - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_PASSWORD: - name: OC_CACHE_AUTH_PASSWORD;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_PASSWORD - defaultValue: "" - type: string - description: The password to authenticate with the store. Only applies when store - type 'nats-js-kv' is configured. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_USERNAME: - name: OC_CACHE_AUTH_USERNAME;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_USERNAME - defaultValue: "" - type: string - description: The username to authenticate with the store. Only applies when store - type 'nats-js-kv' is configured. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_NODES: - name: OC_CACHE_STORE_NODES;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_NODES - defaultValue: '[127.0.0.1:9233]' - type: '[]string' - description: A list of nodes to access the configured store. Note that the behaviour - how nodes are used is dependent on the library of the configured store. See the - Environment Variable Types description for more details. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_TTL: - name: OC_CACHE_TTL;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_TTL - defaultValue: 12h0m0s - type: Duration - description: Default time to live for signing keys. 
See the Environment Variable - Types description for more details. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCS_TRACING_COLLECTOR: - name: OC_TRACING_COLLECTOR;OCS_TRACING_COLLECTOR - defaultValue: "" - type: string - description: The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. - Only used if the tracing endpoint is unset. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCS_TRACING_ENABLED: - name: OC_TRACING_ENABLED;OCS_TRACING_ENABLED - defaultValue: "false" - type: bool - description: Activates tracing. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCS_TRACING_ENDPOINT: - name: OC_TRACING_ENDPOINT;OCS_TRACING_ENDPOINT - defaultValue: "" - type: string - description: The endpoint of the tracing agent. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -OCS_TRACING_TYPE: - name: OC_TRACING_TYPE;OCS_TRACING_TYPE - defaultValue: "" - type: string - description: The type of tracing. Defaults to '', which is the same as 'jaeger'. - Allowed tracing types are 'jaeger' and '' as of now. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -POLICIES_DEBUG_ADDR: - name: POLICIES_DEBUG_ADDR - defaultValue: 127.0.0.1:9129 - type: string - description: Bind address of the debug server, where metrics, health, config and - debug endpoints will be exposed. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -POLICIES_DEBUG_PPROF: - name: POLICIES_DEBUG_PPROF - defaultValue: "false" - type: bool - description: Enables pprof, which can be used for profiling. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -POLICIES_DEBUG_TOKEN: - name: POLICIES_DEBUG_TOKEN - defaultValue: "" - type: string - description: Token to secure the metrics endpoint. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -POLICIES_DEBUG_ZPAGES: - name: POLICIES_DEBUG_ZPAGES - defaultValue: "false" - type: bool - description: Enables zpages, which can be used for collecting and viewing in-memory - traces. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -POLICIES_ENGINE_MIMES: - name: POLICIES_ENGINE_MIMES - defaultValue: "" - type: string - description: Sets the mimes file path which maps mimetypes to associated file extensions. - See the text description for details. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -POLICIES_ENGINE_TIMEOUT: - name: POLICIES_ENGINE_TIMEOUT - defaultValue: 10s - type: Duration - description: Sets the timeout the rego expression evaluation can take. Rules default - to deny if the timeout was reached. See the Environment Variable Types description - for more details. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -POLICIES_EVENTS_AUTH_PASSWORD: - name: OC_EVENTS_AUTH_PASSWORD;POLICIES_EVENTS_AUTH_PASSWORD - defaultValue: "" - type: string - description: The password to authenticate with the events broker. The events broker - is the OpenCloud service which receives and delivers events between the services. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -POLICIES_EVENTS_AUTH_USERNAME: - name: OC_EVENTS_AUTH_USERNAME;POLICIES_EVENTS_AUTH_USERNAME - defaultValue: "" - type: string - description: The username to authenticate with the events broker. 
The events broker - is the OpenCloud service which receives and delivers events between the services. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -POLICIES_EVENTS_CLUSTER: - name: OC_EVENTS_CLUSTER;POLICIES_EVENTS_CLUSTER - defaultValue: opencloud-cluster - type: string - description: The clusterID of the event system. The event system is the message - queuing service. It is used as message broker for the microservice architecture. - Mandatory when using NATS as event system. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -POLICIES_EVENTS_ENABLE_TLS: - name: OC_EVENTS_ENABLE_TLS;POLICIES_EVENTS_ENABLE_TLS - defaultValue: "false" - type: bool - description: Enable TLS for the connection to the events broker. The events broker - is the OpenCloud service which receives and delivers events between the services. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -POLICIES_EVENTS_ENDPOINT: - name: OC_EVENTS_ENDPOINT;POLICIES_EVENTS_ENDPOINT - defaultValue: 127.0.0.1:9233 - type: string - description: The address of the event system. The event system is the message queuing - service. It is used as message broker for the microservice architecture. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -POLICIES_EVENTS_TLS_INSECURE: - name: OC_INSECURE;POLICIES_EVENTS_TLS_INSECURE - defaultValue: "false" - type: bool - description: Whether the server should skip the client certificate verification - during the TLS handshake. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -POLICIES_EVENTS_TLS_ROOT_CA_CERTIFICATE: - name: OC_EVENTS_TLS_ROOT_CA_CERTIFICATE;POLICIES_EVENTS_TLS_ROOT_CA_CERTIFICATE - defaultValue: "" - type: string - description: The root CA certificate used to validate the server's TLS certificate. 
- If provided POLICIES_EVENTS_TLS_INSECURE will be seen as false. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -POLICIES_GRPC_ADDR: - name: POLICIES_GRPC_ADDR - defaultValue: 127.0.0.1:9125 - type: string - description: The bind address of the GRPC service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -POLICIES_LOG_COLOR: - name: OC_LOG_COLOR;POLICIES_LOG_COLOR - defaultValue: "false" - type: bool - description: Activates colorized log output. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -POLICIES_LOG_FILE: - name: OC_LOG_FILE;POLICIES_LOG_FILE - defaultValue: "" - type: string - description: The path to the log file. Activates logging to this file if set. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -POLICIES_LOG_LEVEL: - name: OC_LOG_LEVEL;POLICIES_LOG_LEVEL - defaultValue: "" - type: string - description: 'The log level. Valid values are: ''panic'', ''fatal'', ''error'', - ''warn'', ''info'', ''debug'', ''trace''.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -POLICIES_LOG_PRETTY: - name: OC_LOG_PRETTY;POLICIES_LOG_PRETTY - defaultValue: "false" - type: bool - description: Activates pretty log output. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -POLICIES_POSTPROCESSING_QUERY: - name: POLICIES_POSTPROCESSING_QUERY - defaultValue: "" - type: string - description: Defines the 'Complete Rules' variable defined in the rego rule set - this step uses for its evaluation. Defaults to deny if the variable was not found. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -POLICIES_TRACING_COLLECTOR: - name: OC_TRACING_COLLECTOR;POLICIES_TRACING_COLLECTOR - defaultValue: "" - type: string - description: The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. - Only used if the tracing endpoint is unset. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -POLICIES_TRACING_ENABLED: - name: OC_TRACING_ENABLED;POLICIES_TRACING_ENABLED - defaultValue: "false" - type: bool - description: Activates tracing. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -POLICIES_TRACING_ENDPOINT: - name: OC_TRACING_ENDPOINT;POLICIES_TRACING_ENDPOINT - defaultValue: "" - type: string - description: The endpoint of the tracing agent. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -POLICIES_TRACING_TYPE: - name: OC_TRACING_TYPE;POLICIES_TRACING_TYPE - defaultValue: "" - type: string - description: The type of tracing. Defaults to '', which is the same as 'jaeger'. - Allowed tracing types are 'jaeger' and '' as of now. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -POSTPROCESSING_DEBUG_ADDR: - name: POSTPROCESSING_DEBUG_ADDR - defaultValue: 127.0.0.1:9255 - type: string - description: Bind address of the debug server, where metrics, health, config and - debug endpoints will be exposed. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -POSTPROCESSING_DEBUG_PPROF: - name: POSTPROCESSING_DEBUG_PPROF - defaultValue: "false" - type: bool - description: Enables pprof, which can be used for profiling. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -POSTPROCESSING_DEBUG_TOKEN: - name: POSTPROCESSING_DEBUG_TOKEN - defaultValue: "" - type: string - description: Token to secure the metrics endpoint. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -POSTPROCESSING_DEBUG_ZPAGES: - name: POSTPROCESSING_DEBUG_ZPAGES - defaultValue: "false" - type: bool - description: Enables zpages, which can be used for collecting and viewing in-memory - traces. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -POSTPROCESSING_DELAY: - name: POSTPROCESSING_DELAY - defaultValue: 0s - type: Duration - description: After uploading a file but before making it available for download, - a delay step can be added. Intended for developing purposes only. If a duration - is set but the keyword 'delay' is not explicitely added to 'POSTPROCESSING_STEPS', - the delay step will be processed as last step. In such a case, a log entry will - be written on service startup to remind the admin about that situation. See the - Environment Variable Types description for more details. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -POSTPROCESSING_EVENTS_AUTH_PASSWORD: - name: OC_EVENTS_AUTH_PASSWORD;POSTPROCESSING_EVENTS_AUTH_PASSWORD - defaultValue: "" - type: string - description: The password to authenticate with the events broker. The events broker - is the OpenCloud service which receives and delivers events between the services. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -POSTPROCESSING_EVENTS_AUTH_USERNAME: - name: OC_EVENTS_AUTH_USERNAME;POSTPROCESSING_EVENTS_AUTH_USERNAME - defaultValue: "" - type: string - description: The username to authenticate with the events broker. 
The events broker - is the OpenCloud service which receives and delivers events between the services. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -POSTPROCESSING_EVENTS_CLUSTER: - name: OC_EVENTS_CLUSTER;POSTPROCESSING_EVENTS_CLUSTER - defaultValue: opencloud-cluster - type: string - description: The clusterID of the event system. The event system is the message - queuing service. It is used as message broker for the microservice architecture. - Mandatory when using NATS as event system. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -POSTPROCESSING_EVENTS_ENABLE_TLS: - name: OC_EVENTS_ENABLE_TLS;POSTPROCESSING_EVENTS_ENABLE_TLS - defaultValue: "false" - type: bool - description: Enable TLS for the connection to the events broker. The events broker - is the OpenCloud service which receives and delivers events between the services. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -POSTPROCESSING_EVENTS_ENDPOINT: - name: OC_EVENTS_ENDPOINT;POSTPROCESSING_EVENTS_ENDPOINT - defaultValue: 127.0.0.1:9233 - type: string - description: The address of the event system. The event system is the message queuing - service. It is used as message broker for the microservice architecture. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -POSTPROCESSING_EVENTS_TLS_INSECURE: - name: OC_INSECURE;POSTPROCESSING_EVENTS_TLS_INSECURE - defaultValue: "false" - type: bool - description: Whether the ocis server should skip the client certificate verification - during the TLS handshake. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -POSTPROCESSING_EVENTS_TLS_ROOT_CA_CERTIFICATE: - name: OC_EVENTS_TLS_ROOT_CA_CERTIFICATE;POSTPROCESSING_EVENTS_TLS_ROOT_CA_CERTIFICATE - defaultValue: "" - type: string - description: The root CA certificate used to validate the server's TLS certificate. - If provided POSTPROCESSING_EVENTS_TLS_INSECURE will be seen as false. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -POSTPROCESSING_LOG_COLOR: - name: OC_LOG_COLOR;POSTPROCESSING_LOG_COLOR - defaultValue: "false" - type: bool - description: Activates colorized log output. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -POSTPROCESSING_LOG_FILE: - name: OC_LOG_FILE;POSTPROCESSING_LOG_FILE - defaultValue: "" - type: string - description: The path to the log file. Activates logging to this file if set. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -POSTPROCESSING_LOG_LEVEL: - name: OC_LOG_LEVEL;POSTPROCESSING_LOG_LEVEL - defaultValue: "" - type: string - description: 'The log level. Valid values are: ''panic'', ''fatal'', ''error'', - ''warn'', ''info'', ''debug'', ''trace''.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -POSTPROCESSING_LOG_PRETTY: - name: OC_LOG_PRETTY;POSTPROCESSING_LOG_PRETTY - defaultValue: "false" - type: bool - description: Activates pretty log output. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -POSTPROCESSING_MAX_RETRIES: - name: POSTPROCESSING_MAX_RETRIES - defaultValue: "14" - type: int - description: The maximum number of retries for a failed postprocessing step. 
- introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -POSTPROCESSING_RETRY_BACKOFF_DURATION: - name: POSTPROCESSING_RETRY_BACKOFF_DURATION - defaultValue: 5s - type: Duration - description: The base for the exponential backoff duration before retrying a failed - postprocessing step. See the Environment Variable Types description for more details. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -POSTPROCESSING_STEPS: - name: POSTPROCESSING_STEPS - defaultValue: '[]' - type: '[]string' - description: 'A list of postprocessing steps processed in order of their appearance. - Currently supported values by the system are: ''virusscan'', ''policies'' and - ''delay''. Custom steps are allowed. See the documentation for instructions. See - the Environment Variable Types description for more details.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -POSTPROCESSING_STORE: - name: OC_PERSISTENT_STORE;POSTPROCESSING_STORE - defaultValue: nats-js-kv - type: string - description: 'The type of the store. Supported values are: ''memory'', ''redis-sentinel'', - ''nats-js-kv'', ''noop''. See the text description for details.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -POSTPROCESSING_STORE_AUTH_PASSWORD: - name: OC_PERSISTENT_STORE_AUTH_PASSWORD;POSTPROCESSING_STORE_AUTH_PASSWORD - defaultValue: "" - type: string - description: The password to authenticate with the store. Only applies when store - type 'nats-js-kv' is configured. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -POSTPROCESSING_STORE_AUTH_USERNAME: - name: OC_PERSISTENT_STORE_AUTH_USERNAME;POSTPROCESSING_STORE_AUTH_USERNAME - defaultValue: "" - type: string - description: The username to authenticate with the store. Only applies when store - type 'nats-js-kv' is configured. 
- introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -POSTPROCESSING_STORE_DATABASE: - name: POSTPROCESSING_STORE_DATABASE - defaultValue: postprocessing - type: string - description: The database name the configured store should use. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -POSTPROCESSING_STORE_NODES: - name: OC_PERSISTENT_STORE_NODES;POSTPROCESSING_STORE_NODES - defaultValue: '[127.0.0.1:9233]' - type: '[]string' - description: A list of nodes to access the configured store. This has no effect - when 'memory' store is configured. Note that the behaviour how nodes are used - is dependent on the library of the configured store. See the Environment Variable - Types description for more details. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -POSTPROCESSING_STORE_TABLE: - name: POSTPROCESSING_STORE_TABLE - defaultValue: "" - type: string - description: The database table the store should use. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -POSTPROCESSING_STORE_TTL: - name: OC_PERSISTENT_STORE_TTL;POSTPROCESSING_STORE_TTL - defaultValue: 0s - type: Duration - description: Time to live for events in the store. See the Environment Variable - Types description for more details. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -POSTPROCESSING_TRACING_COLLECTOR: - name: OC_TRACING_COLLECTOR;POSTPROCESSING_TRACING_COLLECTOR - defaultValue: "" - type: string - description: The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. - Only used if the tracing endpoint is unset. 
- introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -POSTPROCESSING_TRACING_ENABLED: - name: OC_TRACING_ENABLED;POSTPROCESSING_TRACING_ENABLED - defaultValue: "false" - type: bool - description: Activates tracing. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -POSTPROCESSING_TRACING_ENDPOINT: - name: OC_TRACING_ENDPOINT;POSTPROCESSING_TRACING_ENDPOINT - defaultValue: "" - type: string - description: The endpoint of the tracing agent. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -POSTPROCESSING_TRACING_TYPE: - name: OC_TRACING_TYPE;POSTPROCESSING_TRACING_TYPE - defaultValue: "" - type: string - description: The type of tracing. Defaults to '', which is the same as 'jaeger'. - Allowed tracing types are 'jaeger' and '' as of now. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -POSTPROCESSING_WORKERS: - name: POSTPROCESSING_WORKERS - defaultValue: "3" - type: int - description: The number of concurrent go routines that fetch events from the event - queue. - introductionVersion: "6.7" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -PROXY_ACCOUNT_BACKEND_TYPE: - name: PROXY_ACCOUNT_BACKEND_TYPE - defaultValue: cs3 - type: string - description: Account backend the PROXY service should use. Currently only 'cs3' - is possible here. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -PROXY_AUTOPROVISION_ACCOUNTS: - name: PROXY_AUTOPROVISION_ACCOUNTS - defaultValue: "false" - type: bool - description: Set this to 'true' to automatically provision users that do not yet - exist in the users service on-demand upon first sign-in. To use this a write-enabled - libregraph user backend needs to be setup an running. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -PROXY_AUTOPROVISION_CLAIM_DISPLAYNAME: - name: PROXY_AUTOPROVISION_CLAIM_DISPLAYNAME - defaultValue: name - type: string - description: The name of the OIDC claim that holds the display name. - introductionVersion: 6.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -PROXY_AUTOPROVISION_CLAIM_EMAIL: - name: PROXY_AUTOPROVISION_CLAIM_EMAIL - defaultValue: email - type: string - description: The name of the OIDC claim that holds the email. - introductionVersion: 6.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -PROXY_AUTOPROVISION_CLAIM_GROUPS: - name: PROXY_AUTOPROVISION_CLAIM_GROUPS - defaultValue: groups - type: string - description: The name of the OIDC claim that holds the groups. - introductionVersion: 6.1.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -PROXY_AUTOPROVISION_CLAIM_USERNAME: - name: PROXY_AUTOPROVISION_CLAIM_USERNAME - defaultValue: preferred_username - type: string - description: The name of the OIDC claim that holds the username. - introductionVersion: 6.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -PROXY_CSP_CONFIG_FILE_LOCATION: - name: PROXY_CSP_CONFIG_FILE_LOCATION - defaultValue: "" - type: string - description: The location of the CSP configuration file. - introductionVersion: 6.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -PROXY_DEBUG_ADDR: - name: PROXY_DEBUG_ADDR - defaultValue: 127.0.0.1:9205 - type: string - description: Bind address of the debug server, where metrics, health, config and - debug endpoints will be exposed. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -PROXY_DEBUG_PPROF: - name: PROXY_DEBUG_PPROF - defaultValue: "false" - type: bool - description: Enables pprof, which can be used for profiling. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -PROXY_DEBUG_TOKEN: - name: PROXY_DEBUG_TOKEN - defaultValue: "" - type: string - description: Token to secure the metrics endpoint. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -PROXY_DEBUG_ZPAGES: - name: PROXY_DEBUG_ZPAGES - defaultValue: "false" - type: bool - description: Enables zpages, which can be used for collecting and viewing in-memory - traces. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -PROXY_ENABLE_APP_AUTH: - name: PROXY_ENABLE_APP_AUTH - defaultValue: "false" - type: bool - description: Allow app authentication. This can be used to authenticate 3rd party - applications. Note that auth-app service must be running for this feature to work. - introductionVersion: 7.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -PROXY_ENABLE_BASIC_AUTH: - name: PROXY_ENABLE_BASIC_AUTH - defaultValue: "false" - type: bool - description: Set this to true to enable 'basic authentication' (username/password). - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -PROXY_ENABLE_PRESIGNEDURLS: - name: PROXY_ENABLE_PRESIGNEDURLS - defaultValue: "true" - type: bool - description: Allow OCS to get a signing key to sign requests. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -PROXY_EVENTS_AUTH_PASSWORD: - name: OC_EVENTS_AUTH_PASSWORD;PROXY_EVENTS_AUTH_PASSWORD - defaultValue: "" - type: string - description: The password to authenticate with the events broker. The events broker - is the OpenCloud service which receives and delivers events between the services. 
- introductionVersion: 7.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -PROXY_EVENTS_AUTH_USERNAME: - name: OC_EVENTS_AUTH_USERNAME;PROXY_EVENTS_AUTH_USERNAME - defaultValue: "" - type: string - description: The username to authenticate with the events broker. The events broker - is the OpenCloud service which receives and delivers events between the services. - introductionVersion: 7.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -PROXY_EVENTS_CLUSTER: - name: OC_EVENTS_CLUSTER;PROXY_EVENTS_CLUSTER - defaultValue: opencloud-cluster - type: string - description: The clusterID of the event system. The event system is the message - queuing service. It is used as message broker for the microservice architecture. - introductionVersion: 7.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -PROXY_EVENTS_ENABLE_TLS: - name: OC_EVENTS_ENABLE_TLS;PROXY_EVENTS_ENABLE_TLS - defaultValue: "false" - type: bool - description: Enable TLS for the connection to the events broker. The events broker - is the OpenCloud service which receives and delivers events between the services. - introductionVersion: 7.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -PROXY_EVENTS_ENDPOINT: - name: OC_EVENTS_ENDPOINT;PROXY_EVENTS_ENDPOINT - defaultValue: 127.0.0.1:9233 - type: string - description: The address of the event system. The event system is the message queuing - service. It is used as message broker for the microservice architecture. Set to - a empty string to disable emitting events. - introductionVersion: 7.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -PROXY_EVENTS_TLS_INSECURE: - name: OC_INSECURE;PROXY_EVENTS_TLS_INSECURE - defaultValue: "false" - type: bool - description: Whether to verify the server TLS certificates. 
- introductionVersion: 7.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -PROXY_EVENTS_TLS_ROOT_CA_CERTIFICATE: - name: OC_EVENTS_TLS_ROOT_CA_CERTIFICATE;PROXY_EVENTS_TLS_ROOT_CA_CERTIFICATE - defaultValue: "" - type: string - description: The root CA certificate used to validate the server's TLS certificate. - If provided PROXY_EVENTS_TLS_INSECURE will be seen as false. - introductionVersion: 7.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -PROXY_HTTP_ADDR: - name: PROXY_HTTP_ADDR - defaultValue: 0.0.0.0:9200 - type: string - description: The bind address of the HTTP service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -PROXY_HTTP_ROOT: - name: PROXY_HTTP_ROOT - defaultValue: / - type: string - description: Subdirectory that serves as the root for this HTTP service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -PROXY_HTTPS_CACERT: - name: PROXY_HTTPS_CACERT - defaultValue: "" - type: string - description: Path/File for the root CA certificate used to validate the server’s - TLS certificate for https enabled backend services. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -PROXY_INSECURE_BACKENDS: - name: PROXY_INSECURE_BACKENDS - defaultValue: "false" - type: bool - description: Disable TLS certificate validation for all HTTP backend connections. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -PROXY_LOG_COLOR: - name: OC_LOG_COLOR;PROXY_LOG_COLOR - defaultValue: "false" - type: bool - description: Activates colorized log output. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -PROXY_LOG_FILE: - name: OC_LOG_FILE;PROXY_LOG_FILE - defaultValue: "" - type: string - description: The path to the log file. Activates logging to this file if set. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -PROXY_LOG_LEVEL: - name: OC_LOG_LEVEL;PROXY_LOG_LEVEL - defaultValue: "" - type: string - description: 'The log level. Valid values are: ''panic'', ''fatal'', ''error'', - ''warn'', ''info'', ''debug'', ''trace''.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -PROXY_LOG_PRETTY: - name: OC_LOG_PRETTY;PROXY_LOG_PRETTY - defaultValue: "false" - type: bool - description: Activates pretty log output. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -PROXY_MACHINE_AUTH_API_KEY: - name: OC_MACHINE_AUTH_API_KEY;PROXY_MACHINE_AUTH_API_KEY - defaultValue: "" - type: string - description: Machine auth API key used to validate internal requests necessary to - access resources from other services. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD: - name: PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD - defaultValue: jwt - type: string - description: Sets how OIDC access tokens should be verified. Possible values are - 'none' and 'jwt'. When using 'none', no special validation apart from using it - for accessing the IPD's userinfo endpoint will be done. When using 'jwt', it tries - to parse the access token as a jwt token and verifies the signature using the - keys published on the IDP's 'jwks_uri'. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -PROXY_OIDC_INSECURE: - name: OC_INSECURE;PROXY_OIDC_INSECURE - defaultValue: "false" - type: bool - description: Disable TLS certificate validation for connections to the IDP. Note - that this is not recommended for production environments. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -PROXY_OIDC_ISSUER: - name: OC_URL;OC_OIDC_ISSUER;PROXY_OIDC_ISSUER - defaultValue: https://localhost:9200 - type: string - description: URL of the OIDC issuer. It defaults to URL of the builtin IDP. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -PROXY_OIDC_JWKS_REFRESH_INTERVAL: - name: PROXY_OIDC_JWKS_REFRESH_INTERVAL - defaultValue: "60" - type: uint64 - description: The interval for refreshing the JWKS (JSON Web Key Set) in minutes - in the background via a new HTTP request to the IDP. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -PROXY_OIDC_JWKS_REFRESH_RATE_LIMIT: - name: PROXY_OIDC_JWKS_REFRESH_RATE_LIMIT - defaultValue: "60" - type: uint64 - description: Limits the rate in seconds at which refresh requests are performed - for unknown keys. This is used to prevent malicious clients from imposing high - network load on the IDP via ocis. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -PROXY_OIDC_JWKS_REFRESH_TIMEOUT: - name: PROXY_OIDC_JWKS_REFRESH_TIMEOUT - defaultValue: "10" - type: uint64 - description: The timeout in seconds for an outgoing JWKS request. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -PROXY_OIDC_JWKS_REFRESH_UNKNOWN_KID: - name: PROXY_OIDC_JWKS_REFRESH_UNKNOWN_KID - defaultValue: "true" - type: bool - description: If set to 'true', the JWKS refresh request will occur every time an - unknown KEY ID (KID) is seen. Always set a 'refresh_limit' when enabling this. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -PROXY_OIDC_REWRITE_WELLKNOWN: - name: PROXY_OIDC_REWRITE_WELLKNOWN - defaultValue: "false" - type: bool - description: Enables rewriting the /.well-known/openid-configuration to the configured - OIDC issuer. Needed by the Desktop Client, Android Client and iOS Client to discover - the OIDC provider. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -PROXY_OIDC_SKIP_USER_INFO: - name: PROXY_OIDC_SKIP_USER_INFO - defaultValue: "false" - type: bool - description: Do not look up user claims at the userinfo endpoint and directly read - them from the access token. Incompatible with 'PROXY_OIDC_ACCESS_TOKEN_VERIFY_METHOD=none'. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -PROXY_OIDC_USERINFO_CACHE_AUTH_PASSWORD: - name: OC_CACHE_AUTH_PASSWORD;PROXY_OIDC_USERINFO_CACHE_AUTH_PASSWORD - defaultValue: "" - type: string - description: The password to authenticate with the cache. Only applies when store - type 'nats-js-kv' is configured. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -PROXY_OIDC_USERINFO_CACHE_AUTH_USERNAME: - name: OC_CACHE_AUTH_USERNAME;PROXY_OIDC_USERINFO_CACHE_AUTH_USERNAME - defaultValue: "" - type: string - description: The username to authenticate with the cache. Only applies when store - type 'nats-js-kv' is configured. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -PROXY_OIDC_USERINFO_CACHE_DISABLE_PERSISTENCE: - name: OC_CACHE_DISABLE_PERSISTENCE;PROXY_OIDC_USERINFO_CACHE_DISABLE_PERSISTENCE - defaultValue: "false" - type: bool - description: Disables persistence of the cache. Only applies when store type 'nats-js-kv' - is configured. Defaults to false. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -PROXY_OIDC_USERINFO_CACHE_STORE: - name: OC_CACHE_STORE;PROXY_OIDC_USERINFO_CACHE_STORE - defaultValue: memory - type: string - description: 'The type of the cache store. Supported values are: ''memory'', ''redis-sentinel'', - ''nats-js-kv'', ''noop''. See the text description for details.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -PROXY_OIDC_USERINFO_CACHE_STORE_NODES: - name: OC_CACHE_STORE_NODES;PROXY_OIDC_USERINFO_CACHE_STORE_NODES - defaultValue: '[127.0.0.1:9233]' - type: '[]string' - description: A list of nodes to access the configured store. This has no effect - when 'memory' store is configured. Note that the behaviour how nodes are used - is dependent on the library of the configured store. See the Environment Variable - Types description for more details. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -PROXY_OIDC_USERINFO_CACHE_TABLE: - name: PROXY_OIDC_USERINFO_CACHE_TABLE - defaultValue: "" - type: string - description: The database table the store should use. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -PROXY_OIDC_USERINFO_CACHE_TTL: - name: OC_CACHE_TTL;PROXY_OIDC_USERINFO_CACHE_TTL - defaultValue: 10s - type: Duration - description: Default time to live for user info in the user info cache. Only applied - when access tokens has no expiration. See the Environment Variable Types description - for more details. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -PROXY_POLICIES_QUERY: - name: PROXY_POLICIES_QUERY - defaultValue: "" - type: string - description: Defines the 'Complete Rules' variable defined in the rego rule set - this step uses for its evaluation. Rules default to deny if the variable was not - found. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE: - name: OC_CACHE_STORE;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE - defaultValue: nats-js-kv - type: string - description: 'The type of the signing key store. Supported values are: ''redis-sentinel'', - ''nats-js-kv'' and ''ocisstoreservice'' (deprecated). See the text description - for details.' - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_PASSWORD: - name: OC_CACHE_AUTH_PASSWORD;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_PASSWORD - defaultValue: "" - type: string - description: The password to authenticate with the store. Only applies when store - type 'nats-js-kv' is configured. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_USERNAME: - name: OC_CACHE_AUTH_USERNAME;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_USERNAME - defaultValue: "" - type: string - description: The username to authenticate with the store. Only applies when store - type 'nats-js-kv' is configured. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_DISABLE_PERSISTENCE: - name: OC_CACHE_DISABLE_PERSISTENCE;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_DISABLE_PERSISTENCE - defaultValue: "true" - type: bool - description: Disables persistence of the store. Only applies when store type 'nats-js-kv' - is configured. Defaults to true. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_NODES: - name: OC_CACHE_STORE_NODES;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_NODES - defaultValue: '[127.0.0.1:9233]' - type: '[]string' - description: A list of nodes to access the configured store. 
Note that the behaviour - how nodes are used is dependent on the library of the configured store. See the - Environment Variable Types description for more details. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_TTL: - name: OC_CACHE_TTL;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_TTL - defaultValue: 12h0m0s - type: Duration - description: Default time to live for signing keys. See the Environment Variable - Types description for more details. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -PROXY_ROLE_ASSIGNMENT_DRIVER: - name: PROXY_ROLE_ASSIGNMENT_DRIVER - defaultValue: default - type: string - description: 'The mechanism that should be used to assign roles to user upon login. - Supported values: ''default'' or ''oidc''. ''default'' will assign the role ''user'' - to users which don''t have a role assigned at the time they login. ''oidc'' will - assign the role based on the value of a claim (configured via PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM) - from the users OIDC claims.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM: - name: PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM - defaultValue: roles - type: string - description: The OIDC claim used to create the users role assignment. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -PROXY_SERVICE_ACCOUNT_ID: - name: OC_SERVICE_ACCOUNT_ID;PROXY_SERVICE_ACCOUNT_ID - defaultValue: "" - type: string - description: The ID of the service account the service should use. See the 'auth-service' - service description for more details. 
- introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -PROXY_SERVICE_ACCOUNT_SECRET: - name: OC_SERVICE_ACCOUNT_SECRET;PROXY_SERVICE_ACCOUNT_SECRET - defaultValue: "" - type: string - description: The service account secret. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -PROXY_TLS: - name: PROXY_TLS - defaultValue: "true" - type: bool - description: Enable/Disable HTTPS for external HTTP services. Must be set to 'true' - if the built-in IDP service an no reverse proxy is used. See the text description - for details. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -PROXY_TRACING_COLLECTOR: - name: OC_TRACING_COLLECTOR;PROXY_TRACING_COLLECTOR - defaultValue: "" - type: string - description: The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. - Only used if the tracing endpoint is unset. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -PROXY_TRACING_ENABLED: - name: OC_TRACING_ENABLED;PROXY_TRACING_ENABLED - defaultValue: "false" - type: bool - description: Activates tracing. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -PROXY_TRACING_ENDPOINT: - name: OC_TRACING_ENDPOINT;PROXY_TRACING_ENDPOINT - defaultValue: "" - type: string - description: The endpoint of the tracing agent. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -PROXY_TRACING_TYPE: - name: OC_TRACING_TYPE;PROXY_TRACING_TYPE - defaultValue: "" - type: string - description: The type of tracing. Defaults to '', which is the same as 'jaeger'. - Allowed tracing types are 'jaeger' and '' as of now. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -PROXY_TRANSPORT_TLS_CERT: - name: PROXY_TRANSPORT_TLS_CERT - defaultValue: /var/lib/opencloud/proxy/server.crt - type: string - description: Path/File name of the TLS server certificate (in PEM format) for the - external http services. If not defined, the root directory derives from $OC_BASE_DATA_PATH/proxy. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -PROXY_TRANSPORT_TLS_KEY: - name: PROXY_TRANSPORT_TLS_KEY - defaultValue: /var/lib/opencloud/proxy/server.key - type: string - description: Path/File name for the TLS certificate key (in PEM format) for the - server certificate to use for the external http services. If not defined, the - root directory derives from $OC_BASE_DATA_PATH/proxy. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -PROXY_USER_CS3_CLAIM: - name: PROXY_USER_CS3_CLAIM - defaultValue: username - type: string - description: The name of a CS3 user attribute (claim) that should be mapped to the - 'user_oidc_claim'. Supported values are 'username', 'mail' and 'userid'. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -PROXY_USER_OIDC_CLAIM: - name: PROXY_USER_OIDC_CLAIM - defaultValue: preferred_username - type: string - description: The name of an OpenID Connect claim that is used for resolving users - with the account backend. The value of the claim must hold a per user unique, - stable and non re-assignable identifier. The availability of claims depends on - your Identity Provider. There are common claims available for most Identity providers - like 'email' or 'preferred_username' but you can also add your own claim. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SEARCH_CONTENT_EXTRACTION_SIZE_LIMIT: - name: SEARCH_CONTENT_EXTRACTION_SIZE_LIMIT - defaultValue: "20971520" - type: uint64 - description: Maximum file size in bytes that is allowed for content extraction. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SEARCH_DEBUG_ADDR: - name: SEARCH_DEBUG_ADDR - defaultValue: 127.0.0.1:9224 - type: string - description: Bind address of the debug server, where metrics, health, config and - debug endpoints will be exposed. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SEARCH_DEBUG_PPROF: - name: SEARCH_DEBUG_PPROF - defaultValue: "false" - type: bool - description: Enables pprof, which can be used for profiling. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SEARCH_DEBUG_TOKEN: - name: SEARCH_DEBUG_TOKEN - defaultValue: "" - type: string - description: Token to secure the metrics endpoint. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SEARCH_DEBUG_ZPAGES: - name: SEARCH_DEBUG_ZPAGES - defaultValue: "false" - type: bool - description: Enables zpages, which can be used for collecting and viewing in-memory - traces. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SEARCH_ENGINE_BLEVE_DATA_PATH: - name: SEARCH_ENGINE_BLEVE_DATA_PATH - defaultValue: /var/lib/opencloud/search - type: string - description: The directory where the filesystem will store search data. If not defined, - the root directory derives from $OC_BASE_DATA_PATH/search. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SEARCH_ENGINE_TYPE: - name: SEARCH_ENGINE_TYPE - defaultValue: bleve - type: string - description: 'Defines which search engine to use. 
Defaults to ''bleve''. Supported - values are: ''bleve''.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SEARCH_EVENTS_ASYNC_UPLOADS: - name: OC_ASYNC_UPLOADS;SEARCH_EVENTS_ASYNC_UPLOADS - defaultValue: "true" - type: bool - description: Enable asynchronous file uploads. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SEARCH_EVENTS_AUTH_PASSWORD: - name: OC_EVENTS_AUTH_PASSWORD;SEARCH_EVENTS_AUTH_PASSWORD - defaultValue: "" - type: string - description: The password to authenticate with the events broker. The events broker - is the OpenCloud service which receives and delivers events between the services. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SEARCH_EVENTS_AUTH_USERNAME: - name: OC_EVENTS_AUTH_USERNAME;SEARCH_EVENTS_AUTH_USERNAME - defaultValue: "" - type: string - description: The username to authenticate with the events broker. The events broker - is the OpenCloud service which receives and delivers events between the services. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SEARCH_EVENTS_CLUSTER: - name: OC_EVENTS_CLUSTER;SEARCH_EVENTS_CLUSTER - defaultValue: opencloud-cluster - type: string - description: The clusterID of the event system. The event system is the message - queuing service. It is used as message broker for the microservice architecture. - Mandatory when using NATS as event system. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SEARCH_EVENTS_ENABLE_TLS: - name: OC_EVENTS_ENABLE_TLS;SEARCH_EVENTS_ENABLE_TLS - defaultValue: "false" - type: bool - description: Enable TLS for the connection to the events broker. The events broker - is the OpenCloud service which receives and delivers events between the services. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SEARCH_EVENTS_ENDPOINT: - name: OC_EVENTS_ENDPOINT;SEARCH_EVENTS_ENDPOINT - defaultValue: 127.0.0.1:9233 - type: string - description: The address of the event system. The event system is the message queuing - service. It is used as message broker for the microservice architecture. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SEARCH_EVENTS_NUM_CONSUMERS: - name: SEARCH_EVENTS_NUM_CONSUMERS - defaultValue: "0" - type: int - description: The amount of concurrent event consumers to start. Event consumers - are used for searching files. Multiple consumers increase parallelisation, but - will also increase CPU and memory demands. The default value is 0. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SEARCH_EVENTS_REINDEX_DEBOUNCE_DURATION: - name: SEARCH_EVENTS_REINDEX_DEBOUNCE_DURATION - defaultValue: "1000" - type: int - description: The duration in milliseconds the reindex debouncer waits before triggering - a reindex of a space that was modified. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SEARCH_EVENTS_TLS_INSECURE: - name: OC_INSECURE;SEARCH_EVENTS_TLS_INSECURE - defaultValue: "false" - type: bool - description: Whether to verify the server TLS certificates. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SEARCH_EVENTS_TLS_ROOT_CA_CERTIFICATE: - name: OC_EVENTS_TLS_ROOT_CA_CERTIFICATE;SEARCH_EVENTS_TLS_ROOT_CA_CERTIFICATE - defaultValue: "" - type: string - description: The root CA certificate used to validate the server's TLS certificate. - If provided SEARCH_EVENTS_TLS_INSECURE will be seen as false. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SEARCH_EXTRACTOR_CS3SOURCE_INSECURE: - name: OC_INSECURE;SEARCH_EXTRACTOR_CS3SOURCE_INSECURE - defaultValue: "false" - type: bool - description: Ignore untrusted SSL certificates when connecting to the CS3 source. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SEARCH_EXTRACTOR_TIKA_CLEAN_STOP_WORDS: - name: SEARCH_EXTRACTOR_TIKA_CLEAN_STOP_WORDS - defaultValue: "true" - type: bool - description: Defines if stop words should be cleaned or not. See the documentation - for more details. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SEARCH_EXTRACTOR_TIKA_TIKA_URL: - name: SEARCH_EXTRACTOR_TIKA_TIKA_URL - defaultValue: http://127.0.0.1:9998 - type: string - description: URL of the tika server. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SEARCH_EXTRACTOR_TYPE: - name: SEARCH_EXTRACTOR_TYPE - defaultValue: basic - type: string - description: 'Defines the content extraction engine. Defaults to ''basic''. Supported - values are: ''basic'' and ''tika''.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SEARCH_GRPC_ADDR: - name: SEARCH_GRPC_ADDR - defaultValue: 127.0.0.1:9220 - type: string - description: The bind address of the GRPC service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SEARCH_JWT_SECRET: - name: OC_JWT_SECRET;SEARCH_JWT_SECRET - defaultValue: "" - type: string - description: The secret to mint and validate jwt tokens. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SEARCH_LOG_COLOR: - name: OC_LOG_COLOR;SEARCH_LOG_COLOR - defaultValue: "false" - type: bool - description: Activates colorized log output. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SEARCH_LOG_FILE: - name: OC_LOG_FILE;SEARCH_LOG_FILE - defaultValue: "" - type: string - description: The path to the log file. Activates logging to this file if set. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SEARCH_LOG_LEVEL: - name: OC_LOG_LEVEL;SEARCH_LOG_LEVEL - defaultValue: "" - type: string - description: 'The log level. Valid values are: ''panic'', ''fatal'', ''error'', - ''warn'', ''info'', ''debug'', ''trace''.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SEARCH_LOG_PRETTY: - name: OC_LOG_PRETTY;SEARCH_LOG_PRETTY - defaultValue: "false" - type: bool - description: Activates pretty log output. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SEARCH_SERVICE_ACCOUNT_ID: - name: OC_SERVICE_ACCOUNT_ID;SEARCH_SERVICE_ACCOUNT_ID - defaultValue: "" - type: string - description: The ID of the service account the service should use. See the 'auth-service' - service description for more details. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SEARCH_SERVICE_ACCOUNT_SECRET: - name: OC_SERVICE_ACCOUNT_SECRET;SEARCH_SERVICE_ACCOUNT_SECRET - defaultValue: "" - type: string - description: The service account secret. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SEARCH_TRACING_COLLECTOR: - name: OC_TRACING_COLLECTOR;SEARCH_TRACING_COLLECTOR - defaultValue: "" - type: string - description: The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. - Only used if the tracing endpoint is unset. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SEARCH_TRACING_ENABLED: - name: OC_TRACING_ENABLED;SEARCH_TRACING_ENABLED - defaultValue: "false" - type: bool - description: Activates tracing. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SEARCH_TRACING_ENDPOINT: - name: OC_TRACING_ENDPOINT;SEARCH_TRACING_ENDPOINT - defaultValue: "" - type: string - description: The endpoint of the tracing agent. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SEARCH_TRACING_TYPE: - name: OC_TRACING_TYPE;SEARCH_TRACING_TYPE - defaultValue: "" - type: string - description: The type of tracing. Defaults to '', which is the same as 'jaeger'. - Allowed tracing types are 'jaeger' and '' as of now. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SETTINGS_ADMIN_USER_ID: - name: OC_ADMIN_USER_ID;SETTINGS_ADMIN_USER_ID - defaultValue: "" - type: string - description: ID of the user that should receive admin privileges. Consider that - the UUID can be encoded in some LDAP deployment configurations like in .ldif files. - These need to be decoded beforehand. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SETTINGS_BUNDLES_PATH: - name: SETTINGS_BUNDLES_PATH - defaultValue: "" - type: string - description: The path to a JSON file with a list of bundles. If not defined, the - default bundles will be loaded. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SETTINGS_CACHE_AUTH_PASSWORD: - name: OC_CACHE_AUTH_PASSWORD;SETTINGS_CACHE_AUTH_PASSWORD - defaultValue: "" - type: string - description: The password to authenticate with the cache. Only applies when store - type 'nats-js-kv' is configured. 
- introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SETTINGS_CACHE_AUTH_USERNAME: - name: OC_CACHE_AUTH_USERNAME;SETTINGS_CACHE_AUTH_USERNAME - defaultValue: "" - type: string - description: The username to authenticate with the cache. Only applies when store - type 'nats-js-kv' is configured. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SETTINGS_CACHE_DISABLE_PERSISTENCE: - name: OC_CACHE_DISABLE_PERSISTENCE;SETTINGS_CACHE_DISABLE_PERSISTENCE - defaultValue: "false" - type: bool - description: Disables persistence of the cache. Only applies when store type 'nats-js-kv' - is configured. Defaults to false. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SETTINGS_CACHE_STORE: - name: OC_CACHE_STORE;SETTINGS_CACHE_STORE - defaultValue: memory - type: string - description: 'The type of the cache store. Supported values are: ''memory'', ''redis-sentinel'', - ''nats-js-kv'', ''noop''. See the text description for details.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SETTINGS_CACHE_STORE_NODES: - name: OC_CACHE_STORE_NODES;SETTINGS_CACHE_STORE_NODES - defaultValue: '[127.0.0.1:9233]' - type: '[]string' - description: A list of nodes to access the configured store. This has no effect - when 'memory' store is configured. Note that the behaviour how nodes are used - is dependent on the library of the configured store. See the Environment Variable - Types description for more details. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SETTINGS_CACHE_TTL: - name: OC_CACHE_TTL;SETTINGS_CACHE_TTL - defaultValue: 10m0s - type: Duration - description: Default time to live for entries in the cache. Only applied when access - tokens has no expiration. See the Environment Variable Types description for more - details. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SETTINGS_CORS_ALLOW_CREDENTIALS: - name: OC_CORS_ALLOW_CREDENTIALS;SETTINGS_CORS_ALLOW_CREDENTIALS - defaultValue: "true" - type: bool - description: 'Allow credentials for CORS.See following chapter for more details: - *Access-Control-Allow-Credentials* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SETTINGS_CORS_ALLOW_HEADERS: - name: OC_CORS_ALLOW_HEADERS;SETTINGS_CORS_ALLOW_HEADERS - defaultValue: '[Authorization Origin Content-Type Accept X-Requested-With X-Request-Id]' - type: '[]string' - description: 'A list of allowed CORS headers. See following chapter for more details: - *Access-Control-Request-Headers* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. - See the Environment Variable Types description for more details.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SETTINGS_CORS_ALLOW_METHODS: - name: OC_CORS_ALLOW_METHODS;SETTINGS_CORS_ALLOW_METHODS - defaultValue: '[GET POST PUT PATCH DELETE OPTIONS]' - type: '[]string' - description: 'A list of allowed CORS methods. See following chapter for more details: - *Access-Control-Request-Method* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. - See the Environment Variable Types description for more details.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SETTINGS_CORS_ALLOW_ORIGINS: - name: OC_CORS_ALLOW_ORIGINS;SETTINGS_CORS_ALLOW_ORIGINS - defaultValue: '[*]' - type: '[]string' - description: 'A list of allowed CORS origins. 
See following chapter for more details: - *Access-Control-Allow-Origin* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. - See the Environment Variable Types description for more details.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SETTINGS_DEBUG_ADDR: - name: SETTINGS_DEBUG_ADDR - defaultValue: 127.0.0.1:9194 - type: string - description: Bind address of the debug server, where metrics, health, config and - debug endpoints will be exposed. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SETTINGS_DEBUG_PPROF: - name: SETTINGS_DEBUG_PPROF - defaultValue: "false" - type: bool - description: Enables pprof, which can be used for profiling. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SETTINGS_DEBUG_TOKEN: - name: SETTINGS_DEBUG_TOKEN - defaultValue: "" - type: string - description: Token to secure the metrics endpoint. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SETTINGS_DEBUG_ZPAGES: - name: SETTINGS_DEBUG_ZPAGES - defaultValue: "false" - type: bool - description: Enables zpages, which can be used for collecting and viewing in-memory - traces. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SETTINGS_DIRECTORY_CACHE_TABLE: - name: SETTINGS_DIRECTORY_CACHE_TABLE - defaultValue: settings_dirs - type: string - description: The database table the store should use for the directory cache. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SETTINGS_FILE_CACHE_TABLE: - name: SETTINGS_FILE_CACHE_TABLE - defaultValue: settings_files - type: string - description: The database table the store should use for the file cache. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SETTINGS_GRPC_ADDR: - name: SETTINGS_GRPC_ADDR - defaultValue: 127.0.0.1:9191 - type: string - description: The bind address of the GRPC service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SETTINGS_HTTP_ADDR: - name: SETTINGS_HTTP_ADDR - defaultValue: 127.0.0.1:9190 - type: string - description: The bind address of the HTTP service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SETTINGS_HTTP_ROOT: - name: SETTINGS_HTTP_ROOT - defaultValue: / - type: string - description: Subdirectory that serves as the root for this HTTP service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SETTINGS_JWT_SECRET: - name: OC_JWT_SECRET;SETTINGS_JWT_SECRET - defaultValue: "" - type: string - description: The secret to mint and validate jwt tokens. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SETTINGS_LOG_COLOR: - name: OC_LOG_COLOR;SETTINGS_LOG_COLOR - defaultValue: "false" - type: bool - description: Activates colorized log output. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SETTINGS_LOG_FILE: - name: OC_LOG_FILE;SETTINGS_LOG_FILE - defaultValue: "" - type: string - description: The path to the log file. Activates logging to this file if set. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SETTINGS_LOG_LEVEL: - name: OC_LOG_LEVEL;SETTINGS_LOG_LEVEL - defaultValue: "" - type: string - description: 'The log level. Valid values are: ''panic'', ''fatal'', ''error'', - ''warn'', ''info'', ''debug'', ''trace''.' 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SETTINGS_LOG_PRETTY: - name: OC_LOG_PRETTY;SETTINGS_LOG_PRETTY - defaultValue: "false" - type: bool - description: Activates pretty log output. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SETTINGS_SERVICE_ACCOUNT_IDS: - name: SETTINGS_SERVICE_ACCOUNT_IDS;OC_SERVICE_ACCOUNT_ID - defaultValue: '[service-user-id]' - type: '[]string' - description: 'The list of all service account IDs. These will be assigned the hidden - ''service-account'' role. Note: When using ''OC_SERVICE_ACCOUNT_ID'' this will - contain only one value while ''SETTINGS_SERVICE_ACCOUNT_IDS'' can have multiple. - See the ''auth-service'' service description for more details about service accounts.' - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SETTINGS_SETUP_DEFAULT_ASSIGNMENTS: - name: SETTINGS_SETUP_DEFAULT_ASSIGNMENTS;IDM_CREATE_DEMO_USERS - defaultValue: "false" - type: bool - description: The default role assignments the demo users should be setup. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SETTINGS_STORAGE_GATEWAY_GRPC_ADDR: - name: SETTINGS_STORAGE_GATEWAY_GRPC_ADDR;STORAGE_GATEWAY_GRPC_ADDR - defaultValue: eu.opencloud.api.storage-system - type: string - description: GRPC address of the STORAGE-SYSTEM service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SETTINGS_STORAGE_GRPC_ADDR: - name: SETTINGS_STORAGE_GRPC_ADDR;STORAGE_GRPC_ADDR - defaultValue: eu.opencloud.api.storage-system - type: string - description: GRPC address of the STORAGE-SYSTEM service. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SETTINGS_SYSTEM_USER_ID: - name: OC_SYSTEM_USER_ID;SETTINGS_SYSTEM_USER_ID - defaultValue: "" - type: string - description: ID of the oCIS STORAGE-SYSTEM system user. Admins need to set the ID - for the STORAGE-SYSTEM system user in this config option which is then used to - reference the user. Any reasonable long string is possible, preferably this would - be an UUIDv4 format. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SETTINGS_SYSTEM_USER_IDP: - name: OC_SYSTEM_USER_IDP;SETTINGS_SYSTEM_USER_IDP - defaultValue: internal - type: string - description: IDP of the oCIS STORAGE-SYSTEM system user. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SETTINGS_TRACING_COLLECTOR: - name: OC_TRACING_COLLECTOR;SETTINGS_TRACING_COLLECTOR - defaultValue: "" - type: string - description: The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. - Only used if the tracing endpoint is unset. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SETTINGS_TRACING_ENABLED: - name: OC_TRACING_ENABLED;SETTINGS_TRACING_ENABLED - defaultValue: "false" - type: bool - description: Activates tracing. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SETTINGS_TRACING_ENDPOINT: - name: OC_TRACING_ENDPOINT;SETTINGS_TRACING_ENDPOINT - defaultValue: "" - type: string - description: The endpoint of the tracing agent. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SETTINGS_TRACING_TYPE: - name: OC_TRACING_TYPE;SETTINGS_TRACING_TYPE - defaultValue: "" - type: string - description: The type of tracing. Defaults to '', which is the same as 'jaeger'. - Allowed tracing types are 'jaeger' and '' as of now. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SETTINGS_TRANSLATION_PATH: - name: OC_TRANSLATION_PATH;SETTINGS_TRANSLATION_PATH - defaultValue: "" - type: string - description: (optional) Set this to a path with custom translations to overwrite - the builtin translations. Note that file and folder naming rules apply, see the - documentation for more details. - introductionVersion: "7.1" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SHARING_DEBUG_ADDR: - name: SHARING_DEBUG_ADDR - defaultValue: 127.0.0.1:9151 - type: string - description: Bind address of the debug server, where metrics, health, config and - debug endpoints will be exposed. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SHARING_DEBUG_PPROF: - name: SHARING_DEBUG_PPROF - defaultValue: "false" - type: bool - description: Enables pprof, which can be used for profiling. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SHARING_DEBUG_TOKEN: - name: SHARING_DEBUG_TOKEN - defaultValue: "" - type: string - description: Token to secure the metrics endpoint. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SHARING_DEBUG_ZPAGES: - name: SHARING_DEBUG_ZPAGES - defaultValue: "false" - type: bool - description: Enables zpages, which can be used for collecting and viewing in-memory - traces. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SHARING_EVENTS_AUTH_PASSWORD: - name: OC_EVENTS_AUTH_PASSWORD;SHARING_EVENTS_AUTH_PASSWORD - defaultValue: "" - type: string - description: Password for the events broker. 
- introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SHARING_EVENTS_AUTH_USERNAME: - name: OC_EVENTS_AUTH_USERNAME;SHARING_EVENTS_AUTH_USERNAME - defaultValue: "" - type: string - description: Username for the events broker. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SHARING_EVENTS_CLUSTER: - name: OC_EVENTS_CLUSTER;SHARING_EVENTS_CLUSTER - defaultValue: opencloud-cluster - type: string - description: The clusterID of the event system. The event system is the message - queuing service. It is used as message broker for the microservice architecture. - Mandatory when using NATS as event system. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SHARING_EVENTS_ENABLE_TLS: - name: OC_EVENTS_ENABLE_TLS;SHARING_EVENTS_ENABLE_TLS - defaultValue: "false" - type: bool - description: Enable TLS for the connection to the events broker. The events broker - is the OpenCloud service which receives and delivers events between the services. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SHARING_EVENTS_ENDPOINT: - name: OC_EVENTS_ENDPOINT;SHARING_EVENTS_ENDPOINT - defaultValue: 127.0.0.1:9233 - type: string - description: The address of the event system. The event system is the message queuing - service. It is used as message broker for the microservice architecture. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SHARING_EVENTS_TLS_INSECURE: - name: OC_INSECURE;SHARING_EVENTS_TLS_INSECURE - defaultValue: "false" - type: bool - description: Whether to verify the server TLS certificates. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SHARING_EVENTS_TLS_ROOT_CA_CERTIFICATE: - name: OC_EVENTS_TLS_ROOT_CA_CERTIFICATE;SHARING_EVENTS_TLS_ROOT_CA_CERTIFICATE - defaultValue: "" - type: string - description: The root CA certificate used to validate the server's TLS certificate. - If provided SHARING_EVENTS_TLS_INSECURE will be seen as false. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SHARING_GRPC_ADDR: - name: SHARING_GRPC_ADDR - defaultValue: 127.0.0.1:9150 - type: string - description: The bind address of the GRPC service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SHARING_GRPC_PROTOCOL: - name: OC_GRPC_PROTOCOL;SHARING_GRPC_PROTOCOL - defaultValue: tcp - type: string - description: The transport protocol of the GRPC service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SHARING_JWT_SECRET: - name: OC_JWT_SECRET;SHARING_JWT_SECRET - defaultValue: "" - type: string - description: The secret to mint and validate jwt tokens. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SHARING_LOG_COLOR: - name: OC_LOG_COLOR;SHARING_LOG_COLOR - defaultValue: "false" - type: bool - description: Activates colorized log output. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SHARING_LOG_FILE: - name: OC_LOG_FILE;SHARING_LOG_FILE - defaultValue: "" - type: string - description: The path to the log file. Activates logging to this file if set. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SHARING_LOG_LEVEL: - name: OC_LOG_LEVEL;SHARING_LOG_LEVEL - defaultValue: "" - type: string - description: 'The log level. Valid values are: ''panic'', ''fatal'', ''error'', - ''warn'', ''info'', ''debug'', ''trace''.' 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SHARING_LOG_PRETTY: - name: OC_LOG_PRETTY;SHARING_LOG_PRETTY - defaultValue: "false" - type: bool - description: Activates pretty log output. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SHARING_OCM_PROVIDER_AUTHORIZER_DRIVER: - name: SHARING_OCM_PROVIDER_AUTHORIZER_DRIVER - defaultValue: json - type: string - description: Driver to be used to persist ocm invites. Supported value is only 'json'. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SHARING_PASSWORD_POLICY_BANNED_PASSWORDS_LIST: - name: OC_PASSWORD_POLICY_BANNED_PASSWORDS_LIST;SHARING_PASSWORD_POLICY_BANNED_PASSWORDS_LIST - defaultValue: "" - type: string - description: Path to the 'banned passwords list' file. This only impacts public - link password validation. See the documentation for more details. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SHARING_PASSWORD_POLICY_DISABLED: - name: OC_PASSWORD_POLICY_DISABLED;SHARING_PASSWORD_POLICY_DISABLED - defaultValue: "false" - type: bool - description: Disable the password policy. Defaults to false if not set. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SHARING_PASSWORD_POLICY_MIN_CHARACTERS: - name: OC_PASSWORD_POLICY_MIN_CHARACTERS;SHARING_PASSWORD_POLICY_MIN_CHARACTERS - defaultValue: "8" - type: int - description: Define the minimum password length. Defaults to 8 if not set. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SHARING_PASSWORD_POLICY_MIN_DIGITS: - name: OC_PASSWORD_POLICY_MIN_DIGITS;SHARING_PASSWORD_POLICY_MIN_DIGITS - defaultValue: "1" - type: int - description: Define the minimum number of digits. Defaults to 1 if not set. 
- introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SHARING_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS: - name: OC_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS;SHARING_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS - defaultValue: "1" - type: int - description: Define the minimum number of uppercase letters. Defaults to 1 if not - set. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SHARING_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS: - name: OC_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS;SHARING_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS - defaultValue: "1" - type: int - description: Define the minimum number of characters from the special characters - list to be present. Defaults to 1 if not set. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SHARING_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS: - name: OC_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS;SHARING_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS - defaultValue: "1" - type: int - description: Define the minimum number of lowercase letters. Defaults to 1 if not - set. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SHARING_PUBLIC_CS3_PROVIDER_ADDR: - name: SHARING_PUBLIC_CS3_PROVIDER_ADDR - defaultValue: eu.opencloud.api.storage-system - type: string - description: GRPC address of the STORAGE-SYSTEM service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SHARING_PUBLIC_CS3_SYSTEM_USER_API_KEY: - name: OC_SYSTEM_USER_API_KEY;SHARING_PUBLIC_CS3_SYSTEM_USER_API_KEY - defaultValue: "" - type: string - description: API key for the STORAGE-SYSTEM system user. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SHARING_PUBLIC_CS3_SYSTEM_USER_ID: - name: OC_SYSTEM_USER_ID;SHARING_PUBLIC_CS3_SYSTEM_USER_ID - defaultValue: "" - type: string - description: ID of the oCIS STORAGE-SYSTEM system user. Admins need to set the ID - for the STORAGE-SYSTEM system user in this config option which is then used to - reference the user. Any reasonable long string is possible, preferably this would - be an UUIDv4 format. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SHARING_PUBLIC_CS3_SYSTEM_USER_IDP: - name: OC_SYSTEM_USER_IDP;SHARING_PUBLIC_CS3_SYSTEM_USER_IDP - defaultValue: internal - type: string - description: IDP of the oCIS STORAGE-SYSTEM system user. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SHARING_PUBLIC_DRIVER: - name: SHARING_PUBLIC_DRIVER - defaultValue: jsoncs3 - type: string - description: Driver to be used to persist public shares. Supported values are 'jsoncs3', - 'json' and 'cs3' (deprecated). - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SHARING_PUBLIC_JSON_FILE: - name: SHARING_PUBLIC_JSON_FILE - defaultValue: /var/lib/opencloud/storage/publicshares.json - type: string - description: Path to the JSON file where public share meta-data will be stored. - This JSON file contains the information about public shares that have been created. - If not defined, the root directory derives from $OC_BASE_DATA_PATH/storage. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SHARING_PUBLIC_JSONCS3_PROVIDER_ADDR: - name: SHARING_PUBLIC_JSONCS3_PROVIDER_ADDR - defaultValue: eu.opencloud.api.storage-system - type: string - description: GRPC address of the STORAGE-SYSTEM service. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SHARING_PUBLIC_JSONCS3_SYSTEM_USER_API_KEY: - name: OC_SYSTEM_USER_API_KEY;SHARING_PUBLIC_JSONCS3_SYSTEM_USER_API_KEY - defaultValue: "" - type: string - description: API key for the STORAGE-SYSTEM system user. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SHARING_PUBLIC_JSONCS3_SYSTEM_USER_ID: - name: OC_SYSTEM_USER_ID;SHARING_PUBLIC_JSONCS3_SYSTEM_USER_ID - defaultValue: "" - type: string - description: ID of the oCIS STORAGE-SYSTEM system user. Admins need to set the ID - for the STORAGE-SYSTEM system user in this config option which is then used to - reference the user. Any reasonable long string is possible, preferably this would - be an UUIDv4 format. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SHARING_PUBLIC_JSONCS3_SYSTEM_USER_IDP: - name: OC_SYSTEM_USER_IDP;SHARING_PUBLIC_JSONCS3_SYSTEM_USER_IDP - defaultValue: internal - type: string - description: IDP of the oCIS STORAGE-SYSTEM system user. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD: - name: OC_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD;SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD - defaultValue: "true" - type: bool - description: Set this to true if you want to enforce passwords on all public shares. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD: - name: OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD;SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD - defaultValue: "false" - type: bool - description: Set this to true if you want to enforce passwords on Uploader, Editor - or Contributor shares. 
If not using the global OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD, - you must define the FRONTEND_OCS_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD (deprecated) - in the frontend service. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SHARING_SKIP_USER_GROUPS_IN_TOKEN: - name: SHARING_SKIP_USER_GROUPS_IN_TOKEN - defaultValue: "false" - type: bool - description: Disables the loading of user's group memberships from the reva access - token. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SHARING_TRACING_COLLECTOR: - name: OC_TRACING_COLLECTOR;SHARING_TRACING_COLLECTOR - defaultValue: "" - type: string - description: The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. - Only used if the tracing endpoint is unset. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SHARING_TRACING_ENABLED: - name: OC_TRACING_ENABLED;SHARING_TRACING_ENABLED - defaultValue: "false" - type: bool - description: Activates tracing. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SHARING_TRACING_ENDPOINT: - name: OC_TRACING_ENDPOINT;SHARING_TRACING_ENDPOINT - defaultValue: "" - type: string - description: The endpoint of the tracing agent. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SHARING_TRACING_TYPE: - name: OC_TRACING_TYPE;SHARING_TRACING_TYPE - defaultValue: "" - type: string - description: The type of tracing. Defaults to '', which is the same as 'jaeger'. - Allowed tracing types are 'jaeger' and '' as of now. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SHARING_USER_CS3_PROVIDER_ADDR: - name: SHARING_USER_CS3_PROVIDER_ADDR - defaultValue: eu.opencloud.api.storage-system - type: string - description: GRPC address of the STORAGE-SYSTEM service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SHARING_USER_CS3_SYSTEM_USER_API_KEY: - name: OC_SYSTEM_USER_API_KEY;SHARING_USER_CS3_SYSTEM_USER_API_KEY - defaultValue: "" - type: string - description: API key for the STORAGE-SYSTEM system user. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SHARING_USER_CS3_SYSTEM_USER_ID: - name: OC_SYSTEM_USER_ID;SHARING_USER_CS3_SYSTEM_USER_ID - defaultValue: "" - type: string - description: ID of the oCIS STORAGE-SYSTEM system user. Admins need to set the ID - for the STORAGE-SYSTEM system user in this config option which is then used to - reference the user. Any reasonable long string is possible, preferably this would - be an UUIDv4 format. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SHARING_USER_CS3_SYSTEM_USER_IDP: - name: OC_SYSTEM_USER_IDP;SHARING_USER_CS3_SYSTEM_USER_IDP - defaultValue: internal - type: string - description: IDP of the oCIS STORAGE-SYSTEM system user. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SHARING_USER_DRIVER: - name: SHARING_USER_DRIVER - defaultValue: jsoncs3 - type: string - description: Driver to be used to persist shares. Supported values are 'jsoncs3', - 'json', 'cs3' (deprecated) and 'owncloudsql'. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SHARING_USER_JSON_FILE: - name: SHARING_USER_JSON_FILE - defaultValue: /var/lib/opencloud/storage/shares.json - type: string - description: Path to the JSON file where shares will be persisted. 
If not defined, - the root directory derives from $OC_BASE_DATA_PATH/storage. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SHARING_USER_JSONCS3_CACHE_TTL: - name: SHARING_USER_JSONCS3_CACHE_TTL - defaultValue: "0" - type: int - description: TTL for the internal caches in seconds. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SHARING_USER_JSONCS3_MAX_CONCURRENCY: - name: OC_MAX_CONCURRENCY;SHARING_USER_JSONCS3_MAX_CONCURRENCY - defaultValue: "1" - type: int - description: Maximum number of concurrent go-routines. Higher values can potentially - get work done faster but will also cause more load on the system. Values of 0 - or below will be ignored and the default value will be used. - introductionVersion: 7.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SHARING_USER_JSONCS3_PROVIDER_ADDR: - name: SHARING_USER_JSONCS3_PROVIDER_ADDR - defaultValue: eu.opencloud.api.storage-system - type: string - description: GRPC address of the STORAGE-SYSTEM service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SHARING_USER_JSONCS3_SYSTEM_USER_API_KEY: - name: OC_SYSTEM_USER_API_KEY;SHARING_USER_JSONCS3_SYSTEM_USER_API_KEY - defaultValue: "" - type: string - description: API key for the STORAGE-SYSTEM system user. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SHARING_USER_JSONCS3_SYSTEM_USER_ID: - name: OC_SYSTEM_USER_ID;SHARING_USER_JSONCS3_SYSTEM_USER_ID - defaultValue: "" - type: string - description: ID of the oCIS STORAGE-SYSTEM system user. Admins need to set the ID - for the STORAGE-SYSTEM system user in this config option which is then used to - reference the user. Any reasonable long string is possible, preferably this would - be an UUIDv4 format. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SHARING_USER_JSONCS3_SYSTEM_USER_IDP: - name: OC_SYSTEM_USER_IDP;SHARING_USER_JSONCS3_SYSTEM_USER_IDP - defaultValue: internal - type: string - description: IDP of the oCIS STORAGE-SYSTEM system user. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SHARING_USER_OWNCLOUDSQL_DB_HOST: - name: SHARING_USER_OWNCLOUDSQL_DB_HOST - defaultValue: mysql - type: string - description: Hostname or IP of the database server. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SHARING_USER_OWNCLOUDSQL_DB_NAME: - name: SHARING_USER_OWNCLOUDSQL_DB_NAME - defaultValue: owncloud - type: string - description: Name of the database to be used. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SHARING_USER_OWNCLOUDSQL_DB_PASSWORD: - name: SHARING_USER_OWNCLOUDSQL_DB_PASSWORD - defaultValue: "" - type: string - description: Password for the database. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SHARING_USER_OWNCLOUDSQL_DB_PORT: - name: SHARING_USER_OWNCLOUDSQL_DB_PORT - defaultValue: "3306" - type: int - description: Port that the database server is listening on. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SHARING_USER_OWNCLOUDSQL_DB_USERNAME: - name: SHARING_USER_OWNCLOUDSQL_DB_USERNAME - defaultValue: owncloud - type: string - description: Username for the database. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SHARING_USER_OWNCLOUDSQL_USER_STORAGE_MOUNT_ID: - name: SHARING_USER_OWNCLOUDSQL_USER_STORAGE_MOUNT_ID - defaultValue: "" - type: string - description: Mount ID of the ownCloudSQL users storage for mapping ownCloud 10 shares. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SSE_CORS_ALLOW_CREDENTIALS: - name: OC_CORS_ALLOW_CREDENTIALS;SSE_CORS_ALLOW_CREDENTIALS - defaultValue: "true" - type: bool - description: 'Allow credentials for CORS.See following chapter for more details: - *Access-Control-Allow-Credentials* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.' - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SSE_CORS_ALLOW_HEADERS: - name: OC_CORS_ALLOW_HEADERS;SSE_CORS_ALLOW_HEADERS - defaultValue: '[Authorization Origin Content-Type Accept X-Requested-With X-Request-Id - Ocs-Apirequest]' - type: '[]string' - description: 'A list of allowed CORS headers. See following chapter for more details: - *Access-Control-Request-Headers* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. - See the Environment Variable Types description for more details.' - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SSE_CORS_ALLOW_METHODS: - name: OC_CORS_ALLOW_METHODS;SSE_CORS_ALLOW_METHODS - defaultValue: '[GET]' - type: '[]string' - description: 'A list of allowed CORS methods. See following chapter for more details: - *Access-Control-Request-Method* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. - See the Environment Variable Types description for more details.' - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SSE_CORS_ALLOW_ORIGINS: - name: OC_CORS_ALLOW_ORIGINS;SSE_CORS_ALLOW_ORIGINS - defaultValue: '[*]' - type: '[]string' - description: 'A list of allowed CORS origins. See following chapter for more details: - *Access-Control-Allow-Origin* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. 
- See the Environment Variable Types description for more details.' - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SSE_DEBUG_ADDR: - name: SSE_DEBUG_ADDR - defaultValue: 127.0.0.1:9139 - type: string - description: Bind address of the debug server, where metrics, health, config and - debug endpoints will be exposed. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SSE_DEBUG_PPROF: - name: SSE_DEBUG_PPROF - defaultValue: "false" - type: bool - description: Enables pprof, which can be used for profiling. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SSE_DEBUG_TOKEN: - name: SSE_DEBUG_TOKEN - defaultValue: "" - type: string - description: Token to secure the metrics endpoint. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SSE_DEBUG_ZPAGES: - name: SSE_DEBUG_ZPAGES - defaultValue: "false" - type: bool - description: Enables zpages, which can be used for collecting and viewing in-memory - traces. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SSE_EVENTS_AUTH_PASSWORD: - name: OC_EVENTS_AUTH_PASSWORD;SSE_EVENTS_AUTH_PASSWORD - defaultValue: "" - type: string - description: The password to authenticate with the events broker. The events broker - is the OpenCloud service which receives and delivers events between the services. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SSE_EVENTS_AUTH_USERNAME: - name: OC_EVENTS_AUTH_USERNAME;SSE_EVENTS_AUTH_USERNAME - defaultValue: "" - type: string - description: The username to authenticate with the events broker. The events broker - is the OpenCloud service which receives and delivers events between the services. 
- introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SSE_EVENTS_CLUSTER: - name: OC_EVENTS_CLUSTER;SSE_EVENTS_CLUSTER - defaultValue: opencloud-cluster - type: string - description: The clusterID of the event system. The event system is the message - queuing service. It is used as message broker for the microservice architecture. - Mandatory when using NATS as event system. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SSE_EVENTS_ENABLE_TLS: - name: OC_EVENTS_ENABLE_TLS;SSE_EVENTS_ENABLE_TLS - defaultValue: "false" - type: bool - description: Enable TLS for the connection to the events broker. The events broker - is the OpenCloud service which receives and delivers events between the services. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SSE_EVENTS_ENDPOINT: - name: OC_EVENTS_ENDPOINT;SSE_EVENTS_ENDPOINT - defaultValue: 127.0.0.1:9233 - type: string - description: The address of the event system. The event system is the message queuing - service. It is used as message broker for the microservice architecture. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SSE_EVENTS_TLS_INSECURE: - name: OC_INSECURE;SSE_EVENTS_TLS_INSECURE - defaultValue: "false" - type: bool - description: Whether to verify the server TLS certificates. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SSE_EVENTS_TLS_ROOT_CA_CERTIFICATE: - name: OC_EVENTS_TLS_ROOT_CA_CERTIFICATE;SSE_EVENTS_TLS_ROOT_CA_CERTIFICATE - defaultValue: "" - type: string - description: The root CA certificate used to validate the server's TLS certificate. - If provided SSE_EVENTS_TLS_INSECURE will be seen as false. 
- introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SSE_HTTP_ADDR: - name: SSE_HTTP_ADDR - defaultValue: 127.0.0.1:9135 - type: string - description: The bind address of the HTTP service. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SSE_HTTP_ROOT: - name: SSE_HTTP_ROOT - defaultValue: / - type: string - description: Subdirectory that serves as the root for this HTTP service. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SSE_JWT_SECRET: - name: OC_JWT_SECRET;SSE_JWT_SECRET - defaultValue: "" - type: string - description: The secret to mint and validate jwt tokens. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SSE_KEEPALIVE_INTERVAL: - name: SSE_KEEPALIVE_INTERVAL - defaultValue: 0s - type: Duration - description: To prevent intermediate proxies from closing the SSE connection, send - periodic SSE comments to keep it open. - introductionVersion: 7.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SSE_LOG_COLOR: - name: OC_LOG_COLOR;SSE_LOG_COLOR - defaultValue: "false" - type: bool - description: Activates colorized log output. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SSE_LOG_FILE: - name: OC_LOG_FILE;SSE_LOG_FILE - defaultValue: "" - type: string - description: The path to the log file. Activates logging to this file if set. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SSE_LOG_LEVEL: - name: OC_LOG_LEVEL;SSE_LOG_LEVEL - defaultValue: "" - type: string - description: 'The log level. Valid values are: ''panic'', ''fatal'', ''error'', - ''warn'', ''info'', ''debug'', ''trace''.' 
- introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SSE_LOG_PRETTY: - name: OC_LOG_PRETTY;SSE_LOG_PRETTY - defaultValue: "false" - type: bool - description: Activates pretty log output. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SSE_TRACING_COLLECTOR: - name: OC_TRACING_COLLECTOR;SSE_TRACING_COLLECTOR - defaultValue: "" - type: string - description: The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. - Only used if the tracing endpoint is unset. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SSE_TRACING_ENABLED: - name: OC_TRACING_ENABLED;SSE_TRACING_ENABLED - defaultValue: "false" - type: bool - description: Activates tracing. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SSE_TRACING_ENDPOINT: - name: OC_TRACING_ENDPOINT;SSE_TRACING_ENDPOINT - defaultValue: "" - type: string - description: The endpoint of the tracing agent. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -SSE_TRACING_TYPE: - name: OC_TRACING_TYPE;SSE_TRACING_TYPE - defaultValue: "" - type: string - description: The type of tracing. Defaults to '', which is the same as 'jaeger'. - Allowed tracing types are 'jaeger' and '' as of now. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_GATEWAY_GRPC_ADDR: - name: SETTINGS_STORAGE_GATEWAY_GRPC_ADDR;STORAGE_GATEWAY_GRPC_ADDR - defaultValue: eu.opencloud.api.storage-system - type: string - description: GRPC address of the STORAGE-SYSTEM service. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_GRPC_ADDR: - name: SETTINGS_STORAGE_GRPC_ADDR;STORAGE_GRPC_ADDR - defaultValue: eu.opencloud.api.storage-system - type: string - description: GRPC address of the STORAGE-SYSTEM service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_PUBLICLINK_DEBUG_ADDR: - name: STORAGE_PUBLICLINK_DEBUG_ADDR - defaultValue: 127.0.0.1:9179 - type: string - description: Bind address of the debug server, where metrics, health, config and - debug endpoints will be exposed. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_PUBLICLINK_DEBUG_PPROF: - name: STORAGE_PUBLICLINK_DEBUG_PPROF - defaultValue: "false" - type: bool - description: Enables pprof, which can be used for profiling. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_PUBLICLINK_DEBUG_TOKEN: - name: STORAGE_PUBLICLINK_DEBUG_TOKEN - defaultValue: "" - type: string - description: Token to secure the metrics endpoint. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_PUBLICLINK_DEBUG_ZPAGES: - name: STORAGE_PUBLICLINK_DEBUG_ZPAGES - defaultValue: "false" - type: bool - description: Enables zpages, which can be used for collecting and viewing in-memory - traces. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_PUBLICLINK_GRPC_ADDR: - name: STORAGE_PUBLICLINK_GRPC_ADDR - defaultValue: 127.0.0.1:9178 - type: string - description: The bind address of the GRPC service. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_PUBLICLINK_GRPC_PROTOCOL: - name: OC_GRPC_PROTOCOL;STORAGE_PUBLICLINK_GRPC_PROTOCOL - defaultValue: tcp - type: string - description: The transport protocol of the GRPC service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_PUBLICLINK_JWT_SECRET: - name: OC_JWT_SECRET;STORAGE_PUBLICLINK_JWT_SECRET - defaultValue: "" - type: string - description: The secret to mint and validate jwt tokens. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_PUBLICLINK_LOG_COLOR: - name: OC_LOG_COLOR;STORAGE_PUBLICLINK_LOG_COLOR - defaultValue: "false" - type: bool - description: Activates colorized log output. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_PUBLICLINK_LOG_FILE: - name: OC_LOG_FILE;STORAGE_PUBLICLINK_LOG_FILE - defaultValue: "" - type: string - description: The path to the log file. Activates logging to this file if set. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_PUBLICLINK_LOG_LEVEL: - name: OC_LOG_LEVEL;STORAGE_PUBLICLINK_LOG_LEVEL - defaultValue: "" - type: string - description: 'The log level. Valid values are: ''panic'', ''fatal'', ''error'', - ''warn'', ''info'', ''debug'', ''trace''.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_PUBLICLINK_LOG_PRETTY: - name: OC_LOG_PRETTY;STORAGE_PUBLICLINK_LOG_PRETTY - defaultValue: "false" - type: bool - description: Activates pretty log output. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_PUBLICLINK_SKIP_USER_GROUPS_IN_TOKEN: - name: STORAGE_PUBLICLINK_SKIP_USER_GROUPS_IN_TOKEN - defaultValue: "false" - type: bool - description: Disables the loading of user's group memberships from the reva access - token. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_PUBLICLINK_STORAGE_PROVIDER_MOUNT_ID: - name: STORAGE_PUBLICLINK_STORAGE_PROVIDER_MOUNT_ID - defaultValue: 7993447f-687f-490d-875c-ac95e89a62a4 - type: string - description: Mount ID of this storage. Admins can set the ID for the storage in - this config option manually which is then used to reference the storage. Any reasonable - long string is possible, preferably this would be an UUIDv4 format. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_PUBLICLINK_TRACING_COLLECTOR: - name: OC_TRACING_COLLECTOR;STORAGE_PUBLICLINK_TRACING_COLLECTOR - defaultValue: "" - type: string - description: The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. - Only used if the tracing endpoint is unset. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_PUBLICLINK_TRACING_ENABLED: - name: OC_TRACING_ENABLED;STORAGE_PUBLICLINK_TRACING_ENABLED - defaultValue: "false" - type: bool - description: Activates tracing. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_PUBLICLINK_TRACING_ENDPOINT: - name: OC_TRACING_ENDPOINT;STORAGE_PUBLICLINK_TRACING_ENDPOINT - defaultValue: "" - type: string - description: The endpoint of the tracing agent. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_PUBLICLINK_TRACING_TYPE: - name: OC_TRACING_TYPE;STORAGE_PUBLICLINK_TRACING_TYPE - defaultValue: "" - type: string - description: The type of tracing. Defaults to '', which is the same as 'jaeger'. - Allowed tracing types are 'jaeger' and '' as of now. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_SHARES_DEBUG_ADDR: - name: STORAGE_SHARES_DEBUG_ADDR - defaultValue: 127.0.0.1:9156 - type: string - description: Bind address of the debug server, where metrics, health, config and - debug endpoints will be exposed. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_SHARES_DEBUG_PPROF: - name: STORAGE_SHARES_DEBUG_PPROF - defaultValue: "false" - type: bool - description: Enables pprof, which can be used for profiling. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_SHARES_DEBUG_TOKEN: - name: STORAGE_SHARES_DEBUG_TOKEN - defaultValue: "" - type: string - description: Token to secure the metrics endpoint. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_SHARES_DEBUG_ZPAGES: - name: STORAGE_SHARES_DEBUG_ZPAGES - defaultValue: "false" - type: bool - description: Enables zpages, which can be used for collecting and viewing in-memory - traces. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_SHARES_GRPC_ADDR: - name: STORAGE_SHARES_GRPC_ADDR - defaultValue: 127.0.0.1:9154 - type: string - description: The bind address of the GRPC service. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_SHARES_GRPC_PROTOCOL: - name: OC_GRPC_PROTOCOL;STORAGE_SHARES_GRPC_PROTOCOL - defaultValue: tcp - type: string - description: The transport protocol of the GRPC service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_SHARES_JWT_SECRET: - name: OC_JWT_SECRET;STORAGE_SHARES_JWT_SECRET - defaultValue: "" - type: string - description: The secret to mint and validate jwt tokens. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_SHARES_LOG_COLOR: - name: OC_LOG_COLOR;STORAGE_SHARES_LOG_COLOR - defaultValue: "false" - type: bool - description: Activates colorized log output. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_SHARES_LOG_FILE: - name: OC_LOG_FILE;STORAGE_SHARES_LOG_FILE - defaultValue: "" - type: string - description: The path to the log file. Activates logging to this file if set. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_SHARES_LOG_LEVEL: - name: OC_LOG_LEVEL;STORAGE_SHARES_LOG_LEVEL - defaultValue: "" - type: string - description: 'The log level. Valid values are: ''panic'', ''fatal'', ''error'', - ''warn'', ''info'', ''debug'', ''trace''.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_SHARES_LOG_PRETTY: - name: OC_LOG_PRETTY;STORAGE_SHARES_LOG_PRETTY - defaultValue: "false" - type: bool - description: Activates pretty log output. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_SHARES_MOUNT_ID: - name: STORAGE_SHARES_MOUNT_ID - defaultValue: 7639e57c-4433-4a12-8201-722fd0009154 - type: string - description: Mount ID of this storage. 
Admins can set the ID for the storage in - this config option manually which is then used to reference the storage. Any reasonable - long string is possible, preferably this would be an UUIDv4 format. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_SHARES_READ_ONLY: - name: STORAGE_SHARES_READ_ONLY - defaultValue: "false" - type: bool - description: Set this storage to be read-only. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_SHARES_SKIP_USER_GROUPS_IN_TOKEN: - name: STORAGE_SHARES_SKIP_USER_GROUPS_IN_TOKEN - defaultValue: "false" - type: bool - description: Disables the loading of user's group memberships from the reva access - token. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_SHARES_TRACING_COLLECTOR: - name: OC_TRACING_COLLECTOR;STORAGE_SHARES_TRACING_COLLECTOR - defaultValue: "" - type: string - description: The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. - Only used if the tracing endpoint is unset. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_SHARES_TRACING_ENABLED: - name: OC_TRACING_ENABLED;STORAGE_SHARES_TRACING_ENABLED - defaultValue: "false" - type: bool - description: Activates tracing. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_SHARES_TRACING_ENDPOINT: - name: OC_TRACING_ENDPOINT;STORAGE_SHARES_TRACING_ENDPOINT - defaultValue: "" - type: string - description: The endpoint of the tracing agent. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_SHARES_TRACING_TYPE: - name: OC_TRACING_TYPE;STORAGE_SHARES_TRACING_TYPE - defaultValue: "" - type: string - description: The type of tracing. Defaults to '', which is the same as 'jaeger'. 
- Allowed tracing types are 'jaeger' and '' as of now. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_SHARES_USER_SHARE_PROVIDER_ENDPOINT: - name: STORAGE_SHARES_USER_SHARE_PROVIDER_ENDPOINT - defaultValue: eu.opencloud.api.sharing - type: string - description: GRPC endpoint of the SHARING service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_SYSTEM_CACHE_AUTH_PASSWORD: - name: OC_CACHE_AUTH_PASSWORD;STORAGE_SYSTEM_CACHE_AUTH_PASSWORD - defaultValue: "" - type: string - description: Password for the configured store. Only applies when store type 'nats-js-kv' - is configured. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_SYSTEM_CACHE_AUTH_USERNAME: - name: OC_CACHE_AUTH_USERNAME;STORAGE_SYSTEM_CACHE_AUTH_USERNAME - defaultValue: "" - type: string - description: Username for the configured store. Only applies when store type 'nats-js-kv' - is configured. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_SYSTEM_CACHE_DISABLE_PERSISTENCE: - name: OC_CACHE_DISABLE_PERSISTENCE;STORAGE_SYSTEM_CACHE_DISABLE_PERSISTENCE - defaultValue: "false" - type: bool - description: Disables persistence of the cache. Only applies when store type 'nats-js-kv' - is configured. Defaults to false. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_SYSTEM_CACHE_STORE: - name: OC_CACHE_STORE;STORAGE_SYSTEM_CACHE_STORE - defaultValue: memory - type: string - description: 'The type of the cache store. Supported values are: ''memory'', ''redis-sentinel'', - ''nats-js-kv'', ''noop''. See the text description for details.' 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_SYSTEM_CACHE_STORE_NODES: - name: OC_CACHE_STORE_NODES;STORAGE_SYSTEM_CACHE_STORE_NODES - defaultValue: '[127.0.0.1:9233]' - type: '[]string' - description: A list of nodes to access the configured store. This has no effect - when 'memory' store is configured. Note that the behaviour how nodes are used - is dependent on the library of the configured store. See the Environment Variable - Types description for more details. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_SYSTEM_CACHE_TTL: - name: OC_CACHE_TTL;STORAGE_SYSTEM_CACHE_TTL - defaultValue: 24m0s - type: Duration - description: Default time to live for user info in the user info cache. Only applied - when access tokens has no expiration. See the Environment Variable Types description - for more details. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_SYSTEM_DATA_SERVER_URL: - name: STORAGE_SYSTEM_DATA_SERVER_URL - defaultValue: http://localhost:9216/data - type: string - description: URL of the data server, needs to be reachable by other services using - this service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_SYSTEM_DEBUG_ADDR: - name: STORAGE_SYSTEM_DEBUG_ADDR - defaultValue: 127.0.0.1:9217 - type: string - description: Bind address of the debug server, where metrics, health, config and - debug endpoints will be exposed. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_SYSTEM_DEBUG_PPROF: - name: STORAGE_SYSTEM_DEBUG_PPROF - defaultValue: "false" - type: bool - description: Enables pprof, which can be used for profiling - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_SYSTEM_DEBUG_TOKEN: - name: STORAGE_SYSTEM_DEBUG_TOKEN - defaultValue: "" - type: string - description: Token to secure the metrics endpoint - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_SYSTEM_DEBUG_ZPAGES: - name: STORAGE_SYSTEM_DEBUG_ZPAGES - defaultValue: "false" - type: bool - description: Enables zpages, which can be used for collecting and viewing in-memory - traces. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_SYSTEM_DRIVER: - name: STORAGE_SYSTEM_DRIVER - defaultValue: ocis - type: string - description: The driver which should be used by the service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_SYSTEM_GRPC_ADDR: - name: STORAGE_SYSTEM_GRPC_ADDR - defaultValue: 127.0.0.1:9215 - type: string - description: The bind address of the GRPC service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_SYSTEM_GRPC_PROTOCOL: - name: OC_GRPC_PROTOCOL;STORAGE_SYSTEM_GRPC_PROTOCOL - defaultValue: tcp - type: string - description: The transport protocol of the GPRC service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_SYSTEM_HTTP_ADDR: - name: STORAGE_SYSTEM_HTTP_ADDR - defaultValue: 127.0.0.1:9216 - type: string - description: The bind address of the HTTP service. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_SYSTEM_HTTP_PROTOCOL: - name: STORAGE_SYSTEM_HTTP_PROTOCOL - defaultValue: tcp - type: string - description: The transport protocol of the HTTP service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_SYSTEM_JWT_SECRET: - name: OC_JWT_SECRET;STORAGE_SYSTEM_JWT_SECRET - defaultValue: "" - type: string - description: The secret to mint and validate jwt tokens. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_SYSTEM_LOG_COLOR: - name: OC_LOG_COLOR;STORAGE_SYSTEM_LOG_COLOR - defaultValue: "false" - type: bool - description: Activates colorized log output. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_SYSTEM_LOG_FILE: - name: OC_LOG_FILE;STORAGE_SYSTEM_LOG_FILE - defaultValue: "" - type: string - description: The path to the log file. Activates logging to this file if set. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_SYSTEM_LOG_LEVEL: - name: OC_LOG_LEVEL;STORAGE_SYSTEM_LOG_LEVEL - defaultValue: "" - type: string - description: 'The log level. Valid values are: ''panic'', ''fatal'', ''error'', - ''warn'', ''info'', ''debug'', ''trace''.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_SYSTEM_LOG_PRETTY: - name: OC_LOG_PRETTY;STORAGE_SYSTEM_LOG_PRETTY - defaultValue: "false" - type: bool - description: Activates pretty log output. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_SYSTEM_OC_LOCK_CYCLE_DURATION_FACTOR: - name: STORAGE_SYSTEM_OC_LOCK_CYCLE_DURATION_FACTOR - defaultValue: "30" - type: int - description: When trying to lock files, ocis will multiply the cycle with this factor - and use it as a millisecond timeout. Values of 0 or below will be ignored and - the default value of 30 will be used. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_SYSTEM_OC_MAX_ACQUIRE_LOCK_CYCLES: - name: STORAGE_SYSTEM_OC_MAX_ACQUIRE_LOCK_CYCLES - defaultValue: "20" - type: int - description: When trying to lock files, ocis will try this amount of times to acquire - the lock before failing. After each try it will wait for an increasing amount - of time. Values of 0 or below will be ignored and the default value of 20 will - be used. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_SYSTEM_OC_ROOT: - name: STORAGE_SYSTEM_OC_ROOT - defaultValue: /var/lib/opencloud/storage/metadata - type: string - description: Path for the directory where the STORAGE-SYSTEM service stores it's - persistent data. If not defined, the root directory derives from $OC_BASE_DATA_PATH/storage. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_SYSTEM_SKIP_USER_GROUPS_IN_TOKEN: - name: STORAGE_SYSTEM_SKIP_USER_GROUPS_IN_TOKEN - defaultValue: "false" - type: bool - description: Disables the loading of user's group memberships from the reva access - token. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_SYSTEM_TRACING_COLLECTOR: - name: OC_TRACING_COLLECTOR;STORAGE_SYSTEM_TRACING_COLLECTOR - defaultValue: "" - type: string - description: The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. 
- Only used if the tracing endpoint is unset. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_SYSTEM_TRACING_ENABLED: - name: OC_TRACING_ENABLED;STORAGE_SYSTEM_TRACING_ENABLED - defaultValue: "false" - type: bool - description: Activates tracing. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_SYSTEM_TRACING_ENDPOINT: - name: OC_TRACING_ENDPOINT;STORAGE_SYSTEM_TRACING_ENDPOINT - defaultValue: "" - type: string - description: The endpoint of the tracing agent. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_SYSTEM_TRACING_TYPE: - name: OC_TRACING_TYPE;STORAGE_SYSTEM_TRACING_TYPE - defaultValue: "" - type: string - description: The type of tracing. Defaults to '', which is the same as 'jaeger'. - Allowed tracing types are 'jaeger' and '' as of now. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_ASYNC_PROPAGATOR_PROPAGATION_DELAY: - name: STORAGE_USERS_ASYNC_PROPAGATOR_PROPAGATION_DELAY - defaultValue: 0s - type: Duration - description: The delay between a change made to a tree and the propagation start - on treesize and treetime. Multiple propagations are computed to a single one. - See the Environment Variable Types description for more details. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_CLI_MAX_ATTEMPTS_RENAME_FILE: - name: STORAGE_USERS_CLI_MAX_ATTEMPTS_RENAME_FILE - defaultValue: "0" - type: int - description: The maximum number of attempts to rename a file when a user restores - a file to an existing destination with the same name. The minimum value is 100. 
- introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_CORS_ALLOW_CREDENTIALS: - name: OC_CORS_ALLOW_CREDENTIALS;STORAGE_USERS_CORS_ALLOW_CREDENTIALS - defaultValue: "false" - type: bool - description: 'Allow credentials for CORS.See following chapter for more details: - *Access-Control-Allow-Credentials* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_CORS_ALLOW_HEADERS: - name: OC_CORS_ALLOW_HEADERS;STORAGE_USERS_CORS_ALLOW_HEADERS - defaultValue: '[Authorization Origin X-Requested-With X-Request-Id X-HTTP-Method-Override - Content-Type Upload-Length Upload-Offset Tus-Resumable Upload-Metadata Upload-Defer-Length - Upload-Concat Upload-Incomplete Upload-Draft-Interop-Version]' - type: '[]string' - description: 'A list of allowed CORS headers. See following chapter for more details: - *Access-Control-Request-Headers* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. - See the Environment Variable Types description for more details.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_CORS_ALLOW_METHODS: - name: OC_CORS_ALLOW_METHODS;STORAGE_USERS_CORS_ALLOW_METHODS - defaultValue: '[POST HEAD PATCH OPTIONS GET DELETE]' - type: '[]string' - description: 'A list of allowed CORS methods. See following chapter for more details: - *Access-Control-Request-Method* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. - See the Environment Variable Types description for more details.' 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_CORS_ALLOW_ORIGINS: - name: OC_CORS_ALLOW_ORIGINS;STORAGE_USERS_CORS_ALLOW_ORIGINS - defaultValue: '[https://localhost:9200]' - type: '[]string' - description: 'A list of allowed CORS origins. See following chapter for more details: - *Access-Control-Allow-Origin* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. - See the Environment Variable Types description for more details.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_CORS_EXPOSE_HEADERS: - name: OC_CORS_EXPOSE_HEADERS;STORAGE_USERS_CORS_EXPOSE_HEADERS - defaultValue: '[Upload-Offset Location Upload-Length Tus-Version Tus-Resumable Tus-Max-Size - Tus-Extension Upload-Metadata Upload-Defer-Length Upload-Concat Upload-Incomplete - Upload-Draft-Interop-Version]' - type: '[]string' - description: 'A list of exposed CORS headers. See following chapter for more details: - *Access-Control-Expose-Headers* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Expose-Headers. - See the Environment Variable Types description for more details.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_CORS_MAX_AGE: - name: OC_CORS_MAX_AGE;STORAGE_USERS_CORS_MAX_AGE - defaultValue: "86400" - type: uint - description: 'The max cache duration of preflight headers. See following chapter - for more details: *Access-Control-Max-Age* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Max-Age. - See the Environment Variable Types description for more details.' 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_DATA_GATEWAY_URL: - name: STORAGE_USERS_DATA_GATEWAY_URL - defaultValue: https://localhost:9200/data - type: string - description: URL of the data gateway server - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_DATA_SERVER_URL: - name: STORAGE_USERS_DATA_SERVER_URL - defaultValue: http://localhost:9158/data - type: string - description: URL of the data server, needs to be reachable by the data gateway provided - by the frontend service or the user if directly exposed. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_DEBUG_ADDR: - name: STORAGE_USERS_DEBUG_ADDR - defaultValue: 127.0.0.1:9159 - type: string - description: Bind address of the debug server, where metrics, health, config and - debug endpoints will be exposed. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_DEBUG_PPROF: - name: STORAGE_USERS_DEBUG_PPROF - defaultValue: "false" - type: bool - description: Enables pprof, which can be used for profiling. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_DEBUG_TOKEN: - name: STORAGE_USERS_DEBUG_TOKEN - defaultValue: "" - type: string - description: Token to secure the metrics endpoint. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_DEBUG_ZPAGES: - name: STORAGE_USERS_DEBUG_ZPAGES - defaultValue: "false" - type: bool - description: Enables zpages, which can be used for collecting and viewing in-memory - traces. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_DRIVER: - name: STORAGE_USERS_DRIVER - defaultValue: ocis - type: string - description: 'The storage driver which should be used by the service. Defaults to - ''ocis'', Supported values are: ''ocis'', ''s3ng'' and ''owncloudsql''. The ''ocis'' - driver stores all data (blob and meta data) in an POSIX compliant volume. The - ''s3ng'' driver stores metadata in a POSIX compliant volume and uploads blobs - to the s3 bucket.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_EVENTS_AUTH_PASSWORD: - name: OC_EVENTS_AUTH_PASSWORD;STORAGE_USERS_EVENTS_AUTH_PASSWORD - defaultValue: "" - type: string - description: The password to authenticate with the events broker. The events broker - is the OpenCloud service which receives and delivers events between the services. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_EVENTS_AUTH_USERNAME: - name: OC_EVENTS_AUTH_USERNAME;STORAGE_USERS_EVENTS_AUTH_USERNAME - defaultValue: "" - type: string - description: The username to authenticate with the events broker. The events broker - is the OpenCloud service which receives and delivers events between the services. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_EVENTS_CLUSTER: - name: OC_EVENTS_CLUSTER;STORAGE_USERS_EVENTS_CLUSTER - defaultValue: opencloud-cluster - type: string - description: The clusterID of the event system. The event system is the message - queuing service. It is used as message broker for the microservice architecture. - Mandatory when using NATS as event system. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_EVENTS_ENABLE_TLS: - name: OC_EVENTS_ENABLE_TLS;STORAGE_USERS_EVENTS_ENABLE_TLS - defaultValue: "false" - type: bool - description: Enable TLS for the connection to the events broker. The events broker - is the OpenCloud service which receives and delivers events between the services. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_EVENTS_ENDPOINT: - name: OC_EVENTS_ENDPOINT;STORAGE_USERS_EVENTS_ENDPOINT - defaultValue: 127.0.0.1:9233 - type: string - description: The address of the event system. The event system is the message queuing - service. It is used as message broker for the microservice architecture. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_EVENTS_NUM_CONSUMERS: - name: STORAGE_USERS_EVENTS_NUM_CONSUMERS - defaultValue: "0" - type: int - description: The amount of concurrent event consumers to start. Event consumers - are used for post-processing files. Multiple consumers increase parallelisation, - but will also increase CPU and memory demands. The setting has no effect when - the OC_ASYNC_UPLOADS is set to false. The default and minimum value is 1. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_EVENTS_TLS_INSECURE: - name: OC_INSECURE;STORAGE_USERS_EVENTS_TLS_INSECURE - defaultValue: "false" - type: bool - description: Whether to verify the server TLS certificates. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_EVENTS_TLS_ROOT_CA_CERTIFICATE: - name: OC_EVENTS_TLS_ROOT_CA_CERTIFICATE;STORAGE_USERS_EVENTS_TLS_ROOT_CA_CERTIFICATE - defaultValue: "" - type: string - description: The root CA certificate used to validate the server's TLS certificate. 
- If provided STORAGE_USERS_EVENTS_TLS_INSECURE will be seen as false. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_EXPOSE_DATA_SERVER: - name: STORAGE_USERS_EXPOSE_DATA_SERVER - defaultValue: "false" - type: bool - description: Exposes the data server directly to users and bypasses the data gateway. - Ensure that the data server address is reachable by users. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_FILEMETADATA_CACHE_AUTH_PASSWORD: - name: OC_CACHE_AUTH_PASSWORD;STORAGE_USERS_FILEMETADATA_CACHE_AUTH_PASSWORD - defaultValue: "" - type: string - description: The password to authenticate with the cache store. Only applies when - store type 'nats-js-kv' is configured. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_FILEMETADATA_CACHE_AUTH_USERNAME: - name: OC_CACHE_AUTH_USERNAME;STORAGE_USERS_FILEMETADATA_CACHE_AUTH_USERNAME - defaultValue: "" - type: string - description: The username to authenticate with the cache store. Only applies when - store type 'nats-js-kv' is configured. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_FILEMETADATA_CACHE_DISABLE_PERSISTENCE: - name: OC_CACHE_DISABLE_PERSISTENCE;STORAGE_USERS_FILEMETADATA_CACHE_DISABLE_PERSISTENCE - defaultValue: "false" - type: bool - description: Disables persistence of the cache. Only applies when store type 'nats-js-kv' - is configured. Defaults to false. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_FILEMETADATA_CACHE_STORE: - name: OC_CACHE_STORE;STORAGE_USERS_FILEMETADATA_CACHE_STORE - defaultValue: memory - type: string - description: 'The type of the cache store. Supported values are: ''memory'', ''redis-sentinel'', - ''nats-js-kv'', ''noop''. 
See the text description for details.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_FILEMETADATA_CACHE_STORE_NODES: - name: OC_CACHE_STORE_NODES;STORAGE_USERS_FILEMETADATA_CACHE_STORE_NODES - defaultValue: '[127.0.0.1:9233]' - type: '[]string' - description: A list of nodes to access the configured store. This has no effect - when 'memory' store is configured. Note that the behaviour how nodes are used - is dependent on the library of the configured store. See the Environment Variable - Types description for more details. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_FILEMETADATA_CACHE_TTL: - name: OC_CACHE_TTL;STORAGE_USERS_FILEMETADATA_CACHE_TTL - defaultValue: 24m0s - type: Duration - description: Default time to live for user info in the user info cache. Only applied - when access tokens has no expiration. See the Environment Variable Types description - for more details. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_GATEWAY_GRPC_ADDR: - name: OC_GATEWAY_GRPC_ADDR;STORAGE_USERS_GATEWAY_GRPC_ADDR - defaultValue: 127.0.0.1:9142 - type: string - description: The bind address of the gateway GRPC address. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_GRACEFUL_SHUTDOWN_TIMEOUT: - name: STORAGE_USERS_GRACEFUL_SHUTDOWN_TIMEOUT - defaultValue: "30" - type: int - description: 'The number of seconds to wait for the ''storage-users'' service to - shutdown cleanly before exiting with an error that gets logged. Note: This setting - is only applicable when running the ''storage-users'' service as a standalone - service. See the text description for more details.' 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_GRPC_ADDR: - name: STORAGE_USERS_GRPC_ADDR - defaultValue: 127.0.0.1:9157 - type: string - description: The bind address of the GRPC service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_GRPC_PROTOCOL: - name: OC_GRPC_PROTOCOL;STORAGE_USERS_GRPC_PROTOCOL - defaultValue: "" - type: string - description: The transport protocol of the GPRC service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_HTTP_ADDR: - name: STORAGE_USERS_HTTP_ADDR - defaultValue: 127.0.0.1:9158 - type: string - description: The bind address of the HTTP service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_HTTP_PROTOCOL: - name: STORAGE_USERS_HTTP_PROTOCOL - defaultValue: tcp - type: string - description: The transport protocol of the HTTP service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_ID_CACHE_AUTH_PASSWORD: - name: OC_CACHE_AUTH_PASSWORD;STORAGE_USERS_ID_CACHE_AUTH_PASSWORD - defaultValue: "" - type: string - description: The password to authenticate with the cache store. Only applies when - store type 'nats-js-kv' is configured. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_ID_CACHE_AUTH_USERNAME: - name: OC_CACHE_AUTH_USERNAME;STORAGE_USERS_ID_CACHE_AUTH_USERNAME - defaultValue: "" - type: string - description: The username to authenticate with the cache store. Only applies when - store type 'nats-js-kv' is configured. 
- introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_ID_CACHE_DISABLE_PERSISTENCE: - name: OC_CACHE_DISABLE_PERSISTENCE;STORAGE_USERS_ID_CACHE_DISABLE_PERSISTENCE - defaultValue: "false" - type: bool - description: Disables persistence of the cache. Only applies when store type 'nats-js-kv' - is configured. Defaults to false. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_ID_CACHE_STORE: - name: OC_CACHE_STORE;STORAGE_USERS_ID_CACHE_STORE - defaultValue: memory - type: string - description: 'The type of the cache store. Supported values are: ''memory'', ''redis-sentinel'', - ''nats-js-kv'', ''noop''. See the text description for details.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_ID_CACHE_STORE_NODES: - name: OC_CACHE_STORE_NODES;STORAGE_USERS_ID_CACHE_STORE_NODES - defaultValue: '[127.0.0.1:9233]' - type: '[]string' - description: A list of nodes to access the configured store. This has no effect - when 'memory' store is configured. Note that the behaviour how nodes are used - is dependent on the library of the configured store. See the Environment Variable - Types description for more details. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_ID_CACHE_TTL: - name: OC_CACHE_TTL;STORAGE_USERS_ID_CACHE_TTL - defaultValue: 24m0s - type: Duration - description: Default time to live for user info in the user info cache. Only applied - when access tokens have no expiration. Defaults to 300s which is derived from - the underlaying package though not explicitly set as default. See the Environment - Variable Types description for more details. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_JWT_SECRET: - name: OC_JWT_SECRET;STORAGE_USERS_JWT_SECRET - defaultValue: "" - type: string - description: The secret to mint and validate jwt tokens. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_LOG_COLOR: - name: OC_LOG_COLOR;STORAGE_USERS_LOG_COLOR - defaultValue: "false" - type: bool - description: Activates colorized log output. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_LOG_FILE: - name: OC_LOG_FILE;STORAGE_USERS_LOG_FILE - defaultValue: "" - type: string - description: The path to the log file. Activates logging to this file if set. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_LOG_LEVEL: - name: OC_LOG_LEVEL;STORAGE_USERS_LOG_LEVEL - defaultValue: "" - type: string - description: 'The log level. Valid values are: ''panic'', ''fatal'', ''error'', - ''warn'', ''info'', ''debug'', ''trace''.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_LOG_PRETTY: - name: OC_LOG_PRETTY;STORAGE_USERS_LOG_PRETTY - defaultValue: "false" - type: bool - description: Activates pretty log output. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_MACHINE_AUTH_API_KEY: - name: OC_MACHINE_AUTH_API_KEY;STORAGE_USERS_MACHINE_AUTH_API_KEY - defaultValue: "" - type: string - description: Machine auth API key used to validate internal requests necessary for - the access to resources from other services. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_MOUNT_ID: - name: STORAGE_USERS_MOUNT_ID - defaultValue: "" - type: string - description: Mount ID of this storage. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_OCIS_GENERAL_SPACE_ALIAS_TEMPLATE: - name: STORAGE_USERS_OCIS_GENERAL_SPACE_ALIAS_TEMPLATE - defaultValue: '{{.SpaceType}}/{{.SpaceName \| replace " " "-" \| - lower}}' - type: string - description: Template string to construct general space aliases. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_OCIS_GENERAL_SPACE_PATH_TEMPLATE: - name: STORAGE_USERS_OCIS_GENERAL_SPACE_PATH_TEMPLATE - defaultValue: "" - type: string - description: Template string to construct the paths of the projects space roots. - introductionVersion: 6.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_OCIS_LOCK_CYCLE_DURATION_FACTOR: - name: STORAGE_USERS_OCIS_LOCK_CYCLE_DURATION_FACTOR - defaultValue: "30" - type: int - description: When trying to lock files, ocis will multiply the cycle with this factor - and use it as a millisecond timeout. Values of 0 or below will be ignored and - the default value will be used. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_OCIS_MAX_ACQUIRE_LOCK_CYCLES: - name: STORAGE_USERS_OCIS_MAX_ACQUIRE_LOCK_CYCLES - defaultValue: "20" - type: int - description: When trying to lock files, ocis will try this amount of times to acquire - the lock before failing. After each try it will wait for an increasing amount - of time. Values of 0 or below will be ignored and the default value will be used. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_OCIS_MAX_CONCURRENCY: - name: OC_MAX_CONCURRENCY;STORAGE_USERS_OCIS_MAX_CONCURRENCY - defaultValue: "5" - type: int - description: Maximum number of concurrent go-routines. Higher values can potentially - get work done faster but will also cause more load on the system. 
Values of 0 - or below will be ignored and the default value will be used. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_OCIS_MAX_QUOTA: - name: OC_SPACES_MAX_QUOTA;STORAGE_USERS_OCIS_MAX_QUOTA - defaultValue: "0" - type: uint64 - description: Set a global max quota for spaces in bytes. A value of 0 equals unlimited. - If not using the global OC_SPACES_MAX_QUOTA, you must define the FRONTEND_MAX_QUOTA - in the frontend service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_OCIS_PERMISSIONS_ENDPOINT: - name: STORAGE_USERS_PERMISSION_ENDPOINT;STORAGE_USERS_OCIS_PERMISSIONS_ENDPOINT - defaultValue: eu.opencloud.api.settings - type: string - description: Endpoint of the permissions service. The endpoints can differ for 'ocis' - and 's3ng'. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_OCIS_PERSONAL_SPACE_ALIAS_TEMPLATE: - name: STORAGE_USERS_OCIS_PERSONAL_SPACE_ALIAS_TEMPLATE - defaultValue: '{{.SpaceType}}/{{.User.Username \| lower}}' - type: string - description: Template string to construct personal space aliases. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_OCIS_PERSONAL_SPACE_PATH_TEMPLATE: - name: STORAGE_USERS_OCIS_PERSONAL_SPACE_PATH_TEMPLATE - defaultValue: "" - type: string - description: Template string to construct the paths of the personal space roots. - introductionVersion: 6.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_OCIS_PROPAGATOR: - name: OC_DECOMPOSEDFS_PROPAGATOR;STORAGE_USERS_OCIS_PROPAGATOR - defaultValue: sync - type: string - description: The propagator used for decomposedfs. At the moment, only 'sync' is - fully supported, 'async' is available as an experimental option. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_OCIS_ROOT: - name: STORAGE_USERS_OCIS_ROOT - defaultValue: /var/lib/opencloud/storage/users - type: string - description: The directory where the filesystem storage will store blobs and metadata. - If not defined, the root directory derives from $OC_BASE_DATA_PATH/storage/users. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_OCIS_SHARE_FOLDER: - name: STORAGE_USERS_OCIS_SHARE_FOLDER - defaultValue: /Shares - type: string - description: Name of the folder jailing all shares. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_OCIS_USER_LAYOUT: - name: STORAGE_USERS_OCIS_USER_LAYOUT - defaultValue: '{{.Id.OpaqueId}}' - type: string - description: Template string for the user storage layout in the user directory. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_OWNCLOUDSQL_DATADIR: - name: STORAGE_USERS_OWNCLOUDSQL_DATADIR - defaultValue: /var/lib/opencloud/storage/owncloud - type: string - description: The directory where the filesystem storage will store SQL migration - data. If not defined, the root directory derives from $OC_BASE_DATA_PATH/storage/owncloud. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_OWNCLOUDSQL_DB_HOST: - name: STORAGE_USERS_OWNCLOUDSQL_DB_HOST - defaultValue: "" - type: string - description: Hostname or IP of the database server. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_OWNCLOUDSQL_DB_NAME: - name: STORAGE_USERS_OWNCLOUDSQL_DB_NAME - defaultValue: owncloud - type: string - description: Name of the database to be used. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_OWNCLOUDSQL_DB_PASSWORD: - name: STORAGE_USERS_OWNCLOUDSQL_DB_PASSWORD - defaultValue: owncloud - type: string - description: Password for the database. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_OWNCLOUDSQL_DB_PORT: - name: STORAGE_USERS_OWNCLOUDSQL_DB_PORT - defaultValue: "3306" - type: int - description: Port that the database server is listening on. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_OWNCLOUDSQL_DB_USERNAME: - name: STORAGE_USERS_OWNCLOUDSQL_DB_USERNAME - defaultValue: owncloud - type: string - description: Username for the database. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_OWNCLOUDSQL_LAYOUT: - name: STORAGE_USERS_OWNCLOUDSQL_LAYOUT - defaultValue: '{{.Username}}' - type: string - description: Path layout to use to navigate into a users folder in an owncloud data - directory - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_OWNCLOUDSQL_SHARE_FOLDER: - name: STORAGE_USERS_OWNCLOUDSQL_SHARE_FOLDER - defaultValue: /Shares - type: string - description: Name of the folder jailing all shares. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_OWNCLOUDSQL_UPLOADINFO_DIR: - name: STORAGE_USERS_OWNCLOUDSQL_UPLOADINFO_DIR - defaultValue: /var/lib/opencloud/storage/uploadinfo - type: string - description: The directory where the filesystem will store uploads temporarily. - If not defined, the root directory derives from $OC_BASE_DATA_PATH/storage/uploadinfo. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_OWNCLOUDSQL_USERS_PROVIDER_ENDPOINT: - name: STORAGE_USERS_OWNCLOUDSQL_USERS_PROVIDER_ENDPOINT - defaultValue: eu.opencloud.api.users - type: string - description: Endpoint of the users provider. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_PERMISSION_ENDPOINT: - name: STORAGE_USERS_PERMISSION_ENDPOINT;STORAGE_USERS_POSIX_PERMISSIONS_ENDPOINT - defaultValue: eu.opencloud.api.settings - type: string - description: Endpoint of the permissions service. The endpoints can differ for 'ocis', - 'posix' and 's3ng'. - introductionVersion: 6.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_POSIX_GENERAL_SPACE_PATH_TEMPLATE: - name: STORAGE_USERS_POSIX_GENERAL_SPACE_PATH_TEMPLATE - defaultValue: projects/{{.SpaceId}} - type: string - description: Template string to construct the paths of the projects space roots. - introductionVersion: 6.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_POSIX_PERMISSIONS_ENDPOINT: - name: STORAGE_USERS_PERMISSION_ENDPOINT;STORAGE_USERS_POSIX_PERMISSIONS_ENDPOINT - defaultValue: eu.opencloud.api.settings - type: string - description: Endpoint of the permissions service. The endpoints can differ for 'ocis', - 'posix' and 's3ng'. - introductionVersion: 6.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_POSIX_PERSONAL_SPACE_PATH_TEMPLATE: - name: STORAGE_USERS_POSIX_PERSONAL_SPACE_PATH_TEMPLATE - defaultValue: users/{{.User.Username}} - type: string - description: Template string to construct the paths of the personal space roots. 
- introductionVersion: 6.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_POSIX_ROOT: - name: STORAGE_USERS_POSIX_ROOT - defaultValue: /var/lib/opencloud/storage/users - type: string - description: The directory where the filesystem storage will store its data. If - not defined, the root directory derives from $OC_BASE_DATA_PATH/storage/users. - introductionVersion: 6.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_POSIX_SCAN_DEBOUNCE_DELAY: - name: STORAGE_USERS_POSIX_SCAN_DEBOUNCE_DELAY - defaultValue: 1s - type: Duration - description: The time in milliseconds to wait before scanning the filesystem for - changes after a change has been detected. - introductionVersion: 6.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_POSIX_USE_SPACE_GROUPS: - name: STORAGE_USERS_POSIX_USE_SPACE_GROUPS - defaultValue: "false" - type: bool - description: Use space groups to manage permissions on spaces. - introductionVersion: 6.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_POSIX_WATCH_FOLDER_KAFKA_BROKERS: - name: STORAGE_USERS_POSIX_WATCH_FOLDER_KAFKA_BROKERS - defaultValue: "" - type: string - description: Comma-separated list of kafka brokers to read the watchfolder events - from. - introductionVersion: 6.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_POSIX_WATCH_PATH: - name: STORAGE_USERS_POSIX_WATCH_PATH - defaultValue: "" - type: string - description: Path to the watch directory/file. Only applies to the 'gpfsfileauditlogging' - and 'inotifywait' watcher, in which case it is the path of the file audit log - file/base directory to watch. 
- introductionVersion: 6.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_POSIX_WATCH_TYPE: - name: STORAGE_USERS_POSIX_WATCH_TYPE - defaultValue: "" - type: string - description: Type of the watcher to use for getting notified about changes to the - filesystem. Currently available options are 'inotifywait' (default), 'gpfswatchfolder' - and 'gpfsfileauditlogging'. - introductionVersion: 6.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_PURGE_TRASH_BIN_PERSONAL_DELETE_BEFORE: - name: STORAGE_USERS_PURGE_TRASH_BIN_PERSONAL_DELETE_BEFORE - defaultValue: 720h0m0s - type: Duration - description: Specifies the period of time in which items that have been in the personal - trash-bin for longer than this value should be deleted. A value of 0 means no - automatic deletion. See the Environment Variable Types description for more details. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_PURGE_TRASH_BIN_PROJECT_DELETE_BEFORE: - name: STORAGE_USERS_PURGE_TRASH_BIN_PROJECT_DELETE_BEFORE - defaultValue: 720h0m0s - type: Duration - description: Specifies the period of time in which items that have been in the project - trash-bin for longer than this value should be deleted. A value of 0 means no - automatic deletion. See the Environment Variable Types description for more details. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_PURGE_TRASH_BIN_USER_ID: - name: OC_ADMIN_USER_ID;STORAGE_USERS_PURGE_TRASH_BIN_USER_ID - defaultValue: "" - type: string - description: ID of the user who collects all necessary information for deletion. - Consider that the UUID can be encoded in some LDAP deployment configurations like - in .ldif files. These need to be decoded beforehand. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_READ_ONLY: - name: STORAGE_USERS_READ_ONLY - defaultValue: "false" - type: bool - description: Set this storage to be read-only. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_S3NG_ACCESS_KEY: - name: STORAGE_USERS_S3NG_ACCESS_KEY - defaultValue: "" - type: string - description: Access key for the S3 bucket. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_S3NG_BUCKET: - name: STORAGE_USERS_S3NG_BUCKET - defaultValue: "" - type: string - description: Name of the S3 bucket. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_S3NG_ENDPOINT: - name: STORAGE_USERS_S3NG_ENDPOINT - defaultValue: "" - type: string - description: Endpoint for the S3 bucket. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_S3NG_GENERAL_SPACE_ALIAS_TEMPLATE: - name: STORAGE_USERS_S3NG_GENERAL_SPACE_ALIAS_TEMPLATE - defaultValue: '{{.SpaceType}}/{{.SpaceName \| replace " " "-" \| - lower}}' - type: string - description: Template string to construct general space aliases. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_S3NG_GENERAL_SPACE_PATH_TEMPLATE: - name: STORAGE_USERS_S3NG_GENERAL_SPACE_PATH_TEMPLATE - defaultValue: "" - type: string - description: Template string to construct the paths of the projects space roots. 
- introductionVersion: 6.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_S3NG_LOCK_CYCLE_DURATION_FACTOR: - name: STORAGE_USERS_S3NG_LOCK_CYCLE_DURATION_FACTOR - defaultValue: "30" - type: int - description: When trying to lock files, ocis will multiply the cycle with this factor - and use it as a millisecond timeout. Values of 0 or below will be ignored and - the default value of 30 will be used. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_S3NG_MAX_ACQUIRE_LOCK_CYCLES: - name: STORAGE_USERS_S3NG_MAX_ACQUIRE_LOCK_CYCLES - defaultValue: "20" - type: int - description: When trying to lock files, ocis will try this amount of times to acquire - the lock before failing. After each try it will wait for an increasing amount - of time. Values of 0 or below will be ignored and the default value of 20 will - be used. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_S3NG_MAX_CONCURRENCY: - name: OC_MAX_CONCURRENCY;STORAGE_USERS_S3NG_MAX_CONCURRENCY - defaultValue: "5" - type: int - description: Maximum number of concurrent go-routines. Higher values can potentially - get work done faster but will also cause more load on the system. Values of 0 - or below will be ignored and the default value of 100 will be used. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_S3NG_PERMISSIONS_ENDPOINT: - name: STORAGE_USERS_PERMISSION_ENDPOINT;STORAGE_USERS_S3NG_PERMISSIONS_ENDPOINT - defaultValue: eu.opencloud.api.settings - type: string - description: Endpoint of the permissions service. The endpoints can differ for 'ocis' - and 's3ng'. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_S3NG_PERSONAL_SPACE_ALIAS_TEMPLATE: - name: STORAGE_USERS_S3NG_PERSONAL_SPACE_ALIAS_TEMPLATE - defaultValue: '{{.SpaceType}}/{{.User.Username \| lower}}' - type: string - description: Template string to construct personal space aliases. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_S3NG_PERSONAL_SPACE_PATH_TEMPLATE: - name: STORAGE_USERS_S3NG_PERSONAL_SPACE_PATH_TEMPLATE - defaultValue: "" - type: string - description: Template string to construct the paths of the personal space roots. - introductionVersion: 6.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_S3NG_PROPAGATOR: - name: OC_DECOMPOSEDFS_PROPAGATOR;STORAGE_USERS_S3NG_PROPAGATOR - defaultValue: sync - type: string - description: The propagator used for decomposedfs. At the moment, only 'sync' is - fully supported, 'async' is available as an experimental option. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_S3NG_PUT_OBJECT_CONCURRENT_STREAM_PARTS: - name: STORAGE_USERS_S3NG_PUT_OBJECT_CONCURRENT_STREAM_PARTS - defaultValue: "true" - type: bool - description: Always precreate parts when copying objects to S3. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_S3NG_PUT_OBJECT_DISABLE_CONTENT_SHA256: - name: STORAGE_USERS_S3NG_PUT_OBJECT_DISABLE_CONTENT_SHA256 - defaultValue: "false" - type: bool - description: Disable sending content sha256 when copying objects to S3. 
- introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_S3NG_PUT_OBJECT_DISABLE_MULTIPART: - name: STORAGE_USERS_S3NG_PUT_OBJECT_DISABLE_MULTIPART - defaultValue: "true" - type: bool - description: Disable multipart uploads when copying objects to S3 - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_S3NG_PUT_OBJECT_NUM_THREADS: - name: STORAGE_USERS_S3NG_PUT_OBJECT_NUM_THREADS - defaultValue: "4" - type: uint - description: Number of concurrent uploads to use when copying objects to S3. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_S3NG_PUT_OBJECT_PART_SIZE: - name: STORAGE_USERS_S3NG_PUT_OBJECT_PART_SIZE - defaultValue: "0" - type: uint64 - description: Part size for concurrent uploads to S3. If no value or 0 is set, the - library's default value of 16MB is used. The value range is min 5MB and max 5GB. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_S3NG_PUT_OBJECT_SEND_CONTENT_MD5: - name: STORAGE_USERS_S3NG_PUT_OBJECT_SEND_CONTENT_MD5 - defaultValue: "true" - type: bool - description: Send a Content-MD5 header when copying objects to S3. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_S3NG_REGION: - name: STORAGE_USERS_S3NG_REGION - defaultValue: default - type: string - description: Region of the S3 bucket. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_S3NG_ROOT: - name: STORAGE_USERS_S3NG_ROOT - defaultValue: /var/lib/opencloud/storage/users - type: string - description: The directory where the filesystem storage will store metadata for - blobs. If not defined, the root directory derives from $OC_BASE_DATA_PATH/storage/users. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_S3NG_SECRET_KEY: - name: STORAGE_USERS_S3NG_SECRET_KEY - defaultValue: "" - type: string - description: Secret key for the S3 bucket. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_S3NG_SHARE_FOLDER: - name: STORAGE_USERS_S3NG_SHARE_FOLDER - defaultValue: /Shares - type: string - description: Name of the folder jailing all shares. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_S3NG_USER_LAYOUT: - name: STORAGE_USERS_S3NG_USER_LAYOUT - defaultValue: '{{.Id.OpaqueId}}' - type: string - description: Template string for the user storage layout in the user directory. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_SERVICE_ACCOUNT_ID: - name: OC_SERVICE_ACCOUNT_ID;STORAGE_USERS_SERVICE_ACCOUNT_ID - defaultValue: "" - type: string - description: The ID of the service account the service should use. See the 'auth-service' - service description for more details. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_SERVICE_ACCOUNT_SECRET: - name: OC_SERVICE_ACCOUNT_SECRET;STORAGE_USERS_SERVICE_ACCOUNT_SECRET - defaultValue: "" - type: string - description: The service account secret. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_SERVICE_NAME: - name: STORAGE_USERS_SERVICE_NAME - defaultValue: storage-users - type: string - description: Service name to use. Change this when starting an additional storage - provider with a custom configuration to prevent it from colliding with the default - 'storage-users' service. 
- introductionVersion: 7.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_SKIP_USER_GROUPS_IN_TOKEN: - name: STORAGE_USERS_SKIP_USER_GROUPS_IN_TOKEN - defaultValue: "false" - type: bool - description: Disables the loading of user's group memberships from the reva access - token. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_TRACING_COLLECTOR: - name: OC_TRACING_COLLECTOR;STORAGE_USERS_TRACING_COLLECTOR - defaultValue: "" - type: string - description: The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. - Only used if the tracing endpoint is unset. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_TRACING_ENABLED: - name: OC_TRACING_ENABLED;STORAGE_USERS_TRACING_ENABLED - defaultValue: "false" - type: bool - description: Activates tracing. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_TRACING_ENDPOINT: - name: OC_TRACING_ENDPOINT;STORAGE_USERS_TRACING_ENDPOINT - defaultValue: "" - type: string - description: The endpoint of the tracing agent. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_TRACING_TYPE: - name: OC_TRACING_TYPE;STORAGE_USERS_TRACING_TYPE - defaultValue: "" - type: string - description: The type of tracing. Defaults to '', which is the same as 'jaeger'. - Allowed tracing types are 'jaeger' and '' as of now. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_TRANSFER_EXPIRES: - name: STORAGE_USERS_TRANSFER_EXPIRES - defaultValue: "86400" - type: int64 - description: The time after which the token for upload postprocessing expires - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -STORAGE_USERS_UPLOAD_EXPIRATION: - name: STORAGE_USERS_UPLOAD_EXPIRATION - defaultValue: "86400" - type: int64 - description: Duration in seconds after which uploads will expire. Note that when - setting this to a low number, uploads could be cancelled before they are finished - and return a 403 to the user. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -THUMBNAILS_CORS_ALLOW_CREDENTIALS: - name: OC_CORS_ALLOW_CREDENTIALS;THUMBNAILS_CORS_ALLOW_CREDENTIALS - defaultValue: "true" - type: bool - description: 'Allow credentials for CORS.See following chapter for more details: - *Access-Control-Allow-Credentials* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.' - introductionVersion: "6.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -THUMBNAILS_CORS_ALLOW_HEADERS: - name: OC_CORS_ALLOW_HEADERS;THUMBNAILS_CORS_ALLOW_HEADERS - defaultValue: '[Authorization Origin Content-Type Accept X-Requested-With X-Request-Id - Cache-Control]' - type: '[]string' - description: 'A list of allowed CORS headers. See following chapter for more details: - *Access-Control-Request-Headers* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. - See the Environment Variable Types description for more details.' 
- introductionVersion: "6.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -THUMBNAILS_CORS_ALLOW_METHODS: - name: OC_CORS_ALLOW_METHODS;THUMBNAILS_CORS_ALLOW_METHODS - defaultValue: '[GET POST PUT PATCH DELETE OPTIONS]' - type: '[]string' - description: 'A list of allowed CORS methods. See following chapter for more details: - *Access-Control-Request-Method* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. - See the Environment Variable Types description for more details.' - introductionVersion: "6.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -THUMBNAILS_CORS_ALLOW_ORIGINS: - name: OC_CORS_ALLOW_ORIGINS;THUMBNAILS_CORS_ALLOW_ORIGINS - defaultValue: '[*]' - type: '[]string' - description: 'A list of allowed CORS origins. See following chapter for more details: - *Access-Control-Allow-Origin* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. - See the Environment Variable Types description for more details.' - introductionVersion: "6.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -THUMBNAILS_CS3SOURCE_INSECURE: - name: OC_INSECURE;THUMBNAILS_CS3SOURCE_INSECURE - defaultValue: "false" - type: bool - description: Ignore untrusted SSL certificates when connecting to the CS3 source. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -THUMBNAILS_DATA_ENDPOINT: - name: THUMBNAILS_DATA_ENDPOINT - defaultValue: http://127.0.0.1:9186/thumbnails/data - type: string - description: The HTTP endpoint where the actual thumbnail file can be downloaded. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -THUMBNAILS_DEBUG_ADDR: - name: THUMBNAILS_DEBUG_ADDR - defaultValue: 127.0.0.1:9189 - type: string - description: Bind address of the debug server, where metrics, health, config and - debug endpoints will be exposed. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -THUMBNAILS_DEBUG_PPROF: - name: THUMBNAILS_DEBUG_PPROF - defaultValue: "false" - type: bool - description: Enables pprof, which can be used for profiling. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -THUMBNAILS_DEBUG_TOKEN: - name: THUMBNAILS_DEBUG_TOKEN - defaultValue: "" - type: string - description: Token to secure the metrics endpoint. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -THUMBNAILS_DEBUG_ZPAGES: - name: THUMBNAILS_DEBUG_ZPAGES - defaultValue: "false" - type: bool - description: Enables zpages, which can be used for collecting and viewing in-memory - traces. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -THUMBNAILS_FILESYSTEMSTORAGE_ROOT: - name: THUMBNAILS_FILESYSTEMSTORAGE_ROOT - defaultValue: /var/lib/opencloud/thumbnails - type: string - description: The directory where the filesystem storage will store the thumbnails. - If not defined, the root directory derives from $OC_BASE_DATA_PATH/thumbnails. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -THUMBNAILS_GRPC_ADDR: - name: THUMBNAILS_GRPC_ADDR - defaultValue: 127.0.0.1:9185 - type: string - description: The bind address of the GRPC service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -THUMBNAILS_HTTP_ADDR: - name: THUMBNAILS_HTTP_ADDR - defaultValue: 127.0.0.1:9186 - type: string - description: The bind address of the HTTP service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -THUMBNAILS_HTTP_ROOT: - name: THUMBNAILS_HTTP_ROOT - defaultValue: /thumbnails - type: string - description: Subdirectory that serves as the root for this HTTP service. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -THUMBNAILS_LOG_COLOR: - name: OC_LOG_COLOR;THUMBNAILS_LOG_COLOR - defaultValue: "false" - type: bool - description: Activates colorized log output. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -THUMBNAILS_LOG_FILE: - name: OC_LOG_FILE;THUMBNAILS_LOG_FILE - defaultValue: "" - type: string - description: The path to the log file. Activates logging to this file if set. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -THUMBNAILS_LOG_LEVEL: - name: OC_LOG_LEVEL;THUMBNAILS_LOG_LEVEL - defaultValue: "" - type: string - description: 'The log level. Valid values are: ''panic'', ''fatal'', ''error'', - ''warn'', ''info'', ''debug'', ''trace''.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -THUMBNAILS_LOG_PRETTY: - name: OC_LOG_PRETTY;THUMBNAILS_LOG_PRETTY - defaultValue: "false" - type: bool - description: Activates pretty log output. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -THUMBNAILS_MAX_CONCURRENT_REQUESTS: - name: THUMBNAILS_MAX_CONCURRENT_REQUESTS - defaultValue: "0" - type: int - description: Number of maximum concurrent thumbnail requests. Default is 0 which - is unlimited. - introductionVersion: 6.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -THUMBNAILS_MAX_INPUT_HEIGHT: - name: THUMBNAILS_MAX_INPUT_HEIGHT - defaultValue: "7680" - type: int - description: The maximum height of an input image which is being processed. - introductionVersion: 6.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -THUMBNAILS_MAX_INPUT_IMAGE_FILE_SIZE: - name: THUMBNAILS_MAX_INPUT_IMAGE_FILE_SIZE - defaultValue: 50MB - type: string - description: 'The maximum file size of an input image which is being processed. 
- Usable common abbreviations: [KB, KiB, MB, MiB, GB, GiB, TB, TiB, PB, PiB, EB, - EiB], example: 2GB.' - introductionVersion: 6.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -THUMBNAILS_MAX_INPUT_WIDTH: - name: THUMBNAILS_MAX_INPUT_WIDTH - defaultValue: "7680" - type: int - description: The maximum width of an input image which is being processed. - introductionVersion: 6.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -THUMBNAILS_RESOLUTIONS: - name: THUMBNAILS_RESOLUTIONS - defaultValue: '[16x16 32x32 64x64 128x128 1080x1920 1920x1080 2160x3840 3840x2160 - 4320x7680 7680x4320]' - type: '[]string' - description: The supported list of target resolutions in the format WidthxHeight - like 32x32. You can define any resolution as required. See the Environment Variable - Types description for more details. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -THUMBNAILS_TRACING_COLLECTOR: - name: OC_TRACING_COLLECTOR;THUMBNAILS_TRACING_COLLECTOR - defaultValue: "" - type: string - description: The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. - Only used if the tracing endpoint is unset. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -THUMBNAILS_TRACING_ENABLED: - name: OC_TRACING_ENABLED;THUMBNAILS_TRACING_ENABLED - defaultValue: "false" - type: bool - description: Activates tracing. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -THUMBNAILS_TRACING_ENDPOINT: - name: OC_TRACING_ENDPOINT;THUMBNAILS_TRACING_ENDPOINT - defaultValue: "" - type: string - description: The endpoint of the tracing agent. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -THUMBNAILS_TRACING_TYPE: - name: OC_TRACING_TYPE;THUMBNAILS_TRACING_TYPE - defaultValue: "" - type: string - description: The type of tracing. Defaults to '', which is the same as 'jaeger'. - Allowed tracing types are 'jaeger' and '' as of now. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -THUMBNAILS_TRANSFER_TOKEN: - name: THUMBNAILS_TRANSFER_TOKEN - defaultValue: "" - type: string - description: The secret to sign JWT to download the actual thumbnail file. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -THUMBNAILS_TXT_FONTMAP_FILE: - name: THUMBNAILS_TXT_FONTMAP_FILE - defaultValue: "" - type: string - description: The path to a font file for txt thumbnails. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -THUMBNAILS_WEBDAVSOURCE_INSECURE: - name: OC_INSECURE;THUMBNAILS_WEBDAVSOURCE_INSECURE - defaultValue: "false" - type: bool - description: Ignore untrusted SSL certificates when connecting to the webdav source. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERLOG_CORS_ALLOW_CREDENTIALS: - name: OC_CORS_ALLOW_CREDENTIALS;USERLOG_CORS_ALLOW_CREDENTIALS - defaultValue: "true" - type: bool - description: 'Allow credentials for CORS.See following chapter for more details: - *Access-Control-Allow-Credentials* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERLOG_CORS_ALLOW_HEADERS: - name: OC_CORS_ALLOW_HEADERS;USERLOG_CORS_ALLOW_HEADERS - defaultValue: '[Authorization Origin Content-Type Accept X-Requested-With X-Request-Id - Ocs-Apirequest]' - type: '[]string' - description: 'A list of allowed CORS headers. 
See following chapter for more details: - *Access-Control-Request-Headers* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. - See the Environment Variable Types description for more details.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERLOG_CORS_ALLOW_METHODS: - name: OC_CORS_ALLOW_METHODS;USERLOG_CORS_ALLOW_METHODS - defaultValue: '[GET]' - type: '[]string' - description: 'A list of allowed CORS methods. See following chapter for more details: - *Access-Control-Request-Method* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. - See the Environment Variable Types description for more details.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERLOG_CORS_ALLOW_ORIGINS: - name: OC_CORS_ALLOW_ORIGINS;USERLOG_CORS_ALLOW_ORIGINS - defaultValue: '[*]' - type: '[]string' - description: 'A list of allowed CORS origins. See following chapter for more details: - *Access-Control-Allow-Origin* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. - See the Environment Variable Types description for more details.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERLOG_DEBUG_ADDR: - name: USERLOG_DEBUG_ADDR - defaultValue: 127.0.0.1:9214 - type: string - description: Bind address of the debug server, where metrics, health, config and - debug endpoints will be exposed. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERLOG_DEBUG_PPROF: - name: USERLOG_DEBUG_PPROF - defaultValue: "false" - type: bool - description: Enables pprof, which can be used for profiling. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERLOG_DEBUG_TOKEN: - name: USERLOG_DEBUG_TOKEN - defaultValue: "" - type: string - description: Token to secure the metrics endpoint. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERLOG_DEBUG_ZPAGES: - name: USERLOG_DEBUG_ZPAGES - defaultValue: "false" - type: bool - description: Enables zpages, which can be used for collecting and viewing in-memory - traces. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERLOG_EVENTS_AUTH_PASSWORD: - name: OC_EVENTS_AUTH_PASSWORD;USERLOG_EVENTS_AUTH_PASSWORD - defaultValue: "" - type: string - description: The password to authenticate with the events broker. The events broker - is the OpenCloud service which receives and delivers events between the services. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERLOG_EVENTS_AUTH_USERNAME: - name: OC_EVENTS_AUTH_USERNAME;USERLOG_EVENTS_AUTH_USERNAME - defaultValue: "" - type: string - description: The username to authenticate with the events broker. The events broker - is the OpenCloud service which receives and delivers events between the services. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERLOG_EVENTS_CLUSTER: - name: OC_EVENTS_CLUSTER;USERLOG_EVENTS_CLUSTER - defaultValue: opencloud-cluster - type: string - description: The clusterID of the event system. The event system is the message - queuing service. It is used as message broker for the microservice architecture. - Mandatory when using NATS as event system. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERLOG_EVENTS_ENABLE_TLS: - name: OC_EVENTS_ENABLE_TLS;USERLOG_EVENTS_ENABLE_TLS - defaultValue: "false" - type: bool - description: Enable TLS for the connection to the events broker. The events broker - is the OpenCloud service which receives and delivers events between the services. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERLOG_EVENTS_ENDPOINT: - name: OC_EVENTS_ENDPOINT;USERLOG_EVENTS_ENDPOINT - defaultValue: 127.0.0.1:9233 - type: string - description: The address of the event system. The event system is the message queuing - service. It is used as message broker for the microservice architecture. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERLOG_EVENTS_TLS_INSECURE: - name: OC_INSECURE;USERLOG_EVENTS_TLS_INSECURE - defaultValue: "false" - type: bool - description: Whether to verify the server TLS certificates. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERLOG_EVENTS_TLS_ROOT_CA_CERTIFICATE: - name: OC_EVENTS_TLS_ROOT_CA_CERTIFICATE;USERLOG_EVENTS_TLS_ROOT_CA_CERTIFICATE - defaultValue: "" - type: string - description: The root CA certificate used to validate the server's TLS certificate. - If provided NOTIFICATIONS_EVENTS_TLS_INSECURE will be seen as false. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERLOG_GLOBAL_NOTIFICATIONS_SECRET: - name: USERLOG_GLOBAL_NOTIFICATIONS_SECRET - defaultValue: "" - type: string - description: The secret to secure the global notifications endpoint. Only system - admins and users knowing that secret can call the global notifications POST/DELETE - endpoints. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERLOG_HTTP_ADDR: - name: USERLOG_HTTP_ADDR - defaultValue: 127.0.0.1:9210 - type: string - description: The bind address of the HTTP service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERLOG_HTTP_ROOT: - name: USERLOG_HTTP_ROOT - defaultValue: / - type: string - description: Subdirectory that serves as the root for this HTTP service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERLOG_JWT_SECRET: - name: OC_JWT_SECRET;USERLOG_JWT_SECRET - defaultValue: "" - type: string - description: The secret to mint and validate jwt tokens. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERLOG_LOG_COLOR: - name: OC_LOG_COLOR;USERLOG_LOG_COLOR - defaultValue: "false" - type: bool - description: Activates colorized log output. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERLOG_LOG_FILE: - name: OC_LOG_FILE;USERLOG_LOG_FILE - defaultValue: "" - type: string - description: The path to the log file. Activates logging to this file if set. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERLOG_LOG_LEVEL: - name: OC_LOG_LEVEL;USERLOG_LOG_LEVEL - defaultValue: "" - type: string - description: 'The log level. Valid values are: ''panic'', ''fatal'', ''error'', - ''warn'', ''info'', ''debug'', ''trace''.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERLOG_LOG_PRETTY: - name: OC_LOG_PRETTY;USERLOG_LOG_PRETTY - defaultValue: "false" - type: bool - description: Activates pretty log output. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERLOG_MAX_CONCURRENCY: - name: OC_MAX_CONCURRENCY;USERLOG_MAX_CONCURRENCY - defaultValue: "1" - type: int - description: Maximum number of concurrent go-routines. Higher values can potentially - get work done faster but will also cause more load on the system. Values of 0 - or below will be ignored and the default value will be used. - introductionVersion: 7.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERLOG_SERVICE_ACCOUNT_ID: - name: OC_SERVICE_ACCOUNT_ID;USERLOG_SERVICE_ACCOUNT_ID - defaultValue: "" - type: string - description: The ID of the service account the service should use. See the 'auth-service' - service description for more details. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERLOG_SERVICE_ACCOUNT_SECRET: - name: OC_SERVICE_ACCOUNT_SECRET;USERLOG_SERVICE_ACCOUNT_SECRET - defaultValue: "" - type: string - description: The service account secret. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERLOG_STORE: - name: OC_PERSISTENT_STORE;USERLOG_STORE - defaultValue: memory - type: string - description: 'The type of the store. Supported values are: ''memory'', ''nats-js-kv'', - ''redis-sentinel'', ''noop''. See the text description for details.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERLOG_STORE_AUTH_PASSWORD: - name: OC_PERSISTENT_STORE_AUTH_PASSWORD;USERLOG_STORE_AUTH_PASSWORD - defaultValue: "" - type: string - description: The password to authenticate with the store. Only applies when store - type 'nats-js-kv' is configured. 
- introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERLOG_STORE_AUTH_USERNAME: - name: OC_PERSISTENT_STORE_AUTH_USERNAME;USERLOG_STORE_AUTH_USERNAME - defaultValue: "" - type: string - description: The username to authenticate with the store. Only applies when store - type 'nats-js-kv' is configured. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERLOG_STORE_DATABASE: - name: USERLOG_STORE_DATABASE - defaultValue: userlog - type: string - description: The database name the configured store should use. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERLOG_STORE_NODES: - name: OC_PERSISTENT_STORE_NODES;USERLOG_STORE_NODES - defaultValue: '[]' - type: '[]string' - description: A list of nodes to access the configured store. This has no effect - when 'memory' store is configured. Note that the behaviour how nodes are used - is dependent on the library of the configured store. See the Environment Variable - Types description for more details. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERLOG_STORE_TABLE: - name: USERLOG_STORE_TABLE - defaultValue: events - type: string - description: The database table the store should use. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERLOG_STORE_TTL: - name: OC_PERSISTENT_STORE_TTL;USERLOG_STORE_TTL - defaultValue: 336h0m0s - type: Duration - description: Time to live for events in the store. Defaults to '336h' (2 weeks). - See the Environment Variable Types description for more details. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERLOG_TRACING_COLLECTOR: - name: OC_TRACING_COLLECTOR;USERLOG_TRACING_COLLECTOR - defaultValue: "" - type: string - description: The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. - Only used if the tracing endpoint is unset. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERLOG_TRACING_ENABLED: - name: OC_TRACING_ENABLED;USERLOG_TRACING_ENABLED - defaultValue: "false" - type: bool - description: Activates tracing. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERLOG_TRACING_ENDPOINT: - name: OC_TRACING_ENDPOINT;USERLOG_TRACING_ENDPOINT - defaultValue: "" - type: string - description: The endpoint of the tracing agent. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERLOG_TRACING_TYPE: - name: OC_TRACING_TYPE;USERLOG_TRACING_TYPE - defaultValue: "" - type: string - description: The type of tracing. Defaults to '', which is the same as 'jaeger'. - Allowed tracing types are 'jaeger' and '' as of now. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERLOG_TRANSLATION_PATH: - name: OC_TRANSLATION_PATH;USERLOG_TRANSLATION_PATH - defaultValue: "" - type: string - description: (optional) Set this to a path with custom translations to overwrite - the builtin translations. Note that file and folder naming rules apply, see the - documentation for more details. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERS_DEBUG_ADDR: - name: USERS_DEBUG_ADDR - defaultValue: 127.0.0.1:9145 - type: string - description: Bind address of the debug server, where metrics, health, config and - debug endpoints will be exposed. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERS_DEBUG_PPROF: - name: USERS_DEBUG_PPROF - defaultValue: "false" - type: bool - description: Enables pprof, which can be used for profiling. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERS_DEBUG_TOKEN: - name: USERS_DEBUG_TOKEN - defaultValue: "" - type: string - description: Token to secure the metrics endpoint. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERS_DEBUG_ZPAGES: - name: USERS_DEBUG_ZPAGES - defaultValue: "false" - type: bool - description: Enables zpages, which can be used for collecting and viewing in-memory - traces. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERS_DRIVER: - name: USERS_DRIVER - defaultValue: ldap - type: string - description: The driver which should be used by the users service. Supported values - are 'ldap' and 'owncloudsql'. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERS_GRPC_ADDR: - name: USERS_GRPC_ADDR - defaultValue: 127.0.0.1:9144 - type: string - description: The bind address of the GRPC service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERS_GRPC_PROTOCOL: - name: OC_GRPC_PROTOCOL;USERS_GRPC_PROTOCOL - defaultValue: tcp - type: string - description: The transport protocol of the GPRC service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERS_IDP_URL: - name: OC_URL;OC_OIDC_ISSUER;USERS_IDP_URL - defaultValue: https://localhost:9200 - type: string - description: The identity provider value to set in the userids of the CS3 user objects - for users returned by this user provider. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERS_JWT_SECRET: - name: OC_JWT_SECRET;USERS_JWT_SECRET - defaultValue: "" - type: string - description: The secret to mint and validate jwt tokens. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERS_LDAP_BIND_DN: - name: OC_LDAP_BIND_DN;USERS_LDAP_BIND_DN - defaultValue: uid=reva,ou=sysusers,o=libregraph-idm - type: string - description: LDAP DN to use for simple bind authentication with the target LDAP - server. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERS_LDAP_BIND_PASSWORD: - name: OC_LDAP_BIND_PASSWORD;USERS_LDAP_BIND_PASSWORD - defaultValue: "" - type: string - description: Password to use for authenticating the 'bind_dn'. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERS_LDAP_CACERT: - name: OC_LDAP_CACERT;USERS_LDAP_CACERT - defaultValue: /var/lib/opencloud/idm/ldap.crt - type: string - description: Path/File name for the root CA certificate (in PEM format) used to - validate TLS server certificates of the LDAP service. If not defined, the root - directory derives from $OC_BASE_DATA_PATH/idm. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERS_LDAP_DISABLE_USER_MECHANISM: - name: OC_LDAP_DISABLE_USER_MECHANISM;USERS_LDAP_DISABLE_USER_MECHANISM - defaultValue: attribute - type: string - description: An option to control the behavior for disabling users. Valid options - are 'none', 'attribute' and 'group'. If set to 'group', disabling a user via API - will add the user to the configured group for disabled users, if set to 'attribute' - this will be done in the ldap user entry, if set to 'none' the disable request - is not processed. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERS_LDAP_DISABLED_USERS_GROUP_DN: - name: OC_LDAP_DISABLED_USERS_GROUP_DN;USERS_LDAP_DISABLED_USERS_GROUP_DN - defaultValue: cn=DisabledUsersGroup,ou=groups,o=libregraph-idm - type: string - description: The distinguished name of the group to which added users will be classified - as disabled when 'disable_user_mechanism' is set to 'group'. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERS_LDAP_GROUP_BASE_DN: - name: OC_LDAP_GROUP_BASE_DN;USERS_LDAP_GROUP_BASE_DN - defaultValue: ou=groups,o=libregraph-idm - type: string - description: Search base DN for looking up LDAP groups. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERS_LDAP_GROUP_FILTER: - name: OC_LDAP_GROUP_FILTER;USERS_LDAP_GROUP_FILTER - defaultValue: "" - type: string - description: LDAP filter to add to the default filters for group searches. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERS_LDAP_GROUP_OBJECTCLASS: - name: OC_LDAP_GROUP_OBJECTCLASS;USERS_LDAP_GROUP_OBJECTCLASS - defaultValue: groupOfNames - type: string - description: The object class to use for groups in the default group search filter - like 'groupOfNames'. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERS_LDAP_GROUP_SCHEMA_DISPLAYNAME: - name: OC_LDAP_GROUP_SCHEMA_DISPLAYNAME;USERS_LDAP_GROUP_SCHEMA_DISPLAYNAME - defaultValue: cn - type: string - description: LDAP Attribute to use for the displayname of groups (often the same - as groupname attribute). 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERS_LDAP_GROUP_SCHEMA_GROUPNAME: - name: OC_LDAP_GROUP_SCHEMA_GROUPNAME;USERS_LDAP_GROUP_SCHEMA_GROUPNAME - defaultValue: cn - type: string - description: LDAP Attribute to use for the name of groups. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERS_LDAP_GROUP_SCHEMA_ID: - name: OC_LDAP_GROUP_SCHEMA_ID;USERS_LDAP_GROUP_SCHEMA_ID - defaultValue: ownclouduuid - type: string - description: LDAP Attribute to use as the unique ID for groups. This should be a - stable globally unique ID like a UUID. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERS_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING: - name: OC_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING;USERS_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING - defaultValue: "false" - type: bool - description: Set this to true if the defined 'id' attribute for groups is of the - 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute - of Active Directory for the group ID's. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERS_LDAP_GROUP_SCHEMA_MAIL: - name: OC_LDAP_GROUP_SCHEMA_MAIL;USERS_LDAP_GROUP_SCHEMA_MAIL - defaultValue: mail - type: string - description: LDAP Attribute to use for the email address of groups (can be empty). - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERS_LDAP_GROUP_SCHEMA_MEMBER: - name: OC_LDAP_GROUP_SCHEMA_MEMBER;USERS_LDAP_GROUP_SCHEMA_MEMBER - defaultValue: member - type: string - description: LDAP Attribute that is used for group members. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERS_LDAP_GROUP_SCOPE: - name: OC_LDAP_GROUP_SCOPE;USERS_LDAP_GROUP_SCOPE - defaultValue: sub - type: string - description: LDAP search scope to use when looking up groups. Supported values are - 'base', 'one' and 'sub'. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERS_LDAP_INSECURE: - name: OC_LDAP_INSECURE;USERS_LDAP_INSECURE - defaultValue: "false" - type: bool - description: Disable TLS certificate validation for the LDAP connections. Do not - set this in production environments. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERS_LDAP_URI: - name: OC_LDAP_URI;USERS_LDAP_URI - defaultValue: ldaps://localhost:9235 - type: string - description: URI of the LDAP Server to connect to. Supported URI schemes are 'ldaps://' - and 'ldap://' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERS_LDAP_USER_BASE_DN: - name: OC_LDAP_USER_BASE_DN;USERS_LDAP_USER_BASE_DN - defaultValue: ou=users,o=libregraph-idm - type: string - description: Search base DN for looking up LDAP users. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERS_LDAP_USER_ENABLED_ATTRIBUTE: - name: OC_LDAP_USER_ENABLED_ATTRIBUTE;USERS_LDAP_USER_ENABLED_ATTRIBUTE - defaultValue: ownCloudUserEnabled - type: string - description: LDAP attribute to use as a flag telling if the user is enabled or disabled. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERS_LDAP_USER_FILTER: - name: OC_LDAP_USER_FILTER;USERS_LDAP_USER_FILTER - defaultValue: "" - type: string - description: LDAP filter to add to the default filters for user search like '(objectclass=ownCloud)'. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERS_LDAP_USER_OBJECTCLASS: - name: OC_LDAP_USER_OBJECTCLASS;USERS_LDAP_USER_OBJECTCLASS - defaultValue: inetOrgPerson - type: string - description: The object class to use for users in the default user search filter - like 'inetOrgPerson'. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERS_LDAP_USER_SCHEMA_DISPLAYNAME: - name: OC_LDAP_USER_SCHEMA_DISPLAYNAME;USERS_LDAP_USER_SCHEMA_DISPLAYNAME - defaultValue: displayname - type: string - description: LDAP Attribute to use for the displayname of users. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERS_LDAP_USER_SCHEMA_ID: - name: OC_LDAP_USER_SCHEMA_ID;USERS_LDAP_USER_SCHEMA_ID - defaultValue: ownclouduuid - type: string - description: LDAP Attribute to use as the unique ID for users. This should be a - stable globally unique ID like a UUID. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERS_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING: - name: OC_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING;USERS_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING - defaultValue: "false" - type: bool - description: Set this to true if the defined 'ID' attribute for users is of the - 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute - of Active Directory for the user ID's. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERS_LDAP_USER_SCHEMA_MAIL: - name: OC_LDAP_USER_SCHEMA_MAIL;USERS_LDAP_USER_SCHEMA_MAIL - defaultValue: mail - type: string - description: LDAP Attribute to use for the email address of users. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERS_LDAP_USER_SCHEMA_USERNAME: - name: OC_LDAP_USER_SCHEMA_USERNAME;USERS_LDAP_USER_SCHEMA_USERNAME - defaultValue: uid - type: string - description: LDAP Attribute to use for username of users. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERS_LDAP_USER_SCOPE: - name: OC_LDAP_USER_SCOPE;USERS_LDAP_USER_SCOPE - defaultValue: sub - type: string - description: LDAP search scope to use when looking up users. Supported values are - 'base', 'one' and 'sub'. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERS_LDAP_USER_SUBSTRING_FILTER_TYPE: - name: LDAP_USER_SUBSTRING_FILTER_TYPE;USERS_LDAP_USER_SUBSTRING_FILTER_TYPE - defaultValue: any - type: string - description: 'Type of substring search filter to use for substring searches for - users. Possible values: ''initial'' for doing prefix only searches, ''final'' - for doing suffix only searches or ''any'' for doing full substring searches' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERS_LDAP_USER_TYPE_ATTRIBUTE: - name: OC_LDAP_USER_SCHEMA_USER_TYPE;USERS_LDAP_USER_TYPE_ATTRIBUTE - defaultValue: ownCloudUserType - type: string - description: LDAP Attribute to distinguish between 'Member' and 'Guest' users. Default - is 'ownCloudUserType'. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERS_LOG_COLOR: - name: OC_LOG_COLOR;USERS_LOG_COLOR - defaultValue: "false" - type: bool - description: Activates colorized log output. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERS_LOG_FILE: - name: OC_LOG_FILE;USERS_LOG_FILE - defaultValue: "" - type: string - description: The path to the log file. Activates logging to this file if set. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERS_LOG_LEVEL: - name: OC_LOG_LEVEL;USERS_LOG_LEVEL - defaultValue: "" - type: string - description: 'The log level. Valid values are: ''panic'', ''fatal'', ''error'', - ''warn'', ''info'', ''debug'', ''trace''.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERS_LOG_PRETTY: - name: OC_LOG_PRETTY;USERS_LOG_PRETTY - defaultValue: "false" - type: bool - description: Activates pretty log output. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERS_OWNCLOUDSQL_DB_HOST: - name: USERS_OWNCLOUDSQL_DB_HOST - defaultValue: mysql - type: string - description: Hostname of the database server. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERS_OWNCLOUDSQL_DB_NAME: - name: USERS_OWNCLOUDSQL_DB_NAME - defaultValue: owncloud - type: string - description: Name of the owncloud database. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERS_OWNCLOUDSQL_DB_PASSWORD: - name: USERS_OWNCLOUDSQL_DB_PASSWORD - defaultValue: secret - type: string - description: Password for the database user. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERS_OWNCLOUDSQL_DB_PORT: - name: USERS_OWNCLOUDSQL_DB_PORT - defaultValue: "3306" - type: int - description: Network port to use for the database connection. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERS_OWNCLOUDSQL_DB_USERNAME: - name: USERS_OWNCLOUDSQL_DB_USERNAME - defaultValue: owncloud - type: string - description: Database user to use for authenticating with the owncloud database. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERS_OWNCLOUDSQL_ENABLE_MEDIAL_SEARCH: - name: USERS_OWNCLOUDSQL_ENABLE_MEDIAL_SEARCH - defaultValue: "false" - type: bool - description: Allow 'medial search' when searching for users instead of just doing - a prefix search. This allows finding 'Alice' when searching for 'lic'. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERS_OWNCLOUDSQL_IDP: - name: USERS_OWNCLOUDSQL_IDP - defaultValue: https://localhost:9200 - type: string - description: The identity provider value to set in the userids of the CS3 user objects - for users returned by this user provider. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERS_OWNCLOUDSQL_JOIN_OWNCLOUD_UUID: - name: USERS_OWNCLOUDSQL_JOIN_OWNCLOUD_UUID - defaultValue: "false" - type: bool - description: Join the user properties table to read user IDs. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERS_OWNCLOUDSQL_JOIN_USERNAME: - name: USERS_OWNCLOUDSQL_JOIN_USERNAME - defaultValue: "false" - type: bool - description: Join the user properties table to read usernames - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERS_OWNCLOUDSQL_NOBODY: - name: USERS_OWNCLOUDSQL_NOBODY - defaultValue: "90" - type: int64 - description: Fallback number if no numeric UID and GID properties are provided. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERS_SKIP_USER_GROUPS_IN_TOKEN: - name: USERS_SKIP_USER_GROUPS_IN_TOKEN - defaultValue: "false" - type: bool - description: Disables the loading of user's group memberships from the reva access - token. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERS_TRACING_COLLECTOR: - name: OC_TRACING_COLLECTOR;USERS_TRACING_COLLECTOR - defaultValue: "" - type: string - description: The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. - Only used if the tracing endpoint is unset. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERS_TRACING_ENABLED: - name: OC_TRACING_ENABLED;USERS_TRACING_ENABLED - defaultValue: "false" - type: bool - description: Activates tracing. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERS_TRACING_ENDPOINT: - name: OC_TRACING_ENDPOINT;USERS_TRACING_ENDPOINT - defaultValue: "" - type: string - description: The endpoint of the tracing agent. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -USERS_TRACING_TYPE: - name: OC_TRACING_TYPE;USERS_TRACING_TYPE - defaultValue: "" - type: string - description: The type of tracing. Defaults to '', which is the same as 'jaeger'. - Allowed tracing types are 'jaeger' and '' as of now. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEB_ASSET_APPS_PATH: - name: WEB_ASSET_APPS_PATH - defaultValue: /var/lib/opencloud/web/assets/apps - type: string - description: Serve ownCloud Web apps assets from a path on the filesystem instead - of the builtin assets. If not defined, the root directory derives from $OC_BASE_DATA_PATH/web/assets/apps - introductionVersion: 6.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEB_ASSET_CORE_PATH: - name: WEB_ASSET_CORE_PATH - defaultValue: /var/lib/opencloud/web/assets/core - type: string - description: Serve ownCloud Web assets from a path on the filesystem instead of - the builtin assets. 
If not defined, the root directory derives from $OC_BASE_DATA_PATH/web/assets/core - introductionVersion: 6.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEB_ASSET_THEMES_PATH: - name: OC_ASSET_THEMES_PATH;WEB_ASSET_THEMES_PATH - defaultValue: /var/lib/opencloud/web/assets/themes - type: string - description: Serve ownCloud themes from a path on the filesystem instead of the - builtin assets. If not defined, the root directory derives from $OC_BASE_DATA_PATH/web/assets/themes - introductionVersion: 6.0.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEB_CACHE_TTL: - name: WEB_CACHE_TTL - defaultValue: "604800" - type: int - description: Cache policy in seconds for ownCloud Web assets. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEB_CORS_ALLOW_CREDENTIALS: - name: OC_CORS_ALLOW_CREDENTIALS;WEB_CORS_ALLOW_CREDENTIALS - defaultValue: "false" - type: bool - description: 'Allow credentials for CORS. See following chapter for more details: - *Access-Control-Allow-Credentials* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEB_CORS_ALLOW_HEADERS: - name: OC_CORS_ALLOW_HEADERS;WEB_CORS_ALLOW_HEADERS - defaultValue: '[Origin Accept Content-Type Depth Authorization Ocs-Apirequest If-None-Match - If-Match Destination Overwrite X-Request-Id X-Requested-With Tus-Resumable Tus-Checksum-Algorithm - Upload-Concat Upload-Length Upload-Metadata Upload-Defer-Length Upload-Expires - Upload-Checksum Upload-Offset X-HTTP-Method-Override]' - type: '[]string' - description: 'A list of allowed CORS headers. See following chapter for more details: - *Access-Control-Request-Headers* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. - See the Environment Variable Types description for more details.' 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEB_CORS_ALLOW_METHODS: - name: OC_CORS_ALLOW_METHODS;WEB_CORS_ALLOW_METHODS - defaultValue: '[OPTIONS HEAD GET PUT PATCH POST DELETE MKCOL PROPFIND PROPPATCH - MOVE COPY REPORT SEARCH]' - type: '[]string' - description: 'A list of allowed CORS methods. See following chapter for more details: - *Access-Control-Request-Method* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. - See the Environment Variable Types description for more details.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEB_CORS_ALLOW_ORIGINS: - name: OC_CORS_ALLOW_ORIGINS;WEB_CORS_ALLOW_ORIGINS - defaultValue: '[https://localhost:9200]' - type: '[]string' - description: 'A list of allowed CORS origins. See following chapter for more details: - *Access-Control-Allow-Origin* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. - See the Environment Variable Types description for more details.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEB_DEBUG_ADDR: - name: WEB_DEBUG_ADDR - defaultValue: 127.0.0.1:9104 - type: string - description: Bind address of the debug server, where metrics, health, config and - debug endpoints will be exposed. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEB_DEBUG_PPROF: - name: WEB_DEBUG_PPROF - defaultValue: "false" - type: bool - description: Enables pprof, which can be used for profiling. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEB_DEBUG_TOKEN: - name: WEB_DEBUG_TOKEN - defaultValue: "" - type: string - description: Token to secure the metrics endpoint. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEB_DEBUG_ZPAGES: - name: WEB_DEBUG_ZPAGES - defaultValue: "false" - type: bool - description: Enables zpages, which can be used for collecting and viewing in-memory - traces. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEB_GATEWAY_GRPC_ADDR: - name: WEB_GATEWAY_GRPC_ADDR - defaultValue: eu.opencloud.api.gateway - type: string - description: The bind address of the GRPC service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEB_HTTP_ADDR: - name: WEB_HTTP_ADDR - defaultValue: 127.0.0.1:9100 - type: string - description: The bind address of the HTTP service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEB_HTTP_ROOT: - name: WEB_HTTP_ROOT - defaultValue: / - type: string - description: Subdirectory that serves as the root for this HTTP service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEB_JWT_SECRET: - name: OC_JWT_SECRET;WEB_JWT_SECRET - defaultValue: "" - type: string - description: The secret to mint and validate jwt tokens. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEB_LOG_COLOR: - name: OC_LOG_COLOR;WEB_LOG_COLOR - defaultValue: "false" - type: bool - description: Activates colorized log output. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEB_LOG_FILE: - name: OC_LOG_FILE;WEB_LOG_FILE - defaultValue: "" - type: string - description: The path to the log file. Activates logging to this file if set. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEB_LOG_LEVEL: - name: OC_LOG_LEVEL;WEB_LOG_LEVEL - defaultValue: "" - type: string - description: 'The log level. 
Valid values are: ''panic'', ''fatal'', ''error'', - ''warn'', ''info'', ''debug'', ''trace''.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEB_LOG_PRETTY: - name: OC_LOG_PRETTY;WEB_LOG_PRETTY - defaultValue: "false" - type: bool - description: Activates pretty log output. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEB_OIDC_AUTHORITY: - name: OC_URL;OC_OIDC_ISSUER;WEB_OIDC_AUTHORITY - defaultValue: https://localhost:9200 - type: string - description: URL of the OIDC issuer. It defaults to URL of the builtin IDP. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEB_OIDC_CLIENT_ID: - name: OC_OIDC_CLIENT_ID;WEB_OIDC_CLIENT_ID - defaultValue: web - type: string - description: The OIDC client ID which ownCloud Web uses. This client needs to be - set up in your IDP. Note that this setting has no effect when using the builtin - IDP. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEB_OIDC_METADATA_URL: - name: WEB_OIDC_METADATA_URL - defaultValue: https://localhost:9200/.well-known/openid-configuration - type: string - description: URL for the OIDC well-known configuration endpoint. Defaults to the - oCIS API URL + '/.well-known/openid-configuration'. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEB_OIDC_POST_LOGOUT_REDIRECT_URI: - name: WEB_OIDC_POST_LOGOUT_REDIRECT_URI - defaultValue: "" - type: string - description: This value needs to point to a valid and reachable web page. The web - client will trigger a redirect to that page directly after the logout action. - The default value is empty and redirects to the login page. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEB_OIDC_RESPONSE_TYPE: - name: WEB_OIDC_RESPONSE_TYPE - defaultValue: code - type: string - description: The OIDC response type to use for authentication. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEB_OIDC_SCOPE: - name: WEB_OIDC_SCOPE - defaultValue: openid profile email - type: string - description: OIDC scopes to request during authentication to authorize access to - user details. Defaults to 'openid profile email'. Values are separated by blank. - More example values but not limited to are 'address' or 'phone' etc. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEB_OPTION_CONCURRENT_REQUESTS_RESOURCE_BATCH_ACTIONS: - name: WEB_OPTION_CONCURRENT_REQUESTS_RESOURCE_BATCH_ACTIONS - defaultValue: "0" - type: int - description: Defines the maximum number of concurrent requests per file/folder/space - batch action. Defaults to 4. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEB_OPTION_CONCURRENT_REQUESTS_SHARES_CREATE: - name: WEB_OPTION_CONCURRENT_REQUESTS_SHARES_CREATE - defaultValue: "0" - type: int - description: Defines the maximum number of concurrent requests per sharing invite - batch. Defaults to 4. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEB_OPTION_CONCURRENT_REQUESTS_SHARES_LIST: - name: WEB_OPTION_CONCURRENT_REQUESTS_SHARES_LIST - defaultValue: "0" - type: int - description: Defines the maximum number of concurrent requests when loading individual - share information inside listings. Defaults to 2. 
- introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEB_OPTION_CONCURRENT_REQUESTS_SSE: - name: WEB_OPTION_CONCURRENT_REQUESTS_SSE - defaultValue: "0" - type: int - description: Defines the maximum number of concurrent requests in SSE event handlers. - Defaults to 4. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEB_OPTION_CONTEXTHELPERS_READ_MORE: - name: WEB_OPTION_CONTEXTHELPERS_READ_MORE - defaultValue: "true" - type: bool - description: Specifies whether the 'Read more' link should be displayed or not. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEB_OPTION_DISABLE_FEEDBACK_LINK: - name: WEB_OPTION_DISABLE_FEEDBACK_LINK - defaultValue: "false" - type: bool - description: Set this option to 'true' to disable the feedback link in the top bar. - Keeping it enabled by setting the value to 'false' or with the absence of the - option, allows ownCloud to get feedback from your user base through a dedicated - survey website. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEB_OPTION_DISABLED_EXTENSIONS: - name: WEB_OPTION_DISABLED_EXTENSIONS - defaultValue: '[]' - type: '[]string' - description: 'A list to disable specific Web extensions identified by their ID. - The ID can e.g. be taken from the ''index.ts'' file of the web extension. Example: - ''com.github.owncloud.web.files.search,com.github.owncloud.web.files.print''. - See the Environment Variable Types description for more details.' - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEB_OPTION_EMBED_DELEGATE_AUTHENTICATION: - name: WEB_OPTION_EMBED_DELEGATE_AUTHENTICATION - defaultValue: "false" - type: bool - description: Defines whether Web should require authentication to be done by the - parent application when running in 'embed' mode. 
If set to 'true' Web will not - try to authenticate the user on its own but will require an access token coming - from the parent application. Defaults to being unset. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEB_OPTION_EMBED_DELEGATE_AUTHENTICATION_ORIGIN: - name: WEB_OPTION_EMBED_DELEGATE_AUTHENTICATION_ORIGIN - defaultValue: "" - type: string - description: Defines the host to validate the message event origin against when - running Web in 'embed' mode with delegated authentication. Defaults to event message - origin validation being omitted, which is only recommended for development setups. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEB_OPTION_EMBED_ENABLED: - name: WEB_OPTION_EMBED_ENABLED - defaultValue: "" - type: string - description: Defines whether Web should be running in 'embed' mode. Setting this - to 'true' will enable a stripped down version of Web with reduced functionality - used to integrate Web into other applications like via iFrame. Setting it to 'false' - or not setting it (default) will run Web as usual with all functionality enabled. - See the text description for more details. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEB_OPTION_EMBED_MESSAGES_ORIGIN: - name: WEB_OPTION_EMBED_MESSAGES_ORIGIN - defaultValue: "" - type: string - description: Defines a URL under which Web can be integrated via iFrame in 'embed' - mode. Note that setting this is mandatory when running Web in 'embed' mode. Use - '*' as value to allow running the iFrame under any URL, although this is not recommended - for security reasons. See the text description for more details. 
- introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEB_OPTION_EMBED_TARGET: - name: WEB_OPTION_EMBED_TARGET - defaultValue: "" - type: string - description: Defines how Web is being integrated when running in 'embed' mode. Currently, - the only supported options are '' (empty) and 'location'. With '' which is the - default, Web will run regular as defined via the 'embed.enabled' config option. - With 'location', Web will run embedded as location picker. Resource selection - will be disabled and the selected resources array always includes the current - folder as the only item. See the text description for more details. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEB_OPTION_LOGIN_URL: - name: WEB_OPTION_LOGIN_URL - defaultValue: "" - type: string - description: 'Specifies the target URL to the login page. This is helpful when an - external IdP is used. This option is disabled by default. Example URL like: https://www.myidp.com/login.' - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEB_OPTION_LOGOUT_URL: - name: WEB_OPTION_LOGOUT_URL - defaultValue: "" - type: string - description: Adds a link to the user's profile page to point him to an external - page, where he can manage his session and devices. This is helpful when an external - IdP is used. This option is disabled by default. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEB_OPTION_OPEN_APPS_IN_TAB: - name: WEB_OPTION_OPEN_APPS_IN_TAB - defaultValue: "false" - type: bool - description: Configures whether apps and extensions should generally open in a new - tab. Defaults to false. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEB_OPTION_RUNNING_ON_EOS: - name: WEB_OPTION_RUNNING_ON_EOS - defaultValue: "false" - type: bool - description: Set this option to 'true' if running on an EOS storage backend (https://eos-web.web.cern.ch/eos-web/) - to enable its specific features. Defaults to 'false'. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEB_OPTION_TOKEN_STORAGE_LOCAL: - name: WEB_OPTION_TOKEN_STORAGE_LOCAL - defaultValue: "true" - type: bool - description: Specifies whether the access token will be stored in the local storage - when set to 'true' or in the session storage when set to 'false'. If stored in - the local storage, login state will be persisted across multiple browser tabs, - means no additional logins are required. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEB_OPTION_USER_LIST_REQUIRES_FILTER: - name: WEB_OPTION_USER_LIST_REQUIRES_FILTER - defaultValue: "false" - type: bool - description: Defines whether one or more filters must be set in order to list users - in the Web admin settings. Set this option to 'true' if running in an environment - with a lot of users and listing all users could slow down performance. Defaults - to 'false'. - introductionVersion: "5.0" - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEB_TRACING_COLLECTOR: - name: OC_TRACING_COLLECTOR;WEB_TRACING_COLLECTOR - defaultValue: "" - type: string - description: The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. - Only used if the tracing endpoint is unset. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEB_TRACING_ENABLED: - name: OC_TRACING_ENABLED;WEB_TRACING_ENABLED - defaultValue: "false" - type: bool - description: Activates tracing. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEB_TRACING_ENDPOINT: - name: OC_TRACING_ENDPOINT;WEB_TRACING_ENDPOINT - defaultValue: "" - type: string - description: The endpoint of the tracing agent. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEB_TRACING_TYPE: - name: OC_TRACING_TYPE;WEB_TRACING_TYPE - defaultValue: "" - type: string - description: The type of tracing. Defaults to '', which is the same as 'jaeger'. - Allowed tracing types are 'jaeger' and '' as of now. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEB_UI_CONFIG_FILE: - name: WEB_UI_CONFIG_FILE - defaultValue: "" - type: string - description: Read the ownCloud Web json based configuration from this path/file. - The config file takes precedence over WEB_OPTION_xxx environment variables. See - the text description for more details. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEB_UI_CONFIG_SERVER: - name: OC_URL;WEB_UI_CONFIG_SERVER - defaultValue: https://localhost:9200 - type: string - description: URL, where the oCIS APIs are reachable for ownCloud Web. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEB_UI_THEME_PATH: - name: WEB_UI_THEME_PATH - defaultValue: /themes/opencloud/theme.json - type: string - description: Path to the theme json file. Will be appended to the URL of the theme - server. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEB_UI_THEME_SERVER: - name: OC_URL;WEB_UI_THEME_SERVER - defaultValue: https://localhost:9200 - type: string - description: Base URL to load themes from. Will be prepended to the theme path. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEBDAV_CORS_ALLOW_CREDENTIALS: - name: OC_CORS_ALLOW_CREDENTIALS;WEBDAV_CORS_ALLOW_CREDENTIALS - defaultValue: "true" - type: bool - description: 'Allow credentials for CORS.See following chapter for more details: - *Access-Control-Allow-Credentials* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEBDAV_CORS_ALLOW_HEADERS: - name: OC_CORS_ALLOW_HEADERS;WEBDAV_CORS_ALLOW_HEADERS - defaultValue: '[Authorization Origin Content-Type Accept X-Requested-With X-Request-Id - Cache-Control]' - type: '[]string' - description: 'A list of allowed CORS headers. See following chapter for more details: - *Access-Control-Request-Headers* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. - See the Environment Variable Types description for more details.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEBDAV_CORS_ALLOW_METHODS: - name: OC_CORS_ALLOW_METHODS;WEBDAV_CORS_ALLOW_METHODS - defaultValue: '[GET POST PUT PATCH DELETE OPTIONS]' - type: '[]string' - description: 'A list of allowed CORS methods. See following chapter for more details: - *Access-Control-Request-Method* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. - See the Environment Variable Types description for more details.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEBDAV_CORS_ALLOW_ORIGINS: - name: OC_CORS_ALLOW_ORIGINS;WEBDAV_CORS_ALLOW_ORIGINS - defaultValue: '[*]' - type: '[]string' - description: 'A list of allowed CORS origins. 
See following chapter for more details: - *Access-Control-Allow-Origin* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. - See the Environment Variable Types description for more details.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEBDAV_DEBUG_ADDR: - name: WEBDAV_DEBUG_ADDR - defaultValue: 127.0.0.1:9119 - type: string - description: Bind address of the debug server, where metrics, health, config and - debug endpoints will be exposed. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEBDAV_DEBUG_PPROF: - name: WEBDAV_DEBUG_PPROF - defaultValue: "false" - type: bool - description: Enables pprof, which can be used for profiling. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEBDAV_DEBUG_TOKEN: - name: WEBDAV_DEBUG_TOKEN - defaultValue: "" - type: string - description: Token to secure the metrics endpoint. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEBDAV_DEBUG_ZPAGES: - name: WEBDAV_DEBUG_ZPAGES - defaultValue: "false" - type: bool - description: Enables zpages, which can be used for collecting and viewing in-memory - traces. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEBDAV_DISABLE_PREVIEWS: - name: OC_DISABLE_PREVIEWS;WEBDAV_DISABLE_PREVIEWS - defaultValue: "false" - type: bool - description: Set this option to 'true' to disable rendering of thumbnails triggered - via webdav access. Note that when disabled, all access to preview related webdav - paths will return a 404. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEBDAV_HTTP_ADDR: - name: WEBDAV_HTTP_ADDR - defaultValue: 127.0.0.1:9115 - type: string - description: The bind address of the HTTP service. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEBDAV_HTTP_ROOT: - name: WEBDAV_HTTP_ROOT - defaultValue: / - type: string - description: Subdirectory that serves as the root for this HTTP service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEBDAV_LOG_COLOR: - name: OC_LOG_COLOR;WEBDAV_LOG_COLOR - defaultValue: "false" - type: bool - description: Activates colorized log output. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEBDAV_LOG_FILE: - name: OC_LOG_FILE;WEBDAV_LOG_FILE - defaultValue: "" - type: string - description: The path to the log file. Activates logging to this file if set. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEBDAV_LOG_LEVEL: - name: OC_LOG_LEVEL;WEBDAV_LOG_LEVEL - defaultValue: "" - type: string - description: 'The log level. Valid values are: ''panic'', ''fatal'', ''error'', - ''warn'', ''info'', ''debug'', ''trace''.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEBDAV_LOG_PRETTY: - name: OC_LOG_PRETTY;WEBDAV_LOG_PRETTY - defaultValue: "false" - type: bool - description: Activates pretty log output. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEBDAV_TRACING_COLLECTOR: - name: OC_TRACING_COLLECTOR;WEBDAV_TRACING_COLLECTOR - defaultValue: "" - type: string - description: The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. - Only used if the tracing endpoint is unset. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEBDAV_TRACING_ENABLED: - name: OC_TRACING_ENABLED;WEBDAV_TRACING_ENABLED - defaultValue: "false" - type: bool - description: Activates tracing. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEBDAV_TRACING_ENDPOINT: - name: OC_TRACING_ENDPOINT;WEBDAV_TRACING_ENDPOINT - defaultValue: "" - type: string - description: The endpoint of the tracing agent. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEBDAV_TRACING_TYPE: - name: OC_TRACING_TYPE;WEBDAV_TRACING_TYPE - defaultValue: "" - type: string - description: The type of tracing. Defaults to '', which is the same as 'jaeger'. - Allowed tracing types are 'jaeger' and '' as of now. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEBDAV_WEBDAV_NAMESPACE: - name: WEBDAV_WEBDAV_NAMESPACE - defaultValue: /users/{{.Id.OpaqueId}} - type: string - description: CS3 path layout to use when forwarding /webdav requests - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEBFINGER_CORS_ALLOW_CREDENTIALS: - name: OC_CORS_ALLOW_CREDENTIALS;WEBFINGER_CORS_ALLOW_CREDENTIALS - defaultValue: "false" - type: bool - description: 'Allow credentials for CORS.See following chapter for more details: - *Access-Control-Allow-Credentials* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEBFINGER_CORS_ALLOW_HEADERS: - name: OC_CORS_ALLOW_HEADERS;WEBFINGER_CORS_ALLOW_HEADERS - defaultValue: '[]' - type: '[]string' - description: 'A list of allowed CORS headers. See following chapter for more details: - *Access-Control-Request-Headers* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. - See the Environment Variable Types description for more details.' 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEBFINGER_CORS_ALLOW_METHODS: - name: OC_CORS_ALLOW_METHODS;WEBFINGER_CORS_ALLOW_METHODS - defaultValue: '[]' - type: '[]string' - description: 'A list of allowed CORS methods. See following chapter for more details: - *Access-Control-Request-Method* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. - See the Environment Variable Types description for more details.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEBFINGER_CORS_ALLOW_ORIGINS: - name: OC_CORS_ALLOW_ORIGINS;WEBFINGER_CORS_ALLOW_ORIGINS - defaultValue: '[https://localhost:9200]' - type: '[]string' - description: 'A list of allowed CORS origins. See following chapter for more details: - *Access-Control-Allow-Origin* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. - See the Environment Variable Types description for more details.' - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEBFINGER_DEBUG_ADDR: - name: WEBFINGER_DEBUG_ADDR - defaultValue: 127.0.0.1:9279 - type: string - description: Bind address of the debug server, where metrics, health, config and - debug endpoints will be exposed. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEBFINGER_DEBUG_PPROF: - name: WEBFINGER_DEBUG_PPROF - defaultValue: "false" - type: bool - description: Enables pprof, which can be used for profiling. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEBFINGER_DEBUG_TOKEN: - name: WEBFINGER_DEBUG_TOKEN - defaultValue: "" - type: string - description: Token to secure the metrics endpoint. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEBFINGER_DEBUG_ZPAGES: - name: WEBFINGER_DEBUG_ZPAGES - defaultValue: "false" - type: bool - description: Enables zpages, which can be used for collecting and viewing in-memory - traces. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEBFINGER_HTTP_ADDR: - name: WEBFINGER_HTTP_ADDR - defaultValue: 127.0.0.1:9275 - type: string - description: The bind address of the HTTP service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEBFINGER_HTTP_ROOT: - name: WEBFINGER_HTTP_ROOT - defaultValue: / - type: string - description: Subdirectory that serves as the root for this HTTP service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEBFINGER_INSECURE: - name: OC_INSECURE;WEBFINGER_INSECURE - defaultValue: "false" - type: bool - description: Allow insecure connections to the WEBFINGER service. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEBFINGER_LOG_COLOR: - name: OC_LOG_COLOR;WEBFINGER_LOG_COLOR - defaultValue: "false" - type: bool - description: Activates colorized log output. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEBFINGER_LOG_FILE: - name: OC_LOG_FILE;WEBFINGER_LOG_FILE - defaultValue: "" - type: string - description: The path to the log file. Activates logging to this file if set. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEBFINGER_LOG_LEVEL: - name: OC_LOG_LEVEL;WEBFINGER_LOG_LEVEL - defaultValue: "" - type: string - description: 'The log level. Valid values are: ''panic'', ''fatal'', ''error'', - ''warn'', ''info'', ''debug'', ''trace''.' 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEBFINGER_LOG_PRETTY: - name: OC_LOG_PRETTY;WEBFINGER_LOG_PRETTY - defaultValue: "false" - type: bool - description: Activates pretty log output. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEBFINGER_OIDC_ISSUER: - name: OC_URL;OC_OIDC_ISSUER;WEBFINGER_OIDC_ISSUER - defaultValue: https://localhost:9200 - type: string - description: The identity provider href for the openid-discovery relation. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEBFINGER_OPENCLOUD_SERVER_INSTANCE_URL: - name: OC_URL;WEBFINGER_OPENCLOUD_SERVER_INSTANCE_URL - defaultValue: https://localhost:9200 - type: string - description: The URL for the legacy OpenCloud server instance relation (not to be - confused with the product OpenCloud Server). It defaults to the OC_URL but can - be overridden to support some reverse proxy corner cases. To shard the deployment, - multiple instances can be configured in the configuration file. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEBFINGER_OWNCLOUD_SERVER_INSTANCE_URL: - name: OC_URL;WEBFINGER_OWNCLOUD_SERVER_INSTANCE_URL - defaultValue: https://localhost:9200 - type: string - description: The URL for the legacy ownCloud server instance relation (not to be - confused with the product ownCloud Server). It defaults to the OC_URL but can - be overridden to support some reverse proxy corner cases. To shard the deployment, - multiple instances can be configured in the configuration file. 
- introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEBFINGER_RELATIONS: - name: WEBFINGER_RELATIONS - defaultValue: '[http://openid.net/specs/connect/1.0/issuer http://webfinger.opencloud/rel/server-instance]' - type: '[]string' - description: A list of relation URIs or registered relation types to add to webfinger - responses. See the Environment Variable Types description for more details. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEBFINGER_TRACING_COLLECTOR: - name: OC_TRACING_COLLECTOR;WEBFINGER_TRACING_COLLECTOR - defaultValue: "" - type: string - description: The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. - Only used if the tracing endpoint is unset. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEBFINGER_TRACING_ENABLED: - name: OC_TRACING_ENABLED;WEBFINGER_TRACING_ENABLED - defaultValue: "false" - type: bool - description: Activates tracing. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEBFINGER_TRACING_ENDPOINT: - name: OC_TRACING_ENDPOINT;WEBFINGER_TRACING_ENDPOINT - defaultValue: "" - type: string - description: The endpoint of the tracing agent. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" -WEBFINGER_TRACING_TYPE: - name: OC_TRACING_TYPE;WEBFINGER_TRACING_TYPE - defaultValue: "" - type: string - description: The type of tracing. Defaults to '', which is the same as 'jaeger'. - Allowed tracing types are 'jaeger' and '' as of now. - introductionVersion: pre5.0 - deprecationVersion: "" - removalVersion: "" - deprecationInfo: "" diff --git a/docs/helpers/extendedEnv.go b/docs/helpers/extendedEnv.go deleted file mode 100644 index 3dee523b98..0000000000 --- a/docs/helpers/extendedEnv.go +++ /dev/null 
@@ -1,178 +0,0 @@
-package main
-
-import (
- "fmt"
- "log"
- "os"
- "os/exec"
- "path/filepath"
- "regexp"
- "sort"
- "strings"
- "text/template"
-
- "gopkg.in/yaml.v2"
-)
-
-const yamlSource = "extended_vars.yaml"
-
-// ConfigVars is the main yaml source
-type ConfigVars struct {
- Variables []Variable `yaml:"variables"`
-}
-
-// Variable contains all information about one rogue envvar
-type Variable struct {
- // These field structs are automatically filled:
- // RawName can be the name of the envvar or the name of its var
- RawName string `yaml:"rawname"`
- // Path to the envvar with linenumber
- Path string `yaml:"path"`
- // FoundInCode indicates if the variable is still found in the codebase. TODO: delete immediately?
- FoundInCode bool `yaml:"foundincode"`
- // Name is equal to RawName but will not be overwritten in consecutive runs
- Name string `yaml:"name"`
-
- // These field structs need manual filling:
- // Type of the envvar
- Type string `yaml:"type"`
- // DefaultValue of the envvar
- DefaultValue string `yaml:"default_value"`
- // Description of what this envvar does
- Description string `yaml:"description"`
- // Ignore this envvar when creating docs?
- Ignore bool `yaml:"do_ignore"`
-
- // For simplicity ignored for now:
- // DependendServices []Service `yaml:"dependend_services"`
-}
-
-// GetRogueEnvs extracts the rogue envs from the code
-func GetRogueEnvs() {
- curdir, err := os.Getwd()
- if err != nil {
- log.Fatal(err)
- }
- fullYamlPath := filepath.Join(curdir, yamlSource)
- re := regexp.MustCompile(`os.Getenv\(([^\)]+)\)`)
- vars := &ConfigVars{}
- fmt.Printf("Reading existing variable definitions from %s\n", fullYamlPath)
- yfile, err := os.ReadFile(fullYamlPath)
- if err == nil {
- err := yaml.Unmarshal(yfile, &vars)
- if err != nil {
- log.Fatal(err)
- }
- }
-
- if err := os.Chdir("../../"); err != nil {
- log.Fatal(err)
- }
- fmt.Println("Gathering variable definitions from source")
- out, err := exec.Command("sh", "-c", "grep -RHn os.Getenv --exclude-dir=vendor | grep -v extendedEnv.go |grep \\.go").Output()
- if err != nil {
- log.Fatal(err)
- }
- lines := strings.Split(string(out), "\n")
-
- // find current vars
- currentVars := make(map[string]Variable)
- for _, l := range lines {
- fmt.Printf("Parsing %s\n", l)
- r := strings.SplitN(l, ":\t", 2)
- if len(r) != 2 || r[0] == "" || r[1] == "" {
- continue
- }
-
- res := re.FindAllSubmatch([]byte(r[1]), -1)
- if len(res) < 1 {
- fmt.Printf("Error envvar not matching pattern: %s", r[1])
- continue
- }
-
- for _, m := range res {
- path := r[0]
- name := strings.Trim(string(m[1]), "\"")
- currentVars[path+name] = Variable{
- RawName: name,
- Path: path,
- FoundInCode: true,
- Name: name,
- }
- }
- }
-
- // adjust existing vars
- for i, v := range vars.Variables {
- _, ok := currentVars[v.Path+v.RawName]
- if !ok {
- vars.Variables[i].FoundInCode = false
- continue
- }
-
- vars.Variables[i].FoundInCode = true
- delete(currentVars, v.Path+v.RawName)
- }
-
- // add new envvars
- for _, v := range currentVars {
- vars.Variables = append(vars.Variables, v)
- }
-
- less := func(i, j int) bool {
- return vars.Variables[i].Name < vars.Variables[j].Name
- }
-
- sort.Slice(vars.Variables, less)
-
- output, err := yaml.Marshal(vars)
- if err != nil {
- log.Fatal(err)
- }
- fmt.Printf("Writing new variable definitions to %s\n", fullYamlPath)
- err = os.WriteFile(fullYamlPath, output, 0666)
- if err != nil {
- log.Fatalf("could not write %s", fullYamlPath)
- }
- if err := os.Chdir(curdir); err != nil {
- log.Fatal(err)
- }
-}
-
-// RenderGlobalVarsTemplate renders the global vars template
-func RenderGlobalVarsTemplate() {
- curdir, err := os.Getwd()
- if err != nil {
- log.Fatal(err)
- }
- fullYamlPath := filepath.Join(curdir, yamlSource)
-
- content, err := os.ReadFile("../../docs/templates/ADOC_extended.tmpl")
- if err != nil {
- log.Fatal(err)
- }
-
- targetFolder := "../../docs/services/_includes/adoc/"
-
- vars := &ConfigVars{}
- fmt.Printf("Reading existing variable definitions from %s\n", fullYamlPath)
- yfile, err := os.ReadFile(fullYamlPath)
- if err != nil {
- log.Fatal(err)
- }
- err = yaml.Unmarshal(yfile, &vars)
- if err != nil {
- log.Fatal(err)
- }
-
- targetFile, err := os.Create(filepath.Join(targetFolder, "extended_configvars.adoc"))
- if err != nil {
- log.Fatalf("Failed to create target file: %s", err)
- }
- defer targetFile.Close()
-
- tpl := template.Must(template.New("").Parse(string(content)))
- if err = tpl.Execute(targetFile, *vars); err != nil {
- log.Fatalf("Failed to execute template: %s", err)
- }
-}
diff --git a/docs/helpers/extended_vars.yaml b/docs/helpers/extended_vars.yaml
deleted file mode 100644
index 36639e8a59..0000000000
--- a/docs/helpers/extended_vars.yaml
+++ /dev/null
@@ -1,170 +0,0 @@
-variables:
-- rawname: CS3_GATEWAY
- path: services/idp/pkg/backends/cs3/bootstrap/cs3.go:77
- foundincode: true
- name: CS3_GATEWAY
- type: ""
- default_value: ""
- description: ""
- do_ignore: true
-- rawname: CS3_MACHINE_AUTH_API_KEY
- path: services/idp/pkg/backends/cs3/bootstrap/cs3.go:78
- foundincode: true
- name: CS3_MACHINE_AUTH_API_KEY
- type: ""
- default_value: ""
- description: ""
- do_ignore: true
-- rawname: DAYS
- path: tests/qa-activity-report/generate-qa-activity-report.go:94
- foundincode: true
- name: DAYS
- type: ""
- default_value: ""
- description: ""
- do_ignore: true
-- rawname: _registryRegisterIntervalEnv
- path: ocis-pkg/registry/expiry.go:19
- foundincode: true
- name: EXPERIMENTAL_REGISTER_INTERVAL
- type: ""
- default_value: ""
- description: ""
- do_ignore: true
-- rawname: _registryRegisterTTLEnv
- path: ocis-pkg/registry/expiry.go:28
- foundincode: true
- name: EXPERIMENTAL_REGISTER_TTL
- type: ""
- default_value: ""
- description: ""
- do_ignore: true
-- rawname: _serverMaxConnectionAgeEnv
- path: ocis-pkg/service/grpc/keepalive.go:19
- foundincode: true
- name: GRPC_MAX_CONNECTION_AGE
- type: Duration
- default_value: "9223372036854775807"
- description: Timeout for GRPC connections. After timeout, a new connection will
- be established automatically. The default value is in ns and is about 2.5 mio
- h.
- do_ignore: false
-- rawname: MICRO_LOG_LEVEL
- path: ocis-pkg/log/log.go:34
- foundincode: true
- name: MICRO_LOG_LEVEL
- type: ""
- default_value: ""
- description: ""
- do_ignore: true
-- rawname: MICRO_LOG_LEVEL
- path: ocis-pkg/log/log.go:31
- foundincode: false
- name: MICRO_LOG_LEVEL
- type: string
- default_value: Error
- description: Set the log level for the internal go micro framework. Only change
- on supervision of ownCloud Support.
- do_ignore: false
-- rawname: MICRO_LOG_LEVEL
- path: ocis-pkg/log/log.go:30
- foundincode: true
- name: MICRO_LOG_LEVEL
- type: ""
- default_value: ""
- description: ""
- do_ignore: true
-- rawname: _registryEnv
- path: ocis-pkg/registry/registry.go:87
- foundincode: true
- name: MICRO_REGISTRY
- type: string
- default_value: nats-js-kv
- description: 'The Go micro registry type to use. Supported types are: ''memory''
- and ''nats-js-kv'' (default). Only change on supervision of ownCloud Support.'
- do_ignore: false
-- rawname: _registryAddressEnv
- path: ocis-pkg/registry/registry.go:91
- foundincode: true
- name: MICRO_REGISTRY_ADDRESS
- type: ""
- default_value: ""
- description: ""
- do_ignore: true
-- rawname: _registryAddressEnv
- path: ocis-pkg/natsjsregistry/registry.go:192
- foundincode: true
- name: MICRO_REGISTRY_ADDRESS
- type: string
- default_value: 127.0.0.1:9233
- description: The bind address of the internal go micro framework. Only change on
- supervision of ownCloud Support.
- do_ignore: false
-- rawname: _registryPasswordEnv
- path: ocis-pkg/natsjsregistry/registry.go:220
- foundincode: true
- name: MICRO_REGISTRY_AUTH_PASSWORD
- type: string
- default_value: ""
- description: Optional when using nats to authenticate with the nats cluster.
- do_ignore: false
-- rawname: _registryUsernameEnv
- path: ocis-pkg/natsjsregistry/registry.go:220
- foundincode: true
- name: MICRO_REGISTRY_AUTH_USERNAME
- type: string
- default_value: ""
- description: Optional when using nats to authenticate with the nats cluster.
- do_ignore: false
-- rawname: MONTH
- path: tests/qa-activity-report/generate-qa-activity-report.go:92
- foundincode: true
- name: MONTH
- type: ""
- default_value: ""
- description: ""
- do_ignore: true
-- rawname: OC_BASE_DATA_PATH
- path: ocis-pkg/config/defaults/paths.go:23
- foundincode: true
- name: OC_BASE_DATA_PATH
- type: string
- default_value: ""
- description: The base directory location used by several services and for user data.
- See the General Info section in the documentation for more details on defaults.
- Services can have, if available, an individual setting with an own environment
- variable.
- do_ignore: false
-- rawname: OC_CONFIG_DIR
- path: ocis-pkg/config/defaults/paths.go:56
- foundincode: true
- name: OC_CONFIG_DIR
- type: string
- default_value: ""
- description: The default directory location for config files. See the General Info
- section in the documentation for more details on defaults.
- do_ignore: false
-- rawname: RUN_CMD_TEST
- path: internal/testenv/test.go:32
- foundincode: true
- name: RUN_CMD_TEST
- type: ""
- default_value: ""
- description: ""
- do_ignore: true
-- rawname: YEAR
- path: tests/qa-activity-report/generate-qa-activity-report.go:93
- foundincode: true
- name: YEAR
- type: ""
- default_value: ""
- description: ""
- do_ignore: true
-- rawname: parts[0]
- path: ocis-pkg/config/envdecode/envdecode.go:382
- foundincode: true
- name: parts[0]
- type: ""
- default_value: ""
- description: false positive - code that extract envvars for config structs
- do_ignore: true
diff --git a/docs/helpers/main.go b/docs/helpers/main.go
deleted file mode 100644
index c0770d066f..0000000000
--- a/docs/helpers/main.go
+++ /dev/null
@@ -1,45 +0,0 @@
-package main
-
-import (
- "fmt"
- "os"
-)
-
-func main() {
- if len(os.Args) > 1 {
- switch os.Args[1] {
- case "templates":
- RenderTemplates()
- case "rogue":
- GetRogueEnvs()
- case "globals":
- RenderGlobalVarsTemplate()
- case "service-index":
- GenerateServiceIndexMarkdowns()
- case "env-var-delta-table":
- // This step is not covered by the all or default case, because it needs explicit arguments
- if len(os.Args) != 4 {
- fmt.Println("Needs two arguments: env-var-delta-table ")
- fmt.Println("Example: env-var-delta-table v5.0.0 v6.0.0")
- fmt.Println("Will not generate usable results for versions Prior to v5.0.0")
- } else {
- RenderEnvVarDeltaTable(os.Args)
- }
- case "all":
- RenderTemplates()
- GetRogueEnvs()
- RenderGlobalVarsTemplate()
- GenerateServiceIndexMarkdowns()
- case "help":
- fallthrough
- default:
- fmt.Printf("Usage: %s [templates|rogue|globals|service-index|env-var-delta-table|all|help]\n", os.Args[0])
- }
- } else {
- // Left here, even though present in the switch case, for backwards compatibility
- RenderTemplates()
- GetRogueEnvs()
- RenderGlobalVarsTemplate()
- GenerateServiceIndexMarkdowns()
- }
-}
diff --git a/docs/helpers/markdowncreation.go b/docs/helpers/markdowncreation.go
deleted file mode 100644
index 87aace4831..0000000000
--- a/docs/helpers/markdowncreation.go
+++ /dev/null
@@ -1,76 +0,0 @@
-package main
-
-import (
- "bytes"
- "errors"
- "fmt"
- "log"
- "os"
- "path/filepath"
- "text/template"
- "time"
-
- "github.com/opencloud-eu/opencloud/pkg/markdown"
-)
-
-var _configMarkdown = `{{< include file="services/_includes/%s-config-example.yaml" language="yaml" >}}
-
-{{< include file="services/_includes/%s_configvars.md" >}}
-`
-
-// GenerateServiceIndexMarkdowns generates the _index.md files for the dev docu
-func GenerateServiceIndexMarkdowns() {
- paths, err := filepath.Glob("../../services/*/README.md")
- if err != nil {
- log.Fatal(err)
- }
-
- for _, p := range paths {
- service := filepath.Base(filepath.Dir(p))
- if err := generateMarkdown(p, service); err != nil {
- fmt.Printf("error generating markdown for %s: %s\n", service, err)
- }
- }
-}
-
-func generateMarkdown(filepath string, servicename string) error {
- f, err := os.ReadFile(filepath)
- if err != nil {
- return err
- }
-
- md := markdown.NewMD(f)
- if len(md.Headings) == 0 || md.Headings[0].Level != 1 {
- return errors.New("readme has invalid format")
- }
-
- // we don't need the main title, we add in our template
- head := md.Headings[0]
- md.Headings = md.Headings[1:]
- md.Headings = append(md.Headings, markdown.Heading{
- Level: 2,
- Header: "Example Yaml Config",
- Content: fmt.Sprintf(_configMarkdown, servicename, servicename),
- })
-
- tpl := template.Must(template.ParseFiles("templates/index.tmpl"))
- b := bytes.NewBuffer(nil)
- if err := tpl.Execute(b, map[string]interface{}{
- "ServiceName": head.Header,
- "CreationTime": time.Now().Format(time.RFC3339Nano),
- "service": servicename,
- "Abstract": head.Content,
- "TocTree": md.TocString(),
- "Content": md.String(),
- }); err != nil {
- return err
- }
-
- path := fmt.Sprintf("../../docs/services/%s", servicename)
-
- if err := os.Mkdir(path, os.ModePerm); err != nil && !os.IsExist(err) {
- return err
- }
-
- return os.WriteFile(path+"/_index.md", b.Bytes(), os.ModePerm)
-}
diff --git a/docs/helpers/templates/adoc-generator.go.tmpl b/docs/helpers/templates/adoc-generator.go.tmpl
deleted file mode 100644
index 262876c5ca..0000000000
--- a/docs/helpers/templates/adoc-generator.go.tmpl
+++ /dev/null
@@ -1,272 +0,0 @@ -package main - -import ( - "fmt" - "log" - "os" - "path/filepath" - "reflect" - "regexp" - "strings" - "text/template" - "time" - "sort" - - {{- range $key, $value := .}} - pkg{{$key}} "{{$value}}" - {{- end}} -) - -// ConfigField is the representation of one configuration field -type ConfigField struct { - EnvVars []string - DefaultValue string - IntroductionVersion string - Type string - Description string - VersionInfo string - DeprecationLink string -} - -// DeprecationField holds information about deprecation -type DeprecationField struct { - DeprecationVersion string - DeprecationInfo string - DeprecationReplacement string - RemovalVersion string -} - -// EnvVar holds information about one envvar -type EnvVar struct { - Name string - IntroductionVersion string - DefaultValue string - Type string - Description string - Services []string -} - -type templateData struct { - ExtensionName string - Fields []ConfigField - Deprecations []DeprecationField - HasDeprecations bool - Timestamp string -} - -func main() { - fmt.Println("Generating adoc documentation for environment variables:") - adoc, err := os.ReadFile("../../docs/templates/ADOC.tmpl") - if err != nil { - log.Fatal(err) - } - dpr, err := os.ReadFile("../../docs/templates/ADOC_deprecation.tmpl") - if err != nil { - log.Fatal(err) - } - replacer := strings.NewReplacer( - "github.com/owncloud/ocis/v2/services/", "", - "/pkg/config/defaults", "", - ) - var ( - fields []ConfigField - deprecations []DeprecationField - adocFile *os.File - dprFile *os.File - ) - adoctpl := template.Must(template.New("").Parse(string(adoc))) - dprtpl := template.Must(template.New("").Parse(string(dpr))) - - m := map[string]interface{}{ - {{- range $key, $value := .}} - "{{$value}}": *pkg{{$key}}.FullDefaultConfig(), - {{- end }} - } - - targetFolder := "../../docs/services/_includes/adoc/" - all := make(map[string]EnvVar) - for pkg, conf := range m { - service := replacer.Replace(pkg) - timestamp := 
time.Now().Format("2006-01-02-15-04-05") - fields, deprecations = GetAnnotatedVariables(conf, timestamp) - var hasDeprecations bool - if len(deprecations) > 0 { - hasDeprecations = true - } - - for _, f := range fields { - for _, e := range f.EnvVars { - if env, ok := all[e]; ok { - env.Services = append(env.Services, service) - sort.Slice(env.Services, func(i, j int) bool { - return env.Services[i] < env.Services[j] - }) - all[e] = env - } else { - all[e] = EnvVar{ - Name: e, - IntroductionVersion: replaceEnvVarPlaceHolder(f.IntroductionVersion), - Description: f.Description, - Type: f.Type, - DefaultValue: f.DefaultValue, - Services: []string{service}, - } - } - } - } - - if len(fields) > 0 || len(deprecations) > 0 { - fmt.Printf("... %s\n", pkg) - td := templateData{ - ExtensionName: service, - Fields: fields, - Deprecations: deprecations, - HasDeprecations: hasDeprecations, - Timestamp: timestamp, - } - adocFile, err = os.Create(filepath.Join(targetFolder, service + "_configvars.adoc")) - if err != nil { - log.Fatalf("Failed to create target file: %s", err) - } - defer adocFile.Close() - - if err := adoctpl.Execute(adocFile, td); err != nil { - log.Fatalf("Failed to execute template: %s", err) - } - - dprFile, err = os.Create(filepath.Join(targetFolder, service + "_deprecation.adoc")) - if err != nil { - log.Fatalf("Failed to create target file: %s", err) - } - defer dprFile.Close() - - if err := dprtpl.Execute(dprFile, td); err != nil { - log.Fatalf("Failed to execute template: %s", err) - } - } - } - - // render global env vars - tmplValues := make([]map[string]interface{}, 0) - for _, env := range all { - if len(env.Services) > 1 { - tmplValues = append(tmplValues, map[string]interface{}{ - "Name": env.Name, - "IntroductionVersion": replaceEnvVarPlaceHolder(env.IntroductionVersion), - "Services": env.Services, - "Description": env.Description, - "DefaultValue": env.DefaultValue, - "Type": env.Type, - }) - } - } - - // sort - sort.Slice(tmplValues, func(i, j 
int) bool { - return tmplValues[i]["Name"].(string) < tmplValues[j]["Name"].(string) - }) - - glc, err := os.ReadFile("../../docs/templates/ADOC_global.tmpl") - if err != nil { - log.Fatal(err) - } - - gltpl := template.Must(template.New("").Parse(string(glc))) - glfile, err := os.Create(filepath.Join(targetFolder, "global_configvars.adoc")) - if err != nil { - log.Fatalf("Failed to create target file: %s", err) - } - - if err := gltpl.Execute(glfile, tmplValues); err != nil { - log.Printf("Failed to execute template: %s", err) - } - - fmt.Println("done") -} - -func replaceEnvVarPlaceHolder(s string) string { - return strings.Replace( - strings.Replace(s, "%%NEXT%%", "next", -1), - "%%NEXT_PRODUCTION_VERSION%%", - "next-prod", - -1, - ) -} - -func GetAnnotatedVariables(s interface{}, timestamp string) ([]ConfigField, []DeprecationField) { - t := reflect.TypeOf(s) - v := reflect.ValueOf(s) - - var fields []ConfigField - var deprecations []DeprecationField - for i := 0; i < t.NumField(); i++ { - field := t.Field(i) - value := v.Field(i) - - switch value.Kind() { - default: - desc := field.Tag.Get("desc") - env, ok := field.Tag.Lookup("env") - deprecationLink := "" - if !ok { - continue - } - introductionVersion, _ := field.Tag.Lookup("introductionVersion") - deprecationVersion, _ := field.Tag.Lookup("deprecationVersion") - removalVersion, _ := field.Tag.Lookup("removalVersion") - deprecationInfo, _ := field.Tag.Lookup("deprecationInfo") - deprecationReplacement, _ := field.Tag.Lookup("deprecationReplacement") - if deprecationVersion != "" || - removalVersion != "" || - deprecationInfo != "" || - deprecationReplacement != "" { - deprecationLink = fmt.Sprintf("xref:deprecation-note-%s[Deprecation Note]", timestamp) - } - v := fmt.Sprintf("%v", value.Interface()) - td := strings.Split(env, ";") - // re := regexp.MustCompile(`^(https?:\/\/)`) - // v = re.ReplaceAllString(v,"\\$1") - re := regexp.MustCompile(`(https?:\/\/)`) - desc = re.ReplaceAllString(desc, "\\$1") - re 
= regexp.MustCompile(`(\|)`) - v = re.ReplaceAllString(v, "\\$1") - typeName := value.Type().Name() - if typeName == "" { - typeName = value.Type().String() - } - fields = append(fields, - ConfigField{ - EnvVars: td, - IntroductionVersion: replaceEnvVarPlaceHolder(introductionVersion), - DefaultValue: v, - Description: desc, - Type: typeName, - DeprecationLink: deprecationLink, - }) - if deprecationLink != "" { - deprecations = append(deprecations, - DeprecationField{ - DeprecationVersion: replaceEnvVarPlaceHolder(deprecationVersion), - DeprecationInfo: deprecationInfo, - DeprecationReplacement: deprecationReplacement, - RemovalVersion: replaceEnvVarPlaceHolder(removalVersion), - }) - } - case reflect.Ptr: - // PolicySelectors in the Proxy are being skipped atm - // they are not configurable via env vars, if that changes - // they are probably added to the Sanitize() function - // and this should not be an issue then - if !value.IsZero() && value.Elem().CanInterface() { - f, d := GetAnnotatedVariables(value.Elem().Interface(), timestamp) - fields = append(fields, f...) - deprecations = append(deprecations, d...) - } - case reflect.Struct: - f, d := GetAnnotatedVariables(value.Interface(), timestamp) - fields = append(fields, f...) - deprecations = append(deprecations, d...) - } - } - return fields, deprecations -} diff --git a/docs/helpers/templates/env-vars-added.md.tmpl b/docs/helpers/templates/env-vars-added.md.tmpl deleted file mode 100644 index 5e3725933a..0000000000 --- a/docs/helpers/templates/env-vars-added.md.tmpl +++ /dev/null @@ -1,7 +0,0 @@ -Added between Version {{ .StartVersion }} and {{ .EndVersion }}. - -| Variable | Description | -| --- | --- | -{{- range $key, $value := .DeltaFields}} -| {{$value.Name}} | {{$value.Description}} | -{{- end}} diff --git a/docs/helpers/templates/env-vars-deprecated.md.tmpl b/docs/helpers/templates/env-vars-deprecated.md.tmpl deleted file mode 100644 index 53c42afd64..0000000000 
--- a/docs/helpers/templates/env-vars-deprecated.md.tmpl +++ /dev/null @@ -1,7 +0,0 @@ -Deprecated between Version {{ .StartVersion }} and {{ .EndVersion }}. - -| Variable | Description | Deprecation Info | -| --- | --- | -{{- range $key, $value := .DeltaFields}} -| {{$value.Name}} | {{$value.Description}} | {{$value.DeprecationInfo}} | -{{- end}} diff --git a/docs/helpers/templates/env-vars-removed.md.tmpl b/docs/helpers/templates/env-vars-removed.md.tmpl deleted file mode 100644 index c342027873..0000000000 --- a/docs/helpers/templates/env-vars-removed.md.tmpl +++ /dev/null @@ -1,7 +0,0 @@ -Removed between Version {{ .StartVersion }} and {{ .EndVersion }}. - -| Variable | Description | Deprecation Info | -| --- | --- | -{{- range $key, $value := .DeltaFields}} -| {{$value.Name}} | {{$value.Description}} | {{$value.DeprecationInfo}} | -{{- end}} diff --git a/docs/helpers/templates/envar-delta-table.go.tmpl b/docs/helpers/templates/envar-delta-table.go.tmpl deleted file mode 100644 index fe173e6a57..0000000000 --- a/docs/helpers/templates/envar-delta-table.go.tmpl +++ /dev/null 
@@ -1,154 +0,0 @@ -package main - -import ( - "fmt" - "gopkg.in/yaml.v2" - "html" - "reflect" - "strings" - "log" - "os" - "path/filepath" - - {{- range $key, $value :=.}} - pkg{{$key}} "{{$value}}" - {{- end}} -) - -const yamlSource = "env_vars.yaml" - -type ConfigField struct { - Name string `yaml:"name"` - DefaultValue string `yaml:"defaultValue"` - Type string `yaml:"type"` - Description string `yaml:"description"` - IntroductionVersion string `yaml:"introductionVersion"` - DeprecationVersion string `yaml:"deprecationVersion"` - RemovalVersion string `yaml:"removalVersion"` - DeprecationInfo string `yaml:"deprecationInfo"` -} - -func main() { - fmt.Println("Generating tables for env-var deltas...") - curdir, err := os.Getwd() - if err != nil { - log.Fatal(err) - } - fullYamlPath := filepath.Join(curdir, yamlSource) - var fields []ConfigField - configFields := make(map[string]*ConfigField) - fmt.Printf("Reading existing variable definitions from %s\n", fullYamlPath) - yfile, err := os.ReadFile(fullYamlPath) - if err == nil { - err := yaml.Unmarshal(yfile, configFields) - if err != nil { - log.Fatal(err) - } - } - m := map[string]interface{}{ - {{- range $key, $value := .}} - "{{$value}}": *pkg{{$key}}.FullDefaultConfig(), - {{- end }} - } - for _, conf := range m { - fields = GetAnnotatedVariables(conf) - for _, field := range fields { - variants := strings.Split(field.Name, ";") - for _, variant := range variants { - if (configFields[variant] != nil && configFields[variant].Name == "") || configFields[variant] == nil { - configFields[variant] = &field - } else { - fmt.Printf("%v, duplicate key, merging\n", variant) - if strings.TrimSpace(configFields[variant].DefaultValue) != "" && configFields[variant].DefaultValue != field.DefaultValue { - configFields[variant].DefaultValue = field.DefaultValue - } - if strings.TrimSpace(configFields[variant].Description) != "" && configFields[variant].Description != field.Description { - configFields[variant].Description = 
field.Description - } - if strings.TrimSpace(configFields[variant].Type) != "" && configFields[variant].Type != field.Type { - configFields[variant].Type = field.Type - } - if strings.TrimSpace(configFields[variant].IntroductionVersion) != "" && configFields[variant].IntroductionVersion != field.IntroductionVersion { - configFields[variant].IntroductionVersion = field.IntroductionVersion - } - if strings.TrimSpace(configFields[variant].DeprecationVersion) != "" && configFields[variant].DeprecationVersion != field.DeprecationVersion { - configFields[variant].DeprecationVersion = field.DeprecationVersion - } - if strings.TrimSpace(configFields[variant].RemovalVersion) != "" && configFields[variant].RemovalVersion != field.RemovalVersion { - configFields[variant].RemovalVersion = field.RemovalVersion - } - if strings.TrimSpace(configFields[variant].Name) != "" && configFields[variant].Name != field.Name { - configFields[variant].Name = field.Name - } - if strings.TrimSpace(configFields[variant].DeprecationInfo) != "" && configFields[variant].DeprecationInfo != field.DeprecationInfo { - // there might be multiple superseeding DeprecationInformations, we might want to keep track of those, that's why we are not overwriting the field - configFields[variant].DeprecationInfo = configFields[variant].DeprecationInfo + " | " + field.DeprecationInfo - } - } - } - } - } - - output, err := yaml.Marshal(configFields) - if err != nil { - log.Fatalf("Could not marshall variables: %v", err) - } - err = os.WriteFile(fullYamlPath, output, 0666) - if err != nil { - log.Fatalf("could not write %s", fullYamlPath) - } - if err := os.Chdir(curdir); err != nil { - log.Fatal(err) - } -} - -func GetAnnotatedVariables(s interface{}) []ConfigField { - t := reflect.TypeOf(s) - v := reflect.ValueOf(s) - - var fields []ConfigField - for i := 0; i < t.NumField(); i++ { - field := t.Field(i) - value := v.Field(i) - - switch value.Kind() { - default: - desc := field.Tag.Get("desc") - env, ok := 
field.Tag.Lookup("env") - if !ok { - continue - } - introductionVersion := field.Tag.Get("introductionVersion") - deprecationVersion := field.Tag.Get("deprecationVersion") - removalVersion := field.Tag.Get("removalVersion") - deprecationInfo := field.Tag.Get("deprecationInfo") - v := fmt.Sprintf("%v", value.Interface()) - typeName := value.Type().Name() - if typeName == "" { - typeName = value.Type().String() - } - //fields = append(fields, ConfigField{Name: strings.ReplaceAll(env, ";", "
"), DefaultValue: html.EscapeString(strings.Replace(v, "|", "\\|", -1)), Description: desc, Type: typeName}) - fields = append(fields, ConfigField{ - Name: env, - DefaultValue: html.EscapeString(strings.Replace(v, "|", "\\|", -1)), - Description: desc, - Type: typeName, - IntroductionVersion: introductionVersion, - DeprecationVersion: deprecationVersion, - RemovalVersion: removalVersion, - DeprecationInfo: deprecationInfo, - }) - case reflect.Ptr: - // PolicySelectors in the Proxy are being skipped atm - // they are not configurable via env vars, if that changes - // they are probably added to the Sanitize() function - // and this should not be an issue then - if !value.IsZero() && value.Elem().CanInterface() { - fields = append(fields, GetAnnotatedVariables(value.Elem().Interface())...) - } - case reflect.Struct: - fields = append(fields, GetAnnotatedVariables(value.Interface())...) - } - } - return fields -} diff --git a/docs/helpers/templates/environment-variable-docs-generator.go.tmpl b/docs/helpers/templates/environment-variable-docs-generator.go.tmpl deleted file mode 100644 index 475a6d760d..0000000000 --- a/docs/helpers/templates/environment-variable-docs-generator.go.tmpl +++ /dev/null 
@@ -1,97 +0,0 @@ -package main - -import ( - "fmt" - "html" - "log" - "os" - "path/filepath" - "reflect" - "strings" - "text/template" - - {{- range $key, $value := .}} - pkg{{$key}} "{{$value}}" - {{- end}}) - -type ConfigField struct { - Name string - DefaultValue string - Type string - Description string -} - -func main() { -fmt.Println("Generating documentation for environment variables:") -content, err := os.ReadFile("../../docs/templates/CONFIGURATION.tmpl") -if err != nil { - log.Fatal(err) -} -replacer := strings.NewReplacer( - "github.com/owncloud/ocis/v2/services/", "", - "/pkg/config/defaults", "", - ) -var fields []ConfigField -var targetFile *os.File -tpl := template.Must(template.New("").Parse(string(content))) - -m := map[string]interface{}{ -{{- range $key, $value := .}} - "{{$value}}": *pkg{{$key}}.FullDefaultConfig(), -{{- end }} -} - - targetFolder := "../../docs/services/_includes/" - for pkg, conf := range m { - fields = GetAnnotatedVariables(conf) - if len(fields) > 0 { - fmt.Printf("... %s\n", pkg) - targetFile, err = os.Create(filepath.Join(targetFolder, replacer.Replace(pkg) + "_configvars.md")) - if err != nil { - log.Fatalf("Failed to create target file: %s", err) - } - defer targetFile.Close() - if err := tpl.Execute(targetFile, fields); err != nil { - log.Fatalf("Failed to execute template: %s", err) - } - } - } - fmt.Println("done") -} - -func GetAnnotatedVariables(s interface{}) []ConfigField { - t := reflect.TypeOf(s) - v := reflect.ValueOf(s) - - var fields []ConfigField - for i := 0; i < t.NumField(); i++ { - field := t.Field(i) - value := v.Field(i) - - switch value.Kind() { - default: - desc := field.Tag.Get("desc") - env, ok := field.Tag.Lookup("env") - if !ok { - continue - } - v := fmt.Sprintf("%v", value.Interface()) - typeName := value.Type().Name() - if typeName == "" { - typeName = value.Type().String() - } - fields = append(fields, ConfigField{Name: strings.ReplaceAll(env, ";", "
"), DefaultValue: html.EscapeString(strings.Replace(v, "|", "\\|", -1)), Description: desc, Type: typeName}) - case reflect.Ptr: - // PolicySelectors in the Proxy are being skipped atm - // they are not configurable via env vars, if that changes - // they are probably added to the Sanitize() function - // and this should not be an issue then - if !value.IsZero() && value.Elem().CanInterface() { - fields = append(fields, GetAnnotatedVariables(value.Elem().Interface())...) - } - case reflect.Struct: - fields = append(fields, GetAnnotatedVariables(value.Interface())...) - } - } - return fields -} diff --git a/docs/helpers/templates/example-config-generator.go.tmpl b/docs/helpers/templates/example-config-generator.go.tmpl deleted file mode 100644 index c678a46ff0..0000000000 --- a/docs/helpers/templates/example-config-generator.go.tmpl +++ /dev/null 
@@ -1,50 +0,0 @@ -package main - -import ( - "fmt" - "log" - "os" - "path/filepath" - "strings" - - "gopkg.in/yaml.v2" - {{- range $key, $value := .}} - pkg{{$key}} "{{$value}}" - {{- end}} -) - -func main() { - replacer := strings.NewReplacer( - "github.com/owncloud/ocis/v2/services/", "", - "/pkg/config/defaults", "", - ) - cfg := map[string]string{ - {{- range $key, $value := .}} - replacer.Replace("{{$value}}"): func() string { - fmt.Println("Generating example YAML config for {{ $value -}}") - c := pkg{{$key}}.FullDefaultConfig() - yml, err := yaml.Marshal(c) - if err != nil { - log.Fatalf("Marshalling yaml for pkg0 failed: %s\n", err) - } - return fmt.Sprintf("# Autogenerated\n# Filename: %s-config-example.yaml\n\n%s", replacer.Replace("{{ $value }}"),string(yml)) - }(), - {{- end}} - } - for pkg, yml := range cfg { - targetFolders := []string{ - // TODO: comment in when it is clear how to commit this to the structure of the master|main branch - // filepath.Join("../../", pkg, "/config"), - "../../docs/services/_includes/", - } - for _, targetFolder := range targetFolders { - os.MkdirAll(targetFolder, 0700) - targetYamlFile, err := os.Create(filepath.Join(targetFolder, replacer.Replace(pkg) + "-config-example.yaml")) - if err != nil { - log.Fatalf("Failed to create target file for : %s", err) - } - defer targetYamlFile.Close() - targetYamlFile.WriteString(yml) - } - } -} diff --git a/docs/helpers/templates/index.tmpl b/docs/helpers/templates/index.tmpl deleted file mode 100644 index 2c011dc652..0000000000 --- a/docs/helpers/templates/index.tmpl +++ /dev/null @@ -1,19 +0,0 @@ ---- -title: {{ .ServiceName }} -date: {{ .CreationTime }} -weight: 20 -geekdocRepo: https://github.com/owncloud/ocis -geekdocEditPath: edit/master/services/{{ .service }} -geekdocFilePath: README.md -geekdocCollapseSection: true ---- - - - -## Abstract - -{{ .Abstract }} -## Table of Contents - -{{ .TocTree }} -{{ .Content }} 
diff --git a/docs/mutagen.yml b/docs/mutagen.yml
deleted file mode 100644
index 09c2d9b885..0000000000
--- a/docs/mutagen.yml
+++ /dev/null
@@ -1,14 +0,0 @@
-sync:
- docs:
- mode: one-way-replica
- alpha: .
- beta: ./hugo/content
- flushOnCreate: true
- ignore:
- paths:
- - .gitignore
- - mutagen.yml
- - mutagen.yml.lock
- - hugo
- - README.md
- - Makefile
diff --git a/docs/ocis/.gitignore b/docs/ocis/.gitignore
deleted file mode 100644
index 422034a72a..0000000000
--- a/docs/ocis/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-configuration.md
\ No newline at end of file
diff --git a/docs/ocis/_index.md b/docs/ocis/_index.md
deleted file mode 100644
index 256f547a70..0000000000
--- a/docs/ocis/_index.md
+++ /dev/null
@@ -1,67 +0,0 @@
----
-title: "oCIS - ownCloud Infinite Scale"
-date: 2020-02-27T20:35:00+01:00
-weight: -10
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs
-geekdocFilePath: _index.md
-geekdocCollapseSection: true
----
-
-{{< figure class="floatright" src="/media/is.png" width="70%" height="auto" >}}
-
-## ownCloud Infinite Scale
-Welcome to oCIS, the modern file-sync and share platform, which is based on our knowledge and experience with the PHP based [ownCloud server](https://owncloud.com/#server).
-
-### The idea of federated storage
-To create a truly federated storage architecture oCIS breaks down the old ownCloud 10 user specific namespace, which is assembled on the server side, and makes the individual parts accessible to clients as storage spaces and storage space registries.
-
-The diagram below shows the core concepts that are the foundation for the new architecture:
-- End user devices can fetch the list of *storage spaces* a user has access to, by querying one or multiple *storage space registries*. The list contains a unique endpoint for every *storage space*.
-- [*Storage space registries*]({{< ref "./storage/terminology#storage-space-registries" >}}) manage the list of storage spaces a user has access to. They may subscribe to *storage spaces* in order to receive notifications about changes on behalf of an end users mobile or desktop client.
-- [*Storage spaces*]({{< ref "./storage/terminology#storage-spaces" >}}) represent a collection of files and folders. A users personal files are contained in a *storage space*, a group or project drive is a *storage space*, and even incoming shares are treated and implemented as *storage spaces*. Each with properties like owners, permissions, quota and type.
-- [*Storage providers*]({{< ref "./storage/terminology#storage-providers" >}}) can hold multiple *storage spaces*. At an oCIS instance, there might be a dedicated *storage provider* responsible for users personal storage spaces. There might be multiple, either to shard the load, provide different levels of redundancy or support custom workflows. Or there might be just one, hosting all types of *storage spaces*.
-
-{{< figure src="/ocis/static/idea.drawio.svg" >}}
-
-As an example, Einstein might want to share something with Marie, who has an account at a different identity provider and uses a different storage space registry. The process makes use of [OpenID Connect (OIDC)](https://openid.net/specs/openid-connect-core-1_0.html) for authentication and would look something like this:
-
-To share something with Marie, Einstein would open `https://cloud.zurich.test`. His browser loads oCIS web and presents a login form that uses the [OpenID Connect Discovery](https://openid.net/specs/openid-connect-discovery-1_0.html#EmailSyntax) to look up the OIDC issuer. For `einstein@zurich.test` he will end up at `https://idp.zurich.test`, authenticate and get redirected back to `https://cloud.zurich.test`. Now, oCIS web will use a similar discovery to look up the *storage space registry* for the account, based on the email (or username). He will discover that `https://cloud.zurich.test` is also his *storage registry* that the web UI will use to load the list of *storage spaces* that are available to him.
-
-After locating a folder that he wants to share with Marie he enters her email `marie@paris.test` in the sharing dialog to grant her the editor role. This, in effect, creates a new *storage space* that is registered with the *storage space registry* at `https://cloud.zurich.test`.
-
-Einstein copies the URL in the browser (or an email with the same URL is sent automatically, or the storage registries use a back-channel mechanism). It contains the most specific `storage space id` and a path relative to it: `https://cloud.zurich.test/#/spaces/716199a6-00c0-4fec-93d2-7e00150b1c84/a/rel/path`.
-
-When Marie enters that URL she will be presented with a login form on the `https://cloud.zurich.test` instance, because the share was created on that domain. If `https://cloud.zurich.test` trusts her OpenID Connect identity provider `https://idp.paris.test` she can log in. This time, the *storage space registry* discovery will come up with `https://cloud.paris.test` though. Since that registry is different than the registry tied to `https://cloud.zurich.test` oCIS web can look up the *storage space* `716199a6-00c0-4fec-93d2-7e00150b1c84` and register the WebDAV URL `https://cloud.zurich.test/dav/spaces/716199a6-00c0-4fec-93d2-7e00150b1c84/a/rel/path` in Marie's *storage space registry* at `https://cloud.paris.test`. When she accepts that share her clients will be able to sync the new *storage space* at `https://cloud.zurich.test`.
-
-### oCIS microservice runtime
-
-The oCIS runtime allows us to dynamically manage services running in a single process. We use [suture](https://github.com/thejerf/suture) to create a supervisor tree that starts each service in a dedicated goroutine. By default oCIS will start all built-in oCIS services in a single process. Individual services can be moved to other nodes to scale-out and meet specific performance requirements. A [go-micro](https://github.com/asim/go-micro/blob/master/registry/registry.go) based registry allows services in multiple nodes to form a distributed microservice architecture.
-
-### oCIS Services
-
-Every oCIS service uses [ocis-pkg](https://github.com/owncloud/ocis/tree/master/ocis-pkg), which implements the [go-micro](https://go-micro.dev/) interfaces for [servers](https://github.com/asim/go-micro/blob/v3.5.0/server/server.go#L17-L37) to register and [clients](https://github.com/asim/go-micro/blob/v3.5.0/client/client.go#L11-L23) to lookup nodes with a service [registry](https://github.com/asim/go-micro/blob/v3.5.0/registry/registry.go).
-We are following the [12 Factor](https://12factor.net/) methodology with oCIS. The uniformity of services also allows us to use the same command, logging and configuration mechanism. Configurations are forwarded from the
-oCIS runtime to the individual extensions.
-
-
-### go-micro
-
-While the [go-micro](https://go-micro.dev/) framework provides abstractions as well as implementations for the different components in a microservice architecture, it uses a more developer focused runtime philosophy: It is used to download services from a repo, compile them on the fly and start them as individual processes. For oCIS we decided to use a more admin friendly runtime: You can download a single binary and start the contained oCIS services with a single `bin/ocis server`. This also makes packaging easier.
-
-We use [ocis-pkg](https://github.com/owncloud/ocis/tree/master/ocis-pkg) to configure the default implementations for the go-micro [grpc server](https://github.com/asim/go-micro/tree/v3.5.0/plugins/server/grpc), [client](https://github.com/asim/go-micro/tree/v3.5.0/plugins/client/grpc) and [mdns registry](https://github.com/asim/go-micro/blob/v3.5.0/registry/mdns_registry.go), swapping them out as needed, e.g. to use the [kubernetes registry plugin](https://github.com/asim/go-micro/tree/v3.5.0/plugins/registry/kubernetes).
-
-### REVA
-A lot of embedded services in oCIS are built upon the [REVA](https://reva.link/) runtime. We decided to bundle some of the [CS3 services](https://github.com/cs3org/cs3apis) to logically group them. A [home storage provider](https://github.com/owncloud/ocis/blob/v1.2.0/storage/pkg/command/storagehome.go#L93-L108), which is dealing with [metadata](https://cs3org.github.io/cs3apis/#cs3.storage.provider.v1beta1.ProviderAPI), and the corresponding [data provider](https://github.com/owncloud/ocis/blob/v1.2.0/storage/pkg/command/storagehome.go#L109-L123), which is dealing with [up and download](https://cs3org.github.io/cs3apis/#cs3.gateway.v1beta1.FileUploadProtocol), are one example. The [frontend](https://github.com/owncloud/ocis/blob/v1.2.0/storage/pkg/command/frontend.go) with the [oc flavoured webdav](https://github.com/owncloud/ocis/blob/v1.2.0/storage/pkg/command/frontend.go#L132-L138), [ocs handlers](https://github.com/owncloud/ocis/blob/v1.2.0/storage/pkg/command/frontend.go#L139-L148) and a [data-gateway](https://github.com/owncloud/ocis/blob/v1.2.0/storage/pkg/command/frontend.go#L126-L131) are another.
-
-### Protocol driven development
-Interacting with oCIS involves a multitude af APIs. The server and all clients rely on [OpenID Connect](https://openid.net/connect/) for authentication. The [embedded LibreGraph Connect](https://owncloud.dev/services/idp/) can be replaced with any other OpenID Connect Identity Provider. Clients use the [WebDAV](http://webdav.org/) based [oc sync protocol](https://github.com/cernbox/smashbox/blob/master/protocol/protocol.md) to manage files and folders, [ocs to manage shares](https://doc.owncloud.com/server/developer_manual/core/apis/ocs-share-api.html) and [TUS](https://tus.io/protocols/resumable-upload.html) to upload files in a resumable way. On the server side [REVA](https://reva.link/) is the reference implementation of the [CS3 apis](https://github.com/cs3org/cs3apis) which is defined using [protobuf](https://developers.google.com/protocol-buffers/). By embedding [libregraph/idm](https://github.com/libregraph/idm), oCIS provides a [LDAP](https://tools.ietf.org/html/rfc2849) interface to make accounts, including guests available to firewalls and other systems. In the future, we are looking into [the Microsoft Graph API](https://docs.microsoft.com/en-us/graph/api/overview?view=graph-rest-1.0), which is based on [odata](http://docs.oasis-open.org/odata/odata/v4.0/odata-v4.0-part1-protocol.html), as a well-defined REST/JSON dialect for the existing endpoints.
-
-### Acceptance test suite
-We run a huge [test suite](https://github.com/owncloud/core/tree/master/tests), which originated in ownCloud 10 and continues to grow. A detailed description can be found in the developer docs for [testing]({{< ref "development/testing" >}}).
-
-### Architecture Overview
-
-Running `bin/ocis server` will start the following services, all of which can be scaled and deployed on a single node or in a cloud native environment, as needed.
-
-{{< figure src="/ocis/static/architecture-overview.drawio.svg" >}}
diff --git a/docs/ocis/adr/0001-introduce-accounts-service.md b/docs/ocis/adr/0001-introduce-accounts-service.md
deleted file mode 100644
index 8aca5b16c7..0000000000
--- a/docs/ocis/adr/0001-introduce-accounts-service.md
+++ /dev/null
@@ -1,50 +0,0 @@
----
-title: "1. Introduce an accounts service"
-weight: 1
-date: 2020-06-15T20:21:00+01:00
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/ocis/adr
-geekdocFilePath: 0001-introduce-accounts-service.md
----
-
-* Status: superseded by [ADR-0003]({{< ref "0003-external-user-management.md" >}})
-* Deciders: [@butonic](https://github.com/butonic), [@felixboehm](https://github.com/felixboehm), [@micbar](https://github.com/micbar), [@pmaier1](https://github.com/pmaier1)
-* Date: [2020-06-15](https://github.com/owncloud/ocis-accounts/pull/34/commits/2fd05e2b6fe2a47c687bd0c0bc5e1b5c48a585b2)
-
-Technical Story: [persist accounts](https://github.com/owncloud/ocis-accounts/pull/34)
-
-## Context and Problem Statement
-
-To attach metadata like shares to users ownCloud relies on persistent, non-reassignable, unique identifiers for users (and files). Email und username can change when a user changes his name. But even the OIDC sub+iss combination may change when the IdP changes. While there is [an account porting protocol](https://openid.net/specs/openid-connect-account-porting-1_0.html) that describes how a relying party (RP) such as ownCloud should behave, it still requires the RP to maintain its own user identifiers.
-
-## Decision Drivers
-
-* oCIS should be a single binary that can run out of the box without external dependencies like an LDAP server.
-* Time: we want to build a release candidate asap.
-* Firewalls need access to guests, typically via LDAP.
-* Not all external LDAPs are writeable for us to provision Guest accounts.
-* We see multiple LDAP servers in deployments. Being able to handle them is important and should be covered by using OIDC + being able to query multiple LDAP servers.
-
-## Considered Options
-
-* Accounts service wraps LDAP
-* [GLAuth](https://github.com/glauth/glauth) wraps accounts service
-
-## Decision Outcome
-
-Chosen option: "GLAuth wraps accounts service", because we need write access to provision guest accounts and GLAuth currently has no write support.
-
-### Positive Consequences
-
-* We can build a self-contained user management in the accounts service and can adjust it to our requirements.
-* We do not rely on an LDAP server which would only be possible by implementing write support in the LDAP libraries used by GLAuth (hard to estimate effort, when will that be merged upstream).
-
-### Negative Consequences
-
-* We need to spend time on implementing user management
-
-## Pros and Cons of the Options
-
-### Accounts service wraps LDAP
-
-* Bad, because not all external LDAPs are writeable for us to provision Guest accounts.
diff --git a/docs/ocis/adr/0002-persist-accounts-using-cs3-storage.md b/docs/ocis/adr/0002-persist-accounts-using-cs3-storage.md
deleted file mode 100644
index dfbe8b9f7b..0000000000
--- a/docs/ocis/adr/0002-persist-accounts-using-cs3-storage.md
+++ /dev/null
@@ -1,36 +0,0 @@
----
-title: "2. Persist accounts in a CS3 storage"
-weight: 2
-date: 2020-08-21T20:21:00+01:00
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/ocis/adr
-geekdocFilePath: 0002-persist-accounts-using-cs3-storage.md
----
-
-* Status: accepted
-* Deciders: [@butonic](https://github.com/butonic), [@felixboehm](https://github.com/felixboehm)
-* Date: 2020-08-21
-
-Technical Story: [File system based indexing](https://github.com/owncloud/ocis-accounts/pull/92)
-
-## Context and Problem Statement
-
-To set up High Availability (HA) or a geo-replicated setup we need to persist accounts in a distributed way. To efficiently query the accounts by email or username, and not only by id, they need to be indexed. Unfortunately, the [bleve](https://github.com/blevesearch/bleve) index we currently store locally on disk cannot be shared by multiple instances, preventing a scale out deployment.
-
-## Considered Options
-
-* Look into distributed bleve
-* Persist users in a CS3 storage
-
-## Decision Outcome
-
-Chosen option: "Persist users in a CS3 storage", because we have one service less running and can rely on the filesystem for geo-replication and HA.
-
-### Positive Consequences
-
-* We can store accounts on the storage using the CS3 API, pushing geo-distribution to the storage layer.
-* Backups of users and storage can be implemented without inconsistencies between using snapshots.
-
-### Negative Consequences
-
-* We need to spend time on implementing a reverse index based on files, and symlinks.
diff --git a/docs/ocis/adr/0003-external-user-management.md b/docs/ocis/adr/0003-external-user-management.md
deleted file mode 100644
index 7d914500b0..0000000000
--- a/docs/ocis/adr/0003-external-user-management.md
+++ /dev/null
@@ -1,115 +0,0 @@
----
-title: "3. Use external User Management"
-weight: 3
-date: 2020-12-09T20:21:00+01:00
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/ocis/adr
-geekdocFilePath: 0003-external-user-management.md
----
-
-* Status: superseded by [17. Allow read only external User Management]({{< ref "0017-allow-read-only-external-user-management.md" >}})
-* Deciders: [@butonic](https://github.com/butonic), [@micbar](https://github.com/micbar), [@dragotin](https://github.com/dragotin), [@hodyroff](https://github.com/hodyroff), [@pmaier1](https://github.com/pmaier1)
-* Date: 2022-02-08
-
-Technical Story: [Skip account-service by talking to CS3 user-api](https://github.com/owncloud/ocis/pull/1020)
-
-## Context and Problem Statement
-
-To attach metadata like shares to users ownCloud relies on persistent, non-reassignable, unique identifiers for users (and files). Email and username can change when a user changes his name. But even the OIDC sub+iss combination may change when the IdP changes. While there is [an account porting protocol](https://openid.net/specs/openid-connect-account-porting-1_0.html) that describes how a relying party (RP) such as ownCloud should behave, it still requires the RP to maintain its own user identifiers.
-
-## Decision Drivers
-
-* oCIS should be a single binary that can run out of the box without external dependencies like an LDAP server.
-* Time: we want to build a release candidate asap.
-* oCIS should be able to be easily integrated with standard user management components
-
-## Considered Options
-
-* Accounts service wraps LDAP
-* [GLAuth](https://github.com/glauth/glauth) wraps accounts service
-
-## Decision Outcome
-
-Chosen option: "Move accounts functionality to GLAuth and name it accounts", by moving the existing accounts service file based persistence to GLAuth and use it as a drop in replacement for an LDAP server. The reverse index and web UI existing in the accounts service will move as well in order to make GLAuth a standalone, small scale user management with write capabilities.
-
-### Product summary
-- GLAuth is a drop in user management for small scale deployments that do not rely on an actual LDAP server.
-- oCIS admins can either use the web UI to manage users in GLAuth or use existing tools in their IDM.
-- We hide the complexity by embedding an OpenID Provider, an LDAP server and a user management web UI.
-
-### Resulting deployment options
-- Use internal user management
- - Recommended for small scale use cases and simple deployments
- - Users, groups and roles are stored and managed within GLAuth
-- Use external user management
- - Recommended for mid and large scale use cases
- - Users, groups and roles are stored and managed within an external LDAP / AD / IDM
- - Separate oCIS and LDAP admin: oCIS admin relies on the LDAP admin to manage users
-- User permissions for roles are always managed in oCIS (settings service) because they are specific to oCIS
-
-### Resulting technical implications
-- Make the file based reverse index a standalone library
-- Contribute to GLAuth
- - Add ms graph based rest API to manage users, groups and roles (the LDAP lib is currently readonly)
- - Add web UI to glauth that uses the ms graph based rest API to manage users
- - Add a backend that uses the file based reverse index, currently living in the oCIS accounts service
- - Move fallback mechanism from ocis/glauth service to upstream GLAuth to support multiple LDAP servers
- - Make it a chain to support more than two LDAP servers
- - Document the implications for merging result sets when searching for recipients
- - At least one writeable backend is needed to support creating guest accounts
-- Make all services currently using the accounts service talk to the CS3 userprovider
-- To support multiple LDAP servers we need to move the fallback mechanism in ocis/glauth service to upstream GLAuth
-- The current CS3 API for user management should be enriched with pagination, field mask and a query language as needed
-- properly register an [auxiliary LDAP schema that adds an ownCloudUUID attribute to users and groups](https://github.com/owncloud/ocis/blob/c8668e8cb171860c70fec29e5ae945bca44f1fb7/deployments/examples/cs3_users_ocis/config/ldap/ldif/10_owncloud_schema.ldif)
-
-### Positive Consequences
-
-* The accounts service (which is our drop in LDAP solution) can be dropped. The CS3 userprovider service becomes the only service dealing with users.
-* No sync
-
-### Negative Consequences
-
-* If users want to store users in their IDM and at the same time guests in a separate user management we need to implement GLAuth backends that support more than one LDAP server.
-
-## Pros and Cons of the Options
-
-### GLAuth wraps accounts service
-
-Currently, the accounts service is the source of truth and we use it to implement user management.
-
-* Good, because it solves the problem of storing and looking up an owncloud UUID for a user (and group)
-* Good, because we can manage users out of the box
-* Good, because we can persist accounts in a CS3 storage provider
-* Bad, because it maintains a separate user repository: it needs to either learn or sync users.
-
-### Move accounts functionality to GLAuth and name it accounts
-
-We should use an existing LDAP server and make GLAuth a drop in replacement for it.
-
-* Good, because we can use an existing user repository (an LDAP server), no need to sync or learn users.
-* Good, because admins can rely on existing user management tools.
-* Good, because we would have a clear separation of concerns:
- - users reside in whatever repository, typically an LDAP server
- - could be an existing LDAP server or AD
- - could be our embeddable drop in glauth server
- - we use a service to wrap the LDAP server with other APIs:
- - ms graph API - ODATA based restful API,
- - [SCIM](http://www.simplecloud.info/) - designed to manage user identities, supported by some IDPs,
- - the current accounts API (which is a protobuf spec following the ms graph API)
- - our account management UI can use the ms graph based API service which can have different backends
- - an existing LDAP server
- - our drop in glauth server (which might serve the ms graph based API itself)
- - the CS3 API + a future guest provisioning API + a future CS3 user provisioning API (or [generic space provisioning](https://github.com/cs3org/cs3apis/pull/95))
- - all oCIS services can use the service registry to look up the accounts service that provides an internal API
- - could be the CS3 user provider (and API)
- - could be the internal protobuf accounts API
- - introduce a new guest provisioning API to CS3 which properly captures our requirement to have them in the user repository
- - guests need to be made available to the firewall
- - storages like EOS that integrate with the os for acl based file permissions need a numeric user and group id
-* Good, because we can use the CS3 user provider with the existing LDAP / rest driver.
-* Bad, because oCIS admins may not have the rights to manage role assignments. (But this is handled at a different department.)
-* Bad, because oCIS admins may not have the rights to disable users if an external LDAP is used instead of the drop in GLAuth.
-
-## Links
-* supersedes [ADR-0001]({{< ref "0001-introduce-accounts-service.md" >}})
-* superseded by [17. Allow read only external User Management]({{< ref "0017-allow-read-only-external-user-management.md" >}})
diff --git a/docs/ocis/adr/0004-support-hot-migration.md b/docs/ocis/adr/0004-support-hot-migration.md
deleted file mode 100644
index ab1f7d4d65..0000000000
--- a/docs/ocis/adr/0004-support-hot-migration.md
+++ /dev/null
@@ -1,80 +0,0 @@
----
-title: "4. Support Hot Migration"
-weight: 4
-date: 2020-12-09T20:21:00+01:00
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/ocis/adr
-geekdocFilePath: 0004-support-hot-migration.md
----
-
-* Status: proposed
-* Deciders: [@butonic](https://github.com/butonic), [@micbar](https://github.com/micbar), [@dragotin](https://github.com/dragotin), [@hodyroff](https://github.com/hodyroff), [@pmaier1](https://github.com/pmaier1)
-* Date: 2021-03-16
-
-Technical Story: \[description | ticket/issue URL\]
-
-## Context and Problem Statement
-
-Migration is one of the most important topics of the oCIS story. We need to provide a concept how to migrate from oC10 to oCIS.
-
-## Decision Drivers
-
-- Do not lose file blob or metadata.
- - To prevent a sync surge from clients the etag for files should be migrated.
- - To prevent internal links from breaking or pointing to wrong files the file id of existing files needs to be migrated.
- - To prevent data loss trash and version blobs should be migrated.
-- Existing shares like public links and federated shares must remain functional after the migration.
- - To prevent internal shares the share type, permissions and expiry needs to be migrated.
- - To prevent public links from breaking the url token, permissions, expiry and password needs to be migrated.
- - *What about federated shares?*
- - *What about additional share permissions, e.g. comment on office files?*
-- Legacy clients need to keep working
- - To keep existing clients working the `remote.php/webdav` and `dav/files/` webdav endpoints as well as the ocs API need to be available.
-- *What about [app passwords/tokens](https://doc.owncloud.com/server/user_manual/personal_settings/security.html#app-passwords-tokens)?*
-
-## Considered Options
-
-1. Cold Migration: migrate data while systems are not online, so no user interaction happens in between.
-2. Hot Migration: one or both systems are online during migration.
-
-## Decision Outcome
-
-Chosen option: "\[option 1\]", because \[justification. e.g., only option, which meets k.o. criterion decision driver | which resolves force force | … | comes out best (see below)\].
-
-### Positive Consequences
-
-- \[e.g., improvement of quality attribute satisfaction, follow-up decisions required, …\]
-- …
-
-### Negative Consequences
-
-- \[e.g., compromising quality attribute, follow-up decisions required, …\]
-- …
-
-## Pros and Cons of the Options
-
-### Cold Migration
-
-The migration happens while the service is offline. File metadata, blobs and share data is exported from ownCloud 10 and imported in oCIS. This can happen user by user, where every user export would contain the file blobs, their metadata, trash, versions, shares and all metadata that belongs to the user's storage. To prevent group shares from breaking, users in the same groups must be migrated in batch. Depending on the actual group shares in an instance this may effectively require a complete migration in a single batch.
-
-- Good, because oCIS can be tested in a staging system without writing to the production system.
-- Good, because file layout on disk can be changed to support new storage driver capabilities.
-- Bad, because the export and import might require significant amounts of storage.
-- Bad, because a rollback to the state before the migration might cause data loss of the changes that happened in between.
-- Bad, because the cold migration can mean significant downtime.
-
-### Hot Migration
-
-The migration happens in subsequent stages while the service is online.
-
-- Good, because the admin can migrate users from old to new backend in a controlled way.
-- Good, because users and admins can learn to trust the new system.
-- Good, because there can be preparations even long before the migrations happens in parallel on the oC10 codebase, i.e. addition of metadata that is needed while the system operates.
-- Good, because the downtime of the system can be fairly small.
-- Bad, because it is more complex and might drag on for a long time.
-
-
-## Links
-
-
-- [Clarify responsibilities of share providers and storage providers · Issue #1377 · cs3org/reva (github.com)](https://github.com/cs3org/reva/issues/1377) because the share manager for oCIS should store share information on the storage system. And [storage provider should persist share creator · Issue #93 · cs3org/cs3apis (github.com)](https://github.com/cs3org/cs3apis/issues/93) finally: [eos: store share id in inherited xattr · Issue #543 · cs3org/reva (github.com)](https://github.com/cs3org/reva/issues/543)
diff --git a/docs/ocis/adr/0005-cs3-api-account-management.md b/docs/ocis/adr/0005-cs3-api-account-management.md
deleted file mode 100644
index 818452a85c..0000000000
--- a/docs/ocis/adr/0005-cs3-api-account-management.md
+++ /dev/null
@@ -1,210 +0,0 @@
----
-title: "5. Account Management through CS3 API"
-weight: 5
-date: 2021-04-12T15:00:00+01:00
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/ocis/adr
-geekdocFilePath: 0005-cs3-api-account-management.md
----
-
-* Status: proposed
-* Deciders: [@refs](https://github.com/refs), [@butonic](https://github.com/butonic), [@micbar](https://github.com/micbar), [@dragotin](https://github.com/dragotin), [@pmaier1](https://github.com/pmaier1)
-* Date: 2021-04-12
-
-Technical Story: [Write only management API for User and Group resources](https://github.com/cs3org/cs3apis/pull/119)
-
-## Context and Problem Statement
-
-What would be a more effective way of using network resources and handle account management within the oCIS-Reva ecosystem? Separating account management at the service level is pragmatic and allows for fast iterations, but also steadily accumulates inconsistencies and bloats technical debt.
-
-## Decision Drivers
-
-* Reduce number of network calls.
-* Reduce number of services (merge Account + GLAuth from ADR-0003).
-* Formalize account management at the API level.
-
-## Considered Options
-
-* Account management delegated to vendors.
-* Add account management to the CS3 API.
-
-## Decision Outcome
-
-Chosen option: "Add account management to the CS3 API". Making the API declare an API for account management will not only allow a deployment to fail fast (as in: the management node is not running) but would also centralize all management operations that should happen to be constrained within the Reva context. Constrained operations *SHOULD* be by definition more secure, or at least as secure as the rest of the system.
-
-### Positive Consequences
-
-* More resilient API.
- * Because account management is considered a "first class citizen" changes are forced to go through a more exhaustive revision process.
-* Removing Accounts from search users1.
-* Replace the provisioning API in favor of the new Reva Admin node. - -(1) the current vendor implementation of searching a user (i.e: when sharing a resource) relies directly on the accounts service, since this is the only source of truth. Searching a user looks like: - -``` -┌────────────────────────────────────────┐ -│user search (no LDAP) │ -│ │ -│ ┌──────────┐ │ -│ │ │ │ -│ │ proxy │ │ -│ │ │ ┌ ─ ─ ─ ─ ─ ┐ │ -│ └──────────┘ go-micro │ -│ ▲ │ │ │ -│ │ Λ │ -│ ▼ │ ╱ ╲ │ │ -│ ┌──────────┐ ╱ ╲ │ -│ │ │ │ ╱ ╲ │ │ -│ │ ocs │◀──(1)───▶registry▏ │ -│ │ │ │ ╲ ╱ │ │ -│ └──────────┘ ╲ ╱ │ -│ ▲ │ ╲ ╱ │ │ -│ │ V │ -│ │ │ │ │ -│ │ │ -│ │ └ ─ ─ ─ ─ ─ ┘ │ -│ │ │ -│ │ │ -│ │ ┌──────────┐ │ -│ │ │ │ │ -│ └─────────────▶│ accounts │ │ -│ │ │ │ -│ └──────────┘ │ -│ │ -│ │ -│(1) ocs requests a connection to the │ -│accounts service to the registry │ -│ │ -└────────────────────────────────────────┘ -``` - -Whereas, as a result of ADR-0003 and this ADR, we can simplify and improve this design: - -``` -┌─────────────────────────────────────────────┐ -│user search │ -│ │ -│ │ -│ ┌──────────┐ │ -│ │ │ │ -│ │ proxy │ │ -│ │ │ │ -│ └──────────┘ │ -│ │ │ -│ ▼ │ -│ ┌──────────┐ │ -│ │ │ │ -│ │ ocs │ │ -│ │ │ │ -│ └──────────┘ │ -│ │ │ -│ │ │ -│ ┌ ─ ─ ─ ─ ─│─ ─ ─ ─ ┌ ─ ─ ─ ─ ─ ─ ─ ─ ┐ │ -│ reva ▼ │ IDM │ -│ │ ┌──────────┐ │ ┌──────────┐ │ │ -│ │ │ │ │ │ │ -│ │ │ users │◀─────┼──▶│ GLAuth │ │ │ -│ │ │ │ │ │ │ -│ │ └──────────┘ │ └──────────┘ │ │ -│ │ │ -│ └ ─ ─ ─ ─ ─ ─ ─ ─ ─ └ ─ ─ ─ ─ ─ ─ ─ ─ ┘ │ -│ │ -└─────────────────────────────────────────────┘ -``` - -And instead rely on the already existing Reva users provider. - - -## Pros and Cons of the Options - -### Account management delegated to vendors - -* Good, because it allows for fast iterations. -* Bad, because account management happens outside of the Reva process. This can potentially end up in invalid account creation / deletion / updates. 
- * An example with the existing Accounts service is that any client can fire CRUD accounts requests to the Accounts service as long as the client knows where the server is running and provides with an Authorization header (only required by the proxy). This request totally bypasses Reva middlewares and therefore any security measures that should be enforced by the entire system. -* Bad, because leaves teams the task of designing and implementing a way of dealing with account management. Ideally one schema should be provided / suggested. - -Creating an account using the first option looks currently is implemented in vendors as: - -``` -┌──────────────────────────────────────────────────┐ -│ creating a user (webui) │ -│ │ -│ ┌──────────┐ │ -│ │ │ │ -│ │ proxy │ │ -│ │ │ │ -│ └──────────┘ │ -│ │ │ -│ │ │ -│ /api/v0/accounts/accounts-create │ -│ │ │ -│ │ │ -│ │ │ -│ ▼ │ -│ ┌──────────┐ │ -│ │ │ │ -│ │ accounts │ │ -│ │ │ │ -│ └──────────┘ │ -│ │ -│ note that while doing CRUD operations changes │ -│ are instantly reflected for the IDP since out of │ -│ the box oCIS uses an accounts backend for │ -│ GLAuth. │ -└──────────────────────────────────────────────────┘ -``` - -As explained before, during this flow no Reva middlewares are run. Creating an account will only use the embedded accounts js file alongside a minted jwt token (by the oCIS proxy) to communicate with the accounts service. - -### Add account management to the CS3 API - -* Good, because it solidifies what the CS3 API can or cannot do, and account management should be handled at the API level since ultimately accounts would contain a mix of required CS3 and vendor-specific attributes. -* Good, because it centralizes account management and constrains it within the Reva boundaries. -* Good, because there is a clear separation of concerns on what is accounts management logic. 
-* Good, because we already designed [a similar API for the accounts service](https://github.com/owncloud/ocis/blob/master/accounts/pkg/proto/v0/accounts.proto#L42-L85) the only difference being we (vendors) [define their own messages](https://github.com/owncloud/ocis/blob/master/accounts/pkg/proto/v0/accounts.proto#L252-L408). - * The API would fully include CRUD methods -* Bad, because development cycles are larger. - * an example flow will be: `update api > run prototool > publish language specific packages > update dependencies to fetch latest version of the package > utilize the new changes`. - -The new account management workflow will result in: -``` -┌───────────────────────────────────────────────────┐ -│creating a user (webui) │ -│ - maintain the same route for compatibility │ -│ │ -│ ┌──────────┐ │ -│ │ │ │ -│ │ proxy │ │ -│ │ │ │ -│ └──────────┘ │ -│ │ │ -│ │ │ -│ /api/v0/accounts/accounts-create │ -│ │ │ -│ │ │ -│ ┌ ─ ─ ─ ─ ─│─ ─ ─ ─ ─ ─ ─ ─ ┐ ┌ ─ ─ ─ ─ ─ ─ ─ ─ │ -│ Reva │ IDM │ │ -│ │ │ │ │ │ -│ ▼ │ │ -│ │ ┌──────────┐ │ │ ┌──────────┐ │ -│ │ │ │ │ │ │ -│ │ │ admin │───────────┼──┼──▶│ GLAuth │ │ -│ │ │ │ │ │ │ -│ │ └──────────┘ │ │ └──────────┘ │ -│ │ │ -│ │ │ │ │ -│ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ─ ┘ │ -│ │ -│ │ -│ │ -│ │ -│ │ -│ │ -│ an example of a driver could be GLAuth │ -│ implementing the user management portion of the │ -│ GraphAPI │ -└───────────────────────────────────────────────────┘ -``` - -This flow allows Reva and oCIS Proxy to run any middleware logic in order to validate a request. The communication between the proposed Admin api (CS3 API messages) and the IDM (GLAuth) are specific to the _drivers_. diff --git a/docs/ocis/adr/0006-service-discovery.md b/docs/ocis/adr/0006-service-discovery.md deleted file mode 100644 index 61461b9b77..0000000000 --- a/docs/ocis/adr/0006-service-discovery.md +++ /dev/null 
@@ -1,58 +0,0 @@
----
-title: "6. Service Discovery within oCIS and Reva"
-weight: 6
-date: 2021-04-19T13:00:00+01:00
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/ocis/adr
-geekdocFilePath: 0006-service-discovery.md
----
-
-* Status: accepted
-* Deciders: [@refs](https://github.com/refs), [@butonic](https://github.com/butonic), [@micbar](https://github.com/micbar), [@dragotin](https://github.com/dragotin), [@pmaier1](https://github.com/pmaier1)
-* Date: 2021-04-19
-
-Technical Story: [Introduce Named Services.](https://github.com/cs3org/reva/pull/1509)
-
-## Context and Problem Statement
-
-Reva relies heavily on config files. A known implication of this approach are having to know a-priori where a service is running (host + port). We want to move away from hardcoded values and rely instead on named services for service discovery. Furthermore, we would like both platforms (Reva + oCIS) to have the same source of truth at any given time, not having one to notify the other whenever a service status changes.
-
-## Decision Drivers
-
-* Avoid a-priori knowledge of services.
-* Ease of scalability.
-* Always up-to-date knowledge of the running services on a given deployment (a service registry doesn't have to necessarily be running on the same machine / network)
-
-## Considered Options
-
-* Hardcoded tuples of hostname + port
-* Dynamic service registration
-
-## Decision Outcome
-
-Chosen option: "Dynamic service registration". There were some drawbacks regarding this due to introducing go-micro to Reva was from start an issue. Given the little usage of go-micro we need, we decided instead to define our very own [Registry interface](https://github.com/refs/reva/blob/58d013a7509d1941834e1bc814e9a9fa8bff00b1/pkg/registry/registry.go#L22-L35) on Reva and extended the runtime arguments to [allow for injecting a registry](https://github.com/refs/reva/blob/58d013a7509d1941834e1bc814e9a9fa8bff00b1/cmd/revad/runtime/option.go#L53-L58).
-
-### Positive Consequences
-
-* Having dynamic service registration delegates the entire lifecycle of finding a process to the service registry.
-* Removing a-priori knowledge of hostname + port for services.
-* Marrying go-micro's registry and a newly defined registry abstraction on Reva.
-* We will embrace go-micro interfaces by defining a third merger interface in order to marry go-micro registry and reva registry.
-* The ability to fetch a service node relying only on its name (i.e: com.owncloud.proxy) and not on a tuple hostname + port that we rely on being preconfigured during runtime.
-* Conceptually speaking, a better framework to tie all the services together. Referring to services by names is less overall confusing than having to add a service name + where it is running. A registry is agnostic to "where is it running" because it, by definition, keeps track of this specific question, so when speaking about design or functionality, it will ease communication.
-
-## Pros and Cons of the Options
-
-### Hardcoded tuples of hostname + port
-
-* Good, because firewalls are easier to configure since IP are static.
-* Good, because the mental model required is easier to grasp as IP addresses can be easily bundled.
-* Bad, because it requires thorough planning of ports.
-
-### Dynamic service registration
-
-* Good, because it abstracts the use of service lookup away to registry logic from the admin or developer.
-* Good, because it allows for, through interfaces, registry injection
- * This means we can have a service registry that we extensively use in oCIS and inject its functionality onto Reva.
-* Bad, because it's yet another abstraction.
-* Bad, because firewalls are harder to configure with dynamic IPs.f
diff --git a/docs/ocis/adr/0007-api-for-spaces.md b/docs/ocis/adr/0007-api-for-spaces.md
deleted file mode 100644
index 9d6ffe8c47..0000000000
--- a/docs/ocis/adr/0007-api-for-spaces.md
+++ /dev/null
@@ -1,156 +0,0 @@
----
-title: "7. Open Graph API for oCIS File Spaces"
-weight: 7
-date: 2021-05-03T09:00:00+01:00
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/ocis/adr
-geekdocFilePath: 0007-api-for-spaces.md
----
-
-* Status: accepted
-* Deciders: [@butonic](https://github.com/butonic), [@micbar](https://github.com/micbar), [@dragotin](https://github.com/dragotin), [@hodyroff](https://github.com/hodyroff), [@pmaier1](https://github.com/pmaier1)
-* Date: 2021-03-19
-
-Technical Story: API to enable the concept of [Spaces](https://github.com/owncloud/enterprise/issues/3863)
-
-## Context and Problem Statement
-
-As one of the building blocks for Spaces in oCIS we plan to add an API that returns information about available spaces. This ADR discusses the API design oriented on the Microsoft Graph API.
-
-> Note: The term "spaces" is used here in the context of "a space where files can be saved", similar to a directory. It is not to be confused with space in the sense of free file space for example.
-
-The purpose of this new API is to give clients a very simple way to query the dynamic list of spaces, that the user has access to. Clients can provide a better user experience with that.
-
-This API is supposed to be queried often, to give clients a condensed view of the available spaces for a user, but also their eTags and cTags. Hence the clients do not have to perform a PROPFIND for every space separately.
-
-This API would even allow providing (WebDAV-) endpoints depending on the kind and version of the client asking for it.
-
-## Decision Drivers
-
-- Make it easy to work with a dynamic list of spaces of a user for the clients.
-- No longer the need to make assumptions about WebDAV- and other routes in clients.
-- More meta data available about spaces for a better user experience.
-- Part of the bigger spaces plan.
-- Important to consider in client migration scenarios, i.e. in CERN.
-
-## Considered Options
-
-1.
[Microsoft Graph API](https://developer.microsoft.com/en-us/graph) inspired API that provides the requested information.
-
-## Decision Outcome
-
-This the DRAFT for the API.
-
-### API to Get Info about Spaces
-
-ownCloud servers provide an API to query for available spaces of an user.
-
-See the openAPI Specification for the [Libre Graph API](https://owncloud.dev/libre-graph-api/).
-
-Most important, the API returns the WebDAV endpoint for each space. With that, clients do not have to make assumptions about WebDAV routes any more.
-
-See [Drive item in Microsoft Graph API](https://docs.microsoft.com/en-us/graph/api/resources/onedrive?view=graph-rest-1.0) for an overview of `drive` and `driveItem` resources. The concrete list of drives / spaces a user has access to can be obtained on multiple endpoints.
-
-### Get "Home folder"
-
-Retrieve information about the home space of a user. Note: The user has access to more spaces. This call only returns the home space to provide API parity with the Graph API.
-
-API Call: `/me/drive`: Returns the information about the users home folder.
-
-### Get All Spaces of a User
-
-Retrieve a list of available spaces of a user. This includes all spaces the user has access to at that moment, also the home space.
-
-API Call: `/me/drives`: Returns a list of spaces.
-
-There is also `/drives`, returning the list of spaces the user has access to. This endpoint is used to access any space by id using `/drives/{drive-id}`.
- -### Common Reply - -The reply to both calls is either one or a list of [Drive representation objects](https://docs.microsoft.com/de-de/graph/api/resources/drive?view=graph-rest-1.0): - -``` -{ - "id": "string", - "createdDateTime": "string (timestamp)", - "description": "string", - "driveType": "personal | projectSpaces | shares", - "lastModifiedDateTime": "string (timestamp)", - "name": "string", - "owner": { "@odata.type": "microsoft.graph.identitySet" }, - "quota": { "@odata.type": "microsoft.graph.quota" }, - "root": { "@odata.type": "microsoft.graph.driveItem" }, - "webUrl": "url" -} -``` - -The meaning of the objects in Open Graph API context are: - -1. **id** - a persistent and unique ID identifying the space, called Storage Space ID. -2. **driveType** - describing the type of the space. -3. **owner** - an owner object to whom the space belongs -4. **quota** - quota information about this space -5. **root** - the root driveItem object. -6. **webUrl** - The URL to make this space visible in the browser. - -The following *driveType* values are available in the first step, but might be enhanced later: - -* **personal**: The users home space -* **projectSpaces**: The project spaces available for the user (*) -* **shares**: The share jail, contains all shares for the user (*) - -Other space types such as backup, hidden etc. can be added later as requested. - -> Note: The *projectSpaces* and *shares* space are virtual spaces. They only contain other spaces, and no regular resources. - -The (*) marked types are not defined in the official MS API. They are prefixed with `oc` to avoid namespace clashes. - -The `root` object equals a [driveItem](https://docs.microsoft.com/de-de/graph/api/resources/driveitem?view=graph-rest-1.0) and contains information about the root resource (directory) of the space. - -This is an example object as it can be expected as `root` element. It is not complete, as not all elements will be implemented so far. 
- -``` -{ - "cTag": "string (etag)", - "webDavUrl": "string", - - /* inherited from baseItem */ - "id": "string (identifier)", - "createdBy": {"@odata.type": "microsoft.graph.identitySet"}, - "createdDateTime": "String (timestamp)", - "eTag": "string", - "lastModifiedBy": {"@odata.type": "microsoft.graph.identitySet"}, - "lastModifiedDateTime": "String (timestamp)", - "name": "string", - "webUrl": "string", -} -``` - -Meaningful fields of the root element in the context of the Open Graph API: - -1. **id** - a persistent and unique ID identifying the root directory node. -2. **webDavUrl** - The webdav path of the top item of the space. -3. **eTag** - an identifier that changes automatically if the content *or* metadata of the node or the underlying resources changes. -4. **cTag** - an identifier that changes automatically if the content of the root node or of one of the underlying resources changes. -5. **webUrl** - The URL to make this space visible in the browser. - -> Note: To indicate that only the metadata of a resource has changed, the eTag has changed, but the cTag not. - -### Positive Consequences - -- A well understood and mature API from Microsoft adopted to our needs. -- Prerequisite for Spaces in oCIS. -- Enables further steps in client development. - -### Negative Consequences - -- Migration impact on existing installations. Still to be investigated. -- Requires additional webdav endpoint that allows accessing an arbitrary storage space, either - - with an id: `/dav/spaces//relative/path/to/file.ext`, or - - with a global path: `/dav/global////relative/path/to/file.ext`, e.g. 
`/dav/global/projects/Golive 2021/Resources/slides.odt`
-
-### Open Topics
-
-- What are the WebDAV paths for Trashbin, Versions
- + option: additional entries in the reply struct
-- The identitySet object used for "owner" and "coowner" require to implement the [https://docs.microsoft.com/de-de/graph/api/resources/identityset?view=graph-rest-1.0](IdentitySet) JSON object, which contains information that seems to be of limited benefit for oCIS. An alternative would be to implement a simpler identity object for oCIS and use that.
diff --git a/docs/ocis/adr/0008-configuration.md b/docs/ocis/adr/0008-configuration.md
deleted file mode 100644
index 7a9eb91730..0000000000
--- a/docs/ocis/adr/0008-configuration.md
+++ /dev/null
@@ -1,194 +0,0 @@
----
-title: "8. Configuration"
-weight: 8
-date: 2021-05-03T15:00:00+01:00
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/ocis/adr
-geekdocFilePath: 0008-configuration.md
----
-
-* Status: proposed
-* Deciders: [@refs](https://github.com/refs), [@butonic](https://github.com/butonic), [@micbar](https://github.com/micbar), [@dragotin](https://github.com/dragotin), [@pmaier1](https://github.com/pmaier1)
-* Date: 2021-05-03
-
-## Context and Problem Statement
-
-As per urfave/cli's doc:
-
->The precedence for flag value sources is as follows (highest to lowest):
->
->0. Command line flag value from user
->1. Environment variable (if specified)
->2. Configuration file (if specified)
->3. Default defined on the flag
-
-An issue arises in point 2, in the sense that configuration file refers to a single file containing the value for the env variable. The CLI framework we use for flag parsing does not support merging config structs with CLI flags. This introduces an inconsistency with the framework: config structs are not supported, and we cannot hook to the lifecycle of the flags parsing to use a file as source and conform to these rules.
-
-Because we solely rely on [structured configuration](https://github.com/owncloud/ocis/blob/master/ocis-pkg/config/config.go) we need a way to modify values in this struct using the provided means urfave/cli gives us (flags, env variables, config files and default value), but since we have different modes of operation (supervised Vs. unsupervised) we have to define a clear line.
-
-### Decision Drivers
-- Improve experience for the end user.
-- Improve experience for developers.
-- Sane defaults.
-- Sane overrides.
-
-### Considered Options
-
-- Extend [FlagInputSourceExtension interface](https://github.com/urfave/cli/blob/master/altsrc/flag.go#L12-L17)
-- Feature request: support for structured configuration (urfave/cli).
-- Clearly defined boundaries of what can and cannot be done.
-- Expose structured field values as CLI flags
-- Drop support for structure configuration
-- Adapt the "structured config files have the highest priority" within oCIS
-
-### Decision Outcome
-
-[STILL UNDECIDED]
-
-#### Positive Consequences
-
-[TBD, depends on Decision Outcome]
-
-### Pros and Cons of the Options
-
-#### Extend FlagInputSourceExtension interface
-- Good, because we could still use Viper to load from config files here and apply values to the flags in the context.
-- Bad, because urfave/cli team are [actively working on v3 of altsrc](https://github.com/urfave/cli/issues/1051#issuecomment-606311923) and we don't want to maintain yet another slice of the codebase.
-
-notes: source is [FlagInputSourceExtension interface](https://github.com/urfave/cli/blob/master/altsrc/flag.go#L12-L17)
-
-#### Feature request: support for structured configuration (urfave/cli).
-- Good, because we could remove Viper off the codebase and solely rely on urfave/cli's native code.
-- Bad, because there are no plans to support this upstream.
-
-#### Clearly defined boundaries of what can and cannot be done.
-
-- Good, because no changes to the codebase required (not drastic changes.)
-- Bad, because we're limited by the framework
-
-#### Expose structured field values as CLI flags
-
-- Good, because it has been already taken into account on large projects (kubernetes) [here.](https://docs.google.com/document/d/1Dvct469xfjkgy3tjWMAKvRAJo4CmGH4cgSVGTDpay6A) in point 5.
-- Bad, because it requires quite a bit1 of custom logic.
-- Bad, because how should these flags be present in the `-h` menu of a subcommand? Probably some code generation needed.
-
-*[1] this is a big uncertainty.
-
-#### Drop support for structure configuration
-
-- Good, because it makes the integration with the cli framework easier to grasp.
-- Good, because it is not encouraged by the 12factor app spec.
-- Bad, because we already support if and users make active use of it. At least for development.
- -#### Adapt the "structured config files have the highest priority" within oCIS - -- Good, because that would mean little structural changes to the codebase since the Viper config parsing logic already uses the `Before` hook to parse prior to the command's action executes. - -### Notes - -#### Use Cases and Expected Behaviors - -##### Supervised (`ocis server` or `ocis run extension`) - -![grafik](https://user-images.githubusercontent.com/6905948/116872568-62b1a780-ac16-11eb-9f29-030a651ee39b.png) - -- Use a global config file (ocis.yaml) to configure an entire set of services: `> ocis --config-file /etc/ocis.yaml service` -- Use a global config file (ocis.yaml) to configure a single extension: `> ocis --config-file /etc/ocis/yaml proxy` -- When running in supervised mode, config files from extensions are NOT evaluated (only when running `ocis server`, runs with `ocis run extension` do parse individual config files) - - i.e: present config files: `ocis.yaml` and `proxy.yaml`; only the contents of `ocis.yaml` are loaded1. -- Flag parsing for subcommands are not allowed in this mode, since the runtime is in control. Configuration has to be done solely using config files. - -*[1] see the development section for more on this topic. - -###### Known Gotchas -- `> ocis --config-file /etc/ocis/ocis.yaml server` does not work. It currently only supports reading global config values from the predefined locations. - -##### Unsupervised (`ocis proxy`) - -![grafik](https://user-images.githubusercontent.com/6905948/116872534-54fc2200-ac16-11eb-8267-ffe7b03177b3.png) - -- `ocis.yaml` is parsed first (since `proxy` is a subcommand of `ocis`) -- `proxy.yaml` is parsed if present, overriding values from `ocis.yaml` and any cli flag or env variable present. 
-
-#### Other known use cases
-
-- Configure via env + some configuration files like WEB_UI_CONFIG or proxy routes
-- Configure via flags + some configuration files like WEB_UI_CONFIG or proxy routes
-- Configure via global (single file for all extensions) config file + some configuration files like WEB_UI_CONFIG or proxy routes
-- configure via per extension config file + some configuration files like WEB_UI_CONFIG or proxy routes
-
-Each individual use case DOES NOT mix sources (i.e: when using cli flags, do not use environment variables nor cli flags).
-
-_Limitations on urfave/cli prevent us from providing structured configuration and framework support for cli flags + env variables._
-
-#### Use Cases for Development
-
-#### Config Loading
-
-Sometimes is desired to decouple the main series of services from an individual instance. We want to use the runtime to startup all services, then do work only on a single service. To achieve that one could use `ocis server && ocis kill proxy && ocis run proxy`. This series of commands will 1. load all config from `ocis.yaml`, 2. kill the supervised proxy service and 3. start the same service with the contents from `proxy.yaml`.
-
-#### Start an extension multiple times with different configs (in Supervised mode)
-
-Flag parsing on subcommands in supervised mode is not yet allowed. The runtime will first parse the global `ocis.yaml` (if any) and run with the loaded configuration. This use case should provide support for having 2 different proxy config files and making use of the runtime start 2 proxy services, with different values.
- -For this to work, services started via `Service.Start` need to forward any args as flags: - -```go -if err := client.Call("Service.Start", os.Args[2], &reply); err != nil { - log.Fatal(err) -} -``` - -This should provide with enough flexibility for interpreting different config sources as: `> bin/ocis run proxy --config-file /etc/ocis/unexpected/proxy.yaml` - -#### Developing Considered Alternatives Further - -Let's develop further the following concept: Adapt the "structured config files have the highest priority" within oCIS. - -Of course it directly contradicts urfave/cli priorities. When a command finished parsing its cli args and env variables, only after that `Before` is called. This mean by the time we reach a command `Before` hook, flags have already been parsed and its values loaded to their respective destinations within the `Config` struct. - -This should still not prevent a developer from using different config files for a single service. Let's analyze the following use case: - -1. global config file present (ocis.yaml) -2. single proxy.yaml config file -3. another proxy.yaml config file -4. running under supervision mode - -The outcome of the following set of commands should be having all bootstrapped services running + 2 proxies on different addresses: - -```console -> ocis server -> ocis kill proxy -> ocis run proxy --config-file proxy.yaml -> ocis run proxy --config-file proxy2.yaml -``` - -This is a desired use case that is yet not supported due to lacking of flags forwarding. - -#### Follow-up PR's - -- Variadic runtime extensions to run (development mostly) -- Arg forwarding to command (when running in supervised mode, forward any --config-file flag to supervised subcommands) -- Ability to set `OC_URL` from a config file (this would require to extend the ocis-pkg/config/config.go file). - -#### The case for `OC_URL` - -`OC_URL` is a jack-of-all trades configuration. 
It is meant to ease up providing defaults and ensuring dependant services are well configured. It is an override to the following env vars: - -``` -OC_IDM_ADDRESS -PROXY_OIDC_ISSUER -STORAGE_OIDC_ISSUER -STORAGE_FRONTEND_PUBLIC_URL -STORAGE_LDAP_IDP -WEB_UI_CONFIG_SERVER -WEB_OIDC_AUTHORITY -OC_PUBLIC_URL -``` - -Because this functionality is only available as an env var, there is no current way to "normalize" its usage with a config file. That is, there is no way to individually set `OC_URL` via config file. This is clear technical debt, and should be added functionality. - -#### State of the Art -- [Kubernetes proposal on this very same topic](https://docs.google.com/document/d/1Dvct469xfjkgy3tjWMAKvRAJo4CmGH4cgSVGTDpay6A) -- [Configuration \| Pulumi](https://www.pulumi.com/docs/intro/concepts/config/) - - Configuration can be altered via setters through the CLI. diff --git a/docs/ocis/adr/0009-extension-template.md b/docs/ocis/adr/0009-extension-template.md deleted file mode 100644 index bf4a02ac39..0000000000 --- a/docs/ocis/adr/0009-extension-template.md +++ /dev/null 
@@ -1,71 +0,0 @@
----
-title: "9. Extension Template"
-weight: 9
-date: 2021-06-10T15:00:00+01:00
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/ocis/adr
-geekdocFilePath: 0009-extension-template.md
----
-
-* Status: proposed
-* Deciders: [@c0rby](https://github.com/c0rby)
-* Date: 2021-06-10
-
-Technical Story: [description | ticket/issue URL]
-
-## Context and Problem Statement
-
-We want to accelerate and simplify extension development by removing the necessity to type or copy the boilerplate code. Can we provide a template or a similar mechanism to aid when developing new extensions?
-
-
-## Decision Drivers
-
-* The solution should be easily maintainable.
- * It should always be up-to-date.
-* The solution should be easy to use.
-
-## Considered Options
-
-* Use [boilr](https://github.com/tmrts/boilr)
-* Create a template git repository.
-* Use [ocis-hello](https://github.com/owncloud/ocis-hello/) as a "template"
-
-## Decision Outcome
-
-Chosen option: "[option 1]", because [justification. e.g., only option, which meets k.o. criterion decision driver | which resolves force force | … | comes out best (see below)].
-
-### Positive Consequences:
-
-* [e.g., improvement of quality attribute satisfaction, follow-up decisions required, …]
-* …
-
-### Negative consequences:
-
-* [e.g., compromising quality attribute, follow-up decisions required, …]
-* …
-
-## Pros and Cons of the Options
-
-### [boilr](https://github.com/tmrts/boilr)
-
-We have a boilr template already. [boilr-ocis-extension](https://github.com/owncloud/boilr-ocis-extension/)
-This approach is nice because it provides placeholders which can be filled during the generation of a new extension from the template. It also provides prompts for the placeholder values during generation.
-
-* Good, because with the placeholders it is hard to miss values which should be changed
-* Bad, because maintaining is more complex
-
-### Template git repository
-
-Create a git repository with an extension containing the boilerplate code.
-
-* Good, because we can use the usual tools for QA and dependency scanning/updating.
-* Good, because it doesn't require any additional tool.
-
-### [ocis-hello](https://github.com/owncloud/ocis-hello/) as a "template"
-
-We have the ocis-hello repository which acts as an example extension containing a grpc and http service and a web UI. It also demonstrates the usage of the settings service.
-
-* Good, because it contains a bit more code than just the plain boilerplate
-* Good, because the integration into oCIS is already tested for the Hello extension (e.g. with Proxy and Settings). This will ensure, that the example extension is up-to-date.
-* Bad, because if you don't require all features you have to delete stuff
-
diff --git a/docs/ocis/adr/0010-policy-enforcement.md b/docs/ocis/adr/0010-policy-enforcement.md
deleted file mode 100644
index 1cc24f8dec..0000000000
--- a/docs/ocis/adr/0010-policy-enforcement.md
+++ /dev/null
@@ -1,85 +0,0 @@ ---- -title: "10. Extension Policies" -weight: 10 -date: 2021-06-30T14:00:00+01:00 -geekdocRepo: https://github.com/owncloud/ocis -geekdocEditPath: edit/master/docs/ocis/adr -geekdocFilePath: 0010-policy-enforcement.md ---- - -* Status: proposed -* Deciders: [@butonic](https://github.com/butonic), [@micbar](https://github.com/micbar), [@dragotin](https://github.com/dragotin), [@hodyroff](https://github.com/hodyroff), [@pmaier1](https://github.com/pmaier1), [@fschade](https://github.com/fschade) -* Date: 2021-06-30 - -## Context and Problem Statement - -There should be a way to impose certain limitations in areas of the code that require licensing. This document researches an approach to achieve this goal, while limiting the scope to the enforcement side of it. The architecture for a policy system must be composed of 2 parts: - -1. License creation and validation -2. Enforcement - -It is desirable to keep both systems isolated, since the implementation of the latter has to be done within the constraints of the codebase. The alternative is running an enforcement service and have each and every single request evaluating whether the request is valid or not. - -## Decision Drivers - -- As a team, we want to have the licensing code concentrated in a central module -- We don't want to stop/start the extension whenever a policy is updated (hot reload). It must happen during runtime. - -## Considered Options - -1. Build the evaluation engine in-house. -2. Use third party libraries such as Open Policy Agent (a CNCF approved project written in Go) - -## Decision Outcome - -Chosen option: option 2; Use third party libraries such as Open Policy Agent (a CNCF approved project written in Go) - -### Positive Consequences - -- OPA is production battle tested. -- Built around performance - policies evaluations are no longer than 1ms per request. 
-- Middleware friendly: we use gRPC clients all over our ecosystem; wrappers (or middlewares) is a viable way to solve this problem instead of a dedicated service or its own package. -- Community support. -- Kubernetes friendly. -- Supports envoy, kong, terraform, traefik, php, node and many more. - -### Negative Consequences - -- More vendor code inside the binary (larger attack surface, larger footprint [to be quantified] ) - -## Chosen option approach - -Make use of [overloading Open Policy Agent's input](https://www.openpolicyagent.org/docs/latest/external-data/#option-2-overload-input) along with an external storage source (instead of an OPA service) in conjunction with go-micro's gRPC client wrappers (a.k.a. middlewares) to leverage policy rules evaluation. - -### Terminology - -New terms are defined to refer to new mental models: - -- Policy: self-imposed limitation of a piece of software. i.e: "after 20 users limit the use of thumbnails". -- Checkers: in the context of a middleware, a checker is in charge of defining logical conditions that prevent requests (users) from doing an action. -- Policy file: a [rego file](https://www.openpolicyagent.org/docs/latest/policy-language/). -- Policy evaluation: the act of piecing together input (from a request), data (from an external storage) and policies in order to make a decision. - -#### Temporary new Interfaces part of the PoC - -- IStorage: provides means of extracting data from an external source (in case of the POC an etcd storage cluster). - -### External data storages - -However, for this to be usable it needs state. The Rego engine works with input and data, where data is essentially a database the input is tried against, in order to expand this poc to include functionality such as counters (i.e: give access to the thumbnails only to 50 users) we need an external storage, and consequentially, Rego needs to have an option to load data from an external storage. 
There is an entire chapter in the documentation regarding external data: https://www.openpolicyagent.org/docs/latest/external-data/. The most "natural" option (option 5) states: - -> OPA includes functionality for reaching out to external servers during evaluation. This functionality handles those cases where there is too much data to synchronize into OPA, JWTs are ineffective, or policy requires information that must be as up-to-date as possible. - -This is a natural option because it requires service-to-service communication, and by definition using microservices it should come "natural to us". Another approach is using JWT (which we already use) to encode the necessary data into the JWT and handing it over to rego as "data". The issue with this approach is that depending on the features of the licenses the JWT might grow and be filled with noise and redundancy (this is, unless a new token is issued for licensing purposes). - -### Future ideas - -[This proof of concept](https://github.com/owncloud/ocis/pull/2236) is very rigid in the sense that the `IStorage` interface only has one implementation that ties it to etcd, meaning running an oCIS cluster without an etcd service will result in a crash. This is by far ideal and less coupled implementations should be done. There is the case of using the storage metadata as a source to store data necessary to the policies, or even using the go-micro store as a kv store to achieve the exact same, since it already runs as its own service. The implementation of this is trivial and left out of the POC since it requires more time than the allotted for this task. - -#### Message Broker - -This problem perfectly encompasses the use of a message broker, where services such as OCS will emit messages to a bus and only listeners react to them. In this case the following applies: - -![message broker](https://i.imgur.com/sa1pANQ.jpg) - -The necessary interfaces are provided to us by go-micro, only implementations are to be done. 
diff --git a/docs/ocis/adr/0011-global-url-format.md b/docs/ocis/adr/0011-global-url-format.md
deleted file mode 100644
index d3ecf1bbee..0000000000
--- a/docs/ocis/adr/0011-global-url-format.md
+++ /dev/null
@@ -1,320 +0,0 @@ ---- -title: "11. WebUI URL format" -weight: 11 -date: 2021-07-07T14:55:00+01:00 -geekdocRepo: https://github.com/owncloud/ocis -geekdocEditPath: edit/master/docs/ocis/adr -geekdocFilePath: 0011-global-url-format.md ---- - -* Status: accepted -* Deciders: [@refs](https://github.com/refs), [@butonic](https://github.com/butonic), [@micbar](https://github.com/micbar), [@dragotin](https://github.com/dragotin), [@hodyroff](https://github.com/hodyroff), [@pmaier1](https://github.com/pmaier1), [@fschade](https://github.com/fschade), [@tbsbdr](https://github.com/tbsbdr), [@kulmann](https://github.com/kulmann) -* Date: 2021-07-07 - -## Context and Problem Statement - -When speaking about URLs we have to make a difference between browser URLs and API URLs. Only browser URLs are visible to end users and will be bookmarked. The currently existing and bookmarked ownCloud 10 URLs look something like this: - -``` -GET https://demo.owncloud.com/apps/files/?dir=/path/to/resource&fileid=5472225 -303 Location: https://demo.owncloud.com/apps/files/?dir=/path/to/resource -``` - -When the URL contains a `fileid` parameter the server will look up the corresponding `dir`, overwriting whatever was set before the redirect. The `fileid` always takes precedence and the server is responsible for the lookup. - -``` -GET https://demo.owncloud.com/apps/files/?dir=/path/to/resource -``` - -The `dir` parameter is then used to make a WebDAV request against the `/dav/files` endpoint of the currently logged-in user: - -``` -PROPFIND https://demo.owncloud.com/remote.php/dav/files/demo/path/to/resource -``` - -The resulting PROPFIND response is used to render the file listing. All good so far. - -For the new ocis web UI we want to clean up the user visible Browser URLs. 
They currently look like this: - -``` -https://demo.owncloud.com/#/files/list/all/path/to/resource -``` - -Currently, there is no `fileid` like parameter in the browser URL, making bookmarks of it fragile (they break when a bookmarked folder is renamed). - -The oCIS web UI just takes the path and uses the `/webdav` endpoint of the currently logged-in user: - -``` -PROPFIND https://demo.owncloud.com/remote.php/webdav/path/to/resource -``` - - -With the new ownCloud web client (owncloud/web) - - needs to interpret them to make API calls. With this in mind, this is the current mapping on ownCloud Web with OC10 and OCIS backend: - -| | Browser URL | API URL | -|------|----------------------------------------------------------------|----------------------------------------------------| -| OC10 + classic WebUI | `https://demo.owncloud.com/apps/files/?dir=/path/to/resource&fileid=5472225` | `https://demo.owncloud.com/remote.php/dav/files/demo/path/to/resource` | -| OC10 + OCIS WebUI| `https://web.owncloud.com/index.html#/files/list/all/path%2Fto%2Fresource` | `https://demo.owncloud.com/remote.php/webdav/path/to/resource` | -| OCIS | `https://demo.owncloud.com/#/files/list/all/path/to/resource` | `https://demo.owncloud.com/remote.php/webdav/path/to/resource` | - - -On an OC10 backend the `fileid` query parameter takes precedence over the `dir`. In fact if `dir` is invalid but `fileid` isn't, the resolution will succeed, as opposed to if the `fileid` is wrong (doesn't exist) and `dir` correct, resolution will fail altogether with a 404. - -This ADR is limited to the scope of "how will a web client deal with the browser URL?". The API URLs will change with the spaces concept to `https://demo.owncloud.com/dav/spaces//relative/path/to/resource`. The Web UI can look up a space id and the mount path using the `/graph/v1.0/drives` API: -1. 
TODO for a given resource id as part of the URL the `https://demo.owncloud.com/v1.0/drive/items/123456A14B0A7750!359?$select=parentReference` can be used to retrieve the drive/space: -``` -{ - "parentReference": { - "driveId": "123456a14b0a7750", - "driveType": "personal", - "id": "123456A14B0A7750!357", - "path": "/drive/root:" - } -} -``` -2. TODO to fetch the list of all spaces with their mount points we need an API endpoint that allows clients (not only the web ui) to 'sync' the list of storages a user has access to from the storage registry on the server side. This allows clients to directly talk to a storage provider on another instance, allowing true storage federation. The MS graph api has no notion of mount points, so we will need to add a `mountpath` *(or `mountpoint`? or `alias`?)* to our [`drive` resource properties in the libreGraph spec](https://github.com/owncloud/open-graph-api/blob/dc6da5359eee0345429080b5b59762fd8c57b121/api/openapi-spec/v0.0.yaml#L351-L384). Tracked in https://github.com/owncloud/open-graph-api/issues/6 - - -{{< hint >}} -@jfd: The graph api returns a `path` in the `parentReference`, which is part of the `root` in a `drive` resource. But it contains a value in the namespace of the `graph` endpoint, e.g.: `/drive/root:/Bilder` for the `/Bilder` folder in the root of the currently logged-in users personal drive/space. Which is again relative to the drive. To give the clients a way to determine the mount point we need to add a new `mountpath/point/alias` property. 
-{{< /hint >}} - -## Decision Drivers - -* To reveal relevant context to the user URLs should either carry a path component or a meaningful alias -* To prevent bookmarks from breaking URLs should have an id component that can be used by the system to lookup the resource - -## Considered Options - -* Existing ownCloud 10 URLs -* ID based URLs -* Path based URLs -* Space based URLs -* Mixed Global URLs -* Configurable path component in URLs - -## Decision Outcome - -Chosen option: "Mixed global URLs", because it meets the requirement to contain a path and a stable identifier. - -### Positive Consequences - -* The path makes it "human readable" -* The URL can be bookmarked -* The bookmarked URLs remain stable even if the path changes -* All URLs can be shortened to hide any metadata like path, resource name and query parameters - -### Negative Consequences - -* the web UI needs to look up the space alias in a registry to build an API request for the `/dav/space` endpoint - -## Pros and Cons of the Options - -### Existing OwnCloud 10 URLs - -The existing ownCloud 10 URLs look like this - -| URL | comment | -|-----|---------| -| `https:///apps/files/?dir=&fileid=` | pattern | -| `https://demo.owncloud.com/apps/files/?dir=/&fileid=18` | root of the currently logged in user | -| `https://demo.owncloud.com/index.php/apps/files/?dir=/path/to/resource&fileid=192` | sub folder `/path/to/resource` | - -It contains a path and a `fileid` (which takes precedence). 
- -* Good, because the `fileid` prevents bookmarks from breaking -* Good, because the `dir` reveals context in the form of a path -* Bad, because the web UI needs to look up the space alias in a registry to build an API request for the `/dav/space` endpoint -* Bad, because URLs still contain a long prefix `(/index.php)/apps/files` -* Bad, because the `fileid` needs to be accompanied by a `storageid` to allow efficient routing in ocis -* Bad, because if not configured properly an additional `/index.php` prefixes the route -* Bad, because power users cannot navigate by updating only the path in the URL, as the `fileid` takes precedence. They have to delete the `fileid` to navigate - -### ID based URLs - -MS OneDrive has URLs like this: - -| URL | comment | -|-----|---------| -| `https:///?id=(&cid=)` | pattern, the `cid` is optional but added automatically | -| `https://onedrive.live.com/?id=root&cid=A12345A14B0A7750` | root of a personal drive | -| `https://onedrive.live.com/?id=A12345A14B0A7750%21359&cid=A12345A14B0A7750` | sub folder in a personal drive | - -It contains only IDs but no folder names. The `fileid` is a URL encoded `!`. Very similar to the CS3 `resourceid` which consists of `storageid` and `nodeid`. 
- -* Good, because bookmarks cannot break -* Good, because URLs do not disclose unshared path segments -* Bad, because the web UI needs to look up the space id in a registry to build an API request for the `/dav/space` endpoint -* Bad, because URLs reveal no context to users - -### Path based URLs - -There is a customized ownCloud instance that uses path only based URLs: - -| URL | comment | -|-----|---------| -| `https:///apps/files/?dir=/&` | root of the currently logged in user | -| `https://demo.owncloud.com/apps/files/?dir=/&` | root of the currently logged in user | -| `https://demo.owncloud.com/apps/files/?dir=/path/to/resource&` | sub folder `/path/to/resource` | - -* Good, because the URLs reveal the full path context to users -* Good, because power users can navigate by updating the path in the url -* Bad, because the web UI needs to look up the space id in a registry to build an API request for the `/dav/space` endpoint -* Bad, because the bookmarks break when someone renames a folder in the path -* Bad, because there is no id that can be used as a fallback lookup mechanism -* Bad, because URLs might leak too much context (parent folders of shared files) - -### Space based URLs - -| URL | comment | -|-----|---------| -| `https:///#/s/(/)(?id=)` | the pattern, relative `path` and `resource_id` are optional | -| `https://demo.owncloud.com/#/s/b78c2044-5b51-446f-82f6-907a664d089c:194b4a97-597c-4461-ab56-afd4f5a21607` | root of a storage space, might be the currently logged in users home | -| `https://demo.owncloud.com/#/s/b78c2044-5b51-446f-82f6-907a664d089c:194b4a97-597c-4461-ab56-afd4f5a21607/relative/path/to/resource` | sub folder `/relative/path/to/resource` in the storage with id `b78c2044-5b51-446f-82f6-907a664d089c:194b4a97-597c-4461-ab56-afd4f5a21607`, works ***only*** if path still exists | -| 
`https://demo.owncloud.com/#/s/b78c2044-5b51-446f-82f6-907a664d089c:194b4a97-597c-4461-ab56-afd4f5a21607/relative/path/to/resource?id=ba4c1820-df12-11eb-8dcd-ff21f12c1264:beb78dd6-df12-11eb-a05c-a395505126f6` | sub folder `/relative/path/to/resource` in the storage with id `b78c2044-5b51-446f-82f6-907a664d089c:194b4a97-597c-4461-ab56-afd4f5a21607`, lookup can fall back to the `id` | - -{{< hint >}} -* `/#` is used by the current vue router. -* `/s` denotes that this is a space url. -* `` and `` both consist of `:`, but the `space_id` can be replaced with a shorter id or an alias. See further down below. -* `` takes precedence over the ``, both are optional -{{< /hint >}} - -* Good, because the web UI does not need to look up the space id in a registry to build an API request for the `/dav/space` endpoint -* Good, because the URLs reveal a relevant path context to users -* Good, because everything after the `#` is not sent to the server, building the webdav request to list the folder is offloaded to the clients -* Good, because power users can navigate by updating the path in the url -* Bad, because the current ids are uuid based, leading to very long URLs where the path component nearly vanishes between two very long strings -* Bad, because the `#` in the URL is just a technical requirement -* Bad, because ocis web requires a `/#/files/s` at the root of the route to distinguish the files app from other apps -* Bad, while navigating using the WebUI, the URL has to be updated whenever we change spaces. -* Bad, because the technical `` is meaningless to end users - -With the above explained, let's see some use cases: - -#### Example 1: UserA shares something from her Home folder with UserB - -- open the browser and go to `demo.owncloud.com` -- the browser's url changes to: `https://demo.owncloud.com/#/s/b78c2044-5b51-446f-82f6-907a664d089c:194b4a97-597c-4461-ab56-afd4f5a21607`. You're now in YOUR home folder / personal space. 
-- you create a new folder `/relative/path/to/resource` and navigate into `/relative/path/to` - - the URL now changes to: `https://demo.owncloud.com/#/s/b78c2044-5b51-446f-82f6-907a664d089c:194b4a97-597c-4461-ab56-afd4f5a21607/relative/path/to` -- You share `resource` with some else -- You navigate into `/relative/path/to/resource` - - now the URL would look like: `https://demo.owncloud.com/#/s/b78c2044-5b51-446f-82f6-907a664d089c:3a9305da-df17-11eb-ab99-abe09d93e08a` - -As you can see, even if you're the owner of `/relative/path/to/resource` and navigate into it, the URL changes due to a new space being entered. This ensures that while working in your home folder, copying URLs and giving them to the person you share the resource with, the receiver can still navigate within the new space. - -In short terms, while navigating using the WebUI, the URL has to constantly change whenever we change spaces to reflect the most explicit one. - -#### Example 2: UserA shares something from a Workspace - -Assuming we only have one storage provider; a consequence of this, all storage spaces will start with the same storage_id. - -- open the browser and go to `demo.owncloud.com` -- the browser's url changes to: `https://demo.owncloud.com/#/s/b78c2044-5b51-446f-82f6-907a664d089c:194b4a97-597c-4461-ab56-afd4f5a21607`. You're now in YOUR home folder / personal space. -- you have access to a workspace called `foo` (created by an admin) -- navigate into workspace `foo` - - the URL now changes to: `https://demo.owncloud.com/#/s/b78c2044-5b51-446f-82f6-907a664d089c:d342f9ce-df18-11eb-b319-1b6d9df4bc74`. You are now at the root of the workspace `foo`. - - because we only have one storage provider, the `space_id` section of the URL only updates the `node_id` part of it. - - had we had more than one storage provider, the `space_id` would depend on which storage provider contains the storage space. 
-- you create a folder `/relative/path/to/resource` -- you navigate into `/relative/path/to/resource` - - now the URL would look like: `https://demo.owncloud.com/#/s/b78c2044-5b51-446f-82f6-907a664d089c:d342f9ce-df18-11eb-b319-1b6d9df4bc74/relative/path/to/resource` - - or a more robust url: `https://demo.owncloud.com/#/s/b78c2044-5b51-446f-82f6-907a664d089c:d342f9ce-df18-11eb-b319-1b6d9df4bc74/relative/path/to/resource?id=b78c2044-5b51-446f-82f6-907a664d089c:04f1991c-df19-11eb-9cc7-3b09f04f9ca3` - -#### Spaces Registry - -A big drawback against this idea is that the length of the URL is increased by a lot, rendering them almost unreadable. Introducing a Spaces Registry (SR) would shorten them. Let's see how. - -A URL without a SR would look like: `https://ocis.com/#/s/b78c2044-5b51-446f-82f6-907a664d089c:d342f9ce-df18-11eb-b319-1b6d9df4bc74/TEST?id=b78c2044-5b51-446f-82f6-907a664d089c:04f1991c-df19-11eb-9cc7-3b09f04f9ca3` -The same URL with a SR `https://ocis.com/#/s/workspaceFoo/TEST?id=b78c2044-5b51-446f-82f6-907a664d089c:04f1991c-df19-11eb-9cc7-3b09f04f9ca3` - -Space Registry resolution can happen at the client side (i.e: the client keeps a list of space name -> space id [where space id = storageid + nodeid]; the client queries a SR) or server side. Server side is more resilient due to clients can have limited networking; for instance if they are running on a tight intranet. - -### Mixed Global URLs - -While ID based space URLs can be made more readable by shortening the IDs they only start to reveal context when an alias is used instead of the space id. These aliases however have to be unique identifiers. These aliases should live in namespaces like `/workspaces/marketing` and `/personal/marketing` to make phishing attacks harder (in this case a user that registered with the username `marketing`). But namespaced aliases is semantically equivalent to ... a path hierarchy. 
- -When every space has a namespaced alias and a relative path we can build a global namespace: - -| URL | comment | -|-----|---------| -| `https:///files?id=` | the pattern, `/files` might become optional | -| `https://demo.owncloud.com/files/personal/einstein/?id=b78c2044-5b51-446f-82f6-907a664d089c:194b4a97-597c-4461-ab56-afd4f5a21607` | root of user `einstein` | -| `https://demo.owncloud.com/files/personal/einstein/relative/path/to/resource?id=b78c2044-5b51-446f-82f6-907a664d089c:194b4a97-597c-4461-ab56-afd4f5a21608` | sub folder `/relative/path/to/resource` | -| `https://demo.owncloud.com/files/shares/einstein/somesharename?id=b78c2044-5b51-446f-82f6-907a664d089c:194b4a97-597c-4461-ab56-afd4f5a21608` | shared URL for `/relative/path/to/resource` | -| `https://demo.owncloud.com/files/personal/einstein/marie is stupid/and richard as well/resource?id=b78c2044-5b51-446f-82f6-907a664d089c:194b4a97-597c-4461-ab56-afd4f5a21608` | sub folder `marie is stupid/and richard as well/resource` ... 
something einstein might not want to reveal | -| `https://demo.owncloud.com/files/shares/einstein/resource (2)?id=b78c2044-5b51-446f-82f6-907a664d089c:194b4a97-597c-4461-ab56-afd4f5a21608` | named link URL for `/marie is stupid/and richard as well/resource`, does not disclose the actual hierarchy, has an appended counter to avoid a collision | -| `https://demo.owncloud.com/files/shares/einstein/mybestfriends?id=b78c2044-5b51-446f-82f6-907a664d089c:194b4a97-597c-4461-ab56-afd4f5a21608` | named link URL for `/marie is stupid/and richard as well/resource`, does not disclose the actual hierarchy, has a custom alias for the share | -| `https://demo.owncloud.com/files/public/kcZVYaXr7oZ66bg/relative/path/to/resource` | sub folder `/relative/path/to/resource` in public link with token `kcZVYaXr7oZ66bg` | -| `https://demo.owncloud.com/files/public/kcZVYaXr7oZ66bg/relative/path/to/resource` | sub folder `/relative/path/to/resource` in public link with token `kcZVYaXr7oZ66bg` | -| `https://demo.owncloud.com/s/kcZVYaXr7oZ66bg/` | shortened link to a resource. This is needed to be able to copy a link to a resource without leaking any metadata. | - - -`` is the global path in the CS3 api. The CS3 Storage Registry is responsible by managing the mount points. - -In order to be able to copy and paste URLs all resources must be uniquely identifiable: - -* Instead of `/home` the URL always has to reflect the user: `/personal/einstein` -* Workspaces can use `/workspaces/` or `/workspaces///` where the hierarchy is given by the organization -* Experiments can use `/experiments/` -* Research institutes could set up `/papers//` -* Trash could be accessed by prefixing the namespace alias with `/trash`? or using `/trash/` -* Instead of a namespaced alias a storage space id could be used with a generic `/space/` namespace -* An url shortener can create urls like `/s/` which could be used as a stable link to a resource. 
-* Links for anonymous users will resolve to `/public/` - -The alias namespace hierarchy and depth can be pre-determined by the admin. Even if aliases change the `id` parameter prevents bookmarks from breaking. A user can decide to build a different hierarchy by using his own registry. - -What about shares? Similar to `/home` it must reflect the user: `/shares/einstein` would list all shares *by* einstein for the currently logged-in user. The ui needs to apply the same URL rewriting as for space based URLs: when navigating into a share the URL has to switch from `/personal/einstein/relative/path/to/shared/resource` to `/shares/einstein/`. When more than one `resource` was shared a name collision would occur. To prevent this we can use ids `/shares/einstein/id/`. As a default we could take the alias at creation time from the filename. That way two shares to a resource with the same name, e.g.: `/personal/einstein/project AAA/foo` and `/personal/einstein/project BBB/foo` would lead to `/shares/einstein/foo` (a CS3 internal reference to `/personal/einstein/project AAA/foo`) and `/shares/einstein/foo (2)` (a CS3 internal reference to `/personal/einstein/project BBB/foo`). `foo (2)` would keep its name even when `foo` is deleted or renamed. Well an id as the alias might be better then, because users might rename these aliases, which would break URLs if they have been bookmarked. In any case this would make end user more aware of what they share AND it would allow them to choose an arbitrary context for the links they want to send out: personal internal share URLs. - -With these different namespaces the `/files` part in the URL becomes obsolete, because the files application can be registered for multiple namespaces: `/personal`, `/workspaces`, `/shares`, `/trash` ... 
- -* Good, because it contains a global path -* Good, because spaces with namespaced aliases can be bookmarked and copied into mails or chat without disclosing unshared path segments, as the space is supposed to be shared -* Good, because the UI can detect broken paths and notify the user to update his bookmark if the resource could be found by `id` -* Good, because the `/files` part might only be required for `id` only based lookup to let the web ui know which app is responsible for the route -* Good, because it turns shares into deliberately named spaces in `/shares//` -* Good, because all urls can be shortened to hide any metadata like path, resource name and query parameters -* Bad, because the web UI needs to look up the space alias in a registry to build an API request for the `/dav/space` endpoint - - -### Configurable path component in URLs - -Not every deployment may have the requirement to have the path in the URL. We could use id only based URLs, similar to onedrive and make showing paths configurable. - - -| URL | comment | -|-----|---------| -| `https:///files?id=` | default id based navigation | -| `https:///files?id=` | optional path based navigation with fallback to id | - -In contrast to ownCloud 10 path takes precedence and the user is warned when the fileid in his bookmark no longer matches the id on the server: sth. like "The path of the resource has changed, please verify and update your bookmark!" - -When a file is selected the filename also becomes part of the URL so individual files can be bookmarked. - -If navigation is id based we need to look up the path for the id so we can make a webdav request, or we need to implement the graph drives and driveItem resources. - -The URL `https:///files?id=̀` is sent to the server. It has to look up the correct path and redirect the request, including the path. But that would make all bookmarks contain tha path again, even if paths were configured to not be part of the URL. 
-
-The `/meta/` webdav endpoint can be used to look up the path with property `meta-path-for-user`.
-
-For now, we would use path based navigation with URLs like this:
-
-```
-https:///files?id=
-```
-
-This means that only the _resource path_ is part of the URL path. Any other parameter, e.g. file `id`, `page` or sort order must be given as URL parameters.
-
-- [ ] To make lookup by id possible we need to implement the `/meta/` endpoint so the sdk can use it to look up the path. We should not implement a redirect on the ocis server side because the same redirect logic would need to be added to oc10. Having it in ocis web is the right place.
-
-- [ ] The old sharing links and oc10 urls still need to be redirected by ocis/reva as in oc10.
-
-Public links would have the same format: `https:///files?id=` The web UI has to detect if the user is logged in or not and adjust the ui accordingly.
-
-{{< hint warning >}}
-Since there is no difference between public and private files a logged-in user cannot see the public version of a link unless he logs out.
-{{< /hint >}}
diff --git a/docs/ocis/adr/0012-tracing.md b/docs/ocis/adr/0012-tracing.md
deleted file mode 100644
index e804b4853c..0000000000
--- a/docs/ocis/adr/0012-tracing.md
+++ /dev/null
@@ -1,49 +0,0 @@
----
-title: "12. Tracing"
-weight: 12
-date: 2021-08-17T12:56:53+01:00
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/ocis/adr
-geekdocFilePath: 0012-tracing.md
----
-
-* Status: proposed
-* Deciders: [@butonic](https://github.com/butonic), [@micbar](https://github.com/micbar), [@dragotin](https://github.com/dragotin), [@mstingl](https://github.com/mstingl) [@pmaier1](https://github.com/pmaier1), [@fschade](https://github.com/fschade)
-* Date: 2021-08-17
-
-## Context and Problem Statement
-
-At the time of this writing we are in a situation where our logs have too much verbosity, rendering impossible or rather difficult to debug an instance. For this reason we are giving some care to our traces by updating dependencies from OpenCensus to OpenTelemetry.
-
-## Decision Drivers
-
-- We don't want to rely only on logs to debug an instance.
-- Logs are too verbose.
-- Since we have micro-services, we want to holistically understand a request.
-
-## Considered Options
-
-- Trim down logs
-- Use OpenCensus
-- Migrate to OpenTelemetry
-
-## Decision Outcome
-
-Chosen option: option 3; Migrate to OpenTelemetry. OpenCensus is deprecated, and OpenTelemetry is the merger from OpenCensus and OpenTelemetry and the most recent up-to-date spec.
-
-### Positive Consequences
-
-- Fix the current state of the traces on Reva.
-- Add more contextual information on a span for a given request.
-- Per-request filtering with the `X-Request-Id` header.
-- Group the supported tracing backends to support Jaeger only for simplicity.
-
-## Chosen option approach
-
-- A trace is a tree, and the proxy will create the root trace and propagate it downstream.
-- The Root trace will log the request headers.
-- The unit that ultimately does the work will log the result of the operation if success.
-- The unit that ultimately does the work will change the state of the span to error if any occurred.
-
-With these premises, this is by no means a fixed document and the more we learn about the usage of an instance the more context we can add to the traces.
diff --git a/docs/ocis/adr/0013-locking.md b/docs/ocis/adr/0013-locking.md
deleted file mode 100644
index 693e651c64..0000000000
--- a/docs/ocis/adr/0013-locking.md
+++ /dev/null
@@ -1,96 +0,0 @@
----
-title: "13. Locking"
-weight: 13
-date: 2021-08-17T12:56:53+01:00
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/ocis/adr
-geekdocFilePath: 0013-locking.md
----
-
-- Status: accepted
-- Deciders: [@hodyroff](https://github.com/hodyroff), [@pmaier1](https://github.com/pmaier1), [@jojowein](https://github.com/jojowein), [@dragotin](https://github.com/dragotin), [@micbar](https://github.com/micbar), [@tbsbdr](https://github.com/tbsbdr), [@wkloucek](https://github.com/wkloucek)
-- Date: 2021-11-03
-
-## Context and Problem Statement
-
-At the time of this writing no locking mechanisms exists in oCIS / REVA for both directories and files. The CS3org WOPI server implements a file based locking in order to lock files. This ADR discusses if this approach is ok for the general availability of oCIS or if changes are needed.
-
-## Decision Drivers
-
-- Is the current situation acceptable for the GA
-- Is locking needed or can we have oCIS / REVA without locking
-
-## Considered Options
-
-1. File based locking
-2. No locking
-3. CS3 API locking
-
-## Decision Outcome
-
-For the GA we chose option 2. Therefore we need to remove or disable the file based locking functionality of the CS3org WOPI server. The decision was taken because the current file based locking does not work on file-only shares. The current locking also does not guarantee exclusive access to a file since other parts of oCIS like the WebDAV API or other REVA services don't respect the locks.
-
-After the GA we need to implement option 3.
-
-## Pros and Cons of the Options
-
-### File based locking
-
-The CS3org WOPI server creates a `.sys.wopilock..` and `.~lock.#` file when opening a file in write mode
-
-**File based locking is good**, because:
-
-- it is already implemented in the current CS3org WOPI server
-
-**File based locking is bad**, because:
-
-- lock files should be checked by all parties manipulating files (e.g. the WebDAV api)
-- lock files can be deleted by everyone
-- you can not lock files in a file-only share (you need a folder share to create a lock file besides the original file)
-
-If we have file based locks, we can also sync them with e.g. the Desktop Client.
-
-**Syncing lock files is good**: because
-
-- native office applications can notice lock files by the WOPI server and vice versa (LibreOffice also creates `.lock.#` files)
-
-**Syncing lock files is bad**, because:
-
-- if lockfile is not deleted, no one can edit the file
-- creating lock files in a folder shared with 2000000 users creates a lot of noise and pressure on the server (etag propagation, therefore oC Desktop sync client has an ignore rule for `.~lock.*` files)
-
-### No locking
-
-We remove or disable the file based locking of the CS3org WOPI server.
-
-**No locking is good**, because:
-
-- you don't need to release locks
-- overwriting a file just creates a new version of it
-
-**No locking is bad**, because:
-
-- merging changes from different versions is a pain, since there is no way to calculate differences for most of the files (e.g. docx or xlsx files)
-- no locking breaks the WOPI specs, as the CS3 WOPI server won't be capable to honor the WOPI Lock related operations
-
-### CS3 API locking
-
-- Add CS3 API for resource (files, directories) locking, unlocking and checking locks
- - locking always with timeout
- - lock creation is a "create-if-not-exists" operation
- - locks need to have arbitrary metadata (e.g. the CS3 WOPI server is stateless by storing information on / in the locks)
-- Implement WebDAV locking using the CS3 API
-- Implement Locking in storage drivers
-- Change CS3 WOPI server to use CS3 API locking mechanism
-- Optional: manual lock / unlock in ownCloud Web (who is allowed to unlock locks of another user?)
-
-**CS3 API locking is good**, because:
-
-- you can lock files on the actual storage (if the storage supports that -> storage driver dependent)
-- you can lock files in ownCloud 10 when using the ownCloudSQL storage driver in the migration deployment (but oC10 Collabora / OnlyOffice also need to implement locking, to fully leverage that)
-- clients can get the lock information via the api without ignoring / hiding lock file changes
-- clients can use the lock information to lock the file in their context (e.g. via some file explorer integration)
-
-**CS3 API locking is bad**, because:
-
-- it needs to be defined and implemented, currently not planned for the GA
diff --git a/docs/ocis/adr/0014-microservices-runtime.md b/docs/ocis/adr/0014-microservices-runtime.md
deleted file mode 100644
index 8587089c03..0000000000
--- a/docs/ocis/adr/0014-microservices-runtime.md
+++ /dev/null
@@ -1,63 +0,0 @@
----
-title: "14. Microservices Runtime"
-weight: 14
-date: 2022-01-21T12:56:53+01:00
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/ocis/adr
-geekdocFilePath: 0014-microservices-runtime.md
----
-
-* Status: proposed
-* Deciders: [@butonic](https://github.com/butonic), [@micbar](https://github.com/micbar), [@dragotin](https://github.com/dragotin), [@mstingl](https://github.com/mstingl) [@pmaier1](https://github.com/pmaier1), [@fschade](https://github.com/fschade)
-* Date: 2022-01-21
-
-## Context and Problem Statement
-
-In an environment where shipping a single binary makes it easier for the end user to use oCIS, embedding a whole family of microservices within a package and running it leveraging the use of the Go language has plenty of value. In such environment, a runtime is necessary to orchestrate the services that run within it. Other solutions are hot right now, such as Kubernetes, but for a single deployment this entails orbital measures.
-
-## Decision Drivers
-
-- Start oCIS microservices with a single command (`ocis server`).
-- Clear separation of concerns between services.
-- Control the lifecycle of the running services.
-- Services can be distributed across multiple machines and still be controllable somehow.
-
-## Considered Options
-
-1.The use of frameworks such as:
- asim/go-micro
- go-kit/kit
-2. Build and synchronize all services in-house.
-3. A hybrid solution between framework and in-house.
-
-## Options
-
-### go-kit/kit
-
-Pros
-- Large community behind
-- The creator is a maintainer of Go, so the code quality is quite high.
-
-Cons
-- Too verbose. Ultimately too slow to make progress.
-- Implementing a service would require defining interfaces and a lot of boilerplate.
-
-### asim/go-micro
-
-Pros
-- Implementation based in swappable interfaces.
-- Multiple implementations, either in-memory or through external services
-- Production ready
-- Good compromise between high and low level code.
-
-## Decision Outcome
-
-Number 3: A hybrid solution between framework and in-house.
-
-### Design
-
-{{< figure src="/ocis/static/runtime.drawio.svg" >}}
-
-First of, every ocis service IS a go-micro service, and because go-micro makes use of urfave/cli, a service can be conveniently wrapped inside a subcommand. Writing a supervisor is then a choice. We do use a supervisor to ensure long-running processes and embrace the "let it crash" mentality. The piece we use for this end is called [Suture](https://github.com/thejerf/suture).
-
-The code regarding the runtime can be found pretty isolated [here](https://github.com/owncloud/ocis/blob/d6adb7bee83b58aa3524951ed55872a5f3105568/ocis/pkg/runtime/service/service.go). The runtime itself runs as a service. This is done so messages can be sent to it using the oCIS single binary to control the lifecycle of its services.
diff --git a/docs/ocis/adr/0015-events.md b/docs/ocis/adr/0015-events.md
deleted file mode 100644
index 4a1f55727b..0000000000
--- a/docs/ocis/adr/0015-events.md
+++ /dev/null
@@ -1,100 +0,0 @@
----
-title: "15. oCIS Event System"
-weight: 15
-date: 2022-02-01T12:56:53+01:00
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/ocis/adr
-geekdocFilePath: 0015-events.md
----
-
-* Status: proposed
-* Deciders: [@butonic](https://github.com/butonic), [@micbar](https://github.com/micbar), [@dragotin](https://github.com/dragotin), [@c0rby](https://github.com/c0rby), [@wkloucek](https://github.com/wkloucek)
-* Date: 2022-01-21
-
-## Context and Problem Statement
-
-### Overview
-
-To be able to implement simple, flexible and independent inter service communication there is the idea to implement an event system in oCIS. A service can send out events which are received by one or more other services. The receiving service can cause different kinds of actions based on the event by utilizing the information that the event carries.
-
-### Example: Email Notification
-
-A simple example is the notification feature for oCIS: Users should receive an email when another user shares a file with them. The information, that the file was shared should go out as an event from a storage provider or share manager, carrying the information which file was shared to which receiver. A potential notification service that sends out the email listens to these kinds of events and sends the email out once on every received event of that specific type.
-
-## Decision Drivers
-
-* Events are supposed to decouple services and raise flexibility, also considering extensions that are not directly controlled by the ownCloud project.
-* Events should bring flexibility in the implementation of sending and receiving services.
-* Events should not obsolete other mechanisms to communicate, i.e. grpc calls.
-* Sending an event has to be as little resource consuming for the sender as possible.
-* Events are never user visible.
-
-## Considered Options
-
-1. Lightweight Events with Event Queue and "At most once" QoS
-2. As 1., but with "At least once" QoS
-
-## Options
-
-### 1. Lightweight Events with Event Queue and "At most once" QoS
-
-Reva will get a messaging service that is available to all services within oCIS and Reva. It is considered as one of the mandatory services of the oCIS system. If the messaging backend is not running, neither Reva nor oCIS can be considered healthy and should shut down.
-
-All oCIS- and Reva-services can connect to the messaging bus and send so-called events. The sender gets an immediate return if handing the event to the message bus was successful or not.
-
-The sender can not make any assumptions when the message is delivered to any receiving service. Depending on the QoS model (as proposed as alternatives in this ADR) it might even be not guaranteed that the event is delivered at all. Also, the sender can not know if zero, one or many services are listening to that event.
-
-#### Event Data
-
-Events are identified by their namespace and their respective name. The namespace is delimited by dots and starts with either "reva" or "ocis" or a future extension name. It is followed by the name of the sending service and an unique name of the event.
-
-Example: `ocis.ocdav.delete` - an event with that name sent out if an WebDAV DELETE request arrived in the oCDav service.
-
-An event can carry a payload which is encoded as json object. (See for example [NATS](https://docs.nats.io/using-nats/developer/sending/structure) ). There are no pre-defined members in that object, it is fully up to the sender which data will be included in the payload. Receivers must be robust to deal with changes.
-
-#### Quality of Service
-
-Events are sent with "At most once" quality of service. That means, if a receiver is not present at the moment of publishing it might not receive the event. That requires that the sender and the receiver must have functionality to back up the situation that events were missed. That adds more state to the services because they always need to behave like a [FISM](https://en.wikipedia.org/wiki/Finite-state_machine). Given that the event queue can be considered the backbone of the system, it is unlikely that it is not running.
-
-#### Transactions
-
-The described way of inter service communication with events is not transactional. It is not supposed to be, but only provides a lightweight, loosely coupled way to "inform".
-
-If transactions are required, proper synchronous GRPC API calls should be used. Another way would be to build asynchronous flows with request- and reply events as in [saga pattern](https://microservices.io/patterns/data/saga.html). That is only recommended for special cases.
-
-#### Pros
-
-* Simple setup
-* Flexible way of connecting services
-* Stateless event queue
-* "State of the art" pattern in microservices architectures
-
-#### Cons
-
-* Over engineering: Can we do without an extra message queue component?
-* Messages might get lost, so that eventual consistency is endangered
-* A service needs to hold more state to ensure consistency
-* Message queue needs to be implemented in Reva
-
-### 2. Lightweight Events with Event Queue and "At-least once" QoS
-
-Exactly as described above, but with a higher service level quality.
-
-#### Quality of Service
-
-Events are sent with "At least once" quality of service. That means the events will remain in the queue until they are received by all receivers. This puts more responsibility on the event bus and adds state to the events. Given that the event queue can be considered the backbone of the system, it is required to be running.
-
-#### Pros
-
-* Better service level: Messages do not get lost
-* Simplifies the design of the microservices because the events are "fire-and-forget"
-* Events would be idempotent. If a service goes down the events will stay in the queue until they are consumed
-
-#### Cons
-
-* Stateful event system with higher cost in terms of compute and storage
-* The queue could become a bottleneck and needs to be scaled
-
-## Decision Outcome
-
-### Design
diff --git a/docs/ocis/adr/0016-files-metadata.md b/docs/ocis/adr/0016-files-metadata.md
deleted file mode 100644
index abb7dabf8b..0000000000
--- a/docs/ocis/adr/0016-files-metadata.md
+++ /dev/null
@@ -1,90 +0,0 @@
----
-title: "16. Storage for Files Metadata"
-weight: 16
-date: 2022-03-02T00:00:00+01:00
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/ocis/adr
-geekdocFilePath: 0016-files-metadata.md
----
-
-* Status: superseded by [ADR-0024]({{< ref "0024-msgpack-metadata.md" >}})
-* Deciders: [@butonic](https://github.com/butonic), [@dragotin](https://github.com/dragotin), [@micbar](https://github.com/micbar), [@c0rby](https://github.com/c0rby)
-* Date: 2022-02-04
-
-## Context and Problem Statement
-
-In addition to the file content we need to store metadata which is attached to a file. Metadata describes additional properties of a file. These properties need to be stored as close as possible to the file content to avoid inconsistencies. Metadata are key to workflows and search. We consider them as an additional value which enhances the file content.
-
-## Decision Drivers
-
-* Metadata will become more important in the future
-* Metadata are key to automated data processing
-* Metadata storage should be as close as possible to the file content
-* Metadata should be always in sync with the file content
-
-## Considered Options
-
-* Database
-* Extended file attributes
-* Metadata file next to the file content
-* Linked metadata in separate file
-
-## Decision Outcome
-
-Chosen option: "Extended File Attributes", because we guarantee the consistency of data and have arbitrary simple storage mechanism.
-
-### Positive Consequences
-
-* Metadata is always attached to the file itself
-* We can store arbitrary key/values
-* No external dependencies are needed
-
-### Negative consequences
-
-* The storage inside extended file attributes has limits
-* Changes to extended attributes are not atomic and need file locks
-
-## Pros and Cons of the Options
-
-### Database or Key-Value Store
-
-Use a Database or an external key/value store to persist metadata.
-
-* Good, because it scales well
-* Good, because databases provide efficient lookup mechanisms
-* Bad, because the file content and the metadata could run out of sync
-* Bad, because a storage backup doesn't cover the file metadata
-
-### Extended File Attributes
-
-Extended File Attributes allow storing arbitrary properties. There are 4 namespaces `user`, `system`, `trusted` and `security`. We can safely use the `user` namespace. An example attribute name would be `user.ocis.owner.id`. The linux kernel has length limits on attribute names and values.
-
-From Wikipedia on [Extended file attributes](https://en.wikipedia.org/wiki/Extended_file_attributes#Linux):
-
-> The Linux kernel allows extended attribute to have names of up to 255 bytes and values of up to 64 KiB,[14] as do XFS and ReiserFS, but ext2/3/4 and btrfs impose much smaller limits, requiring all the attributes (names and values) of one file to fit in one “filesystem block” (usually 4 KiB). Per POSIX.1e,[citation needed] the names are required to start with one of security, system, trusted, and user plus a period. This defines the four namespaces of extended attributes.
-
-* Good, because metadata is stored in the filesystem
-* Good, because consistency is easy to maintain
-* Good, because the data is attached to the file and survives file operations like copy and move
-* Good, because a storage backup also covers the file metadata
-* Bad, because we could hit the filesystem limit
-* Bad, because changes to extended attributes are not atomic
-
-### Metadata File
-
-We could store metadata in a metadata file next to the file content which has a structured content format like .json, .yaml or .toml. That would give us more space to store bigger amounts of metadata.
-
-* Good, because there are no size limits
-* Good, because there is more freedom to the content format
-* Good, because a storage backup also covers the file metadata
-* Bad, because it doubles the amount of read / write operations
-* Bad, because it needs additional measures against concurrent overwriting changes
-
-### Link metadata with an id in the extended attributes
-
-To link metadata to file content a single extended attribute with a file id (unique per storage space) is sufficient. This would also allow putting metadata in better suited storage systems like SQLite or a key value store.
-
-* Good, because it avoids extended attribute limits
-* Good, because the same mechanism could be used to look up files by id, when the underlying filesystem is an existing POSIX filesystem.
-* Bad, because backup needs to cover the metadata as well. Could be mitigated by sharing metadata per space and doing space wide snapshots.
-* Bad, because it is a bit more effort to access it to read or index it.
diff --git a/docs/ocis/adr/0017-allow-read-only-external-user-management.md b/docs/ocis/adr/0017-allow-read-only-external-user-management.md
deleted file mode 100644
index cfd78e7560..0000000000
--- a/docs/ocis/adr/0017-allow-read-only-external-user-management.md
+++ /dev/null
@@ -1,111 +0,0 @@
----
-title: "17. Allow read only external User Management"
-weight: 17
-date: 2022-02-08T10:53:00+01:00
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/ocis/adr
-geekdocFilePath: 0017-allow-read-only-external-user-management.md
----
-
-* Status: proposed
-* Deciders: [@butonic](https://github.com/butonic), [@micbar](https://github.com/micbar), [@rhafer](https://github.com/rhafer)
-* Date: 2022-02-08
-
-## Context and Problem Statement
-
-oCIS needs to be integrated with various external Authentication and Identity Management Systems.
-Usually oCIS will have no administrative access to such a system and we will not be allowed to
-reconfigure it to suit our needs (e.g. we will not be able to enhance the schema of an already existing
-LDAP Directory). In most of the cases our access will be read-only.
-
-Sidenote: There is a difference between users, identities and accounts: A user may have multiple
-identities which he can authenticate with, e.g. his facebook, twitter, microsoft or google
-identity. Multiple identities can be linked to an account in ocis, allowing to fall back to another
-identity provider should one of them shut down. This also allows migrating from one identity
-provider to another.
-
-There are different cases where oCIS requires access to users:
-
-1. While we settled on using OpenID Connect (OIDC) as the authentication protocol for oCIS, we
- need to build a user object during authentication with at least an account UUID (to identify
- the account) and the email or a name (for display purposes).
-2. When searching for share recipients we need to be able to query existing users in the external
- identity management system
-3. When listing files we need to be able to look up a users display properties (username, email,
- avatar...) based on the account UUID
-
-oCIS internally relies on a stable and persistent identifier (e.g. a UUID) for accounts in order to
-implement permissions and sharing. Unfortunately, some deployments are unable to deliver this kind
-of stable identifier for users:
-
-- In OIDC itself the only stable identifier that is guaranteed to be provided by the IDP is
- combination of the sub and iss claims. IDPs can optionally return other claims, but we cannot
- rely on a specific claim being present.
-- When no other services (LDAP, SCIM, ...) are available that could be used look up a user UUID
-
-
-## Decision Drivers
-
-* oCIS should be a single binary that can run out of the box without external dependencies like an
- LDAP server.
-* Time: we want to build a release candidate asap.
-* oCIS should be easy to integrate with standard external identity management systems
-
-## Considered Options
-
-There are two case to consider:
-* External identity management system provides an OIDC IdP and an interface to query users
-* External identity management system provides just an OIDC IdP with no possibility to query users
-
-## Decision Outcome
-
-It's not really possible single out any of the options for this ADR. In the end we will likely need
-to support both scenarios.
-
-### Positive Consequences:
-
-* Very flexible integration with a wide range of external systems
-
-### Negative consequences:
-
-* configuration complexity, high support efforts
-* Increasingly complex code in oCIS
-
-## Pros and Cons of the Options
-
-### External identity management system is read only and provides an interface to query users (e.g. Corporate Active Directory)
-
-IdP sends sub & iss and mail or username claims, Identity Management System provides APIs (e.g.
-LDAP, SCIM, REST ...) to lookup additional user information. All oCIS services use the CS3 API to
-look up the account for the given email or username, where CS3 then uses a backend that relies on
-the APIs provided by the IdM.
-
-* Good, because we can rely on the external identity management
-* Good, because ocis services only need to know about the CS3 user provider API, which acts as an
- abstraction layer for different identity management systems
-* Good, because there is only a single source of truth (the external IdM) and we don't need to
- implement a synchronization mechanism to maintain an internal user database (we will likely need
- some form of caching though, see below)
-* Bad, because the identity management needs to provide a stable, persistent, non-reassignable user
- identifier for an account, e.g. `owncloudUUID` or `ms-DS-ConsistencyGuid`
-* Bad, because we need to implement tools that can change the account id when it did change anyway
-* Bad, because without caching we will hammer the identity management system with lookup requests
-
-### External identity management system is read only and does NOT provide an API to query users
-
-Idp sends sub & iss and mail or username claims. We need to provision an internal account mapping,
-creating a unique ID, upon the first login of a user to be able to look up user properties by account
-id.
-
-* Good, because this has very little external requirements
-* Good, because we have accounts fully under our control
-* Bad, because we have to provide the user lookup APIs
-* Bad, because users will only a visible after the first login
-* Bad, because our internal account mapping might get out of date when user attribute (e.g. name or
- mail) change. At least until the next time that user logs in
-
-## Links
-
-* [Link type] [Link to ADR]
-* …
-* supersedes [3. Use external User Management]({{< ref "0003-external-user-management.md" >}})
diff --git a/docs/ocis/adr/0018-file-search-api.md b/docs/ocis/adr/0018-file-search-api.md
deleted file mode 100644
index 51fc25250a..0000000000
--- a/docs/ocis/adr/0018-file-search-api.md
+++ /dev/null
@@ -1,61 +0,0 @@
----
-title: "18. File Search API"
-date: 2022-03-18T09:00:00+01:00
-weight: 18
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/ocis/adr
-geekdocFilePath: 0018-file-search-api.md
----
-
-* Status: proposed
-* Deciders: [@butonic](https://github.com/butonic), [@micbar](https://github.com/micbar), [@dragotin](https://github.com/dragotin), [@c0rby](https://github.com/c0rby)
-* Date: 2022-03-18
-
-## Context and Problem Statement
-
-The ability to find files based on certain search terms is a key requirement for a system that provides the ability to store unstructured data on a large scale.
-
-## Decision Drivers
-
-* Have a simple yet powerful, scalable and performant way of finding files in oCIS
-* Be able to construct intelligent searches based on metadata
-* Allow the user to filter the search queries based on metadata
-
-## Considered Options
-
-* [Libre Graph API](#libre-graph-api)
-* [WebDAV API](#webdav-api)
-
-## Decision Outcome
-
-Chosen option: [WebDAV API](#webdav-api) because the current WebUI is compatible with that API. We may use the GraphAPI later in a second iteration.
-
-### Positive Consequences
-
-* The existing Clients can continue to use the well-known API
-* There are existing API tests which cover the basic behavior
-
-### Negative consequences
-
-* We have no server side result filtering capabilities
-
-## Pros and Cons of the Options
-
-### Libre Graph API
-
-* Good, because we try to switch most of our HTTP requests to Libre Graph
-* Good, because the Graph API supports scopes, sorting and query language
-* Good, because it supports server side result filtering
-* Bad, because there are currently no clients which support that
-
-### WebDAV API
-
-* Good, because WebDAV is a well-known and widely adopted Standard
-* Good, because existing Clients continue to work without extra efforts
-* Bad, because the syntax is limited
-* Bad, because we cannot do server side result filtering
-
-## Links
-
-* [Search Indexing](0019-file-search-index.md)
-* [Search Query Language](0020-file-search-query-language.md)
diff --git a/docs/ocis/adr/0019-file-search-index.md b/docs/ocis/adr/0019-file-search-index.md
deleted file mode 100644
index b80b56c5d2..0000000000
--- a/docs/ocis/adr/0019-file-search-index.md
+++ /dev/null
@@ -1,80 +0,0 @@
----
-title: "19. File Search Index"
-date: 2022-03-18T09:00:00+01:00
-weight: 19
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/ocis/adr
-geekdocFilePath: 0019-file-search-index.md
----
-
-* Status: accepted
-* Deciders: [@butonic](https://github.com/butonic), [@micbar](https://github.com/micbar), [@dragotin](https://github.com/dragotin), [@c0rby](https://github.com/c0rby)
-* Date: 2022-03-18
-
-## Context and Problem Statement
-
-The ability to find files based on certain search terms is a key requirement for a system that provides the ability to store unstructured data on a large scale.
-
-More sophisticated search capabilities are expected and can be implemented, especially based on metadata.
-
-To trigger the indexing of a file, the search service listens to create, update and delete events on the internal event bus of oCIS.
-
-The events need to contain a valid reference that defines the file space and file id of the file in question. The event only must be sent when the file operation (update, creation, removal) is finished.
-
-Sharing adds more complexity because the index also needs to react to create, delete and modify shares events. Sharing should not duplicate the indexed data, especially within spaces or group shares.
-
-## Decision Drivers
-
-* Have a simple yet powerful, scalable and performant way of finding files in oCIS
-* Be able to construct intelligent searches based on metadata
-* Allow the user to filter the search queries based on metadata
-* Basic File Search needs to be implemented out of the box without external dependencies
-* The Search Indexing Service should be replaceable with more sophisticated technologies like Elasticsearch
-* Make use of the spaces architecture to shard search indexes by space
-* The Search Indexing Service needs to deal with multiple users accessing the same resources due to shares
-* The Search Service should be compatible with different search indexing technologies
-
-## Considered Options
-
-* [Bleve Search](#bleve-search)
-* [Elastic Search](#elastic-search)
-
-## Decision Outcome
-
-Chosen option: Bleve Search, because we can fulfill the MVP and include it into the single binary.
-
-### Positive Consequences
-
-* Basic File Search works out of the box
-* We do not need heavy external dependencies which need to be deployed alongside
-
-### Negative consequences
-
-* We need to be aware of the scaling limits
-* We need to find a way to work with shares and spaces
-* It has a limited query language
-
-## Pros and Cons of the Options
-
-### Bleve Search
-
-* Good, because it is written in GoLang and can be bundled into the single oCIS binary
-* Good, because it is a lightweight but powerful solution which could fulfill a lot of use cases
-* Bad, because we do not know exactly how we can represent shares in the index without duplicating data
-* Bad, because it is a single process
-* Bad, because the query language is limited
-
-### Elastic Search
-
-* Good, because it has become an industry standard
-* Good, because it supports a rich query language
-* Good, because it has built in cluster support and scales well
-* Good, because it has a permission system and supports multiple users and groups to access the same resource
-* Bad, because it is a heavy setup and needs extra effort and knowledge
-
-## Links
-
-* [Search API](0018-file-search-api.md)
-* [Search Query Language](0020-file-search-query-language.md)
-* [Bleve Search on GitHub](https://github.com/blevesearch/bleve)
-* [ElasticSearch](https://www.elastic.co/elastic-stack/)
diff --git a/docs/ocis/adr/0020-file-search-query-language.md b/docs/ocis/adr/0020-file-search-query-language.md
deleted file mode 100644
index 372a9065e4..0000000000
--- a/docs/ocis/adr/0020-file-search-query-language.md
+++ /dev/null
@@ -1,110 +0,0 @@
----
-title: "20. File Search Query Language"
-date: 2022-06-23T09:00:00+01:00
-weight: 20
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/ocis/adr
-geekdocFilePath: 0020-file-search-query-language.md
----
-
-* Status: accepted
-* Deciders: [@butonic](https://github.com/butonic), [@micbar](https://github.com/micbar), [@dragotin](https://github.com/dragotin), [@c0rby](https://github.com/c0rby), [@kulmann](https://github.com/kulmann), [@felix-schwarz](https://github.com/felix-schwarz), [@JammingBen](https://github.com/JammingBen)
-* Date: 2023-06-23
-
-## Context and Problem Statement
-
-From the users perspective, the interface to search is just a single form field where the user enters one or more search terms. The minimum expectation is that the search returns file names and links to files that:
-
-* have a file name that contains at least one of the search terms
-* contain at least one of the search terms in the file contents
-* have metadata that is equal or contains one of the search terms
-
-## Decision Drivers
-
-* The standard user should not be bothered by a query syntax
-* The power user should also be able to narrow his search with an efficient and flexible syntax
-* We need to consider different backend technologies which we need to access through an abstraction layer
-* Using different indexing systems should lead to a slightly different feature set without changing the syntax completely
-
-## Considered Options
-
-* [KQL - Keyword Query Language](#keyword-query-language)
-* [Simple Query](#simplified-query)
-* [Lucene Query Language](#lucene-query-language)
-* [Solr Query Language](#solr-query-language)
-* [Elasticsearch Query Language](#elasticsearch-query-language)
-
-## Decision Outcome
-
-Chosen option: [KQL - Keyword Query Language](#keyword-query-language), because it enables advanced search across all platforms.
- -### Positive Consequences - -* We can use the same query language in all clients - -### Negative consequences - -* We need to build and maintain a backend connector - -## Pros and Cons of the Options - -### Keyword Query Language - -The Keyword Query Language (KQL) is used by Microsoft Share Point and other Microsoft Services. It uses very simple query elements, property restrictions and operators. - -* Good, because we can fulfill all our current needs -* Good, because it is very similar to the used query language in iOS -* Good, because it supports date time keywords like "today", "this week" and more -* Good, because it can be easily extended to use "shortcuts" for eg. document types like `:presentation` which combine multiple mime types. -* Good, because it is successfully implemented and used in similar use cases -* Good, because it gives our clients the freedom to always use the same query language across all platforms -* Good, because Microsoft Graph API is using it, we will have an easy transition in the future -* Bad, because we need to build and maintain a connector to different search backends (bleve, elasticsearch or others) - -### Simplified Query - -Implement a very simple search approach: Return all files which contain at least one of the keywords in their name, path, alias or selected metadata. - -* Good, because that covers 80% of the users needs -* Good, because it is very straightforward -* Good, because it is a suitable solution for GA -* Bad, because it is below the industry standard -* Bad, because it only provides one search query - -### Lucene Query Language - -The Lucene Query Parser syntax supports advanced queries like term, phrase, wildcard, fuzzy search, proximity search, regular expressions, boosting, boolean operators and grouping. It is a well known query syntax used by the Apache Lucene Project. 
Popular Platforms like Wikipedia are using Lucene or Solr, which is the successor of Lucene - -* Good, because it is a well documented and powerful syntax -* Good, because it is very close to the Elasticsearch and the Solr syntax which enhances compatibility -* Bad, because there is no powerful and well tested query parser for golang available -* Bad, because it adds complexity and fulfilling all the different query use-cases can be an "uphill battle" - -### Solr Query Language - -Solr is highly reliable, scalable and fault-tolerant, providing distributed indexing, replication and load-balanced querying, automated failover and recovery, centralized configuration and more. Solr powers the search and navigation features of many of the world's largest internet sites. - -* Good, because it is a well documented and powerful syntax -* Good, because it is very close to the Elasticsearch and the Lucene syntax which enhances compatibility -* Good, because it has a strong community with large resources and knowledge -* Bad, because it adds complexity and fulfilling all the different query use-cases can be an "uphill battle" - -### Elasticsearch Query Language - -Elasticsearch provides a full Query DSL (Domain Specific Language) based on JSON to define queries. Think of the Query DSL as an AST (Abstract Syntax Tree) of queries, consisting of two types of clauses. It is able to combine multiple query types into compound queries. It is also a successor of Solr. 
-
-* Good, because it is a well documented and powerful syntax
-* Good, because it is very close to the Elasticsearch and the Solr syntax which enhances compatibility
-* Good, because there is a stable and well tested go client which brings a query builder
-* Good, because it could be used as the query language which supports different search backends by just implementing what is needed for our use-case
-* Bad, because it adds complexity and fulfilling all the different query use-cases can be an "uphill battle"
-
-## Links
-
-* [Search API](0018-file-search-api.md)
-* [Search Indexing](0019-file-search-index.md)
-* [KQL](https://learn.microsoft.com/en-us/sharepoint/dev/general-development/keyword-query-language-kql-syntax-reference)
-* [Apache Lucene](https://lucene.apache.org/)
-* [Apache Solr](https://solr.apache.org/)
-* [Elastic Search](https://solr.apache.org/)
-* [Elastic Search for go](https://github.com/elastic/go-elasticsearch)
diff --git a/docs/ocis/adr/0021-service-accounts.md b/docs/ocis/adr/0021-service-accounts.md
deleted file mode 100644
index 776e6a9cc5..0000000000
--- a/docs/ocis/adr/0021-service-accounts.md
+++ /dev/null
@@ -1,95 +0,0 @@
----
-title: "21. Service accounts"
-date: 2023-01-18T16:07:00+01:00
-weight: 21
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/ocis/adr
-geekdocFilePath: 0021-service-accounts.md
----
-
-* Status: proposed
-* Deciders: [@butonic](https://github.com/butonic), [@c0rby](https://github.com/c0rby)
-* Date: 2023-01-18
-
-## Context and Problem Statement
-
-There are three levels of security checks in a microservice web application that uses OpenID Connect:
-1. **scope claims** limit the possible operations to what the user (or admin on behalf of the organization) consented to
-2. **service authorization** limit the possible operations to what specific services are allowed to do, on behalf of users or even without them
-3. **permission checks** limit the possible operations to the relationships between subject, permission and resource allow
-
-This ADR deals with a prerequisite for service authorization: service accounts.
-
-Some services need access to file content without a user being logged in. We currently pass the owner or manager
-of a space in events which allows the search service to impersonate that user to extract metadata from the changed resource.
-There are two problems with this:
-1. The service could get all permissions of the user and gain write permission
-2. There is a race condition where the user in the event might no longer have read permission, causing the index to go stale
-
-The race condition will become more of an issue when we start working on a workflow engine.
-
-How can we grant services the least amount of permissions required for their purpose?
-
-## Decision Drivers
-
-* It should be possible to represent this as servicePrincipals in the libregraph API, similar to the [MS Graph servicePrincipal](https://learn.microsoft.com/en-us/graph/api/resources/serviceprincipal?view=graph-rest-1.0).
-* Services should check permissions using the oCIS permissions or reva auth service, we don't want to introduce a new mechanism for this
-
-## Considered Options
-
-* [Service Accounts](#service-accounts)
-* [Impersonate Space-Owners](#impersonate-space-owners)
-
-## Decision Outcome
-
-Chosen option: [Service Accounts](#service-accounts)
-
-### Consequences
-
-* Good, because it allows provisioning permissions for services
-* Good, because it uses existing CS3 concepts
-* Good, because it uses the existing permissions service
-* Good, because it can be mapped to libre graph permissions
-* Bad, because we have to make the reva auth manager aware of CS3 [`USER_TYPE_SERVICE`](https://cs3org.github.io/cs3apis/#cs3.identity.user.v1beta1.UserType)
-* Bad, because we have to provision and manage service accounts on init
-* Bad, because external APIs may need to filter out service accounts
-* Bad, because we need to persist service accounts in addition to normal user accounts
-
-## Pros and Cons of the Options
-
-### Service Accounts
-
-Make the reva auth manager and registry aware of CS3 users of type [`USER_TYPE_SERVICE`](https://cs3org.github.io/cs3apis/#cs3.identity.user.v1beta1.UserType). Then we can provision service accounts at oCIS initialization and use the permissions service to check permissions.
-When assigning permissions we use the permission constraints to define the scope of permissions, see [Permission Checks](#permission-checks) for more details.
-
-To authenticate service accounts the static reva auth registry needs to be configured with a new auth provider for type `service`. The actual provider can use a plain JSON file or JSONCS3 that is provisioned once with `ocis init`. TODO Furthermore, the user provider needs to be able to return users for service accounts.
- - -* Good, because we could replace machine auth with specific service accounts and no longer have to distribute a shared secret everywhere -* Bad, because we don't know if a there are places in the code that try to look up a user with USER_TYPE_SERVICE at the cs3 users service ... they might not exist there ... or do we have to implement a userregistry, similar to the authregistry? -* Bad, because we have to provision and manage service accounts on init -* Bad, because we have to write code to manage service accounts or at least filter them out in the admin ui - - -### Impersonate Space-Owners - -We could implement a new auth manager that can authenticate space owners, a CS3 user type we introduced for project spaces which 'have no owner', only one or more managers. - -* Good, because it reuses the space owner user type -* Bad, because the space owner always has write permission -* Bad, because we don't know if a there are places in the code that try to look up a user with USER_TYPE_SPACE_OWNER at the cs3 users service ... they might not exist there ... or do we have to implement a userregistry, similar to the authregistry? -* Bad, because it feels like another hack and does not protect against compromised services that try to execute operations that the user did not consent to. - -## Links - -* [MS Graph servicePrincipal](https://learn.microsoft.com/en-us/graph/api/resources/serviceprincipal?view=graph-rest-1.0) -* [reva auth managers](https://reva.link/docs/config/packages/auth/manager/) - lacks docs for `auth_machine`, to be found [in the code](https://github.com/cs3org/reva/blob/edge/pkg/auth/manager/machine/machine.go) - -## Permission checks -When checking permissions we do not check for global permissions but for the concrete permission. Global permissions describe permissions that are used when assigning permissions, e.g. the index service account has the read permission constrained to tenant. 
The concrete permission check always contains a resource and a specific permission like `Resource.Read` or `Space.Delete`. That we currently check if a user has the `delete-all-spaces` permission is wrong. It should instead check if the user has the permission `Space.Delete` on a specific space. The permissions service can implement the check by taking the permission constraint into account. - -Another example would be a `Resource.Read` check for a specific resource. Normal users like the demo users Einstein and Marie would have the permission `Resource.ReadWrite` with the constraint ALL (which limits them to all files they own and that have been shared with them). The permissions service can return true. Service accounts like the indexer would have `Resource.Read` with the constraint TENANT and thus be granted read access to all resources. - -In the storage drive implementation we can check the ACLs first (which would allow service accounts that are known to the underlying storage system, e.g. EOS to access the resource) and then make a call to the permissions service. At least for the Read Resource permission. Other permission checks can be introduced as needed. - -The permission names and constraints are different from the MS Graph API. Giving permission like [`Files.ReadWrite.All`](https://learn.microsoft.com/en-us/graph/permissions-reference#user-permissions) a different meaning, depending on the type of user (for normal users it means all files they have access to, for service accounts it means all files in the organization) is a source of confusion which only gets worse when there are two different UUIDs for this. diff --git a/docs/ocis/adr/0022-sharing-and-space-management-api.md b/docs/ocis/adr/0022-sharing-and-space-management-api.md deleted file mode 100644 index 4256e2d879..0000000000 --- a/docs/ocis/adr/0022-sharing-and-space-management-api.md +++ /dev/null 
@@ -1,87 +0,0 @@
----
-title: "22. Sharing and Space Management API"
-date: 2023-09-08T02:29:00+01:00
-weight: 22
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/ocis/adr
-geekdocFilePath: 0022-sharing-and-space-management-api.md
----
-
-* Status: accepted
-* Deciders: [@JammingBen](https://github.com/JammingBen) [@butonic](https://github.com/butonic) [@theonering](https://github.com/theonering) [@kobergj](https://github.com/kobergj) [@micbar](https://github.com/micbar)
-* Date: 2023-08-08
-
-Technical Story: [Public issue](https://github.com/owncloud/ocis/issues/6993)
-
-## Context and Problem Statement
-
-In the early days of the rewrite of ownCloud it was an important goal to keep all important APIs compatible with ownCloud 10. Infinite Scale embraced that goal until version 1.0.0.
-
-After that first release, the focus changed.
-
-Infinite Scale started the spaces feature which brings a whole new set of APIs and concepts. We made the conscious decision to keep the sharing API as it was, live with its shortcomings and create workarounds to support spaces. We have come a long way so far. Now we need to move on. The Web Client has made the decision to drop the support of ownCloud 10 and keep version 7.0 alive for ownCloud 10 to keep the easy migration path intact.
-
-The desktop and mobile client platforms were suffering from poor support from the server and can now move forward with a new API implementation. By using openApi 3 and all the needed tooling around it developing the LibreGraph specification, documentaion and SDKs, we now feel confident to move on.
-
-## Decision Drivers
-
-* The Path based nature of the OCS API lacks spaces support
-* The permissions bitmask is no longer working when using sharing roles
-* We want to support server announced sharing roles which are different per instance or scope
-* We need to get rid of the currently hardcoded sharing roles in our clients
-* New sharing roles and permissions are needed to support secure view and other new features
-* Space Memberships are not shares and need to have different semantics
-* Elevation of permissions in subfolders or full denials should be possible without creating a new share
-* Third party integrations need generated SDKs in different languages to speed up the development
-
-## Considered Options
-
-* [New OCS Api Version](#new-ocs-api-version)
-* [Sharing via LibreGraph](#sharing-via-libregraph)
-
-## Decision Outcome
-
-Chosen option: "[LibreGraph](#sharing-via-libregraph)"
-
-### Positive Consequences:
-
-* We can create a new clean API which fits the spaces concept
-* LibreGraph embraces OData which is a known API pattern
-* Sharing will be integrated in the existing SDKs and documentation
-* Removing the OCS Api reduces complexity
-* Removing the OCS Api makes the clients codebases smaller and removes manually maintained parts of the SDKs
-* The extra error handling for the OCS API can be dropped from our clients
-
-### Negative Consequences:
-
-* We need to deprecate and remove the OCS API
-* Existing third party integrations need to do some refactoring
-
-## Pros and Cons of the Options
-
-### New OCS Api Version
-
-To overcome the limitations of the OCS 2.0 API we could create a new major version with the spaces concept in mind. This would give us the opportunity to create a new openApi Spec.
-
-* Good, because the workarounds from version 2.0 could be dropped
-* Bad, because we would need to deprecate the version 2.0
-* Bad, because we would need to maintain a separate specification / repository
-* Bad, because it would create the need to use two different SDKs in our clients
-* Bad, because we would need to implement query parameters and filters on our own
-* Bad, because sharing information could not be included in the spaces API via queries or filters
-
-### Sharing via LibreGraph
-
-Integrate Sharing into the [LibreGraph API](https://github.com/owncloud/libre-graph-api) by using the already existing toolchain and documentation flows.
-
-* Good, because that reduces the number of SDKs
-* Good, because it reduces the number of APIs
-* Good, because spaces and shares can be used together in queries and filters
-* Good, because we would use the existing OData pattern
-* Bad, because we need to deprecate the OCS API
-
-## Links
-
-* [LibreGraph API](https://github.com/owncloud/libre-graph-api)
-* [OData](https://www.odata.org/documentation/)
-* [OpenAPI Standard](https://www.openapis.org/)
diff --git a/docs/ocis/adr/0023-index-and-store-metadata.md b/docs/ocis/adr/0023-index-and-store-metadata.md
deleted file mode 100644
index e040487911..0000000000
--- a/docs/ocis/adr/0023-index-and-store-metadata.md
+++ /dev/null
@@ -1,79 +0,0 @@
----
-title: "23. Index and store metadata"
-date: 2023-10-17T15:15:00+01:00
-weight: 23
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/ocis/adr
-geekdocFilePath: 0023-index-and-store-metadata.md
----
-
-
-* Status: accepted
-* Deciders: [@butonic](https://github.com/butonic), [@theonering](https://github.com/dschmidt), [@micbar](https://github.com/micbar), [@dragotin](https://github.com/dragotin)
-* Date: 2023-10-17
-
-## Context and Problem Statement
-
-ownCloud Infinite Scale is supposed to become a data platform and as such it needs to provide access to metadata.
-Currently only metadata common to all file types (filesize, mime-type, ...) is stored in the index and the metadata storage.
-We want to make other file type specific metadata available to consumers of our internal and external APIs.
-Simple examples would be audio metadata like artist, album and title or exif metadata in images.
-
-## Decision Drivers
-
-## Considered Options
-
-* [Store subset of extracted metadata required for graph api](#store-subset-of-extracted-metadata-required-for-graph-api)
-* [Store subset of extracted metadata specified by another standard](#store-subset-of-extracted-metadata-specified-by-another-standard)
-* [Store everything from extractors](#store-everything-from-extractors)
-
-## Decision Outcome
-
-Chosen option: "[store only subset of extracted metadata required for graph api](#store-subset-of-extracted-metadata-required-for-graph-api)", because Graph API is a simple common denominator and we want to avoid putting the complexity of mapping non-standardized data from potentially different extractors in several areas of the code base. Storage and index keys are determined by facet and property name, e.g. `audio.artist` for the artist in a music file. Storage keys are additionally prefixed with `libre.graph.`, i.e. `libre.graph.audio.artist`.
-Handling Graph API specific metadata is a first step towards handling metadata. More generic and extensible handling of arbitrary metadata can be added later. - -### Positive Consequences: - -* Graph API endpoint implementation is trivial -* Documented public api and stored data are the same -* Reasonable complexity for the initial implementation - -### Negative Consequences: - -* Graph API is limited, so not *all* available metadata can be accessed -* Switching the internal format and adding more metadata later will require re-indexing - -## Pros and Cons of the Options - -### Store Subset of Extracted Metadata Required for Graph API - -Use Graph API facets and properties for determining the subset of stored metadata and the storage key. -The index key for the `artist` property of the `audio` facet is `audio.artist`, the storage key is additionally prefixed with `libre.graph.`. - -* Good, because central mapping of values happens consistently and only once in a central place - - it happens in the extractor (integration) which likely knows best how to map metadata to standard properties -* Good, because when multiple extractors share a common set of provided values, applications can rely on the mapping and the complexity is kept low -* Bad, because not all metadata is available, not everything can be searched -* Good, because Graph API already chose a reasonable subset of most interesting properties - -### Store Subset of Extracted Metadata Specified by Another Standard - -There are a bunch of metadata standards but none of them is really universal. There is always something that is only supported in one or the other standard. Tika for example extracts audio metadata using a mixture of Dublin Core and XMP Dynamic Media keys. 
-
-- Bad, because it makes implementing a new extractor integration harder
-- Bad, because it makes using the stored data more complicated than a simple standard like discussed above
-
-### Store Everything from Extractors
-
-- Good, because all metadata is available and searchable
-- Good, because consuming applications can decide how to map data
-- Good, because extractor implementation becomes more trivial
-- Bad, because all applications become dependent on the extractor and need to handle different extractors on their own
-
-## Links
-
-* https://github.com/owncloud/libre-graph-api/pull/120 / https://learn.microsoft.com/de-de/graph/api/resources/audio?view=graph-rest-1.0
-* https://github.com/owncloud/libre-graph-api/pull/122 / https://learn.microsoft.com/en-us/graph/api/resources/photo?view=graph-rest-1.0
-* https://github.com/owncloud/libre-graph-api/pull/123 / https://learn.microsoft.com/en-us/graph/api/resources/geoCoordinates?view=graph-rest-1.0
-* https://developer.adobe.com/xmp/docs/XMPNamespaces/xmpDM/
-* https://www.dublincore.org/schemas/
diff --git a/docs/ocis/adr/0024-msgpack-metadata.md b/docs/ocis/adr/0024-msgpack-metadata.md
deleted file mode 100644
index fb046dc687..0000000000
--- a/docs/ocis/adr/0024-msgpack-metadata.md
+++ /dev/null
@@ -1,83 +0,0 @@
----
-title: "24. Messagepack metadata"
-date: 2024-02-09T14:57:00+01:00
-weight: 24
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/ocis/adr
-geekdocFilePath: 0024-msgpack-metadata.md
----
-
-
-* Status: accepted
-* Deciders: [@butonic](https://github.com/butonic), [@aduffeck](https://github.com/aduffeck), [@micbar](https://github.com/micbar), [@dragotin](https://github.com/dragotin)
-* Date: [2023-03-15](https://github.com/cs3org/reva/pull/3711/commits/204253eee9dbb8e7fa93a01f3f94a2d28ce40a06)
-
-## Context and Problem Statement
-
-File metadata management is an important aspect for oCIS as a data platform. While using extended attributes to store metadata allows attaching the metadata to the actual file it causes a significant amount of syscalls that outweigh the benefits. Furthermore, filesystems are subject to different limitations in the number of extended attributes or the value size that is available.
-
-## Decision Drivers
-
-Performance of reading extended attributes suffers from the syscall overhead when listing and reading all attributes. Getting rid of limitations imposed by the filesystem used to store decomposedfs metadata.
-
-## Considered Options
-
-Going back to the original [ADR-0016 Storage for Files Metadata]({{< ref "0016-files-metadata.md" >}}) we decided to use a dedicated file for metadata storage next to the decomposedfs file representing the node. Several options for the data format were considered:
-
-* Use JSON files to store metadata
-* Use INI files to store metadata
-* Use msgpack files to store metadata
-* Use protobuf messages to store metadata
-
-## Decision Outcome
-
-Chosen option: "[msgpack files](#msgpack-files)", because we want to stay with a self describing binary format. This is a performance tradeoff that is faster and more efficient than text based formats and more flexible but less efficient than protobuf.
- -Note: directory listings are still read from the storage and remain uncached. - -### Positive Consequences: - -* Way less syscalls -* Node metadata can easily be cached, avoiding all trips to the storage until a file changes. - -### Negative Consequences: - -* We need to migrate existing metadata -* We need to build tooling that allows manipulating metadata similar to `setfattr` and `getfattr`. - -## Pros and Cons of the Options - -### Ini files - -* Good, human readable -* Good, self describing -* Good, widely used and well understood -* Good, suited for key value like content - exactly what we need for extended attributes -* Bad, slower and less efficient than binary formats - -### JSON files - -* Good, human readable -* Good, self describing -* Good, widely used and well understood -* Good, could be used for more than just key value -* Bad, slower and less efficient than binary formats - -### Msgpack files - -* Good, self describing -* Good, efficient because it is binary encoded -* Good, could be used for more than just key value -* Bad, not human readable - requires tooling to manipulate safely - -### protobuf files - -* Good, very efficient because it is binary encoded -* Good, could be used for more than just key value -* Bad, not human readable -* Bad, not self describing - requires tooling to evolve the messages - -## Links - -* supersedes [ADR-0016 Storage for Files Metadata]({{< ref "0016-files-metadata.md" >}}) -* [The need for speed — Experimenting with message serialization](https://medium.com/@hugovs/the-need-for-speed-experimenting-with-message-serialization-93d7562b16e4) \ No newline at end of file diff --git a/docs/ocis/adr/0025-distributed-search-index.md b/docs/ocis/adr/0025-distributed-search-index.md deleted file mode 100644 index 5f257dbdc0..0000000000 --- a/docs/ocis/adr/0025-distributed-search-index.md +++ /dev/null 
@@ -1,76 +0,0 @@ ---- -title: "25. Distributed Search Index" -date: 2024-02-09T16:27:00+01:00 -weight: 25 -geekdocRepo: https://github.com/owncloud/ocis -geekdocEditPath: edit/master/docs/ocis/adr -geekdocFilePath: 0025-distributed-search-index.md ---- - -* Status: draft -* Deciders: [@butonic](https://github.com/butonic), [@fschade](https://github.com/fschade), [@aduffeck](https://github.com/aduffeck) -* Date: 2024-02-09 - -## Context and Problem Statement - -Search is currently implemented with [blevesearch](https://github.com/blevesearch/bleve), which internally uses bbolt. bbolt writes to a local file, which prevents scaling out the service. - -The initial implementation used a single blevesearch index for all spaces. While this makes querying all spaces easy because the results do not need to be aggregated from multiple indexes, the single node becomes a bottleneck when answering search queries. Furthermore, indexing is also part of the search service and has to share the resources. - -## Decision Drivers - -* Indexing should be decoupled from the search service -* The search service should be able to scale horizontally -* The solution needs to be embeddable in the single binary - -## Considered Options - -* one index per space -* [elasticsearch](https://github.com/elastic/elasticsearch) (java) -* [dgraph](https://github.com/dgraph-io/dgraph) (go) -* [manticore](https://github.com/manticoresoftware/manticoresearch/) (C++) -* [meilisearch](https://github.com/meilisearch/meilisearch) (Rust) - -## Decision Outcome - -Chosen option: *???* - -### Positive Consequences: - -* TODO - -### Negative Consequences: - -* TODO - -## Pros and Cons of the Options - -### one index per space - -Instead of using a single index (current implementation) or a distributed search index like elasticsearch the search service should aggregate queries from dedicated indexes per space. 
The api to a space index provider should be able to take multiple space ids in the request, similar to how a storage provider can handle multiple spaces. When treating spaces and the corresponding search index to belong together we can also treat them as a single unit for backup and restore. In federated deployments we can send the search queries to all search providers / spaces that the user has access to. - -How a search provider is implemented then depends on the requirements. For a single node deployment bleve might be fine, for a kubernetes deployment a dedicated service might be the better fit. - -### elasticsearch - -* Good, commercial support available at https://www.elastic.co/de/pricing -* Good, industry standard -* Bad, nobody seems to like it -* Bad, not embeddable (Java) - -### dgraph - -* Good, commercial support available at https://dgraph.io/pricing -* Good, embeddable? (go) - TODO verify - -### manticore -* Good, commercial support available at https://manticoresearch.com/services/ -* Bad, not embeddable (C++) - -### meilisearch -* Good, commercial support available at https://www.meilisearch.com/pricing -* Bad, not embeddable (Rust) - -## Links - -* supersedes [ADR-0019 File Search Index]({{< ref "0019-file-search-index.md" >}}) \ No newline at end of file diff --git a/docs/ocis/adr/0026-application-based-user-settings.md b/docs/ocis/adr/0026-application-based-user-settings.md deleted file mode 100644 index 1ed488f4c1..0000000000 --- a/docs/ocis/adr/0026-application-based-user-settings.md +++ /dev/null 
@@ -1,93 +0,0 @@ ---- -title: "26. Application based user settings" -date: 2024-02-09T17:30:00+01:00 -weight: 26 -geekdocRepo: https://github.com/owncloud/ocis -geekdocEditPath: edit/master/docs/ocis/adr -geekdocFilePath: 0026-application-based-user-settings.md ---- - -* Status: draft -* Deciders: [@butonic](https://github.com/butonic), [@fschade](https://github.com/fschade), [@kulmann](https://github.com/kulmann) -* Date: 2024-02-09 - -## Context and Problem Statement - -To share user settings across devices applications want to store user specific settings on the server. The ePUB app wants to remember which page the user is on. The iOS app wants to rember search queries. The Caldav app needs a space to store data. - -## Decision Drivers - -## Considered Options - -* OCS provisioning API -* settings service -* libregraph API - -## Decision Outcome - -Chosen option: *???* - -### Positive Consequences: - -* TODO - -### Negative Consequences: - -* TODO - -## Pros and Cons of the Options - -### OCS provisioning API - -Nextcloud added a `/ocs/v2.php/apps/provisioning_api/api/v1/config/users/{appId}/{configKey}` endpoint - -* Bad, legacy API we want to get rid of - -### settings service - -- Bad, yet another API. Always uses POST requests. - -### libregraph API - -The MS Graph API has [a special approot driveItem](https://learn.microsoft.com/en-us/graph/api/drive-get-specialfolder?view=graph-rest-1.0&tabs=http) that apps can use to store arbitrary files. See also: -[Using an App Folder to store user content without access to all files](https://learn.microsoft.com/en-us/onedrive/developer/rest-api/concepts/special-folders-appfolder?view=odsp-graph-online) and a blog post with the section [Store data in the application’s personal folder](https://blog.mastykarz.nl/easiest-store-user-settings-microsoft-365-app/#store-data-in-the-applications-personal-folder). 
- -It basically uses the `/me/drive/special/approot:/{filename}` endpoint to -```http -PUT https://graph.microsoft.com/v1.0/me/drive/special/approot:/settings.json:/content -content-type: text/plain -authorization: Bearer abc - -{"key": "value"} -``` -or -```http -GET https://graph.microsoft.com/v1.0/me/drive/special/approot:/settings.json:/content -authorization: Bearer abc -``` - -On single page apps you need two requests: -```http -GET https://graph.microsoft.com/v1.0/me/drive/special/approot:/settings.json?select=@microsoft.graph.downloadUrl -authorization: Bearer abc -``` -followed by -```http -GET -``` - -Currently, applications have no dedicated tokens that we could use to derive the `appid` from. All apps should have an `appid` and [be discoverable under](https://learn.microsoft.com/en-us/graph/api/application-list?view=graph-rest-1.0&tabs=http) -```http -GET /applications -``` - -In any case for libregraph we could introduce a `LIBRE_GRAPH_APPID` header to make these requests possible rather soon. - -Then we can decide if we want to store these files in the users personal drive, or if we create a space for every app that then uses the userid as a folder that contains all the files for the user. - -- Good, because clients can remain in libregraph API land -- Bad, we currently have no application tokens - - - -## Links diff --git a/docs/ocis/adr/0027-new-share-jail.md b/docs/ocis/adr/0027-new-share-jail.md deleted file mode 100644 index 1036301cf4..0000000000 --- a/docs/ocis/adr/0027-new-share-jail.md +++ /dev/null 
@@ -1,94 +0,0 @@ ---- -title: "27. New Share Jail" -date: 2024-02-21T15:19:00+01:00 -weight: 27 -geekdocRepo: https://github.com/owncloud/ocis -geekdocEditPath: edit/master/docs/ocis/adr -geekdocFilePath: 0027-new-share-jail.md ---- - -* Status: draft -* Deciders: [@butonic](https://github.com/butonic), [@rhafer](https://github.com/rhafer), [@dragotin](https://github.com/dragotin) -* Date: 2024-02-21 - -## Context and Problem Statement - -The oCIS share jail is a space that contains all accepted / synced shares of a user. In contrast to a personal or project space that contains actual resources, the share jail space only contains references pointing to shared resources. The root directory only consists of mountpoints that actually represent resources in other spaces. On the WebDAV API clients expect an `oc:fileid` property to identify resources in other API endpoints, eg. the libregraph `/me/sharedWithMe` endpoint. - -Currently, we construct the `oc:fileid` from the pattern `{shareproviderid}${sharespaceid}!{sharemountid}`. `{shareproviderid}`and `{sharespaceid}` are both hardcoded to `a0ca6a90-a365-4782-871e-d44447bbc668`. The `{sharemountid}` itself uses the pattern `{shared-resource-providerid}:{shared-resource-spaceid}:{shareid}`. - -Since a resource can be shared to the same user in multiple ways (a group share and a user share) we deduplicate the two shares and only show one mountpoint in the share jail root. This is where this solution starts to fall apart: -* When accepting, mounting or syncing a share we implicitly have to accept all shares -* Each share has a different `{shareid}`, so we currently look up the oldest share and use it to build the `oc:fileid` -* Consequently, when the oldest share is revoked the `oc:fileid` changes. - -We need to build the `oc:fileid` from a more stable pattern. - -### Shareid - -The WebDAV PROPFIND response also contains a `oc:shareid` which currently is derived from the path when the spaceid matches the share jail. 
The jsoncs3 implementation of the share manager currently is the only one using the `{shared-resource-providerid}:{shared-resource-spaceid}:{shareid}` pattern, where `{shareid}` is a uuid that is generated when creating the share. - -Again, the problem is that a resource can be shared multiple times. - -## Decision Drivers - -* We need to change the `oc:fileid` pattern without breaking clients. -* We need to be able to correlate files from WebDAV and the Graph API. - -## Considered Options - -* [Share based id](#share-based-id) -* [Resource based id](#resource-based-id) -* [Permission based id](#permission-based-id) -* [Use graph for file metadata](#use-graph-for-file-metadata) - -## Decision Outcome - -Resource based id: it correctly reflects the semantic meaning of a mount point, by indirectly pointing to the resource, not the share. The permissions on the share have to be checked in the storageprovider itself, anyway. Switching to graph requires more effort and the transition can happen gradually ofter changing the `oc:fileid` pattern in the sharejail. - -### Positive Consequences: - -* We get rid of mixing share ids with fileids, preventing unexpected `oc:fileid` changes. - -### Negative Consequences: - -* We need to teach clients about a new share jail space that uses the new `oc:fileid` pattern. They may need to implement a migration strategy to switch from the old share jail space to a new share jail space by replacing the fileid in their internal database. The might be able to just switch over, because the only `oc:fileid` that changes is the one from the mountpoints. The other nodes in the subtree already use the resourceid of the shared resource. -* Clients relying on `oc:shareid` to correlate share jail entries in PROPFIND responses need to either deal with multiple `oc:shareid` as a resource can be shared multiple times, or we deprecate `oc:shareid` and only use the `oc:fileid`. *jfd: Who is using this? why? 
Please explain and add to the decision drivers above!* -* The graph api also needs to be able to list entries from the new share jail. *jfd: clients could use a filter to ask for the new share jail id* - -## Pros and Cons of the Options - -### Share based id -Follow the pattern `{shareproviderid}${sharespaceid}!{sharemountid}`, where `{sharemountid}` is `{shared-resource-providerid}:{shared-resource-spaceid}:{shareid}`. -Combined patter `{shareproviderid}${sharespaceid}!{shared-resource-providerid}:{shared-resource-spaceid}:{shareid}`. -`{shareproviderid}` and `{sharespaceid}`are both hardcodet to `a0ca6a90-a365-4782-871e-d44447bbc668` to route all id based requests for mountpoints to the share jail space. - -+ Good, the `{shared-resource-providerid}` and `{shared-resource-spaceid}` are used to shard the shares per space. -- Bad, `oc:fileid` changes if the oldest received share to a resource is revoked. - -### Resource based id -Follow the pattern `{shareproviderid}${sharespaceid}!{shared-resource-providerid}:{shared-resource-spaceid}:{shared-resource-opaqueid}`. -Hardcode `756e6cdf-5630-4b66-9380-55a85188e0f6` as a new `{sharespaceid}` to allow clients to detect the new share jail and change it at their own pace. - -+ Good, stable `oc:fileid` that remains the same, regardless of permission changes. -+ Good, clients can detect the new share jail and deal with it on their terms. - -### Permission based id -Follow the pattern `{shareproviderid}${sharespaceid}!{shared-resource-providerid}:{shared-resource-spaceid}:{shared-resource-opaqueid}:{permission-id}`. - -- Bad, same instability as the share id -- Bad, we don't even have a permission id. We could construct one from the grantee, but this leads nowhere. - - -### Use graph for file metadata -Instead of using WebDAV to correlate files with shares fully embrace libregraph to manage file metadata. 
-Follow the pattern `{shareproviderid}${sharespaceid}!{shared-resource-providerid}:{shared-resource-spaceid}:{shared-resource-opaqueid}`. -WebDAV can be stripped of any ownCloud specific properties and will only be used for file up and download. - -- Bad, more effort -+ Good, clean way of representing mountpoints and the shared resource in one `driveItem` that can include the resource based id. -+ Good, pagination, sorting and filtering cleanly specified -+ Good, WebDAV can be stripped down. -+ Good, Clients could get rid of WebDAV client and XML libs as all endpoints use JSON (all OCS endpoins return JSON when appending a `format=json` query parameter) - -## Links diff --git a/docs/ocis/adr/0028-activities-service.md b/docs/ocis/adr/0028-activities-service.md deleted file mode 100644 index e507de05da..0000000000 --- a/docs/ocis/adr/0028-activities-service.md +++ /dev/null 
@@ -1,106 +0,0 @@ ---- -title: "28. Activity Service" -date: 2024-05-16T15:00:00+01:00 -weight: 28 -geekdocRepo: https://github.com/owncloud/ocis -geekdocEditPath: edit/master/docs/ocis/adr -geekdocFilePath: 0028-activities-service.md ---- - -* Status: draft -* Deciders: [@kobergj](https://github.com/kobergj), [@fschade](https://github.com/fschade) -* Date: 2024-05-16 - -## Context and Problem Statement - -The user should be able to see all activities for a resource. -Besides the current resource, the user should also be able to decide if he wants to include child resource activities or not. - -## Decision Drivers - -* The user should be able to see all activities for a resource. -* The user should be able to decide if he wants to include child resource activities. -* Activities should be stored space efficiently. -* Activities should be stored in a way that they can be queried efficiently. -* Activities should stay in place even if the resource is gone. -* Activities reflect the state at a given point in time and not the current state. -* The Service should only store a configurable number of activities per resource. - -## Considered Options - -### Activity store - -* Use a go-micro store to store the individual activities. -* Use a time series database to store the activities. -* Use a graph database to store the activities. -* Use a relational database to store the activities. -* Use the file system to store the activities. - -### Activity format - -* Normalize the activities before storing them. -* Only store relevant data to get the related event from the event-history service when needed, e.g., - ```go - package pseudo_code - - import ( - "time" - ) - - type Activity struct { - ResourceId string - EventID string - Depth int64 - Timestamp time.Time - } - ``` -* Store the activity in a human-readable way e.g. "resource A has been shared with user B." -* Store each activity only on the resource itself. 
-* Store each activity only on the resource itself and all its parents. - -## Decision Outcome - -* Activity store: - * Use a go-micro store to store the individual activities. -* Activity format: - * Store each activity only on the resource itself and all its parents. - * Only store event ids and get the related event from the event-history service when needed. - -### Positive Consequences: - -* Activity store (go-micro store): - * Reuse existing technology. - * We can use nats-js-kv store which already proved reliable in production. - * No need to introduce any kind of new technology, e.g., a time series database, a relational database. -* Activity Format: - * Having each activity stored on each resource (the resource itself and its parents) - makes it easy to retrieve the timeline of activities for a resource and its children. - * Only storing the event id and getting the related event from the event-history we benefit - from the event-history services capabilities to store and query events. - * Walking the resource tree from the resource to the root is a linear operation and can be done efficiently. - -### Negative Consequences: - -* Activity store: - * Other database types might be more efficient for storing activities. - * Using the go-micro-store only allows storing the activity in a key-value format. -* Activity Format: - * Storing only the event ids and getting the related data from the event-history service when needed - might introduce additional latency when querying activities. - * Adding each event-id to each resource parent leads to a lot of duplicated data. - -## Pros and Cons of the Options - -* Activity store: - * (PRO) Introducing a new database type might be more efficient for storing activities. - * (CON) Introducing a new database type brings extra complexity and maintenance overhead. - * (CON) Using the file system to store the activities might be inefficient and could be problematic especially in a distributed environment. 
-* Activity format: - * (PRO) Normalizing the activities before storing them might make it easier and more efficient to query them. - * (PRO) Storing each activity only on the resource itself is more space-efficient. - * (CON) Storing each activity only on the resource itself increases the complexity of querying activities. - * (CON) Storing each activity in a human-readable format is not space-efficient. - -## Links - -* [Story](https://github.com/owncloud/ocis/issues/8881) diff --git a/docs/ocis/adr/_index.md b/docs/ocis/adr/_index.md deleted file mode 100644 index 2a9216b29d..0000000000 --- a/docs/ocis/adr/_index.md +++ /dev/null @@ -1,15 +0,0 @@ ---- -title: "Architecture Decisions" -date: 2021-02-10T20:21:00+01:00 -weight: 15 -geekdocRepo: https://github.com/owncloud/ocis -geekdocEditPath: edit/master/docs/ocis/adr -geekdocFilePath: _index.md -geekdocCollapseSection: true ---- - -oCIS is documenting architecture decisions using [Markdown Architectural Decision Records](https://adr.github.io/madr/) (MADR), following [Documenting Architecture Decisions by Michael Nygard](https://cognitect.com/blog/2011/11/15/documenting-architecture-decisions). - -{{< toc >}} - -To manage the records we use [butonic/adr-tools](https://github.com/butonic/adr-tools), a fork of the original [npryce/adr-tools](https://github.com/npryce/adr-tools), based on [a pull request that should have added MADR support](https://github.com/npryce/adr-tools/pull/43). It also supports a YAML header that is used by our Hugo based doc generation \ No newline at end of file diff --git a/docs/ocis/backup.md b/docs/ocis/backup.md deleted file mode 100644 index 64aaf89c7a..0000000000 --- a/docs/ocis/backup.md +++ /dev/null 
@@ -1,229 +0,0 @@ ---- -title: "Backup Considerations" -date: 2024-05-07T10:31:00+01:00 -weight: 30 -geekdocRepo: https://github.com/owncloud/ocis -geekdocEditPath: edit/master/docs/ocis -geekdocFilePath: backup.md ---- - -This small guide aims to shed some light on the internal Infinite Scale data structure. You can refer to it when you are trying to optimize your backups or if you are just curious about how Infinite Scale stores its data. - -Note, as a prerequisite backing up Infinite Scale, the instance has to be fully shut down for the time being. - -## Ocis Data Structure - -Ocis stores its data in a folder that can be configured via the environment variable `OC_BASE_DATA_PATH`. Without further configuration, services derive from that path when they store data, though individual settings for certain data types can be configured. - -The default value for the `OC_BASE_DATA_PATH` variable is `$HOME/.ocis` (or `/var/lib/ocis` when using the docker container. Note: Configuration data is by default stored in `/etc/ocis/` in the container.). - -Inside this folder, Infinite Scale will store all its data in separate subdirectories. That includes metadata, configurations, queues and stores etc. The actual bytes of files (blobs) are handled by a so called blobstore, which also stores here by default. Depending on the used blobstore, the blobs need to be backed up separately, for example if S3 is used. Note: See special case for the `config` folder in a docker container. - -### Base Data Path Overview - -Listing the contents of the folder will return the following: -```bash - ~/.ocis/:tree -L 1 -. -├── config -├── idm -├── idp -├── nats -├── proxy -├── search -├── storage -├── thumbnails -└── web - -10 directories, 0 files -``` - -The following sections describe the content and background of the subdirectories to decide if a backup is required or recommended and its effect when it is not backed up. 
- -### `config` - -Contains basic Infinite Scale configuration created by `ocis init`(Note: The location of the configuration folder can be specified with the `OC_CONFIG_DIR` environment variable, but for this document we will assume this variable is not set and the default is used.) - -```bash - ~/.ocis/config/:tree -. -└── ocis.yaml - -1 directory, 1 file -``` - -* `ocis.yaml`:\ -BACKUP RECOMMENDED. Holds Infinite Scale configuration data. The contents can vary depending on your environment variables. In general, most of this file can be recreated again by running `ocis init`. This will recreate secrets and certificates. However, if not backed up completely, some fields MUST be copied over from the old config manually to regain data access after a restore: - -| Field Name | Envvar Name | Description | If not backed up | -| --- | --- | --- | --- | -| `idp.ldap.bind_password` | `OC_LDAP_BIND_PASSWORD` | Password for the idp | no logins possible | -| `idm.service_user_passwords.idp_password`| `IDM_IDPSVC_PASSWORD` | Same as above | no logins possible | -| `system_user_id` | `OC_SYSTEM_USER_ID` | The id of storage-system user | no logins possible | -| `idm.service_user_passwords.reva_password`| `IDM_REVASVC_PASSWORD` | The reva password | no logins possible | -| `auth_basic.auth_providers.ldap.bind_password` | `AUTH_BASIC_LDAP_BIND_PASSWORD` | Same as above | no logins possible | -| `users.drivers.ldap.bind_password` | `USERS_LDAP_BIND_PASSWORD` | Same as above | no logins possible | -| `groups.drivers.ldap.bind_password` | `GROUPS_LDAP_BIND_PASSWORD` | Same as above | no logins possible | -| `storage_users.mount_id` | `STORAGE_USERS_MOUNT_ID` | The mountid of the storage_users service | sharing data lost | -| `gateway.storage_registry.storage_users_mount_id` | `GATEWAY_STORAGE_USERS_MOUNT_ID` | Same as above | sharing data lost | - -### `idm` - -Note: This folder will not appear if you use an external idm. 
Refer to your idms documentation for backup details in this case. - -Contains the data for the internal Infinite Scale identity management. See the [IDM README]({{< ref "../services/idm/_index.md" >}}) for more details. - -```bash - ~/.ocis/idm/:tree -. -├── ldap.crt -├── ldap.key -└── ocis.boltdb - -1 directory, 3 files -``` - -* `ocis.boltdb`:\ -BACKUP REQUIRED. This is the boltdb database that stores user data. Use `IDM_DATABASE_PATH` to specify its path. If not backed up, Infinite Scale will have no users, therefore also all data is lost. -* `ldap.crt`:\ -BACKUP OPTIONAL. This is the certificate for the idm. Use `IDM_LDAPS_CERT` to specify its path. Will be auto-generated if not backed up. -* `ldap.key`:\ -BACKUP OPTIONAL. This is the certificate key for the idm. Use `IDM_LDAPS_KEY` to specify its path. Will be auto-generated if not backed up. - - -### `idp` - -Note: This folder will not appear if you use an external idp. Refer to your idp's documentation for backup details in this case. - -Contains the data for the internal Infinite Scale identity provider. See the [IDP README]({{< ref "../services/idp/_index.md" >}}) for more details. - -```bash - ~/.ocis/idp/:tree -. -├── encryption.key -├── private-key.pem -└── tmp - └── identifier-registration.yaml - -2 directories, 3 files -``` - -* `encryption.key`:\ -BACKUP RECOMMENDED. This is the encryption secret. Use `IDP_ENCRYPTION_SECRET_FILE` to specify its paths. Not backing this up will force users to relogin. -* `private-key.pem`:\ -BACKUP RECOMMENDED. This is the encryption key. Use `IDP_SIGNING_PRIVATE_KEY_FILES` to specify its paths. Not backing this up will force users to relogin. -* `identifier-registration.yml`:\ -BACKUP OPTIONAL. It holds configuration for oidc clients (web, desktop, ios, android). Will be recreated if not backed up. - -### `nats` - -Note: This folder will not appear if you use an external nats installation. In that case, data has to secured in alignment with the external installation. 
- -Contains nats data for streams and stores. See the [NATS README]({{< ref "../services/nats/_index.md" >}}) for more details. - -```bash - ~/.ocis/nats/:tree -L 1 -. -└── jetstream - -``` - -* `jetstream`:\ -BACKUP RECOMMENDED. This folder contains nats data about streams and key-value stores. Use `NATS_NATS_STORE_DIR` to specify its path. Not backing it up can break history for multiple (non-vital) features such as history or notifications. The Infinite Scale functionality is not impacted if omitted. - -### `proxy` - -Contains proxy service data. See the [PROXY README]({{< ref "../services/proxy/_index.md" >}}) for more details. - -```bash - ~/.ocis/proxy/:tree -. -├── server.crt -└── server.key - -1 directory, 2 files -``` - -* `server.crt`:\ -BACKUP OPTIONAL. This is the certificate for the http services. Use `PROXY_TRANSPORT_TLS_CERT` to specify its path. -* `server.key`:\ -BACKUP OPTIONAL. This is the certificate key for the http services. Use `PROXY_TRANSPORT_TLS_KEY` to specify its path. - -### `search` - -Contains the search index. See the [SEARCH README]({{< ref "../services/search/_index.md" >}}) for more details. - -```bash - ~/.ocis/search/:tree -L 1 -. -└── bleve - -2 directories, 0 files -``` - -* `bleve`:\ -BACKUP RECOMMENDED/OPTIONAL. This contains the search index. Can be specified via `SEARCH_ENGINE_BLEVE_DATA_PATH`. If not backed up, the search index needs to be recreated. This can take a long time depending on the amount of files. - -### `storage` - -Contains Infinite Scale meta (and blob) data, depending on the blobstore. See the [STORAGE-USERS README]({{< ref "../services/storage-users/_index.md" >}}) for more details. - -```bash - ~/.ocis/storage/:tree -L 1 -. -├── metadata -├── ocm -└── users - -4 directories, 0 files -``` - -* `metadata`:\ -BACKUP REQUIRED. Contains system data. Path can be specified via `STORAGE_SYSTEM_OC_ROOT`. Not backing it up will remove shares from the system and will also remove custom settings. 
-* `ocm`:\ -BACKUP REQUIRED/OMITABLE. Contains ocm share data. When not using ocm sharing, this folder does not need to be backed up. -* `users`:\ -BACKUP REQUIRED. Contains user data. Path can be specified via `STORAGE_USERS_OCIS_ROOT`. Not backing it up will remove all spaces and all files. As result, you will have a configured but empty Infinite Scale instance, which is fully functional accepting new data. Old data is lost. - -### `thumbnails` - -Contains thumbnails data. See the [THUMBNAILS README]({{< ref "../services/thumbnails/_index.md" >}}) for more details. - -```bash - ~/.ocis/thumbnails/:tree -L 1 -. -└── files -``` - -* `files`:\ -OPTIONAL/RECOMMENDED. This folder contains prerendered thumbnails. Can be specified via `THUMBNAILS_FILESYSTEMSTORAGE_ROOT`. If not backed up, thumbnails will be regenerated automatically on access which leads to some load on the thumbnails service. - -### `web` - -Contains web assets such as custom logos, themes etc. See the [WEB README]({{< ref "../services/web/_index.md" >}}) for more details. - -```bash - ~/.ocis/web/:tree -L 1 -. -└── assets - -2 directories, 0 files -``` - -* `assets`:\ -BACKUP RECOMMENDED/OMITABLE. This folder contains custom web assets. Can be specified via `WEB_ASSET_CORE_PATH`. If no custom web assets are used, there is no need for a backup. If those exist but are not backed up, they need to be reuploaded. - -### `external services` - -When using an external idp/idm/nats or blobstore, its data needs to be backed up separately. Refer to your idp/idm/nats/blobstore documentation for backup details. - -## Backup Consistency Command - -Infinite Scale now allows checking an existing backup for consistency. Use the command: -```bash -ocis backup consistency -p "" -``` - -`path-to-base-folder` needs to be replaced with the path to the storage providers base path. Should be same as the `STORAGE_USERS_OCIS_ROOT` - -Use the `-b s3ng` option when using an external (s3) blobstore. 
Note: When using this flag, the path to the blobstore must be configured via envvars or a yaml file to match the configuration of the original instance. Consistency checks for other blobstores than `ocis` and `s3ng` are not supported at the moment. diff --git a/docs/ocis/config.md b/docs/ocis/config.md deleted file mode 100644 index 05ad081bbb..0000000000 --- a/docs/ocis/config.md +++ /dev/null 
@@ -1,170 +0,0 @@ ---- -title: "Configuration" -date: "2021-11-09T00:03:16+0100" -weight: 2 -geekdocRepo: https://github.com/owncloud/ocis -geekdocEditPath: edit/master/docs/ocis -geekdocFilePath: config.md ---- - -{{< toc >}} - -## Configuration Framework - -In order to simplify deployments and development the configuration model from oCIS aims to be simple yet flexible. - -## Overview of the approach - -{{< figure src="/ocis/static/ocis-config-redesign.drawio.svg" >}} - -## In-depth configuration - -Since we include a set of predefined extensions within the single binary, configuring an extension can be done in a variety of ways. Since we work with complex types, having as many cli per config value scales poorly, so we limited the options to config files and environment variables. - -The hierarchy is clear enough, leaving us with: - -_(each element above overwrites its precedent)_ - -1. env variables -2. extension config -3. ocis config - -This is manifested in the previous diagram. We can then speak about "configuration file arithmetics", where resulting config transformations happen through a series of steps. An administrator must be aware of these sources, since mis-managing them can be a source of confusion, having undesired transformations on config files believed not to be applied. - -## Flows - -Let's explore the various flows with examples and workflows. - -### Examples - -Let's explore with examples this approach. - -#### Expected loading locations - -- docker images: `/etc/ocis/` -- binary releases: `$HOME/.ocis/config/` - -followed by the `.yaml`, e.g. `proxy.yaml` for the extension configuration. You also can put an `ocis.yaml` config file to the expected loading location to use a single config file. - -You can set another directory as config path in the environment variable `OC_CONFIG_DIR`. It will then pick the same file names, but from the folder you configured. 
- -#### Only config files - -The following config files are present in the default loading locations: - -_ocis.yaml_ -```yaml -proxy: - http: - addr: localhost:1111 - log: - pretty: false - color: false - level: info -log: - pretty: true - color: true - level: info -``` - -_proxy.yaml_ -```yaml -http: - addr: localhost:3333 -``` - -Note that the extension files will overwrite values from the main `ocis.yaml`, causing `ocis server` to run with the following configuration: - -```yaml -proxy: - http: - addr: localhost:3333 -log: - pretty: true - color: true - level: info -``` - -#### Using ENV variables - -The logging configuration if defined in the main ocis.yaml is inherited by all extensions. It can be, however, overwritten by a single extension file if desired. The same example can be used to demonstrate environment values overwrites. With the same set of config files now we have the following command `PROXY_HTTP_ADDR=localhost:5555 ocis server`, now the resulting config looks like: - -```yaml -proxy: - http: - addr: localhost:5555 -log: - pretty: true - color: true - level: info -``` - -#### Substitute ENV variables in configuration files - -Environment variables can be used in the configurations files and will be replaced by oCIS when loading these. -Default values can be specified after a `|` character - see below. - -```yaml -proxy: - http: - addr: ${PROXY_HTTP_ADDR|localhost:4321} -log: - pretty: true - color: true - level: info -``` - -### Workflows - -Since one can run an extension using the runtime (supervised) or not (unsupervised), we ensure correct behavior in both modes, expecting the same outputs. - -#### Supervised - -You are using the supervised mode whenever you issue the `ocis server` command. We start the runtime on port `9250` (by default) that listens for commands regarding the lifecycle of the supervised extensions. 
When an extension runs supervised and is killed, the only way to provide / overwrite configuration values will be through an extension config file. This is due to the parent process has already started, and it already has its own environment. - -#### Unsupervised - -All the points from the priority section hold true. An unsupervised extension can be started with the format: `ocis [extension]` i.e: `ocis proxy`. First, `ocis.yaml` is parsed, then `proxy.yaml` followed by environment variables. - -## Shared Values - -When running in supervised mode (`ocis server`) it is beneficial to have common values for logging, so that the log output is correctly formatted, or everything is piped to the same file without duplicating config keys and values all over the place. This is possible using the global `log` config key: - -_ocis.yaml_ -```yaml -log: - level: error - color: true - pretty: true - file: /var/tmp/ocis_output.log -``` - -There is, however, the option for extensions to overwrite this global values by declaring their own logging directives: - -_ocis.yaml_ -```yaml -log: - level: info - color: false - pretty: false -``` - -One can go as far as to make the case of an extension overwriting its shared logging config that received from the main `ocis.yaml` file. Because things can get out of hands pretty fast we recommend not mixing logging configuration values and either use the same global logging values for all extensions. - -{{< hint warning >}} -When overwriting a globally shared logging values, one *MUST* specify all values. -{{< /hint >}} - -### Log config keys - -```yaml -log: - level: [ error | warning | info | debug ] - color: [ true | false ] - pretty: [ true | false ] - file: [ path/to/log/file ] # MUST not be used with pretty = true -``` - -## Default config values (in yaml) - -TBD. Needs to be generated and merged with the env mappings. 
diff --git a/docs/ocis/deployment/_index.md b/docs/ocis/deployment/_index.md
deleted file mode 100644
index 0ddd1a10e9..0000000000
--- a/docs/ocis/deployment/_index.md
+++ /dev/null
@@ -1,31 +0,0 @@
----
-title: "Deployment"
-date: 2020-10-01T20:35:00+01:00
-weight: 20
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/ocis/deployment
-geekdocFilePath: _index.md
-geekdocCollapseSection: true
----
-
-{{< toc >}}
-
-## Deployments scenarios and examples
-This section handles deployments and operations for admins and people who are interested in how versatile oCIS is. If you want to just try oCIS you may also follow [Getting started]({{< ref "../getting-started" >}}).
-
-### Setup oCIS on your server
-oCIS deployments are super simple, yet there are many configurations possible for advanced setups.
-
-- [Basic oCIS setup]({{< ref "basic-remote-setup" >}}) - configure domain, certificates and port
-- [oCIS setup with Keycloak as identity provider]({{< ref "ocis_keycloak" >}})
-- [Flexible oCIS setup with WebOffice and Search capabilities]({{< ref "ocis_full" >}})
-- [Parallel deployment of oC10 and oCIS]({{< ref "oc10_ocis_parallel" >}})
-- [oCIS with the Hello extension example]({{< ref "ocis_hello" >}})
-
-
-## Secure an oCIS instance
-
-oCIS no longer has any default secrets in versions later than oCIS 1.20.0. Therefore you're no
-longer able to start oCIS without generating / setting all needed secrets.
-
-The recommended way is to use `ocis init` for that. It will generate a secure config file for you.
diff --git a/docs/ocis/deployment/basic-remote-setup.md b/docs/ocis/deployment/basic-remote-setup.md
deleted file mode 100644
index 310c7619ba..0000000000
--- a/docs/ocis/deployment/basic-remote-setup.md
+++ /dev/null
@@ -1,54 +0,0 @@ ---- -title: "Basic Remote Setup" -date: 2020-02-27T20:35:00+01:00 -weight: 16 -geekdocRepo: https://github.com/owncloud/ocis -geekdocEditPath: edit/master/docs/ocis/deployment -geekdocFilePath: basic-remote-setup.md ---- - -{{< toc >}} - -The default configuration of the oCIS binary and the `owncloud/ocis` docker image assume, that you access oCIS on `localhost`. This enables you to do quick testing and development without any configuration. - -If you need to access oCIS running in a docker container, on a VM or a remote machine via another hostname than `localhost`, you need to configure this hostname in oCIS. The same applies if you are not using hostnames but instead an IP (e.g. `192.168.178.25`). - -## Start the oCIS fullstack server from binary - -Initialize the oCIS configuration by running `./bin/ocis init`. - -Upon first start of the oCIS fullstack server with `./bin/ocis server` it will generate a directory tree skeleton in `$HOME/.ocis`. If that is already existing it will not be overwritten as it contains all relevant data for oCIS. - -For the following examples you need to have the oCIS binary in your current working directory, we assume it is named `ocis` and it needs to be marked as executable. See [Getting Started]({{< ref "../getting-started/#binaries" >}}) for where to get the binary from. - -### Using automatically generated certificates - -In order to run oCIS with automatically generated and self-signed certificates please execute following command. You need to replace `your-host` with an IP or hostname. Since you have only self-signed certificates you need to have `OC_INSECURE` set to `true`. 
- -```bash -OC_INSECURE=true \ -PROXY_HTTP_ADDR=0.0.0.0:9200 \ -OC_URL=https://your-host:9200 \ -./ocis server -``` - -### Using already present certificates - -If you have your own certificates already in place, you may want to make oCIS use them: - -```bash -OC_INSECURE=false \ -PROXY_HTTP_ADDR=0.0.0.0:9200 \ -OC_URL=https://your-host:9200 \ -PROXY_TRANSPORT_TLS_KEY=./certs/your-host.key \ -PROXY_TRANSPORT_TLS_CERT=./certs/your-host.crt \ -./ocis server -``` - -If you generated these certificates on your own, you might need to set `OC_INSECURE` to `true`. - -For more configuration options check the configuration section in [oCIS]({{< ref "../config" >}}) and the oCIS services. - -## Start the oCIS fullstack server with Docker Compose - -Please have a look at our other [deployment examples]({{< ref "./" >}}). diff --git a/docs/ocis/deployment/bridge.md b/docs/ocis/deployment/bridge.md deleted file mode 100644 index 9835a936a8..0000000000 --- a/docs/ocis/deployment/bridge.md +++ /dev/null 
@@ -1,318 +0,0 @@ ---- -title: "Bridge" -date: 2020-02-27T20:35:00+01:00 -weight: 30 -geekdocRepo: https://github.com/owncloud/ocis -geekdocEditPath: edit/master/docs/ocis/deployment -geekdocFilePath: bridge.md ---- - -{{< toc >}} - -We are planning to build a bridge from ownCloud 10 to ocis. The idea is to have a reverse proxy in front of ownCloud 10 that will forward requests to ownCloud 10 or ocis-reva, depending on the migration status of the logged-in user. - -This document is a work in progress of the current setup. - -## Current status - -Using ocis and the ownCloud 10 [graphapi app](https://github.com/owncloud/graphapi/) it is possible today to use an existing owncloud 10 instance as a user backend and storage backend for ocis. - -## How to do it - -### Install the owncloud 10 graphapi app - -In an owncloud 10 apps folder -``` -$ git clone git@github.com:owncloud/graphapi.git -$ cd graphapi -$ composer install -``` - -### Enable the graphapi app - -``` -occ a:e graphapi -``` - -No configuration necessary. You can test with `curl`: -```console -$ curl https://cloud.ocis.test/index.php/apps/graphapi/v1.0/users -u admin -s | jq -Enter host password for user 'admin': -{ - "value": [ - { - "id": "admin", - "displayName": "admin", - "mail": null - }, - { - "id": "demo", - "displayName": "Demo", - "mail": null - }, - ... - - ], - "@odata.nextLink": "https://cloud.ocis.test/apps/graphapi/v1.0/users?$top=10&$skip=10" -} -``` - -{{< hint >}} -The MS graph api actually asks for `Bearer` auth, but in order to check users passwords during an LDAP bind we are exploiting ownClouds authentication implementation that will grant access when `Basic` auth is used. An LDAP Bind you may ask? Read on! -{{< /hint >}} - -### Grab ocis! - -``` -$ git clone git@github.com:owncloud/ocis.git -$ cd ocis -$ make -C ocis build -``` -This should give you an `ocis/bin/ocis` binary. Try listing the help with `ocis/bin/ocis --help`. 
- -{{< hint >}} -You can check out a custom branch and build a custom binary which can then be used for the steps below. -{{< /hint >}} - -### Start ocis glauth - -We are going to use the built binary and ownCloud 10 graphapi app to turn ownCloud 10 into the datastore for an LDAP proxy. - -#### configure it - -While ocis can be configured using environment variables, e.g. for a docker compose setup we are going to use a more traditional config file here. -Create a config file for ocis in either `/etc/ocis`, `$HOME/.ocis` or `./.config`. You can use `.json`, `.yaml` or `.toml`. I will use toml here, because ... reasons. - -```toml -[glauth.backend] -datastore = "owncloud" # switch to the owncloud datastore -servers = ["https://cloud.ocis.test/apps/graphapi/v1.0"] # the graph api endpoint to connect to -basedn = "dc=ocis,dc=test" # base dn to construct the LDAP dn. The user `admin` will become `cn=admin,dc=ocis,dc=test` -``` - -{{< hint >}} -There is a bug in the config merging for environment variables, cli flags and config files causing log settings not to be picked up from the config file when specifying `--extensions`. That is why I will -* configure most of the config in a file, -* adjust logging using `OC_LOG_*` environment variables and -* specify which extension to run using `ocis/bin/ocis server --extensions "comma, separated, list, of, extensions"`. -{{< /hint >}} - -#### Run it! 
- -For now, we only start the glauth extension: -```console -$ OC_LOG_PRETTY=true OC_LOG_COLOR=true ocis/bin/ocis server --extensions "glauth" -``` - -#### Check it is up and running - -You should now be able to list accounts from your ownCloud 10 oc_accounts table using: -```console -$ ldapsearch -x -H ldap://127.0.0.1:9125 -b dc=ocis,dc=test -D "cn=admin,dc=ocis,dc=test" -W '(objectclass=posixaccount)' -``` - -Groups should work as well: -```console -$ ldapsearch -x -H ldap://127.0.0.1:9125 -b dc=ocis,dc=test -D "cn=admin,dc=ocis,dc=test" -W '(objectclass=posixgroup)' -``` - -{{< hint >}} -This is currently a readonly implementation and minimal to the use-case of authenticating users with an IDP. -{{< /hint >}} - -### Start ocis storage-gateway, storage-authbasic and storage-userprovider - -We are going to set up reva to authenticate users against our glauth LDAP proxy. This allows us to log in and use the reva cli. The ocis storage-gateway starts the reva gateway which will authenticate basic auth requests using the storage-authbasic service. Furthermore, users have to be available in the storage-userprovider to retrieve displayname, email address and other user metadata. - -To configure LDAP to use our glauth we add this section to the config file: - -```toml -[storage.reva.ldap] -idp = "https://ocis.ocis.test" -basedn = "dc=ocis,dc=test" -binddn = "cn=admin,dc=ocis,dc=test" # an admin user in your oc10 -bindpassword = "secret" -userschema = { uid = "uid", displayname = "givenname" } # TODO make glauth return an ownclouduuid and displayname attribute -``` - -Now we can start all necessary services. - -```console -$ OC_LOG_PRETTY=true OC_LOG_COLOR=true ocis/bin/ocis server --extensions "glauth, storage-gateway, storage-authbasic, storage-userprovider" -``` - - -{{< hint warning >}} -Here I ran out of time. 
I tried to verify this step with the reva cli: -`cmd/reva/reva -insecure -host localhost:9142` -`login basic` -but it tries to create the user home, which cannot be disabled in a config file: https://github.com/owncloud/ocis/issues/2416#issuecomment-901197053 - -starting `STORAGE_GATEWAY_DISABLE_HOME_CREATION_ON_LOGIN=true OC_LOG_LEVEL=debug OC_LOG_PRETTY=true OC_LOG_COLOR=true ocis/bin/ocis server --extensions "storage-gateway, storage-authbasic, storage-userprovider"` let me login: - -```console -✗ cmd/reva/reva -insecure -host localhost:9142 -reva-cli v1.11.0-27-g95b1f2ee (rev-95b1f2ee) -Please use `exit` or `Ctrl-D` to exit this program. ->> login basic -username: jfd -password: OK ->> whoami -id: username:"jfd" mail:"jfd@butonic.de" display_name:"J\303\266rn" uid_number:99 gid_number:99 ->> exit -``` - -I hope https://github.com/owncloud/ocis/pull/2024 fixes the parsing order of things. - -everything below this is outdated - -... gotta run -{{< /hint >}} - - -### Start ocis storage-userprovider - -```console -ocis/bin/ocis storage-userprovider --ldap-port 19126 --ldap-user-schema-uid uid --ldap-user-schema-displayName givenName --addr :19144 -``` - -TODO clone `git clone git@github.com:cs3org/cs3apis.git` - -query users using [grpcurl](https://github.com/fullstorydev/grpcurl) -```console -grpcurl -import-path ./cs3apis/ -proto ./cs3apis/cs3/identity/user/v1beta1/user_api.proto -plaintext localhost:19144 cs3.identity.user.v1beta1.UserAPI/FindUsers -ERROR: - Code: Unauthenticated - Message: auth: core access token not found -``` - - -### Start ocis idp - -#### Set environment variables - -The built-in [libregraph/lico](https://github.com/libregraph/lico) needs environment variables to configure the LDAP server: -```console -export OC_URL=https://ocis.ocis.test -export IDP_LDAP_URI=ldap://127.0.0.1:9125 -export IDP_LDAP_BASE_DN="dc=ocis,dc=test" -export IDP_LDAP_BIND_DN="cn=admin,dc=ocis,dc=test" -export IDP_LDAP_BIND_PASSWORD="its-a-secret" -export 
IDP_LDAP_SCOPE=sub -export IDP_LDAP_LOGIN_ATTRIBUTE=uid -export IDP_LDAP_NAME_ATTRIBUTE=givenName -``` -Don't forget to use an existing user with admin permissions (only admins are allowed to list all users via the graph api) and the correct password. - -#### Run it! - -You can now bring up `ocis/bin/ocis idp` with: -```console -$ ocis/bin/ocis idp server --iss http://127.0.0.1:9130 --signing-kid gen1-2020-02-27 -``` - -`ocis/bin/ocis idp` needs to know -- `--iss http://127.0.0.1:9130` the issuer, which must be a reachable http endpoint. For testing an ip works. For openid connect HTTPS is NOT optional. This URL is exposed in the `http://127.0.0.1:9130/.well-known/openid-configuration` endpoint and clients need to be able to connect to it, securely. We will change this when introducing the proxy. -- `--signing-kid gen1-2020-02-27` a signature key id, otherwise the jwks key has no name, which might cause problems with clients. a random key is ok, but it should change when the actual signing key changes. - -{{< hint warning >}} -* TODO: the port in the `--iss` needs to be changed when hiding the idp behind the proxy -* TODO: the signing keys and encryption keys should be precreated so they are reused between restarts. Otherwise all client sessions will become invalid when restarting the IdP. -{{< /hint >}} - - -#### Check it is up and running - -1. Try getting the configuration: -```console -$ curl http://127.0.0.1:9130/.well-known/openid-configuration -``` - -2. Check if the login works at http://127.0.0.1:9130/signin/v1/identifier - -{{< hint >}} -If you later get a `Unable to find a key for (algorithm, kid):PS256, )` Error make sure you did set a `--signing-kid` when starting `ocis/bin/ocis idp` by checking it is present in http://127.0.0.1:9130/konnect/v1/jwks.json -{{< /hint >}} - -### Start ocis proxy - - -{{< hint >}} -Everything below this hint is outdated. Next steps are roughly: -* directly after glauth start the `ocis storage-userporvider`? 
- - how to verify that works? - - https://github.com/fullstorydev/grpcurl -* start proxy - - the ocis ipd url can be changed to https - - when do we hide oc10 behind ocis? -> advanced bridge at the end? for now run it without touching the existing oc10 instance -* start web - - verify the login works, but how? - - TODO the login works, but then the capabilities requests will fail ... unless we make the proxy answer them by talking to oc10? - -Other ideas: -* the owncloud backend in glauth also works with the user provisioning api ... no changes to a running production instance? db access could be done with a read only account as well... -{{< /hint >}} - - -### Start ocis-web - -#### Run it! - -Point `ocis-web` to your owncloud domain and tell it where to find the openid connect issuing authority: -```console -$ bin/web server --web-config-server https://cloud.example.com --oidc-authority https://192.168.1.100:9130 --oidc-metadata-url https://192.168.1.100:9130/.well-known/openid-configuration --oidc-client-id ocis -``` - -`ocis-web` needs to know -- `--web-config-server https://cloud.example.com` is ownCloud url with webdav and ocs endpoints (oc10 or ocis) -- `--oidc-authority https://192.168.1.100:9130` the openid connect issuing authority, in our case `oidc-idp`, running on port 9130 -- `--oidc-metadata-url https://192.168.1.100:9130/.well-known/openid-configuration` the openid connect configuration endpoint, typically the issuer host with `.well-known/openid-configuration`, but there are cases when another endpoint is used, e.g. ping identity provides multiple endpoints to separate domains -- `--oidc-client-id ocis` the client id we will register later with `ocis-idp` in idp OIDC client settings - -### Patch owncloud - -While the UserSession in ownCloud 10 is currently used to test all available IAuthModule implementations, it immediately logs out the user when an exception occurs. 
However, existing owncloud 10 instances use the oauth2 app to create Bearer tokens for mobile and desktop clients. - -To give the openidconnect app a chance to verify the tokens we need to change the code a bit. See https://github.com/owncloud/core/pull/37043 for a possible solution. - -> Note: The PR is hot ... as in *younger than this list of steps*. And it messes with authentication. Use with caution. - -### Install the owncloud 10 openidconnect app - -In an owncloud 10 apps folder -``` -$ git clone git@github.com:owncloud/openidconnect.git -$ cd openidconnect -$ composer install -``` - -After enabling the app configure it in `config/oidc.config.php` - -```php -$CONFIG = [ - 'openid-connect' => [ - 'provider-url' => 'https://192.168.1.100:9130', - 'client-id' => 'ocis', - 'loginButtonName' => 'OpenId Connect @ Konnectd', - ], - 'debug' => true, // if using self-signed certificates - // allow the different domains access to the ocs and webdav endpoints: - 'cors.allowed-domains' => [ - 'https://cloud.example.com', - 'http://localhost:9100', - ], -]; -``` - -In the above configuration replace -- `provider-url` with the URL to your `ocis-idp` issuer -- `https://cloud.example.com` with the URL to your ownCloud 10 instance -- `http://localhost:9100` with the URL to your ownCloud Web instance - -> Note: By default the openidconnect app will use the email of the user to match the user from the oidc userinfo endpoint with the ownCloud account. So make sure your users have a unique primary email. - -## Next steps - -Aside from the above todos these are the next steps -- tie it all together behind `ocis-proxy` -- create an `ocis bridge` command that runs all the ocis services in one step with a properly preconfigured idp OIDC client `ocis-idp` for `ownCloud Web` and the owncloud 10 `openidconnect` app, as well as a randomized `--signing-kid`. 
diff --git a/docs/ocis/deployment/continuous_deployment.md b/docs/ocis/deployment/continuous_deployment.md
deleted file mode 100644
index b146f8947c..0000000000
--- a/docs/ocis/deployment/continuous_deployment.md
+++ /dev/null
@@ -1,113 +0,0 @@ ---- -title: "Continuous Deployment" -date: 2020-10-12T14:04:00+01:00 -weight: 10 -geekdocRepo: https://github.com/owncloud/ocis -geekdocEditPath: edit/master/docs/ocis/deployment -geekdocFilePath: continuous_deployment.md ---- - -{{< toc >}} - -We are continuously deploying the following deployment examples. Every example is deployed in two flavors: - -- Master: reflects the current master branch state of oCIS and will be updated with every commit to master -- Rolling: reflects the latest rolling release of oCIS and will be updated with every rolling release -- Production: reflects the latest production release of oCIS and will be updated with every production release - -The configuration for the continuous deployment can be found in the [oCIS repository](https://github.com/owncloud/ocis/tree/master/deployments/continuous-deployment-config). - -# oCIS with Web Office - -This deployment is based on our modular [ocis_full Example](ocis_full.md) and uses the default configuration with Collabora Online as the office suite, traefik reverse proxy, cloudimporter and the inbucket mail catching server to showcase the full feature set of oCIS. - -Credentials: - -- oCIS: see [default demo users]({{< ref "../getting-started#login-to-owncloud-web" >}}) - -## Master - -- oCIS: [ocis.ocis.master.owncloud.works](https://ocis.ocis.master.owncloud.works) -- Mail: [mail.ocis.master.owncloud.works](https://mail.ocis.master.owncloud.works) - -## Rolling Release - -- oCIS: [ocis.ocis.rolling.owncloud.works](https://ocis.ocis.rolling.owncloud.works) -- Mail: [mail.ocis.rolling.owncloud.works](https://mail.ocis.rolling.owncloud.works) - -## Production Release - -- oCIS: [ocis.ocis.production.owncloud.works](https://ocis.ocis.production.owncloud.works) -- Mail: [mail.ocis.production.owncloud.works](https://mail.ocis.production.owncloud.works) - -## Master with OnlyOffice - -This example is using OnlyOffice as the office suite. 
- -- oCIS: [ocis.ocis-onlyoffice.master.owncloud.works](https://ocis.ocis-onlyoffice.master.owncloud.works) - -## Rolling Release with OnlyOffice - -This example is using OnlyOffice as the office suite. - -- oCIS: [ocis.ocis-onlyoffice.rolling.owncloud.works](https://ocis.ocis-onlyoffice.rolling.owncloud.works) - -# oCIS and ownCloud Web with both most recent development versions - -Credentials: - -- oCIS: see [default demo users]({{< ref "../getting-started#login-to-owncloud-web" >}}) - -## Master branches - -- oCIS: [ocis.ocis-web.master.owncloud.works](https://ocis.ocis-web.master.owncloud.works) - -# oCIS with Keycloak - -Credentials: - -- oCIS: see [default demo users]({{< ref "../getting-started#login-to-owncloud-web" >}}) -- Keycloak: - - username: admin - - password: admin - -## Rolling Release - -- oCIS: [ocis.ocis-keycloak.rolling.owncloud.works](https://ocis.ocis-keycloak.rolling.owncloud.works) -- Keycloak admin access: [keycloak.ocis-keycloak.rolling.owncloud.works](https://keycloak.ocis-keycloak.rolling.owncloud.works) -- Keycloak account management: [keycloak.ocis-keycloak.rolling.owncloud.works/realms/oCIS/account/#/](https://keycloak.ocis-keycloak.rolling.owncloud.works/realms/oCIS/account/#/) - - -# oCIS with S3 storage backend (MinIO) - -This deployment is based on our modular [ocis_full Example](ocis_full.md), see the [oCIS with Web Office](#ocis-with-web-office) description for the feature set. In addition to that, we deployed a MinIO S3 storage backend. oCIS stores the data in the S3 server and the metadata on the local disk by using the `s3ng` storage driver. - -The MinIO server provides a powerful Web UI for browser-based access to the storage which makes it possible to manage the data stored in the S3 server and understand how different policies and configurations affect the data. 
- -Credentials: - -- oCIS: see [default demo users]({{< ref "../getting-started/demo-users/" >}}) -- MinIO: - - access key: ocis - - secret access key: ocis-secret-key - -## Rolling Release - -- oCIS: [ocis.ocis-s3.rolling.owncloud.works](https://ocis.ocis-s3.rolling.owncloud.works) -- MinIO: [minio.ocis-s3.rolling.owncloud.works](https://minio.ocis-s3.rolling.owncloud.works) -- Mail: [mail.ocis-s3.rolling.owncloud.works](https://mail.ocis-s3.rolling.owncloud.works) - -# oCIS with LDAP for users and groups - -Credentials: - -- oCIS: see [default demo users]({{< ref "../getting-started/demo-users/" >}}) -- LDAP admin: - - username: cn=admin,dc=owncloud,dc=com - - password: admin - -## Rolling Release - -- oCIS: [ocis.ocis-ldap.rolling.owncloud.works](https://ocis.ocis-ldap.rolling.owncloud.works) -- LDAP admin: [ldap.ocis-ldap.rolling.owncloud.works](https://ldap.ocis-ldap.rolling.owncloud.works) - diff --git a/docs/ocis/deployment/kubernetes.md b/docs/ocis/deployment/kubernetes.md deleted file mode 100644 index 4d2b9d7d7b..0000000000 --- a/docs/ocis/deployment/kubernetes.md +++ /dev/null 
@@ -1,73 +0,0 @@ ---- -title: "Kubernetes" -date: 2021-09-23T11:04:00+01:00 -weight: 25 -geekdocRepo: https://github.com/owncloud/ocis -geekdocEditPath: edit/master/docs/ocis/deployment -geekdocFilePath: kubernetes.md ---- - -{{< toc >}} - -## What is Kubernetes - -Formally described as: - -> Kubernetes is a portable, extensible, open-source platform for managing containerized workloads and services, that facilitates both declarative configuration and automation. - -_[source](https://kubernetes.io/docs/concepts/overview/what-is-kubernetes/)_ - -Without getting too deep in definitions, and for the purpose of compactness, Kubernetes can be summarized as a way of managing containers that run applications to ensure that there is no downtime and an optimal usage of resources. It provides with a framework in which to run distributed systems. - -Kubernetes provides you with: -- **Service discovery and load balancing**: Kubernetes can expose a container using the DNS name or using their own IP address. If traffic to a container is high, Kubernetes is able to load balance and distribute the network traffic so that the deployment is stable. -- **Storage orchestration**: Kubernetes allows you to automatically mount a storage system of your choice, such as local storages, public cloud providers, and more. -- **Automated rollouts and rollbacks**: You can describe the desired state for your deployed containers using Kubernetes, and it can change the actual state to the desired state at a controlled rate. For example, you can automate Kubernetes to create new containers for your deployment, remove existing containers and adopt all their resources to the new container. -- **Automatic bin packing**: You provide Kubernetes with a cluster of nodes that it can use to run containerized tasks. You tell Kubernetes how much CPU and memory (RAM) each container needs. Kubernetes can fit containers onto your nodes to make the best use of your resources. 
-- **Self-healing**: Kubernetes restarts containers that fail, replaces containers, kills containers that don't respond to your user-defined health check, and doesn't advertise them to clients until they are ready to serve. -- **Secret and configuration management**: Kubernetes lets you store and manage sensitive information, such as passwords, OAuth tokens, and SSH keys. You can deploy and update secrets and application configuration without rebuilding your container images, and without exposing secrets in your stack configuration. - -_[extracted from k8s docs](https://kubernetes.io/docs/concepts/overview/what-is-kubernetes/#why-you-need-kubernetes-and-what-can-it-do)_ - -If that is still too abstract, [here is an ELI5 writeup](https://dev.to/miguelmota/comment/filh). - -### References and further reads - -- [Marcel Wunderlich's](https://github.com/Deaddy) [4 series articles](http://deaddy.net/introduction-to-kubernetes-pt-1.html) on Kubernetes clarifying its declarative nature, deep diving into ingress networking, storage and monitoring. - -### How does oCIS fit in the Kubernetes model - -oCIS was designed with running on Kubernetes in mind. We set up to adopt the [Twelve-Factor App](https://12factor.net/) principles regarding configuration, with almost every aspect of oCIS being modifiable via environment variables. This comes in handy when you especially have a look at how a helm chart's (we will introduce this concept shortly) [list of values](https://github.com/owncloud/ocis-charts/blob/d8735e3222d2050504303851d3461909c86fcc89/ocis/values.yaml) looks like. - -## What is Minikube - -[Minikube](https://minikube.sigs.k8s.io/docs/) lets you run a Kubernetes cluster locally. It is the most approachable way to test a deployment. It requires no extra configuration on any cloud platform, as everything runs on your local machine. For the purpose of these docs, this is the first approach we chose to run oCIS and will develop on how to set it up. 
- -## What is `kubectl` - -[kubectl](https://kubernetes.io/docs/tasks/tools/) is the command-line tool for Kubernetes. It allows users to run commands against a k8s cluster the user has access to. It supports for having multiple contexts for as many clusters as you have access to. In these docs we will setup 2 contexts, a minikube and a GCP context. - -## What are Helm Charts, and why they are useful for oCIS - -[Helm](https://helm.sh/) is the equivalent of a package manager for Kubernetes. It can be described as a layer on top of how you would write pods, deployments or any other k8s resource declaration. - -### Installing Helm - -[Follow the official installation guide](https://helm.sh/docs/intro/install/). - -## Setting up Minikube - -For a guide on how to set minikube up follow the [official minikube start guide](https://minikube.sigs.k8s.io/docs/start/) for your specific OS. - -## oCIS charts - -We have not yet published the oCIS Helm charts, therefore you need to clone the git repository manually. It currently also does not support to be run on Kind or Minikube clusters. For known issues and planned features, please have a look at the [GitHub issue tracker](https://github.com/owncloud/ocis-charts/issues). - -Configuration options are described [here](https://github.com/owncloud/ocis-charts/tree/master/charts/ocis#configuration). - -### Run oCIS - -1. clone the charts: `git clone https://github.com/owncloud/ocis-charts.git /var/tmp/ocis-charts` -2. cd into the charts root: `cd /var/tmp/ocis-charts/charts/ocis` -3. install the package: `helm install ocis .` (you need to set configuration values in almost all cases) -4. verify the application is running in the cluster: `kubectl get pods` diff --git a/docs/ocis/deployment/monitoring-tracing.md b/docs/ocis/deployment/monitoring-tracing.md deleted file mode 100644 index 83c6241e24..0000000000 --- a/docs/ocis/deployment/monitoring-tracing.md +++ /dev/null 
@@ -1,42 +0,0 @@ ---- -title: "Monitoring & Tracing" -date: 2020-02-27T20:35:00+01:00 -weight: 10 -geekdocRepo: https://github.com/owncloud/ocis -geekdocEditPath: edit/master/docs/ocis/deployment -geekdocFilePath: monitoring-tracing.md ---- - -{{< toc >}} - -Monitoring and tracing gives developers and admin insights into a complex system, in this case oCIS. - -If you are a developer and want to trace during developing you should have a look at [example server setup]({{< ref "../development/tracing" >}}). - -This documentation describes how to set up a long-running monitoring & tracing infrastructure for one or multiple oCIS servers or deployments. After reading this guide, you also should know everything needed to integrate oCIS into your existing monitoring and tracing infrastructure. - -# Overview about the proposed solution - -{{< figure src="/ocis/static/monitoring_tracing_overview.drawio.svg" >}} - -## Monitoring & tracing clients - -We assume that you already have oCIS deployed on one or multiple servers by using our deployment examples (see rectangle on the left). On these servers our monitoring & tracing clients, namely Telegraf and Jaeger agent, need to be added. - -Telegraf will collect host metrics (CPU, RAM, network, processes, ...) and docker metrics (per container CPU, RAM, network, ...). Telegraf is also configured to scrape metrics from Prometheus metric endpoints which oCIS exposes, this is done by the Prometheus input plugin . The metrics from oCIS and all other metrics gathered will be exposed with the Prometheus output plugin and can therefore be scraped by our monitoring & tracing server. - -Jaeger agent is being configured as target for traces in oCIS. It then will receive traces from all oCIS services, add some process tags to them and forward them to our Jaeger collector on our monitoring & tracing server. 
- -For more information and how to deploy it, see [monitoring & tracing client](https://github.com/owncloud-devops/monitoring-tracing-client). - -## Monitoring & tracing server - -A live version of the monitoring and tracing server for our demo instances is available here: [Grafana](https://grafana.infra.owncloud.works), [Prometheus](https://prometheus.infra.owncloud.works) and [Jaeger Query](https://jaeger.infra.owncloud.works). - -The monitoring & tracing server is considered as shared infrastructure and is normally used for different services. This means that oCIS is not the only software whose metrics and traces are available on the monitoring server. It is also possible that data of multiple oCIS instances are available on the monitoring server. - -Metrics are scraped, stored and can be queried with Prometheus. For the visualization of these metrics Grafana is used. Because Prometheus is scraping the metrics from the oCIS server (pull model instead of a push model), the Prometheus server must have access to the exposed endpoint of the Telegraf Prometheus output plugin. - -Jaeger collector receives traces sent by the Jaeger agent on the oCIS servers and persists them in ElasticSearch. From there the user can query and visualize the traces in Jaeger query or in Grafana. Because Jaeger agent is actively sending traces to the monitoring & tracing server, the server must be reachable from the oCIS server. - -For more information and how to deploy it, see [monitoring & tracing server](https://github.com/owncloud-devops/monitoring-tracing-server). diff --git a/docs/ocis/deployment/oc10_ocis_parallel.md b/docs/ocis/deployment/oc10_ocis_parallel.md deleted file mode 100644 index af5e3f2fc1..0000000000 --- a/docs/ocis/deployment/oc10_ocis_parallel.md +++ /dev/null 
@@ -1,168 +0,0 @@ ---- -title: "Parallel deployment of oC10 and oCIS" -date: 2020-10-12T14:04:00+01:00 -weight: 24 -geekdocRepo: https://github.com/owncloud/ocis -geekdocEditPath: edit/master/docs/ocis/deployment -geekdocFilePath: oc10_ocis_parallel.md ---- - -{{< toc >}} - -## Overview - -- This setup reflects [stage 6 of the oC10 to oCIS migration plan]({{< ref "migration#stage-6-parallel-deployment" >}}) -- Traefik generating self-signed certificates for local setup or obtaining valid SSL certificates for a server setup -- OpenLDAP server with demo users -- LDAP admin interface to edit users -- Keycloak as OpenID Connect provider in federation with the LDAP server -- ownCloud 10 with MariaDB and Redis - - ownCloud 10 is configured to synchronize users from the LDAP server - - ownCloud 10 is used to use OpenID Connect for authentication with Keycloak -- oCIS running behind Traefik as reverse proxy - - oCIS is using the ownCloudSQL storage driver on the same files and same database as ownCloud 10 - - oCIS is using Keycloak as OpenID Connect provider - - oCIS is using the LDAP server as user backend -- All requests to both oCIS and oC10 are routed through the oCIS proxy and will be routed based on an OIDC claim to one of them. Therefore admins can change on a user basis in the LDAP which backend is used. 
- -[Find this example on GitHub](https://github.com/owncloud/ocis/tree/master/deployments/examples/oc10_ocis_parallel) - -## Server Deployment - -### Requirements - -- Linux server with docker and docker-compose installed -- four domains set up and pointing to your server - - cloud.\* for serving oCIS - - keycloak.\* for serving Keycloak - - ldap .\* for serving the LDAP management UI - - traefik.\* for serving the Traefik dashboard - -See also [example server setup]({{< ref "preparing_server" >}}) - -### Install this example - -- Clone oCIS repository - - `git clone https://github.com/owncloud/ocis.git` - -- Go to the deployment example - - `cd ocis/deployment/examples/oc10_ocis_parallel` - -- Open the `.env` file in a text editor - The file by default looks like this: - - ```bash - # If you're on a internet facing server please comment out following line. - # It skips certificate validation for various parts of oCIS and is needed if you use self signed certificates. - INSECURE=true - - ### Traefik settings ### - TRAEFIK_LOG_LEVEL= - # Serve Traefik dashboard. Defaults to "false". - TRAEFIK_DASHBOARD= - # Domain of Traefik, where you can find the dashboard. Defaults to "traefik.owncloud.test" - TRAEFIK_DOMAIN= - # Basic authentication for the dashboard. Defaults to user "admin" and password "admin" - TRAEFIK_BASIC_AUTH_USERS= - # Email address for obtaining LetsEncrypt certificates, needs only be changed if this is a public facing server - TRAEFIK_ACME_MAIL= - - ### shared oCIS / oC10 settings ### - # Domain of oCIS / oC10, where you can find the frontend. Defaults to "cloud.owncloud.test" - CLOUD_DOMAIN= - - ### oCIS settings ### - # oCIS version. Defaults to "latest" - OC_DOCKER_TAG= - # JWT secret which is used for the storage provider. Must be changed in order to have a secure oCIS. Defaults to "Pive-Fumkiu4" - OC_JWT_SECRET= - # JWT secret which is used for uploads to create transfer tokens. Must be changed in order to have a secure oCIS. 
Defaults to "replace-me-with-a-transfer-secret" - STORAGE_TRANSFER_SECRET= - # Machine auth api key secret. Must be changed in order to have a secure oCIS. Defaults to "change-me-please" - OC_MACHINE_AUTH_API_KEY= - - ### oCIS settings ### - # oC10 version. Defaults to "latest" - OC10_DOCKER_TAG= - # client secret which the openidconnect app uses to authenticate to Keycloak. Defaults to "oc10-oidc-secret" - OC10_OIDC_CLIENT_SECRET= - # app which will be shown when opening the ownCloud 10 UI. Defaults to "files" but also could be set to "web" - OWNCLOUD_DEFAULT_APP= - # if set to "false" (default) links will be opened in the classic UI, if set to "true" ownCloud Web is used - OWNCLOUD_WEB_REWRITE_LINKS= - - ### LDAP settings ### - # password for the LDAP admin user "cn=admin,dc=owncloud,dc=com", defaults to "admin" - LDAP_ADMIN_PASSWORD= - # Domain of the LDAP management frontend. Defaults to "ldap.owncloud.test" - LDAP_MANAGER_DOMAIN= - - ### Keycloak ### - # Domain of Keycloak, where you can find the management and authentication frontend. Defaults to "keycloak.owncloud.test" - KEYCLOAK_DOMAIN= - # Realm which to be used with oC10 and oCIS. Defaults to "owncloud" - KEYCLOAK_REALM= - # Admin user login name. Defaults to "admin" - KEYCLOAK_ADMIN_USER= - # Admin user login password. Defaults to "admin" - KEYCLOAK_ADMIN_PASSWORD= - ``` - - You are installing oCIS on a server and Traefik will obtain valid certificates for you so please remove `INSECURE=true` or set it to `false`. - - If you want to use the Traefik dashboard, set TRAEFIK_DASHBOARD to `true` (default is `false` and therefore not active). If you activate it, you must set a domain for the Traefik dashboard in `TRAEFIK_DOMAIN=` e.g. `TRAEFIK_DOMAIN=traefik.owncloud.test`. - - The Traefik dashboard is secured by basic auth. Default credentials are the user `admin` with the password `admin`. To set your own credentials, generate a htpasswd (e.g. 
by using [an online tool](https://htpasswdgenerator.de/) or a cli tool). - - Traefik will issue certificates with LetsEncrypt and therefore you must set an email address in `TRAEFIK_ACME_MAIL=`. - - By default oCIS will be started in the `latest` version. If you want to start a specific version of oCIS set the version to `OC_DOCKER_TAG=`. Available versions can be found on [Docker Hub](https://hub.docker.com/r/owncloud/ocis/tags?page=1&ordering=last_updated). - - Set your domain for the oC10 and oCIS frontend in `CLOUD_DOMAIN=`, e.g. `CLOUD_DOMAIN=cloud.owncloud.test`. - - By default ownCloud 10 will be started in the `latest` version. If you want to start a specific version of oCIS set the version to `OC10_DOCKER_TAG=`. Available versions can be found on [Docker Hub](https://hub.docker.com/r/owncloud/ocis/tags?page=1&ordering=last_updated). - - You can switch the default application of ownCloud 10 by setting`OWNCLOUD_DEFAULT_APP=files` in oder to have the classic UI as frontend, which is also the default. If you prefer ownCloud Web as the default application in ownCloud 10 just set `OWNCLOUD_DEFAULT_APP=web`. - - In oder to change the default link open action which defaults to the classic UI (`OWNCLOUD_WEB_REWRITE_LINKS=false`) you can set it to `OWNCLOUD_WEB_REWRITE_LINKS=true`. This will lead to links being opened in ownCloud Web. - - The OpenLDAP server in this example deployment has an admin users, which is also used as bind user in order to keep these examples simple. You can change the default password "admin" to a different one by setting it to `LDAP_ADMIN_PASSWORD=...`. - - Set your domain for the LDAP manager UI in `LDAP_MANAGER_DOMAIN=`, e.g. `ldap.owncloud.test`. - - Set your domain for the Keycloak administration panel and authentication endpoints to `KEYCLOAK_DOMAIN=` e.g. `KEYCLOAK_DOMAIN=keycloak.owncloud.test`. - - Changing the used Keycloak realm can be done by setting `KEYCLOAK_REALM=`. 
This defaults to the ownCloud realm `KEYCLOAK_REALM=owncloud`. The ownCloud realm will be automatically imported on startup and includes our demo users. - - You probably should secure your Keycloak admin account by setting `KEYCLOAK_ADMIN_USER=` and `KEYCLOAK_ADMIN_PASSWORD=` to values other than `admin`. - - Now you have configured everything and can save the file. - -- Start the docker stack - - `docker-compose up -d` - -- You now can visit the cloud, oC10 or oCIS depending on the user configuration. Marie defaults to oC10 and Richard and Einstein default to oCIS, but you can change the ownCloud selector at any time in the LDAP management UI. - -## Local setup - -For a more simple local ocis setup see [Getting started]({{< ref "../getting-started" >}}) - -This docker stack can also be run locally. One downside is that Traefik can not obtain valid SSL certificates and therefore will create self-signed ones. This means that your browser will show scary warnings. Another downside is that you can not point DNS entries to your localhost. So you have to add static host entries to your computer. - -On Linux and macOS you can add them to your `/etc/hosts` file and on Windows to `C:\Windows\System32\Drivers\etc\hosts` file like this: - -``` -127.0.0.1 cloud.owncloud.test -127.0.0.1 keycloak.owncloud.test -127.0.0.1 ldap.owncloud.test -127.0.0.1 traefik.owncloud.test -``` - -After that you're ready to start the application stack: - -`docker-compose up -d` - -You now can visit the cloud, oC10 or oCIS depending on the user configuration. Marie defaults to oC10 and Richard and Einstein default to oCIS, but you can change the ownCloud selector at any time in the LDAP management UI. diff --git a/docs/ocis/deployment/ocis_and_wopi_drawio.svg b/docs/ocis/deployment/ocis_and_wopi_drawio.svg deleted file mode 100644 index 1e1ac8008c..0000000000 --- a/docs/ocis/deployment/ocis_and_wopi_drawio.svg +++ /dev/null @@ -1,4 +0,0 @@ - - - -
cs3api
cs3api
app registry
app registry
/app/list
/app/open
/app/list...
cs3api
/listapps
/openapp
cs3api...
frontend
frontend
cs3api
/registerapp
cs3api...
GET /hosting/discovery 
GET /hosting/discovery 
/iop/open...
/iop/open...
app provider
(per web office)
app provider...
graph
webdav
ocs
graph...
/space1/foo.docx
/space1/foo.docx
User
User
/space2/bar.docx
/space2/bar.docx
fileid c
fileid c
Web Office
Web Office
Web Office
Web Office
Web Office
Web Office
cs3org/wopiserver
cs3org/wopiserver
cs3org/wopiserver
cs3org/wopiserver
wopi
wopi
fileid a
fileid a
fileid b
fileid b
User
User
Collabora:
for collaborative edit sessions
a sticky route by fileid
(from wopiSrc) is needed

OnlyOffice:
automatic handling
Collabora:...
inter services communication
inter services communication
all outside communication via the proxy service (api gateway)
all outside communication via the proxy service (api gat...
1
1
2
2
8
8
9
9
6
6
4
4
3
3
7
7
19
19
20
20
13
13
11
11
10
10
12
12
17
17
15
15
18
18
14
14
16
16
21
21
5
5
office application
office application
https://office-application.owncloud.test
https://office-application.owncloud....
https://ocis.owncloud.test
https://ocis.owncloud.test
wopi server
wopi server
ocis
ocis
reverse proxy
reverse proxy
User
User
wopi -> general.wopiurl
address an office application can reach the wopi server
wopi -> general.wopiurl...
reverse proxy
reverse proxy
https://wopiserver.owncloud.test
https://wopiserver.owncloud.test
APP_PROVIDER_DRIVER: wopi
  # for display purposes only
  APP_PROVIDER_WOPI_APP_NAME: Office-Application
  # address of the office application server
  APP_PROVIDER_WOPI_APP_URL: https://office-application.owncloud.test
  # where can the app provider reach the wopiserver
  APP_PROVIDER_WOPI_WOPI_SERVER_EXTERNAL_URL: https://wopiserver.owncloud.test
  #  the base URL to access ocis (global OC_URL, or overwritten by the below)
  APP_PROVIDER_WOPI_FOLDER_URL_BASE_URL: https://ocis.owncloud.test
APP_PROVIDER_DRIVER: wopi...
wopi -> ocis_wopi/config/wopiserver/wopiserver.conf.dist
wopi -> ocis_wopi/config/wopiserver/wopiserver.conf.dist
a. Open oC web
b. List space
c. Select file
d. Open selected file via office app
e. oC Web opens office url with token in an iframe
a. Open oC web...
a. load:    /app/list => display available office apps
a+b+c                   => obtain file id
e. call:     /app/open
    return: office url to open:
a. load:    /app/list => display available of...
https://office-application.owncloud.test/xyz?
wopiSrc=https://wopiserver.owncloud.test/wopi/xxx/file-id-123

Token management is for security reasons not part of the URL
https://office-application.owncloud.test/xyz?wopiSrc=https:...
reverse proxy
reverse proxy
wopi -> cs3.revagateway
(cs3 api gateway)
wopi -> cs3.revagateway...
Text is not SVG - cannot display
\ No newline at end of file
diff --git a/docs/ocis/deployment/ocis_full.md b/docs/ocis/deployment/ocis_full.md
deleted file mode 100644
index 88b4851d6d..0000000000
--- a/docs/ocis/deployment/ocis_full.md
+++ /dev/null
@@ -1,415 +0,0 @@ ---- -title: "Full modular oCIS with WebOffice" -date: 2024-06-25T00:00:00+01:00 -weight: 24 -geekdocRepo: https://github.com/owncloud/ocis -geekdocEditPath: edit/master/docs/ocis/deployment -geekdocFilePath: opencloud_full.md ---- - -{{< toc >}} - -## Overview - -* oCIS, the collaboration service, Collabora or OnlyOffice running behind Traefik as reverse proxy -* Collabora or OnlyOffice enable you to edit office documents in your browser -* The collaboration server acts as a bridge to make the oCIS storage accessible to Collabora and OnlyOffice -* Traefik generating self-signed certificates for local setup or obtaining valid SSL certificates for a server setup -* The whole deployment acts as a modular toolkit to use different flavors of office suites and ocis features - -[Find this example on GitHub](https://github.com/owncloud/ocis/tree/master/deployments/examples/ocis_full) - -## Easy Default - -The Infinite Scale Team and product management are providing a default setup for oCIS. - -### Goal: - - provide a good starting point for a production deployment - - minimal effort to get started with an opinionated setup - - keep it adjustable it to your needs. - -### Default Components - -- Infinite Scale -- Full Text Search -- Collabora Online Web Office -- Prepared for LetsEncrypt SSL certificates via Traefik Reverse Proxy - -### Optional Components - -- ClamAV Virusscanner -- Cloud Importer (Experimental) -- OnlyOffice as an alternative to Collabora -- S3 Storage config to connect to an S3 storage backend -- S3 Minio Server as a local S3 storage backend for debugging and development - -### Important Note - -If you deviate from the configuration setup and let the `collaboration` service run in its own container, you MUST -ensure the ocis configuration is shared as shown in the example deployment. This is because secrets generated -must be accessible for all services. 
- -## Server Deployment - -### Requirements - -* Linux server with docker and docker-compose installed -* Three domains set up and pointing to your server - * ocis.* for serving oCIS - * collabora.* for serving Collabora - * onlyoffice.* for serving OnlyOffice - * wopiserver.* for serving the WOPI server - * traefik.* for serving the Traefik dashboard - * companion.* for serving the uppy companion app - -See also [example server setup]({{< ref "preparing_server" >}}) - -### Install oCIS and Traefik - -* Clone oCIS repository - - `git clone https://github.com/owncloud/ocis.git --depth 1` - -* Go to the deployment example - - `cd ocis/deployments/examples/ocis_full` - -* Open the `.env` file in a text editor. - - The file by default looks like this: - - ```shell {linenos=table,hl_lines=[8,24,48,50,135,138]} - ## Basic Settings ## - # Define the docker compose log driver used. - # Defaults to local - LOG_DRIVER= - # If you're on an internet facing server, comment out following line. - # It skips certificate validation for various parts of Infinite Scale and is - # needed when self signed certificates are used. - INSECURE=true - - - ## Traefik Settings ## - # Note: Traefik is always enabled and can't be disabled. - # Serve Traefik dashboard. - # Defaults to "false". - TRAEFIK_DASHBOARD= - # Domain of Traefik, where you can find the dashboard. - # Defaults to "traefik.owncloud.test" - TRAEFIK_DOMAIN= - # Basic authentication for the traefik dashboard. - # Defaults to user "admin" and password "admin" (written as: "admin:admin"). - TRAEFIK_BASIC_AUTH_USERS= - # Email address for obtaining LetsEncrypt certificates. - # Needs only be changed if this is a public facing server. - TRAEFIK_ACME_MAIL= - # Set to the following for testing to check the certificate process: - # "https://acme-staging-v02.api.letsencrypt.org/directory" - # With staging configured, there will be an SSL error in the browser. 
- # When certificates are displayed and are emitted by # "Fake LE Intermediate X1", - # the process went well and the envvar can be reset to empty to get valid certificates. - TRAEFIK_ACME_CASERVER= - - - ## Infinite Scale Settings ## - # Beside Traefik, this service must stay enabled. - # Disable only for testing purposes. - # Note: the leading colon is required to enable the service. - OCIS=:ocis.yml - # The oCIS container image. - # For production releases: "owncloud/ocis" - # For rolling releases: "owncloud/ocis-rolling" - # Defaults to production if not set otherwise - OC_DOCKER_IMAGE=owncloud/ocis-rolling - # The oCIS container version. - # Defaults to "latest" and points to the latest stable tag. - OC_DOCKER_TAG= - # Domain of oCIS, where you can find the frontend. - # Defaults to "ocis.owncloud.test" - OC_DOMAIN= - # oCIS admin user password. Defaults to "admin". - ADMIN_PASSWORD= - # Demo users should not be created on a production instance, - # because their passwords are public. Defaults to "false". - # Also see: https://doc.owncloud.com/ocis/latest/deployment/general/general-info.html#demo-users-and-groups - DEMO_USERS= - # Define the oCIS loglevel used. - # For more details see: - # https://doc.owncloud.com/ocis/latest/deployment/services/env-vars-special-scope.html - LOG_LEVEL= - # Define the kind of logging. - # The default log can be read by machines. - # Set this to true to make the log human readable. - # LOG_PRETTY=true - # - # Define the oCIS storage location. Set the paths for config and data to a local path. - # Note that especially the data directory can grow big. - # Leaving it default stores data in docker internal volumes. - # For more details see: - # https://doc.owncloud.com/ocis/next/deployment/general/general-info.html#default-paths - # OC_CONFIG_DIR=/your/local/ocis/config - # OC_DATA_DIR=/your/local/ocis/data - - # S3 Storage configuration - optional - # Infinite Scale supports S3 storage as primary storage. 
- # Per default, S3 storage is disabled and the local filesystem is used. - # To enable S3 storage, uncomment the following line and configure the S3 storage. - # For more details see: - # https://doc.owncloud.com/ocis/next/deployment/storage/s3.html - # Note: the leading colon is required to enable the service. - #S3NG=:s3ng.yml - # Configure the S3 storage endpoint. Defaults to "http://minio:9000" for testing purposes. - S3NG_ENDPOINT= - # S3 region. Defaults to "default". - S3NG_REGION= - # S3 access key. Defaults to "ocis" - S3NG_ACCESS_KEY= - # S3 secret. Defaults to "ocis-secret-key" - S3NG_SECRET_KEY= - # S3 bucket. Defaults to "ocis" - S3NG_BUCKET= - # - # For testing purposes, add local minio S3 storage to the docker-compose file. - # The leading colon is required to enable the service. - #S3NG_MINIO=:minio.yml - # Minio domain. Defaults to "minio.owncloud.test". - MINIO_DOMAIN= - - # Define SMPT settings if you would like to send Infinite Scale email notifications. - # For more details see: - # https://doc.owncloud.com/ocis/latest/deployment/services/s-list/notifications.html - # NOTE: when configuring Inbucket, these settings have no effect, see inbucket.yml for details. - # SMTP host to connect to. - SMTP_HOST= - # Port of the SMTP host to connect to. - SMTP_PORT= - # An eMail address that is used for sending Infinite Scale notification eMails - # like "ocis notifications ". - SMTP_SENDER= - # Username for the SMTP host to connect to. - SMTP_USERNAME= - # Password for the SMTP host to connect to. - SMTP_PASSWORD= - # Authentication method for the SMTP communication. - SMTP_AUTHENTICATION= - # Allow insecure connections to the SMTP server. Defaults to false. - SMTP_INSECURE= - - - ## Default Enabled Services ## - - ### Apache Tika Content Analysis Toolkit ### - # Tika (search) is enabled by default, comment if not required. - # Note: the leading colon is required to enable the service. - TIKA=:tika.yml - # Set the desired docker image tag or digest. 
- # Defaults to "latest" - TIKA_IMAGE= - - - ### Collabora Settings ### - # Collabora web office is default enabled, comment if not required. - # Note: the leading colon is required to enable the service. - COLLABORA=:collabora.yml - # Domain of Collabora, where you can find the frontend. - # Defaults to "collabora.owncloud.test" - COLLABORA_DOMAIN= - # Domain of the wopiserver which handles OnlyOffice. - # Defaults to "wopiserver.owncloud.test" - WOPISERVER_DOMAIN= - # Admin user for Collabora. - # Defaults to "admin". - # Collabora Admin Panel URL: - # https://{COLLABORA_DOMAIN}/browser/dist/admin/admin.html - COLLABORA_ADMIN_USER= - # Admin password for Collabora. - # Defaults to "admin". - COLLABORA_ADMIN_PASSWORD= - # Set to true to enable SSL for Collabora Online. Default is true if not specified. - COLLABORA_SSL_ENABLE=false - # If you're on an internet-facing server, enable SSL verification for Collabora Online. - # Please comment out the following line: - COLLABORA_SSL_VERIFICATION=false - ... - ``` - #### Reverse Proxy and SSL - - {{< hint type=important >}} - **Domains and SSL**\ - Though it may sound strange, most of the setups are failing due to a misconfiguration regarding domains and SSL. Please make sure that you have set up the domains correctly and that they are pointing to your server. Also, make sure that you have set up the email address for the LetsEncrypt certificates in `TRAEFIK_ACME_MAIL=`. - {{< /hint >}} - - You are installing oCIS on a server and Traefik will obtain valid certificates for you so please remove `INSECURE=true` or set it to `false`. - - Traefik will issue certificates with LetsEncrypt and therefore you must set an email address in `TRAEFIK_ACME_MAIL=`. - - #### Infinite Scale Release and Version - By default oCIS will be started in the `latest` rolling version. Please note that this deployment does currently not work with the 5.x productions releases. 
- The oCIS "collaboration" service, which is required by this deployment, is not part of the 5.x releases. - - If you want to use a specific version of oCIS, set the version to a dedicated tag like `OC_DOCKER_TAG=6.3.0`. The minimal required oCIS Version to run this deployment is 6.3.0. Available production versions can be found on [Docker Hub Production](https://hub.docker.com/r/owncloud/ocis/tags?page=1&ordering=last_updated) and available rolling releases can be found on [Docker Hub Rolling](https://hub.docker.com/r/owncloud/ocis-rolling/tags?page=1&ordering=last_updated) - - {{< hint type=info title="oCIS Releases" >}} - You can read more about the different oCIS releases in the [oCIS Release Lifecycle](../release_roadmap.md). - {{< /hint >}} - - Set your domain for the oCIS frontend in `OC_DOMAIN=`, e.g. `OC_DOMAIN=ocis.owncloud.test`. - - Set the initial admin user password in `ADMIN_PASSWORD=`, it defaults to `admin`. - - Web Office needs a public domain for the WOPI server to be set in `WOPISERVER_DOMAIN=`, where the office suite can work on the files via the WOPI protocol. - - Now it's time to set up Collabora and you need to configure the domain of Collabora in `COLLABORA_DOMAIN=`. - - If you want to use the Collabora admin panel you need to set the username and password for the administrator in `COLLABORA_ADMIN_USER=` and `COLLABORA_ADMIN_PASSWORD=`. - -* Start the docker stack - - `docker-compose up -d` - -* You now can visit oCIS and are able to open an office document in your browser. You may need to wait some minutes until all services are fully ready, so make sure that you try to reload the pages from time to time. - -## Local Setup - -This docker stack can also be run locally. One downside is that Traefik can not obtain valid SSL certificates and therefore will create self-signed ones. This means that your browser will show scary warnings. Another downside is that you can not point DNS entries to your localhost. 
So you have to add static host entries to your computer. - -On Linux and macOS you can add them to your `/etc/hosts` file and on Windows to `C:\Windows\System32\Drivers\etc\hosts` file like this: - -``` -127.0.0.1 ocis.owncloud.test -127.0.0.1 traefik.owncloud.test -127.0.0.1 collabora.owncloud.test -127.0.0.1 onlyoffice.owncloud.test -127.0.0.1 wopiserver.owncloud.test -127.0.0.1 mail.owncloud.test -127.0.0.1 companion.owncloud.test -127.0.0.1 minio.owncloud.test -``` - -After that, you're ready to start the application stack: - -`docker-compose pull && docker-compose up -d` - -Open https://collabora.owncloud.test in your browser and accept the invalid certificate warning. - -Open https://ocis.owncloud.test in your browser and accept the invalid certificate warning. You are now able to open an office document in your browser. You may need to wait some minutes until all services are fully ready, so make sure that you try to reload the pages from time to time. - -## Additional services - -### Clamav Virusscanner - -You can add a Clamav Virusscanner to the stack. The service is disabled by default. To enable it, uncomment the `CLAMAV` line in the `.env` file. - -```shell {linenos=table,hl_lines=[3]} -## Clamav Settings ## -# The leading colon is required to enable the service. -CLAMAV=:clamav.yml -``` - -After enabling that service, you can add the service to the stack with `docker-compose up -d` again. - -### Traefik Dashboard - -If you want to use the Traefik dashboard, set TRAEFIK_DASHBOARD to `true` (default is `false` and therefore not active). If you activate it, you must set a domain for the Traefik dashboard in `TRAEFIK_DOMAIN=` e.g. `TRAEFIK_DOMAIN=traefik.owncloud.test`. - -The Traefik dashboard is secured by basic auth. Default credentials are the user `admin` with the password `admin`. To set your own credentials, generate a htpasswd (e.g. by using [an online tool](https://htpasswdgenerator.de/) or a cli tool). 
- -```shell {linenos=table,hl_lines=[4,7,10]} -### Traefik Settings ### -# Serve Traefik dashboard. -# Defaults to "false". -TRAEFIK_DASHBOARD=true -# Domain of Traefik, where you can find the dashboard. -# Defaults to "traefik.owncloud.test" -TRAEFIK_DOMAIN= -# Basic authentication for the traefik dashboard. -# Defaults to user "admin" and password "admin" (written as: "admin:admin"). -TRAEFIK_BASIC_AUTH_USERS= -``` -### Cloud Importer - -Cloud importer can provide an Upload Interface to your oCIS instance. It is a separate service that can be enabled in the `.env` file. - -```shell {linenos=table,hl_lines=[3]} -## Uppy Companion Settings ## -# The leading colon is required to enable the service. -CLOUD_IMPORTER=:cloudimporter.yml -## The docker image to be used for uppy companion. -# owncloud has built a container with public link import support. -COMPANION_IMAGE= -# Domain of Uppy Companion. Defaults to "companion.owncloud.test". -COMPANION_DOMAIN= -# Provider settings, see https://uppy.io/docs/companion/#provideroptions for reference. -# Empty by default, which disables providers. -COMPANION_ONEDRIVE_KEY= -COMPANION_ONEDRIVE_SECRET= -``` - -After Enabling that servive by uncommenting the `CLOUD_IMPORTER` line, you can add the service to the stack with `docker-compose up -d` again. - -### S3 Storage - -You can use an S3 compatible Storage as the primary data store. The metadatata of the files will still be stored on the local filesystem. - -{{}} -The endpoint, region and keys for your S3 Server need to be provided by the service or company who operates it. Normally you can get these via web portal. -{{}} - -```shell {linenos=table,hl_lines=[8,10,12,14,16,18]} -# S3 Storage configuration - optional -# Infinite Scale supports S3 storage as primary storage. -# Per default, S3 storage is disabled and the local filesystem is used. -# To enable S3 storage, uncomment the following line and configure the S3 storage. 
-# For more details see: -# https://doc.owncloud.com/ocis/next/deployment/storage/s3.html -# Note: the leading colon is required to enable the service. -# S3NG=:s3ng.yml -# Configure the S3 storage endpoint. Defaults to "http://minio:9000" for testing purposes. -S3NG_ENDPOINT= -# S3 region. Defaults to "default". -S3NG_REGION= -# S3 access key. Defaults to "ocis" -S3NG_ACCESS_KEY= -# S3 secret. Defaults to "ocis-secret-key" -S3NG_SECRET_KEY= -# S3 bucket. Defaults to "ocis" -S3NG_BUCKET= -``` - -#### Use a Local Minio S3 Storage Backend - -For testing purposes, you can use a local minio S3 storage backend. To enable it, uncomment the `S3NG_MINIO` line in the `.env` file. - -The frontend for the minio server is available at `http://minio.owncloud.test` and the access key is `ocis` and the secret key is `ocis-secret`. - -## Local Setup for Web Development - -In case you want to run ownCloud Web from a development branch together with this deployment example (e.g. for feature development for the app provider frontend) you can use this deployment example with the local setup and some additional steps as described below. - -1. Clone the [ownCloud Web repository](https://github.com/owncloud/web) on your development machine. -2. Run `pnpm i && pnpm build:w` for `web`, so that it creates and continuously updates the `dist` folder for web. -3. Add the dist folder as read only volume to `volumes` section of the `ocis` service in the `docker-compose.yml` file: - ```yaml - - /your/local/path/to/web/dist/:/web/dist:ro - ``` - Make sure to point to the `dist` folder inside your local copy of the web repository. -4. Set the oCIS environment variables `WEB_ASSET_CORE_PATH` and `WEB_ASSET_APPS_PATH` in the `environment` section of the `ocis` service, so that it uses your mounted dist folder for the web assets, instead of the assets that are embedded into oCIS. - ```yaml - WEB_ASSET_CORE_PATH: "/web/dist" - WEB_ASSET_APPS_PATH: "/web/dist" - ``` -5. 
Start the deployment example as described above in the `Local setup` section. - -For app provider frontend development in `web` you can find the source code in `web/packages/web-app-external`. Some parts of the integration live in `web/packages/web-app-files`. - -## Using Podman - -Podman doesn't have a "local" log driver. Also it's docker-compatibility socket does live in a different location, especially when running a rootless podman. - -Using the following settings you can run the deployment with a recent podman version: - -```bash -LOG_DRIVER=journald \ -DOCKER_SOCKET_PATH=/run/user/1000/podman/podman.sock \ -podman compose start -``` diff --git a/docs/ocis/deployment/ocis_hello.md b/docs/ocis/deployment/ocis_hello.md deleted file mode 100644 index 58797eae61..0000000000 --- a/docs/ocis/deployment/ocis_hello.md +++ /dev/null 
@@ -1,121 +0,0 @@ ---- -title: "oCIS with Hello extension" -date: 2020-10-12T14:04:00+01:00 -weight: 24 -geekdocRepo: https://github.com/owncloud/ocis -geekdocEditPath: edit/master/docs/ocis/deployment -geekdocFilePath: ocis_hello.md ---- - -{{< toc >}} - -## Overview - -- oCIS running behind Traefik as reverse proxy -- oCIS Hello extension runs beside the main oCIS stack and providing the Hello functionality -- Traefik generating self-signed certificates for local setup or obtaining valid SSL certificates for a server setup - -[Find this example on GitHub](https://github.com/owncloud/ocis/tree/master/deployments/examples/ocis_hello) - -The docker stack consists of 3 containers. One of them is Traefik, a proxy which is terminating SSL and forwards the requests to oCIS in the internal docker network. - -The oCIS Hello extension is running in another container and enables you to use its functionality from within ownCloud Web. - -## Server Deployment - -### Requirements - -- Linux server with docker and docker-compose installed -- two domains set up and pointing to your server - - ocis.\* for serving oCIS - - traefik.\* for serving the Traefik dashboard - -See also [example server setup]({{< ref "preparing_server" >}}) - -### Install oCIS and Traefik - -- Clone oCIS repository - - `git clone https://github.com/owncloud/ocis.git` - -- Go to the deployment example - - `cd ocis/deployment/examples/ocis_hello` - -- Open the `.env` file in a text editor. - - The file by default looks like this: - - ```bash - # If you're on a internet facing server please comment out following line. - # It skips certificate validation for various parts of oCIS and is needed if you use self signed certificates. - INSECURE=true - - ### Traefik settings ### - # Serve Traefik dashboard. Defaults to "false". - TRAEFIK_DASHBOARD= - # Domain of Traefik, where you can find the dashboard. Defaults to "traefik.owncloud.test" - TRAEFIK_DOMAIN= - # Basic authentication for the dashboard. 
Defaults to user "admin" and password "admin" - TRAEFIK_BASIC_AUTH_USERS= - # Email address for obtaining LetsEncrypt certificates, needs only be changed if this is a public facing server - TRAEFIK_ACME_MAIL= - - ### oCIS settings ### - # oCIS version. Defaults to "latest" - OC_DOCKER_TAG= - # Domain of oCIS, where you can find the frontend. Defaults to "ocis.owncloud.test" - OC_DOMAIN= - # oCIS admin user password. Defaults to "admin". - ADMIN_PASSWORD= - # The demo users should not be created on a production instance - # because their passwords are public. Defaults to "false". - DEMO_USERS= - - ### oCIS Hello settings ### - # oCIS Hello version. Defaults to "latest" - OC_HELLO_DOCKER_TAG= - ``` - - You are installing oCIS on a server and Traefik will obtain valid certificates for you so please remove `INSECURE=true` or set it to `false`. - - If you want to use the Traefik dashboard, set TRAEFIK_DASHBOARD to `true` (default is `false` and therefore not active). If you activate it, you must set a domain for the Traefik dashboard in `TRAEFIK_DOMAIN=` e.g. `TRAEFIK_DOMAIN=traefik.owncloud.test`. - - The Traefik dashboard is secured by basic auth. Default credentials are the user `admin` with the password `admin`. To set your own credentials, generate a htpasswd (e.g. by using [an online tool](https://htpasswdgenerator.de/) or a cli tool). - - Traefik will issue certificates with LetsEncrypt and therefore you must set an email address in `TRAEFIK_ACME_MAIL=`. - - By default oCIS will be started in the `latest` version. If you want to start a specific version of oCIS set the version to `OC_DOCKER_TAG=`. Available versions can be found on [Docker Hub](https://hub.docker.com/r/owncloud/ocis/tags?page=1&ordering=last_updated). - - Set your domain for the oCIS frontend in `OC_DOMAIN=`, e.g. `OC_DOMAIN=ocis.owncloud.test`. - - Set the initial admin user password in `ADMIN_PASSWORD=`, it defaults to `admin`. 
- - By default the oCIS Hello extension will be started in the `latest` version. If you want to start a specific version of oCIS Hello set the version to `OC_HELLO_DOCKER_TAG=`. Available versions can be found on [Docker Hub](https://hub.docker.com/r/owncloud/ocis-hello/tags?page=1&ordering=last_updated). - - Now you have configured everything and can save the file. - -- Start the docker stack - - `docker-compose up -d` - -- You now can visit oCIS and are able to switch to the Hello extension by using the application switcher on the top right corner of ownCloud Web. You may need to wait some minutes until all services are fully ready, so make sure that you try to reload the pages from time to time. - -## Local setup - -For a more simple local ocis setup see [Getting started]({{< ref "../getting-started" >}}) - -This docker stack can also be run locally. One downside is that Traefik can not obtain valid SSL certificates and therefore will create self-signed ones. This means that your browser will show scary warnings. Another downside is that you can not point DNS entries to your localhost. So you have to add static host entries to your computer. - -On Linux and macOS you can add them to your `/etc/hosts` file and on Windows to `C:\Windows\System32\Drivers\etc\hosts` file like this: - -``` -127.0.0.1 ocis.owncloud.test -127.0.0.1 traefik.owncloud.test -``` - -After that you're ready to start the application stack: - -`docker-compose up -d` - -Open https://ocis.owncloud.test in your browser and accept the invalid certificate warning. You are now able to switch to the Hello extension by using the application switcher on the top right corner of ownCloud Web. You may need to wait some minutes until all services are fully ready, so make sure that you try to reload the pages from time to time. diff --git a/docs/ocis/deployment/ocis_keycloak.md b/docs/ocis/deployment/ocis_keycloak.md deleted file mode 100644 index 10b0455fb4..0000000000 
--- a/docs/ocis/deployment/ocis_keycloak.md
+++ /dev/null
@@ -1,136 +0,0 @@ ---- -title: "oCIS with Keycloak" -date: 2020-10-12T14:04:00+01:00 -weight: 24 -geekdocRepo: https://github.com/owncloud/ocis -geekdocEditPath: edit/master/docs/ocis/deployment -geekdocFilePath: ocis_keycloak.md ---- - -{{< toc >}} - -## Overview - -* oCIS and Keycloak running behind Traefik as reverse proxy -* Keycloak acting as the IDP for oCIS -* Traefik generating self-signed certificates for local setup or obtaining valid SSL certificates for a server setup - -[Find this example on GitHub](https://github.com/owncloud/ocis/tree/master/deployments/examples/ocis_keycloak) - -The docker stack consists 4 containers. One of them is Traefik, a proxy which is terminating ssl and forwards the requests to oCIS in the internal docker network. It -is also responsible for redirecting requests on the OIDC discovery endpoints (e.g. `.well-known/openid-configuration`) to the correct destination in Keycloak. - -Keycloak add two containers: Keycloak itself and a PostgreSQL as database. Keycloak will be configured as oCIS' IDP instead of the internal IDP [LibreGraph Connect]({{< ref "../../services/idp" >}}) - -The other container is oCIS itself, running all services in one container. In this example oCIS uses the [oCIS storage driver]({{< ref "../storage/storagedrivers" >}}) - -## Server Deployment - -### Requirements - -* Linux server with docker and docker-compose installed -* Three domains set up and pointing to your server - - ocis.* for serving oCIS - - keycloak.* for serving Keycloak - - traefik.* for serving the Traefik dashboard - -See also [example server setup]({{< ref "preparing_server" >}}) - - -### Install oCIS and Traefik - -* Clone oCIS repository - - `git clone https://github.com/owncloud/ocis.git` - -* Go to the deployment example - - `cd ocis/deployments/examples/ocis_keycloak` - -* Open the `.env` file in a text editor. 
- - The file by default looks like this: - - ```bash - # If you're on a internet facing server please comment out following line. - # It skips certificate validation for various parts of oCIS and is needed if you use self signed certificates. - INSECURE=true - - ### Traefik settings ### - # Serve Traefik dashboard. Defaults to "false". - TRAEFIK_DASHBOARD= - # Domain of Traefik, where you can find the dashboard. Defaults to "traefik.owncloud.test" - TRAEFIK_DOMAIN= - # Basic authentication for the dashboard. Defaults to user "admin" and password "admin" - TRAEFIK_BASIC_AUTH_USERS= - # Email address for obtaining LetsEncrypt certificates, needs only be changed if this is a public facing server - TRAEFIK_ACME_MAIL= - - ### oCIS settings ### - # oCIS version. Defaults to "latest" - OC_DOCKER_TAG= - # Domain of oCIS, where you can find the frontend. Defaults to "ocis.owncloud.test" - OC_DOMAIN= - # ownCloud Web openid connect client id. Defaults to "ocis-web" - OC_OIDC_CLIENT_ID= - - ### Keycloak ### - # Domain of Keycloak, where you can find the management and authentication frontend. Defaults to "keycloak.owncloud.test" - KEYCLOAK_DOMAIN= - # Realm which to be used with oCIS. Defaults to "oCIS" - KEYCLOAK_REALM= - # Admin user login name. Defaults to "admin" - KEYCLOAK_ADMIN_USER= - # Admin user login password. Defaults to "admin" - KEYCLOAK_ADMIN_PASSWORD= - - ``` - - You are installing oCIS on a server and Traefik will obtain valid certificates for you so please remove `INSECURE=true` or set it to `false`. - - If you want to use the Traefik dashboard, set TRAEFIK_DASHBOARD to `true` (default is `false` and therefore not active). If you activate it, you must set a domain for the Traefik dashboard in `TRAEFIK_DOMAIN=` e.g. `TRAEFIK_DOMAIN=traefik.owncloud.test`. - - The Traefik dashboard is secured by basic auth. Default credentials are the user `admin` with the password `admin`. To set your own credentials, generate a htpasswd (e.g. 
by using [an online tool](https://htpasswdgenerator.de/) or a cli tool). - - Traefik will issue certificates with LetsEncrypt and therefore you must set an email address in `TRAEFIK_ACME_MAIL=`. - - By default oCIS will be started in the `latest` version. If you want to start a specific version of oCIS set the version to `OC_DOCKER_TAG=`. Available versions can be found on [Docker Hub](https://hub.docker.com/r/owncloud/ocis/tags?page=1&ordering=last_updated). - - Set your domain for the oCIS frontend in `OC_DOMAIN=`, e.g. `OC_DOMAIN=ocis.owncloud.test`. - - If you want to change the OIDC client id of th ownCloud Web frontend, you can do this by setting the name to `OC_OIDC_CLIENT_ID=`. - - Set your domain for the Keycloak administration panel and authentication endpoints to `KEYCLOAK_DOMAIN=` e.g. `KEYCLOAK_DOMAIN=keycloak.owncloud.test`. - - Changing the used Keycloak realm can be done by setting `KEYCLOAK_REALM=`. This defaults to the oCIS realm `KEYCLOAK_REALM=oCIS`. The oCIS realm will be automatically imported on startup and includes our demo users. - - You probably should secure your Keycloak admin account by setting `KEYCLOAK_ADMIN_USER=` and `KEYCLOAK_ADMIN_PASSWORD=` to values other than `admin`. - - Now you have configured everything and can save the file. - -* Start the docker stack - - `docker-compose up -d` - -* You now can visit oCIS, Keycloak and Traefik dashboard on your configured domains. You may need to wait some minutes until all services are fully ready, so make sure that you try to reload the pages from time to time. - -## Local setup -For a more simple local ocis setup see [Getting started]({{< ref "../getting-started" >}}) - -This docker stack can also be run locally. One downside is that Traefik can not obtain valid SSL certificates and therefore will create self-signed ones. This means that your browser will show scary warnings. Another downside is that you can not point DNS entries to your localhost. 
So you have to add static host entries to your computer. - -On Linux and macOS you can add them to your `/etc/hosts` file and on Windows to `C:\Windows\System32\Drivers\etc\hosts` file like this: - -``` -127.0.0.1 ocis.owncloud.test -127.0.0.1 traefik.owncloud.test -127.0.0.1 keycloak.owncloud.test -``` - -After that you're ready to start the application stack: - -`docker-compose up -d` - -Open https://keycloak.owncloud.test in your browser and accept the invalid certificate warning. - -Open https://ocis.owncloud.test in your browser and accept the invalid certificate warning. You now can login to oCIS with the demo users. You may need to wait some minutes until all services are fully ready, so make sure that you try to reload the pages from time to time. diff --git a/docs/ocis/deployment/ocis_ldap.md b/docs/ocis/deployment/ocis_ldap.md deleted file mode 100644 index a0378f2e22..0000000000 --- a/docs/ocis/deployment/ocis_ldap.md +++ /dev/null 
@@ -1,134 +0,0 @@ ---- -title: "oCIS with LDAP" -date: 2020-10-12T14:04:00+01:00 -weight: 24 -geekdocRepo: https://github.com/owncloud/ocis -geekdocEditPath: edit/master/docs/ocis/deployment -geekdocFilePath: ocis_ldap.md ---- - - -{{< toc >}} - -## Overview - -- Traefik generating self-signed certificates for local setup or obtaining valid SSL certificates for a server setup -- OpenLDAP server with demo users -- LDAP admin interface to edit users -- oCIS running behind Traefik as reverse proxy - - oCIS is using the LDAP server as user backend - -[Find this example on GitHub](https://github.com/owncloud/ocis/tree/master/deployments/examples/ocis_ldap) - -## Server Deployment - -### Requirements - -- Linux server with docker and docker-compose installed -- four domains set up and pointing to your server - - ocis.\* for serving oCIS - - ldap .\* for serving the LDAP management UI - - traefik.\* for serving the Traefik dashboard - -See also [example server setup]({{< ref "preparing_server" >}}) - -### Install this example - -- Clone oCIS repository - - `git clone https://github.com/owncloud/ocis.git` - -- Go to the deployment example - - `cd ocis/deployment/examples/ocis_ldap` - -- Open the `.env` file in a text editor. - - The file by default looks like this: - - ```bash - # If you're on a internet facing server please comment out following line. - # It skips certificate validation for various parts of oCIS and is needed if you use self signed certificates. - INSECURE=true - - ### Traefik settings ### - # Serve Traefik dashboard. Defaults to "false". - TRAEFIK_DASHBOARD= - # Domain of Traefik, where you can find the dashboard. Defaults to "traefik.owncloud.test" - TRAEFIK_DOMAIN= - # Basic authentication for the dashboard. 
Defaults to user "admin" and password "admin" - TRAEFIK_BASIC_AUTH_USERS= - # Email address for obtaining LetsEncrypt certificates, needs only be changed if this is a public facing server - TRAEFIK_ACME_MAIL= - - ### oCIS settings ### - # oCIS version. Defaults to "latest" - OC_DOCKER_TAG= - # Domain of oCIS, where you can find the frontend. Defaults to "ocis.owncloud.test" - OC_DOMAIN= - # JWT secret which is used for the storage provider. Must be changed in order to have a secure oCIS. Defaults to "Pive-Fumkiu4" - OC_JWT_SECRET= - # JWT secret which is used for uploads to create transfer tokens. Must be changed in order to have a secure oCIS. Defaults to "replace-me-with-a-transfer-secret" - STORAGE_TRANSFER_SECRET= - # Machine auth api key secret. Must be changed in order to have a secure oCIS. Defaults to "change-me-please" - OC_MACHINE_AUTH_API_KEY= - - ### LDAP server settings ### - # Password of LDAP user "cn=admin,dc=owncloud,dc=com". Defaults to "admin" - LDAP_ADMIN_PASSWORD= - - ### LDAP manager settings ### - # Domain of LDAP manager. Defaults to "ldap.owncloud.test" - LDAP_MANAGER_DOMAIN= - ``` - - You are installing oCIS on a server and Traefik will obtain valid certificates for you so please remove `INSECURE=true` or set it to `false`. - - If you want to use the Traefik dashboard, set TRAEFIK_DASHBOARD to `true` (default is `false` and therefore not active). If you activate it, you must set a domain for the Traefik dashboard in `TRAEFIK_DOMAIN=` e.g. `TRAEFIK_DOMAIN=traefik.owncloud.test`. - - The Traefik dashboard is secured by basic auth. Default credentials are the user `admin` with the password `admin`. To set your own credentials, generate a htpasswd (e.g. by using [an online tool](https://htpasswdgenerator.de/) or a cli tool). - - Traefik will issue certificates with LetsEncrypt and therefore you must set an email address in `TRAEFIK_ACME_MAIL=`. - - By default oCIS will be started in the `latest` version. 
If you want to start a specific version of oCIS set the version to `OC_DOCKER_TAG=`. Available versions can be found on [Docker Hub](https://hub.docker.com/r/owncloud/ocis/tags?page=1&ordering=last_updated). - - Set your domain for the oCIS frontend in `OC_DOMAIN=`, e.g. `OC_DOMAIN=cloud.owncloud.test`. - - The OpenLDAP server in this example deployment has an admin users, which is also used as bind user in order to keep these examples simple. You can change the default password "admin" to a different one by setting it to `LDAP_ADMIN_PASSWORD=...`. - - Set your domain for the LDAP manager UI in `LDAP_MANAGER_DOMAIN=`, e.g. `ldap.owncloud.test`. - - Grant the oCIS Admin role to the admin user from your LDAP in `OC_ADMIN_USER_ID:`. You need to enter the uuid of LDAP user. - - {{< hint type=tip title=Encoding >}} - In the .ldif file in this example, the admin user id is base64 encoded. You need to decode it to make it work. - {{< /hint >}} - - Now you have configured everything and can save the file. - -- Start the docker stack - - `docker-compose up -d` - -- You now can visit oCIS and Traefik dashboard on your configured domains. You may need to wait some minutes until all services are fully ready, so make sure that you try to reload the pages from time to time. - -## Local setup - -For a more simple local ocis setup see [Getting started]({{< ref "../getting-started" >}}) - -This docker stack can also be run locally. One downside is that Traefik can not obtain valid SSL certificates and therefore will create self-signed ones. This means that your browser will show scary warnings. Another downside is that you can not point DNS entries to your localhost. So you have to add static host entries to your computer. 
- -On Linux and macOS you can add them to your `/etc/hosts` file and on Windows to `C:\Windows\System32\Drivers\etc\hosts` file like this: - -``` -127.0.0.1 cloud.owncloud.test -127.0.0.1 keycloak.owncloud.test -127.0.0.1 ldap.owncloud.test -127.0.0.1 traefik.owncloud.test -``` - -After that you're ready to start the application stack: - -`docker-compose up -d` - -Open https://ocis.owncloud.test in your browser and accept the invalid certificate warning. You now can login to oCIS with the default users, which also can be found here: [Getting started]({{< ref "../getting-started#login-to-ocis-web" >}}). You may need to wait some minutes until all services are fully ready, so make sure that you try to reload the pages from time to time. diff --git a/docs/ocis/deployment/preparing_server.md b/docs/ocis/deployment/preparing_server.md deleted file mode 100644 index bd4806b168..0000000000 --- a/docs/ocis/deployment/preparing_server.md +++ /dev/null 
@@ -1,67 +0,0 @@ ---- -title: "Preparing a server" -date: 2020-10-12T14:04:00+01:00 -weight: 100 -geekdocRepo: https://github.com/owncloud/ocis -geekdocEditPath: edit/master/docs/ocis/deployment -geekdocFilePath: preparing_server.md ---- - -{{< toc >}} - - -## Example for Hetzner Cloud -* create server on Hetzner Cloud. Set labels "owner" and "for". Example for hcloud cli: -`hcloud server create --type cx21 --image ubuntu-20.04 --ssh-key admin --name ocis-server --label owner=admin --label for=testing` - -* Configure DNS A-records for needed domains pointing on the servers ip address, for example in CloudFlare - -* Access server via ssh as root - -* Create a new user - - `$ adduser --disabled-password --gecos "" admin` - -* Add user to sudo group - - `$ usermod -aG sudo admin` - -* Install docker - - ``` - apt update - apt install docker.io - ``` - -* Add user to docker group - - `usermod -aG docker admin` - -* Install docker-compose via - - `curl -L "https://github.com/docker/compose/releases/download/1.27.4/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose` - - (docker compose version 1.27.4 as of today) -* Make docker-compose executable - - `chmod +x /usr/local/bin/docker-compose` - - -* Add users pub key to - ``` - mkdir /home/admin/.ssh - echo "" >> /home/admin/.ssh/authorized_keys - chown admin:admin -R /home/admin/.ssh - ``` - -* Secure ssh daemon by editing `/etc/ssh/sshd_config` - ``` - PermitRootLogin no - ChallengeResponseAuthentication no - PasswordAuthentication no - UsePAM no - ``` - -* restart sshd server to apply settings `systemctl restart sshd` - -* Login as the user you created diff --git a/docs/ocis/deployment/systemd.md b/docs/ocis/deployment/systemd.md deleted file mode 100644 index 50aef61293..0000000000 --- a/docs/ocis/deployment/systemd.md +++ /dev/null 
@@ -1,72 +0,0 @@ ---- -title: "Systemd service" -date: 2020-09-27T06:00:00+01:00 -weight: 16 -geekdocRepo: https://github.com/owncloud/ocis -geekdocEditPath: edit/master/docs/ocis/deployment -geekdocFilePath: systemd.md ---- - -{{< toc >}} - -## Install the oCIS binary - -Download the oCIS binary of your preferred version and for your CPU architecture and operating system from [download.owncloud.com](https://download.owncloud.com/ocis/ocis). - -Rename the downloaded binary to `ocis` and move it to `/usr/bin/`. As a next step, you need to mark it as executable with `chmod +x /usr/bin/ocis`. - -When you now run `ocis help` on your command line, you should see the available options for the oCIS command. - -## Systemd service definition - -Create the Systemd service definition for oCIS in the file `/etc/systemd/system/ocis.service` with following content: - -```systemd -[Unit] -Description=OCIS server - -[Service] -Type=simple -User=root -Group=root -EnvironmentFile=/etc/ocis/ocis.env -ExecStart=ocis server -Restart=always - -[Install] -WantedBy=multi-user.target -``` - -{{< hint warning >}} -For reasons of simplicity we are using the root user and group to run oCIS which is not recommended. Please use a non-root user in production environments and modify the oCIS service definition accordingly. -{{< /hint >}} - -In the service definition we referenced `/etc/ocis/ocis.env` as our file containing environment variables for the oCIS process. -In order to create the file we need first to create the folder `/etc/ocis/` and then we can add the actual `/etc/ocis/ocis.env` with following content: - -```bash -OC_URL=https://some-hostname-or-ip:9200 -PROXY_HTTP_ADDR=0.0.0.0:9200 -OC_INSECURE=false - -OC_LOG_LEVEL=error - -OC_CONFIG_DIR=/etc/ocis -OC_BASE_DATA_PATH=/var/lib/ocis -``` - -Since we set `OC_CONFIG_DIR` to `/etc/ocis` you can also place configuration files in this directory. - -Please change your `OC_URL` in order to reflect your actual deployment. 
If you are using self-signed certificates you need to set `OC_INSECURE=true` in `/etc/ocis/ocis.env`. - -oCIS will store all data in `/var/lib/ocis`, because we configured it so by setting `OC_BASE_DATA_PATH`. Therefore you need to create that directory and make it accessible to the user, you use to start oCIS. - -## Starting the oCIS service - -Initialize the oCIS configuration by running `ocis init --config-path /etc/ocis`. - -You can enable oCIS now by running `systemctl enable --now ocis`. It will ensure that oCIS also is restarted after a reboot of the host. - -If you need to restart oCIS because of configuration changes in `/etc/ocis/ocis.env`, run `systemctl restart ocis`. - -You can have a look at the logs of oCIS by issuing `journalctl -f -u ocis`. diff --git a/docs/ocis/deployment/ubernauten.md b/docs/ocis/deployment/ubernauten.md deleted file mode 100644 index 7fb8fd3188..0000000000 --- a/docs/ocis/deployment/ubernauten.md +++ /dev/null 
@@ -1,144 +0,0 @@ ---- -title: "Installing ownCloud Infinite Scale at Ubernauten" - -date: 2023-12-04T14:04:00+01:00 -weight: 100 -geekdocRepo: https://github.com/owncloud/ocis -geekdocEditPath: edit/master/docs/ocis/deployment -geekdocFilePath: ubernauten.md ---- - -{{< toc >}} - -## Uberspace and ownCloud Infinite Scale in 50 seconds - -This howto shows how to set up ownCloud Infinite Scale for a quick test. For convenience, we will use the free service from the Ubernauten -- Join us here: [Uberspace Registration Page](https://dashboard.uberspace.de/register?lang=en). They offer free of charge (for the first month) web hosting. - -In this documentation, we are assuming you already have an account there and it is configured for SSH access. This guide is using "ocis.uber.space" as a domain at Uberspace, version 4.0.3 of Infinite Scale and the local user "owncloud". Make sure you adapt the example code and scripts mentioned in this page to your needs Both username and domain will be set when you sign in to Uberspace. - -Installing ownCloud Infinite Scale on Ubernauten is pretty straigt-forward, you can do it in three steps that take less than a minute: Here's a short video that shows how fast the whole process actually is - thanks to Infinite Scale's cloud native architecture. 
[ownCloud Infinite Scale in 50 seconds](/ocis/deployment/ubernauten_media/001-OCIS-in-50-seconds-2023-10-17.mkv) - -### Three Steps to your Infinite UberSpace - -* Download the Infinite Scale binary and make it executable -``` -curl https://download.owncloud.com/ocis/ocis/stable/4.0.3/ocis-4.0.3-linux-amd64 --output ocis -chmod +x ocis -``` - -* Set some environment variables related to Uberspace (**Make sure you fill in YOUR domain!**) -``` -uberspace web backend set / --http --port 9200 -export OC_URL=https://ocis.uber.space -export PROXY_TLS=false -export PROXY_HTTP_ADDR=0.0.0.0:9200 -export PROXY_LOG_LEVEL=debug -``` - -* Start the `ocis` binary, first with the parameter `init` for initial configuration. This will also give you your unique login password for the user `admin`. Once finished, call `ocis start`: -``` -./ocis init -./ocis server -``` -Wait a few seconds, now you can visit the url of your uberspace server and login: - -{{< figure src="/ocis/deployment/ubernauten_media/login.png" width="70%" height="auto" >}} - -To make it easier (and faster), here's the commands in a script called `ocis.install`: - -``` -#!/bin/bash -# This file is named ocis.install -# It downloads ocis, configures the environment varibles and starts -# ownCloud Infinite Scale on a ubernauten account. You can run it in your home directory - -curl https://download.owncloud.com/ocis/ocis/stable/4.0.3/ocis-4.0.3-linux-amd64 --output ocis -chmod +x ocis -uberspace web backend set / --http --port 9200 -export OC_URL=https://ocis.uber.space -export PROXY_TLS=false -export PROXY_HTTP_ADDR=0.0.0.0:9200 -export PROXY_LOG_LEVEL=debug -./ocis init -./ocis server -``` - -### Service Management with Supervisord - -If you want `ocis` to run continuously, you need to configure `supervisord` (http://supervisord.org) which is the tool Uberspace is using for service management. 
- -You can start and stop services with `supervisorctl`, it will (re)read configuration files it finds in your home directory, under `etc/services.d/`, in `.ini` files. The content of these files is very simple, you only have to enter three lines, here is the example for Infinite Scale in `/home/owncloud/etc/services.d/ocis.ini`. - -``` -[program:ocis] -command="/home/owncloud/ocis.start" -startsecs=60 -``` - -`ocis.start` is a script that combines all of the commands above except for the download of the ocis binary. It looks like this: - -``` -#!/bin/bash -# This file is named ocis.start. -# It sets environment variables needed for uber.space needed for Infinite Scale -/usr/bin/uberspace web backend set / --http --port 9200 & -export OC_URL=https://ocis.uber.space -export PROXY_TLS=false -export PROXY_HTTP_ADDR=0.0.0.0:9200 -export PROXY_LOG_LEVEL=debug -/home/owncloud/ocis server -``` - -There are four supervisorctl commands that you will find useful (many more can be found in its documentation). You can use `supervisorctl status` to check which services managed by supervisorctl are running, a `supervisorctl reread` will be necessary after you changed the `ini` files, an `update` is applying changes, and `supervisorctl stop` will stop a running service: - -``` -[owncloud@ocis ~]$ supervisorctl status -ocis RUNNING pid 9813, uptime 0:01:40 -[owncloud@ocis ~]$ supervisorctl reread -No config updates to processes -[owncloud@ocis ~]$ supervisorctl update -``` -You can find all information on Supervisord and `supervisorctl` on its website: [Running Supervisord](http://supervisord.org/running.html). - -### Updating ownCloud Infinite Scale - -Updating the ocis binary is simple: When a new version comes to life, just download the new `ocis` binary from the download server, replacing the old `ocis` executable on your uberspace server. 
- -Make a backup of your data and make sure you have read and understood the release notes of your new version , especially the "breaking changes" section before starting the binary. - -Don't worry, you can always go back to the older version you had installed, there's a long list of older versions available for download. - -Mind that if you want to re-configure, re-install or start a new version of ocis, make sure you have stopped supervisorctl from restarting ocis. Enter `supervisorctl stop ocis`, followed by a `killall -9 ocis` to make sure no ocis version is still running. - -### Wiping and Clean Restart from Scratch - -This little script is removing your ocis installation (and **all of your data!**), replacing it with a new, clean ocis installation. Be careful and only use it for testing purposes. Specify your desired ocis version in the curl command. - -``` -#!/bin/bash -# This file is named ocis.reinstall -# It deletes the old ocis installation, fetches a new binary and starts ocis. -rm -rf .ocis -curl https://download.owncloud.com/ocis/ocis/stable/4.0.3/ocis-4.0.3-linux-amd64 --output ocis -chmod +x ocis -uberspace web backend set / --http --port 9200 -export OC_URL=https://ocis.uber.space -export PROXY_TLS=false -export PROXY_HTTP_ADDR=0.0.0.0:9200 -export PROXY_LOG_LEVEL=debug -./ocis init -./ocis server -``` - -### Troubleshooting - -* SSL/TLS Certificates: Every Uberspace comes with its own HTTPS certificate via Let's Encrypt. See the [Uberspace - HTTPS](https://manual.uberspace.de/web-https/) documentation for more details. - -* Error message about `jwt_secret`: If you get the following error message, then you probably forgot to run the `ocis init` command. If `ocis server` find an configuration hasn't been set up, it will complain like this: -``` -[owncloud@ocis ~]$ ./ocis server -The jwt_secret has not been set properly in your config for ocis. -Make sure your /home/mfeilner/.ocis/config config contains the proper values -(e.g. 
by running ocis init or setting it manually in the config/corresponding -environment variable). -``` diff --git a/docs/ocis/deployment/ubernauten_media/001-OCIS-in-50-seconds-2023-10-17.mkv b/docs/ocis/deployment/ubernauten_media/001-OCIS-in-50-seconds-2023-10-17.mkv deleted file mode 100644 index 189a5479cf..0000000000 Binary files a/docs/ocis/deployment/ubernauten_media/001-OCIS-in-50-seconds-2023-10-17.mkv and /dev/null differ diff --git a/docs/ocis/deployment/ubernauten_media/login.png b/docs/ocis/deployment/ubernauten_media/login.png deleted file mode 100644 index de76db6881..0000000000 Binary files a/docs/ocis/deployment/ubernauten_media/login.png and /dev/null differ diff --git a/docs/ocis/development/_index.md b/docs/ocis/development/_index.md deleted file mode 100644 index 9767dcfe45..0000000000 --- a/docs/ocis/development/_index.md +++ /dev/null @@ -1,9 +0,0 @@ ---- -title: "Development" -date: 2020-10-01T20:35:00+01:00 -weight: 10 -geekdocRepo: https://github.com/owncloud/ocis -geekdocEditPath: edit/master/docs/ocis/development -geekdocFilePath: _index.md -geekdocCollapseSection: true ---- diff --git a/docs/ocis/development/beta-testplan.md b/docs/ocis/development/beta-testplan.md deleted file mode 100644 index c9e61793c6..0000000000 --- a/docs/ocis/development/beta-testplan.md +++ /dev/null 
@@ -1,316 +0,0 @@ ---- -title: "Beta testplan" -date: 2022-03-24T00:00:00+00:00 -weight: 20 -geekdocRepo: https://github.com/owncloud/ocis -geekdocEditPath: edit/master/docs/ocis/development -geekdocFilePath: beta-testplan.md ---- - -# Beta Testing - -This document is supposed to give you some ideas how and what to test on ocis. It's not meant to be an extensive list of all tests to be done, rather it should help you, as beta-tester, to get started and enable you to get creative and create your own test-cases. [Derive from these examples, be creative, do unusual and unconventional things, to try to break things](https://twitter.com/sempf/status/514473420277694465). - -One option to create new test-cases and to stress the system is to examine what the [API acceptance-tests](https://owncloud.dev/ocis/development/testing/#testing-with-test-suite-natively-installed) or the [web-UI](#web) does, [examine the requests](#decode-https-traffic-with-wireshark) and do something a bit different with curl. This is also a good way to find out how APIs work that are not already fully documented. - -Some cases have suggested setup steps, but feel free to use other setups. This can include: -- different deployment methods (e.g. running single binary, docker-container, docker-compose setup, [individual services in own docker containers](https://owncloud.dev/ocis/deployment/ocis_individual_services/)) -- different identity managers (e.g. [different external LDAP](https://owncloud.dev/ocis/deployment/ocis_ldap/), internal IDM) -- different reverse proxies (e.g. 
[traefik](https://owncloud.dev/ocis/deployment/ocis_traefik/)) -- different OpenIDConnect IDPs (e.g builtin IDP, [keycloak](https://owncloud.dev/ocis/deployment/ocis_keycloak/), AzureAD) - - for some functionalities you will need an [LDAP server](https://owncloud.dev/ocis/deployment/ocis_ldap/) where the IDP and oCIS both get the users from - - [keycloak example](https://owncloud.dev/ocis/deployment/ocis_keycloak/) - - [service configuration](https://owncloud.dev/extensions/idp/configuration/) -- different storage systems (decomposedFS on local POSIX (default), [decomposedFS on NFS](https://owncloud.dev/ocis/storage-backends/dcfsnfs/), [S3](https://owncloud.dev/ocis/deployment/ocis_s3/) ) - -It's a good idea to test ocis in the same environment where you are planning to use it later (with the LDAP server, storage system, etc. of your organisation). - -# run oCIS -For a quick start, please have a look into the [getting started documentation of oCIS]({{< ref "../getting-started/#run-ocis" >}}) -If you would like -to access oCIS remotely please refer to the [Basic Remote Setup]({{< ref "../deployment/basic-remote-setup" >}}) section. - -## additional tips -- to allow basic auth (e.g. 
to easily access oCIS using curl commands) you have to set `PROXY_ENABLE_BASIC_AUTH=true` environment variable -- if you cannot use real SSL Certificates set `OC_INSECURE=true` as environment variable - - -# Testplan - -## user / groups from LDAP - -Prerequisite: -- connect ocis to your preferred LDAP server -- create users and groups in LDAP -- start ocis with basic auth - -documentation resources: - - [configure ocis with LDAP](https://owncloud.dev/ocis/deployment/ocis_ldap/) - - [sharing API is compatible to ownCloud 10](https://doc.owncloud.com/server/10.9/developer_manual/core/apis/ocs-share-api.html) - - [webDav operations](#webdav) - -| Test Case | Expected Result | Comment | -|-------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------|---------| -| share file / folder to a group | member of the group can access shared item | | -| share file / folder to a group, remove member from group in LDAP | removed member should not have access to the shared item | | -| share file / folder to a group with different permissions, as receiver try to violate the permissions | receiver should not be able to violate the permissions | | -| try to login with wrong credentials | login should not be possible | | -| set a quota in LDAP, upload files till the quota is exceeded | upload should work till quota is full, uploads should not work when quota is full | | -| try to access files / folders of other users | access should not be possible | | -| try to share with non-existing users and groups | sharing should not be possible | | -| try to share with user/groups-names that contain special characters | sharing should be possible, access shares with that user does not create any problems | | - -## other sharing - -should be tried in various ways and in different environments - -documentation resources: -- [sharing API is compatible to ownCloud 
10](https://doc.owncloud.com/server/10.9/developer_manual/core/apis/ocs-share-api.html) -- [webDav operations](#webdav) - -| Test Case | Expected Result | Comment | -|---------------------------------------------------------------------------------------|-----------------------------------------------------------------------|-----------------------------------------------------------| -| share a file/folder with the same name from different users | receiver can accept and access both file/folders and distinguish them | | -| share a file/folder with the same name but different permissions from different users | receiver can access both file/folders according to the permissions | | -| share a file/folder with the same name but different locations from one user | receiver can accept and access both file/folders and distinguish them | | -| share a file/folder back to the sharer | sharing back should not be possible | | -| re-share a file/folder with different permissions | sharing with lower permissions is possible, but not with higher | | -| decline received share | shared resource should not be shown to the receiver | | - - -## parallel deployment - -- [configure ocis with LDAP](https://owncloud.dev/ocis/deployment/ocis_ldap/) -- [setup oC10 and ocis in parallel](https://owncloud.dev/ocis/deployment/oc10_ocis_parallel/) -- create users and groups in LDAP - -documentation resources: -- [sharing API is compatible to ownCloud 10](https://doc.owncloud.com/server/10.9/developer_manual/core/apis/ocs-share-api.html) - -| Test Case | Expected Result | Comment | -|------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------|---------| -| share file / folder to a group in one implementation (use different permissions), access the items with the other implementation, try to violate the permissions | receiver should not 
be able to violate the permissions | | -| share file / folder to a group, remove member from group in LDAP, try to access items with the removed member from both implementations | removed member should not have access to the shared item | | - -## Spaces - -Prerequisite: -- start ocis with basic auth -- variable declaration, for curl examples: -```shell -SERVER_URI=https://localhost:9200 -GRAPH_API_PATH=graph/v1.0 -SHARE_API_PATH=ocs/v2.php/apps/files_sharing/api/v1/shares -USER=admin -PASSWORD=admin -``` -- create a new user `curl -k -u $USER:$PASSWORD "$SERVER_URI/$GRAPH_API_PATH/users" -X POST -d'{"displayName":"Example User","mail":"example@example.org","onPremisesSamAccountName":"example","passwordProfile":{"password":"ThePassword"}}'` -- give the user the "Space Admin" role - 1. get the id of the user: `curl -k -u $USER:$PASSWORD $SERVER_URI/$GRAPH_API_PATH/users/ | jq '.id'` - 2. assign role user to role: `curl -k -u $USER:$PASSWORD $SERVER_URI/api/v0/settings/assignments-add -d'{"account_uuid":"","role_id":"2aadd357-682c-406b-8874-293091995fdd"}` -- create a space: `curl -k -u $USER:$PASSWORD "$SERVER_URI/$GRAPH_API_PATH/drives" -X POST -d'{"Name":"Space for finance","driveType":"project", "description":"we need some space"}'` -- list spaces: `curl -k -u $USER:$PASSWORD $SERVER_URI/$GRAPH_API_PATH/me/drives` -- disable a space: `curl -k -u $USER:$PASSWORD $SERVER_URI/$GRAPH_API_PATH/drives/ -X DELETE` -- delete a space: `curl -k -u $USER:$PASSWORD $SERVER_URI/$GRAPH_API_PATH/drives/ -X DELETE -H'Purge: T'` -- restore a space: `curl -k -u $USER:$PASSWORD $SERVER_URI/$GRAPH_API_PATH/drives/ -X PATCH -d"{}" -H"Restore: true"` -- rename the space: `curl -k -u $USER:$PASSWORD $SERVER_URI/$GRAPH_API_PATH/drives/ -X PATCH -d'{"name":"नेपालि नाम"}'` -- change description of the space: `curl -k -u $USER:$PASSWORD $SERVER_URI/$GRAPH_API_PATH/drives/ -X PATCH -d'{"description":"this contains important data"}'` -- change quota of the space `curl -k -u $USER:$PASSWORD 
$SERVER_URI/$GRAPH_API_PATH/drives/ -X PATCH -d'{"quota":{"total":}}'` -- change image of space: - 1. upload an image file to the `.spaces` folder: `curl -k -u $USER:$PASSWORD https://localhost:9200/dav/spaces//.space/ -T -v` - 2. note the id provided in the `Oc-Fileid` header - 3. set the image as "special-folder": `curl -k -u $USER:$PASSWORD $SERVER_URI/$GRAPH_API_PATH/drives/ -X PATCH -d'{"special":[{"specialFolder":{"name":"image"},"id":""}]}'` -- share a space: `curl -k -u $USER:$PASSWORD $SERVER_URI/$SHARE_API_PATH -d'space_ref=&shareType=7&shareWith=&role='` - - Roles: - - viewer - - editor - - manager -- share a resource within a space `curl -k -u $USER:$PASSWORD $SERVER_URI/$SHARE_API_PATH -d'shareType=0&shareWith=&space_ref=%2F&permissions=` - - possible permissions - - 1 = read - - 2 = update - - 4 = create - - 8 = delete - - 15 = read/write - - 16 = share - - 31 = All permissions -- WebDAV - - root: `https:///dav/spaces/` - - [example commands for operations](#webdav) - -| Test Case | Expected Result | Comment | -|-------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------|---------| -| create a space | space should exist | | -| create a space with special characters as a name & description | space should exist | | -| create a space, delete the space | space should not exist | | -| create a space, share the space with a user | space should be accessible | | -| create a space, share the space with a group | space should be accessible, space content is shared among all users | | -| create a space, share the space with a group, disable the space | space should not be accessible | | -| create a space, share the space with a user, disable the space, restore the space | space should be accessible | | -| create a space, disable the space, delete the space, restore the space | it should not be possible to restore the space 
| | -| create a space, disable the space, try to share the space | sharing the space should not be possible | | -| create a space, try to delete the space | it should not be possible to delete an enabled space | | -| create & share a space with a group with viewer role, do CRUD file/folder operations with WebDAV | space content is readable but neither space not content should not be writable | | -| create & share a space with a group with editor role, do CRUD file/folder operations with WebDAV | space and content should be writable | | -| create a space, try CRUD file/folder operations with WebDAV on the space with a user that its not shared with | space and content should not be accessible | | -| create a space with a quota, share the space, upload files till the quota is exceeded | upload should work till quota is full, uploads should not work when quota is full | | -| share file/folders from inside a space (see other sharing section) | sharing works and obeys the permissions | | -| create a space, rename the space | new name should be displayed in API calls and web | | -| create a space, change description of the space | new description should be displayed in API calls and web | | -| create a space, set quota, change quota of the space | new quota is obeyed | | -| create a space, set quota, change quota of the space to a value that is lower than the sum of data already stored | new quota is obeyed, new files cannot be uploaded | | -| try the various space operations with invalid data | good error output, server does not crash | | -| try the various space operations without the correct permissions | operations are not possible without sufficient permissions | | -| try the various space operations on personal and virtual spaces | server should not crash, good error responses | | -| try the various space operations sending invalid data (invalid numbers, wrong types, invalid JSON, etc.) 
| server should not crash, good error responses | | - - -## Web - -Prerequisite: -- [connect ocis to your preferred LDAP server](https://owncloud.dev/ocis/deployment/ocis_ldap/) -- create users and groups in LDAP -- Use your preferred browser (Firefox 94-96, Chrome 92-97, Opera 81-82, Edge 96-97, Safari 14-15) to access the built-in webUI (by default: https://localhost:9200) - -| Test Case | Expected Result | Comment | -|--------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------|---------| -| Login with the created user | User logs in. | | -| Create a text file. | Text editor can open, file is saved. | | -| Create a text file with special characters as name | file is created if the name is legal otherwise an error is displayed | | -| Modify a text file. | File can be modified, no problems found. | | -| Rename a file. | File is renamed. | | -| Upload a file. | File is uploaded, no problems found. | | -| Upload multiple files at once. | Files are uploaded, no problems found. | | -| delete all content of a folder at once. | Folder is cleaned, items are visible in the trashbin | | -| Overwrite a file by uploading a new version. | File is uploaded and overwritten, file versions are displayed | | -| Overwrite a file by uploading a new version, restore the original version. | File is restored correctly | | -| upload a huge file | File is uploaded, no problems found. | | -| upload a huge file, cancel the upload, restart the upload | Upload continues at the position where it was cancelled, file is uploaded completely. | | -| Remove a file. | File is removed correctly, it appears in the trashbin. | | -| Restore the deleted file from trashbin | File is restored correctly | | -| Remove multiple files that have the same name but are located in different folders | Files are removed correctly, they appear in the trashbin. 
| | -| Restore some of the deleted files from trashbin | Files are restored correctly in the correct folders. | | -| Restore some of the deleted files from trashbin, but delete the original containing folder before | Files are restored correctly | | -| Clean files from the trashbin | files are permanently deleted | | -| Create a lot of files, delete a lot of files, empty the trashbin | trashbin is cleaned | | -| Move a file inside a folder. | There are not problems on the process. | | -| Move a file inside a folder that already contains a file with the same name | File is not moved, content in the destination is not overwritten | | -| Create a folder. | Folder is created, no MKCOL problems appear. | | -| Create a folder with special characters as name | Folder is created if the name is legal otherwise an error is displayed | | -| Create a folder with a name of an already existing file/folder | Folder is not created, an error is displayed | | -| Create a folder with a lot of subfolders, use special characters in the name | Folder is created, no MKCOL problems appear. | | -| Delete a folder. | Folder is removed. | | -| Move a folder inside another. | No problems while moving the folder. | | -| open images in mediaviewer | files are displayed correctly. | | -| open videos in mediaviewer | files are displayed correctly. | | -| switch through videos and images in mediaviewer | files are displayed correctly. | | -| Share a file by public link. | Link is created and can be accessed. | | -| Share a folder by public link. | Link is created and can be accessed. | | -| Share a file with another user. | It is shared correctly. | | -| Share a folder with another user. | It is shared correctly. | | -| Share a file with a group. | It is shared correctly. | | -| Share a folder with a group. | It is shared correctly. | | -| Share a folder with userB giving edit permissions. 
As userB do CRUD operations on items inside the received folder | userB doesn't find any problem while interacting with files. | | -| Use your mobile device to access the UI | All elements reachable | | -| do tests mentioned in the [spaces](#spaces) section using the web-UI | | | - -## Desktop Client - -Prerequisite: -- [install the desktop client on your preferred OS](https://owncloud.com/desktop-app/) -- start ocis -- connect a new account in the desktop client to ocis e.g. `https://localhost:9200` if you are running the server and the client on the same machine -- accept the self-signed certificate -- you will be redirected to the browser, accept the certificate there also -- login as any user -- allow the "ownCloud desktop app" to access ocis -- select a folder to sync - -| Test Case | Expected Result | Comment | -|---------------------------------------------------------------------------------------------------------|------------------------------------------------------------------------------|---------| -| Set up two clients with the same user. Change files, add some, delete some, move some, create folders. | Changes sync properly in both clients without errors. | | -| Share a file using contextual menu with userB. | Option to share appears in the contextual menu and file is correctly shared. | | - - -## Mobile Clients (iOS || Android) - -Prerequisite: -- [install the ownCloud app on your mobile](https://owncloud.com/mobile-apps/) -- start oCIS as described in [Basic Remote Setup]({{< ref "../deployment/basic-remote-setup" >}}) -- connect a new account in the mobile client to ocis -- accept the self-signed certificate -- you will be redirected to the browser, accept the certificate there also -- login as any user -- allow the mobile app to access ocis - - -| Test Case | Expected Result | Comment | -|-----------------------------------------------|------------------------------------------|---------| -| Connect to server, see files, download one. 
| No problems while downloading. | | -| Upload a file using mobile client. | No problems while uploading. | | -| Share a file with userB using mobile client. | File is correctly shared. | | - -## other WebDAV clients - -Prerequisite: -- start ocis with basic auth - -| Test Case | Expected Result | Comment | -|---------------------------------------------------------------|-------------------------------------------------------------|--------------------------------------------------------------------------------------------------------------| -| use ocis as webDAV external storage in ownCloud 10 | resource access works | | -| access webDAV with your file-manager | that will not give you a good UX, but ocis should not crash | Urls: https://\/remote.php/webdav & https://\/remote.php/dav/files/\ | -| access webDAV with the "remote-files" function of LibreOffice | files are accessible and can be written back | | - -# Tips for testing - -## WebDav -WebDav is accessible under different path -- old: https://\/remote.php/webdav -- new: https://\/remote.php/dav/files/\ -- spaces: https://\/dav/spaces/\ - -WebDav specifications can be found on http://webdav.org/ - -here some general WebDav request examples: - -variable declaration: -```shell -SERVER_URI=https://localhost:9200 -API_PATH=remote.php/webdav -USER=admin -PASSWORD=admin -``` -- list content of root folder: `curl -k -u $USER:$PASSWORD "$SERVER_URI/$API_PATH/" -X PROPFIND` -- list content of sub-folder: `curl -k -u $USER:$PASSWORD "$SERVER_URI/$API_PATH/f1" -X PROPFIND` -- create a folder: `curl -k -u $USER:$PASSWORD "$SERVER_URI/$API_PATH/folder" -X MKCOL` -- delete a resource: `curl -k -u $USER:$PASSWORD "$SERVER_URI/$API_PATH/folder" -X DELETE` -- rename / move a resource: `curl -k -u $USER:$PASSWORD "$SERVER_URI/$API_PATH/folder" -X MOVE -H "Destination: $SERVER_URI/$API_PATH/renamed"` -- copy a resource: `curl -k -u $USER:$PASSWORD "$SERVER_URI/$API_PATH/folder" -X COPY -H "Destination: 
$SERVER_URI/$API_PATH/folder-copy"` - -## decode HTTPS traffic with wireshark -To decode the HTTPS traffic we need the keys that were used to encrypt the traffic. Those keys are kept secret by the clients, but we can request the clients to save them in a specific file, so that wireshark can use them to decrypt the traffic again. - -1. create key file: `touch /tmp/sslkey.log` -2. start wireshark -3. set log filename - - navigate to Edit=>Preferences=>Protocols=>TLS - - in the field `(Pre)-Master-Secret log filename` enter `/tmp/sslkey.log` -4. decode as HTTP - - navigate to Analyze=>Decode As... - - click the + button - - set Field: `TLS Port; Value=9200; Type: Integer, base 10; Default (none); Current HTTP` (adjust the port if you are using another one than 9200) -5. start recording - - use `port 9200` as capture filter to only record ocis packages - - use `http` as display filter to see only decoded traffic -6. run test-software with `SSLKEYLOGFILE=/tmp/sslkey.log` as env. variable e.g. - - curl: `SSLKEYLOGFILE=/tmp/sslkey.log curl -k -u admin:admin https://localhost:9200/ocs/v1.php/cloud/users` - - Browser: `SSLKEYLOGFILE=/tmp/sslkey.log firefox` - - LibreOffice: `SSLKEYLOGFILE=/tmp/sslkey.log libreoffice` - - acceptance tests: `SSLKEYLOGFILE=/tmp/sslkey.log make test-acceptance-api ...` - -## format output -- piping **xml** results to `xmllint` gives you nice formats. E.g. `curl -k --user marie:radioactivity "https://localhost:9200/ocs/v1.php/apps/files_sharing/api/v1/shares" | xmllint --format -` -- piping **json** results to `jq` gives you nice formats. E.g. `curl -k --user marie:radioactivity "https://localhost:9200/ocs/v1.php/apps/files_sharing/api/v1/shares?format=json" | jq` - -## create edge cases -- [Big List of Naughty Strings](https://github.com/minimaxir/big-list-of-naughty-strings) diff --git a/docs/ocis/development/build-docs.md b/docs/ocis/development/build-docs.md deleted file mode 100644 index 44624b234c..0000000000 
--- a/docs/ocis/development/build-docs.md
+++ /dev/null
@@ -1,26 +0,0 @@
----
-title: "Documentation"
-date: 2020-07-27T08:39:38+00:00
-weight: 20
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/ocis/development
-geekdocFilePath: build-docs.md
----
-
-{{< toc >}}
-
-## Build the documentation
-
-{{< hint info >}}
-For building the documentation you need to have Make and Go 1.14 or higher installed.
-{{< /hint >}}
-
-Just run `make -C docs docs-serve` from within the root level of the oCIS git repository. This will make documentation available on [localhost:1313](http://localhost:1313) and also do a hot reload if you change something in the (non autogenerated) documentation files.
-
-Note that you may get files changed reported like `env_vars.yaml` by just running the make command. You can discard any of these as they come from an internal helper process step necessary. To take care on those changed files, see the [Docs Helpers](https://github.com/owncloud/ocis/tree/master/docs/helpers) readme.
-
-## Add changes to the documentation
-
-Please keep this documentation in sync with the oCIS source code.
-
-Changes on the documentation are automatically applied to [this site]({{< ref "../" >}}) when merged to the master branch.
diff --git a/docs/ocis/development/build.md b/docs/ocis/development/build.md
deleted file mode 100644
index e78409335f..0000000000
--- a/docs/ocis/development/build.md
+++ /dev/null
@@ -1,57 +0,0 @@
----
-title: "Build"
-date: 2020-02-27T20:35:00+01:00
-weight: 20
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/ocis/development
-geekdocFilePath: build.md
----
-
-{{< toc >}}
-
-## Build requirements
-
-see [Development - Getting Started]({{< ref "getting-started/#requirements">}})
-
-## Get the sources
-
-{{< highlight txt >}}
-git clone https://github.com/owncloud/ocis.git
-cd ocis
-{{< / highlight >}}
-
-## Build the oCIS binary
-
-You only need to run following command if you have changed protobuf definitions or the frontend part in one of the extensions. Run the command in the root directory of the repository. Otherwise you can skip this step and proceed to build the oCIS binary.
-This will usually modify multiple `embed.go` files because we embed the frontend build output in these `embed.go` files and a timestamp will be updated and also minor differences are expected between different Node.js versions.
-
-{{< highlight txt >}}
-make generate
-{{< / highlight >}}
-
-The next step is to build the actual oCIS binary. Therefore you need to navigate to the subdirectory `ocis` and start the build process.
-
-{{< highlight txt >}}
-cd ocis
-make build
-{{< / highlight >}}
-
-After the build process finished, you can find the binary within the `bin/` folder (in `ocis/bin` relative to the oCIS repository root folder).
-
-Try to run it: `./bin/ocis h`
-
-## Build a local oCIS docker image
-
-If you are developing and want to run your local changes in a docker or docker-compose setup, you have to build an image locally.
-
-Therefore run following commands in the root of the oCIS repository:
-
-{{< highlight txt >}}
-docker build -t owncloud/ocis:dev .
-{{< / highlight >}}
-
-Then you can test as usual via
-
-{{< highlight txt >}}
-docker run --rm -ti owncloud/ocis:dev
-{{< / highlight >}}
diff --git a/docs/ocis/development/continuous-integration.md b/docs/ocis/development/continuous-integration.md
deleted file mode 100644
index b5907d7cdc..0000000000
--- a/docs/ocis/development/continuous-integration.md
+++ /dev/null
@@ -1,56 +0,0 @@
----
-title: "Continuous Integration"
-date: 2020-10-01T20:35:00+01:00
-weight: 20
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/ocis/development
-geekdocFilePath: continuous-integration.md
----
-
-{{< toc >}}
-
-oCIS uses [DRONE](https://www.drone.io/) as CI system. You can find the pipeline logs [here](https://drone.owncloud.com/owncloud/ocis) or in your PR.
-
-## Concepts
-
-The pipeline is defined in [Starlark](https://github.com/bazelbuild/starlark) and transformed to YAML upon pipeline run. This enables us to do a highly dynamic and non repeating pipeline configuration. We enforce Starlark format guidelines with Bazel Buildifier. You can format the .drone.star file by running `make ci-format`.
-
-Upon running the pipeline, your branch gets merged to the master branch. This ensures that we always test your changeset if as it was applied to the master of oCIS. Please note that this does not apply to the pipeline definition (`.drone.star`).
-
-## Things done in CI
-
-- static code analysis
-- linting
-- running UI tests
-- running ownCloud 10 test suite against oCIS
-- build and release docker images
-- build and release binaries
-- build and release documentation
-
-## Flags in commit message and PR title
-
-You may add flags to your commit message or PR title in order to speed up pipeline runs and take load from the CI runners.
-
-- `[CI SKIP]`: no CI is run on the commit or PR
-
-- `[full-ci]`: deactivates the fail early mechanism and runs all available test (as default only smoke tests are run)
-
-### Knowledge base
-
-- My pipeline fails because some CI related files or commands are missing.
-
- Please make sure to rebase your branch onto the latest master of oCIS. It could be that the pipeline definition (`.drone.star`) was changed on the master branch. This is the only file, that will not be auto merged to master upon pipeline run. So things could be out of sync.
-
-- How can I see the YAML drone pipeline definition?
-
- In order to see the Yaml pipeline definition you can use the drone-cli to convert the Starlark file.
-
- ```
- drone starlark
- ```
-
- {{< hint info >}}
- If you experience a `"build" struct has no .title attribute` you need a newer version of drone-cli.
-
- You currently need to build it yourself from this [source code](https://github.com/drone/drone-cli). If you are not using master as source, please ensure that this [PR](https://github.com/drone/drone-cli/pull/175) is included.
- {{< /hint >}}
diff --git a/docs/ocis/development/debugging.md b/docs/ocis/development/debugging.md
deleted file mode 100644
index dd2ac7477a..0000000000
--- a/docs/ocis/development/debugging.md
+++ /dev/null
@@ -1,272 +0,0 @@
----
-title: "Debugging"
-date: 2020-03-19T08:21:00+01:00
-weight: 20
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/ocis/development
-geekdocFilePath: debugging.md
----
-
-{{< toc >}}
-
-## Debugging
-
-As a single binary for easy deployment running `ocis server` just forks itself to start all the services, which makes debugging those processes a little harder.
-
-Ultimately, we want to be able to stop a single service using e.g. `ocis kill web` so that you can start the service you want to debug in debug mode. We need to [change the way we fork processes](https://github.com/owncloud/ocis/issues/77) though, otherwise the runtime will automatically restart a service if killed.
-
-### Start ocis
-
-For debugging there are two workflows that work well, depending on your preferences.
-
-#### Use the debug binary and attach to the process as needed
-
-Run the debug binary with `OC_LOG_LEVEL=debug bin/ocis-debug server` and then find the service you want to debug using:
-
-```console
-# ps ax | grep ocis
-12837 pts/1 Sl+ 0:00 bin/ocis-debug server
-12845 pts/1 Sl 0:00 bin/ocis-debug graph
-12847 pts/1 Sl 0:00 bin/ocis-debug reva-auth-bearer
-12849 pts/1 Sl 0:00 bin/ocis-debug ocs
-12850 pts/1 Sl 0:00 bin/ocis-debug reva-storage-oc-data
-12863 pts/1 Sl 0:00 bin/ocis-debug webdav
-12874 pts/1 Sl 0:00 bin/ocis-debug reva-frontend
-12897 pts/1 Sl 0:00 bin/ocis-debug reva-sharing
-12905 pts/1 Sl 0:00 bin/ocis-debug reva-gateway
-12912 pts/1 Sl 0:00 bin/ocis-debug reva-storage-home
-12920 pts/1 Sl 0:00 bin/ocis-debug reva-users
-12929 pts/1 Sl 0:00 bin/ocis-debug glauth
-12940 pts/1 Sl 0:00 bin/ocis-debug reva-storage-home-data
-12948 pts/1 Sl 0:00 bin/ocis-debug idp
-12952 pts/1 Sl 0:00 bin/ocis-debug proxy
-12961 pts/1 Sl 0:00 bin/ocis-debug thumbnails
-12971 pts/1 Sl 0:00 bin/ocis-debug reva-storage-oc
-12981 pts/1 Sl 0:00 bin/ocis-debug web
-12993 pts/1 Sl 0:00 bin/ocis-debug api
-12998 pts/1 Sl 0:00 bin/ocis-debug
registry
-13004 pts/1 Sl 0:00 bin/ocis-debug web
-13015 pts/1 Sl 0:00 bin/ocis-debug reva-auth-basic
-```
-
-Then you can set a breakpoint in the service you need and attach to the process via processid. To debug the `reva-sharing` service the VS Code `launch.json` would look like this:
-
-```json
-{
- "version": "0.2.0",
- "configurations": [
- {
- "name": "ocis attach",
- "type": "go",
- "request": "attach",
- "mode": "local",
- "processId": 12897
- }
- ]
-}
-```
-
-#### Start all services independently to replace one of them with a debug process
-
-1. You can use this `./ocis.sh` script to start all services independently, so they don't get restarted by the runtime when you kill them:
-
-```bash
-#/bin/sh
-LOG_LEVEL="debug"
-
-bin/ocis --log-level=$LOG_LEVEL micro &
-
-bin/ocis --log-level=$LOG_LEVEL glauth &
-bin/ocis --log-level=$LOG_LEVEL graph &
-#bin/ocis --log-level=$LOG_LEVEL hello &
-bin/ocis --log-level=$LOG_LEVEL idp &
-#bin/ocis --log-level=$LOG_LEVEL ocs &
-bin/ocis --log-level=$LOG_LEVEL web &
-bin/ocis --log-level=$LOG_LEVEL reva-auth-basic &
-bin/ocis --log-level=$LOG_LEVEL reva-auth-bearer &
-bin/ocis --log-level=$LOG_LEVEL reva-frontend &
-bin/ocis --log-level=$LOG_LEVEL reva-gateway &
-bin/ocis --log-level=$LOG_LEVEL reva-sharing &
-bin/ocis --log-level=$LOG_LEVEL reva-storage-home &
-bin/ocis --log-level=$LOG_LEVEL reva-storage-home-data &
-bin/ocis --log-level=$LOG_LEVEL reva-storage-oc &
-bin/ocis --log-level=$LOG_LEVEL reva-storage-oc-data &
-bin/ocis --log-level=$LOG_LEVEL reva-storage-root &
-bin/ocis --log-level=$LOG_LEVEL reva-users &
-#bin/ocis --log-level=$LOG_LEVEL webdav
-
-bin/ocis --log-level=$LOG_LEVEL proxy &
-```
-
-2.
Get the list of running processes:
-
-```console
-# ps ax | grep ocis
-12837 pts/1 Sl+ 0:00 bin/ocis-debug server
-12845 pts/1 Sl 0:00 bin/ocis-debug graph
-12847 pts/1 Sl 0:00 bin/ocis-debug reva-auth-bearer
-12849 pts/1 Sl 0:00 bin/ocis-debug ocs
-12850 pts/1 Sl 0:00 bin/ocis-debug reva-storage-oc-data
-12863 pts/1 Sl 0:00 bin/ocis-debug webdav
-12874 pts/1 Sl 0:00 bin/ocis-debug reva-frontend
-12897 pts/1 Sl 0:00 bin/ocis-debug reva-sharing
-12905 pts/1 Sl 0:00 bin/ocis-debug reva-gateway
-12912 pts/1 Sl 0:00 bin/ocis-debug reva-storage-home
-12920 pts/1 Sl 0:00 bin/ocis-debug reva-users
-12929 pts/1 Sl 0:00 bin/ocis-debug glauth
-12940 pts/1 Sl 0:00 bin/ocis-debug reva-storage-home-data
-12948 pts/1 Sl 0:00 bin/ocis-debug idp
-12952 pts/1 Sl 0:00 bin/ocis-debug proxy
-12961 pts/1 Sl 0:00 bin/ocis-debug thumbnails
-12971 pts/1 Sl 0:00 bin/ocis-debug reva-storage-oc
-12981 pts/1 Sl 0:00 bin/ocis-debug web
-12993 pts/1 Sl 0:00 bin/ocis-debug api
-12998 pts/1 Sl 0:00 bin/ocis-debug registry
-13004 pts/1 Sl 0:00 bin/ocis-debug web
-13015 pts/1 Sl 0:00 bin/ocis-debug reva-auth-basic
-```
-
-3. Kill the service you want to start in debug mode:
-
-```console
-# kill 17628
-```
-
-4. Start the service you are interested in debug mode. When using make to build the binary there is already a `bin/ocis-debug` binary for you. When running an IDE tell it which service to start by providing the corresponding sub command, e.g. `bin\ocis-debug reva-frontend`.
-
-### Debugging the ocis in a docker container
-
-Remote debugging is the debug mode commonly used to work with a debugger and target running on a remote machine or a container for example a wopi stack `deployments/examples/ocis_full/docker-compose.yml`. Docker compose lets us define a compose application model through multiple compose files. When doing so, compose follows certain rules to merge compose files. See [Merge and override](https://docs.docker.com/compose/compose-file/13-merge/) in the Compose Specification.
Based on this rules, we added the extra files `deployments/examples/ocis_full/debug-ocis.yml`, `deployments/examples/ocis_full/debug-collaboration-collabora.yml`, `deployments/examples/ocis_full/debug-collaboration-onlyoffice.yml` that overwrites the `command` attribute and extends the `ports` attribute.
-Below we describe the steps how to build the image, run the docker-compose and connect via remote debugger.
-1. Build the image:
-```bash
-cd github.com/owncloud/ocis/ocis
-make debug-docker
-```
-2. Change the tag label:
-```bash
-export OC_DOCKER_TAG=debug
-```
-3. Run docker compose
-Building the docker compose command depends on what you want to debug, for example `ocis` and `collaboration` with the `collabora` supports.
-```bash
-docker compose -f docker-compose.yml -f ocis.yml -f collabora.yml -f debug-ocis.yml -f debug-collaboration-collabora.yml up -d
-```
-4. Connect to remote `delve`
-* For the VS Code add the configuration to the `.vscode/launch.json` [https://github.com/golang/vscode-go/wiki/debugging#remote-debugging](https://github.com/golang/vscode-go/wiki/debugging#remote-debugging)
-```json
- {
- "name": "Debug remote ocis :40000",
- "type": "go",
- "request": "attach",
- "mode": "remote",
- "port": 40000,
- "host": "localhost", // optional
- "trace": "verbose", // optional
- "showLog": true // optional
-},
-{
- "name": "Debug remote collaboration collabora :40001",
- "type": "go",
- "request": "attach",
- "mode": "remote",
- "port": 40001,
- "host": "localhost", // optional
- "trace": "verbose", // optional
- "showLog": true // optional
-},
-{
- "name": "Debug remote collaboration onlyoffice :40002",
- "type": "go",
- "request": "attach",
- "mode": "remote",
- "port": 40002,
- "host": "localhost", // optional
- "trace": "verbose", // optional
- "showLog": true // optional
-},
-```
-* For the Jetbrains Goland add the configuration following the docs
[https://www.jetbrains.com/help/go/go-remote.html](https://www.jetbrains.com/help/go/go-remote.html) - - -### Gather error messages - -We recommend you collect all related information in a single file or in a GitHub issue. Let us start with an error that pops up in the Web UI: - -> Error while sharing. -> error sending a grpc stat request - -This popped up when I tried to add `marie` as a collaborator in ownCloud Web. That triggers a request to the server which I copied as curl. We can strip a lot of headers and the gist of it is: - -```console -# curl 'https://localhost:9200/ocs/v1.php/apps/files_sharing/api/v1/shares' -d 'shareType=0&shareWith=marie&path=%2FNeuer+Ordner&permissions=1' -u einstein:relativity -k -v | xmllint -format - -[... headers ...] - - - - error - 998 - error sending a grpc stat request - - -``` - -{{< hint info >}} -The username and password only work when basic auth is available. Otherwise you have to obtain a bearer token, e.g. by grabbing it from the browser. -{{< /hint >}} -{{< hint danger >}} -TODO add ocis cli tool to obtain a bearer token. 
-{{< /hint >}}
-
-We also have a few interesting log entries:
-
-```
-0:43PM INF home/jfd/go/pkg/mod/github.com/cs3org/reva@v0.0.2-0.20200318111623-a2f97d4aa741/internal/grpc/interceptors/log/log.go:69 > unary code=OK end="18/Mar/2020:22:43:40 +0100" from=tcp://[::1]:44078 pid=17836 pkg=rgrpc start="18/Mar/2020:22:43:40 +0100" time_ns=95841 traceid=b4eb9a9f45921f7d3632523ca32a42b0 uri=/cs3.storage.registry.v1beta1.RegistryAPI/GetStorageProvider user-agent=grpc-go/1.26.0
-10:43PM ERR home/jfd/go/pkg/mod/github.com/cs3org/reva@v0.0.2-0.20200318111623-a2f97d4aa741/internal/grpc/interceptors/log/log.go:69 > unary code=Unknown end="18/Mar/2020:22:43:40 +0100" from=tcp://[::1]:43910 pid=17836 pkg=rgrpc start="18/Mar/2020:22:43:40 +0100" time_ns=586115 traceid=b4eb9a9f45921f7d3632523ca32a42b0 uri=/cs3.gateway.v1beta1.GatewayAPI/Stat user-agent=grpc-go/1.26.0
-10:43PM ERR home/jfd/go/pkg/mod/github.com/cs3org/reva@v0.0.2-0.20200318111623-a2f97d4aa741/internal/http/services/owncloud/ocs/reqres.go:94 > error sending a grpc stat request error="rpc error: code = Unknown desc = gateway: error calling Stat: rpc error: code = Unavailable desc = connection error: desc = \"transport: Error while dialing dial tcp [::1]:9152: connect: connection refused\"" pid=17832 pkg=rhttp traceid=b4eb9a9f45921f7d3632523ca32a42b0
-```
-
-{{< hint danger >}}
-TODO return the trace id in the response so we can correlate easier. For reva tracked in https://github.com/cs3org/reva/issues/587
-{{< /hint >}}
-
-The last line gives us a hint where the log message originated: `.../github.com/cs3org/reva@v0.0.2-0.20200318111623-a2f97d4aa741/internal/http/services/owncloud/ocs/reqres.go:94`.
Which looks like this:
-
-```go
-89: // WriteOCSResponse handles writing ocs responses in json and xml
-90: func WriteOCSResponse(w http.ResponseWriter, r *http.Request, res *Response, err error) {
-91: var encoded []byte
-92:
-93: if err != nil {
-94: appctx.GetLogger(r.Context()).Error().Err(err).Msg(res.OCS.Meta.Message)
-95: }
-```
-
-Ok, so this seems to be a convenience method that is called from multiple places and also handles errors. Unfortunately, this hides the actual source of the error. We could set a breakpoint in line 94 and reproduce the problem, which can be a lot harder than just clicking the share button or sending a curl request again. So let us see what else the log tells us.
-
-The previous line tells us that a Stat request failed: `uri=/cs3.gateway.v1beta1.GatewayAPI/Stat`. This time the line is written by the grpc log interceptor. What else is there?
-
-The first line tells us that looking up the responsible storage provider seems to have succeeded: `uri=/cs3.storage.registry.v1beta1.RegistryAPI/GetStorageProvider`.
-
-At this point it your familiarity with the codebase starts to become a factor. If you are new you should probably go back to setting a break point on the log line and check the stack trace.
-
-Debug wherever the call trace leads you to ... good luck!
-
-### Managing dependencies and testing changes
-
-You can either run and manage the services independently, or you can update the `go.mod` file and replace dependencies with your local version.
-
-To debug the reva frontend we need to add two replacements:
-
-```
-// use the local ocis-reva repo
-replace github.com/owncloud/ocis-reva => ../ocis-reva
-// also use the local reva repo
-replace github.com/cs3org/reva => ../reva
-```
-
-{{< hint info >}}
-The username and password only work when basic auth is available. Otherwise you have to obtain a bearer token, e.g. by grabbing it from the browser.
-{{< /hint >}}
-
-Rebuild ocis to make sure the dependency is used.
It should be sufficient to just restart the service you want to debug.
diff --git a/docs/ocis/development/envvars.md b/docs/ocis/development/envvars.md
deleted file mode 100644
index c401b370d8..0000000000
--- a/docs/ocis/development/envvars.md
+++ /dev/null
@@ -1,13 +0,0 @@
----
-title: "Environment Variables"
-date: 2024-08-22T15:41:00+01:00
-weight: 20
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/ocis/development
-geekdocFilePath: envvars.md
----
-
-Environment variables are an essential part of configuring services.
-
-If you are going to create new ones or deprecate existing ones, you must read the [Envvar Naming Scope]({{< ref "services/general-info/envvar-scopes.md" >}}) and the
-[Deprecating Variables]({{< ref "services/general-info/deprecating-variables.md" >}}) documentation for more details first before doing so.
diff --git a/docs/ocis/development/extensions.md b/docs/ocis/development/extensions.md
deleted file mode 100644
index 9c07fa9775..0000000000
--- a/docs/ocis/development/extensions.md
+++ /dev/null
@@ -1,65 +0,0 @@
----
-title: "Extensions"
-date: 2020-02-27T20:35:00+01:00
-weight: 40
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/ocis/development
-geekdocFilePath: extensions.md
----
-
-oCIS is all about files, sync and share - but most of the time there is more you want to do with your files, e.g. having a different view on your photo collection or editing your offices files in an online file editor. ownCloud 10 faced the same problem and solved it with `applications`, which can extend the functionality of ownCloud 10 in a wide range. Since oCIS is different in its architecture compared to ownCloud 10, we had to come up with a similar (yet slightly different) solution. To extend the functionality of oCIS, you can write or install `extensions`. An extension is basically any running code which integrates into oCIS and provides functionality to oCIS and its users. Because extensions are just microservices providing an API, you can technically choose any programming language you like - a huge improvement to ownCloud 10, where it was nearly impossible to use a different programming language than PHP.
-
-We will now introduce you to the oCIS extension system and show you how you can create a custom extension yourself.
-
-## Extension examples
-
-Technically every service in oCIS is an extension, even if oCIS would not really work without some of them. Therefore, you can draw inspiration from any of the plenty of extensions in the [oCIS monorepo](https://github.com/owncloud/ocis).
-
-Besides these "default" extensions in the oCIS monorepo, there are two more extensions you should be aware of:
-
-- [Hello](https://github.com/owncloud/ocis-hello)
-- [WOPI server](https://github.com/owncloud/ocis-wopiserver)
-
-Differences between the extensions maintained inside the oCIS monorepo and the ones maintained in their own repository are:
-
-- extensions inside the [oCIS monorepo](https://github.com/owncloud/ocis) are all written in Go, whereas other extensions may choose the programming language freely
-- extensions inside the oCIS monorepo heavily share tooling to reduce maintenance efforts, whereas other extensions may use different tooling (e.g. a different CI system)
-- extensions inside the oCIS monorepo will be all build into one binary and started with the `ocis server` command. All other extensions must be started individually besides oCIS.
-
-
-For quickstart purposes we also offer a [template project](https://github.com/owncloud/boilr-ocis-extension) which can be used to generate all the boilerplate code for you. But you also can decide to use your own project layout or even a different programming language.
-
-
-## Integration into oCIS
-
-Depending on the functionality of your extension, you might need to integrate with one or multiple of the components of oCIS mentioned below.
-
-### ownCloud Web
-
-If your extension is not just doing something in the background, you will need a UI in order to allow the user to interact with your extension. You could just provide your own web frontend for that purpose, but for a better user experience you can easily integrate into the web frontend of oCIS, the new [ownCloud Web](https://github.com/owncloud/web).
-
-ownCloud Web allows you to write an extension for itself and therefore offers a seamless user experience. Upon login, the user will be able to use the application switcher to switch between the files view, settings and other available and installed extensions, yours included.
Furthermore it is also possible to register your extension for different file actions. As an example, you could offer your extension to the user for creating and editing office documents. The user will then be able to create or open a file with your application directly from the files view. How to provide create an extension for ownCloud Web can be seen best in [the Hello extension](https://github.com/owncloud/ocis-hello/blob/master/ui/app.js), whereas plain file handling without any web frontend is available in the [WOPI server extension](https://github.com/owncloud/ocis-wopiserver/blob/master/ui/app.js).
-
-To make ownCloud Web pick up your extension, you need to activate it in the configuration like seen in the [Hello extension](https://owncloud.dev/extensions/ocis_hello/running/#configure-and-start-ocis).
-
-For a consistent look and feel, ownCloud Web uses an external design library, the [ownCloud design system](https://github.com/owncloud/owncloud-design-system). Since its classes and components are available through the wrapping `web runtime`, we highly recommend you to leverage it in your extension as well.
-
-### Settings
-
-An extension likely has some behaviour which the user can configure. Fundamental configuration will often be done by administrators during deployment, via configuration files or by setting environment variables. But for other settings, which are supposed to change more often or which are even user specific, this is not a viable way. Therefore you need to offer the users a UI where they can configure your extension to their liking. Because implementing something like this is a repetitive task among extensions, oCIS already offers the settings extensions which does that for your extension. Your extension just needs to register settings bundles, respective permissions and finally read the current values from the settings service.
You can read more on that on the [settings extension]({{< ref "../../services/settings" >}}) and see how [oCIS Hello uses these settings](https://owncloud.dev/extensions/ocis_hello/settings/).
-
-### Proxy
-
-The Proxy is an API gateway and acts as the single connection point where all external request from users and devices need to pass through.
-
-To make sure that requests can reach your extension's API, you need to register one or multiple endpoints at the proxy. The registration is an easy task and can be seen best on the [oCIS Hello example](https://owncloud.dev/extensions/ocis_hello/running/#configure-and-start-ocis).
-
-As files in ownCloud must always stay private (unless you share them with your friends or coworkers), requests to oCIS have an authenticated user context. This user context is also available to your extension and can be used to interact with the user's files. How to get the user context and authentication can be seen on the [oCIS Hello example](https://owncloud.dev/extensions/ocis_hello/settings/#account-uuid).
-
-### Storage
-
-oCIS leverages the CS3 APIs and [CS3 REVA](https://github.com/cs3org/reva) as a storage system because it offers a very flexible setup and supports a variety of storage backends like EOS, S3 and of course your local hard drive. REVA makes it easy to support more storage backends as needed.
-
-If you need to interact with files directly, you have the full power of the [CS3 APIs](https://cs3org.github.io/cs3apis/) in your hand. With the user context and the user's authentication token, which your extensions gets from the proxy, your extension can make these request in behalf of the user.
-
-If your extension needs to store persistent data which is not supposed to live in the user's home folder, there is also a so-called metadata storage, intended for exactly that purpose.
You should always use the metadata storage in favor of the local filesystem for persistent files, because your extension will then automatically use the storage backend the oCIS admin decides to use. For a temporary cache it is perfectly fine to use the local filesystem.
diff --git a/docs/ocis/development/getting-started.md b/docs/ocis/development/getting-started.md
deleted file mode 100644
index 367c779185..0000000000
--- a/docs/ocis/development/getting-started.md
+++ /dev/null
@@ -1,55 +0,0 @@
----
-title: "Getting Started"
-date: 2020-07-07T20:35:00+01:00
-weight: 15
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/ocis/development
-geekdocFilePath: getting-started.md
----
-
-{{< toc >}}
-
-## Requirements
-
-We want contribution to oCIS and the creation of extensions to be as easy as possible.
-So we are trying to reflect this in the tooling. It should be kept simple and quick to be set up.
-
-Besides standard development tools like git and a text editor, you need the following software for development:
-
-- Go >= v1.22 ([install instructions](https://golang.org/doc/install))
-- pnpm ([install instructions](https://pnpm.io/installation))
-- docker ([install instructions](https://docs.docker.com/get-docker/))
-- docker-compose ([install instructions](https://docs.docker.com/compose/install/))
-
-If you find tools needed besides the mentioned above, please feel free to open an issue or open a PR.
-
-## Repository structure
-
-oCIS consists of multiple microservices, also called extensions. We started by having standalone repositories for each of them, but quickly noticed that this adds a time-consuming overhead for developers. So we ended up with a monorepo housing all the extensions in one repository.
-
-Each extension lives in a subfolder (e.g. `accounts` or `settings`) within this repository as an independent Go module, following the [golang-standard project-layout](https://github.com/golang-standards/project-layout). They have common Makefile targets and can be used to change, build and run individual extensions. This allows us to version and release each extension independently.
-
-The `ocis` folder contains our [go-micro](https://github.com/asim/go-micro/) and [suture](https://github.com/thejerf/suture) based runtime. It is used to import all extensions and implements commands to manage them, similar to a small orchestrator.
With the resulting oCIS binary you can start single extensions or even all extensions at the same time.
-
-The `docs` folder contains the source for the [oCIS documentation]({{< ref "../" >}}).
-
-The `deployments` folder contains documented deployment configurations and templates. On a single node, running a single ocis runtime is a resource efficient way to deploy ocis. For multiple nodes docker compose or helm charts for kubernetes examples can be found here.
-
-The `scripts` folder contains scripts to perform various build, install, analysis, etc. operations.
-
-## Starting points
-
-Depending on what you want to develop there are different starting points. These will be described below.
-
-### Developing oCIS
-
-If you want to contribute to oCIS:
-
-- see [contribution guidelines](https://github.com/owncloud/ocis#contributing)
-- make sure the tooling is set up by [building oCIS]({{< ref "build" >}}) and [building the docs]({{< ref "build-docs" >}})
-- create or pick an [open issue](https://github.com/owncloud/ocis/issues) to develop on and mention in the issue that you are working on it
-- open a PR and get things done
-
-### Developing extensions
-
-If you want to develop an extension, start here: [Extensions]({{< ref "extensions">}})
diff --git a/docs/ocis/development/profiling.md b/docs/ocis/development/profiling.md
deleted file mode 100644
index 47a19431c9..0000000000
--- a/docs/ocis/development/profiling.md
+++ /dev/null
@@ -1,140 +0,0 @@
----
-title: "Profiling"
-date: 2021-08-24T12:32:20+01:00
-weight: 20
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/ocis/development
-geekdocFilePath: profiling.md
----
-
-{{< toc >}}
-
-# 0. Prerequisites
-
-- Go development kit of a [supported version](https://golang.org/doc/devel/release.html#policy).
- Follow [these instructions](http://golang.org/doc/code.html) to install the
- go tool and set up GOPATH.
-- Graphviz: http://www.graphviz.org/. Used to generate graphic visualizations of profiles, which this example setup does.
-
-The only way to enable the profiler currently is to explicitly select which areas to collect samples for. In order to do this, the following steps have to be followed.
-
-## 1. Clone Reva
-
-Reva is the reference implementation of the CS3 APIs that we use for our daily business between oCIS and its storages. It is in charge of accessing the storage, as well as managing shares. Because of this fact, the examples will modify code in this dependency. You can think of Reva as the framework we use in order to interface with different storage providers.
-
-`git clone github.com/cs3org/reva`
-
-## 2. Patch reva with the area that you want sampled.
-
-For the purposes of these docs let's use the WebDAV `PROPFIND` path. This patch is needed in order to have the WebDAV process reporting profiling traces to the `pprof`.
-
-```diff
-diff --git a/internal/http/services/owncloud/ocdav/propfind.go b/internal/http/services/owncloud/ocdav/propfind.go
-index 0e9c99be..f271572f 100644
---- a/internal/http/services/owncloud/ocdav/propfind.go
-+++ b/internal/http/services/owncloud/ocdav/propfind.go
-@@ -32,6 +32,8 @@ import (
- "strings"
- "time"
-
-+ _ "net/http/pprof"
-+
- userv1beta1 "github.com/cs3org/go-cs3apis/cs3/identity/user/v1beta1"
- rpc "github.com/cs3org/go-cs3apis/cs3/rpc/v1beta1"
- link "github.com/cs3org/go-cs3apis/cs3/sharing/link/v1beta1"
-@@ -311,6 +313,12 @@ func requiresExplicitFetching(n *xml.Name) bool {
- return true
- }
-
-+func init() {
-+ go func() {
-+ http.ListenAndServe(":1234", nil)
-+ }()
-+}
-+
- // from https://github.com/golang/net/blob/e514e69ffb8bc3c76a71ae40de0118d794855992/webdav/xml.go#L178-L205
- func readPropfind(r io.Reader) (pf propfindXML, status int, err error) {
- c := countingReader{r: r}
-```
-
-The previous patch will:
-
-1. import `net/http/pprof`, which will register debug handlers in `DefaultServeMux`.
-2. define a `init()` function that starts an HTTP server with the previously registered handlers.
-
-With everything running one should have access to http://localhost:1234/debug/pprof/
-
-## 3. Replace reva in oCIS go.mod with local version and build a new binary
-
-In Go, the `go.mod` file controls the dependencies of your module. Because we patched an external library, Go provides with a mechanism to overwrite an existing dependency with one on your local machine, which we previously installed.
-
-```diff
-diff --git a/go.mod b/go.mod
-index 131d14d7b..9668c38e4 100644
---- a/go.mod
-+++ b/go.mod
-@@ -78,6 +78,7 @@ require (
-
- replace (
- github.com/crewjam/saml => github.com/crewjam/saml v0.4.5
-+ github.com/cs3org/reva => path/to/your/reva
- go.etcd.io/etcd/api/v3 => go.etcd.io/etcd/api/v3 v3.0.0-20210204162551-dae29bb719dd
- go.etcd.io/etcd/pkg/v3 => go.etcd.io/etcd/pkg/v3 v3.0.0-20210204162551-dae29bb719dd
- )
-```
-
-Make sure to replace `github.com/cs3org/reva => path/to/your/reva` with the correct location of your reva.
-
-## 4. Build a new ocis binary
-
-Using the new dependency with the pprof patch.
-
-From owncloud/ocis root:
-
-```console
-$ cd ocis
-$ make clean build
-```
-
-## 5. Start oCIS server
-
-From owncloud/ocis root:
-
-```console
-$ ocis/bin/ocis server
-```
-
-## 6. Run `pprof`
-
-[Pprof](https://github.com/google/pprof) is a tool developed at Google. It is a tool for visualization and analysis of profiling data. It will take the reported profiled data from our server, and represent it in a meaningful manner.
-
-### Install pprof
-
-If `pprof` is not installed make sure to get it; one way of installing it is using the Go tools:
-
-```console
-$ go get -u github.com/google/pprof
-```
-
-### Collecting samples
-
-Collect 30 seconds of samples:
-
-```console
-$ pprof -web http://:1234/debug/pprof/profile\?seconds\=30
-```
-
-Once the collection is done a browser tab will open with the result `svg`, looking similar to this:
-
-![img](https://i.imgur.com/vo0EbcX.jpg)
-
-For references on how to interpret this graph, [continue reading here](https://github.com/google/pprof/blob/master/doc/README.md#interpreting-the-callgraph).
-
-## Room for improvement
-
-Because these docs are intended to be read by developers they are quite technical in content. Requiring the user to alter the code. This is done so that we do not include, or assume, third party dependencies such as Graphviz in our binary, making it heavier.
Having said this, the profiler is only meant to be used in development
-
-## References
-
-- https://medium.com/swlh/go-profile-your-code-like-a-master-1505be38fdba
-- https://dave.cheney.net/2013/07/07/introducing-profile-super-simple-profiling-for-go-programs
diff --git a/docs/ocis/development/tracing.md b/docs/ocis/development/tracing.md
deleted file mode 100644
index 82e13806ad..0000000000
--- a/docs/ocis/development/tracing.md
+++ /dev/null
@@ -1,50 +0,0 @@
----
-title: "Tracing"
-date: 2020-05-13T12:09:00+01:00
-weight: 55
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/ocis/development
-geekdocFilePath: tracing.md
----
-
-{{< toc >}}
-
-By default, we use [Jaeger](https://www.jaegertracing.io) for request tracing within oCIS. You can follow these steps
-to get started:
-
-1. Start Jaeger by using the all-in-one docker image:
- ```console
- docker run -d --name jaeger \
- -e COLLECTOR_ZIPKIN_HTTP_PORT=9411 \
- -p 5775:5775/udp \
- -p 6831:6831/udp \
- -p 6832:6832/udp \
- -p 5778:5778 \
- -p 16686:16686 \
- -p 14268:14268 \
- -p 14250:14250 \
- -p 9411:9411 \
- jaegertracing/all-in-one:1.17
- ```
-2. Every single oCIS service has its own environment variables for enabling and configuring tracing.
- 1. You can enable and configure tracing on each service individually. For example, enable tracing
- in Reva when starting the oCIS single binary like this:
- ```console
- REVA_TRACING_ENABLED=true \
- REVA_TRACING_ENDPOINT=localhost:6831 \
- REVA_TRACING_COLLECTOR=http://localhost:14268/api/traces \
- ./bin/ocis server
- ```
- 2. Enabling and configuring tracing on oCIS itself will forward the configuration to all services:
- ```console
- OC_TRACING_ENABLED=true \
- OC_TRACING_ENDPOINT=localhost:6831 \
- OC_TRACING_COLLECTOR=http://localhost:14268/api/traces \
- ./bin/ocis server
- ```
- If you want to set individual tracing configuration for each service, make sure to set
- `OC_TRACING_ENABLED=false`.
-3. Make the actual request that you want to trace.
-4. Open up the [Jaeger UI](http://localhost:16686) to analyze request traces.
-
-For more information on Jaeger, please refer to their [Documentation](https://www.jaegertracing.io/docs/1.17/).
diff --git a/docs/ocis/development/unit-testing/_index.md b/docs/ocis/development/unit-testing/_index.md
deleted file mode 100644
index 48d7215b50..0000000000
--- a/docs/ocis/development/unit-testing/_index.md
+++ /dev/null
@@ -1,87 +0,0 @@
----
-title: "Unit Testing"
-date: 2024-04-25T00:00:00+00:00
-weight: 20
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/ocis/development/unit-testing
-geekdocFilePath: _index.md
----
-
-{{< toc >}}
-
-Go is a statically typed language, which makes it easy to write unit tests. The Go standard library provides a `testing` package that allows you to write tests for your code. The testing package provides a framework for writing tests, and the `go test` command runs the tests. Other than that there are a lot of libraries and tools available to make testing easier.
-
-- [Testify](https://github.com/stretchr/testify) - A toolkit with common assertions and mocks that plays nicely with the standard library.
-- [Ginkgo](https://onsi.github.io/ginkgo/) - A BDD-style testing framework for Go.
-- [Gomega](https://onsi.github.io/gomega/) - A matcher/assertion library for Ginkgo.
-- [GoDog](https://github.com/cucumber/godog) - A Behavior-Driven Development framework for Go which uses Gherkin.
-
-In oCIS we generally use [Ginkgo](https://onsi.github.io/ginkgo/) framework for testing. To keep things consistent, we would encourage you to use the same. In some cases, where you feel the need for a more verbose or more "code oriented" approach, you can also use the testing package from the standard library without ginkgo.
-
-## 1 Ginkgo
-
-Using a framework like [Ginkgo](https://onsi.github.io/ginkgo/) brings many advantages.
-
-### Pros
-
-- Provides a BDD-style syntax which makes it easier to write reusable and understandable tests
-- Together with [Gomega](https://onsi.github.io/gomega/) it provides a powerful and expressive framework with assertions in a natural language
-- Natural Language Format empowers testing in a way that resembles user interactions with the system
-- In the context of microservices it is particularly well suited to test individual services and the interactions between them
-- Offers support for asynchronous testing which makes it easier to test code that involves concurrency
-- Nested and structured containers and setup capabilities make it easy to organize tests and adhere to the DRY principle
-- Provides helpful error messages to identify and fix issues
-- Very usable for Test Driven Development following the ["Red, Green, Cleanup, Repeat"](https://en.wikipedia.org/wiki/Test-driven_development) workflow.
-
-### Cons
-
-- Sometimes it can be difficult to get started with
-- Asynchronous behaviour brings more complexity to tests.
-- Not compatible with broadly known `testify` package
-
-### Example
-
-As you can see, **Ginkgo** and **Gomega** together provide the foundation to write understandable and maintainable tests which can mimic user interaction and the interactions between microservices.
-
-```go
-Describe("Public Share Provider", func() {
- Context("When the user has no share permission", func() {
- BeforeEach(func() {
- // downgrade user permissions to have no share permission
- resourcePermissions.AddGrant = false
- })
- It("should return grpc invalid argument", func() {
- req := &link.CreatePublicShareRequest{}
-
- res, err := provider.CreatePublicShare(ctx, req)
- Expect(err).ToNot(HaveOccurred())
- Expect(res.GetStatus().GetCode()).To(Equal(rpc.Code_CODE_INVALID_ARGUMENT))
- Expect(res.GetStatus().GetMessage()).To(Equal("no share permission"))
- })
-})
-```
-
-### How to use it in oCIS
-
-{{< button relref="testing-ginkgo" size="large" >}}{{< icon "gdoc_arrow_right_alt" >}} Read more{{< /button >}}
-
-## 2 Testing Package
-
-For smaller straight-forward tests of some packages it might feel more natural to use the testing package that comes with the go standard library.
-
-### Pros
-
-- Straightforward approach
-- Naming conventions
-- Built-in tooling
-
-### Cons
-
-- Difficult to reuse code in larger and more complex packages
-- Difficult to create clean and isolated setups for the test steps
-- No natural language resemblance
-
-
-### How to use it in ocis
-
-{{< button relref="testing-pkg" size="large" >}}{{< icon "gdoc_arrow_right_alt" >}} Read more{{< /button >}}
diff --git a/docs/ocis/development/unit-testing/testing-ginkgo.md b/docs/ocis/development/unit-testing/testing-ginkgo.md
deleted file mode 100644
index 2d5455394f..0000000000
--- a/docs/ocis/development/unit-testing/testing-ginkgo.md
+++ /dev/null
@@ -1,395 +0,0 @@ ---- -title: "Testing with Ginkgo" -date: 2024-04-25T00:00:00+00:00 -weight: 10 -geekdocRepo: https://github.com/owncloud/ocis -geekdocEditPath: edit/master/docs/ocis/development/unit-testing -geekdocFilePath: testing-ginkgo.md - ---- - -{{< toc >}} - -In this section we try to enable developers to write tests in oCIS using Ginkgo and Gomega and explain how to mock other microservices to also cover some integration tests. The full documentation of the tools can be found on the [Ginkgo](https://onsi.github.io/ginkgo/) and [Gomega](https://onsi.github.io/gomega/) websites. - -{{% hint type=tip icon=gdoc_link title="Reading the documentation" %}} -This page provides only a basic introduction to get started with Ginkgo and Gomega. For more detailed information, please refer to the official documentation. - -**Useful Links:** - -- [Ginkgo](https://onsi.github.io/ginkgo/) -- [Gomega](https://onsi.github.io/gomega/) -- [Mockery](https://vektra.github.io/mockery/latest/) - -{{% /hint %}} - -## Prerequisites - -To use Ginkgo, you need to install the Ginkgo CLI. You can install it using the following command: - -```bash -go install github.com/onsi/ginkgo/v2/ginkgo -go get github.com/onsi/gomega/... -``` - -## Getting Started - -Navigate to the directory where you want to write your tests and run the following command: - -### Bootstrap - -```bash -cd ocis/ocis-pkg/config/parser -ginkgo bootstrap -Generating ginkgo test suite bootstrap for parser in: - parser_suite_test.go - -``` - -This command creates a `parser_suite_test.go` file in the parser directory. This file contains the test suite for the parser package. - -```go -package parser_test - -import ( - "testing" - - . "github.com/onsi/ginkgo/v2" - . 
"github.com/onsi/gomega" -) - -func TestParser(t *testing.T) { - RegisterFailHandler(Fail) - RunSpecs(t, "Parser Suite") -} -``` - -Ginkgo defaults to setting up the suite as a `*_test` package to encourage you to only test the external behavior of your package, not its internal implementation details. - -After the package `parser_test` declaration we import the ginkgo and gomega packages into the test's top-level namespace by performing a `.` dot-import. Since Ginkgo and Gomega are DSLs (Domain-specific Languages) this makes the tests more natural to read. If you prefer, you can avoid the dot-import via `ginkgo bootstrap --nodot`. Throughout this documentation we'll assume dot-imports. - -With the bootstrap complete, you can now run your tests using the `ginkgo` command: - -```bash -ginkgo - -Running Suite: Parser Suite - /ocis/ocis-pkg/config/parser -=============================================================================================== -Random Seed: 1714076559 - -Will run 0 of 0 specs - -Ran 0 of 0 Specs in 0.000 seconds -SUCCESS! -- 0 Passed | 0 Failed | 0 Pending | 0 Skipped -PASS - -Ginkgo ran 1 suite in 7.0058606s -Test Suite Passed -``` - -Under the hood, ginkgo is simply calling `go test`. While you can run `go test` instead of the ginkgo CLI, Ginkgo has several capabilities that can only be accessed via `ginkgo`. We generally recommend users embrace the ginkgo CLI and treat it as a first-class member of their testing toolchain. - -### Adding Specs to the Suite - -```bash -ginkgo generate parser -Generating ginkgo test for Parser in:  ✔  7s  22:22:46  - parser_test.go -``` - -This will generate a `parser_test.go` file in the parser directory. This file contains the test suite for the parser package. - -```go -package parser_test - -import ( - . "github.com/onsi/ginkgo/v2" - . 
"github.com/onsi/gomega" - - "github.com/owncloud/ocis/v2/ocis-pkg/config/parser" -) - -var _ = Describe("Parser", func() { - -}) -``` - -## Writing Specs - -### Describe - -The `Describe` block is used to describe the behavior of a particular component of your code. It is a way to group together related specs. The `Describe` block takes a string and a function. The string is a description of the component you are describing, and the function contains the specs that describe the behavior of that component. - -```go -var _ = Describe("Parser", func() { - // Specs go here -}) -``` - -### Context - -The `Context` block is used to further describe the behavior of a component. It is a way to group together related specs within a `Describe` block. The `Context` block takes a string and a function. The string is a description of the context you are describing, and the function contains the specs that describe the behavior of that context. - -```go -var _ = Describe("Parser", func() { - Context("when the input is valid", func() { - // Specs go here - }) -}) -``` - -### It - -The `It` block is used to describe a single spec. It takes a string and a function. The string is a description of the behavior you are specifying, and the function contains the code that exercises that behavior. - -```go -var _ = Describe("Parser", func() { - Context("when the input is valid", func() { - It("parses the input", func() { - // Spec code goes here - }) - }) -}) -``` - -### Expect - -The `Expect` function is used to make assertions in your specs. It takes a value and returns an `*Expectation`. You can then chain methods on the `*Expectation` to make assertions about the value. 
- -```go -var _ = Describe("Parser", func() { - Context("when the input is valid", func() { - It("parses the input", func() { - result := parser.Parse("valid input") - Expect(result).To(Equal("expected output")) - }) - }) -}) -``` - -### BeforeEach - -The `BeforeEach` block is used to run a setup function before each spec in a `Describe` or `Context` block. It takes a function that contains the setup code. - -```go -package parser_test - -import ( - . "github.com/onsi/ginkgo/v2" - . "github.com/onsi/gomega" - "github.com/owncloud/ocis/v2/ocis-pkg/config" - - p "github.com/owncloud/ocis/v2/ocis-pkg/config/parser" -) - -var _ = Describe("Parser", func() { - var c *config.Config - - BeforeEach(func() { - c = config.DefaultConfig() - }) - - Context("when the input is valid", func() { - It("parses the input", func() { - err := p.ParseConfig(c, false) - Expect(err).ToNot(HaveOccurred()) - Expect(c.Commons.OcisURL).To(Equal("https://localhost:9200")) - }) - }) -}) -``` - -Let us take a closer look at the code above: - -We are following the recommended practise on variables to **"declare in container nodes"** and **"initialize in setup nodes"**. This is why we are declaring the `c` variable at the top of the `Describe` block and initializing it in the `BeforeEach` block. This is important to get isolated test steps which can be run in any order and even in parallel. - -Let us take a look at a bad example where we are polluting the spec by not following this recommended practise: - -```go -package parser_test - -import ( - . "github.com/onsi/ginkgo/v2" - . "github.com/onsi/gomega" - "github.com/owncloud/ocis/v2/ocis-pkg/config" - - p "github.com/owncloud/ocis/v2/ocis-pkg/config/parser" -) - - -var _ = Describe("Parser", func() { - c := config.DefaultConfig() - - Context("when the defaults are applied", func() { - It("fails to parse the input", func() { - c.TokenManager.JWTSecret = "" // bam! 
we have changed the closure variable and it will never be reset - err := p.ParseConfig(c, false) - Expect(err).To(HaveOccurred()) - }) - It("parses the input", func() { - err := p.ParseConfig(c, false) - Expect(err).ToNot(HaveOccurred()) - Expect(c.Commons.OcisURL).To(Equal("https://localhost:9200")) - }) - }) -}) -``` - -{{% hint type="warning" title="Specs MUST be clean and independent"%}} -Always **declare variables in the container node**(which are basically `Describe()` and `Context()`) - -and **initialize your variables in the setup nodes.** (which are basically `BeforeEach()` and `JustBeforeEach()`). - -This will ensure that your specs are clean and independent of each other. -{{% /hint %}} - -### Focused Specs - -You can focus on a single spec by adding an `F` in front of the `It` block. This will run only the focused spec. - -```go -var _ = Describe("Parser", func() { - Context("when the input is valid", func() { - FIt("parses the input", func() { - result := parser.Parse("valid input") - Expect(result).To(Equal("expected output")) - }) - }) -}) -``` - -### Pending Specs - -You can mark a spec as pending by adding a `P` in front of the `It` block. This will skip the spec. - -```go -var _ = Describe("Parser", func() { - Context("when the input is valid", func() { - PIt("parses the input", func() { - result := parser.Parse("valid input") - Expect(result).To(Equal("expected output")) - }) - }) -}) -``` - -### Test Driven Development - -You can run the tests in watch mode to follow a test-driven development approach. This will run the tests every time you save a file. - -```bash -ginkgo watch -``` - -## Mocking - -In oCIS, we use the `mockery` tool to generate mocks for interfaces. [Mockery](https://vektra.github.io/mockery/latest/) is a simple tool that generates mock implementations of Go interfaces. It is useful for writing tests against interfaces instead of concrete types. 
We can use it to mock requests to other microservices to cover some integration tests. We should already have a number of mocks in the project. The mocks are configured on the packages level in the `.mockery.yaml` files. - -**Example file:** - -```yaml -with-expecter: true -filename: "{{.InterfaceName | snakecase }}.go" -dir: "{{.PackageName}}/mocks" -mockname: "{{.InterfaceName}}" -outpkg: "mocks" -packages: - github.com/owncloud/ocis/v2/ocis-pkg/oidc: - interfaces: - OIDCClient: -``` - -We should add missing mocks to this file and define the interfaces we want to mock. After that, we can generate the mocks by running `mockery` in the repo, it will find all the `.mockery.yaml` files and generate the mocks for the interfaces defined in them. - -Our mocks are generated with the setting `with-expecter: true`. This allows us to use type-safe methods to generate the call expectations by simply calling `EXPECT()` on the mock object. - -{{% hint type="tip" title="Type safe mock identifiers" %}} -By using `EXPECT()` on the mock object, we can work with type-safe methods to generate the call expectations. -{{% /hint %}} - -**Example of a mocked gateway client** - -In our oCIS services we need to use a gateway pool selector to get the gateway client. - -We should always use the constructor on a new mock like `gatewayClient = cs3mocks.NewGatewayAPIClient(GinkgoT())`. This brings us two advantages: - -- The `AssertExpectations` method is registered to be called at the end of the tests via `t.Cleanup()` method. -- The `testing.TB` interface is registered on the `mock.Mock` so that tests don't panic when a call on the mock is unexpected. - -```go -package publicshareprovider_test - -import ( - "context" - "time" - - - "github.com/opencloud-eu/reva/v2/pkg/rgrpc/todo/pool" - cs3mocks "github.com/opencloud-eu/reva/v2/tests/cs3mocks/mocks" - . "github.com/onsi/ginkgo/v2" - . 
"github.com/onsi/gomega" - "google.golang.org/grpc" -) - -var _ = Describe("PublicShareProvider", func() { - // declare in container nodes - var ( - gatewayClient *cs3mocks.GatewayAPIClient - gatewaySelector pool.Selector - ) - - BeforeEach(func() { - // initialize in setup nodes - pool.RemoveSelector("GatewaySelector" + "any") - // create a new mock client - gatewayClient = cs3mocks.NewGatewayAPIClient(GinkgoT()) - gatewaySelector = pool.GetSelector[gateway.GatewayAPIClient]( - "GatewaySelector", - "any", - func(cc *grpc.ClientConn) gateway.GatewayAPIClient { - return gatewayClient - }, - ) - }) - Context("The user has the permission to create public shares", func() { - BeforeEeach(func() { - // set up the mock - // this is implicitly creating the expectation that it will be called Once() - // this will throw an error if the method is not called - gatewayClient. - EXPECT(). - CheckPermission( - mock.Anything, - mock.Anything, - ). - Return(checkPermissionResponse, nil) - }) - It("should return a public share", func() { - // call the method - req := &link.CreatePublicShareRequest{ - ResourceInfo: &providerpb.ResourceInfo{ - Owner: &userpb.UserId{ - OpaqueId: "alice", - }, - Path: "./NewFolder/file.txt", - }, - Grant: &link.Grant{ - Permissions: &link.PublicSharePermissions{ - Permissions: linkPermissions, - }, - Password: "SecretPassw0rd!", - }, - Description: "test", - } - res, err := provider.CreatePublicShare(ctx, req) - Expect(err).ToNot(HaveOccurred()) - Expect(res.GetStatus().GetCode()).To(Equal(rpc.Code_CODE_OK)) - Expect(res.GetShare()).To(Equal(createdLink)) - }) - }) -}) -``` - -{{% hint type="tip" title="Mocking in oCIS" %}} -Use the constructor on new mocks to register the `AssertExpectations` method to be called at the end of the tests via the `t.Cleanup()` method. -{{% /hint %}} diff --git a/docs/ocis/development/unit-testing/testing-pkg.md b/docs/ocis/development/unit-testing/testing-pkg.md deleted file mode 100644 index 81ce85905e..0000000000 
--- a/docs/ocis/development/unit-testing/testing-pkg.md
+++ /dev/null
@@ -1,113 +0,0 @@
----
-title: "Standard Library Testing"
-date: 2024-04-25T00:00:00+00:00
-weight: 10
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/ocis/development/unit-testing
-geekdocFilePath: testing-pkg.md
-
----
-
-## Using the standard library
-
-To write a unit test for your package, create a file with the `_test.go` suffix. For example, if you have a package `foo` with a file `foo.go`, you can create a file `foo_test.go` in the same directory. The test file should have the same package name as the package being tested. By doing this, you can access all exported and unexported identifiers of the package. It is a good practice to keep the test file in the same package as the code being tested.
-
-### Simple Example
-
-We are using an oversimplified example from [FooBarQuix](https://codingdojo.org/kata/FooBarQix/) to demonstrate how to use the `testing` package.
-
-```go
-package divide
-
-import "strconv"
-
-// If the number is divisible by 3, write "Yes" otherwise, the number
-func IsDivisible(input int) string {
- if (input % 3) == 0 {
- return "Yes"
- }
- return strconv.Itoa(input)
-}
-```
-
-To test the `IsDivisible` function, create a file `divide_test.go` in the same directory as `divide.go`. The test file should have the same package name as the package being tested.
-
-A test function in Go starts with `Test` and takes `*testing.T` as the only parameter. In most cases, you will name the unit test `Test[NameOfFunction]`. The testing package provides tools to interact with the test workflow, such as `t.Errorf`, which indicates that the test failed by displaying an error message on the console.
-
-The test function for the `IsDivisible` function could look like this
-
-```go
-package divide
-
-import "testing"
-
-func TestDivide3(t *testing.T) {
- result := IsDivisible(3)
- if result != "Yes" {
- t.Errorf("Result was incorrect, got: %s, want: %s.", result, "Yes")
- }
-}
-```
-
-To run the test, use the `go test` command in the directory where the test file is located.
-
-### Use a helper package for assertions
-
-You could make the test more readable by using testify. The `assert` package provides a lot of helper functions to make the test more readable.
-
-```go
-package divide
-
-import (
- "testing"
- "github.com/stretchr/testify/assert"
-)
-
-func TestDivide3(t *testing.T) {
- result := IsDivisible(3)
- assert.Equal(t, "Yes", result)
-}
-```
-
-### Table Driven Example
-
-Write Table Driven Tests to test multiple inputs.
-
-```go
-package divide
-
-import (
- "testing"
- "github.com/stretchr/testify/assert"
-)
-
-
-func TestIsDivisibleTableDriven(t *testing.T) {
- // Defining the columns of the table
- var tests = []struct {
- name string
- input int
- want string
- }{
- // the table itself
- {"9 should be Yes", 9, "Yes"},
- {"3 should be Yes", 3, "Yes"},
- {"1 is not Yes", 1, "1"},
- {"0 should be Yes", 0, "Yes"},
- }
-
- // The execution loop
- for _, tt := range tests {
- t.Run(tt.name, func(t *testing.T) {
- answer := IsDivisible(tt.input)
- assert.Equal(t, tt.want, answer)
- })
- }
-}
-```
-
-A table-driven test starts by defining the input structure. This can be seen like defining the columns of the table. Each row of the table lists a test case to execute. Once the table is defined, the execution loop can be created.
-
-The execution loop calls `t.Run()`, which defines a subtest. In our example each row of the table defines a subtest named `[NameOfTheFuction]/[NameOfTheSubTest]`.
-
-This way of writing tests is very popular, and considered the canonical way to write unit tests in Go.
diff --git a/docs/ocis/flow-docs/_index.md b/docs/ocis/flow-docs/_index.md
deleted file mode 100644
index f7033802e7..0000000000
--- a/docs/ocis/flow-docs/_index.md
+++ /dev/null
@@ -1,9 +0,0 @@
----
-title: "Flow documentation"
-date: 2020-10-01T20:35:00+01:00
-weight: 30
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/ocis/flow-docs
-geekdocFilePath: _index.md
-geekdocCollapseSection: true
----
diff --git a/docs/ocis/flow-docs/login-flow.md b/docs/ocis/flow-docs/login-flow.md
deleted file mode 100644
index 68143b3328..0000000000
--- a/docs/ocis/flow-docs/login-flow.md
+++ /dev/null
@@ -1,60 +0,0 @@ ---- -title: "Login Flow" -date: 2020-05-04T20:47:00+01:00 -weight: 43 -geekdocRepo: https://github.com/owncloud/ocis -geekdocEditPath: edit/master/docs/ocis/flow-docs -geekdocFilePath: login-flow.md ---- - - -## Login Flow - -The following sequence diagram describes the [openid connect auth code flow](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth). The eight numbered steps and notes correspond to the [openid connect auth code flow steps](https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowSteps). Example requests are based on the spec as well: - -{{< mermaid class="text-center">}} -sequenceDiagram - %% we have comments!! \o/ - %% this documents the login workflow - %% examples taken from the oidc spec https://openid.net/specs/openid-connect-core-1_0.html#CodeFlowAuth - %% TODO add PKCE, see https://developer.okta.com/blog/2019/08/22/okta-authjs-pkce#use-pkce-to-make-your-apps-more-secure - participant user as User - participant client as Client - participant proxy as ocis-proxy - participant idp as IdP - participant idm as LibreIDM - participant ldap as External User Directory - - user->>+client: What is the content of my home? - client->>+proxy: PROPFIND no (or expired) auth - Note over client,proxy: ocis needs to know the IdP that is used to authenticate users. The proxy will redirect unauthenticated requests to that IdP. - proxy-->>-client: 401 Unauthorized - client->>+proxy: 1. The client starts a new openIDConnect Flow - Note over client, proxy: GET /.well-known/openid-configuration - proxy-->>-client: Return openidConnect configuration for the IdP - client-->>client: 2. Client prepares an Authentication Request containing the desired request parameters and generates the code challenge (PKCE). - client->>+idp: 3. Client sends the request and the code challenge to the Authorization Server. - Note over client, idp: GET /authorize? 
flow=oidc&response_type=code &scope=openid%20profile%20email &code_challenge=Y2SGoq9vtAp7YAavTaO0B550H_Rsj9DypiL7xZuFjOE &code_challenge_method=S25&client_id=s6BhdRkqt3 &state=af0ifjsldkj &redirect_uri=https%3A%2F%2Fclient.example.org%2Fcb HTTP/1.1 Host: server.example.com - Note over user, idp: 3. Authorization Server Authenticates the End-User. - alt all users managed by idp/ocis idm - idp->>+idm: LDAP query/bind - idm-->>-idp: LDAP result - Note over idp,ldap: In case users are managed in an external ldap they have to be autoprovisioned in the ocis IdM when they are loggin in. - else all users authenticated by an external idp - idp->>+ldap: Lookup of the user in the directory - ldap-->>-idp: Lookup result - end - idp-->>-user: Idp presents the user an authentication prompt. - user->>+idp: 5. User authenticates and gives consent. - idp-->>-client: 6. Authorization Server sends the End-User back to the Client with an Authorization Code. - Note over client, idp: HTTP/1.1 302 Found Location: https://client.example.org/cb? code=SplxlOBeZQQYbYS6WxSbIA&state=af0ifjsldkj - client->>+idp: 7. Client requests a response using the Authorization Code and the code verifier at the Token Endpoint. - Note over client, idp: POST /token HTTP/1.1 Host: server.example.com Content-Type: application/x-www-form-urlencoded grant_type=authorization_code&code=SplxlOBeZQQYbYS6WxSbIA &redirect_uri=https%3A%2F%2Fclient.example.org &code_verifier=a98ccbe253754259963e6e2b67b5a044929446d7a15046cc8e3194022ad061d9d667dce91876418d9e6fe9f54819332e - idp->>+idp: 8. IdP checks the code verifier (PKCE) - idp-->>-client: 9. Client receives a response that contains an ID Token and Access Token in the response body. If offline access is requested, the client also receives a refresh token. 
- Note over client, idp: HTTP/1.1 200 OK Content-Type: application/json Cache-Control: no-store Pragma: no-cache { "access_token": "SlAV32hkKG", "token_type": "Bearer", "refresh_token": "8xLOxBtZp8", "expires_in": 3600, "id_token": "a ... b.c ... d.e ... f" // must be a JWT }
- client-->>client: 10. Client validates the ID token and retrieves the End-User's Subject Identifier.
- client->>+proxy: PROPFIND With access token
- proxy-->>-client: 207 Multi-Status
- client-->>-user: List of Files X, Y, Z ...
-{{< /mermaid >}}
diff --git a/docs/ocis/flow-docs/public-upload-flow.md b/docs/ocis/flow-docs/public-upload-flow.md
deleted file mode 100644
index ae9a5d025a..0000000000
--- a/docs/ocis/flow-docs/public-upload-flow.md
+++ /dev/null
@@ -1,15 +0,0 @@
----
-title: "Public upload Flow"
-date: 2020-07-27T14:16:00+01:00
-weight: 47
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/ocis/flow-docs
-geekdocFilePath: public-upload-flow.md
----
-
-
-## Public Upload flow
-
-The following diagram describes the flow of requests:
-
-{{< figure src="/ocis/static/tus-public-upload.svg" >}}
diff --git a/docs/ocis/flow-docs/request-flow.md b/docs/ocis/flow-docs/request-flow.md
deleted file mode 100644
index 02e3e78163..0000000000
--- a/docs/ocis/flow-docs/request-flow.md
+++ /dev/null
@@ -1,96 +0,0 @@ ---- -title: "Request Flow" -date: 2020-04-27T16:07:00+01:00 -weight: 45 -geekdocRepo: https://github.com/owncloud/ocis -geekdocEditPath: edit/master/docs/ocis/flow-docs -geekdocFilePath: request-flow.md ---- - - -## Request Flow - -The following sequence diagram describes the general request flow. It shows where account provisioning and token minting are happening: - -{{< mermaid class="text-center">}} -sequenceDiagram - %% we have comments!! \o/ - participant user as User - participant client as Client - participant proxy as ocis-proxy - participant idp as IdP - participant accounts as ocis-accounts - participant ldap as corporate LDAP server - - user->>+client: What is the content of my home? - - client->>+proxy: PROPFIND Bearer auth using oidc auth token - Note over client,proxy: What is in a bearer token? The spec recommends opaque tokens. Treat it as random byte noise. - Note over client,proxy: the proxy MUST authenticate users using ocis-accounts because it needs to decide where to send the request - %% Mention introspection endpoint for opaque tokens - %% idp uses jwt, so we can save a request - %% either way the token can be used to look up the sub and iss of the user - - %% or is token check enough? 
- proxy->>+idp: GET /userinfo - alt userinfo succeeds - - idp-->>proxy: 200 OK - Note over proxy,accounts: Content-Type: application/json{"sub": "248289761001","name": "Jane Doe","given_name": "Jane","family_name": "Doe","preferred_username": "j.doe","email": "janedoe@example.com","picture": "http://example.com/janedoe/me.jpg"} - %% see: https://openid.net/specs/openid-connect-core-1_0.html#UserInfoResponse - - else userinfo fails - - idp-->>-proxy: 401 Unauthorized - Note over proxy,accounts: WWW-Authenticate: error="invalid_token",error_description="The Access Token expired" - - proxy-->>client: 401 Unauthorized or 302 Found with redirect to idp - Note over client: start at login flow or refresh the token - - end - - proxy->>+accounts: TODO API call to exchange sub@iss with account UUID - Note over proxy,accounts: does not autoprovision users. They are explicitly provisioned later. - - alt account exists or has been migrated - - accounts-->>proxy: existing account UUID - else account does not exist - - opt oc10 endpoint is configured - Note over proxy,oc10: Check if user exists in oc10 - proxy->>+oc10: GET /apps/graphapi/v1.0/users/<uuid> - opt user exists in oc10 - oc10-->>-proxy: 200 - %% TODO auth using internal token - proxy->>+oc10: PROPFIND - Note over proxy,oc10: forward existing bearer auth - oc10-->>-proxy: Multistatus response - proxy-->>client: Multistatus response - client-->>user: List of Files X, Y, Z ... 
- end - end - - Note over proxy,accounts: provision a new account including displayname, email and sub@iss TODO only if the user is allowed to login, based on group membership in the ldap server - proxy->>proxy: generate new uuid - proxy->>+accounts: TODO create account with new generated uuid - accounts-->>-proxy: OK / error - - else account has been disabled - - accounts-->>-proxy: account is disabled - proxy-->>client: 401 Unauthorized or 302 Found with redirect to idp - Note over client: start at login flow or refresh the token - - end - proxy->>proxy: store uuid in context - - %% what if oc10 does not support a certain request / API - - proxy->>proxy: mint an internal jwt that includes the UUID and username using revas `x-access-token` header - proxy->>+reva: PROPFIND Token auth using internal JWT - reva-->>-proxy: Multistatus response - proxy-->>-client: Multistatus response - - client-->>-user: List of Files X, Y, Z ... -{{< /mermaid >}} diff --git a/docs/ocis/getting-started/_index.md b/docs/ocis/getting-started/_index.md deleted file mode 100644 index 4a86e675e7..0000000000 --- a/docs/ocis/getting-started/_index.md +++ /dev/null 
@@ -1,132 +0,0 @@
----
-title: "Getting Started"
-date: 2020-02-27T20:35:00+01:00
-weight: 0
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/ocis/getting-started
-geekdocFilePath: _index.md
-geekdocCollapseSection: true
----
-
-{{< toc >}}
-
-## oCIS online demo
-
-We have an oCIS demo instance running on [ocis.owncloud.com](https://ocis.owncloud.com) where you can get a first impression of it.
-
-We also have some more variations of oCIS running and [continuously deployed]({{< ref "../deployment/continuous_deployment" >}}) to reflect different scenarios in that oCIS might be used.
-
-## Run oCIS
-
-We are distributing oCIS as binaries and Docker images.
-
-{{< hint warning >}}
-The examples in this document assume that oCIS is accessed from the same host as it is running on (`localhost`). If you would like
-to access oCIS remotely please refer to the [Basic Remote Setup]({{< ref "../deployment/basic-remote-setup" >}}) section. Especially
-to the notes about setting the `PROXY_HTTP_ADDR` and `OC_URL` environment variables.
-{{< /hint >}}
-
-You can find more deployment examples in the [deployment section]({{< ref "../deployment" >}}).
-
-### Binaries
-
-You can find the latest official release of oCIS at [our download mirror](https://download.owncloud.com/ocis/ocis/stable/) or on [GitHub](https://github.com/owncloud/ocis/releases).
-The latest build from the master branch can be found at [our download mirrors daily section](https://download.owncloud.com/ocis/ocis/daily/). Pre-Releases are available at [our download mirrors testing section](https://download.owncloud.com/ocis/ocis/testing/).
-
-To run oCIS as binary you need to download it first and then run the following commands.
-For this example, assuming version 2.0.0-beta.5 of oCIS running on a Linux AMD64 host:
-
-```console
-# download
-curl https://download.owncloud.com/ocis/ocis/testing/2.0.0-beta.5/ocis-2.0.0-beta.5-linux-amd64 --output ocis
-
-# make binary executable
-chmod +x ocis
-
-# initialize a minimal oCIS configuration
-./ocis init
-
-# run with demo users
-IDM_CREATE_DEMO_USERS=true ./ocis server
-```
-
-The default primary storage location is `~/.ocis` or `/var/lib/ocis` depending on the packaging format and your operating system user. You can change that value by configuration.
-
-{{< hint info >}}
-When you're using oCIS with self-signed certificates, you need to answer the question for certificate checking with "yes" or set the environment variable `OC_INSECURE=true`, in order to make oCIS work.
-{{< /hint >}}
-
-{{< hint warning >}}
-oCIS by default relies on Multicast DNS (mDNS), usually via avahi-daemon. If your system has a firewall, make sure mDNS is allowed in your active zone.
-{{< /hint >}}
-
-{{< hint warning >}}
-
-#### Open Files on macOS
-
-The start command `./ocis server` starts a runtime which runs all oCIS services in one process. On MacOS we have very low limits for open files. oCIS needs more than the default 256. Please raise the limit to 1024 by typing `ulimit -n 1024` within the same cli session where you start ocis from.
-{{< /hint >}}
-
-### Docker
-
-Docker images for oCIS are available on [Docker Hub](https://hub.docker.com/r/owncloud/ocis).
-
-The `latest` tag always reflects the current master branch.
-
-```console
-docker pull owncloud/ocis
-docker run --rm -it -v ocis-config:/etc/ocis owncloud/ocis init
-docker run --rm -p 9200:9200 -v ocis-config:/etc/ocis -v ocis-data:/var/lib/ocis -e IDM_CREATE_DEMO_USERS=true owncloud/ocis
-```
-
-{{< hint info >}}
-When you're using oCIS with self-signed certificates, you need to set the environment variable `OC_INSECURE=true`, in order to make oCIS work.
-{{< /hint >}}
-
-{{< hint warming >}}
-When you're creating the [demo users]({{< ref "./demo-users" >}}) by setting `IDM_CREATE_DEMO_USERS=true`, you need to be sure that this instance is not used in production because the passwords are public.
-{{< /hint >}}
-
-{{< hint warning >}}
-We are using named volumes for the oCIS configuration and oCIS data in the above example (`-v ocis-config:/etc/ocis -v ocis-data:/var/lib/ocis`). You could instead also use host bind-mounts instead, eg. `-v /some/host/dir:/var/lib/ocis`.
-
-You cannot use bind mounts on MacOS, since extended attributes are not supported ([owncloud/ocis#182](https://github.com/owncloud/ocis/issues/182), [moby/moby#1070](https://github.com/moby/moby/issues/1070)).
-{{< /hint >}}
-
-## Usage
-
-### Login to ownCloud Web
-
-Open [https://localhost:9200](https://localhost:9200) and [login using one of the demo accounts]({{< ref "./demo-users" >}}).
-
-### Basic Management Commands
-
-The oCIS single binary contains multiple extensions and the `ocis` command helps you to manage them. You already used `ocis server` to run all available extensions in the [Run oCIS]({{< ref "#run-ocis" >}}) section. We now will show you some more management commands, which you may also explore by typing `ocis --help` or going to the [docs]({{< ref "../config" >}}).
-
-To initialize the oCIS configuration:
-
-{{< highlight txt >}}
-ocis init
-{{< / highlight >}}
-
-To start oCIS server:
-
-{{< highlight txt >}}
-ocis server
-{{< / highlight >}}
-
-The list command prints all running oCIS services.
-{{< highlight txt >}}
-ocis list
-{{< / highlight >}}
-
-The version command prints the version of your installed oCIS.
-{{< highlight txt >}}
-ocis --version
-{{< / highlight >}}
-
-The health command is used to execute a health check, if the exit code equals zero the service should be up and running, if the exit code is greater than zero the service is not in a healthy state. Generally this command is used within our Docker containers, it could also be used within Kubernetes.
-
-{{< highlight txt >}}
-ocis health --help
-{{< / highlight >}}
diff --git a/docs/ocis/getting-started/demo-users.md b/docs/ocis/getting-started/demo-users.md
deleted file mode 100644
index 89edea3c99..0000000000
--- a/docs/ocis/getting-started/demo-users.md
+++ /dev/null
@@ -1,28 +0,0 @@
----
-title: "Demo Users"
-date: 2020-02-27T20:35:00+01:00
-weight: 0
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/ocis/getting-started
-geekdocFilePath: demo-users.md
----
-
-oCIS has the option to create demo users during the first startup. These enable you to do quick testing and developing.
-
-{{< hint info >}}
-To create the demo users, run the initial setup step with an additional environment variable.
-`IDM_CREATE_DEMO_USERS=true ./bin/ocis server` will generate the demo users listed in the table below. By default, it only generates the admin and one user for IDP and Reva respectively.
-{{< /hint >}}
-
-Following users are available in the demo set:
-
-| username | password | email | role | groups |
-| --------- | ----------------------------------------- | --------------------- | ----------- | ----------------------------------------------------------------------- |
-| admin | admin or the one generated by `ocis init` | admin@example.org | admin | users |
-| einstein | relativity | einstein@example.org | user | users, philosophy-haters, physics-lovers, sailing-lovers, violin-haters |
-| marie | radioactivity | marie@example.org | user | users, physics-lovers, polonium-lovers, radium-lovers |
-| moss | vista | moss@example.org | space admin | users |
-| richard | superfluidity | richard@example.org | user | users, philosophy-haters, physics-lovers, quantum-lovers |
-| katherine | gemini | katherine@example.org | space admin | users, sailing-lovers, physics-lovers, quantum-lovers |
-
-You may also want to run oCIS with only your custom users by [deleting the demo users]({{< ref "../deployment#delete-demo-users" >}}).
diff --git a/docs/ocis/guides/_index.md b/docs/ocis/guides/_index.md
deleted file mode 100644
index ae989fa82a..0000000000
--- a/docs/ocis/guides/_index.md
+++ /dev/null
@@ -1,22 +0,0 @@
----
-title: "Guides"
-date: 2022-06-14T16:00:00+02:00
-weight: 8
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/ocis/guides
-geekdocFilePath: _index.md
-geekdocCollapseSection: true
----
-
-{{< toc >}}
-
-## Step-by-step Guides
-
-These guides should extend the generic documentation and help admins to learn Infinite Scale through digestable "hands-on" sessions.
-
-### Available Guides
-
-oCIS deployments are super simple, yet there are many configurations possible for advanced setups.
-
-- {{< icon "docker" >}} [Discover oCIS with Docker]({{< ref "ocis-local-docker" >}}) - configure domain, certificates and port
-- {{< icon "person-walking-luggage" >}} [Migrate data to Infinite Scale]({{< ref "migrate-data-rclone" >}})
diff --git a/docs/ocis/guides/migrate-data-rclone.md b/docs/ocis/guides/migrate-data-rclone.md
deleted file mode 100644
index 7f1a14be51..0000000000
--- a/docs/ocis/guides/migrate-data-rclone.md
+++ /dev/null
@@ -1,103 +0,0 @@
-
----
-title: "Migrate Data using rclone"
-date: 2020-06-12T14:35:00+01:00
-weight: 8
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/ocis/guides
-geekdocFilePath: migrate-data-rclone.md
-geekdocCollapseSection: true
----
-
-People keep asking on how to migrate data from other cloud storage to Infinite Scale.
-
-There are too many cloud variants and use cases out there to have a migration path for all at hand, but let's see what we can start with: There is the famous Swiss army knife for clouds called rclone available.
-
-The awesome rclone tool makes it easy to migrate data from one installation to another on a user per user base. A very good first step.
-
-This article explains by the example of Nextcloud how you would migrate your data from an running NC to Infinite Scale. A prerequisite is that you have Infinite Scale already set up and running on a different domain.
-
-{{< hint warning >}}
-Be prepared that migration can take some time. Also, check the size of your data. This example was around 1.5 GiB of data, that obviously went fast.
-
-And of course: Have a backup! Even if this method only reads from the source, you never know.
-{{< /hint >}}
-
-## Install rclone
-
-Check the [rclone website on how to install](https://rclone.org/install/) rclone.
-
-## Create Users
-
-First, decide on a user that you want to migrate. To create the user on Infinite Scale, log in as an admin user and create the desired user. Create and set groups accordingly.
-
-For the next step, you need the user credentials on both the source- and the destination cloud.
-
-## Configure rclone Remotes
-
-To be able to address the clouds in rclone, you need to configure so called _remotes_. It is nothing else than a shortcut for the combination of
-- which kind of cloud are you talking to
-- the URL
-- the username
-- the password, if one is set
-
-You need to add a configuration for both the source cloud (Nextcloud) and the target (Infinite Scale). As both talk WebDAV, the [rclone manual page](https://rclone.org/webdav/) is accurate to follow.
-
-For both, use an URL in the form of `https://my.host.de/remote.php/webdav`.
-
-Once that is finished, the command `rclone config show` should give output similar to this:
-
-```bash
-[:~/] ± rclone config show
-
-[NCoC]
-type = webdav
-url = https://nc.this.de/remote.php/webdav
-vendor = nextcloud
-user = wilma
-pass = zfdsaiewrafdskfjdasfxdasffdafdsafas
-
-[ocis]
-type = webdav
-url = https://infinitescale.works/remote.php/webdav
-vendor = owncloud
-user = wilma
-pass = cdsfasrefdsadaGkxTXjksfpqQFI5nQawqs
-
-```
-
-Now, for example the directories on the Nextcloud root can be checked with `rclone lsd NCoC:/`.
-
-## Copy Data
-
-To migrate the data, rclone provides the command `copy`. It transfers data from one remote to the other. Use the following command example to transfer the entire cloud data from Nextcloud to Infinite Scale:
-```
-rclone copy NCoC:/ ocis:/ --no-check-certificate -P
-```
-The --no-check-certificate can and should be skipped if your clouds have proper certificates. The `-P` however, provides you with interesting statistics about the copy progress.
-Once you are finished, this might be the result:
-```
-[:~/] $ rclone copy NCoC:/ ocis:/ --no-check-certificate -P
-Transferred: 1.228 GiB / 1.228 GiB, 100%, 10.170 MiB/s, ETA 0s
-Transferred: 411 / 411, 100%
-Elapsed time: 2m19.3s
-```
-
-Note that while testing this, occasionally the Nextcloud was returning a `404 not found` for some files. While the reason for that was not completely clear, it does not matter, because the rclone command can be repeated. It is clever enough to only copy what has changed!
-
-## Enjoy!
-
-All done! Now you have your data on Infinite Scale.
-
-Obviously this method has a few downsides, such as:
-- This migration requires a little of "quiet time" for migrating data.
-- It is a user by user method where provisioning of users has to be done manually.
-- Only data is migrated, and there is probably a data size limit in real life using this way.
-- Private- and public shares are not migrated
-- The trashbin, versions, comments and favorites are not migrated
-
-These are shortcomings but this is a good first step to start investigating. The other parts will be sorted as we move along.
-
----
-To improve this guide, you are welcome to file an issue or even send a pull request. See the [getting started guide](https://owncloud.dev/ocis/development/build-docs/) how easy it is to build the documentation.
-
diff --git a/docs/ocis/guides/ocis-and-containers.md b/docs/ocis/guides/ocis-and-containers.md
deleted file mode 100644
index 6ae7ce5d50..0000000000
--- a/docs/ocis/guides/ocis-and-containers.md
+++ /dev/null
@@ -1,44 +0,0 @@
----
-title: "oCIS and Containers"
-date: 2022-06-14T16:00:00+02:00
-weight: 5
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/ocis/guides
-geekdocFilePath: ocis-and-containers.md
-geekdocCollapseSection: true
----
-
-## Cloud Native
-
-Why do we recommend to work with containers?
-
-{{< columns >}}
-
-### {{< icon "scale-balanced" >}}   Lightweight
-
-Containers are more lightweight than VMs. It is easier to work with shared volumes and networks because they are isolated from the host system.
-<--->
-
-### {{< icon "shield-halved" >}}   Dependencies
-
-The container images have all dependencies installed and the maintainer takes care for keeping them up-to-date.
-
-<--->
-
-### {{< icon "gauge-high" >}}   Scaling
-
-In addition to that, containers help with scaling. You can run multiple instances of one container and distribute them across hosts.
-
-{{< /columns >}}
-
-## Docker compose
-
-For oCIS deployments you often need multiple services. These services need to share resources like volumes and networks. If you do not use any orchestration tool, you would end up writing bash scripts to create and update containers and volumes and connect them via networks. This is what orchestration tools like docker compose can do for you. You define a service mesh using .yaml files and the tool tries to run and maintain that. You gain more value and a version history by using a version control system. Your deployment configuration is fully written down as a spec and you will never touch any system directly and change the config manually.
-
-## Kubernetes
-
-Containers are also used in [kubernetes](https://kubernetes.io/). Kubernetes is part of a huge ecosystem and is founded on best-of-breed practises to orchestrate large scale container applications and services.
-
-## oCIS and Containers
-
-oCIS was developed as microservices. We do not scale the whole system as a monolith but we scale the individual services.
diff --git a/docs/ocis/guides/ocis-local-docker.md b/docs/ocis/guides/ocis-local-docker.md
deleted file mode 100644
index 9580873383..0000000000
--- a/docs/ocis/guides/ocis-local-docker.md
+++ /dev/null
@@ -1,319 +0,0 @@
----
-title: "Discover oCIS with Docker"
-date: 2022-06-14T16:00:00+02:00
-weight: 8
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/ocis/guides
-geekdocFilePath: ocis-local-docker.md
-geekdocCollapseSection: true
----
-
-{{< toc >}}
-
-## Prerequisites
-
-- Local docker installation (e.g. Docker for Desktop)
-- Check [oCIS and Containers]({{< ref "ocis-and-containers" >}})
-
-## Start oCIS with docker compose
-
-### Create the project
-
-Use the following skeleton as a docker-compose.yml:
-
-```bash
-mkdir simple-ocis && \
-cd simple-ocis && \
-touch docker-compose.yml
-```
-
-Copy the following file content into `docker-compose.yml` and save it.
-
-```yaml
-version: "3.7"
-
-services:
- ocis:
- image: owncloud/ocis:latest
- environment:
- # INSECURE: needed if oCIS / Traefik is using self generated certificates
- OC_INSECURE: "true"
-
- # OC_URL: the external domain / ip address of oCIS (with protocol, must always be https)
- OC_URL: "https://localhost:9200"
-
- # OC_LOG_LEVEL: error / info / ... / debug
- OC_LOG_LEVEL: info
-```
-
-### Initialize
-
-Run ocis init to create a config
-
-```bash
-docker run --rm -it -v $(pwd):/etc/ocis/ owncloud/ocis:latest init
-```
-
-You will get the following output:
-
-```txt {hl_lines=[9]}
-Do you want to configure Infinite Scale with certificate checking disabled?
- This is not recommended for public instances! [yes | no = default] yes
-
-=========================================
- generated OCIS Config
-=========================================
- configpath : /etc/ocis/ocis.yaml
- user : admin
- password : t3p4N0jJ47LbhpQ04s9W%u1$d2uE3Y.3
-```
-
-Check your local folder. We just generated a default ocis configuration file with random passwords and secrets.
-
-```bash
-ls # list the current folder
-docker-compose.yml ocis.yaml # ocis.yaml has been generated
-```
-
-Run `cat ocis.yaml`
-
-```yaml {linenos=table,hl_lines=[19]}
-token_manager:
- jwt_secret: X35rffWpS9BR.=^#LDt&z3ykYOd7h@w*
-machine_auth_api_key: -0$4ieu5+t6HD6Ui^0PpKU6B0qxisv.m
-system_user_api_key: oVxICwMR9YcKXTau+@pqKZ0EO-OHz8sF
-transfer_secret: e%3Sda=WFBuy&ztBUmriAbBR$i2CmaDv
-system_user_id: b7d976a1-7300-4db7-82df-13502d6b5e18
-admin_user_id: c59a6ae9-5f5e-4eef-b82e-0e5c34f93e52
-graph:
- spaces:
- insecure: false
- identity:
- ldap:
- bind_password: wElKpGjeH0d.E4moXh=.dc@s2CtB0vy%
-idp:
- ldap:
- bind_password: Ft2$2%#=6Mi22@.YPkhh-c6Kj=3xBZAb
-idm:
- service_user_passwords:
- admin_password: t3p4N0jJ47LbhpQ04s9W%u1$d2uE3Y.3
- idm_password: wElKpGjeH0d.E4moXh=.dc@s2CtB0vy%
- reva_password: pJAdZ2fU!SFKgcdDPRW%ruIiNM6GnN1D
- idp_password: Ft2$2%#=6Mi22@.YPkhh-c6Kj=3xBZAb
-proxy:
- insecure_backends: false
-frontend:
- archiver:
- insecure: false
-auth_basic:
- auth_providers:
- ldap:
- bind_password: pJAdZ2fU!SFKgcdDPRW%ruIiNM6GnN1D
-auth_bearer:
- auth_providers:
- oidc:
- insecure: false
-users:
- drivers:
- ldap:
- bind_password: pJAdZ2fU!SFKgcdDPRW%ruIiNM6GnN1D
-groups:
- drivers:
- ldap:
- bind_password: pJAdZ2fU!SFKgcdDPRW%ruIiNM6GnN1D
-storage_system:
- data_provider_insecure: false
-storage_users:
- data_provider_insecure: false
-ocdav:
- insecure: false
-thumbnails:
- thumbnail:
- transfer_secret: z-E%G8MTeFpuT-ez2o8BjfnG1Jl2yLLm
- webdav_allow_insecure: false
- cs3_allow_insecure: false
-```
-
-{{< hint type=tip title="Admin password" >}}
-**Password initialisation**\
-During the run of `./ocis init`, the password for the `admin` user has been set to a random string.
-
-You can override that later by setting `IDM_ADMIN_PASSWORD=secret`. The ENV variable setting always overrides the config file.
-{{< /hint >}}
-
-### Mount the config file
-
-Add the config file as a bind mount.
-
-```yaml
- volumes:
- # mount the ocis config file inside the container
- - "./ocis.yaml:/etc/ocis/ocis.yaml"
-```
-
-### Apply the changes
-
-```bash
-docker compose up -d
-```
-
-The service should be running.
-
-```bash
-docker compose ps
-NAME COMMAND SERVICE STATUS PORTS
-simple-ocis-ocis-1 "/usr/bin/ocis server" ocis running 9200/tcp
-```
-
-### Open the port 9200 to the outside
-
-```yaml
-ports:
- - 9200:9200
-```
-
-Add a port mapping to your docker compose file and run `docker compose up -d` again. You should now be able to access and log in. You will get a warning from your browser that the connection is not safe because we are using a self-signed certificate. Accept this warning message to continue. Use the user `admin` and the password which has been initialized before.
-
-Congratulations! You have successfully set up a simple Infinite Scale locally.
-
-{{< hint type=tip title="Docker Compose Helps you" >}}
-**docker compose up**\
-You do not need to shut down your service to apply changes from the docker-compose.yml file. Running `docker compose up -d` again is enough. Docker compose always tries to bring all services to the desired state.
-
-**docker compose ps**\
-This gives you a status of the services of the project.
-
-**docker compose exec \ \**\
-This command is handy to run specific commands inside your service. Try `docker compose exec ocis ocis version`.
-{{< /hint >}}
-
-### Persist data, restart and logging
-
-The key to a successful container setup is the persistence of the application data to make the data survive a re-boot. Docker normally uses [volumes](https://docs.docker.com/storage/volumes/) for this purpose. A volume can either be a "named volume" which are completely managed by docker and have many advantages (see the linked docker documentation), or "bind mounts" which are using the directory structure and OS of the host system. In our example we already use a bind mount for the config file. We will now add a named volume for the oCIS data directory.
-
-This is the way we should configure the ocis service:
-
-```yaml
- volumes:
- # mount the ocis config file inside the container
- - "./ocis.yaml:/etc/ocis/ocis.yaml"
- # short syntax for using a named volume
- # in the form :
- # use a named volume for the ocis data directory
- - "ocis-data:/var/lib/ocis"
- # or the more verbose syntax
- #- type: volume
- # source: ocis-data # name of the volume
- # target: /var/lib/ocis # the mount path inside the container
-```
-
-The docker-compose.yml needs to declare the named volumes globally, add this at the bottom of the file:
-
-```yaml
-# https://docs.docker.com/compose/compose-file/compose-file-v3/#volumes
-# this declares the named volume with all default settings
-# you can also see the volume when running `docker volume list`
-volumes:
- ocis-data:
-```
-
-Now let us configure the restart policy and the logging settings for the ocis service:
-
-```yaml
- # https://docs.docker.com/compose/compose-file/compose-file-v3/#restart
- restart: always # or on-failure / unless-stopped
-
- # https://docs.docker.com/config/containers/logging/configure/
- # https://docs.docker.com/compose/compose-file/compose-file-v3/#logging
- # the default log driver does no log rotation
- # you can switch to the "local" log driver which does rotation by default
- logging:
- driver: local
- # otherwise you could specify log rotation explicitly
- # driver: "json-file" # this is the default driver
- # options:
- # max-size: "200k" # limit the size of the log file
- # max-file: "10" # limit the count of the log files
-```
-
-Apply your changes! Just run `docker compose up -d` again.
-
-Now you have an oCIS which will survive reboots, restart automatically and has log rotation by default.
-
-Access the logs via `docker compose logs -f` and do some actions in the frontend to see the effect. Create data by uploading files and adding more users. Then run `docker compose down` to shut oCIS down. Start it again `docker compose up -d`, log in again and check that your data has survived the reboot.
-
-### Pin the oCIS version
-
-Last but not least, it is never a good idea to use the `latest` docker tag. Pin your container image to a released version.
-
-```yaml
- image: owncloud/ocis:latest@sha256:5ce3d5f9da017d6760934448eb207fbaab9ceaf0171b4122e791e292f7c86c97
- # the latest tag is not recommended, because you don't know which version you'll get
- # but even if you use `owncloud/ocis:1.16.0` you cannot be sure that you'll get
- # the exact same image if you pull it at a later point in time (because docker image tags are not immutable).
- # To be 100% that you always get the same image, you can pin the digest (hash) of the
- # image. If you do a `docker pull owncloud/ocis:latest`, it also will also show you the digest.
- # see also https://docs.docker.com/engine/reference/commandline/images/#list-image-digests
-```
-
-## Wrapping up
-
-If you have completed this guide, your docker-compose.yml should look like the following example:
-
-{{< expand "Solution" "..." >}}
-```yaml
-version: "3.7"
-
-services:
- ocis:
- image: owncloud/ocis:latest@sha256:5ce3d5f9da017d6760934448eb207fbaab9ceaf0171b4122e791e292f7c86c97
- # the latest tag is not recommended, because you don't know which version you'll get
- # but even if you use `owncloud/ocis:1.16.0` you cannot be sure that you'll get
- # the exact same image if you pull it at a later point in time (because docker image tags are not immutable).
- # To be 100% that you always get the same image, you can pin the digest (hash) of the
- # image. If you do a `docker pull owncloud/ocis:latest`, it also will also show you the digest.
- # see also https://docs.docker.com/engine/reference/commandline/images/#list-image-digests
- environment:
- # INSECURE: needed if oCIS / Traefik is using self generated certificates
- OC_INSECURE: "true"
-
- # OC_URL: the external domain / ip address of oCIS (with protocol, must always be https)
- OC_URL: "https://localhost:9200"
-
- # OC_LOG_LEVEL: error / info / ... / debug
- OC_LOG_LEVEL: info
- volumes:
- # mount the ocis config file inside the container
- - "./ocis.yaml:/etc/ocis/ocis.yaml"
- # short syntax for using a named volume
- # in the form :
- # use a named volume for the ocis data directory
- - "ocis-data:/var/lib/ocis"
- # or the more verbose syntax
- #- type: volume
- # source: ocis-data # name of the volume
- # target: /var/lib/ocis # the mount path inside the container
- ports:
- - 9200:9200
- # https://docs.docker.com/compose/compose-file/compose-file-v3/#restart
- restart: always # or on-failure / unless-stopped
-
- # https://docs.docker.com/config/containers/logging/configure/
- # https://docs.docker.com/compose/compose-file/compose-file-v3/#logging
- # the default log driver does no log rotation
- # you can switch to the "local" log driver which does rotation by default
- logging:
- driver: local
- # otherwise you could specify log rotation explicitly
- # driver: "json-file" # this is the default driver
- # options:
- # max-size: "200k" # limit the size of the log file
- # max-file: "10" # limit the count of the log files
-
-# https://docs.docker.com/compose/compose-file/compose-file-v3/#volumes
-# this declares the named volume with all default settings
-# you can also see the volume when running `docker volume list`
-volumes:
- ocis-data:
-```
-{{< /expand >}}
diff --git a/docs/ocis/identity-provider/_index.md b/docs/ocis/identity-provider/_index.md
deleted file mode 100644
index fa9733d1e9..0000000000
--- a/docs/ocis/identity-provider/_index.md
+++ /dev/null
@@ -1,13 +0,0 @@
----
-title: "Identity Provider"
-date: 2023-05-03T00:00:00+00:00
-weight: 20
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/ocis/identity-provider
-geekdocFilePath: _index.md
-geekdocCollapseSection: true
----
-
-## Overview
-
-oCIS provides out of the box a minimal OpenID Connect provider via the [IDP service](../../services/idp/) and a minimal LDAP service via the [IDM service](../../services/idm/). Both services are limited in the provided functionality, see the [admin documentation](https://doc.owncloud.com/ocis/next/deployment/services/s-list/idp.html) for details, and can be used for small environments like up to a few hundred users. For enterprise environments, it is highly recommended using enterprise grade external software like KeyCloak plus openLDAP or MS ADFS with Active Directory, which can be configured in the respective service. Entrada ID (formerly Azure AD) is in preparation, but not yet released or documented and might need some small fixes, and for certain functions a LDAP/AD connection.
diff --git a/docs/ocis/identity-provider/ldap-active-directory.md b/docs/ocis/identity-provider/ldap-active-directory.md
deleted file mode 100644
index 8248aca5e9..0000000000
--- a/docs/ocis/identity-provider/ldap-active-directory.md
+++ /dev/null
@@ -1,42 +0,0 @@
----
-title: "LDAP - Active Directory"
-date: 2023-05-03T00:00:00+00:00
-weight: 20
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/ocis/identity-provider
-geekdocFilePath: ldap-active-directory.md
-geekdocCollapseSection: true
----
-
-## Overview
-
-oCIS can be configured using Active Directory as identity provider.
-
-## Configuration Example
-
-This configuration is an _example_ for using Samba4 AD as well as a Windows Server 2022 as the LDAP backend for oCIS. It is intended as guideline and first starting point.
-
-```text
-OC_LDAP_URI=ldaps://xxxxxxxxx
-OC_LDAP_INSECURE="true"
-OC_LDAP_BIND_DN="cn=administrator,cn=users,xxxxxxxxxx"
-OC_LDAP_BIND_PASSWORD=xxxxxxx
-OC_LDAP_DISABLE_USER_MECHANISM="none"
-OC_LDAP_GROUP_BASE_DN="dc=owncloud,dc=test"
-OC_LDAP_GROUP_OBJECTCLASS="group"
-OC_LDAP_GROUP_SCHEMA_ID="objectGUID"
-OC_LDAP_GROUP_SCHEMA_ID_IS_OCTETSTRING="true"
-OC_LDAP_GROUP_SCHEMA_GROUPNAME="cn"
-OC_LDAP_USER_BASE_DN="dc=owncloud,dc=test"
-OC_LDAP_USER_OBJECTCLASS="user"
-OC_LDAP_USER_SCHEMA_ID="objectGUID"
-OC_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING="true"
-OC_LDAP_USER_SCHEMA_USERNAME="sAMAccountName"
-OC_LDAP_LOGIN_ATTRIBUTES="sAMAccountName"
-IDP_LDAP_LOGIN_ATTRIBUTE="sAMAccountName"
-IDP_LDAP_UUID_ATTRIBUTE="objectGUID"
-IDP_LDAP_UUID_ATTRIBUTE_TYPE=binary
-GRAPH_LDAP_SERVER_WRITE_ENABLED="false"
-OC_EXCLUDE_RUN_SERVICES=idm
-OC_ADMIN_USER_ID=""
-```
diff --git a/docs/ocis/identity-provider/oidc.md b/docs/ocis/identity-provider/oidc.md
deleted file mode 100644
index 85004c603f..0000000000
--- a/docs/ocis/identity-provider/oidc.md
+++ /dev/null
@@ -1,106 +0,0 @@
----
-title: "OIDC"
-date: 2023-10-10T00:00:00+00:00
-weight: 21
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/ocis/identity-provider
-geekdocFilePath: oidc.md
-geekdocCollapseSection: true
----
-
-Infinite Scale has implemented OpenID Connect (OIDC) for authentication.
-OIDC defines a discovery mechanism, called OpenID Connect Discovery,
-where an OpenID server publishes its metadata at a well-known URL, typically:
-
-`https://ocis.test/.well-known/openid-configuration`
-
-This URL returns a JSON listing of the OpenID/OAuth endpoints, supported scopes and claims, public keys used to sign the tokens, and other details.
-The clients can use this information to construct a request to the OpenID server.
-The field names and values are defined in the [OpenID Connect Discovery Specification](https://openid.net/specs/openid-connect-discovery-1_0.html).
-Here is an example of data returned:
-```json
-{
- "issuer": "https://ocis.test",
- "authorization_endpoint": "https://ocis.test/signin/v1/identifier/_/authorize",
- "token_endpoint": "https://ocis.test/konnect/v1/token",
- "userinfo_endpoint": "https://ocis.test/konnect/v1/userinfo",
- "end_session_endpoint": "https://ocis.test/signin/v1/identifier/_/endsession",
- "check_session_iframe": "https://ocis.test/konnect/v1/session/check-session.html",
- "jwks_uri": "https://ocis.test/konnect/v1/jwks.json",
- "scopes_supported": [
- "openid",
- "offline_access",
- "profile",
- "email",
- "LibgreGraph.UUID",
- "LibreGraph.RawSub"
- ],
- "response_types_supported": [
- "id_token token",
- "id_token",
- "code id_token",
- "code id_token token"
- ],
- "subject_types_supported": [
- "public"
- ],
- "id_token_signing_alg_values_supported": [
- "RS256",
- "RS384",
- "RS512",
- "PS256",
- "PS384",
- "PS512"
- ],
- "userinfo_signing_alg_values_supported": [
- "RS256",
- "RS384",
- "RS512",
- "PS256",
- "PS384",
- "PS512"
- ],
- "request_object_signing_alg_values_supported": [
- "ES256",
- "ES384",
- "ES512",
- "RS256",
- "RS384",
- "RS512",
- "PS256",
- "PS384",
- "PS512",
- "none",
- "EdDSA"
- ],
- "token_endpoint_auth_methods_supported": [
- "client_secret_basic",
- "none"
- ],
- "token_endpoint_auth_signing_alg_values_supported": [
- "RS256",
- "RS384",
- "RS512",
- "PS256",
- "PS384",
- "PS512"
- ],
- "claims_parameter_supported": true,
- "claims_supported": [
- "iss",
- "sub",
- "aud",
- "exp",
- "iat",
- "name",
- "family_name",
- "given_name",
- "email",
- "email_verified"
- ],
- "request_parameter_supported": true,
- "request_uri_parameter_supported": false
-}
-```
-
-Refer to the [Authorization](https://owncloud.dev/apis/http/authorization) section for example usages and details.
diff --git a/docs/ocis/license.md b/docs/ocis/license.md
deleted file mode 100644
index bd98bc9947..0000000000
--- a/docs/ocis/license.md
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: "License"
-date: 2020-02-27T20:35:00+01:00
-weight: 100
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/ocis
-geekdocFilePath: license.md
----
-
-The source code of the project is licensed under the [Apache 2.0](https://github.com/owncloud/ocis/blob/master/LICENSE) license. For the license of the used libraries you have to check the respective sources.
-
-Stable, supported binary builds of ownCloud Infinite Scale that will be distributed by ownCloud GmbH are covered by a non OSS Freemium License [EULA](https://owncloud.com/license-owncloud-infinite-scale/). This protects additional efforts that ownCloud GmbH is putting into these builds.
-
-Since the source code of Infinite Scale is available under free licenses, the free usage can, should and will not be limited in general.
diff --git a/docs/ocis/metrics.md b/docs/ocis/metrics.md
deleted file mode 100644
index 8612bc9b7f..0000000000
--- a/docs/ocis/metrics.md
+++ /dev/null
@@ -1,109 +0,0 @@
----
-title: "Metrics"
-date: 2020-05-04T20:47:00+01:00
-weight: 43
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/ocis
-geekdocFilePath: metrics.md
----
-
-
-## Metrics
-
-This service provides some [Prometheus](https://prometheus.io/) metrics through the debug endpoint, you can optionally secure the metrics endpoint by some random token, which has to be configured either through the flag `--debug-token` or the environment variable `OC_DEBUG_TOKEN` mentioned above. By default, the metrics endpoint is bound to `http://0.0.0.0:8001/metrics`.
-
-go_gc_duration_seconds
-: A summary of the GC invocation durations
-
-go_gc_duration_seconds_sum
-: A summary of the GC invocation durations
-
-go_gc_duration_seconds_count
-: A summary of the GC invocation durations
-
-go_goroutines
-: Number of goroutines that currently exist
-
-go_info
-: Information about the Go environment
-
-go_memstats_alloc_bytes
-: Number of bytes allocated and still in use
-
-go_memstats_alloc_bytes_total
-: Total number of bytes allocated, even if freed
-
-go_memstats_buck_hash_sys_bytes
-: Number of bytes used by the profiling bucket hash table
-
-go_memstats_frees_total
-: Total number of frees
-
-go_memstats_gc_cpu_fraction
-: The fraction of this program's available CPU time used by the GC since the program started
-
-go_memstats_gc_sys_bytes
-: Number of bytes used for garbage collection system metadata
-
-go_memstats_heap_alloc_bytes
-: Number of heap bytes allocated and still in use
-
-go_memstats_heap_idle_bytes
-: Number of heap bytes waiting to be used
-
-go_memstats_heap_inuse_bytes
-: Number of heap bytes that are in use
-
-go_memstats_heap_objects
-: Number of allocated objects
-
-go_memstats_heap_released_bytes
-: Number of heap bytes released to OS
-
-go_memstats_heap_sys_bytes
-: Number of heap bytes obtained from system
-
-go_memstats_last_gc_time_seconds
-: Number of seconds since 1970 of last garbage collection
-
-go_memstats_lookups_total
-: Total number of pointer lookups
-
-go_memstats_mallocs_total
-: Total number of mallocs
-
-go_memstats_mcache_inuse_bytes
-: Number of bytes in use by mcache structures
-
-go_memstats_mcache_sys_bytes
-: Number of bytes used for mcache structures obtained from system
-
-go_memstats_mspan_inuse_bytes
-: Number of bytes in use by mspan structures
-
-go_memstats_mspan_sys_bytes
-: Number of bytes used for mspan structures obtained from system
-
-go_memstats_next_gc_bytes
-: Number of heap bytes when next garbage collection will take place
-
-go_memstats_other_sys_bytes
-: Number of bytes used for other system allocations
-
-go_memstats_stack_inuse_bytes
-: Number of bytes in use by the stack allocator
-
-go_memstats_stack_sys_bytes
-: Number of bytes obtained from system for stack allocator
-
-go_memstats_sys_bytes
-: Number of bytes obtained from system
-
-go_threads
-: Number of OS threads created
-
-promhttp_metric_handler_requests_in_flight
-: Current number of scrapes being served
-
-promhttp_metric_handler_requests_total
-: Total number of scrapes by HTTP status code
diff --git a/docs/ocis/migration.md b/docs/ocis/migration.md
deleted file mode 100644
index 5d4121f978..0000000000
--- a/docs/ocis/migration.md
+++ /dev/null
@@ -1,768 +0,0 @@ ---- -title: "Migration" -date: 2021-03-16T16:17:00+01:00 -weight: 41 -geekdocRepo: https://github.com/owncloud/ocis -geekdocEditPath: edit/master/docs/ocis -geekdocFilePath: migration.md ---- - -The migration happens in subsequent stages while the service is online. First all users need to migrate to the new architecture, then the global namespace needs to be introduced. Finally, the data on disk can be migrated user by user by switching the storage driver. - -
- -{{< hint warning >}} -@jfd: It might be easier to introduce the spaces api in oc10 and then migrate to oCIS. We cannot migrate both at the same time, the architecture to oCIS (which will change fileids) and introduce a global namespace (which requires stable fileids to let clients handle moves without redownloading). Either we implement arbitrary mounting of shares in oCIS / reva or we make clients and oc10 spaces aware. -{{< /hint >}} - -
- -## Migration Stages - -### Stage 0: pre migration -Is the pre-migration stage when having a functional ownCloud 10 instance. - -
- -#### FAQ -_Feel free to add your question as a PR to this document using the link at the top of this page!_ - -
- -
- -### Stage 1: introduce ownCloud Web -Install and introduce [ownCloud Web](https://github.com/owncloud/web/) and let users test it voluntarily to gain early feedback on the new UI. - -#### Steps -Deploy web and enable switching to and from it. -For more details see: [ownCloud 10 with ownCloud Web](https://owncloud.dev/clients/web/deployments/oc10-app/) - -
- -_TODO allow limiting the web ui switch to an 'early adopters' group_ - -
- -#### Validation -Ensure switching back and forth between the classic ownCloud 10 web UI and ownCloud web works as at our https://demo.owncloud.com. - -#### Rollback -Should there be problems with ownCloud web at this point it can simply be removed from the menu and be undeployed. - -#### Notes -
-The ownCloud 10 demo instance uses OAuth to obtain a token for ownCloud web and currently always requires explicit consent. In oCIS the token is provided by the OpenID Connect Identity Provider, which may skip the consent step for trusted clients for a more seamless login experience. You may want to introduce OpenID Connect before enabling the new web UI. - -
- -_TODO make oauth2 in oc10 trust the new web ui, based on `redirect_uri` and CSRF so no explicit consent is needed?_ - -#### FAQ -_Feel free to add your question as a PR to this document using the link at the top of this page!_ - -
- -
- -### Stage 2: introduce OpenID Connect - -Basic auth requires us to properly store and manage user credentials. Something we would rather like to delegate to a tool specifically built for that task. -While SAML and Shibboleth are protocols that solve that problem, they are limited to web clients. Desktop and mobile clients were an afterthought and keep running into timeouts. For these reasons, we decided to move to [OpenID Connect as our primary authentication protocol](https://owncloud.com/news/openid-connect-oidc-app/). - -
- -_TODO @butonic add ADR for OpenID Connect and flesh out pros and cons of the above_ - -
- -#### User impact - -When introducing OpenID Connect, the clients will detect the new authentication scheme when their current way of authenticating returns an error. Users will then have to -reauthorize at the OpenID Connect IdP, which again, may be configured to skip the consent step for trusted clients. - -#### Steps -1. There are multiple products that can be used as an OpenID Connect IdP. We test with [LibreGraph Connect](https://github.com/libregraph/lico), which is also [embedded in oCIS](https://github.com/owncloud/web/). Other alternatives include [Keycloak](https://www.keycloak.org/) or [Ping](https://www.pingidentity.com/). Please refer to the corresponding setup instructions for the product you intend to use. - -
- -_TODO @butonic flesh out oCIS IDP documentation_ - -
- -2. Add [Openid Connect (OIDC)](https://doc.owncloud.com/server/admin_manual/configuration/user/oidc/) support to ownCloud 10. - -#### Validation -When OpenID Connect support is enabled verify that all clients can login: -- web classic -- ownCloud web -- desktop -- android -- iOS - -#### Rollback -Should there be problems with OpenID Connect at this point you can disable the app. Users will have to reauthenticate in this case. - -#### Notes -
-Legacy clients relying on Basic auth or app passwords need to be migrated to OpenId Connect to work with oCIS. For a transition period Basic auth in oCIS can be enabled with `PROXY_ENABLE_BASIC_AUTH=true`, but we strongly recommend adopting OpenID Connect for other tools as well. - -While OpenID Connect providers will send an `iss` and `sub` claim that relying parties (services like oCIS or ownCloud 10) can use to identify users we recommend introducing a dedicated, globally unique, persistent, non-reassignable user identifier like a UUID for every user. This `ownclouduuid` should be sent as an additional claim to save additional lookups on the server side. It will become the user id in oCIS, e.g. when searching for recipients the `ownclouduuid` will be used to persist permissions with the share manager. It has a different purpose than the ownCloud 10 username, which is used to login. Using UUIDs we can not only mitigate username collisions when merging multiple instances but also allow renaming usernames after the migration to oCIS has been completed. - -
- -#### FAQ -_Feel free to add your question as a PR to this document using the link at the top of this page!_ - -
- -
- -### Stage 3: introduce oCIS internally - -Before letting oCIS handle end user requests we will first make it available in the internal network. By subsequently adding services we can add functionality and verify the services work as intended. - -Start oCIS backend and make read only tests on existing data using the `owncloudsql` storage driver which will read (and write) -- blobs from the same datadirectory layout as in ownCloud 10 -- metadata from the ownCloud 10 database: -The oCIS share manager will read share information from the ownCloud database using an `owncloud` driver as well. - -
- -_TODO @butonic add guide on how to configure `owncloudsql`_ - -_TODO we need a share manager that can read from the ownCloud 10 database as well as from whatever new backend will be used for a pure oCIS setup. Currently, that would be the json file. Or that is migrated after all users have switched to oCIS. -- jfd_ - -
- -#### User impact -None, only administrators will be able to explore oCIS during this stage. - -#### Steps and verifications - -We are going to run and explore a series of services that will together handle the same requests as ownCloud 10. For initial exploration the oCIS binary is recommended. The services can later be deployed using a single oCIS runtime or in multiple containers. - - -##### Storage provider for file metadata -1. Deploy OCIS storage provider with owncloudsql driver. -2. Set `read_only: true` in the storage provider config.
_TODO @butonic add read only flag to storage drivers_
-3. Use cli tool to list files using the CS3 api - -##### File ID alternatives -Multiple ownCloud instances can be merged into one oCIS instance. To prevent the numeric ids from colliding, the file ids will be prefixed with a new storage space id which is used by oCIS to route requests to the correct storage provider. See Stage 8 below. - -
- -{{< hint warning >}} -**Alternative 1** -Add a routable prefix to fileids in oc10, and replicate the prefix in oCIS. -### Stage-3.1 -Let oc10 render file ids with prefixes: `$!`. This will allow clients to handle moved files. - -### Stage-3.2 -Roll out new clients that understand the spaces API and know how to convert local sync pairs for legacy oc10 `/webdav` or `/dav/files/` home folders into multiple sync pairs. -One pair for `/webdav/home` or `/dav/files//home` and another pair for every accepted share. The shares will be accessible at `/webdav/shares/` when the server side enables the spaces API. -Files can be identified using `$!` and moved to the correct sync pair. - -### Stage-3.3 -Enable spaces API in oc10: -- New clients will get a response from the spaces API and can set up new sync pairs. -- Legacy clients will still poll `/webdav` or `/dav/files/` where they will see new subfolders instead of the users home. They will move down the users files into `/home` and shares into `/shares`. Custom sync pairs will no longer be available, causing the legacy client to leave local files in place. They can be picked up manually when installing a new client. - -{{< /hint >}} - -{{< hint warning >}} -**Alternative 2** -An additional `uuid` property used only to detect moves. A lookup by uuid is not necessary for this. The `/dav/meta` endpoint would still take the fileid. Clients would use the `uuid` to detect moves and set up new sync pairs when migrating to a global namespace. -### Stage-3.1 -Generate a `uuid` for every file as a file property. Clients can submit a `uuid` when creating files. The server will create a `uuid` if the client did not provide one. - -### Stage-3.2 -Roll out new clients that understand the spaces API and know how to convert local sync pairs for legacy oc10 `/webdav` or `/dav/files/` home folders into multiple sync pairs. -One pair for `/webdav/home` or `/dav/files//home` and another pair for every accepted share. 
The shares will be accessible at `/webdav/shares/` when the server side enables the spaces API. Files can be identified using the `uuid` and moved to the correct sync pair. - -### Stage-4.1 -When reading the files from oCIS return the same `uuid`. It can be migrated to an extended attribute or it can be read from oc10. If users change it the client will not be able to detect a move and maybe other weird stuff happens. *What if the uuid gets lost on the server side due to a partial restore?* - -{{< /hint >}} -
- - -
- -##### graph API endpoint -1. Deploy graph api to list spaces -2. Use curl to list spaces using graph drives endpoint - -##### owncloud flavoured WebDAV endpoint -1. Deploy ocdav -2. Use curl to send PROPFIND - -##### data provider for up and download -1. Deploy dataprovider -2. Use curl to up and download files -3. Use tus to upload files - -Deploy ... - -##### share manager -Deploy share manager with ownCloud driver - -##### reva gateway -1. Deploy gateway to authenticate requests? I guess we need that first... Or we need the to mint a token. Might be a good exercise. - -##### automated deployment -Finally, deploy oCIS with a config to set up everything running in a single oCIS runtime or in multiple containers. - -#### Rollback -You can stop the oCIS process at any time. - -#### Notes -
-Multiple ownCloud instances can be merged into one oCIS instance. The file ids will be prefixed with a new storage space id which is used to route requests to the correct storage provider. - -
- -#### FAQ -_Feel free to add your question as a PR to this document using the link at the top of this page!_ - -
- -
- -### Stage 4: internal write access with oCIS -Test writing data with oCIS into the existing ownCloud 10 data directory using the `owncloudsql` storage driver. - -#### User impact -Only administrators will be able to explore oCIS during this stage. End users should not be affected if the testing is limited to test users. - -#### Steps -Set `read_only: false` in the storage provider config. - -
- -_TODO @butonic add read only flag to storage drivers_ - -
- -#### Verification -#### Rollback -Set `read_only: true` in the storage provider config. - -
- -_TODO @butonic add read only flag to storage drivers_ - -
- -#### Notes -
-With write access it becomes possible to manipulate existing files and shares. - -
- -#### FAQ -_Feel free to add your question as a PR to this document using the link at the top of this page!_ - -
- -
- -### Stage-5: introduce user aware proxy -In the previous stages oCIS was only accessible for administrators with access to the network. To expose only a single service to the internet, oCIS comes with a user aware proxy that can be used to route requests to the existing ownCloud 10 installation or oCIS, based on the authenticated user. The proxy uses OIDC to identify the logged-in user and route them to the configured backend. - -#### User impact -The IP address of the ownCloud host changes. There is no change for the file sync and share functionality when requests are handled by the oCIS codebase as it uses the same database and storage system as owncloud 10. - -#### Steps and verifications - -##### Deploy oCIS proxy -1. Deploy the `ocis proxy` -2. Verify the requests are routed based on the ownCloud 10 routing policy `oc10` by default - -##### Test user based routing -1. Change the routing policy for a user or an early adopters group to `ocis`
_TODO @butonic currently, the migration selector will use the `ocis` policy for users that have been added to the accounts service. IMO we need to evaluate a claim from the IdP._
-2. Verify the requests are routed based on the oCIS routing policy `oc10` for 'migrated' users. - -At this point you are ready to rock & roll! - -##### Let ownCloud domain point to proxy -1. Update the dns to use the oCIS proxy instead of the ownCloud application servers directly. -2. Let DNS propagate the change and monitor requests moving from the ownCloud application servers to the oCIS proxy. -3. Verify the DNS change has propagated sufficiently. All requests should now use the oCIS Proxy. - -#### Rollback -Should there be a problem with the oCIS routes the user can be routed to ownCloud by changing his routing policy. In case of unfixable problems with the proxy the DNS needs to be updated to use the ownCloud 10 application servers directly. This could also be done in a load balancer. - -#### Notes -
-The proxy is stateless, multiple instances can be deployed as needed. - -
- -#### FAQ -_Feel free to add your question as a PR to this document using the link at the top of this page!_ - -
- -
- -### Stage-6: parallel deployment -Running ownCloud 10 and oCIS in parallel is a crucial stage for the migration: it allows users access to group shares regardless of the system that is being used to access the data. A user by user migration with multiple domains would technically break group shares when users vanish because they (and their data) are no longer available in the old system. - -Depending on the amount of power users on an instance, the admin may want to allow users to voluntarily migrate to the oCIS backend. A monitoring system can be used to visualize the behavior for the two systems and gain trust in the overall stability and performance. - -#### User impact -Since the underling data is still stored in the same systems, a similar or performance can be expected. -
- -See _TODO hmpf outdated didn't we want to run them nightly? ..._ -_TODO @butonic update performance comparisons nightly_ - -
- -#### Steps -There are several options to move users to the oCIS backend: -- Use a canary app to let users decide themselves -- Use an early adopters group with an opt-in -- Force migrate users in batch or one by one at the administrators will - -#### Verification -The same verification steps as for the internal testing stage apply. Just from the outside. - -#### Rollback -Until now, the oCIS configuration mimics ownCloud 10 and uses the old data directory layout and the ownCloud 10 database. Users can seamlessly be switched from ownCloud 10 to oCIS and back again. -
- -_TODO @butonic we need a canary app that allows users to decide for themselves which backend to use_ - -
- -
- -#### Notes -Running the two systems in parallel stage -Try to keep the duration of this stage short. Until now we only added services and made the system more complex. oCIS aims to reduce the maintenance cost of an ownCloud instance. You will not get there if you keep both systems alive. - -
- -#### FAQ -_Feel free to add your question as a PR to this document using the link at the top of this page!_ - -
- -
- -### Stage-7: introduce spaces using ocis -To encourage users to switch you can promote the workspaces feature that is built into oCIS. The ownCloud 10 storage backend can be used for existing users. New users and group or project spaces can be provided by storage providers that better suit the underlying storage system. - -#### Steps -First, the admin needs to -- deploy a storage provider with the storage driver that best fits the underlying storage system and requirements. -- register the storage in the storage registry with a new storage id (we recommend a uuid). - -Then a user with the necessary create storage space role can create a storage space and assign Managers. - -
- -_TODO @butonic a user with management permission needs to be presented with a list of storage spaces where he can see the amount of free space and decide on which storage provider the storage space should be created. For now a config option for the default storage provider for a specific type might be good enough._ - -
- -#### Verification -The new storage space should show up in the `/graph/drives` endpoint for the managers and the creator of the space. - -#### Notes -Depending on the requirements and acceptable tradeoffs, a database less deployment using the ocis or s3ng storage driver is possible. There is also a [cephfs driver](https://github.com/cs3org/reva/pull/1209) on the way, that directly works on the API level instead of POSIX. - -### Stage-8: shut down ownCloud 10 -Disable ownCloud 10 in the proxy, all requests are now handled by oCIS, shut down oc10 web servers and redis (or keep for calendar & contacts only? rip out files from oCIS?) - -#### User impact -All users are already sent to the oCIS backend. Shutting down ownCloud 10 will remove the old web UI, apps and functionality that is not yet present in ownCloud web. For example contacts and calendar. - -
- -_TODO @butonic recommend alternatives_ - -
- -#### Steps -1. Shut down the apache servers that are running the ownCloud 10 PHP code. -2. DO NOT SHUT DOWN THE DATABASE, YET! - -#### Verification -The ownCloud 10 classic web UI should no longer be reachable. - -#### Rollback -Redeploy ownCloud 10. - -#### Notes -
-The database needs to remain online until the storage layer and share metadata have been migrated as well. One thing at a time. - -
- -#### FAQ -_Feel free to add your question as a PR to this document using the link at the top of this page!_ - -
- -
- -### Stage 9: storage migration -To get rid of the database we will move the metadata from the old ownCloud 10 database into dedicated storage providers. This can happen in a user by user fashion. group drives can properly be migrated to group, project or workspaces in this stage. - -#### User impact -Noticeable performance improvements because we effectively shard the storage logic and persistence layer. - -#### Steps -1. User by user storage migration from `owncloud` or `ownclouds3` driver to `ocis`/`s3ng`/`cephfs`... currently this means copying the metadata from one storage provider to another using the cs3 api. -2. Change the responsible storage provider for a storage space (e.g. a user home, a group or project space are a workspace) in the storage registry. - -
- -_TODO @butonic implement `ownclouds3` based on `s3ng`_ -_TODO @butonic implement tiered storage provider for seamless migration_ -_TODO @butonic document how to manually do that until the storage registry can discover that on its own._ - -
- -#### Verification -Start with a test user, then move to early adopters and finally migrate all users. - -#### Rollback -To switch the storage provider again the same storage space migration can be performed again: copy metadata and blob data using the CS3 api, then change the responsible storage provider in the storage registry. - -#### Notes -
-Multiple ownCloud instances can be merged into one oCIS instance. The file ids will be prefixed with a new storage space id which is used to route requests to the correct storage provider. - -The storage space migration will become a seamless feature in the future that allows administrators to move users to storage systems with different capabilities, to implement premium features, deprovisioning strategies or archiving. - -
- -#### FAQ -_Feel free to add your question as a PR to this document using the link at the top of this page!_ - -
- -
- -### Stage-10: share metadata migration -Migrate share data to _yet to determine_ share manager backend and shut down ownCloud database. - -The ownCloud 10 database still holds share information in the `oc_share` and `oc_share_external` tables. They are used to efficiently answer queries about who shared what with whom. In oCIS shares are persisted using a share manager and if desired these grants are also sent to the storage provider so it can set ACLs if possible. Only one system should be responsible for the shares, which in case of treating the storage as the primary source effectively turns the share manager into a cache. - -#### User impact -Depending on chosen the share manager provider some sharing requests should be faster: listing incoming and outgoing shares is no longer bound to the ownCloud 10 database but to whatever technology is used by the share provider: - - For non HA scenarios they can be served from memory, backed by a simple json file. - - TODO: implement share manager with redis / nats / ... key value store backend: use the micro store interface please ... - -#### Steps -1. Start new share manager -2. Migrate metadata using the CS3 API (copy from old to new) -3. Shut down old share manager -4. Shut down ownCloud 10 database - -
- -_TODO for HA implement share manager with redis / nats / ... key value store backend: use the micro store interface please ..._ -_TODO for batch migration implement share data migration cli with progress that reads all shares via the cs3 api from one provider and writes them into another provider_ -_TODO for seamless migration implement tiered/chained share provider that reads share data from the old provider and writes new shares to the new one_ -_TODO for storage provider as source of truth persist ALL share data in the storage provider. Currently, part is stored in the share manager, part is in the storage provider. We can keep both, but the share manager should directly persist its metadata to the storage system used by the storage provider so metadata is kept in sync_ - -
- -#### Verification -After copying all metadata start a dedicated gateway and change the configuration to use the new share manager. Route a test user, a test group and early adopters to the new gateway. When no problems occur you can start the desired number of share managers and roll out the change to all gateways. - -
- -_TODO let the gateway write updates to multiple share managers ... or rely on the tiered/chained share manager provider to persist to both providers_ - -
- -#### Rollback -To switch the share manager to the database one revert routing users to the new share manager. If you already shut down the old share manager start it again. Use the tiered/chained share manager provider in reverse configuration (new share provider as read only, old as write) and migrate the shares again. You can also restore a database backup if needed. - -
- -### Stage-11 -Profit! Well, on the one hand you do not need to maintain a clustered database setup and can rely on the storage system. On the other hand you are now in microservice wonderland and will have to relearn how to identify bottlenecks and scale oCIS accordingly. The good thing is that tools like jaeger and prometheus have evolved and will help you understand what is going on. But this is a different topic. See you on the other side! - -#### FAQ -_Feel free to add your question as a PR to this document using the link at the top of this page!_ - -
- -
- -## Architectural differences - -The fundamental difference between ownCloud 10 and oCIS is that the file metadata is moved from the database in the `oc_filecache` table (which is misnamed, as it actually is an index) to the storage provider who can place metadata as close to the underlying storage system as possible. In effect, the file metadata is sharded over multiple specialized services. - - -## Data that will be migrated - -Currently, oCIS focuses on file sync and share use cases. - -### Blob data - -In ownCloud 10 the files are laid out on disk in the *data directory* using the following layout: -``` -data -├── einstein -│ ├── cache -│ ├── files -│ │ ├── Photos -│ │ │ └── Portugal.jpg -│ │ ├── Projects -│ │ │ └── Notes.md -│ │ └── ownCloud Manual.pdf -│ ├── files_external -│ ├── files_trashbin -│ │ ├── files -│ │ │ ├── Documents.d1564687985 -│ │ │ ├── TODO.txt.d1565721976 -│ │ │ └── welcome.txt.d1564775872 -│ │ └── versions -│ │ │ ├── TODO.txt.v1564605543.d1565721976 -│ │ │ └── TODO.txt.v1564775936.d1565721976 -│ ├── files_versions -│ │ ├── Projects -│ │ │ ├── Notes.md.v1496912691 -│ │ │ └── Notes.md.v1540305560 -│ │ └── ownCloud Manual.pdf.v1396628249 -│ ├── thumbnails -│ │ └── 123 -│ │ │ ├── 2048-1536-max.png -│ │ │ └── 32-32.png // the file id, e.g. of /Photos/Portugal.jpg -│ └── uploads -├── marie -│ ├── cache -│ ├── files -│ ├── files_external -│ ├── files_trashbin -│ ├── files_versions -│ └── thumbnails -│ … -├── moss -… -``` - -The *data directory* may also contain subfolders for ownCloud 10 applications like `avatars`, `gallery`, `files_external` and `cache`. - -When an object storage is used as the primary storage all file blobs are stored by their file id and a prefix, e.g.: `urn:oid:`. - -The three types of blobs we need to migrate are stored in -- `files` for file blobs, the current file content, -- `files_trashbin` for trashed files (and their versions) and -- `files_versions` for file blobs of older versions. - -
- -### Filecache table - -In both cases the file metadata, including a full replication of the file tree, is stored in the `oc_filecache` table of an ownCloud 10 database. The primary key of a row is the file id. It is used to attach additional metadata like shares, tags, favorites or arbitrary file properties. - -The `filecache` table itself has more metadata: - -| Field | Type | Null | Key | Default | Extra | Comment | Migration | -|--------------------|---------------|------|-----|---------|----------------|----------------|----------------| -| `fileid` | bigint(20) | NO | PRI | NULL | auto_increment | | MUST become the oCIS `opaqueid` of a file reference. `ocis` driver stores it in extended attributes and can use numbers as node ids on disk. for eos see note below table | -| `storage` | int(11) | NO | MUL | 0 | | *the filecache holds metadata for multiple storages* | corresponds to an oCIS *storage space* | -| `path` | varchar(4000) | YES | | NULL | | *the path relative to the storages root* | MUST become the `path` relative to the storage root. `files` prefix needs to be trimmed. | -| `path_hash` | varchar(32) | NO | | | | *mysql once had problems indexing long paths, so we stored a hash for lookup by path. | - | -| `parent` | bigint(20) | NO | MUL | 0 | | *used to implement the hierarchy and listing children of a folder by id. redundant with `path`* | - | -| `name` | varchar(250) | YES | | NULL | | *basename of `path`* | - | -| `mimetype` | int(11) | NO | | 0 | | *joined with the `oc_mimetypes` table. 
only relevant for object storage deployments* | can be determined from blob / file extension | -| `mimepart` | int(11) | NO | | 0 | | *"* | can be determined from blob / file extension | -| `size` | bigint(20) | NO | | 0 | | *same as blob size unless encryption is used* | MAY become size, can be determined from blob | -| `mtime` | bigint(20) | NO | | 0 | | *same as blob mtime* | for files MAY become mtime (can be determined from blob as well), for directories MUST become tmtime | -| `encrypted` | int(11) | NO | | 0 | | *encrypted flag* | oCIS currently does not support encryption | -| `etag` | varchar(40) | YES | | NULL | | *used to propagate changes in a tree* | MUST be migrated (or calculated in the same way) to prevent clients from syncing unnecessarily | -| `unencrypted_size` | bigint(20) | NO | | 0 | | *same as blob size* | oCIS currently does not support encryption | -| `storage_mtime` | bigint(20) | NO | | 0 | | *used to detect external storage changes* | oCIS delegates that to the storage providers and drivers | -| `permissions` | int(11) | YES | | 0 | | *used as the basis for permissions. synced from disk when running a file scan. * | oCIS delegates that to the storage providers and drivers | -| `checksum` | varchar(255) | YES | | NULL | | *same as blob checksum* | SHOULD become the checksum in the storage provider. eos calculates it itself, `ocis` driver stores it in extended attributes | - - -> Note: for EOS a hot migration only works seamlessly if file ids in oc10 are already read from eos. Otherwise, either a mapping from the oc10 filecache file id to the new eos file id has to be created under the assumption that these id sets do not intersect or files and corresponding shares need to be exported and imported offline to generate a new set of ids. While this will preserve public links, user, group and even federated shares, old internal links may still point to different files because they contain the oc10 fileid - -
- -### share table - -used to store -- Public links -- Private shares with users and groups -- Federated shares *partly* -- Guest shares - -| Field | Type | Null | Key | Default | Extra | Comment | [CS3 API](https://cs3org.github.io/cs3apis/) | -|---------------|--------------|------|-----|---------|----------------|---------|-| -| `id` | int(11) | NO | PRI | NULL | auto_increment | | `ShareId.opaqueid` string | -| `share_type` | smallint(6) | NO | | 0 | | *in CS3 every type is handled by a dedicated API. See below the table* | does NOT map to [`Share.ShareType`](https://cs3org.github.io/cs3apis/#cs3.sharing.ocm.v1beta1.Share.ShareType) *TODO clarify* | -| `share_with` | varchar(255) | YES | MUL | NULL | | | `Share.grantee` [`Grantee`](https://cs3org.github.io/cs3apis/#cs3.storage.provider.v1beta1.Grantee) | -| `uid_owner` | varchar(64) | NO | | | | | `ShareId.owner` [`UserID`](https://cs3org.github.io/cs3apis/#cs3.identity.user.v1beta1.UserId) | -| `parent` | int(11) | YES | | NULL | | | - | -| `item_type` | varchar(64) | NO | MUL | | | | `Share.resource_id` [`ResourceId`](https://cs3org.github.io/cs3apis/#cs3.storage.provider.v1beta1.ResourceId) | -| `item_source` | varchar(255) | YES | MUL | NULL | | | `Share.resource_id` [`ResourceId`](https://cs3org.github.io/cs3apis/#cs3.storage.provider.v1beta1.ResourceId) | -| `item_target` | varchar(255) | YES | | NULL | | | `Share.resource_id` [`ResourceId`](https://cs3org.github.io/cs3apis/#cs3.storage.provider.v1beta1.ResourceId) | -| `file_source` | bigint(20) | YES | MUL | NULL | | *cannot store uuid style file ids from oCIS. 
when all users have migrated to oCIS the share manager needs to be updated / migrated to a version that does.* | `Share.resource_id` [`ResourceId`](https://cs3org.github.io/cs3apis/#cs3.storage.provider.v1beta1.ResourceId) | -| `file_target` | varchar(512) | YES | | NULL | | | `Share.resource_id` [`ResourceId`](https://cs3org.github.io/cs3apis/#cs3.storage.provider.v1beta1.ResourceId) | -| `permissions` | smallint(6) | NO | | 0 | | | `Share.Permissions` [`SharePermissions`](https://cs3org.github.io/cs3apis/#cs3.sharing.ocm.v1beta1.SharePermissions) | -| `stime` | bigint(20) | NO | | 0 | | | `Share.ctime`, `Share.mtime` | -| `accepted` | smallint(6) | NO | | 0 | | | `ReceivedShare.ShareState` [`ShareState`](https://cs3org.github.io/cs3apis/#cs3.sharing.collaboration.v1beta1.ShareState) | -| `expiration` | datetime | YES | | NULL | | *only used for the Link API and storage provider api, currently cannot be added using the Collaboration or OCM API* | [`Grant`](https://cs3org.github.io/cs3apis/#cs3.storage.provider.v1beta1.Grant) | -| `token` | varchar(32) | YES | MUL | NULL | | | [`PublicShare.token`](https://cs3org.github.io/cs3apis/#cs3.sharing.link.v1beta1.PublicShare) | -| `mail_send` | smallint(6) | NO | | 0 | | | - | -| `uid_initiator` | varchar(64) | YES | | NULL | | | `ShareId.creator` [`UserID`](https://cs3org.github.io/cs3apis/#cs3.identity.user.v1beta1.UserId) | -| `share_name` | varchar(64) | YES | | NULL | | *only exists for public shares* | [`PublicShare.display_name`](https://cs3org.github.io/cs3apis/#cs3.sharing.link.v1beta1.PublicShare) | -| `attributes` | longtext | YES | | NULL | | *additional share attributes* | *could be implemented using opaque data, but should be added to the CS3 api* | - -In the CS3 API -1. public links are handled by the PublicShareProvider using the [Link API](https://cs3org.github.io/cs3apis/#cs3.sharing.link.v1beta1.LinkAPI) -2. 
internal shares are handled by the UserShareProvider using the [Collaboration API](https://cs3org.github.io/cs3apis/#cs3.sharing.collaboration.v1beta1.CollaborationAPI). This covers user and group shares. -3. federated shares are handled by the OcmShareProvider using the [OCM Share Provider AP](https://cs3org.github.io/cs3apis/#cs3.sharing.ocm.v1beta1.OcmAPI) aka. Open Cloud Mesh. - - -
- -### share_external - -Used to store additional metadata for federated shares. - -| Field | Type | Null | Key | Default | Extra | Comment | -|-----------------|---------------|------|-----|---------|----------------|---------| -| `id` | bigint(20) | NO | PRI | NULL | auto_increment | | -| `remote` | varchar(512) | NO | | NULL | | Url of the remote owncloud instance | -| `share_token` | varchar(64) | NO | | NULL | | Public share token | -| `password` | varchar(64) | YES | | NULL | | Optional password for the public share | -| `name` | varchar(64) | NO | | NULL | | Original name on the remote server | -| `owner` | varchar(64) | NO | | NULL | | User that owns the public share on the remote server | -| `user` | varchar(64) | NO | MUL | NULL | | Local user which added the external share | -| `mountpoint` | varchar(4000) | NO | | NULL | | Full path where the share is mounted | -| `mountpoint_hash` | varchar(32) | NO | | NULL | | md5 hash of the mountpoint | -| `remote_id` | varchar(255) | NO | | -1 | | | -| `accepted` | int(11) | NO | | 0 | | | - -
- -_TODO document how the reva OCM service currently persists the data_ - -
- -
- -### trusted_servers - -used to determine if federated shares can automatically be accepted - -| Field | Type | Null | Key | Default | Extra | Comment | -|---------------|--------------|------|-----|---------|----------------|---------| -| `id` | int(11) | NO | PRI | NULL | auto_increment | | -| `url` | varchar(512) | NO | | NULL | | Url of trusted server | -| `url_hash` | varchar(255) | NO | UNI | | | sha1 hash of the url without the protocol | -| `token` | varchar(128) | YES | | NULL | | token used to exchange the shared secret | -| `shared_secret` | varchar(256) | YES | | NULL | | shared secret used to authenticate | -| `status` | int(11) | NO | | 2 | | current status of the connection | -| `sync_token` | varchar(512) | YES | | NULL | | cardDav sync token | - -
- -_TODO clarify how OCM handles this and where we store / configure this. It seems related to trusted IdPs_ - -
- -
- -### user data - -Users are migrated in two steps: -1. They should all be authenticated using OpenID Connect, which already moves them to a common identity management system. -2. To search share recipients, both, ownCloud 10 and oCIS need access to the same user directory using e.g. LDAP. - -
- -_TODO add state to CS3 API, so we can 'disable' users_ -_TODO how do we map (sub) admins? -> map to roles & permissions_ - -
- -accounts: - -| Field | Type | Null | Key | Default | Extra | Comment | -|---------------|---------------------|------|-----|---------|----------------|---------| -| `id` | bigint(20) unsigned | NO | PRI | NULL | auto_increment | | -| `email` | varchar(255) | YES | MUL | NULL | | | -| `user_id` | varchar(255) | NO | UNI | NULL | | | -| `lower_user_id` | varchar(255) | NO | UNI | NULL | | | -| `display_name` | varchar(255) | YES | MUL | NULL | | | -| `quota` | varchar(32) | YES | | NULL | | | -| `last_login` | int(11) | NO | | 0 | | | -| `backend` | varchar(64) | NO | | NULL | | | -| `home` | varchar(1024) | NO | | NULL | | | -| `state` | smallint(6) | NO | | 0 | | | - -users: - -| Field | Type | Null | Key | Default | Extra | Comment | -|-------------|--------------|------|-----|---------|-------|---------| -| `uid` | varchar(64) | NO | PRI | | | -| `password` | varchar(255) | NO | | | | -| `displayname` | varchar(64) | YES | | NULL | | - -groups: - -The groups table really only contains the group name. - -| Field | Type | Null | Key | Default | Extra | -|-------|-------------|------|-----|---------|-------| -| `gid` | varchar(64) | NO | PRI | | | - -
- -### LDAP - -
- -_TODO clarify if metadata from ldap & user_shibboleth needs to be migrated_ - -
- -The `dn` -> *owncloud internal username* mapping that currently lives in the `oc_ldap_user_mapping` table needs to move into a dedicated `ownclouduuid` attribute in the LDAP server. The idp should send it as a claim so the proxy does not have to look up the user using LDAP again. The username cannot be changed in ownCloud 10 and the oCIS provisioning API will not allow changing it as well. When we introduce the graph api we may allow changing usernames when all clients have moved to that api. - -The problem is that the username in owncloud 10 and in oCIS also need to be the same, which might not be the case when the ldap mapping used a different column. In that case we should add another owncloudusername attribute to the ldap server. - - -
- -### activities - -*dedicated service, not yet implemented, requires decisions about an event system -- jfd* - -| Field | Type | Null | Key | Default | Extra | Comment | -|---------------|---------------|------|-----|---------|----------------|---------| -| `activity_id` | bigint(20) | NO | PRI | NULL | auto_increment | -| `timestamp` | int(11) | NO | MUL | 0 | | -| `priority` | int(11) | NO | | 0 | | -| `type` | varchar(255) | YES | | NULL | | -| `user` | varchar(64) | YES | | NULL | | -| `affecteduser` | varchar(64) | NO | MUL | NULL | | -| `app` | varchar(255) | NO | | NULL | | -| `subject` | varchar(255) | NO | | NULL | | -| `subjectparams` | longtext | NO | | NULL | | -| `message` | varchar(255) | YES | | NULL | | -| `messageparams` | longtext | YES | | NULL | | -| `file` | varchar(4000) | YES | | NULL | | -| `link` | varchar(4000) | YES | | NULL | | -| `object_type` | varchar(255) | YES | MUL | NULL | | -| `object_id` | bigint(20) | NO | | 0 | | - -## Links - -The [data_exporter](https://github.com/owncloud/data_exporter) has logic that allows exporting and importing users, including shares. The [model classes](https://github.com/owncloud/data_exporter/tree/master/lib/Model) contain the exact mapping. - -
diff --git a/docs/ocis/release_notes.md b/docs/ocis/release_notes.md
deleted file mode 100644
index 3de7e40732..0000000000
--- a/docs/ocis/release_notes.md
+++ /dev/null
@@ -1,10 +0,0 @@
----
-title: "Release Notes"
-date: 2020-12-16T20:35:00+01:00
-weight: 0
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/ocis
-geekdocFilePath: release_notes.md
----
-
-The Infinite Scale Release Notes have been moved and are published with the [ownCloud Documentation](https://doc.owncloud.com/docs/next/ocis_release_notes.html).
diff --git a/docs/ocis/release_roadmap.md b/docs/ocis/release_roadmap.md
deleted file mode 100644
index 95ca50a95b..0000000000
--- a/docs/ocis/release_roadmap.md
+++ /dev/null
@@ -1,152 +0,0 @@ ---- -title: "Release Life Cycle" -date: 2024-05-10T21:20:00+01:00 -weight: 0 -geekdocRepo: https://github.com/owncloud/ocis -geekdocEditPath: edit/master/docs/ocis -geekdocFilePath: release_roadmap.md ---- - -{{< toc >}} - -This page is designed to provide clarity and transparency regarding the scheduling, nature, and support of our releases, ensuring you have all the information you need to stay updated and manage your deployments effectively. Find here an overview of our plans for future enhancements and features: [owncloud.com/roadmap](https://owncloud.com/roadmap) - -## Dates - - -| Release Date | Type | Version | Notes | Support | -|----------------|----------------|---------------------------------------------------------------------------------------|-------------------------------------------------------------------------------------------------------|--------------------| -| 22.09.2025 | Production | - | - | - | -| 01.09.2025 | Rolling | - | - | - | -| 11.08.2025 | Rolling | - | - | - | -| 21.07.2025 | Rolling | - | - | - | -| 30.06.2025 | Rolling | - | - | - | -| 09.06.2025 | Rolling | - | - | - | -| 19.05.2025 | Rolling | - | - | - | -| 28.04.2025 | Rolling | - | - | - | -| 17.03.2025 | Production | - | - | - | -| 24.02.2025 | Rolling | - | - | - | -| 03.02.2025 | Rolling | - | - | - | -| 13.01.2025 | Rolling | - | - | - | -| 02.12.2024 | Rolling | - | - | - | -| 11.11.2024 | Production | - | - | - | -| **14.11.2024** | **Production** | **[Infinite Scale 5 (5.0.9)](https://download.owncloud.com/ocis/ocis/stable/5.0.9/)** | **[Release Notes](https://doc.owncloud.com/ocis_release_notes.html#infinite-scale-5-0-9-production)** | **Active Support** | -| 24.10.2024 | Rolling | [Infinite Scale 6 (6.6.1)](https://download.owncloud.com/ocis/ocis/rolling/6.6.1/) | [Release Notes](https://doc.owncloud.com/ocis_release_notes.html#infinite-scale-6-6-1-rolling) | - | -| 22.10.2024 | Rolling | [Infinite Scale 6 
(6.6.0)](https://download.owncloud.com/ocis/ocis/rolling/6.6.0/) | [Release Notes](https://doc.owncloud.com/ocis_release_notes.html#infinite-scale-6-6-0-rolling) | - | -| 01.10.2024 | Rolling | [Infinite Scale 6 (6.5.0)](https://download.owncloud.com/ocis/ocis/rolling/6.5.0/) | [Release Notes](https://doc.owncloud.com/ocis_release_notes.html#infinite-scale-6-5-0-rolling) | - | -| 30.09.2024 | Production | [Infinite Scale 5 (5.0.8)](https://download.owncloud.com/ocis/ocis/stable/5.0.8/) | [Release Notes](https://doc.owncloud.com/ocis_release_notes.html#infinite-scale-5-0-8-production) | Active Support | -| 12.09.2024 | Rolling | [Infinite Scale 6 (6.4.0)](https://download.owncloud.com/ocis/ocis/rolling/6.4.0/) | [Release Notes](https://doc.owncloud.com/ocis_release_notes.html#infinite-scale-6-4-0-rolling) | - | -| 04.09.2024 | Production | [Infinite Scale 5 (5.0.7)](https://download.owncloud.com/ocis/ocis/stable/5.0.7/) | [Release Notes](https://doc.owncloud.com/ocis_release_notes.html#infinite-scale-5-0-7-production) | Active Support | -| 19.08.2024 | Rolling | [Infinite Scale 6 (6.3.0)](https://download.owncloud.com/ocis/ocis/rolling/6.3.0/) | [Release Notes](https://doc.owncloud.com/ocis_release_notes.html#infinite-scale-6-3-0-rolling) | - | -| 30.07.2024 | Rolling | [Infinite Scale 6 (6.2.0)](https://download.owncloud.com/ocis/ocis/rolling/6.2.0/) | [Release Notes](https://doc.owncloud.com/ocis_release_notes.html#infinite-scale-6-2-0-rolling) | - | -| 08.07.2024 | Rolling | [Infinite Scale 6 (6.1.0)](https://download.owncloud.com/ocis/ocis/rolling/6.1.0/) | [Release Notes](https://doc.owncloud.com/ocis_release_notes.html#infinite-scale-6-1-0-rolling) | - | -| 19.06.2024 | Rolling | [Infinite Scale 6 (6.0.0)](https://download.owncloud.com/ocis/ocis/rolling/6.0.0/) | [Release Notes](https://doc.owncloud.com/ocis_release_notes.html#infinite-scale-6-0-0-rolling) | - | -| 17.07.2024 | Production | [Infinite Scale 5 
(5.0.6)](https://download.owncloud.com/ocis/ocis/stable/5.0.6/) | [Release Notes](https://doc.owncloud.com/ocis_release_notes.html#infinite-scale-5-0-6) | Active Support | -| 22.05.2024 | Production | [Infinite Scale 5 (5.0.5)](https://download.owncloud.com/ocis/ocis/stable/5.0.5/) | [Release Notes](https://doc.owncloud.com/ocis_release_notes.html#infinite-scale-5-0-5) | Active Support | -| 14.05.2024 | Production | [Infinite Scale 5 (5.0.4)](https://download.owncloud.com/ocis/ocis/stable/5.0.4/) | [Release Notes](https://doc.owncloud.com/ocis_release_notes.html#infinite-scale-5-0-4) | Active Support | -| 02.05.2024 | Production | [Infinite Scale 5 (5.0.3)](https://download.owncloud.com/ocis/ocis/stable/5.0.3/) | [Release Notes](https://doc.owncloud.com/ocis_release_notes.html#infinite-scale-5-0-3) | Active Support | -| 17.04.2024 | Production | [Infinite Scale 5 (5.0.2)](https://download.owncloud.com/ocis/ocis/stable/5.0.2/) | [Release Notes](https://doc.owncloud.com/ocis_release_notes.html#infinite-scale-5-0-2) | Active Support | -| 11.04.2024 | Production | [Infinite Scale 5 (5.0.1)](https://download.owncloud.com/ocis/ocis/stable/5.0.1/) | [Release Notes](https://doc.owncloud.com/ocis_release_notes.html#infinite-scale-5-0-1) | Active Support | -| 18.03.2024 | Production | [Infinite Scale 5 (5.0.0)](https://download.owncloud.com/ocis/ocis/stable/5.0.0/) | [Release Notes](https://doc.owncloud.com/ocis_release_notes.html#infinite-scale-5-0-0) | Active Support | -| 27.03.2024 | Production | [Infinite Scale 4 (4.0.7)](https://download.owncloud.com/ocis/ocis/stable/4.0.7/) | [Release Notes](https://doc.owncloud.com/ocis_release_notes.html#infinite-scale-4-0-7) | Discontinued | -| 07.02.2024 | Production | [Infinite Scale 4 (4.0.6)](https://download.owncloud.com/ocis/ocis/stable/4.0.6/) | [Release Notes](https://doc.owncloud.com/ocis_release_notes.html#infinite-scale-4-0-6) | Discontinued | -| 21.12.2023 | Production | [Infinite Scale 4 
(4.0.5)](https://download.owncloud.com/ocis/ocis/stable/4.0.5/) | [Release Notes](https://doc.owncloud.com/ocis_release_notes.html#infinite-scale-4-0-5) | Discontinued | -| 07.12.2023 | Production | [Infinite Scale 4 (4.0.4)](https://download.owncloud.com/ocis/ocis/stable/4.0.4/) | [Release Notes](https://doc.owncloud.com/ocis_release_notes.html#infinite-scale-4-0-4) | Discontinued | -| 24.11.2023 | Production | [Infinite Scale 4 (4.0.3)](https://download.owncloud.com/ocis/ocis/stable/4.0.3/) | [Release Notes](https://doc.owncloud.com/ocis_release_notes.html#infinite-scale-4-0-3) | Discontinued | -| 06.10.2023 | Production | [Infinite Scale 4 (4.0.2)](https://download.owncloud.com/ocis/ocis/stable/4.0.2/) | [Release Notes](https://doc.owncloud.com/ocis_release_notes.html#infinite-scale-4-0-2) | Discontinued | -| 01.09.2023 | Production | [Infinite Scale 4 (4.0.1)](https://download.owncloud.com/ocis/ocis/stable/4.0.1/) | [Release Notes](https://doc.owncloud.com/ocis_release_notes.html#infinite-scale-4-0-1) | Discontinued | -| 25.08.2023 | Production | [Infinite Scale 4 (4.0.0)](https://download.owncloud.com/ocis/ocis/stable/4.0.0/) | [Release Notes](https://doc.owncloud.com/ocis_release_notes.html#infinite-scale-4-0-0) | Discontinued | -| 07.06.2023 | Production | [Infinite Scale 3 (3.0.0)](https://download.owncloud.com/ocis/ocis/stable/3.0.0/) | [Release Notes](https://doc.owncloud.com/ocis_release_notes.html#infinite-scale-3-0-0) | Discontinued | -| 30.11.2022 | Production | [Infinite Scale 2 (2.0.0)](https://download.owncloud.com/ocis/ocis/stable/2.0.0/) | [Release Notes](https://doc.owncloud.com/ocis_release_notes.html#infinite-scale-2-0-0) | Discontinued | -| 04.04.2022 | Beta | [Infinite Scale 1 (1.9.0)](https://download.owncloud.com/ocis/ocis/stable/1.9.0/) | [Release Notes](https://doc.owncloud.com/ocis_release_notes.html#beta-releases) | Discontinued | -| 04.04.2022 | Beta | [Infinite Scale 1 (1.8.0)](https://download.owncloud.com/ocis/ocis/stable/1.8.0/) | 
[Release Notes](https://doc.owncloud.com/ocis_release_notes.html#beta-releases) | Discontinued | -| 04.04.2022 | Beta | [Infinite Scale 1 (1.7.0)](https://download.owncloud.com/ocis/ocis/stable/1.7.0/) | [Release Notes](https://doc.owncloud.com/ocis_release_notes.html#beta-releases) | Discontinued | -| 04.04.2022 | Beta | [Infinite Scale 1 (1.6.0)](https://download.owncloud.com/ocis/ocis/stable/1.6.0/) | [Release Notes](https://doc.owncloud.com/ocis_release_notes.html#beta-releases) | Discontinued | -| 04.04.2022 | Beta | [Infinite Scale 1 (1.5.0)](https://download.owncloud.com/ocis/ocis/stable/1.5.0/) | [Release Notes](https://doc.owncloud.com/ocis_release_notes.html#beta-releases) | Discontinued | -| 04.04.2022 | Beta | [Infinite Scale 1 (1.4.0)](https://download.owncloud.com/ocis/ocis/stable/1.4.0/) | [Release Notes](https://doc.owncloud.com/ocis_release_notes.html#beta-releases) | Discontinued | -| 04.04.2022 | Beta | [Infinite Scale 1 (1.3.0)](https://download.owncloud.com/ocis/ocis/stable/1.3.0/) | [Release Notes](https://doc.owncloud.com/ocis_release_notes.html#beta-releases) | Discontinued | -| 13.04.2022 | Beta | [Infinite Scale 1 (1.20.0)](https://download.owncloud.com/ocis/ocis/stable/1.20.0/) | [Release Notes](https://doc.owncloud.com/ocis_release_notes.html#beta-releases) | Discontinued | -| 04.04.2022 | Tech Preview | [Infinite Scale 1 (1.2.0)](https://download.owncloud.com/ocis/ocis/stable/1.2.0/) | [Release Notes](https://doc.owncloud.com/ocis_release_notes.html#technology-preview-releases) | Discontinued | -| 05.04.2022 | Tech Preview | [Infinite Scale 1 (1.19.1)](https://download.owncloud.com/ocis/ocis/stable/1.19.1/) | [Release Notes](https://doc.owncloud.com/ocis_release_notes.html#technology-preview-releases) | Discontinued | -| 05.04.2022 | Tech Preview | [Infinite Scale 1 (1.19.0)](https://download.owncloud.com/ocis/ocis/stable/1.19.0/) | [Release Notes](https://doc.owncloud.com/ocis_release_notes.html#technology-preview-releases) | 
Discontinued | -| 04.04.2022 | Tech Preview | [Infinite Scale 1 (1.18.0)](https://download.owncloud.com/ocis/ocis/stable/1.18.0/) | [Release Notes](https://doc.owncloud.com/ocis_release_notes.html#technology-preview-releases) | Discontinued | -| 04.04.2022 | Tech Preview | [Infinite Scale 1 (1.17.0)](https://download.owncloud.com/ocis/ocis/stable/1.17.0/) | [Release Notes](https://doc.owncloud.com/ocis_release_notes.html#technology-preview-releases) | Discontinued | -| 04.04.2022 | Tech Preview | [Infinite Scale 1 (1.16.0)](https://download.owncloud.com/ocis/ocis/stable/1.16.0/) | [Release Notes](https://doc.owncloud.com/ocis_release_notes.html#technology-preview-releases) | Discontinued | -| 04.04.2022 | Tech Preview | [Infinite Scale 1 (1.15.0)](https://download.owncloud.com/ocis/ocis/stable/1.15.0/) | [Release Notes](https://doc.owncloud.com/ocis_release_notes.html#technology-preview-releases) | Discontinued | -| 04.04.2022 | Tech Preview | [Infinite Scale 1 (1.14.0)](https://download.owncloud.com/ocis/ocis/stable/1.14.0/) | [Release Notes](https://doc.owncloud.com/ocis_release_notes.html#technology-preview-releases) | Discontinued | -| 04.04.2022 | Tech Preview | [Infinite Scale 1 (1.13.0)](https://download.owncloud.com/ocis/ocis/stable/1.13.0/) | [Release Notes](https://doc.owncloud.com/ocis_release_notes.html#technology-preview-releases) | Discontinued | -| 04.04.2022 | Tech Preview | [Infinite Scale 1 (1.12.0)](https://download.owncloud.com/ocis/ocis/stable/1.12.0/) | [Release Notes](https://doc.owncloud.com/ocis_release_notes.html#technology-preview-releases) | Discontinued | -| 04.04.2022 | Tech Preview | [Infinite Scale 1 (1.11.0)](https://download.owncloud.com/ocis/ocis/stable/1.11.0/) | [Release Notes](https://doc.owncloud.com/ocis_release_notes.html#technology-preview-releases) | Discontinued | -| 04.04.2022 | Tech Preview | [Infinite Scale 1 (1.10.0)](https://download.owncloud.com/ocis/ocis/stable/1.10.0/) | [Release 
Notes](https://doc.owncloud.com/ocis_release_notes.html#technology-preview-releases) | Discontinued | -| 04.04.2022 | Tech Preview | [Infinite Scale 1 (1.1.0)](https://download.owncloud.com/ocis/ocis/stable/1.1.0/) | [Release Notes](https://doc.owncloud.com/ocis_release_notes.html#technology-preview-releases) | Discontinued | -| 04.04.2022 | Tech Preview | [Infinite Scale 1 (1.0.06)](https://download.owncloud.com/ocis/ocis/stable/1.0.0/) | [Release Notes](https://doc.owncloud.com/ocis_release_notes.html#technology-preview-releases) | Discontinued | - -Please find the daily release here: [https://download.owncloud.com/ocis/ocis/daily/](https://download.owncloud.com/ocis/ocis/daily/). - - -## Release Types - -ownCloud Infinite Scale is released in three different release types: **Production**, **Rolling** and **Daily**. Each of them is targeted to a specific use case and audience group: - -{{< columns >}} -{{< hint type=tip title=Production >}} -- Stable and tested release, suitable for critical data. -- Slow cycle, but most stable with slow feature additions. -- Patch releases are provided for critical- and security-bugs as defined by ownCloud support regulations. -{{< /hint >}} -<---> -{{< hint title=Rolling icon=gdoc_check >}} -- Chances are high that some manual testing has happened, yet not structured. -- Features are mostly completed. An upgrade path from the previous rolling release is provided and tested. Great release to use with non critical data. -- Critical bugs are guaranteed to be fixed with the next rolling release. -{{< /hint >}} -## -<---> -{{< hint type=important title=Daily >}} -- Mainly for test use cases. As the releases are done completely unattended, only the automatic test suite has tested the release. Manual testing was only applied by chance. -- Based on ownClouds strong test suite the daily releases are pretty stable, but the risk of unfinished changes is high. 
-- For example, if a feature requires three commits, and only one was committed, the daily is cut anyway.{{< /columns >}} -{{< /hint >}} - -| Type | Production | Rolling | Daily | -| ----------------------------- | ------------------------------------------------------------------------------------------------------ | -------------------------------------------------- | ---------------------------------------- | -| Frequency | About every 6 month | Every 3 weeks | Daily | -| Audience | Everyone | Early adopters | Developers | -| Risk | Low (known) risk | Low-medium risk | High (unknown) risk | -| Support | Commercially supported | Company support on special agreement with ownCloud | Community support | -| Documentation | Official | Moving documentation | Moving documentation, engineering output | -| Updates | Patch releases based on last stable | Rolling every three weeks | None | -| Update path | Incremental: from previous production to new production, from last rolling before a production release | from previous rolling to new rolling | Clean slate | -| Downgrade | No | No | No | -| Service-level agreement (SLA) | Yes | No | No | -| Overlapping support | Yes | No | No | - - - - -## Documentation -- **Production** will come with released documentation that is specific for the release. It will remain valid throughout the whole livetime of the release. If patches require documentation changes, addendums will be delivered. - -- **Daily** and **Rolling** have access to the documentation as it moves forward in the development process along with the product which will be available on ownClouds web site. There wont be specific releases. Changelog entries, PR comments and similar engineering output can complement the information. - -## Updating and Overlap - -- **Production** provides a guaranteed upgrade path from the last Production release, as well as from the previous Rolling release before the new Production. For that, support from ownCloud is required. 
Upgrades between two Production releases are only supported to tested patch releases provided by ownCloud. In an upgrade process, all released patch releases have to be installed in the correct sequence. - -- **Rolling** is guaranteed to upgrade from the last rolling release or from the previous daily before the new Rolling release. If a critical bug is found in a rolling release, it is guaranteed to be fixed in the next Rolling. There are no backports to the Rolling. In critical cases, an upgrade to a daily release in between has to be done at own risk. - -- **Daily** does not come with any guaranteed update path. Chances are good that updates will go smooth, but that might have hickups in cases where the upgrade code is not finalized in time. - -Only production gives a reasonable overlap time between releases, for example if version 9 was released, version 8 will still receive a patch release for critical bugs for a reasonable time frame. That time frame will be announced separately and will be aligned with customer needs. -## Support -ownCloud only offers commercial support for **Production**. Rolling might be considered for customer installations in the sales process but always requires an individual agreement between all parties. - -**Daily** and **Rolling** are supported on best effort provided by community and ownCloud staff. There is **no SLA** and no guarantee for attention. - -As ownCloud understands that the effort taken to report a problem is significant and results benefit all users in the community and ownCloud customers, there are resources available to respectfully work on community issues. - -Please consider the [Contribution guidelines](https://github.com/owncloud/ocis/blob/master/CONTRIBUTING.md) for this. - -## Versioning Scheme -{{< figure src="../storage/static/semver-schema.png" width="70%" alt="Schema of Semantic Versioning" >}} -We adhere to **Semantic Versioning** (SemVer) to ensure clarity and predictability in each of our releases. 
Learn how Semantic Versioning works on [https://semver.org/](https://semver.org/ ). diff --git a/docs/ocis/static/architecture-overview.drawio.svg b/docs/ocis/static/architecture-overview.drawio.svg deleted file mode 100644 index 19102f8110..0000000000 --- a/docs/ocis/static/architecture-overview.drawio.svg +++ /dev/null @@ -1,4 +0,0 @@ - - - -
Storage
Storage
identity management
identity management
reva
reva
proxy
reverse proxy
+ api gateway
proxy...
users
users
idp
konnectd / keycloak
idp...
ldap
AD, openldap, idm
ldap...
web
(aka phoenix)
web...
graph
graph
graph-explorer
graph-explorer
hello
hello
onlyoffice
onlyoffice
settings
settings
store
store
idm
idm
OCIS
OCIS
ocs
ocs
webdav
webdav
registry
registry
authbasic
authbasic
authbearer
authbearer
authprovider
(basic)
authprovider...
authprovider
(oidc)
authprovider...
userprovider
userprovider
gateway
gateway
gateway
gateway
authregistry
authregistry
storageregistry
storageregistry
frontend
frontend
ocs
ocs
ocdav
ocdav
ocm
ocm
datagateway
datagateway
storagehome
storagehome
storageprovider
storageprovider
dataprovider
dataprovider
storageusers
storageusers
storageprovider
storageprovider
dataprovider
dataprovider
storagemeta
storagemeta
storageprovider
storageprovider
dataprovider
dataprovider
storagepubliclink
storagepubliclink
publicstorageprovider
publicstorageprovider
authprovider
(publicshares)
authprovider...
sharing
sharing
usershareprovider
usershareprovider
publicshareprovider
publicshareprovider

single host

- all services run on a single host
- no redundancy
- minimize resource usage
- home setup
single host...
Text is not SVG - cannot display
\ No newline at end of file
diff --git a/docs/ocis/static/cs3org.png b/docs/ocis/static/cs3org.png
deleted file mode 100644
index 6f06e21695..0000000000
Binary files a/docs/ocis/static/cs3org.png and /dev/null differ
diff --git a/docs/ocis/static/grpc-logo.png b/docs/ocis/static/grpc-logo.png
deleted file mode 100644
index 11ad9b1eb6..0000000000
Binary files a/docs/ocis/static/grpc-logo.png and /dev/null differ
diff --git a/docs/ocis/static/http-logo.png b/docs/ocis/static/http-logo.png
deleted file mode 100644
index b37f746738..0000000000
Binary files a/docs/ocis/static/http-logo.png and /dev/null differ
diff --git a/docs/ocis/static/idea.drawio.svg b/docs/ocis/static/idea.drawio.svg
deleted file mode 100644
index 068b7318de..0000000000
--- a/docs/ocis/static/idea.drawio.svg
+++ /dev/null
@@ -1,489 +0,0 @@ - - - - - - - - -
-
-
- storage provider -
-
-
-
- - storage provider - -
-
- - - - -
-
-
- storage provider -
-
-
-
- - storage provider - -
-
- - - - storage space - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - storage space - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - storage space - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
-
- a sea of storage spaces -
-
-
-
- - a sea of storage spaces - -
-
- - - storage space - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - storage space - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
-
- einstein -
-
-
-
- - einst... - -
-
- - - - - -
-
-
- marie -
-
-
-
- - marie - -
-
- - - - - -
-
-
- richard -
-
-
-
- - richa... - -
-
- - - - - - -
-
-
- storage space -
- registry at -
- - https://cloud.zurich.test - -
-
-
-
- - storage sp... - -
-
- - - - -
-
-
- storage space -
- registry at -
- - https://cloud.paris.test - -
-
-
-
- - storage sp... - -
-
- - - - -
-
-
- storage space -
- registry at -
- - https://cloud.princeton.test - -
-
-
-
- - storage sp... - -
-
- - - - -
-
-
- oCIS = federated storage -
-
-
-
- - oCIS = federated storage - -
-
- - - - -
-
-
- multiple -
- storage registries -
-
-
-
- - multiple... - -
-
- - - - -
-
-
- end user devices -
-
-
-
- - end user devices - -
-
- - - - -
-
-
- storage provider -
-
-
-
- - storage provider - -
-
- - - storage space - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - Viewer does not support full SVG 1.1 - - - -
\ No newline at end of file
diff --git a/docs/ocis/static/monitoring_tracing_overview.drawio.svg b/docs/ocis/static/monitoring_tracing_overview.drawio.svg
deleted file mode 100644
index 79ea637533..0000000000
--- a/docs/ocis/static/monitoring_tracing_overview.drawio.svg
+++ /dev/null
@@ -1,280 +0,0 @@ - - - - - - - - - - - - -
-
-
- Prometheus -
-
-
-
- - Prometheus - -
-
- - - - - - - - -
-
-
- Jaeger Query -
-
-
-
- - Jaeger Query - -
-
- - - - - - -
-
-
- Jaeger Collector -
-
-
-
- - Jaeger Collector - -
-
- - - - -
-
-
- ElasticSearch -
-
-
-
- - ElasticSearch - -
-
- - - - - - - - -
-
-
- Grafana -
-
-
-
- - Grafana - -
-
- - - - - - -
-
-
- oCIS -
-
-
-
- - oCIS - -
-
- - - - -
-
-
- Telegraf -
-
-
-
- - Telegraf - -
-
- - - - -
-
-
- Prometheus output -
-
-
-
- - Prometheus output - -
-
- - - - - - - - -
-
-
- Prometheus input -
-
-
-
- - Prometheus input - -
-
- - - - -
-
-
- Host & Docker metrics -
-
-
-
- - Host & Docker metrics - -
-
- - - - - - -
-
-
- Jaeger Agent -
-
-
-
- - Jaeger Agent - -
-
- - - - - - - - -
-
-
- server for monitoring & tracing infrastructure -
-
-
-
- - server for monitoring & tracing infrastru... - -
-
- - - - -
-
-
- server(s) for oCIS with monitoring & tracing clients -
-
-
-
- - server(s) for oCIS with monitoring & tracing c... - -
-
- - - - -
-
-
- Visualization and querying of -
- metrics and traces -
-
-
-
- - Visualization and querying o... - -
-
-
- - - - - Viewer does not support full SVG 1.1 - - - -
\ No newline at end of file
diff --git a/docs/ocis/static/ocis-apis.drawio.svg b/docs/ocis/static/ocis-apis.drawio.svg
deleted file mode 100644
index 85721884e0..0000000000
--- a/docs/ocis/static/ocis-apis.drawio.svg
+++ /dev/null
@@ -1,286 +0,0 @@ - - - - - - - -
-
-
- Client 1 -
-
-
-
- - Client 1 - -
-
- - - - -
-
-
- HTTP Gateway -
- (proxy service) -
-
-
-
- - HTTP Gateway... - -
-
- - - - -
-
-
- Client 2 -
-
-
-
- - Client 2 - -
-
- - - - -
-
-
- Client 3 -
-
-
-
- - Client 3 - -
-
- - - - - - -
-
-
- HTTP -
-
-
-
- - HTTP - -
-
- - - - - - -
-
-
- HTTP -
-
-
-
- - HTTP - -
-
- - - - - - -
-
-
- HTTP -
-
-
-
- - HTTP - -
-
- - - - -
-
-
- ocis service -
-
-
-
- - ocis service - -
-
- - - - -
-
-
- ocis service -
-
-
-
- - ocis service - -
-
- - - - -
-
-
- ocis service -
-
-
-
- - ocis service - -
-
- - - - - - -
-
-
- HTTP -
-
-
-
- - HTTP - -
-
- - - - -
-
-
- GRPC Gateway -
- (gateway service) -
-
-
-
- - GRPC Gateway... - -
-
- - - - - - -
-
-
- gRPC -
-
-
-
- - gRPC - -
-
- - - - - - -
-
-
- gRPC -
-
-
-
- - gRPC - -
-
- - - - - - -
-
-
- HTTP -
-
-
-
- - HTTP - -
-
-
- - - - - Viewer does not support full SVG 1.1 - - - -
\ No newline at end of file
diff --git a/docs/ocis/static/ocis-config-redesign.drawio.svg b/docs/ocis/static/ocis-config-redesign.drawio.svg
deleted file mode 100644
index e7615dd022..0000000000
--- a/docs/ocis/static/ocis-config-redesign.drawio.svg
+++ /dev/null
@@ -1,4 +0,0 @@ - - - -
> ocis server
> ocis server

# global logging config
log:
  pretty: true
  color: true
  level: info
proxy:
  http:
    addr: localhost:9200
  log:
    pretty: false
    color: false
    level: info
accounts:
  log:
    level: debug
    color: false
    pretty: false

# global logging config...
ocis.yaml
ocis.yaml

  http:
    addr: localhost:1234
  log:
    pretty: false
    color: false
    level: info

http:...
proxy.yaml
proxy.yaml

  http:
    addr: localhost:5678


http:...
accounts.yaml
accounts.yaml
resulting proxy config values
resulting proxy config values
resulting accounts config values
resulting accounts config values

  http:
    addr: localhost:1234
  log:
    pretty: false
    color: false
    level: info


http:...
notice how even if ocis supplies
with logging configuration, the values
from the extension overwrite the inherited
values. This can also be achieved using an
environment variable.
notice how even if ocis supplies...

  http:
    addr: localhost:5678
  log:
    pretty: false
    color: false
    level: debug


http:...
on the other hand here we see the extension
inherited the logging information from the parent.
The same holds true from any value. Values from
ocis.yaml are carried down to their respective
extensions.
on the other hand here we see the extension...
Viewer does not support full SVG 1.1
diff --git a/docs/ocis/static/ocis-services-communication.drawio.svg b/docs/ocis/static/ocis-services-communication.drawio.svg
deleted file mode 100644
index 06d30268e8..0000000000
--- a/docs/ocis/static/ocis-services-communication.drawio.svg
+++ /dev/null
@@ -1,4 +0,0 @@ - - - -
public share auth provider
public share auth pr...
machine auth provider
machine auth provider
proxy
proxy
web
web
grpc
grpc
grpc
grpc
ocs
ocs
grpc
grpc
ocdav
ocdav
grpc
grpc
ocs
ocs
grpc
grpc
settings
settings
LDAP
LDAP
idp
idp
nats
nats
grpc
grpc
LDAP
LDAP
graph
graph
http
http
graph-explorer
graph-explorer
grpc
grpc
webdav
webdav
grpc
grpc
thumbnails
thumbnails
gateway
gateway
grpc
grpc
storage registry
storage registry
grpc
grpc
storage provider
storage provider
share storage provider
share storage provid...
public storage provider
public storage provi...
user provider
user provider
group provider
group provider
http
http
http
http
http
http
http
http
http
http
http
http
http
http
http

http
http
http
grpc
grpc
grpc
grpc
grpc
grpc
grpc
grpc
grpc
grpc
grpc
grpc
Storage
Storage
Reva
Reva
oCIS
oCIS
http
http
libregraph/idm
libregraph/idm
oidc authprovider
oidc authprovider
LDAP
LDAP
basic auth provider
basic auth provider
grpc
grpc
grpc
grpc
Text is not SVG - cannot display
\ No newline at end of file
diff --git a/docs/ocis/static/runtime.drawio.svg b/docs/ocis/static/runtime.drawio.svg
deleted file mode 100644
index 754593d792..0000000000
--- a/docs/ocis/static/runtime.drawio.svg
+++ /dev/null
@@ -1,4 +0,0 @@ - - - -
Runtime
Runtime
ocs
ocs
graph
graph
idm
idm
storage
storage
proxy
proxy
idp
idp
thumbnails
thumbnails
webdav
webdav
suture
suture
$ ocis server
$ ocis kill proxy
$ ocis start proxy
$ ocis list
$ ocis server...
the runtime component starts services
and suture then takes over, keeping
track of every started service, restarting
it when needed if an error occurred.
the runtime component starts services...
each service is implemented as a sub-command. The binary essentially calls itself with the right arguments and the side effect is that a
service is started. The service will then be monitored by Suture.
each service is implemented as a sub-command. The binary essentially calls itself with the right arguments and the side e...
the runtime is a service in itself. Starting an
oCIS instance will start a runtime service.
the runtime is a service in itself. Star...
Text is not SVG - cannot display
\ No newline at end of file
diff --git a/docs/ocis/static/src/tus-public-upload.drawio b/docs/ocis/static/src/tus-public-upload.drawio
deleted file mode 100644
index 544651b408..0000000000
--- a/docs/ocis/static/src/tus-public-upload.drawio
+++ /dev/null
@@ -1 +0,0 @@ -7T1rc5u42r8mMz0fzCDufEwbJ+2ZbtNxstvd86VDbGxz6hgfjHN5f/0rAcLwSNgyllx8ye6ksQySEM/9emV+en67S4LF9I94FM6uDH30dmXeXBmG6dkI/0NG3vMRZJt6PjJJolExth54iP4vLAbpZatoFC5rF6ZxPEujRX1wGM/n4TCtjQVJEr/WLxvHs/qqi2ASMgMPw2DGjv6IRum0GEWOv/7icxhNpsXSnuHmXzwH9OLiSZbTYBS/VobM/pX5KYnjNP/r+e1TOCOnR88lv++24dtyY0k4T0VuMLxiIy/BbFU83ZXhzPDNHxdkf+l78dDO/1ZkUx/T8C3tBbNoMr8yr/EV/10t02j8jv/CX2aPmEyi4jtr8YZ/6+vfdBL816T4N1vqiQ7Ew2jZS8KXID+bJJpP6DX4IZ7gfXhsAcemCRzhP0h1ozrcqO7xtjvo/3X98+Hz9eDLt7uf1zc3g+ypb8hNWvYfns1Hts7fnlHbhvESJmmEYeo6P8ubpzhN42d8ZXG4N7NwTG5cLoIhPobHeIHHvPXA1+zrG2M9MiggDmVj02BBVhqunkLyMUciRN7SKEowVkQxWWQZrwhIfhzH8/Sh2By5Zpo+z8j15c6rMFWAGXmC8K0yVMDYXRg/h2lCYILifAFlBcIbroE05OVjr2sMsuziumkFeZBTXBgUWDspp18DNv6jgO0GONe7C+fjBJ99OB91CNAXcZKWsO0jqx1EpwRkTxGcEYBn2/Y032LA2UE8cDaRpjv7Q7SHGgF6iugr+nMxi4NRxh7JctnrihPC3fAJJPELZqNJ5dWub6xAVHWmJb5vtSR3p1Py+/HPh3ymNB7GM7pOmgTz5ZjMXFz29J6GyxzSn8vB4Swib4Dek40Fw3QVzGrbXL4v0xDfhQ9EDyca/t2/f9A24UU58JjNOYqCSRKQdWdh8JLtAwMJWQyDCt4BhtgMePAAwcHK0rM4/rVaNKwFYJ+QizqcLdMk/hV+imdxgkfm8ZzA7TiazcBQAe14wIbo0cuIzes0SsMHPE6WesUiFaEfGFjHs0xymEajUYhh/2MSr+ajcFRAvAQwt+pQTj9WINz2eBBOae0+4I3Q7vCdw9Bi9TSLhnuA+nc6wSya/1pmImOYwX0mjBAscoJn8hLmT8tFzgzwsRMwCkfZ+ovm9fEegzRHomW54xTDCYG/aF4OkaXJZUmJVBVoXeNfEv5vFS7T8wVRQIiR5bJA6lgcIPVkwKhv7ChUsKy4Kkz0Moa5Fijy76AgMsSnlYFS5etROMSwlvNAcg055QTDUCgqimAIfXs/nABSe+pcMLgWk0UyQU6WLFIBUQL1VG4oZAuj+HwbPEczAmCfw9lLSGaVLlBYAI4tgwVjHqm1pUCxxYFicJxYPL0mivOaJlQOIBxh7bi4Fr+saTyJ58Gsvx4tz72A3Q1nhgW4ZBgC/EoxoIT0Or9QssmqG882CWcYJV7qOjvvpIpbv8dRJo8U78S36+/EgyQj32pxV1XHBhNhVrZlpvz5mJmyN1c+kODLdBtJUonTRoZtPFzXv98/PLL8Lb8U0/05F78hhUoyAGUQeZqmOXm7xf8TqpNpy4Q43ybhc5yG2mKKEfp2FLzg3xghCYu8DaM5FgAJa7yt7DnfSwPuV0CzUcmuAPTTLB7+2glIt4LeW+1yqiWgRpzeE1RNH5AP09AQRpTypx3gmsZO0zZAMT7m4L1y2YJcsNzwMEKrrlEkn58/Vw/gcA8Z9T3H4/Ey3B/p/JOQAzLE66QIkITj6K0UAmoXrP/apBBK31IaPYe5GpnvycNSZimZPDGnckKyClQLHWSUBo0KaSu1wKq84rilnWQ/a94pCN6jIA0mWJt7DboqeTehHdn5BfUOj3oO6gDqmSeAetT22EWsOwtIhgovcg6n8GJQ44BwFxTeErnqCq8hqHXsqUVY0N5r2+30BgOoIw40CMvTdw3dbiRHJU6jTQrv9eOnzwTIsHK6rGinW
viGleBZqMXJJNNJCce7vXI/5sZa94ZF08fVsjcIl6vn4InAAEFwlDmFJeunuXotXT1FrANLknpqOXV4MB29HWDBiSxBwNpVBW1aR1DpBFy6/CxV6TQo4++gR/vgUu3ODm1DHk89RYe2Z7iaazD0wOY6tA1Tg2aVdmy52XR5PJJlpxU66pjvhW8LDGPLM1ShDGTXId3TNc9kbJpVbYoXlCRFDqXYdNQAX3i5MemfRMvsBLoI+WcB27au7wrbPIIuB7Z54Rtd0LFKY31Vxyp5z6F1LNtoqWOZ4F07hsGElUlUsyiD36hmWY1qVt2hWNW5WIeg7az1rVVv1Yt6IwZyzk2DcoAfy9UdjQab7wo5zFwQ3yUpUU3rdEqJQjxrZhfIVEmRamSKHoJqMsVQFx+cflsy5fmYJWFZk/6AncmkWDwjH6BYogTrLsS6VybmfC8j+eRSJFUxB6atiiRZuqEBUdo3NMdrfLfiRh53t4mlGX3E1hWkX6YB6JephH4JmD9tUbZcwPaX+Tg+FvimPEYBfLt1yuUbutZWWLN0di698gOsJ7IAml11DwZsquG/3TVicsO3p/jpOmTW1DSx0O9zyjWDtkyk2wZDJByDo/jKyTRDp2DGLICfkzjRQaNONRgUGPptq7LNetDoYYNWeHsdJZg9JeVuw3gJyAtvwydtwYLWWYSRt3QubLPJOpbmSUFg7wQQmBhQuo29EFOdQ6PkZvQ7aTxzdAbPTM3mRJLx7MOy8IyaWo7F9nIgE/EJ2F6M5hjBkgA5glrpl3mURkEa3n6ZhTTdU65uqsgaTD/KV03Leahi51jtIAROhHTdEwKKXVXRxoXaGoPBNuUoowZrMuzfPzDgVmo775gXjzKywst/rUDlU572+vWpHAiGvyZZMuz9Ks04urzISsPXfN9GhuXblmV4NqD0hkm+d1zHcnXb8wzWQIiQo3mu5bm2btm2iyh01XyEwBLSjgHwjFeKGQD+N3n/myieGrLp53+yz3r5+eat0EzzT+/VT9/DJMKPSibbnMRc4yiIx1EovCnnKMDpiLm6u8n+JMxg4LyGhzRDjIK0ws9mY1HJPlxBtvIjwRh7G83CDytaQyCaj+N/yWYuqgyfFFUUJBNCWo2MlgKIZfkalDPhXLJsnc1LibIYH7AYJfZOQyA91xME4Vwa6s9Hi/xRoN7y29zrhbYjGeItZa4sKCgj3ZIkcmNGrDmuas+V2KpieAAkLQtIlpKwoNnCUkK7LxELtgb2w5vyIP/MdLDEMP1BGJWk8w81uOQeDJc8ZGmmub+oAaZ1rUN40MRWbYVYrhrEak5EX4dp6YKYZRDCoX9KwrywEcSRr/GwYptskT9zDIiizr8MYcu2JaGG5R2Gy9B12vEVELwmB/yp569zFkVuJZsyi/1oEvsOHHRqNpeAW1MzdKFmHRChLaA0Gm5bnRFOZGKWW63+osZAKbisGK2DBWyUaJI0vmwjcmwr9LQN0Hery7TGplwo730N5xMCaFkqLC/BqDlltskJN4pewCJ/hGmQIWR2O9nePHjOCn8a/vvT3WD8nzs/DX7Y09Hd7OVp5r8+3d2uvs4//voPKWiYndynyiFVFuCsOYqSnWbmTyuXVhxdNDtMr82RrSW9gLnFiJ1LUVZwZalOxbSbAt43ZErJ1ciKt3UpN14N33SUufJsKJrBMEvhrA4oYMOJZGV1NKwjiAHOYTCguwU+eHoA9WZeIgu2v1mBeHdR0na0kQXqkjqgn96FBTbaRha4UB9QFFhA12nJkE0lSRomz2+pmBxV/NzeIf3cHoe+HczP7UIXoFWm9OwsV9r4VsMxbYd4Eh0LyMaGbWiuxURRqKB4Ah5DJJrik3m9P2TtGI7G000VXQXCl79O6dnb2W0jX2Pgj5MzJInwbVlOjP6Zh5HGBLx9qDkcUM/qtenfSBOET1mnnFQ26KrRGgw2nlZWOjjITWvvsGZn0m1VILtprVZOBMpXJIOriA+tOczoAq5bX7zdlsbCi
SxFUmXTOh2CUorwG6G0OZLoaKFUnTQAXQBm234PzESQOCvyWdB1WkGpmvReKjZ3ML23g133svaSt4P7b4/9bze1/pJ1Kb7abLKpNZ+Krd1dP/Z/XP/z88/BV/7G1nbhNTFijuvqUnHxiimRS0rw8VoIIp0ipooegoZl7IifXUx17HoDq++D+7//+fn58fG7GE6fZosrB3jFkc8p+V26zqXXo7M6W+iJ4mDNZEYjNVSbzJAJW/NauqtV4h78lvYzZEEKt2ViiSYzGrTMoWoE2LkoTr7o5Swhc06aFTQndKhHITL7lnBdu4rp+rDomFgdNMfZz0YSxtnKOjmsV8yaNdWaPH3QyZayTqiVv/7Fnb8e+wQHthDK/JQayK3IXJc2YursoZw2rLLsoR4wKPquwZR2FreHCkwmzRjavJagJwj44Xtgo5LUoWbv5TGJW5c+YeJbOt9mRSYwomGRQD94tyJr1/piXcS4S6OwC+7taF2Awvdvwb1TKIR26RT2u+0GAJRRGZN0iFZhFs933Q2zAa+iBLUlqDYbuDBjurWdwLZZSiWkI7SSvwVcu2osBcX3+6j2O5sY6iaATTYAnr4vGhS+Y5rUaQWGU2ogXxd3YW0VJoJSFMOYmTxFoeGNC7VySPZgkIAcFZySmw56JLvXNW1nWoi2+g6rHhC95sg0thOki99wjRZl7pRt81q1rUPCao5D32IKNLWSi2iy+lHL9pfWVZ2R8j3GW2RaPG/RQXpX2ayvsP+2iJcFlUsTPKpICdiaMVLXAWyODuDtKNH0SEaA59SZL5IjxXiQWuk2yLAQDv2DCdrI1kVrD+wcWAV3Td3SjRFfW25oknwkizbNbs+T126sbFopCs2lI5lQ4IAOAwcMTLHb9iTjzOa2iRbYFdNF1+1UfrfN8yJ2wiZlIw4/oqKiapsUwyEMT0okCzOv5Xm1tpquEGi2etPN3qvzDGSxNhixeCJ7nQ/ovD5uULj+8DDFUD4IxyGG9WF4NGlyFPcUmKJAdAWpJ6W5dmNJHmHDFINYm+eVZaYSW1Y0bsQFJB9QA0kkv9mV1hhOpVJaExQmt22BS6vU0CIB0scnOfZeJKch0kw/xl57lrIEMRYlHU8zjb1Zt8ukYuF5FbU44K/lypEkDSBXS6Iqze6wozPidbvXUWYCf3i8H1zf9X9+vv+j32wHX3cs22bwO+R2bwZf/uoPGFKY7Z7tW/abNtn/+/v9A97r9SP+oj/INlyc8DiYLYVbOx30YNebreVV/eaNskxP5/DB2uettpOTM1rb0OznGkijFVAqXNLkumKQrtkbOKWwtZoWJ2uwVheQ3wn7gMe1D/i7CSXEXo35au3kJZmrO25C2NmODY1bdr3aArtPWJjRFivPIFcscYxGseQ8rR7OflaPss5ZtK5zdmirhyr7tqlKJbEIeQbIQLFj54IAUJp3dE+zvDX6A5+YLPQXW1ZQIwHtcZQ0YHM4jteja8Dm2qABW/0leFZn+q/RiTvoSPA5ggKFDuXBrYxY5zoa7DgobIKAk/m2rlkVa6MaFzbDyT3Xbcb2VrgqUInzRL3NyL7ay9t87L3nKHYqqBQFBWXP89ujnsWbrGKRA0kuisJgG5YVZLsgPN4ERyqJ7178jHUMdff2M35fPc2iYSZVy0ZrVVWFDVVYzVREc2FghHBZYUakdfwDhIkILtvOtq+m8pYjUDYW4LggRkpBQEEev8VB2MCe/Q3YuyuvltJe8Ag7BSmLJrCMuiZpmJatWS2jQtnJYMFyaSGhDQu1636mBuU31tnd0yfeXhj4jVGhPJ9FW0Jw6R+mshsiY6rWW1ffZGbSgfNclXWdLtShhog0Hrd7Fh5+1TNHEDolpyUg3/sNaQltXihNAj1Dqwt5zWdKzY9O44NWT+QTq7ckEyryofooy3LTtFCXFDu3uaTyedpqNpGF7bYakZN7rZzOUzwbNaqn3PRnQap1ach5acj5u5K5GMLnuu07cjKTebaylpyb1upUzhbN0
Fcmt8k3wUmT20yJctulHenVuiiVfELg2ST0AAhBbQvP+IbAZJIIwaa12mbyqCEE3a1DXmit9ZgLXRBQpUdeIkWRl+gQkZfr6iulx6iuSux+x/4RGy4v3OecNYdNjEnAy8uLqzwOQVJZ/AYTcsgowa1jJrEIpRleI0FQFTPJX7atbAkMg5JYSmfrAVDu8XvC+GwYeYkczWkO/xGFTM/c1BkWSyJIw9JIGd+pJrbXd+DDyY7vc5tjgk7e0rwp57dVsN+RtdxV5+fzmbjUPQL8fJ03mfIAP8FlxXgEkPrUxPe5uwcDnQwub0qe2d1rhF/tETbNVNfaFemwfrPt25oNtCrxMlDMbNYh4vtE1+1Q/1f3EuwDcHNTzO4F0eUjum61ZNvMVEhVqZ/mlbqEyWdclN674KzKKAxYkN2H5XFb15BXFoLRtFCHmlrTKgZHXTZnkeWnHEXxnDCrZtEjfr3eMkxeimO4uaKlmM+gPjabQuNYGq38UW2gy2sXjS/1ZBR994zTAXySmNVtsD8LuIZCZQbWOuOeq2bH84rpSINwnqGkE6Z0bukcipCqTem24WgGrIZhbnSkikoWJrTSu7qpWZXSf2pseGWj8XWlG2fjPhE0+oEb9je4e80a/Xm6ZzcpB9vds6wGtXUutWm78oz1uoYsE9RjofKBguxdBvKRrhnW3qEZiKlOpUinYBfSWxj3JOsQzUr/eSL7ppzd7ciuH1+6vcGKNrJ8bFCm0r3WFnk4l6Mqfq9hnZblcpXEWfiXzAuQeaEfmkMfH5ojZRZ5xiTQuj4dW97iMDK42LLt6tMhEHcjiQQ0W0DOlATIyL7aiQSwUZcfHjN4VFe8UpHdX5nEbsFQ4tb1drCaAatgHqbijvDC7Rx5SpLtfV5ofxvicOAOGBLcgA3EwdhPqBdq16Ma+VXF2FFnsoIkHt2AuEPQSULHHs9xd5xZEjkQXlhUX4C5PmoUhhYJFx1qmaOAIOyXcQFSAY+xhY6yzAvPBSzOwigjoYWOB61/ZF5FLXT4a7VtoeMB8UEJhp9xEVxrAy5vj93hZE8dqRyPDFU47Th1pba9hs/M5OjWATR8wWXFELqOzz01Ivz5Jr2g/QLldZFCmYKtleGt29vZdJIw0O7sCggDZPYusmQwe2bewyj7gsu2q6unJGbXP9+EGrRrnH1jg1L4/MaO1ZPqLTVZoiSpdC9zX15WJNvzEtOPD8KU7VgEGnW1f6Fhsn1LHaZaAulto6iPzoa1BGlS/YB7anwTGzOCTpsm7ZdHICS77FgAcpMMk0ctyyUFityXlH0epMGWC5127RtsKQpTaFyoXZwCJFiS2vqeQn7CJEjDV/JuuhyaLUxGuYUhs2awj4Prbw+3/QFpXvtl0H+4oqkNnmOtCzQ2OU6Zp+WdicoTEBbumk/gdnD/7bH/7YZtf9sg4x37U7O8ihNHs6UQ6DYh+KDHsZfU3wwYpDXy3fVj/8f1P8Kw0czvj/xEZAAN7MN8OcDNHa1lHBWQ8g6YnTOZBUsiV5DzjxfBMErJxZ5ebktuQppJ5cKKqGhR9a7W+BrqfK0ydXw2gPrHNCTwEWQnnoUNkIdsjBzAktaSSCpTclkhnhv6eBZgTNHjMZlpXuoGeD838eu86Na31hT0lOQbF0bJYq5SdMFHkW0660dKv10l2XPQnf77x2O20iiTqNNVMi+vzGletpN8gKDvevJgFs8n2SL4uPPJ0iSYL8dh0sv0EI2BPto4dR6n+J9tTVOXBcBZV6xKwoXbJYGy+eSRfHfTc0RgkAE4Dlg2wiDTgcNCxL3AgCE3KdKzNVtGyhiF5qOWtglkdTsbMpMIHh7vB9d3/Z+f7//oZ+LBz+ubm0EpMuta9l9pfjss62rY4c3gy1/99R7DeDmNn88jadlrKmlaRU4TcZBTUj6nqbMheXf311+pGSanlvjPrDwbIeRJ/FyS2+EsyopI6KtFtj0Sc65rGktWh6vkJRwV51ax0QwJ9YuG9XMFL4u8oU+l7
csce8NwSO5Ypgmm4ZVvnjzbsvXi5VXGfV/HP+ULA2aeXchpT9d826/bZNhK0zbnddGxfetV+KaGaXr5A8zSbttaoj7MLvFcsDdZmWYG4EiIRt42JsExcpTnCVmUpJqMTL05Um03qbuBX2XAvt1OnLU1L+zD4G9OdFmGirkAliPsWupbvi/TkGDyEh/Da4G6IyzAlYjcINkDzCbPAYSiGl4WCeBVJC6GmEgySLqfo9Fo1iSFJXm/+kJyqkpRTdgvX7pCOtOMeR2FuS0h39hdxscfk5i84DUQ48OY/hGPQnLF/wM= \ No newline at end of file diff --git a/docs/ocis/static/tus-public-upload.svg b/docs/ocis/static/tus-public-upload.svg deleted file mode 100644 index ad2a5c5f49..0000000000 --- a/docs/ocis/static/tus-public-upload.svg +++ /dev/null @@ -1,3 +0,0 @@ - - -

ocis-reva sharing


REVA_SHARING_ADDR = 0.0.0.0:9150

ocis-reva sharing...

ocis-reva frontend


REVA_FRONTEND_ADDR = 0.0.0.0:9140

REVA_GATEWAY_URL = ocis:9142

ocis-reva frontend...

ocis-proxy


PROXY_HTTP_ADDR = 0.0.0.0:9200

ocis-proxy...
 2  POST http://ocis:9140/remote.php/dav/files/einstein/
2  POST http:/...

ocdav


prefix = ""

timeout = 86400

ocdav...

datagateway


prefix = "data"

timeout = 86400

datagateway...

client



client
 22  PATCH https://oc.example.org/data/{token}
Tus-Resumable: 1.0.0
22  PATCH http...

ocis-reva gateway


REVA_GATEWAY_ADDR = 0.0.0.0:9142

ocis-reva gateway...

storage-registry



storage-registry
Expose: true
Expose: true
 24  PATCH http://ocis:9156/data/u-u-i-d
24  PATCH http...
 4  GetStorageProvider
(ShareReference)
4  GetStorageP...
 5  ProviderInfo
 5  ProviderInfo

storageprovider


REVA_STORAGE_HOME_ADDR = 0.0.0.0:9154

REVA_STORAGE_HOME_DRIVER = eoshome

REVA_STORAGE_HOME_EXPOSE_DATA_SERVER = false

REVA_STORAGE_HOME_DATA_SERVER_URL =

    http://ocis:9156/data

storageprovider...
Expose: false
Expose: false
 6  InitiateFileUpload
(ShareReference)
6  InitiateFil...
EOS
EOS
 15  WriteFile(upload info)
15  WriteFile(...
 7  GetPublicShare
7  GetPublicSh...
 19  UploadEndpoint
https://oc.example.org/data/{token}
19  UploadEndp...
 20  201 Created
Location: https://oc.example.org/data/{token}
20  201 Create...
 21  201 Created
Location: https://oc.example.org/data/{token}
21  201 Create...
 1  POST https://oc.example.org/remote.php/dav/files/einstein/
Upload-Length: 100
Tus-Resumable: 1.0.0
Upload-Metadata: filename d29ybGRfZG9taW5hdGlvbl9wbGFuLnBkZg==,
dir d29ybGRfZG9taW5hdGlvbl9wbGFuLnBkZg==
1  POST https:...
 23  PATCH http://ocis:9140/data/{token}
Tus-Resumable: 1.0.0
23  PATCH http...
 3  InitiateFileUpload
3  InitiateFil...
 25  Write(bytes)
25  Write(byte...
 26  204 No Content
26  204 No Con...
 27  204 No Content
27  204 No Con...
 28  204 No Content
28  204 No Con...

publicstorageprovider


expose-data-server = true

publicstorageprovider...

publicshareprovider



publicshareprovider
 8  GetPublicShare
8  GetPublicSh...
 9  PublicShare
 9  PublicShare
 10  PublicShare
 10  PublicShare
 11  InitiateFileUpload(TargetReference)
11  InitiateFi...
 12  GetStorageProvider
(TargetReference)
12  GetStorage...
 13  ProviderInfo
13  ProviderIn...
 14  InitiateFileUpload(TargetReference)
14  InitiateFi...
 16  UploadEndpoint
http://ocis:9156/data/u-u-i-d
Expose: false
16  UploadEndp...
 17  UploadEndpoint
https://oc.example.org/data/
token: sign(http://ocis:9156/data/u-u-i-d)
17  UploadEndp...
 18  UploadEndpoint
https://oc.example.org/data/{token}
Expose: true
18  UploadEndp...

gateway


REVA_TRANSFER_EXPIRES = 86400

REVA_FRONTEND_URL =

    https://oc.example.org

REVA_DATAGATEWAY_URL =

    https://oc.example.org/data

    

gateway...
When a storage provider
sets the Expose flag of an Upload/Download Endpoint to false the gateway will wrap the url in a JWT and return the URL of the datagateway along with a transfer-token.
When a storage provider...

dataprovider


REVA_STORAGE_HOME_DATA_ADDR = 0.0.0.0:9156

REVA_STORAGE_HOME_DATA_DRIVER = eoshome

dataprovider...
GOAL: transfer bytes from the client up here ...
GOAL: tran...
... to the storage system somewhere down here
... to the storage syst...
Viewer does not support full SVG 1.1
\ No newline at end of file
diff --git a/docs/ocis/storage-backends/_index.md b/docs/ocis/storage-backends/_index.md
deleted file mode 100644
index 8f709252dd..0000000000
--- a/docs/ocis/storage-backends/_index.md
+++ /dev/null
@@ -1,9 +0,0 @@
----
-title: "Storage backends"
-date: 2020-02-27T20:35:00+01:00
-weight: 40
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/ocis/storage-backends
-geekdocFilePath: _index.md
-geekdocCollapseSection: true
----
diff --git a/docs/ocis/storage-backends/cephfs.md b/docs/ocis/storage-backends/cephfs.md
deleted file mode 100644
index ed1e1133a3..0000000000
--- a/docs/ocis/storage-backends/cephfs.md
+++ /dev/null
@@ -1,77 +0,0 @@ ---- -title: "cephfs" -date: 2021-09-13T15:36:00+01:00 -weight: 30 -geekdocRepo: https://github.com/owncloud/ocis -geekdocEditPath: edit/master/docs/ocis/storage-backends/ -geekdocFilePath: cephfs.md ---- - -{{< toc >}} - -oCIS intends to make the aspects of existing storage systems available as transparently as possible, but the static sync algorithm of the desktop client relies on some form of recursive change time propagation on the server side to detect changes. While this can be bolted on top of existing file systems with inotify, the kernel audit or a fuse based overlay filesystem, a storage system that already implements this aspect is preferable. Aside from EOS, cephfs supports a recursive change time that oCIS can use to calculate an etag for the webdav API. - -## Development - -The cephfs development happens in a [Reva branch](https://github.com/cs3org/reva/pull/1209) and is currently driven by CERN. - -## Architecture - -In the original approach the driver was based on the [localfs](https://github.com/cs3org/reva/blob/a8c61401b662d8e09175416c0556da8ef3ba8ed6/pkg/storage/utils/localfs/localfs.go) driver, relying on a locally mounted cephfs. It would interface with it using the POSIX apis. This has been changed to directly call the Ceph API using https://github.com/ceph/go-ceph. It allows using the ceph admin APIs to create sub-volumes for user homes and maintain a file id to path mapping using symlinks. - -## Implemented Aspects -The recursive change time built ino cephfs is used to implement the etag propagation expected by the ownCloud clients. This allows oCIS to pick up changes that have been made by external tools, bypassing any oCIS APIs. - -Like other filesystems cephfs uses inodes and like most other filesystems inodes are reused. To get stable file identifiers the current cephfs driver assigns every node a file id and maintains a custom fileid to path mapping in a system directory: -``` -/tmp/cephfs $ tree -a -. 
-├── reva -│ └── einstein -│ ├── Pictures -│ └── welcome.txt -└── .reva_hidden - ├── .fileids - │ ├── 50BC39D364A4703A20C58ED50E4EADC3_570078 -> /tmp/cephfs/reva/einstein - │ ├── 571EFB3F0ACAE6762716889478E40156_570081 -> /tmp/cephfs/reva/einstein/Pictures - │ └── C7A1397524D0419B38D04D539EA531F8_588108 -> /tmp/cephfs/reva/einstein/welcome.txt - └── .uploads -``` - -Versions are not file but snapshot based, a [native feature of cephfs](https://docs.ceph.com/en/latest/dev/cephfs-snapshots/). The driver maps entries in the native cephfs `.snap` folder to the CS3 api recycle bin concept and makes them available in the web UI using the versions sidebar. Snapshots can be triggered by users themselves or on a schedule. - -Trash is not implemented, as cephfs has no native recycle bin and instead relies on the snapshot functionality that can be triggered by end users. It should be possible to automatically create a snapshot before deleting a file. This needs to be explored. - -Shares [are mapped to ACLs](https://github.com/cs3org/reva/pull/1209/files#diff-5e532e61f99bffb5754263bc6ce75f84a30c6f507a58ba506b0b487a50eda1d9R168-R224) supported by cephfs. The share manager is used to persist the intent of a share and can be used to periodically verify or reset the ACLs on cephfs. - -## Future work -- The spaces concept matches cephfs sub-volumes. We can implement the CreateStorageSpace call with that, keep track of the list of storage spaces using symlinks, like for the id based lookup. -- The share manager needs a persistence layer. -- Currently we persist using a single json file. -- As it basically provides two lists, *shared with me* and *shared with others*, we could persist them directly on cephfs! - - If needed for redundancy, the share manager can be run multiple times, backed by the same cephfs - - To save disk io the data can be cached in memory, and invalidated using stat requests. -- A good tradeoff would be a folder for each user with a json file for each list. 
That way, we only have to open and read a single file when the user want's to list the shares. -- To allow deprovisioning a user the data should be sharded by userid. That way all share information belonging to a user can easily be removed from the system. If necessary it can also be restored easily by copying the user specific folder back in place. -- For consistency over metadata any file blob data, backups can be done using snapshots. -- An example where einstein has shared a file with marie would look like this on disk: -``` -/tmp/cephfs $ tree -a -. -├── reva -│ └── einstein -│ ├── Pictures -│ └── welcome.txt -├── .reva_hidden -│ ├── .fileids -│ │ ├── 50BC39D364A4703A20C58ED50E4EADC3_570078 -> /tmp/cephfs/reva/einstein -│ │ ├── 571EFB3F0ACAE6762716889478E40156_570081 -> /tmp/cephfs/reva/einstein/Pictures -│ │ └── C7A1397524D0419B38D04D539EA531F8_588108 -> /tmp/cephfs/reva/einstein/welcome.txt -│ └── .uploads -└── .reva_share_manager - ├── einstein - │ └── sharedWithOthers.json - └── marie - └── sharedWithMe.json -``` -- The fileids should [not be based on the path](https://github.com/cs3org/reva/pull/1209/files#diff-eba5c8b77ccdd1ac570c54ed86dfa7643b6b30e5625af191f789727874850172R125-R127) and instead use a uuid that is also persisted in the extended attributes to allow rebuilding the index from scratch if necessary. diff --git a/docs/ocis/storage-backends/dcfsnfs.md b/docs/ocis/storage-backends/dcfsnfs.md deleted file mode 100644 index 0a0238f301..0000000000 --- a/docs/ocis/storage-backends/dcfsnfs.md +++ /dev/null 
@@ -1,63 +0,0 @@ ---- -title: "Decomposed FS on NFS" -date: 2020-03-15T16:35:00+01:00 -weight: 30 -geekdocRepo: https://github.com/owncloud/ocis -geekdocEditPath: edit/master/docs/ocis/storage-backends/ -geekdocFilePath: dcfsnfs.md ---- - -{{< toc >}} - -oCIS' default storage backend is the Decomposed FS. The Decomposed FS can be set up to run on a NFS share. That way the same storage can be provided over the network to other nodes running oCIS. - -This document summarizes a few important considerations of the NFS setup and describes a tested setup. The test has not covered concurrent access of data from different nodes yet. - -## NFS Server Setup - -This document covers the linux kernel NFS server on a standard Linux running on x86_64. - -The NFS server needs to be set up in a way that it supports [extended file attributes](https://en.wikipedia.org/wiki/Extended_file_attributes). - -Extended attributes are supported by NFS starting with Kernel version 5.9, which means that the server with the NFS server has to run a kernel with that or a higher version number. To check that, run the command `uname -a` on the NFS server and compare the displayed version number. - -The NFS server in the test setup was configured with the following line in the config file `/etc/exports`: - -`/space/nfstest 192.168.178.0/24(rw,root_squash,async,subtree_check,anonuid=0,anongid=100,all_squash)` - -This exports the directory `/space/nfstest` to the internal network with certain options. - -Important: - -- The share needs to be exported with the `async` option for proper NFS performance. - -## NFS Client Mount - -The nodes that run oCIS need to mount the NFS storage to a local mount point. - -The test setup uses the client mount command: `mount -t nfs -o nfsvers=4 192.168.178.28:/space/nfstest /mnt/ocisdata/` - -It sets the NFS version to 4, which is important to support extended attributes. 
- -After successfully mounting the storage on the client, it can be checked if the NFS setup really supports extended attributes properly using the following commands. - -`setfattr -n user.test -v "xattr test string" ocisdata/foo` to write an extended attribute to a file, and `getfattr -d ocisdata/foo` to list all the attributes a file has set. - -{{< hint info >}} -The NFS server setup can be optimized considering system administrative-, performance- and security options. This is not (yet) covered in this documentation. -{{< /hint >}} - -## oCIS Start using the NFS Share - -The oCIS server can be instructed to set up the decomposed FS at a certain path by setting the environment variable `OC_BASE_DATA_PATH`. - -The test setup started an oCIS tech preview single binary release using this start command: - -```bash -./ocis init -OC_BASE_DATA_PATH=/mnt/ocisdata/ OC_LOG_LEVEL=debug OC_INSECURE=true PROXY_HTTP_ADDR=0.0.0.0:9200 OC_URL=https://hostname:9200 ./ocis server -``` - -This starts oCIS and a decomposed FS skeleton file system structure is set up on the NFS share. - -The oCIS instance is passing a smoke test. diff --git a/docs/ocis/storage-backends/eos.md b/docs/ocis/storage-backends/eos.md deleted file mode 100644 index 6b029f6ec7..0000000000 --- a/docs/ocis/storage-backends/eos.md +++ /dev/null 
@@ -1,245 +0,0 @@ ---- -title: "EOS" -date: 2020-02-27T20:35:00+01:00 -weight: 30 -geekdocRepo: https://github.com/owncloud/ocis -geekdocEditPath: edit/master/docs/ocis/storage-backends/ -geekdocFilePath: eos.md ---- - -{{< toc >}} - -oCIS can be configured to run on top of [eos](https://eos.web.cern.ch/). While the [eos documentation](http://eos-docs.web.cern.ch/) does cover a lot of topics, it leaves out some details that you may have to either pull from various [docker containers](https://gitlab.cern.ch/eos/eos-docker), the [forums](https://eos-community.web.cern.ch/) or even the [source](https://github.com/cern-eos/eos) itself. - -This document is a work in progress of the current setup. - -## Docker dev environment for eos storage - -We begin with the docker-compose.yml found in https://github.com/owncloud/ocis/tree/master/ocis/ and -switch it to eos-storage. - -### 1. Start eos & ocis containers - -Start the eos cluster and ocis via the compose stack. -``` -docker-compose up -d -``` - -{{< hint info >}} -The first time the **ocis** container starts up, it will compile ocis from scratch which can take a while. -To follow progress, run `docker-compose logs -f --tail=10 ocis` -{{< /hint >}} - -### 2. LDAP support - -Configure the OS to resolve users and groups using ldap - -``` -docker-compose exec -d ocis /start-ldap -``` - -Check that the OS in the ocis container can now resolve einstein or the other demo users - -``` -$ docker-compose exec ocis id einstein -uid=20000(einstein) gid=30000(users) groups=30000(users),30001(sailing-lovers),30002(violin-haters),30007(physics-lovers) -``` - -{{< hint info >}} -If the user is not found at first you might need to wait a few more minutes in case the ocis container is still compiling. -{{< /hint >}} - -We also need to restart the storage-userprovider service, so it picks up the changed environment. Without a restart it is not able to resolve users from LDAP. 
-``` -docker-compose exec ocis ./bin/ocis kill storage-userprovider -docker-compose exec ocis ./bin/ocis run storage-userprovider -``` - -### 3. Home storage - -Kill the home storage. By default it uses the `ocis` storage driver. We need to switch it to the `eoshome` driver: - -``` -docker-compose exec ocis ./bin/ocis kill storage-home -docker-compose exec -e STORAGE_HOME_DRIVER=eoshome ocis ./bin/ocis run storage-home -``` - -### 4. Users storage - -Kill the users storage. By default it uses the `ocis` storage driver. We need to switch it to the `eos` driver: - -``` -docker-compose exec ocis ./bin/ocis kill storage-users -docker-compose exec -e STORAGE_USERS_DRIVER=eos ocis ./bin/ocis run storage-users -``` - -### 5. Metadata storage - -First we need to create the metadata root in eos and set an owner: -``` -docker-compose exec ocis eos mkdir -p /eos/dockertest/ocis/metadata -docker-compose exec ocis eos chown 2:2 /eos/dockertest/ocis/metadata -``` - -{{< hint info >}} -The uid and gid `2` are referencing the user `daemon` inside the ocis container. That user is also configured when restarting the accounts service later. For production systems you should create a dedicated user for the metadata storage. -{{< /hint >}} - -Kill the metadata storage. By default it uses the `ocis` storage driver. We need to switch it to the `eos` driver: - -``` -docker-compose exec ocis ./bin/ocis kill storage-system -docker-compose exec -e STORAGE_SYSTEM_DRIVER=eos -e STORAGE_SYSTEM_ROOT=/eos/dockertest/ocis/metadata ocis ./bin/ocis run storage-system -``` - - -### 6. Accounts service - -Kill the accounts service. By default it uses the `ocis` storage driver. 
We need to switch it to the `eos` driver: - -``` -docker-compose exec ocis ./bin/ocis kill accounts -docker-compose exec -e ACCOUNTS_SERVICE_USER_USERNAME=daemon -e ACCOUNTS_SERVICE_USER_UID=2 -e ACCOUNTS_SERVICE_USER_GID=2 ocis ./bin/ocis run accounts -``` - -## Verification - -Login with `einstein / relativity`, upload a file to einsteins home and verify the file is there using - -``` -docker-compose exec ocis eos ls -l /eos/dockertest/reva/users/4/4c510ada-c86b-4815-8820-42cdf82c3d51/ --rw-r--r-- 1 einstein users 10 Jul 1 15:24 newfile.txt -``` - -If the problem persists, please check the [troubleshooting section about uploads](#creation-and-upload-of-files-does-not-work). - -## Further exploration - -EOS has a built-in shell that you can enter using -``` -$ docker-compose exec mgm-master eos -# --------------------------------------------------------------------------- -# EOS Copyright (C) 2011-2019 CERN/Switzerland -# This program comes with ABSOLUTELY NO WARRANTY; for details type `license'. -# This is free software, and you are welcome to redistribute it -# under certain conditions; type `license' for details. 
-# --------------------------------------------------------------------------- -EOS_INSTANCE=eostest -EOS_SERVER_VERSION=4.6.5 EOS_SERVER_RELEASE=1 -EOS_CLIENT_VERSION=4.6.5 EOS_CLIENT_RELEASE=1 -EOS Console [root://localhost] |/> help -access Access Interface -accounting Accounting Interface -acl Acl Interface -archive Archive Interface -attr Attribute Interface -backup Backup Interface -clear Clear the terminal -cd Change directory -chmod Mode Interface -chown Chown Interface -config Configuration System -console Run Error Console -cp Cp command -debug Set debug level -exit Exit from EOS console -file File Handling -fileinfo File Information -find Find files/directories -newfind Find files/directories (new implementation) -fs File System configuration -fsck File System Consistency Checking -fuse Fuse Mounting -fusex Fuse(x) Administration -geosched Geoscheduler Interface -group Group configuration -health Health information about system -help Display this text -info Retrieve file or directory information -inspector Interact with File Inspector -io IO Interface -json Toggle JSON output flag for stdout -license Display Software License -ls List a directory -ln Create a symbolic link -map Path mapping interface -member Check Egroup membership -mkdir Create a directory -motd Message of the day -mv Rename file or directory -node Node configuration -ns Namespace Interface -pwd Print working directory -quit Exit from EOS console -quota Quota System configuration -reconnect Forces a re-authentication of the shell -recycle Recycle Bin Functionality -rmdir Remove a directory -rm Remove a file -role Set the client role -route Routing interface -rtlog Get realtime log output from mgm & fst servers -silent Toggle silent flag for stdout -space Space configuration -stagerrm Remove disk replicas of a file if it has tape replicas -stat Run 'stat' on a file or directory -squash Run 'squashfs' utility function -test Run performance test -timing Toggle timing flag for execution time 
measurement -touch Touch a file -token Token interface -tracker Interact with File Tracker -transfer Transfer Interface -version Verbose client/server version -vid Virtual ID System Configuration -whoami Determine how we are mapped on server side -who Statistics about connected users -? Synonym for 'help' -.q Exit from EOS console -EOS Console [root://localhost] |/> -``` - -But this is a different adventure. See the links at the top of this page for other sources of information on eos. - -## Cleaning up - -To clean up and start completely from scratch, run `docker-compose down -v`. -Then delete the local "bin" folder as root which contains the ocis binaries compiled by the "ocis" docker. - -## Troubleshooting - -### Docker-compose exits right away - -When running `docker-compose up -d` ocis exits right away. - -You can check the error code using `docker-compose ps` and investigate further by running only ocis again using `docker-compose up ocis` (without `-d` so you can see what is going on in the foreground). -One reason might be that the binary was already built but does not match the container env. Try running `make clean` before running `docker-compose up ocis` so it gets built inside the container. - -### Where are the logs ? - -The ocis logs can be accessed using `docker-compose logs ocis`. Add `-f` for following. - -### How do I update a service in the ocis container? - -1. `docker-compose exec ocis make clean build` to update the binary -2. `docker-compose exec ocis ./bin/ocis kill ` to kill the service -3. `docker-compose exec ocis ./bin/ocis run ` to start the service. Do not forget to set any env vars, e.g. - `docker-compose exec -e STORAGE_HOME_DRIVER=eoshome -e STORAGE_DRIVER_EOS_LAYOUT="{{substr 0 1 .Id.OpaqueId}}/{{.Id.OpaqueId}}" ocis ./bin/ocis run storage-home` - -### Creation and upload of files does not work - -If the upload did not work, please check the status of the eos space using the command `docker-compose exec mgm-master eos fs ls`. 
-In case the default space appears as offline, run `docker-compose exec mgm-master eos space set default on`.
-
-### Uploading big files appears to hang
-
-Please note that the uploads first go into the "ocis" docker and land in its "/tmp" folder, then gets copied over to the EOS docker using `xrdcopy`.
-This is why uploading first transfers all bytes and then seem to hang for a while during the final copy.
-
-### Running out of space quickly
-
-The EOS dockers are configured with replication, so every file uploaded there will be replicated 4 times,
-so make sure there is enough physical space on disk when testing.
-
-Also please note that older failed uploads might still be present in the "/tmp" directory of the "ocis" container.
-
diff --git a/docs/ocis/storage/.gitignore b/docs/ocis/storage/.gitignore
deleted file mode 100644
index 63536ebfa2..0000000000
--- a/docs/ocis/storage/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-grpc.md
diff --git a/docs/ocis/storage/_index.md b/docs/ocis/storage/_index.md
deleted file mode 100644
index 1354c1b466..0000000000
--- a/docs/ocis/storage/_index.md
+++ /dev/null
@@ -1,34 +0,0 @@
----
-title: "Storage"
-date: 2018-05-02T00:00:00+00:00
-weight: 20
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/ocis/storage
-geekdocFilePath: _index.md
-geekdocCollapseSection: true
----
-
-## Overview
-
-OCIS wraps [reva](https://github.com/cs3org/reva/) and adds an opinionated configuration to provide two core services for the oCIS platform:
-1. A [*Spaces Registry*]({{< ref "./spacesregistry.md" >}}) that acts as a dictionary for storage *Spaces* and their metadata
-2. A [*Spaces Provider*]({{< ref "./spacesprovider.md" >}}) that organizes *Resources* in storage *Spaces* and persists them in an underlying *Storage System*
-
-*Clients* will use the *Spaces Registry* to poll or get notified about changes in all *Spaces* a user has access to. Every *Space* has a dedicated `/dav/spaces/` WebDAV endpoint that is served by a *Spaces Provider* which uses a specific reva storage driver to wrap an underlying *Storage System*.
-
-{{< figure src="/ocis/storage/static/overview.drawio.svg" >}}
-
-The dashed lines in the diagram indicate requests that are made to authenticate requests or lookup the storage provider:
-1. After authenticating a request, the proxy may either use the CS3 `userprovider` or the accounts service to fetch the user information that will be minted into the `x-access-token`.
-2. The gateway will verify the JWT signature of the `x-access-token` or try to authenticate the request itself, e.g. using a public link token.
-
-{{< hint warning >}}
-The bottom part is lighter because we will deprecate it in favor of using only the CS3 user and group providers after moving some account functionality into reva and glauth. The metadata storage is not registered in the reva gateway to separate metadata necessary for running the service from data that is being served directly.
-{{< /hint >}}
-
-## Endpoints and references
-
-In order to reason about the request flow, two aspects in the architecture need to be understood well:
-1. What kind of [*namespaces*]({{< ref "./namespaces.md" >}}) are presented at the different WebDAV and CS3 endpoints?
-2. What kind of [*resource*]({{< ref "./terminology.md#resources" >}}) [*references*]({{< ref "./terminology.md#references" >}}) are exposed or required: path or id based?
-{{< figure src="/ocis/storage/static/storage.drawio.svg" >}}
diff --git a/docs/ocis/storage/namespaces.md b/docs/ocis/storage/namespaces.md
deleted file mode 100644
index 2c0a512fd5..0000000000
--- a/docs/ocis/storage/namespaces.md
+++ /dev/null
@@ -1,97 +0,0 @@ ---- -title: "Namespaces" -date: 2018-05-02T00:00:00+00:00 -weight: 15 -geekdocRepo: https://github.com/owncloud/ocis -geekdocEditPath: edit/master/docs/ocis/storage -geekdocFilePath: namespaces.md ---- - -A *namespace* is a set of paths with a common prefix. Depending on the endpoint you are talking to you will encounter a different kind of namespace: -In ownCloud 10 all paths are considered relative to the users home. The CS3 API uses a global namespace and the *storage providers* use a local namespace with paths relative to the storage providers root. - -{{< figure src="/ocis/storage/static/namespaces.drawio.svg" >}} - -The different paths in the namespaces need to be translated while passing [*references*]({{< ref "./terminology.md#references" >}}) from service to service. While the oc10 endpoints all work on paths we internally reference shared resources by id, so the shares don't break when a file is renamed or moved inside a storage [*space*]({{< ref "./spaces" >}}). The following table lists the various namespaces, paths and id based references: - -| oc10 namespace | CS3 global namespace | storage provider | reference | content | -|--------------------------------------------------|----------------------------------------|------------------|-----------|---------| -| `/webdav/path/to/file.ext` `/dav/files//path/to/file.ext` | `/home/path/to/file.ext` | home | `//path/to/file.ext` | currently logged in users home | -| `/webdav/Shares/foo` `/dav/files//Shares/foo` | `/home/Shares/foo` | users | id based access | all users, used to access collaborative shares | -| `/dav/public-files//rel/path/to/file.ext` | `/public//rel/path/to/file.ext` | public | id based access | publicly shared files, used to access public links | - - -{{< hint danger >}} -oCIS currently is configured to jail users into the CS3 `/home` namespace in the oc10 endpoints to mimic ownCloud 10. CernBox has been exposing a global namespace on `/webdav` for years already. 
The ocs service returns urls that are relative to the CS3 global namespace which makes both scenarios work, but only one of them at a time. Which is why the testsuite hiccups when trying to [Allow full paths targets in reva#1605](https://github.com/cs3org/reva/pull/1605). -{{< /hint >}} - - -{{< hint warning >}} -In the global CS3 namespaces we plan to move `/home/Shares`, which currently lists all mounted shares of the currently logged-in user to a dedicated `/shares` namespace. See [below]({{< ref "#cs3-namespaces" >}}) and [Move shares folder out from home directory to a separate mount reva#1584](https://github.com/cs3org/reva/pull/1584). -{{< /hint >}} - -## ownCloud namespaces - -In contrast to the global namespace of CS3, ownCloud always presented a user specific namespace on all endpoints. It will always list the users private files under `/`. Shares can be mounted at an arbitrary location in the users private spaces. See the [webdav]({{< ref "./spacesprovider#webdav" >}}) and [ocs]({{< ref "./spacesprovider#sharing" >}}) sections for more details end examples. - -With the spaces concept we are planning to introduce a global namespace to the ownCloud webdav endpoints. This will push the users private space down in the hierarchy: it will move from `/webdav` to `/webdav/home` or `/webdav/users/`. The related [migration stages]({{< ref "../../ocis/migration.md" >}}) are subject to change. - -## CS3 global namespaces - -The *CS3 global namespace* in oCIS is configured in the storage [*spaces registry*]({{< ref "./spacesregistry" >}}). 
oCIS uses these defaults: - -| global namespace | description | -|-|-| -| `/home` | an alias for the currently logged in uses private space | -| `/users/` | user private spaces | -| `/shares` | a virtual listing of share spaces a user has access to | -| `/public/` | a virtual folder listing public shares | -| `/spaces/` | *TODO: project or group spaces* | - -Technically, the `/home` namespace is not necessary: the storage [*spaces registry*]({{< ref "./spacesregistry" >}}) knows the path to a users private space in the `/users` namespace and the gateway can forward the requests to the responsible storage provider. - -{{< hint warning >}} -*@jfd: Why don't we use `/home/` instead of `/users/`. Then the paths would be consistent with most unix systems. -{{< /hint >}} - -The `/shares` namespace is used to solve two problems: -- To query all shares the current user has access to the *share manager* can be used to list the resource ids. While the shares can then be navigated by resource id, they will return the relative path in the actual [*storage provider*]({{< ref "./terminology.md#storage-providers" >}}), leaking parent folders of the shared resource. -- When accepting a remote share e.g., for OCM the resource does not exist on the local instance. They are made accessible in the global namespace under the `/shares` namespace. - -{{< hint warning >}} -*@jfd: Should we split `/shares` into `/collaborations`, `/ocm` and `/links`? We also have `/public` which uses token based authentication. They may have different latencies or polling strategies? Well, I guess we can cache them differently regardless of the mount point.* -{{< /hint >}} - -## Browser URLs vs API URLs -In ownCloud 10 you can not only create *public links* but also *private links*. Both can be copy pasted into an email or chat to grant others access to a file. Most often though, end users will copy and paste the URL from their browsers location bar. 
- -| URL | description | -|-|-| -| https://demo.owncloud.com/apps/files/?dir=/Photos/Vacation&fileid=24 | The normal browser URL | -| https://demo.owncloud.com/apps/files/?fileid=24 | the `dir` is actually not used to find the directory and will be filled when pasting this URL | -| https://demo.owncloud.com/f/24 | *private links* are the shortened version of this and work in the same way | -| https://demo.owncloud.com/s/piLdAAt1m3Bg0Fk | public link | - -{{< hint >}} -The `dir` parameter alone cannot be used to look up the directory, because the path for a file may be different depending on the currently logged-in user: -- User A shares his `/path/to/Photos` with User X. -- User B shares his `/other/path/to/Photos` with User X and Y. -- User A shares his `/path/to/Photos` with User Y. - -(Depending on the order in which they accept the shares) X and Y now have two folders `/shares/Photos` and `/shares/Photos (1)`. But if they were to copy paste a link with that path in the URL and if the directory were only looked up by path X and Y would end up in different folders. - -You could argue that the path should always use a global path in the CS3 namespace: -- User A shares his `/users/a/path/to/Photos` with User X. -- User B shares his `/users/b/other/path/to/Photos` with User X and Y. -- User A shares his `/users/a/path/to/Photos` with User Y. - -By using a global path like this X and Y would always end up in the correct folder. However, there are two caveats: -- This only works for resources that reside on the instance (because only they have unique and global path). Shares from other instances need to be identified by id, or they cannot be uniquely addressed -- User A may not want to leak path `path/to` segments leading to `Photos`. They might contain things like `low-priority` or personal data. - -That is the reason why URLs always have to contain some kind of stable identifier. 
By introducing the concept of *storage spaces* and treating user homes, project drives and shares we can create a URL that contains an identifier for the *storage space* and a path relative to the root of it. -{{< /hint >}} - -In ocis we will unify the way links sharing works, however there will always be at least two types of URLs: -1. the URL you see in the browsers location bar, and -2. the URL that a client uses to actually access a file. diff --git a/docs/ocis/storage/proposedchanges.md b/docs/ocis/storage/proposedchanges.md deleted file mode 100644 index 77dc0a64ca..0000000000 --- a/docs/ocis/storage/proposedchanges.md +++ /dev/null 
@@ -1,177 +0,0 @@ ---- -title: "Proposed Changes" -date: 2018-05-02T00:00:00+00:00 -weight: 18 -geekdocRepo: https://github.com/owncloud/ocis -geekdocEditPath: edit/master/docs/ocis/storage -geekdocFilePath: proposedchanges.md ---- - -Some architectural changes still need to be clarified or changed. Maybe an ADR is in order for all of the below. - -## Reva Gateway changes - -## A dedicated shares storage provider - -Currently, when a user accepts a share, a cs3 reference is created in the users `/home/shares` folder. This reference represents the mount point of a share and can be renamed, similar to the share jail in ownCloud 10. This spreads the metadata of a share in two places: -- the share is persisted in the *share manager* -- the mount point of a share is persisted in the home *storage provider* - -Furthermore, the *gateway* treats `/home/shares` different than any other path: it will stat all children and calculate an etag to allow clients to discover changes in accepted shares. This requires the storage provider to cooperate and provide this special `/shares` folder in the root of a users home when it is accessed as a home storage. That is the origin of the `enable_home` config flag that needs to be implemented for every storage driver. - -In order to have a single source of truth we need to make the *share manager* aware of the mount point. We can then move all the logic that aggregates the etag in the share folder to a dedicated *shares storage provider* that is using the *share manager* for persistence. The *shares storage provider* would provide a `/shares` namespace outside of `/home` that lists all accepted shares for the current user. As a result the storage drivers no longer need to have a `enable_home` flag that jails users into their home. The `/home/shares` folder would move outside of the `/home`. 
In fact `/home` will no longer be needed, because the home folder concept can be implemented as a space: `CreateHome` would create a `personal` space on the. - -Work on this is done in https://github.com/cs3org/reva/pull/2023 - -{{< hint warning >}} -What about copy pasting links from the browser? Well this storage is only really needed to have a path to ocm shares that actually reside on other instances. In the UI the shares would be listed by querying a *share manager*. It returns ResourceIds, which can be stated to fetch a path that is then accessible in the CS3 global namespace. Two caveats: -- This only works for resources that are actually hosted by the current instance. For those it would leak the parent path segments to a shared resource. -- For accepted OCM shares there must be a path in the [*CS3 global namespace*]({{< ref "./namespaces.md#cs3-global-namespaces" >}}) that has to be the same for all users, otherwise they cannot copy and share those URLs. -{{< /hint >}} - -### The gateway should be responsible for path transformations - -Currently, storage providers are aware af their mount point, coupling them tightly with the gateway. - -Tracked in https://github.com/cs3org/reva/issues/578 - -Work is done in https://github.com/cs3org/reva/pull/1866 - -## URL escaped string representation of a CS3 reference - -For the spaces concept we introduced the `/dav/spaces/` endpoint. It encodes a cs3 *reference* in a URL compatible way. -1. We can separate the path using a `/`: `/dav/spaces//` -2. The `spaceid` currently is a cs3 resourceid, consisting of `` and ``. Since the opaqueid might contain `/` e.g. for the local driver we have to urlencode the spaceid. - -To access resources by id we need to make the `/dav/meta/` able to list directories... Otherwise id based navigation first has to look up the path. Or we use the libregraph api for id based navigation. - -A *reference* is a logical concept. 
It identifies a [*resource*]({{< ref "#resources" >}}) and consists of a `` and a ``. A `` consists of a `` and a ``. They can be concatenated using the separators `!` and `:`: -``` -!: -``` -While all components are optional, only three cases are used: -| format | example | description | -|-|-|-| -| `!:` | `!:/absolute/path/to/file.ext` | absolute path | -| `!:` | `ee1687e5-ac7f-426d-a6c0-03fed91d5f62!:path/to/file.ext` | path relative to the root of the storage space | -| `!:` | `ee1687e5-ac7f-426d-a6c0-03fed91d5f62!c3cf23bb-8f47-4719-a150-1d25a1f6fb56:to/file.ext` | path relative to the specified node in the storage space, used to reference resources without disclosing parent paths | - -`` should be a UUID to prevent references from breaking when a *user* or [*storage space*]({{< ref "#storage-spaces" >}}) gets renamed. But it can also be derived from a migration of an oc10 instance by concatenating an instance identifier and the numeric storage id from oc10, e.g. `oc10-instance-a$1234`. - -A reference will often start as an absolute/global path, e.g. `!:/home/Projects/Foo`. The gateway will look up the storage provider that is responsible for the path - -| Name | Description | Who resolves it? | -|------|-------------|-| -| `!:/home/Projects/Foo` | the absolute path a client like davfs will use. 
| The gateway uses the storage registry to look up the responsible storage provider | -| `ee1687e5-ac7f-426d-a6c0-03fed91d5f62!:/Projects/Foo` | the `storage_space` is the same as the `root`, the path becomes relative to the root | the storage provider can use this reference to identify this resource | - -Now, the same file is accessed as a share -| Name | Description | -|------|-------------| -| `!:/users/Einstein/Projects/Foo` | `Foo` is the shared folder | -| `ee1687e5-ac7f-426d-a6c0-03fed91d5f62!56f7ceca-e7f8-4530-9a7a-fe4b7ec8089a:` | `56f7ceca-e7f8-4530-9a7a-fe4b7ec8089a` is the id of `Foo`, the path is empty | - - -The `:`, `!` and `$` are chosen from the set of [RFC3986 sub delimiters](https://tools.ietf.org/html/rfc3986#section-2.2) on purpose. They can be used in URLs without having to be encoded. In some cases, a delimiter can be left out if a component is not set: -| reference | interpretation | -|-|-| -| `/absolute/path/to/file.ext` | absolute path, all delimiters omitted | -| `ee1687e5-ac7f-426d-a6c0-03fed91d5f62!path/to/file.ext` | relative path in the given storage space, root delimiter `:` omitted | -| `56f7ceca-e7f8-4530-9a7a-fe4b7ec8089a:to/file.ext` | relative path in the given root node, storage space delimiter `!` omitted | -| `ee1687e5-ac7f-426d-a6c0-03fed91d5f62!56f7ceca-e7f8-4530-9a7a-fe4b7ec8089a:` | node id in the given storage space, `:` must be present | -| `ee1687e5-ac7f-426d-a6c0-03fed91d5f62` | root of the storage space, all delimiters omitted, can be distinguished by the `/` | - -## space providers -When looking up an id based resource the reference must use a logical space id, not a CS3 resource id. Otherwise id based requests, which only have a resourceid consisting of a storage id and a node id cannot be routed to the correct storage provider if the storage has moved from one storage provider to another. 
- -if the registry routes based on the storageid AND the nodeid it has to keep a cache of all nodeids in order to route all requests for a storage space (which consists of storage it + nodeid) to the correct storage provider. the correct resourceid for a node in a storage space would be `$!`. The `$` part allow the storage registry to route all id based requests to the correct storage provider. This becomes relevant when the storage space was moved from one storage provider to another. The storage space id remains the same, but the internal address and port change. - -TODO discuss to clarify further - -## Storage drivers - -### allow clients to send a uuid on upload -iOS clients can only queue single requests to be executed in the background. They queue an upload and need to be able to identify the uploaded file after it has been uploaded to the server. The disconnected nature of the connection might cause workflows or manual user interaction with the file on the server to move the file to a different place or changing the content while the device is offline. However, on the device users might have marked the file as favorite or added it to other iOS specific collections. To be able to reliably identify the file the client can generate a `uuid` and attach it to the file metadata during the upload. While it is not necessary to look up files by this `uuid` having a second file id that serves exactly the same purpose as the `file id` is redundant. - -Another aspect for the `file id` / `uuid` is that it must be a logical identifier that can be set, at least by internal systems. Without a writeable fileid we cannot restore backups or migrate storage spaces from one storage provider to another storage provider. - -Technically, this means that every storage driver needs to have a map of a `uuid` to an internal resource identifier. 
This internal resource identifier can be -- an eos fileid, because eos can look up files by id -- an inode if the filesystem and the storage driver support looking up by inode -- a path if the storage driver has no way of looking up files by id. - - In this case other mechanisms like inotify, kernel audit or a fuse overlay might be used to keep the paths up to date. - - to prevent excessive writes when deep folders are renamed a reverse map might be used: it will map the `uuid` to `:`, in order to trade writes for reads - - as a fallback a sync job can read the file id from the metadata of the resources and populate the uuid to internal id map. - -The TUS upload can take metadata, for PUT we might need a header. - -### Space id vs resource id vs storage id - -We have `/dav/meta/` where the `fileid` is a string that was returned by a PROPFIND or by the `/graph/v1.0/me/drives/` endpoint? That returns a space id and the root drive item which has an `id` - -Does that `id` have a specific format? We currently concatenate as `!`. - -A request against `/dav/meta/fileid` will use the reva storage registry to look up a path. - -What if the storage space is moved to another storage provider. This happens during a migration: - -1. the current oc10 fileids need to be prefixed with at least the numeric storage id to shard them. - -`123` becomes `instanceprefix$345!123` if we use a custom prefix that identifies an instance (so we can merge multiple instances into one ocis instance) and append the numeric storageid `345`. The pattern is `$!`. - -Every `$` identifies a space. - -- [ ] the owncloudsql driver can return these spaceids when listing spaces. - -Why does it not work if we just use the fileid of the root node in the db? 
- -Say we have a space with three resources: -`$!` -`instanceprefix$345!1` -`instanceprefix$345!2` -`instanceprefix$345!3` - -All users have moved to ocis and the registry contains a regex to route all `instanceprefix.*` references to the storageprovider with the owncloudsql driver. It is up to the driver to locate the correct resource by using the filecache table. In this case the numeric storage id is unnecessary. - -Now we migrate the space `345` to another storage driver: -- the storage registry contains a new entry for `instanceprefix$345` to send all resource ids for that space to the new storage provider -- the new storage driver has to take into account the full storageid because the nodeid may only be unique per storage space. - -If we now have to fetch the path on the `/dav/meta/` endpoint: -`/dav/meta/instanceprefix$345!1` -`/dav/meta/instanceprefix$345!2` -`/dav/meta/instanceprefix$345!3` - -This would work because the registry always sees `instanceprefix$345` as the storageid. - -Now if we use the fileids directly and leave out the numeric storageid: -`!` -`instanceprefix!1` -`instanceprefix!2` -`instanceprefix!3` - -This is the current `!` format. - -The reva storage registry contains a `instanceid` entry pointing to the storage provider with the owncloudsql driver. - -Resources can be looked up because the oc_filecache has a unique fileid over all storages. - -Now we again migrate the space `345` to another storage driver: -- the storage registry contains a new entry for `instanceprefix!1` so the storage space root now points to the new storage provider -- The registry needs to be aware of node ids to route properly. This is a no-go. We don't want to keep a cache of *all* nodeids in the registry. Only the root nodes of spaces. -- The new storage driver only has a nodeid which might collide with other nodeids from other storage spaces, e.g. when two instances are imported into one ocis instance. 
Although it would be possible to just set up two storage providers extra care would have to be taken to prevent nodeid collisions when importing a space. - -If we now have to fetch the path on the `/dav/meta/` endpoint: -`/dav/meta/instanceprefix!1` would work because it is the root of a space -`/dav/meta/instanceprefix!2` would cause the gateway to poll all storage providers because the registry has no way to determine the responsible storage provider -`/dav/meta/instanceprefix!3` same - -The problem is that without a part in the storageid that allows differentiating storage spaces we cannot route them individually. - -Now, we could use the nodeid of the root of a storage space as the spaceid ... if it is a uuid. If it is numeric it needs a prefix to distinguish it from other spaces. -`!` would be easy for the decomposedfs. -eos might use numeric ids: `$!`, but it needs a custom prefix to distinguish multiple eos instances. - -Furthermore, when migrating spaces between storage providers we want to stay collision free, which is why we should recommend uuids. - -All this has implications for the decomposedfs, because it needs to split the nodes per space to prevent them from colliding. diff --git a/docs/ocis/storage/spaces.md b/docs/ocis/storage/spaces.md deleted file mode 100644 index 36259c6b28..0000000000 --- a/docs/ocis/storage/spaces.md +++ /dev/null 
@@ -1,208 +0,0 @@ ---- -title: "Spaces" -date: 2020-04-27T18:46:00+01:00 -weight: 38 -geekdocRepo: https://github.com/owncloud/ocis -geekdocEditPath: edit/master/docs/ocis/storage -geekdocFilePath: spaces.md ---- - -{{< toc >}} - -## Editing a Storage Space - -The OData specification allows for a mirage of ways of addressing an entity. We will support addressing a Drive entity by its unique identifier, which is the one the graph-api returns when listing spaces, and its format is: - -```json -{ - "id": "1284d238-aa92-42ce-bdc4-0b0000009157!b6e2c9cc-9dbe-42f0-b522-4f2d3e175e9c" -} -``` - -This is an extract of an element of the list spaces response. An entire object has the following shape: - -```json -{ - "driveType": "project", - "id": "1284d238-aa92-42ce-bdc4-0b0000009157!b6e2c9cc-9dbe-42f0-b522-4f2d3e175e9c", - "lastModifiedDateTime": "2021-10-07T11:06:43.245418+02:00", - "name": "marketing", - "owner": { - "user": { - "id": "ddc2004c-0977-11eb-9d3f-a793888cd0f8" - } - }, - "quota": { - "total": 65536 - }, - "root": { - "id": "1284d238-aa92-42ce-bdc4-0b0000009157!b6e2c9cc-9dbe-42f0-b522-4f2d3e175e9c", - "webDavUrl": "https://localhost:9200/dav/spaces/1284d238-aa92-42ce-bdc4-0b0000009157!b6e2c9cc-9dbe-42f0-b522-4f2d3e175e9c" - } -} -``` - -### Updating a space property - -Having introduced the above, one can refer to a Drive with the following URL format: - -```console -'https://localhost:9200/graph/v1.0/drives/1284d238-aa92-42ce-bdc4-0b0000009157!07c26b3a-9944-4f2b-ab33-b0b326fc7570 -``` - -Updating an entity attribute: - -```console -curl -X PATCH 'https://localhost:9200/graph/v1.0/drives/1284d238-aa92-42ce-bdc4-0b0000009157!07c26b3a-9944-4f2b-ab33-b0b326fc7570' -d '{"name":"42"}' -v -``` - -The previous URL resource path segment (`1284d238-aa92-42ce-bdc4-0b0000009157!07c26b3a-9944-4f2b-ab33-b0b326fc7570`) is parsed and handed over to the storage registry in order to apply the patch changes in the body, in this case update the space name attribute to `42`. 
Since space names are not unique we only support addressing them by their unique identifiers, any other query would render too ambiguous and explode in complexity. - - -### Updating a space description - -Since every space is the root of a webdav directory, following some conventions we can make use of this to set a default storage description and image. In order to do so, every space is created with a hidden `.space` folder at its root, which can be used to store such data. - -```curl -curl -k -X PUT https://localhost:9200/dav/spaces/1284d238-aa92-42ce-bdc4-0b0000009157\!07c26b3a-9944-4f2b-ab33-b0b326fc7570/.space/description.md -d "Add a description to your spaces" -u admin:admin -``` - -Verify the description was updated: - -```curl -❯ curl -k https://localhost:9200/dav/spaces/1284d238-aa92-42ce-bdc4-0b0000009157\!07c26b3a-9944-4f2b-ab33-b0b326fc7570/.space/description.md -u admin:admin -Add a description to your spaces -``` - -This feature makes use of the internal storage layout and is completely abstracted from the end user. - -### Quotas - -Spaces capacity (quota) is independent of the Storage quota. As a Space admin you can set the quota for all users of a space, and as such, there are no limitations and is up to the admin to make a correct use of this. - -It is possible to have a space quota greater than the storage quota. A Space may also have "infinite" quota, meaning a single space without quota can occupy the entirety of a disk. 
- -#### Quota Enforcement - -Creating a Space with a quota of 10 bytes: - -`curl -k -X POST 'https://localhost:9200/graph/v1.0/drives' -u admin:admin -d '{"name":"marketing", "quota": {"total": 10}}' -v` - -```console -/var/tmp/ocis/storage/users -├── blobs -├── nodes -│   ├── 627981c2-2a71-4adf-b680-177e245afdda -│   ├── 9541e7c3-8fda-4b49-b697-e7e51457cf5a -│   ├── b5692345-108d-4b80-9747-3a7e9739ad57 -│   └── root -│   ├── 118351d7-67a4-4cdf-b495-6093d1e572ed -> ../627981c2-2a71-4adf-b680-177e245afdda -│   └── ddc2004c-0977-11eb-9d3f-a793888cd0f8 -> ../b5692345-108d-4b80-9747-3a7e9739ad57 -├── spaces -│   ├── personal -│   │   └── b5692345-108d-4b80-9747-3a7e9739ad57 -> ../../nodes/b5692345-108d-4b80-9747-3a7e9739ad57 -│   ├── project -│   │   └── 627981c2-2a71-4adf-b680-177e245afdda -> ../../nodes/627981c2-2a71-4adf-b680-177e245afdda -│   └── share -├── trash -└── uploads -``` - -Verify the new space has 10 bytes, and none of it is used: - -```json -{ - "driveType": "project", - "id": "1284d238-aa92-42ce-bdc4-0b0000009157!627981c2-2a71-4adf-b680-177e245afdda", - "lastModifiedDateTime": "2021-10-15T11:16:26.029188+02:00", - "name": "marketing", - "owner": { - "user": { - "id": "ddc2004c-0977-11eb-9d3f-a793888cd0f8" - } - }, - "quota": { - "remaining": 10, - "total": 10, - "used": 0 - }, - "root": { - "id": "1284d238-aa92-42ce-bdc4-0b0000009157!627981c2-2a71-4adf-b680-177e245afdda", - "webDavUrl": "https://localhost:9200/dav/spaces/1284d238-aa92-42ce-bdc4-0b0000009157!627981c2-2a71-4adf-b680-177e245afdda" - } -} -``` - -Upload a 6 bytes file: - -`curl -k -X PUT https://localhost:9200/dav/spaces/1284d238-aa92-42ce-bdc4-0b0000009157\!627981c2-2a71-4adf-b680-177e245afdda/6bytes.txt -d "012345" -u admin:admin -v` - -Query the quota again: - -```json -{ - "quota": { - "remaining": 4, - "total": 10, - "used": 6 - } -} -``` - -Now attempt to upload 5 bytes to the space: - -`curl -k -X PUT 
https://localhost:9200/dav/spaces/1284d238-aa92-42ce-bdc4-0b0000009157\!627981c2-2a71-4adf-b680-177e245afdda/5bytes.txt -d "01234" -u admin:admin -v` - -The request will fail with `507 Insufficient Storage`: - -``` - HTTP/1.1 507 Insufficient Storage -< Access-Control-Allow-Origin: * -< Content-Length: 0 -< Content-Security-Policy: default-src 'none'; -< Date: Fri, 15 Oct 2021 09:24:46 GMT -< Vary: Origin -< X-Content-Type-Options: nosniff -< X-Download-Options: noopen -< X-Frame-Options: SAMEORIGIN -< X-Permitted-Cross-Domain-Policies: none -< X-Robots-Tag: none -< X-Xss-Protection: 1; mode=block -< -* Connection #0 to host localhost left intact -* Closing connection 0 -``` - -##### Considerations - -- If a Space quota is updated to unlimited, the upper limit is the entire available space on disk -{{< hint warning >}} - -The current implementation in oCIS might not yet fully reflect this concept. Feel free to add links to ADRs, PRs and Issues in short warning boxes like this. - -{{< /hint >}} - -## Storage Spaces -A storage *space* is a logical concept. It organizes a set of [*resources*]({{< ref "#resources" >}}) in a hierarchical tree. It has a single *owner* (*user* or *group*), -a *quota*, *permissions* and is identified by a `storage space id`. - -{{< figure src="/ocis/storage/static/storagespace.drawio.svg" >}} - -Examples would be every user's personal storage *space*, project storage *spaces* or group storage *spaces*. While they all serve different purposes and may or may not have workflows like antivirus scanning enabled, we need a way to identify and manage these subtrees in a generic way. By creating a dedicated concept for them this becomes easier and literally makes the codebase cleaner. A storage [*Spaces Registry*]({{< ref "./spacesregistry.md" >}}) then allows listing the capabilities of storage *spaces*, e.g. free space, quota, owner, syncable, root etag, upload workflow steps, ... 
- -Finally, a logical `storage space id` is not tied to a specific [*spaces provider*]({{< ref "./spacesprovider.md" >}}). If the [*storage driver*]({{< ref "./storagedrivers.md" >}}) supports it, we can import existing files including their `file id`, which makes it possible to move storage *spaces* between [*spaces providers*]({{< ref "./spacesprovider.md" >}}) to implement storage classes, e.g. with or without archival, workflows, on SSDs or HDDs. - -## Shares -*To be clarified: we are aware that [*storage spaces*]({{< ref "#storage-spaces" >}}) may be too 'heavyweight' for ad hoc sharing with groups. That being said, there is no technical reason why group shares should not be treated like storage [*spaces*]({{< ref "#storage-spaces" >}}) that users can provision themselves. They would share the quota with the users home or personal storage [*space*]({{< ref "#storage-spaces" >}}) and the share initiator would be the sole owner. Technically, the mechanism of treating a share like a new storage [*space*]({{< ref "#storage-spaces" >}}) would be the same. This obviously also extends to user shares and even file individual shares that would be wrapped in a virtual collection. It would also become possible to share collections of arbitrary files in a single storage space, e.g. 
the ten best pictures from a large album.*
-
-## Notes
-
-We can implement [ListStorageSpaces](https://cs3org.github.io/cs3apis/#cs3.storage.provider.v1beta1.ListStorageSpacesRequest) by either
-- iterating over the root of the storage and treating every folder following the `` as a `home` *storage space*,
-- iterating over the root of the storage and treating every folder following a new `` as a `project` *storage space*, or
-- iterating over the root of the storage and treating every folder following a generic `` as a *storage space* for a configurable space type, or
-- we allow configuring a map of `space type` to `layout` (based on the [CreateStorageSpaceRequest](https://cs3org.github.io/cs3apis/#cs3.storage.provider.v1beta1.CreateStorageSpaceRequest)) which would allow things like
-```
-home=/var/lib/ocis/storage/home/{{substr 0 1 .Owner.Username}}/{{.Owner.Username}}
-spaces=/spaces/var/lib/ocis/storage/projects/{{.Name}}
-```
diff --git a/docs/ocis/storage/spacesprovider.md b/docs/ocis/storage/spacesprovider.md
deleted file mode 100644
index 2d8df11f0a..0000000000
--- a/docs/ocis/storage/spacesprovider.md
+++ /dev/null
@@ -1,112 +0,0 @@ ---- -title: "Spaces Provider" -date: 2018-05-02T00:00:00+00:00 -weight: 6 -geekdocRepo: https://github.com/owncloud/ocis -geekdocEditPath: edit/master/docs/ocis/storage -geekdocFilePath: spacesprovider.md ---- - -{{< hint warning >}} - -The current implementation in oCIS might not yet fully reflect this concept. Feel free to add links to ADRs, PRs and Issues in short warning boxes like this. - -{{< /hint >}} - -## Spaces Provider -A *storage provider* manages [*resources*]({{< ref "#resources" >}}) identified by a [*reference*]({{< ref "#references" >}}) -by accessing a [*storage system*]({{< ref "#storage-systems" >}}) with a [*storage driver*]({{< ref "./storagedrivers.md" >}}). - -{{< figure src="/ocis/storage/static/spacesprovider.drawio.svg" >}} - - -## Frontend - -The oCIS frontend service starts all services that handle incoming HTTP requests: -- *ocdav* for ownCloud flavoured WebDAV -- *ocs* for sharing, user provisioning, capabilities and other OCS API endpoints -- *datagateway* for up and downloads -- TODO: *ocm* - -{{< figure src="/ocis/storage/static/frontend.drawio.svg" >}} - -### WebDAV - -The ocdav service not only handles all WebDAV requests under `(remote.php/)(web)dav` but also some other legacy endpoints like `status.php`: - -| endpoint | service | CS3 api | CS3 namespace | description | TODO | -|----------|---------|-------------|------|------|------| -| *ownCloud 10 / current ocis setup:* ||||| -| `status.php` | ocdav | - | - | currently static | should return compiled version and dynamic values | -| `(remote.php/)webdav` | ocdav | storageprovider | `/home` | the old webdav endpoint | | -| `(remote.php/)dav/files/` | ocdav | storageprovider | `/home` | the new webdav endpoint | | -| `(remote.php/)dav/meta//v` | ocdav | storageprovider | id based | versions | | -| `(remote.php/)dav/trash-bin/` | ocdav | recycle | - | trash | should aggregate the trash of [*storage spaces*]({{< ref "./terminology.md#storage-spaces" >}}) the 
user has access to | -| `(remote.php/)dav/public-files/` | ocdav | storageprovider | `/public/` | public links | | -| `(remote.php/)dav/avatars/` | ocdav | - | - | avatars, hardcoded | look up from user provider and cache | -| *CernBox setup:* ||||| -| `(remote.php/)webdav` | ocdav | storageprovider | `/` | | | -| *Note: existing folder sync pairs in legacy clients will break when moving the user home down in the path hierarchy* ||||| -| `(remote.php/)webdav/home` | ocdav | storageprovider | `/home` | | | -| `(remote.php/)webdav/users` | ocdav | storageprovider | `/users` | | | -| `(remote.php/)dav/files/` | ocdav | storageprovider | `/users/` | | | -| *Spaces concept also needs a new endpoint:* ||||| -| `(remote.php/)dav/spaces//` | ocdav | storageregistry & storageprovider | bypass path based namespace and directly talk to the responsible storage provider using a relative path | [spaces concept](https://github.com/owncloud/ocis/pull/1827) needs to point to storage [*spaces*]({{< ref "./spaces.md" >}}) | allow accessing spaces, listing is done by the graph api | - - -The correct endpoint for a users home storage [*space*]({{< ref "./spaces.md" >}}) in oc10 is `remote.php/dav/files/`. In oc10 all requests at this endpoint use a path based reference that is relative to the users home. In oCIS this can be configured and defaults to `/home` as well. Other API endpoints like ocs and the web UI still expect this to be the users home. - -In oc10 we originally had `remote.php/webdav` which would render the current users home [*storage space*]({{< ref "./terminology.md#storage-spaces" >}}). The early versions (pre OC7) would jail all received shares into a `remote.php/webdav/shares` subfolder. The semantics for syncing such a folder are [not trivially predictable](https://github.com/owncloud/core/issues/5349), which is why we made shares [freely mountable](https://github.com/owncloud/core/pull/8026) anywhere in the users home. 
- -The current reva implementation jails shares into a `remote.php/webdav/Shares` folder for performance reasons. Obviously, this brings back the [special semantics for syncing](https://github.com/owncloud/product/issues/7). In the future we will follow [a different solution](https://github.com/owncloud/product/issues/302) and jail the received shares into a dedicated `/shares` space, on the same level as `/home` and `/spaces`. We will add a dedicated [API to list all *storage spaces*](https://github.com/owncloud/ocis/pull/1827) a user has access to and where they are mounted in the users *namespace*. - -{{< hint warning >}} -TODO rewrite this hint with `/dav/spaces` -Existing folder sync pairs in legacy clients will break when moving the user home down in the path hierarchy like CernBox did. -For legacy clients the `remote.php/webdav` endpoint will no longer list the users home directly, but instead present the different types of storage spaces: -- `remote.php/webdav/home`: the users home is pushed down into a new `home` [*storage space*]({{< ref "./terminology.md#storage-spaces" >}}) -- `remote.php/webdav/shares`: all mounted shares will be moved to a new `shares` [*storage space*]({{< ref "./terminology.md#storage-spaces" >}}) -- `remote.php/webdav/spaces`: other [*storage spaces*]({{< ref "./terminology.md#storage-spaces" >}}) the user has access to, e.g. group or project drives -{{< /hint >}} - - -### Sharing - -The [OCS Share API](https://doc.owncloud.com/server/developer_manual/core/apis/ocs-share-api.html) endpoint `/ocs/v1.php/apps/files_sharing/api/v1/shares` returns shares, which have their own share id and reference files using a path relative to the users home. They API also lists the numeric storage id as well as the string type `storage_id` (which is confusing ... 
but yeah) which would allow constructing combined references with a `storage space id` and a `path` relative to the root of that [*storage space*]({{< ref "./terminology.md#storage-spaces" >}}). The web UI however assumes that it can take the path from the `file_target` and append it to the users home to access it. - -{{< hint >}} -The API [already returns the storage id](https://doc.owncloud.com/server/developer_manual/core/apis/ocs-share-api.html#example-request-response-payloads-4) (and numeric id) in addition to the file id: -``` - home::auser - 993 - 3994486 - 3994486 - 3994485 - /Shared/Paris.jpg -``` -[Creating shares only takes the **path** as the argument](https://doc.owncloud.com/server/developer_manual/core/apis/ocs-share-api.html#function-arguments) so creating and navigating shares only needs the path. When you update or delete a share it takes the `share id` not the `file id`. -{{< /hint >}} - -The OCS service makes a stat request to the storage provider to get a [ResourceInfo](https://cs3org.github.io/cs3apis/#cs3.storage.provider.v1beta1.ResourceInfo) object. It contains both, a [`ResourceId`](https://cs3org.github.io/cs3apis/#cs3.storage.provider.v1beta1.ResourceId) *and* an absolute path. If the *resource* exists a request is sent to the gateway. Depending on the type of share the [Collaboration API](https://cs3org.github.io/cs3apis/#cs3.sharing.collaboration.v1beta1.CollaborationAPI), the [Link API](https://cs3org.github.io/cs3apis/#cs3.sharing.link.v1beta1.LinkAPI) or the [Open Cloud Mesh API](https://cs3org.github.io/cs3apis/#cs3.sharing.ocm.v1beta1.OcmAPI) endpoints are used. 
- -| API | Request | Resource identified by | Grant type | Further arguments | -|-----|---------|------------------------|------------|-------------------| -| Collaboration | [CreateShareRequest](https://cs3org.github.io/cs3apis/#cs3.sharing.collaboration.v1beta1.CreateShareRequest) | [ResourceInfo](https://cs3org.github.io/cs3apis/#cs3.storage.provider.v1beta1.ResourceInfo) | [ShareGrant](https://cs3org.github.io/cs3apis/#cs3.sharing.collaboration.v1beta1.ShareGrant) | - | -| Link | [CreatePublicShareRequest](https://cs3org.github.io/cs3apis/#cs3.sharing.link.v1beta1.CreatePublicShareRequest) | [ResourceInfo](https://cs3org.github.io/cs3apis/#cs3.storage.provider.v1beta1.ResourceInfo) | Link [Grant](https://cs3org.github.io/cs3apis/#cs3.sharing.link.v1beta1.Grant) | We send the public link `name` in the `ArbitraryMetadata` of the `ResourceInfo` | -| Open Cloud Mesh | [CreateOCMShareRequest](https://cs3org.github.io/cs3apis/#cs3.sharing.ocm.v1beta1.CreateOCMShareRequest) | [ResourceId](https://cs3org.github.io/cs3apis/#cs3.storage.provider.v1beta1.ResourceId) | OCM [ShareGrant](https://cs3org.github.io/cs3apis/#cs3.sharing.ocm.v1beta1.ShareGrant) | OCM [ProviderInfo](https://cs3org.github.io/cs3apis/#cs3.ocm.provider.v1beta1.ProviderInfo) | - - -{{< hint >}} -The user and public share provider implementations identify the file using the [`ResourceId`](https://cs3org.github.io/cs3apis/#cs3.storage.provider.v1beta1.ResourceId). The [`ResourceInfo`](https://cs3org.github.io/cs3apis/#cs3.storage.provider.v1beta1.ResourceInfo) is passed so the share provider can also store who the owner of the resource is. The *path* is not part of the other API calls, e.g. when listing shares. -The OCM API takes an id based reference on the CS3 api, even if the OCM HTTP endpoint takes a path argument. *@jfd: Why? Does it not need the owner? It only stores the owner of the share, which is always the currently logged-in user, when creating a share. 
Afterwards only the owner can update a share ... so collaborative management of shares is not possible. At least for OCM shares.* -{{< /hint >}} - - -## REVA Storage Registry - -The reva *storage registry* manages the [*CS3 global namespace*]({{< ref "./namespaces.md#cs3-global-namespaces" >}}): -It is used by the reva *gateway* -to look up `address` and `port` of the [*storage provider*]({{< ref "#storage-providers" >}}) -that should handle a [*reference*]({{< ref "#references" >}}). - -{{< figure src="/ocis/storage/static/storageregistry.drawio.svg" >}} diff --git a/docs/ocis/storage/spacesregistry.md b/docs/ocis/storage/spacesregistry.md deleted file mode 100644 index 47ee58bcbc..0000000000 --- a/docs/ocis/storage/spacesregistry.md +++ /dev/null @@ -1,20 +0,0 @@ ---- -title: "Spaces Registry" -date: 2018-05-02T00:00:00+00:00 -weight: 9 -geekdocRepo: https://github.com/owncloud/ocis -geekdocEditPath: edit/master/docs/ocis/storage -geekdocFilePath: spacesregistry.md ---- - -{{< hint warning >}} - -The current implementation in oCIS might not yet fully reflect this concept. Feel free to add links to ADRs, PRs and Issues in short warning boxes like this. - -{{< /hint >}} - -## Storage Space Registries - -A storage *spaces registry* manages the [*namespace*]({{< ref "./namespaces.md" >}}) for a *user*: it is used by *clients* to look up storage spaces a user has access to, the `/dav/spaces` endpoint to access it via WabDAV, and where the client should mount it in the users personal namespace. - -{{< figure src="/ocis/storage/static/spacesregistry.drawio.svg" >}} diff --git a/docs/ocis/storage/static/frontend.drawio.svg b/docs/ocis/storage/static/frontend.drawio.svg deleted file mode 100644 index 45289f3419..0000000000 --- a/docs/ocis/storage/static/frontend.drawio.svg +++ /dev/null @@ -1,303 +0,0 @@ - - - - - - - - -
-
-
- - GET /data/<transfer_token> - -
-
-
-
- - GET /da... - -
-
- - - - - -
-
-
- - PROPFIND /webdav - -
-
-
-
- - PROPFIN... - -
-
- - - - - -
-
-
-
- - POST /ocs/v1/apps/files_sharing/api/v1/shares - -
-
- - path=/path/to/file - -
-
- - shareType=0 - -
-
- - shareWith=<username> - -
-
-
-
-
- - POST /o... - -
-
- - - - -
-
-
- frontend -
-
-
-
- - frontend - -
-
- - - - - - - -
-
-
- datagateway -
-
-
-
- - datagateway - -
-
- - - - -
-
-
- ocdav -
-
-
-
- - ocdav - -
-
- - - - -
-
-
- ocs -
-
-
-
- - ocs - -
-
- - - - -
-
-
- gateway -
-
-
-
- - gateway - -
-
- - - - - - - -
-
-
- storage home | users | ... -
-
-
-
- - storage home | users | ... - -
-
- - - - - - - -
-
-
- storageprovider -
-
-
-
- - storageprovider - -
-
- - - - -
-
-
- dataprovider -
-
-
-
- - dataprovider - -
-
- - - - - -
-
-
- - GET target URL extracted from transfer token (JWT) - -
-
-
-
- - GET tar... - -
-
- - - - - -
-
-
- - Stat -
- ListContainer -
-
-
-
-
- - Stat... - -
-
- - - - - -
-
-
- - Stat -
- CreateShare -
- CreatePublicShare -
- CreateOCMShare -
-
-
-
-
- - Stat... - -
-
-
- - - - - Viewer does not support full SVG 1.1 - - - -
\ No newline at end of file diff --git a/docs/ocis/storage/static/namespaces.drawio.svg b/docs/ocis/storage/static/namespaces.drawio.svg deleted file mode 100644 index b3baa5895a..0000000000 --- a/docs/ocis/storage/static/namespaces.drawio.svg +++ /dev/null @@ -1,341 +0,0 @@ - - - - - - - - -
-
-
- /rel/path/to/file.ext -
-
-
-
- - /rel/p... - -
-
- - - - - -
-
-
-
- / -
-
-
- /home -
-
- /users/<user_layout> -
-
- /public -
-
- /shares -
-
-
-
-
- - /... - -
-
- - - - -
-
-
- storage home -
-
-
-
- - storage home - -
-
- - - - - - -
-
-
- storageprovider -
-
-
-
- - storageprovider - -
-
- - - - -
-
-
- dataprovider -
-
-
-
- - dataprovider - -
-
- - - - -
-
-
- frontend -
-
-
-
- - frontend - -
-
- - - - - - -
-
-
- ocdav -
-
-
-
- - ocdav - -
-
- - - - -
-
-
- ocs -
-
-
-
- - ocs - -
-
- - - - - -
-
-
- - /webdav -
- /dav/files/<username> -
-
-
- - /dav/trash-bin/<username> - -
-
- - /dav/public-files/<token> - -
-
- - /dav/meta/<fileid>/v - -
-
- - /dav/avatars/<username> - -
-
-
-
-
- - /webdav... - -
-
- - - - - -
-
-
- - /ocs/v1.php/apps/files_sharing/api/v1/shares - -
-
-
-
- - /ocs/v1.ph... - -
-
- - - - -
-
-
- gateway -
-
-
-
- - gateway - -
-
- - - - - - -
-
-
- gateway -
-
-
-
- - gateway - -
-
- - - - -
-
-
- authregistry -
-
-
-
- - authregistry - -
-
- - - - -
-
-
- storageregistry -
-
-
-
- - storageregistry - -
-
- - - - - - -
-
-
- oc10 namespace -
- (all paths aere relative to the users home) -
-
-
-
- - oc10 names... - -
-
- - - - -
-
-
- CS3 global namespace -
-
-
-
- - CS3 global... - -
-
-
- - - - - Viewer does not support full SVG 1.1 - - - -
\ No newline at end of file diff --git a/docs/ocis/storage/static/overview.drawio.svg b/docs/ocis/storage/static/overview.drawio.svg deleted file mode 100644 index 8dc5bf16b7..0000000000 --- a/docs/ocis/storage/static/overview.drawio.svg +++ /dev/null @@ -1,685 +0,0 @@ - - - - - - - - - - - - - - - - - -
-
-
- proxy -
-
-
-
- - proxy - -
-
- - - - - - - - - -
-
-
- gateway -
-
-
-
- - gateway - -
-
- - - - - - - -
-
-
- gateway -
-
-
-
- - gateway - -
-
- - - - -
-
-
- authregistry -
-
-
-
- - authregistry - -
-
- - - - -
-
-
- storageregistry -
-
-
-
- - storageregistry - -
-
- - - - - - - - - - -
-
-
- storage users -
-
-
-
- - storage users - -
-
- - - - - - - -
-
-
- storageprovider -
-
-
-
- - storageprovider - -
-
- - - - -
-
-
- dataprovider -
-
-
-
- - dataprovider - -
-
- - - - -
-
-
- storage home -
-
-
-
- - storage home - -
-
- - - - - - - -
-
-
- storageprovider -
-
-
-
- - storageprovider - -
-
- - - - -
-
-
- dataprovider -
-
-
-
- - dataprovider - -
-
- - - - -
-
-
- storage public link -
-
-
-
- - storage public link - -
-
- - - - - - - -
-
-
- publicstorageprovider -
-
-
-
- - publicstorageprovider - -
-
- - - - -
-
-
- authprovider -
- publicshares -
-
-
-
- - authprovider... - -
-
- - - - -
-
-
- storage metadata -
-
-
-
- - storage metadata - -
-
- - - - - - - -
-
-
- storageprovider -
-
-
-
- - storageprovider - -
-
- - - - -
-
-
- dataprovider -
-
-
-
- - dataprovider - -
-
- - - - -
-
-
- sharing -
-
-
-
- - sharing - -
-
- - - - - - - -
-
-
- usershareprovider -
-
-
-
- - usershareprovider - -
-
- - - - -
-
-
- publicshareprovider -
-
-
-
- - publicshareprovider - -
-
- - - - -
-
-
- users -
-
-
-
- - users - -
-
- - - - - - - -
-
-
- userprovider -
-
-
-
- - userprovider - -
-
- - - - -
-
-
- groups -
-
-
-
- - groups - -
-
- - - - - - - -
-
-
- groupprovider -
-
-
-
- - groupprovider - -
-
- - - - -
-
-
- authbasic -
-
-
-
- - authbasic - -
-
- - - - - - - -
-
-
- authprovider -
-
-
-
- - authprovider - -
-
- - - - -
-
-
- authbearer -
-
-
-
- - authbearer - -
-
- - - - - - - -
-
-
- authprovider -
-
-
-
- - authprovider - -
-
- - - - -
-
-
- accounts -
-
-
-
- - accounts - -
-
- - - - - - - - -
-
-
- frontend -
-
-
-
- - frontend - -
-
- - - - - - - -
-
-
- datagateway -
-
-
-
- - datagateway - -
-
- - - - -
-
-
- ocdav -
-
-
-
- - ocdav - -
-
- - - - -
-
-
- ocs -
-
-
-
- - ocs - -
-
- - - - -
-
-
- ocis -
-
-
-
- - ocis - -
-
- - - - -
-
-
- reva -
-
-
-
- - reva - -
-
- - - - -
-
-
- deprecated -
-
-
-
- - deprec... - -
-
-
- - - - - Viewer does not support full SVG 1.1 - - - -
\ No newline at end of file diff --git a/docs/ocis/storage/static/semver-schema.png b/docs/ocis/storage/static/semver-schema.png deleted file mode 100644 index f47823e9f9..0000000000 Binary files a/docs/ocis/storage/static/semver-schema.png and /dev/null differ diff --git a/docs/ocis/storage/static/spacesprovider.drawio.svg b/docs/ocis/storage/static/spacesprovider.drawio.svg deleted file mode 100644 index d122c58f7a..0000000000 --- a/docs/ocis/storage/static/spacesprovider.drawio.svg +++ /dev/null @@ -1,352 +0,0 @@ - - - - - - - -
-
-
- oCIS spaces provider -
- [Software System] -
-
-
-
- - oCIS spaces provider... - -
-
- - - - -
-
-
- - reva storage provider - -
- [Component: golang] -
-
-
- hosts multiple storage spaces using a storage driver -
-
-
-
-
- - reva storage provider... - -
-
- - - - -
-
-
- - reva gateway - -
- [Component: golang] -
-
-
- API facade for internal reva services -
-
-
-
-
- - reva gateway... - -
-
- - - - -
-
-
- - Storage System - -
- [Software System] -
-
-
- provides persistent storage -
-
-
-
-
- - Storage System... - -
-
- - - - - -
-
-
-
-
- - Reads from and writes to - -
-
- [POSIX, S3] -
-
-
-
-
-
- - Reads from and writes to... - -
-
- - - - -
-
-
- - reva frontend - -
- [Component: golang] -
-
-
- handles protocol translation -
-
-
-
-
- - reva frontend... - -
-
- - - - -
-
-
- - oCIS proxy - -
- [Component: golang] -
-
-
- Routes requests to oc10 or ecis -
-
-
-
-
- - oCIS proxy... - -
-
- - - - - -
-
-
-
-
- - Mints an internal JWT -
- and torwards requests to -
-
-
- [WebDAV, OCS, OCM, tus] -
-
-
-
-
-
- - Mints an internal JWT... - -
-
- - - - -
-
-
- - Client - -
- [Container: C++, Kotlin, -
- Swift or Vue] -
-
-
- A desktop, mobile or web Client -
-
-
-
-
- - Client... - -
-
- - - - - -
-
-
-
-
- - Reads from and writes to - -
-
- [WebDAV, libregraph, CS3] -
-
-
-
-
-
- - Reads from and writes to... - -
-
- - - - - -
-
-
-
-
- - Reads from and writes to - -
-
- [CS3, tus] -
-
-
-
-
-
- - Reads from and writes to... - -
-
- - - - - -
-
-
-
-
- - Forwards to - -
-
- [CS3, storage registry] -
-
-
-
-
-
- - Forwards to... - -
-
- - - - -
-
-
-

- C4 Component diagram for an oCIS spaces provider -

-

- An oCIS spaces provider manages resources in storage spaces by persisting them with a specific storage driver in a storage system. -

-

- Date: 2021-07-22T12:40 -

-
-
-
-
- - C4 Component diagram for an oCIS spaces provider... - -
-
-
- - - - - Viewer does not support full SVG 1.1 - - - -
\ No newline at end of file diff --git a/docs/ocis/storage/static/spacesregistry.drawio.svg b/docs/ocis/storage/static/spacesregistry.drawio.svg deleted file mode 100644 index f716b0bb0d..0000000000 --- a/docs/ocis/storage/static/spacesregistry.drawio.svg +++ /dev/null @@ -1,405 +0,0 @@ - - - - - - - -
-
-
- oCIS spaces registry -
- [Software System] -
-
-
-
- - oCIS spaces registry... - -
-
- - - - -
-
-
- - reva storage registry - -
- [Component: golang] -
-
-
- manages and caches storage space metadata -
-
-
-
-
- - reva storage registry... - -
-
- - - - -
-
-
- - reva gateway - -
- [Component: golang] -
-
-
- API facade for internal reva services -
-
-
-
-
- - reva gateway... - -
-
- - - - -
-
-
- - Storage System - -
- [Software System] -
-
-
- provides persistent storage -
-
-
-
-
- - Storage System... - -
-
- - - - - -
-
-
-
-
- - Provisions and manages spaces in - -
-
- [CS3] -
-
-
-
-
-
- - Provisions and manages spaces... - -
-
- - - - -
-
-
- - reva frontend - -
- [Component: golang] -
-
-
- handles protocol translation -
-
-
-
-
- - reva frontend... - -
-
- - - - -
-
-
- - oCIS proxy - -
- [Component: golang] -
-
-
- Routes requests to oc10 or ecis -
-
-
-
-
- - oCIS proxy... - -
-
- - - - - -
-
-
-
-
- - Mints an internal JWT -
- and torwards requests to -
-
-
- [libregraph] -
-
-
-
-
-
- - Mints an internal JWT... - -
-
- - - - -
-
-
- - Client - -
- [Container: C++, Kotlin, -
- Swift or Vue] -
-
-
- A desktop, mobile or web Client -
-
-
-
-
- - Client... - -
-
- - - - - -
-
-
-
-
- - polls or gets notified about changes in - -
-
- [libregraph] -
-
-
-
-
-
- - polls or gets notified about c... - -
-
- - - - - -
-
-
-
-
- - Reads from and writes to - -
-
- [CS3, tus] -
-
-
-
-
-
- - Reads from and writes to... - -
-
- - - - - -
-
-
-
-
- - Lists spaces using - -
-
- [CS3] -
-
-
-
-
-
- - Lists spaces using... - -
-
- - - - -
-
-
-

- C4 Component diagram for an oCIS spaces registry -

-

- An oCIS spaces provider manages resources in storage spaces by persisting them with a specific storage driver in a storage system. -

-

- Date: 2021-07-22T12:40 -

-
-
-
-
- - C4 Component diagram for an oCIS spaces registry... - -
-
- - - - -
-
-
- - reva storage provider - -
- [Component: golang] -
-
-
- hosts multiple storage spaces using a storage driver -
-
-
-
-
- - reva storage provider... - -
-
- - - - - -
-
-
-
-
- - Reads from and writes to - -
-
- [POSIX, S3] -
-
-
-
-
-
- - Reads from and writes to... - -
-
-
- - - - - Viewer does not support full SVG 1.1 - - - -
\ No newline at end of file diff --git a/docs/ocis/storage/static/storage.drawio.svg b/docs/ocis/storage/static/storage.drawio.svg deleted file mode 100644 index fd6e759cf3..0000000000 --- a/docs/ocis/storage/static/storage.drawio.svg +++ /dev/null @@ -1,434 +0,0 @@ - - - - - - - -
-
-
- oCIS System -
- [Software System] -
-
-
-
- - oCIS System... - -
-
- - - - - - -
-
-
- - Einstein - -
- [Person] -
-
-
- End user -
-
-
-
-
- - Einstein... - -
-
- - - - -
-
-
- - Client - -
- [Container: C++, Kotlin, Swift or Vue] -
-
-
- A desktop, mobile or web Client -
-
-
-
-
- - Client... - -
-
- - - - -
-
-
- - Storage Space Registry - -
- [Container: golang, HTTP, libregraph] -
-
-
- Manages spaces for users -
-
-
-
-
- - Storage Space Registry... - -
-
- - - - -
-
-
- - Storage Space Provider - -
- [Container: golang] -
-
-
- Persists storage spaces using reva -
-
-
-
-
- - Storage Space Provider... - -
-
- - - - -
-
-
- - Storage System - -
- [Software System] -
-
-
- provides persistent storage -
-
-
-
-
- - Storage System... - -
-
- - - - - - -
-
-
- - Moss - -
- [Person] -
-
-
- Administrator -
-
-
-
-
- - Moss... - -
-
- - - - - -
-
-
-
-
- - Reads from and writes to - -
-
- [POSIX, S3] -
-
-
-
-
-
- - Reads from and writes to... - -
-
- - - - - -
-
-
-
-
- - Reads from and writes to - -
-
- [WebDAV, libregraph, CS3, tus] -
-
-
-
-
-
- - Reads from and writes to... - -
-
- - - - - -
-
-
-
-
- - Manages the users Storage Spaces in - -
-
- [libregraph] -
-
-
-
-
-
- - Manages the users Storage Spac... - -
-
- - - - - -
-
-
-
-
- - Manages resources with - -
-
- [Web UI or native clients] -
-
-
-
-
-
- - Manages resources with... - -
-
- - - - - -
-
-
-
-
- - Registers itself at and -
- sends space root etag changes to -
-
-
- [CS3, libregraph?, PUSH] -
-
-
-
-
-
- - Registers itself at and... - -
-
- - - - - -
-
-
-
-
- - Manages organizational Storage Spaces in - -
-
- [WebDAV, libregraph, CS3, CLI] -
-
-
-
-
-
- - Manages organizational Storage... - -
-
- - - - -
-
-
- - Identity Management System - -
- [Software System] -
-
-
- provides users and groups -
-
-
-
-
- - Identity Management System... - -
-
- - - - - -
-
-
-
-
- - Authenticates users and searches recipients with - -
-
- [OpenID Connect, LDAP, REST] -
-
-
-
-
-
- - Authenticates users and search... - -
-
- - - - -
-
-
-

- C4 Container diagram for the oCIS System -

-

- As a platform, the oCIS system may not only includes web, mobile and desktop clients but also the underlying storage system or an identity management system -

-

- Date: 2021-07-22T16:43 -

-
-
-
-
- - C4 Container diagram for the oCIS System... - -
-
-
- - - - - Viewer does not support full SVG 1.1 - - - -
\ No newline at end of file diff --git a/docs/ocis/storage/static/storageprovider-spaces.drawio.svg b/docs/ocis/storage/static/storageprovider-spaces.drawio.svg deleted file mode 100644 index 9aed50401d..0000000000 --- a/docs/ocis/storage/static/storageprovider-spaces.drawio.svg +++ /dev/null @@ -1,471 +0,0 @@ - - - - - - - - - -
-
-
- - CS3 -
- storage provider -
- API (GRPC) -
-
-
-
-
-
- - CS3... - -
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
-
- storage provider -
-
-
-
- - storage provider - -
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
- - - - - Viewer does not support full SVG 1.1 - - - -
\ No newline at end of file diff --git a/docs/ocis/storage/static/storageprovider.drawio.svg b/docs/ocis/storage/static/storageprovider.drawio.svg deleted file mode 100644 index e7ba5ea770..0000000000 --- a/docs/ocis/storage/static/storageprovider.drawio.svg +++ /dev/null @@ -1,352 +0,0 @@ - - - - - - - -
-
-
- oCIS storage provider -
- [Software System] -
-
-
-
- - oCIS storage provider... - -
-
- - - - -
-
-
- - reva storage provider - -
- [Component: golang] -
-
-
- hosts multiple storage spaces using a storage driver -
-
-
-
-
- - reva storage provider... - -
-
- - - - -
-
-
- - reva gateway - -
- [Component: golang] -
-
-
- API facade for internal reva services -
-
-
-
-
- - reva gateway... - -
-
- - - - -
-
-
- - Storage System - -
- [Software System] -
-
-
- provides persistent storage -
-
-
-
-
- - Storage System... - -
-
- - - - - -
-
-
-
-
- - Reads from and writes to - -
-
- [POSIX, S3] -
-
-
-
-
-
- - Reads from and writes to... - -
-
- - - - -
-
-
- - reva frontend - -
- [Component: golang] -
-
-
- handles protocol translation -
-
-
-
-
- - reva frontend... - -
-
- - - - -
-
-
- - oCIS proxy - -
- [Component: golang] -
-
-
- Routes requests to oc10 or ecis -
-
-
-
-
- - oCIS proxy... - -
-
- - - - - -
-
-
-
-
- - Mints an internal JWT -
- and torwards requests to -
-
-
- [WebDAV, OCS, OCM, tus] -
-
-
-
-
-
- - Mints an internal JWT... - -
-
- - - - -
-
-
- - Client - -
- [Container: C++, Kotlin, -
- Swift or Vue] -
-
-
- A desktop, mobile or web Client -
-
-
-
-
- - Client... - -
-
- - - - - -
-
-
-
-
- - Reads from and writes to - -
-
- [WebDAV, libregraph, CS3] -
-
-
-
-
-
- - Reads from and writes to... - -
-
- - - - - -
-
-
-
-
- - Reads from and writes to - -
-
- [CS3, tus] -
-
-
-
-
-
- - Reads from and writes to... - -
-
- - - - - -
-
-
-
-
- - Forwards to - -
-
- [CS3, storage registry] -
-
-
-
-
-
- - Forwards to... - -
-
- - - - -
-
-
-

- C4 Component diagram for an oCIS storage provider -

-

- An oCIS storage provider manages resources in storage spaces by persisting them with a specific storage driver in a storage system. -

-

- Date: 2021-07-22T12:40 -

-
-
-
-
- - C4 Component diagram for an oCIS storage provider... - -
-
-
- - - - - Viewer does not support full SVG 1.1 - - - -
\ No newline at end of file diff --git a/docs/ocis/storage/static/storageregistry.drawio.svg b/docs/ocis/storage/static/storageregistry.drawio.svg deleted file mode 100644 index 2b24b386d3..0000000000 --- a/docs/ocis/storage/static/storageregistry.drawio.svg +++ /dev/null @@ -1,233 +0,0 @@ - - - - - - - - -
-
-
- The storage registry currently maps paths and storageids to the -
- - address:port - - of the corresponding storage provider -
-
-
-
- - The storage registry currently maps... - -
-
- - - - - - - -
-
-
- storage registry -
-
-
-
- - storage registry - -
-
- - - - - - - -
-
-
- storage providers -
-
-
-
- - storage providers - -
-
- - - - - - - - - - - - -
-
-
- The gateway uses the storage registry to look up the storage provider that is responsible for path and id based references in incoming requests. -
-
-
-
- - The gateway uses the storage regist... - -
-
- - - - - - - -
-
-
- gateway -
-
-
-
- - gateway - -
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
-
- - / - -
-
-
-
- - / - -
-
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
-
- - / - -
-
-
-
- - / - -
-
-
- - - - - Viewer does not support full SVG 1.1 - - - -
\ No newline at end of file diff --git a/docs/ocis/storage/static/storagespace.drawio.svg b/docs/ocis/storage/static/storagespace.drawio.svg deleted file mode 100644 index 6e60631bac..0000000000 --- a/docs/ocis/storage/static/storagespace.drawio.svg +++ /dev/null @@ -1,163 +0,0 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
-
-
- the root resource of the storage space -
-
-
-
- - the root resource of... - -
-
- - - - -
-
-
- RESOURCE_TYPE_CONTAINER -
-
-
-
- - RESOURCE_TYPE_CONTAINER - -
-
- - - - -
-
-
- RESOURCE_TYPE_FILE -
-
-
-
- - RESOURCE_TYPE_FILE - -
-
- - - - - - -
-
-
- if the gateway encounters a resource type reference it will look it up and replace the reference with the results of the actual node (which can live in another storage provider) -
-
-
-
- - if the gateway encounters a... - -
-
- - - - -
-
-
- every resource can be referenced by path or by id -
-
-
-
- - every resource can be... - -
-
- - - - -
-
-
- RESOURCE_TYPE_SYMLINK -
-
-
-
- - RESOURCE_TYPE_SYMLINK - -
-
- - - - - - - - -
-
-
- RESOURCE_TYPE_REFERENCE -
-
-
-
- - RESOURCE_TYPE_REFERENCE - -
-
-
- - - - - Viewer does not support full SVG 1.1 - - - -
\ No newline at end of file diff --git a/docs/ocis/storage/storagedrivers.md b/docs/ocis/storage/storagedrivers.md deleted file mode 100644 index 9a8ca3eefe..0000000000 --- a/docs/ocis/storage/storagedrivers.md +++ /dev/null 
@@ -1,186 +0,0 @@ ---- -title: "Storage drivers" -date: 2020-04-27T18:46:00+01:00 -weight: 12 -geekdocRepo: https://github.com/owncloud/ocis -geekdocEditPath: edit/master/docs/ocis/storage -geekdocFilePath: storagedrivers.md ---- - -A *storage driver* implements access to a [*storage system*]({{< ref "#storage-systems" >}}): - -It maps the *path* and *id* based CS3 *references* to an appropriate [*storage system*]({{< ref "#storage-systems" >}}) specific reference, e.g.: -- eos file ids -- posix inodes or paths -- deconstructed filesystem nodes - -## Storage providers - -To manage the file tree oCIS uses *storage providers* that are accessing the underlying storage using a *storage driver*. The driver can be used to change the implementation of a storage aspect to better reflect the actual underlying storage capabilities. As an example a move operation on a POSIX filesystem ([theoretically](https://danluu.com/deconstruct-files/)) is an atomic operation. When trying to implement a file tree on top of S3 there is no native move operation that can be used. A naive implementation might fall back on a COPY and DELETE. Some S3 implementations provide a COPY operation that uses an existing key as the source, so the file at least does not need to be reuploaded. In the worst case scenario, which is renaming a folder with hundreds of thousands of objects, a reupload for every file has to be made. Instead of hiding this complexity a better choice might be to disable renaming of files or at least folders on S3. There are however implementations of filesystems on top of S3 that store the tree metadata in dedicated objects or use a completely different persistence mechanism like a distributed key value store to implement the file tree aspect of a storage. - - -{{< hint info >}} -While the *storage provider* is responsible for managing the tree, file up- and downloads are delegated to a dedicated *data provider*. See below. 
-{{< /hint >}} - -## Storage aspects -A lot of different storage technologies exist, ranging from general purpose file systems with POSIX semantics to software defined storage with multiple APIs. Choosing any of them is making a tradeoff decision. Or, if a storage technology is already in place it automatically predetermines the capabilities that can be made available. *Not all storage systems are created equal.* - -Unfortunately, no POSIX filesystem natively supports all storage aspects that ownCloud 10 requires: - -### A hierarchical file tree -An important aspect of a filesystem is organizing files and directories in a file hierarchy, or tree. It allows you to create, move and delete nodes. Beside the name a node also has well known metadata like size and mtime that are persisted in the tree as well. - -{{< hint info >}} -**Folders are not directories** -There is a difference between *folder* and *directory*: a *directory* is a file system concept. A *folder* is a metaphor for the concept of a physical file folder. There are also *virtual folders* or *smart folders* like the recent files folder which are no file system *directories*. So, every *directory* and every *virtual folder* is a *folder*, but not every *folder* is a *directory*. See [the folder metaphor in wikipedia](https://en.wikipedia.org/wiki/Directory_(computing)#Folder_metaphor). Also see the activity history below. -{{< /hint >}} - -#### Id based lookup -While traditionally nodes in the tree are reached by traversing the path the tree persistence should be prepared to look up a node by an id. Think of an inode in a POSIX filesystem. If this operation needs to be cached for performance reasons keep in mind that cache invalidation is hard and crawling all files to update the inode to path mapping takes O(n), not O(1). - -#### ETag propagation -For the state based sync a client can discover changes by recursively descending the tree and comparing the ETag for every node. 
If the storage technology supports propagating ETag changes up the tree, only the root node of a tree needs to be checked to determine if a discovery needs to be started and which nodes need to be traversed. This allows using the storage technology itself to persist all metadata that is necessary for sync, without additional services or caches. - -#### Subtree size accounting -The tree can keep track of how many bytes are stored in a folder. Similar to ETag propagation a change in file size is propagated up the hierarchy. - -{{< hint info >}} -**ETag and Size propagation** -When propagating the ETag (mtime) and size changes up the tree the question is where to stop. If all changes need to be propagated to the root of a storage then the root or busy folders will become a hotspot. There are two things to keep in mind: 1. propagation only happens up to the root of a single space (a user private drive or a single group drive), 2. no cross storage propagation. The latter was used in oc10 to let clients detect when a file in a received shared folder changed. This functionality is moving to the storage registry which caches the ETag for every root so clients can discover if and which storage changed. -{{< /hint >}} - -#### Rename -Depending on the underlying storage technology some operations may either be slow, up to a point where it makes more sense to disable them entirely. One example is a folder rename: on S3 a *simple* folder rename translates to a copy and delete operation for every child of the renamed folder. There is an exception though: this restriction only applies if the S3 storage is treated like a filesystem, where the keys are the path and the value is the file content. There are smarter ways to implement file systems on top of S3, but again: there is always a tradeoff. 
- -{{< hint info >}} -**S3 has no rename** -Technically, [S3 has no rename operation at all](https://docs.aws.amazon.com/sdk-for-java/v1/developer-guide/examples-s3-objects.html#copy-object). By design, the location of the value is determined by the key, so it always has to do a copy and delete. Another example is the [redis RENAME operation](https://redis.io/commands/rename): while being specified as O(1) it *executes an implicit DEL operation, so if the deleted key contains a very big value it may cause high latency...* -{{< /hint >}} - -#### Arbitrary metadata persistence -In addition to well known metadata like name size and mtime, users might be able to add arbitrary metadata like tags, comments or [dublin core](https://en.wikipedia.org/wiki/Dublin_Core). In POSIX filesystems this maps to extended attributes. - -### Grant persistence -The CS3 API uses grants to describe access permissions. Storage systems have a wide range of permissions granularity and not all grants may be supported by every storage driver. POSIX ACLs for example have no expiry. If the storage system does not support certain grant properties, e.g. expiry, then the storage driver may choose to implement them in a different way. Expiries could be persisted in a different way and checked periodically to remove the grants. Again: every decision is a tradeoff. - -### Trash persistence -After deleting a node the storage allows listing the deleted nodes and has an undo mechanism for them. - -### Versions persistence -A user can restore a previous version of a file. - -{{< hint info >}} -**Snapshots are not versions** -Modern POSIX filesystems support snapshotting of volumes. This is different from keeping track of versions to a file or folder, but might be another implementation strategy for a storage driver to allow users to restore content. -{{< /hint >}} - -### Activity History -The storage keeps an activity history, tracking the different actions that have been performed. 
This does not only include file changes but also metadata changes like renames and permission changes. - -## Storage drivers - -Reva currently has several storage driver implementations that can be used for *storage providers* as well as *data providers*. - -### OCIS and S3NG Storage Driver - -The oCIS storage driver is the default storage driver. It decomposes the metadata and persists it in a POSIX filesystem. Blobs are stored on the filesystem as well. The layout makes extensive use of symlinks and extended attributes. A filesystem like xfs or zfs without practical inode size limitations is recommended. We will evolve this to further integrate with file systems like cephfs or gpfs. - -{{< hint warning >}} -Ext4 limits the number of bytes that can be used for extended attribute names and their values to the size of a single block (by default 4k). This reduces the number of shares for a single file or folder to roughly 20-30, as grants have to share the available space with other metadata. -{{< /hint >}} - -The S3NG storage driver uses the same metadata layout on a POSIX storage as the oCIS driver, but it uses S3 as the blob storage. - -#### Tradeoffs -➕ Efficient ID based lookup - -➕ Leverages Kernel VFS cache - -➕ No database needed - -➖ Not intended to be accessed by end users on the server side as it does not reflect a normal filesystem on disk - -➖ Metadata limited by Kernel VFS limits (see below) - -#### Related Kernel limits -The Decomposed FS currently stores CS3 grants in extended attributes. When listing extended attributes the result is currently limited to 64kB. Assuming a 20 byte uuid a grant has ~40 bytes. Which would limit the number of extended attributes to ~1630 entries or ~1600 shares. This can be extended by moving the grants from extended attributes into a dedicated file and is tracked in [ocis/issues/4638](https://github.com/owncloud/ocis/issues/4638). 
- -From [Wikipedia on Extended file attributes](https://en.wikipedia.org/wiki/Extended_file_attributes#Linux): -> The Linux kernel allows extended attribute to have names of up to 255 bytes and values of up to 64 KiB,[14] as do XFS and ReiserFS, but ext2/3/4 and btrfs impose much smaller limits, requiring all the attributes (names and values) of one file to fit in one "filesystem block" (usually 4 KiB). Per POSIX.1e,[citation needed] the names are required to start with one of security, system, trusted, and user plus a period. This defines the four namespaces of extended attributes.[15] - -And from the [man page on listxattr](https://www.man7.org/linux/man-pages/man2/listxattr.2.html): -> As noted in xattr(7), the VFS imposes a limit of 64 kB on the size of the extended attribute name list returned by listxattr(7). If the total size of attribute names attached to a file exceeds this limit, it is no longer possible to retrieve the list of attribute names. - -### Local Storage Driver - -The *minimal* storage driver for a POSIX based filesystem. It literally supports none of the storage aspect other than basic file tree management. Sharing can - to a degree - be implemented using POSIX ACLs. - -- tree provided by a POSIX filesystem - - inefficient path by id lookup, currently uses the file path as id, so ids are not stable - - can store a uuid in extended attributes and use a cache to look them up, similar to the ownCloud driver - - no native ETag propagation, five options are available: - - built in propagation (changes bypassing ocis are not picked up until a rescan) - - built in inotify (requires 48 bytes of RAM per file, needs to keep track of every file and folder) - - external inotify (same RAM requirement, but could be triggered by external tools, e.g. 
a workflow engine) - - kernel audit log (use the linux kernel audit to capture file events on the storage and offload them to a queue) - - fuse filesystem overlay - - no subtree accounting, same options as for ETag propagation - - efficient rename - - arbitrary metadata using extended attributes -- grant persistence - - using POSIX ACLs - - requires an LDAP server to make guest accounts available in the OS - - an existing LDAP could be used if guests ar provisioned in another way - - using extended attributes to implement expiry or sharing that does not require OS level integration - - fuse filesystem overlay -- no native trash - - could use [The FreeDesktop.org Trash specification](https://specifications.freedesktop.org/trash-spec/trashspec-latest.html) - - fuse filesystem overlay -- no native versions, multiple options possible - - git for folders - - rcs for single files - - rsnapshot for hourly / daily / weekly / monthly backups ... but this is not versioning as known from oc10 - - design new freedesktop spec, basically what is done in oc10 without the limitations or borrow ideas from the freedesktop trash spec - - fuse filesystem overlay - -To provide the other storage aspects we plan to implement a FUSE overlay filesystem which will add the different aspects on top of local filesystems like ext4, btrfs or xfs. It should work on NFSv4 as well, although NFSv4 supports RichACLs and we will explore how to leverage them to implement sharing at a future date. The idea is to use the storages native capabilities to deliver the best user experience. But again: that means making the right tradeoffs. - -### EOS Storage Driver - -The CERN eos storage has evolved with ownCloud and natively supports id based lookup, ETag propagation, subtree size accounting, sharing, trash and versions. 
To use it you need to change the default configuration of the `storage storage-home` command (or have a look at the Makefile ̀ eos-start` target): - -``` -export STORAGE_DRIVER_EOS_NAMESPACE=/eos -export STORAGE_DRIVER_EOS_MASTER_URL="root://eos-mgm1.eoscluster.cern.ch:1094" -export STORAGE_DRIVER_EOS_ENABLE_HOME=true -export STORAGE_DRIVER_EOS_LAYOUT="dockertest/{{.Username}}" -``` - -Running it locally also requires the `eos` and `xrootd` binaries. Running it using `make eos-start` will use CentOS based containers that already have the necessary packages installed. - -{{< hint info >}} -Pull requests to add explicit `storage storage-(s3|custom|...)` commands with working defaults are welcome. -{{< /hint >}} - -### S3 Storage Driver - -A naive driver that treats the keys in an S3 capable storage as `/` delimited path names. While it does not support MOVE or ETag propagation it can be used to read and write files. Better integration with native capabilities like versioning is possible but depends on the Use Case. Several storage solutions that provide an S3 interface also support some form of notifications that can be used to implement ETag propagation. - -## Data Providers - -Clients using the CS3 API use an [InitiateFileDownload](https://cs3org.github.io/cs3apis/#cs3.storage.provider.v1beta1.InitiateFileDownloadRequest) and [InitiateUpload](https://cs3org.github.io/cs3apis/#cs3.storage.provider.v1beta1.InitiateFileUploadRequest) request at the [storage gateway](https://cs3org.github.io/cs3apis/#cs3.gateway.v1beta1.GatewayAPI) to obtain a URL endpoint that can be used to either GET the file content or upload content using the resumable [tus.io](https://tus.io) protocol. - -The *data provider* uses the same *storage driver* as the *storage provider* but can be scaled independently. - -The dataprovider allows uploading the file to a quarantine area where further data analysis may happen before making the file accessible again. 
One use case for this is antivirus scanning for files coming from untrusted sources. - -## Future work - -### FUSE overlay filesystem -We are planning to further separate the concerns and use a local storage provider with a FUSE filesystem overlaying the actual POSIX storage that can be used to capture deletes and writes that might happen outside of ocis/reva. - -It would allow us to extend the local storage driver with missing storage aspects while keeping a tree like filesystem that end users are used to see when sshing into the machine. - -### Upload to Quarantine area -Antivirus scanning of random files uploaded from untrusted sources and executing metadata extraction or thumbnail generation should happen in a sandboxed system to prevent malicious users from gaining any information about the system. By spawning a new container with access to only the uploaded data we can further limit the attack surface. diff --git a/docs/ocis/storage/terminology.md b/docs/ocis/storage/terminology.md deleted file mode 100644 index 3676e82a14..0000000000 --- a/docs/ocis/storage/terminology.md +++ /dev/null 
@@ -1,100 +0,0 @@
----
-title: "Terminology"
-date: 2018-05-02T00:00:00+00:00
-weight: 17
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/ocis/storage
-geekdocFilePath: terminology.md
----
-
-Communication is hard. And clear communication is even harder. You may encounter the following terms throughout the documentation, in the code or when talking to other developers. Just keep in mind that whenever you hear or read *storage*, that term needs to be clarified, because on its own it is too vague. PR welcome.
-
-## Logical concepts
-
-### Resources
-A *resource* is the basic building block that oCIS manages. It can be of [different types](https://cs3org.github.io/cs3apis/#cs3.storage.provider.v1beta1.ResourceType):
-- an actual *file*
-- a *container*, e.g. a folder or bucket
-- a *symlink*, or
-- a [*reference*]({{< ref "#references" >}}) which can point to a resource in another [*storage provider*]({{< ref "#storage-providers" >}})
-
-### References
-A *reference* identifies a [*resource*]({{< ref "#resources" >}}). A [*CS3 reference*](https://cs3org.github.io/cs3apis/#cs3.storage.provider.v1beta1.Reference) can carry a *path* and a [CS3 *resource id*](https://cs3org.github.io/cs3apis/#cs3.storage.provider.v1beta1.ResourceId). The references come in two flavors: absolute and combined.
-Absolute references have either the *path* or the *resource id* set:
-- An absolute *path* MUST start with a `/`. The *resource id* MUST be empty.
-- An absolute *resource id* uniquely identifies a [*resource*]({{< ref "#resources" >}}) and is used as a stable identifier for sharing. The *path* MUST be empty.
-Combined references have both, *path* and *resource id* set:
-- the *resource id* identifies the root [*resource*]({{< ref "#resources" >}})
-- the *path* is relative to that root. It MUST start with `.`
-## References
-
-A *reference* is a logical concept that identifies a [*resource*]({{< ref "#resources" >}}). A [*CS3 reference*](https://cs3org.github.io/cs3apis/#cs3.storage.provider.v1beta1.Reference) consists of either
-- a *path* based reference, used to identify a [*resource*]({{< ref "#resources" >}}) in the [*namespace*]({{< ref "./namespaces.md" >}}) of a [*storage provider*]({{< ref "#storage-providers" >}}). It must start with a `/`.
-- a [CS3 *id* based reference](https://cs3org.github.io/cs3apis/#cs3.storage.provider.v1beta1.ResourceId), uniquely identifying a [*resource*]({{< ref "#resources" >}}) in the [*namespace*]({{< ref "./namespaces.md" >}}) of a [*storage provider*]({{< ref "#storage-providers" >}}). It consists of a `storage provider id` and an `opaque id`. The `storage provider id` must NOT start with a `/`.
-
-{{< hint info >}}
-The `/` is important because currently the static [*storage registry*]({{< ref "#storage-space-registries" >}}) uses a map to look up which [*storage provider*]({{< ref "#storage-providers" >}}) is responsible for the resource. Paths must be prefixed with `/` so there can be no collisions between paths and storage provider ids in the same map.
-{{< /hint >}}
-
-## Storage Drivers
-
-A *storage driver* implements access to a [*storage system*]({{< ref "#storage-systems" >}}):
-
-It maps the *path* and *id* based CS3 *references* to an appropriate [*storage system*]({{< ref "#storage-systems" >}}) specific reference, e.g.:
-- eos file ids
-- posix inodes or paths
-- deconstructed filesystem nodes
-
-{{< hint warning >}}
-**Proposed Change**
-iOS clients can only queue single requests to be executed in the background. The queue an upload and need to be able to identify the uploaded file after it has been uploaded to the server. The disconnected nature of the connection might cause workflows or manual user interaction with the file on the server to move the file to a different place or changing the content while the device is offline. However, on the device users might have marked the file as favorite or added it to other iOS specific collections. To be able to reliably identify the file the client can generate a `uuid` and attach it to the file metadata during the upload. While it is not necessary to look up files by this `uuid` having a second file id that serves exactly the same purpose as the `file id` is redundant.
-
-Another aspect for the `file id` / `uuid` is that it must be a logical identifier that can be set, at least by internal systems. Without a writeable fileid we cannot restore backups or migrate storage spaces from one storage provider to another storage provider.
-
-Technically, this means that every storage driver needs to have a map of a `uuid` to in internal resource identifier. This internal resource identifier can be
-- an eos fileid, because eos can look up files by id
-- an inode if the filesystem and the storage driver support looking up by inode
-- a path if the storage driver has no way of looking up files by id.
- - In this case other mechanisms like inotify, kernel audit or a fuse overlay might be used to keep the paths up to date.
- - to prevent excessive writes when deep folders are renamed a reverse map might be used: it will map the `uuid` to `:`, allowing to trade writes for reads
-
-{{< /hint >}}
-## Storage Providers
-
-## Technical concepts
-
-### Storage Systems
-{{< figure src="/ocis/storage/static/storageprovider.drawio.svg" >}}
-
-A *storage provider* manages multiple [*storage spaces*]({{< ref "#storage-space" >}})
-by accessing a [*storage system*]({{< ref "#storage-systems" >}}) with a [*storage driver*]({{< ref "#storage-drivers" >}}).
-
-{{< figure src="/ocis/storage/static/storageprovider-spaces.drawio.svg" >}}
-
-## Storage Space Registries
-
-A [*storage spaces registry*]({{< ref "./spacesregistry.md" >}}) manages the [*namespace*]({{< ref "./namespaces.md" >}}) for a *user*
-
-## Storage Spaces
-A *storage space* is a logical concept:
-It is a tree of [*resources*]({{< ref "#resources" >}})*resources*
-with a single *owner* (*user* or *group*),
-a *quota* and *permissions*, identified by a `storage space id`.
-
-{{< figure src="/ocis/storage/static/storagespace.drawio.svg" >}}
-
-Examples would be every user's home storage space, project storage spaces or group storage spaces. While they all serve different purposes and may or may not have workflows like antivirus scanning enabled, we need a way to identify and manage these subtrees in a generic way. By creating a dedicated concept for them this becomes easier and literally makes the codebase cleaner. A [*storage space registry*]({{< ref "#storage-space-registries" >}}) then allows listing the capabilities of [*storage spaces*]({{< ref "#storage-spaces" >}}), e.g. free space, quota, owner, syncable, root etag, upload workflow steps, ...
-
-Finally, a logical `storage space id` is not tied to a specific [*storage provider*]({{< ref "#storage-providers" >}}). If the [*storage driver*]({{< ref "#storage-drivers" >}}) supports it, we can import existing files including their `file id`, which makes it possible to move [*storage spaces*]({{< ref "#storage-spaces" >}}) between [*storage providers*]({{< ref "#storage-providers" >}}) to implement storage classes, e.g. with or without archival, workflows, on SSDs or HDDs.
-
-## Shares
-*To be clarified: we are aware that [*storage spaces*]({{< ref "#storage-spaces" >}}) may be too 'heavyweight' for ad hoc sharing with groups. That being said, there is no technical reason why group shares should not be treated like [*storage spaces*]({{< ref "#storage-spaces" >}}) that users can provision themselves. They would share the quota with the users home [*storage space*]({{< ref "#storage-spaces" >}}) and the share initiator would be the sole owner. Technically, the mechanism of treating a share like a new [*storage space*]({{< ref "#storage-spaces" >}}) would be the same. This obviously also extends to user shares and even file individual shares that would be wrapped in a virtual collection. It would also become possible to share collections of arbitrary files in a single storage space, e.g. the ten best pictures from a large album.*
-
-
-## Storage Systems
-Every *storage system* has different native capabilities like id and path based lookups, recursive change time propagation, permissions, trash, versions, archival and more.
-A [*storage provider*]({{< ref "#storage-providers" >}}) makes the storage system available in the CS3 API by wrapping the capabilities as good as possible using a [*storage driver*]({{< ref "./storagedrivers.md" >}}).
-There might be multiple [*storage drivers*]({{< ref "./storagedrivers.md" >}}) for a *storage system*, implementing different tradeoffs to match varying requirements.
-
-### Gateways
-A *gateway* acts as a facade to the storage related services. It authenticates and forwards API calls that are publicly accessible.
diff --git a/docs/ocis/storage/users.md b/docs/ocis/storage/users.md
deleted file mode 100644
index adf04599f4..0000000000
--- a/docs/ocis/storage/users.md
+++ /dev/null
@@ -1,64 +0,0 @@ ---- -title: "Users" -date: 2020-01-16T00:00:00+00:00 -weight: 17 -geekdocRepo: https://github.com/owncloud/ocis -geekdocEditPath: edit/master/docs/ocis/storage -geekdocFilePath: users.md ---- - -TODO add this to the storage overview? or is this a different part? That should be started as a separate service ? And documented elsewhere, e.g. in the accounts? - -### User and Group provisioning - -In oc10 users are identified by a username, which cannot change, because it is used as a foreign key in several tables. For oCIS we are internally identifying users by a UUID, while using the username in the WebDAV and OCS APIs for backwards compatability. To distinguish this in the URLs we are using `` instead of ``. You may have encountered ``, which refers to a template that can be configured to build several path segments by filling in user properties, e.g. the first character of the username (`{{substr 0 1 .Username}}/{{.Username}}`), the identity provider (`{{.Id.Idp}}/{{.Username}}`) or the email (`{{.Mail}}`) - -{{< hint warning >}} -Make no mistake, the [OCS Provisioning API](https://doc.owncloud.com/server/developer_manual/core/apis/provisioning-api.html) uses `userid` while it actually is the username, because it is what you use to login. -{{< /hint >}} - -We are currently working on adding [user management through the CS3 API](https://github.com/owncloud/ocis/pull/1930) to handle user and group provisioning (and deprovisioning). - -### Demo driver - -This is a simple user driver for testing. 
It contains three users: -``` -einstein:relativity -marie:radioactivity -richard:superfluidity -``` -In order to use the `demo` driver you need to export the relevant environment variable: -``` -export STORAGE_USERS_DRIVER=demo -``` - -### JSON driver - -In order to switch from the `ldap` driver to JSON based users you need to export the relevant environment variables: -``` -export STORAGE_USERS_DRIVER=json -export STORAGE_USERS_JSON=/path/to/users.json -``` - -For the format of the users.json have a look at the [reva examples](https://github.com/cs3org/reva/blob/master/examples/oc-phoenix/users.demo.json) - -### LDAP driver - -This is the default user driver. - -If the following defaults don't match your environment then change them accordingly: -``` -export STORAGE_LDAP_HOSTNAME=localhost -export STORAGE_LDAP_PORT=9126 -export STORAGE_LDAP_BASE_DN='dc=ocis,dc=test' -export STORAGE_LDAP_USER_FILTER='(&(objectclass=posixAccount)(cn=%s))' -export STORAGE_LDAP_GROUP_FILTER='(&(objectclass=posixGroup)(cn=%s))' -export STORAGE_LDAP_BIND_DN='cn=reva,ou=sysusers,dc=ocis,dc=test' -export STORAGE_LDAP_BIND_PASSWORD=reva -export STORAGE_LDAP_USER_SCHEMA_UID=uid -export STORAGE_LDAP_USER_SCHEMA_MAIL=mail -export STORAGE_LDAP_USER_SCHEMA_DISPLAYNAME=sn -export STORAGE_LDAP_USER_SCHEMA_CN=cn -``` - -Then restart the `bin/storage users` and `bin/storage auth-basic` services for the changes to take effect. diff --git a/docs/ocis/storage_registry_discovery.md b/docs/ocis/storage_registry_discovery.md deleted file mode 100644 index 4ba72aeb4a..0000000000 --- a/docs/ocis/storage_registry_discovery.md +++ /dev/null 
@@ -1,107 +0,0 @@ ---- -title: "Storage Registry Discovery" -date: 2021-05-04T14:01:00+01:00 -weight: 40 -geekdocRepo: https://github.com/owncloud/ocis -geekdocEditPath: edit/master/docs/ocis -geekdocFilePath: storage_registry_discovery.md ---- - -## Introduction - -In order for an oCIS client to access oCIS storage spaces for an End-User, the client needs to know where the oCIS instance is. oCIS uses WebFinger [RFC7033](http://tools.ietf.org/html/rfc7033) to locate the oCIS instance for an End-User. - -This discovery is optional. If the client has another way of discovering the OpenID instance, e.g. when logging in with a username a static domain might be configured or the domain in the URL might be used. - -For guest accounts that do not have an OIDC issuer or whose IdP is not part of a trusted federation clients may fall back to a local IdP. - -## User Input using E-Mail Address Syntax - -To find the oCIS instance for the given user input in the form of an e-mail address `joe@example.com`, the WebFinger parameters are as follows: - -| WebFinger Parameter | Value | -|-|-| -| `resource` | `acct:joe@example.com` | -| `host` | `example.com` | -| `rel` | http://owncloud.com/specs/ocis/1.0/instance | - -Note that in this case, [the `acct:` scheme](http://tools.ietf.org/html/draft-ietf-appsawg-acct-uri-07) is prepended to the identifier. - -The client (relying party) would make the following WebFinger request to discover the oCIS instance location (with line wraps within lines for display purposes only): - -``` - GET /.well-known/webfinger - ?resource=acct%3Ajoe%40example.com - &rel=http%3A%2F%2Fowncloud.com%2Fspecs%2Focis%2F1.0%2Finstance - HTTP/1.1 - Host: example.com - - HTTP/1.1 200 OK - Content-Type: application/jrd+json - - { - "subject": "acct:joe@example.com", - "links": - [ - { - "rel": "http://owncloud.com/specs/ocis/1.0/instance", - "href": "https://cloud.example.com" - } - ] - } -``` - -{{< hint >}} -Note: the `example.com` domain is derived from the email. 
-{{< /hint >}} - -{{< hint danger >}} -The `https://cloud.example.com` domain above would point to the ocis instance. -TODO that ins ocis web ... not the registry ... hmmmm -maybe introduce an ocis provider which then has an `/.well-known/ocis-configuration`, similar to `/.well-known/openid-configuration`? -It would contain -- the ocis domain, e.g. `https://cloud.example.com` -- the web endpoint, e.g. `https://cloud.example.com` -- the registry / drives endpoint, e.g. `https://cloud.example.com/graph/v0.1/drives/me` see [Add draft of adr for spaces API. #1827](https://github.com/owncloud/ocis/pull/1827) - - -example: -``` -HTTP/1.1 200 OK - Content-Type: application/json - - { - "instance": "https://cloud.example.com", - "graph_endpoint": "https://cloud.example.com/graph/v0.0", - "ocis_web_config": "https://cloud.example.com/web/config.json", - "issuer": "https://idp.example.com", - } -``` - -`graph_endpoint` is the open-graph-api endpoint that is used to list storage spaces at e.g. `https://cloud.example.com/graph/v0.1/me/drives`. - -`ocis_web_config` points ocis web to the config for the instance. Maybe we can add more config in the `/.well-known/ocis-configuration` to replace the config.json? Is this the new status.php? How safe is it to expose all this info ...? - -The `issuer` could be used to detect the issuer that is used if no other issuer is found ... might be a fallback_issuer, but actually we may decide to skid the OIDC discovery and rely on this property. Maybe we need it if no IdP is present yet or the `/.well-known/openid-configuration` is not set up / reachable. - - -{{< /hint >}} - -## Obtaining oCIS Provider Configuration Information -Using the `instance` location discovered as described above or by other means, the oCIS Provider's configuration information can be retrieved. - -oCIS Providers supporting Discovery MUST make a JSON document available at the path formed by concatenating the string `/.well-known/openid-configuration` to the `instance`. 
The syntax and semantics of `.well-known` are defined in [RFC5785](http://tools.ietf.org/html/rfc5785) and apply to the `instance` value when it contains no path component. `ocis-configuration` MUST point to a JSON document compliant with this specification and MUST be returned using the `application/json` content type. - -### oCIS Provider Configuration Request - -An oCIS Provider Configuration Document MUST be queried using an HTTP GET request at the previously specified path. - -The client (relying party) would make the following request to the instance https://example.com to obtain its Configuration information, since the Issuer contains no path component: - - GET /.well-known/openid-configuration HTTP/1.1 - Host: example.com -If the Issuer value contains a path component, any terminating / MUST be removed before appending /.well-known/openid-configuration. The RP would make the following request to the Issuer https://example.com/issuer1 to obtain its Configuration information, since the Issuer contains a path component: - - GET /issuer1/.well-known/openid-configuration HTTP/1.1 - Host: example.com -Using path components enables supporting multiple issuers per host. This is required in some multi-tenant hosting configurations. This use of .well-known is for supporting multiple issuers per host; unlike its use in RFC 5785 [RFC5785], it does not provide general information about the host. \ No newline at end of file diff --git a/docs/services/_includes/.gitignore b/docs/services/_includes/.gitignore deleted file mode 100644 index 9d0d8ab10d..0000000000 --- a/docs/services/_includes/.gitignore +++ /dev/null @@ -1,4 +0,0 @@ -*_configvars.md -*-example.yaml -adoc/*adoc -adoc/env-var-deltas/*adoc diff --git a/docs/services/_includes/_index.md b/docs/services/_includes/_index.md deleted file mode 100644 index b58ce0c82f..0000000000 --- a/docs/services/_includes/_index.md +++ /dev/null @@ -1,3 +0,0 @@ ---- -GeekdocHidden: true ---- \ No newline at end of file 
diff --git a/docs/services/_includes/adoc/.gitkeep b/docs/services/_includes/adoc/.gitkeep
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/docs/services/_includes/adoc/env-var-deltas/.gitkeep b/docs/services/_includes/adoc/env-var-deltas/.gitkeep
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/docs/services/_index.md b/docs/services/_index.md
deleted file mode 100644
index bfa8cb0874..0000000000
--- a/docs/services/_index.md
+++ /dev/null
@@ -1,15 +0,0 @@
----
-title: Services
-date: 2023-12-06T13:00:00+01:00
-weight: 10
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/services/
-geekdocFilePath: _index.md
-geekdocCollapseSection: true
----
-
-The documentation of services is intended for developers and only reflects the state of the master branch of the ocis repo.
-
-{{< hint warning >}}
-See the [admin documentation](https://doc.owncloud.com/ocis/next/deployment/services/services.html) which provides versioned content suitable for administrators. This documentation also offers other useful information including deployment guides.
-{{< /hint >}}
diff --git a/docs/services/antivirus/configuration.md b/docs/services/antivirus/configuration.md
deleted file mode 100644
index 98a05bc7a6..0000000000
--- a/docs/services/antivirus/configuration.md
+++ /dev/null
@@ -1,15 +0,0 @@
----
-title: Service Configuration
-date: 2023-03-16T00:00:00+00:00
-weight: 20
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/services/antivirus
-geekdocFilePath: configuration.md
-geekdocCollapseSection: true
----
-
-## Example YAML Config
-
-{{< include file="services/_includes/antivirus-config-example.yaml" language="yaml" >}}
-
-{{< include file="services/_includes/antivirus_configvars.md" >}}
diff --git a/docs/services/app-provider/_index.md b/docs/services/app-provider/_index.md
deleted file mode 100644
index c26192066e..0000000000
--- a/docs/services/app-provider/_index.md
+++ /dev/null
@@ -1,16 +0,0 @@
----
-title: App-Provider
-date: 2022-03-02T00:00:00+00:00
-weight: 20
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/services/app-provider
-geekdocFilePath: _index.md
-geekdocCollapseSection: true
----
-
-## Abstract
-
-
-## Table of Contents
-
-{{< toc-tree >}}
diff --git a/docs/services/app-provider/configuration.md b/docs/services/app-provider/configuration.md
deleted file mode 100644
index b215390a30..0000000000
--- a/docs/services/app-provider/configuration.md
+++ /dev/null
@@ -1,15 +0,0 @@
----
-title: Service Configuration
-date: 2018-05-02T00:00:00+00:00
-weight: 20
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/services/app-provider
-geekdocFilePath: configuration.md
-geekdocCollapseSection: true
----
-
-## Example YAML Config
-
-{{< include file="services/_includes/app-provider-config-example.yaml" language="yaml" >}}
-
-{{< include file="services/_includes/app-provider_configvars.md" >}}
diff --git a/docs/services/app-registry/configuration.md b/docs/services/app-registry/configuration.md
deleted file mode 100644
index ed96c59023..0000000000
--- a/docs/services/app-registry/configuration.md
+++ /dev/null
@@ -1,15 +0,0 @@
----
-title: Service Configuration
-date: 2018-05-02T00:00:00+00:00
-weight: 20
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/services/app-registry
-geekdocFilePath: configuration.md
-geekdocCollapseSection: true
----
-
-## Example YAML Config
-
-{{< include file="services/_includes/app-registry-config-example.yaml" language="yaml" >}}
-
-{{< include file="services/_includes/app-registry_configvars.md" >}}
diff --git a/docs/services/audit/configuration.md b/docs/services/audit/configuration.md
deleted file mode 100644
index fd8026dacd..0000000000
--- a/docs/services/audit/configuration.md
+++ /dev/null
@@ -1,16 +0,0 @@
----
-title: Service Configuration
-date: 2018-05-02T00:00:00+00:00
-weight: 20
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/services/audit
-geekdocFilePath: configuration.md
-geekdocCollapseSection: true
----
-
-
-## Example YAML Config
-
-{{< include file="services/_includes/audit-config-example.yaml" language="yaml" >}}
-
-{{< include file="services/_includes/audit_configvars.md" >}}
diff --git a/docs/services/auth-basic/configuration.md b/docs/services/auth-basic/configuration.md
deleted file mode 100644
index 672746f057..0000000000
--- a/docs/services/auth-basic/configuration.md
+++ /dev/null
@@ -1,15 +0,0 @@
----
-title: Service Configuration
-date: 2018-05-02T00:00:00+00:00
-weight: 20
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/services/auth-basic
-geekdocFilePath: configuration.md
-geekdocCollapseSection: true
----
-
-## Example YAML Config
-
-{{< include file="services/_includes/auth-basic-config-example.yaml" language="yaml" >}}
-
-{{< include file="services/_includes/auth-basic_configvars.md" >}}
diff --git a/docs/services/auth-bearer/configuration.md b/docs/services/auth-bearer/configuration.md
deleted file mode 100644
index 5b3ef4ef6d..0000000000
--- a/docs/services/auth-bearer/configuration.md
+++ /dev/null
@@ -1,15 +0,0 @@
----
-title: Service Configuration
-date: 2018-05-02T00:00:00+00:00
-weight: 20
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/services/auth-bearer
-geekdocFilePath: configuration.md
-geekdocCollapseSection: true
----
-
-## Example YAML Config
-
-{{< include file="services/_includes/auth-bearer-config-example.yaml" language="yaml" >}}
-
-{{< include file="services/_includes/auth-bearer_configvars.md" >}}
diff --git a/docs/services/auth-machine/configuration.md b/docs/services/auth-machine/configuration.md
deleted file mode 100644
index 000c6bae31..0000000000
--- a/docs/services/auth-machine/configuration.md
+++ /dev/null
@@ -1,15 +0,0 @@
----
-title: Service Configuration
-date: 2018-05-02T00:00:00+00:00
-weight: 20
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/services/auth-machine
-geekdocFilePath: configuration.md
-geekdocCollapseSection: true
----
-
-## Example YAML Config
-
-{{< include file="services/_includes/auth-machine-config-example.yaml" language="yaml" >}}
-
-{{< include file="services/_includes/auth-machine_configvars.md" >}}
diff --git a/docs/services/eventhistory/configuration.md b/docs/services/eventhistory/configuration.md
deleted file mode 100644
index 752ebd654f..0000000000
--- a/docs/services/eventhistory/configuration.md
+++ /dev/null
@@ -1,15 +0,0 @@
----
-title: Service Configuration
-date: 2018-05-02T00:00:00+00:00
-weight: 20
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/services/eventhistory
-geekdocFilePath: configuration.md
-geekdocCollapseSection: true
----
-
-## Example YAML Config
-
-{{< include file="services/_includes/eventhistory-config-example.yaml" language="yaml" >}}
-
-{{< include file="services/_includes/eventhistory_configvars.md" >}}
diff --git a/docs/services/frontend/configuration.md b/docs/services/frontend/configuration.md
deleted file mode 100644
index 5822f76c9e..0000000000
--- a/docs/services/frontend/configuration.md
+++ /dev/null
@@ -1,15 +0,0 @@
----
-title: Service Configuration
-date: 2018-05-02T00:00:00+00:00
-weight: 20
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/services/frontend
-geekdocFilePath: configuration.md
-geekdocCollapseSection: true
----
-
-## Example YAML Config
-
-{{< include file="services/_includes/frontend-config-example.yaml" language="yaml" >}}
-
-{{< include file="services/_includes/frontend_configvars.md" >}}
diff --git a/docs/services/gateway/configuration.md b/docs/services/gateway/configuration.md
deleted file mode 100644
index ff90bf0b4e..0000000000
--- a/docs/services/gateway/configuration.md
+++ /dev/null
@@ -1,15 +0,0 @@
----
-title: Service Configuration
-date: 2018-05-02T00:00:00+00:00
-weight: 20
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/services/gateway
-geekdocFilePath: configuration.md
-geekdocCollapseSection: true
----
-
-## Example YAML Config
-
-{{< include file="services/_includes/gateway-config-example.yaml" language="yaml" >}}
-
-{{< include file="services/_includes/gateway_configvars.md" >}}
diff --git a/docs/services/general-info/_index.md b/docs/services/general-info/_index.md
deleted file mode 100644
index 8233f56a47..0000000000
--- a/docs/services/general-info/_index.md
+++ /dev/null
@@ -1,13 +0,0 @@
----
-title: General Information
-date: 2023-04-12T00:00:00+00:00
-weight: 10
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/services/general-info
-geekdocFilePath: _index.md
-geekdocCollapseSection: true
----
-
-## General Information
-
-This section provides general information valid for all services.
diff --git a/docs/services/general-info/add-translations.md b/docs/services/general-info/add-translations.md
deleted file mode 100644
index 4852aca265..0000000000
--- a/docs/services/general-info/add-translations.md
+++ /dev/null
@@ -1,113 +0,0 @@ ---- -title: Add Translations -date: 2024-04-08T00:00:00+00:00 -weight: 20 -geekdocRepo: https://github.com/owncloud/ocis -geekdocEditPath: edit/master/docs/services/general-info -geekdocFilePath: add-translations.md -geekdocCollapseSection: true ---- - -Services can have texts that need to be translated. These translations will be shown in the ownCloud Web UI. Compared to web, these translations are: - -* Independent of [ownCloud Web](https://app.transifex.com/owncloud-org/owncloud-web/translate/) on Transifex. -* Are located in the [ownCloud](https://app.transifex.com/owncloud-org/owncloud/translate) Transifex Project. -* Have a name starting with `ocis-` for ease of identification. - -The process for _synchronisation_ with Transifex is already setup and nothing needs to be done here. For any translation, it is necessary to set it up in the respective service and tell to sync it. - -**IMPORTANT**\ -Translations are automatically synced on a daily basis in the night. To do so, there is an own repo that covers the process for ALL translations from all configured repos: [translation-sync](https://github.com/owncloud/translation-sync). If there is a manual "emergency" sync necessary, you only need to trigger [drone](https://drone.owncloud.com/owncloud/translation-sync) via cli - -```bash -drone cron exec owncloud/translation-sync nightly -``` -Note that you need to be logged on in drone to execute the command. - -## Implementing ocis Translations - -The implementation example is a guide and shall show how to do it. You can derive at any time according to your needs. - -Note that paths are examples and can be adapted based on requirements.\ -Replace `` with the name of the respective service.\ -Translations have a `context` and a `translatable string`. The context is shown on Transifex but not translated and helps translators to get a context for the string to be translated. 
- -* Add the `OC_DEFAULT_LANGUAGE` envvar in `services//pkg/config/config.go`.\ - For details see the userlog or notifications service code. - -* Add the `_TRANSLATION_PATH` envvar in `services//pkg/config/config.go`.\ - For details see the userlog or notifications service code. - -* Use `"github.com/owncloud/ocis/v2/ocis-pkg/l10n"` for the translation.\ - Use `l10n.Template` to define the translation string.\ - Use `l10n.NewTranslator` or `l10n.NewTranslatorFromCommonConfig` to get the translator.\ - Use `t.Get` to translate the string. See package for more advanced usage. - -* Create a config in `services//pkg/service/l10n/.tx/config` with the following content. Note that it is important to stick with `ocis-` to easily identify all ocis translations on Transifex: - ``` - [main] - host = https://www.transifex.com - - [o:owncloud-org:p:owncloud:r:ocis-] - file_filter = locale//LC_MESSAGES/.po - minimum_perc = 75 - resource_name = ocis- - source_file = .pot - source_lang = en - type = PO - ``` - Note: o: organization, p: project, r: resource - -* Create an empty file `services//pkg/service/l10n/locale/en/LC_MESSAGES/.po`. This is required for ocis to build. This file will be replaced nightly with the latest translations from Transifex. - -* Create a go file like `templates.go` in e.g. `ocis/services//pkg/service` that will define your translation sources like the following: - ``` - // this comment will appear in transifex as context - var yourString = l10n.Template("Translation String") - ``` - -* In the `Makefile` in the **ocis root**, add in the following section the service you want to synchronize translations with Transifex: - ``` - # add a service here when it uses transifex - L10N_MODULES := \ - services/notifications \ - services/userlog \ - services/graph \ - services/activitylog \ - services/ - ``` - -* In the `Makefile` of the **``** add:\ - _At the beginning:_ - ``` - # Where to write the files generated by this makefile. 
- OUTPUT_DIR = ./pkg/service/<...>/l10n - TEMPLATE_FILE = ./pkg/service/<...>/l10n/.pot - ``` - _In the `.PHONY` list:_ - ``` - ############ translations ######## - .PHONY: l10n-pull - l10n-pull: - cd $(OUTPUT_DIR) && tx pull --all --force --skip --minimum-perc=75 - - .PHONY: l10n-push - l10n-push: - cd $(OUTPUT_DIR) && tx push -s --skip - - .PHONY: l10n-read - l10n-read: $(GO_XGETTEXT) - go-xgettext -o $(OUTPUT_DIR)/.pot \ - --keyword=l10n.Template --add-comments -s \ - pkg/service/templates.go - - .PHONY: l10n-write - l10n-write: - - .PHONY: l10n-clean - l10n-clean: - rm -f $(TEMPLATE_FILE); - ``` - -* Add Description Text to README\ - Add the full `Translations` and `Default Language` text blocks including their sub sections to the service readme. You can derive from the `activitylog` or `userlog` service for easy copy/paste. diff --git a/docs/services/general-info/added-services.md b/docs/services/general-info/added-services.md deleted file mode 100644 index e2206eba7d..0000000000 --- a/docs/services/general-info/added-services.md +++ /dev/null 
@@ -1,64 +0,0 @@ ---- -title: Added Services per Release -date: 2024-07-12T00:00:00+00:00 -weight: 20 -geekdocRepo: https://github.com/owncloud/ocis -geekdocEditPath: edit/master/docs/services/general-info -geekdocFilePath: added-services.md -geekdocCollapseSection: true ---- - -Over time, services get added with new releases published. This page gives an overview of which services exist and which -have been added per release. - -## Added Services - -The following table gives an overview about releases and their services. Note that v6.x were rolling releases only and not mentioned therefore. Any changes from v6.x were incorporated in v7. - -[//]: # (for ease of handling, use the .excel table from the same folder and convert it via https://tabletomarkdown.com/convert-spreadsheet-to-markdown/) - -| 3.0 | 4.0 | 5.0 | 7.0 | Rolling | -| ------------------ | ------------------ | ------------------ | ------------------ | ------------------ | -| | | | activitylog | activitylog | -| antivirus | antivirus | antivirus | antivirus | antivirus | -| app-provider | app-provider | app-provider | app-provider | app-provider | -| app-registry | app-registry | app-registry | app-registry | app-registry | -| audit | audit | audit | audit | audit | -| | | | | auth-app | -| auth-basic | auth-basic | auth-basic | auth-basic | auth-basic | -| auth-bearer | auth-bearer | auth-bearer | auth-bearer | auth-bearer | -| auth-machine | auth-machine | auth-machine | auth-machine | auth-machine | -| eventhistory | eventhistory | auth-service | auth-service | auth-service | -| | | clientlog | clientlog | clientlog | -| | | | collaboration | collaboration | -| | | eventhistory | eventhistory | eventhistory | -| frontend | frontend | frontend | frontend | frontend | -| gateway | gateway | gateway | gateway | gateway | -| graph | graph | graph | graph | graph | -| groups | groups | groups | groups | groups | -| idm | idm | idm | idm | idm | -| idp | idp | idp | idp | idp | -| invitations | 
invitations | invitations | invitations | invitations | -| nats | nats | nats | nats | nats | -| notifications | notifications | notifications | notifications | notifications | -| ocdav | ocdav | ocdav | ocdav | ocdav | -| | | ocm | ocm | ocm | -| ocs | ocs | ocs | ocs | ocs | -| policies | policies | policies | policies | policies | -| postprocessing | postprocessing | postprocessing | postprocessing | postprocessing | -| proxy | proxy | proxy | proxy | proxy | -| search | search | search | search | search | -| settings | settings | settings | settings | settings | -| sharing | sharing | sharing | sharing | sharing | -| | | sse | sse | sse | -| store | store | store | store | store | -| storage-publiclink | storage-publiclink | storage-publiclink | storage-publiclink | storage-publiclink | -| storage-shares | storage-shares | storage-shares | storage-shares | storage-shares | -| storage-system | storage-system | storage-system | storage-system | storage-system | -| storage-users | storage-users | storage-users | storage-users | storage-users | -| thumbnails | thumbnails | thumbnails | thumbnails | thumbnails | -| userlog | userlog | userlog | userlog | userlog | -| users | users | users | users | users | -| web | web | web | web | web | -| webdav | webdav | webdav | webdav | webdav | -| webfinger | webfinger | webfinger | webfinger | webfinger | diff --git a/docs/services/general-info/added-services.xlsx b/docs/services/general-info/added-services.xlsx deleted file mode 100644 index dc8fd74935..0000000000 Binary files a/docs/services/general-info/added-services.xlsx and /dev/null differ diff --git a/docs/services/general-info/additional-information.md b/docs/services/general-info/additional-information.md deleted file mode 100644 index 88c9ee1311..0000000000 --- a/docs/services/general-info/additional-information.md +++ /dev/null 
@@ -1,19 +0,0 @@
----
-title: Additional Information
-date: 2018-05-02T00:00:00+00:00
-weight: 20
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/services/general-info
-geekdocFilePath: additional-information.md
-geekdocCollapseSection: true
----
-
-This section contains information on general topics
-
-## GRPC Maximum Message Size
-
-ocis is using grpc for inter-service communication. When having a folder with a lot of files (25.000+, the size does not matter) and doing a `PROPFIND` on that folder, the server will run into errors. This is because the grpc message body becomes to big. With introduction of the envvar `OC_GRPC_MAX_RECEIVED_MESSAGE_SIZE`, the max size for the grpc body can be raised.
-
-NOTE: With a certain amount of files even raising the grpc message size will not suffice as the requests will run into network timeouts. Also generally the more files are in a folder, the longer it will take time to load.
-
-It is recommended to use `OC_GRPC_MAX_RECEIVED_MESSAGE_SIZE` only *temporary* to copy files out of the folder (like via the web ui) and use the default value in general.
diff --git a/docs/services/general-info/deprecating-variables.md b/docs/services/general-info/deprecating-variables.md
deleted file mode 100644
index bd42e8caa2..0000000000
--- a/docs/services/general-info/deprecating-variables.md
+++ /dev/null
@@ -1,54 +0,0 @@
----
-title: "Envvar Deprecation"
-date: 2024-08-22T15:41:00+01:00
-weight: 20
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/services/general-info
-geekdocFilePath: deprecating-variables.md
----
-
-{{< toc >}}
-
-## Deprecating Environment Variables
-
-Sometimes it is necessary to deprecate an environment variable to align the naming with conventions or remove it completely. We therefore added annotations to automate the *documentation* process.
-
-The relevant annotations in the envvar struct tag are:
-
-* `deprecationVersion`\
- The release an envvar is announced for deprecation.
-* `removalVersion`\
- The version it is finally going to be removed is defined via the mandatory placeholder `%%NEXT_PRODUCTION_VERSION%%`, not an actual version number.
-* `deprecationInfo`\
- The reason why it was deprecated.
-* `deprecationReplacement`\
- Only if it is going to be replaced, not necessary if removed.
-
-{{< hint warning >}}
-During the development cycle, the value for the `removalVersion` must be set to `%%NEXT_PRODUCTION_VERSION%%`. This placeholder will be replaced by the real version number during the production releasing process.
-{{< /hint >}}
-
-For the documentation to show the correct value for the `removalVersion`, our docs helper scripts will automatically generate the correct version to be printed in the documentation. If `%%NEXT_PRODUCTION_VERSION%%` is found in the query, it will be replaced with `next-prod`, else the value found is used.
-
-### Example
-
-```golang
-// Notifications defines the config options for the notifications service.
-type Notifications struct {
-RevaGateway string `yaml:"reva_gateway" env:"OC_REVA_GATEWAY;REVA_GATEWAY" desc:"CS3 gateway used to look up user metadata" deprecationVersion:"3.0" removalVersion:"%%NEXT_PRODUCTION_VERSION%%" deprecationInfo:"REVA_GATEWAY changing name for consistency" deprecationReplacement:"OC_REVA_GATEWAY"`
-...
-}
-```
-
-There are four different annotation variables that need to be filled:
-
-| Annotation |Description| Format|
-|---|---|---|
-| deprecationVersion | The version the variable will be deprecated | semver (e.g. 3.0)|
-| removalVersion| The version the variable will be removed from the codebase. Note that according to semver, a removal **MUST NOT** be made in a minor or patch version change, but only in a major release | `%%NEXT_PRODUCTION_VERSION%%` |
-| deprecationInfo | Information why the variable is deprecated, must start with the name of the variable in order to avoid confusion, when there are multiple options in the `env:`-field | string (e.g. NATS_NATS_HOST is confusing) |
-| deprecationReplacement | The name of the variable that is going to replace the deprecated one.| string (e.g. NATS_HOST_ADDRESS) |
-
-### What Happens Next?
-
-Once a variable has been finally been removed, the annotations must be removed again from the code, since they don't serve any purpose.
diff --git a/docs/services/general-info/document-cli-commands.md b/docs/services/general-info/document-cli-commands.md
deleted file mode 100644
index eec6028399..0000000000
--- a/docs/services/general-info/document-cli-commands.md
+++ /dev/null
@@ -1,35 +0,0 @@
----
-title: Document CLI Commands
-date: 2025-01-09T00:00:00+00:00
-weight: 20
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/services/general-info
-geekdocFilePath: document-cli-commands.md
-geekdocCollapseSection: true
----
-
-Any CLI command that is added to Infinite Scale must be documented in the dev docs and the [admin docs](https://doc.owncloud.com/ocis/latest/maintenance/commands/commands.html). Note that the admin docs mainly differentiate between online and offline commands as the docs structure is different. Any command documented in the dev docs is properly integrated into the admin docs. The following description is for dev docs, admin docs derive from it.
-
-Note that ANY CLI command needs documentation, but it can be decided that a CLI command will not be added to the admin docs (the reasons should be really valid for such a case).
-
-## Type of CLI Commands
-
-There are three types of CLI commands that require different documentation locations:
-
-1. Commands that depend on a service dependent like\
-`ocis storage-users uploads`
-2. Commands that are service independent like\
-`ocis trash purge-empty-dirs` or `ocis revisions purge`
-3. `curl` commands that can be one of the above.
-
-
-## Rules
-
-* Add any service dependent command into the repsective `README.md` _of the service_.
-* Add any service independent command into `ocis/README.md`
-
-## Tips
-
-For examples, see either `ocis/README.md` or\
-one of the respective service readme's like in\
-`services/storage-users/README.md` or `services/auth-app/README.md`.
diff --git a/docs/services/general-info/env-var-deltas/4.0.0-5.0.0-added.adoc b/docs/services/general-info/env-var-deltas/4.0.0-5.0.0-added.adoc
deleted file mode 100644
index 301b7f1404..0000000000
--- a/docs/services/general-info/env-var-deltas/4.0.0-5.0.0-added.adoc
+++ /dev/null
@@ -1,1021 +0,0 @@ -// # Added Variables between oCIS 4.0.0 and oCIS 5.0.0 -// commenting the headline to make it better includable - -// table created based on the .md file per 2024.02.12 -// the table should be recreated/updated based on the final .md file - -[width="100%",cols="~,~,~,~",options="header"] -|=== -| Service| Variable| Description| Default - -| xref:deployment/services/env-vars-special-scope.adoc[Special Scope Envvars] -| `OC_CACHE_DISABLE_PERSISTENCE` -| Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured.| `false` -| -| `MICRO_REGISTRY` + -(important change) -| The Go micro registry type to use. Supported types are: 'memory', 'nats-js-kv' (default) and 'kubernetes'. Note that 'nats', 'etcd', 'consul' and 'mdns' are deprecated and will be removed in a later version. Only change on supervision of ownCloud Support.| nats-js-kv -| -| `MICRO_REGISTRY_AUTH_PASSWORD` -| Optional when using nats to authenticate with the nats cluster.| -| -| `MICRO_REGISTRY_AUTH_USERNAME` -| Optional when using nats to authenticate with the nats cluster.| - -| xref:{s-path}/antivirus.adoc[antivirus] -| `OC_EVENTS_AUTH_USERNAME` -| The username to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services.| -| -| `OC_EVENTS_AUTH_PASSWORD` -| The password to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services.| -| -| `ANTIVIRUS_ICAP_SCAN_TIMEOUT` -| Scan timeout for the ICAP client. Defaults to '5m' (5 minutes). See the Environment Variable Types description for more details.| 5m0s - -| xref:{s-path}/audit.adoc[audit] -| `OC_EVENTS_AUTH_USERNAME` -| The username to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services.| -| -| `OC_EVENTS_AUTH_PASSWORD` -| The password to authenticate with the events broker. 
The events broker is the ocis service which receives and delivers events between the services.| - -| xref:{s-path}/auth-service.adoc[auth-service] -| `OC_TRACING_ENABLED` + -`AUTH_SERVICE_TRACING_ENABLED` -| Activates tracing.| -| -| `OC_TRACING_TYPE` + -`AUTH_SERVICE_TRACING_TYPE` -| The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now."| -| -| `OC_TRACING_ENDPOINT` + -`AUTH_SERVICE_TRACING_ENDPOINT` -| The endpoint of the tracing agent.| -| -| `OC_TRACING_COLLECTOR` + -`AUTH_SERVICE_TRACING_COLLECTOR` -| The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.| -| -| `OC_LOG_LEVEL` + -`AUTH_SERVICE_LOG_LEVEL` -| The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'."| -| -| `OC_LOG_PRETTY` + -`AUTH_SERVICE_LOG_PRETTY` -| Activates pretty log output.| -| -| `OC_LOG_COLOR` + -`AUTH_SERVICE_LOG_COLOR` -| Activates colorized log output.| -| -| `OC_LOG_FILE` + -`AUTH_SERVICE_LOG_FILE` -| The path to the log file. Activates logging to this file if set.| -| -| `AUTH_SERVICE_DEBUG_ADDR` -| Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.| -| -| `AUTH_SERVICE_DEBUG_PPROF` -| Enables pprof, which can be used for profiling.| -| -| `AUTH_SERVICE_DEBUG_TOKEN` -| Enables pprof, which can be used for profiling.| -| -| `AUTH_SERVICE_DEBUG_ZPAGES` -| Enables zpages, which can be used for collecting and viewing in-memory traces.| -| -| `AUTH_SERVICE_GRPC_ADDR` -| The bind address of the GRPC service.| -| -| `AUTH_SERVICE_GRPC_PROTOCOL` -| The transport protocol of the GRPC service.| -| -| `OC_SERVICE_ACCOUNT_ID` + -`AUTH_SERVICE_SERVICE_ACCOUNT_ID` -| The ID of the service account the service should use. 
See the 'auth-service' service description for more details.| -| -| `OC_SERVICE_ACCOUNT_SECRET` + -`AUTH_SERVICE_SERVICE_ACCOUNT_SECRET` -| The service account secret.| - -| -| `OC_JWT_SECRET` + -`AUTH_SERVICE_JWT_SECRET` -| The secret to mint and validate jwt tokens.| - -| xref:{s-path}/clientlog.adoc[clientlog] -| `OC_REVA_GATEWAY` + -`CLIENTLOG_REVA_GATEWAY` -| CS3 gateway used to look up user metadata| -| -| `OC_EVENTS_ENDPOINT` + -`CLIENTLOG_EVENTS_ENDPOINT` -| The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.| -| -| `OC_EVENTS_CLUSTER` + -`CLIENTLOG_EVENTS_CLUSTER` -| The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.| -| -| `OC_INSECURE` + -`CLIENTLOG_EVENTS_TLS_INSECURE` -| Whether to verify the server TLS certificates.| -| -| `OC_EVENTS_TLS_ROOT_CA_CERTIFICATE` + -`CLIENTLOG_EVENTS_TLS_ROOT_CA_CERTIFICATE` -| The root CA certificate used to validate the server's TLS certificate. If provided NOTIFICATIONS_EVENTS_TLS_INSECURE will be seen as false.| -| -| `OC_EVENTS_ENABLE_TLS` + -`CLIENTLOG_EVENTS_ENABLE_TLS` -| Enable TLS for the connection to the events broker. The events broker is the ocis service which receives and delivers events between the services.| -| -| `OC_EVENTS_AUTH_USERNAME` + -`CLIENTLOG_EVENTS_AUTH_USERNAME` -| The username to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services.| -| -| `OC_EVENTS_AUTH_PASSWORD` + -`CLIENTLOG_EVENTS_AUTH_PASSWORD` -| The password to authenticate with the events broker. 
The events broker is the ocis service which receives and delivers events between the services.| -| -| `OC_JWT_SECRET` + -`CLIENTLOG_JWT_SECRET` -| The secret to mint and validate jwt tokens.| -| -| `OC_SERVICE_ACCOUNT_ID` + -`CLIENTLOG_SERVICE_ACCOUNT_ID` -| The ID of the service account the service should use. See the 'auth-service' service description for more details.| -| -| `OC_SERVICE_ACCOUNT_SECRET` + -`CLIENTLOG_SERVICE_ACCOUNT_SECRET` -| The service account secret.| - -| -| `CLIENTLOG_DEBUG_ADDR` -| Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.| -| -| `CLIENTLOG_DEBUG_TOKEN` -| Token to secure the metrics endpoint.| -| -| `CLIENTLOG_DEBUG_PPROF` -| Enables pprof, which can be used for profiling.| -| -| `CLIENTLOG_DEBUG_ZPAGES` -| Enables zpages, which can be used for collecting and viewing in-memory traces.| - -| -| `OC_LOG_LEVEL` + -`CLIENTLOG_USERLOG_LOG_LEVEL` -| The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'."| -| -| `OC_LOG_PRETTY` + -`CLIENTLOG_USERLOG_LOG_PRETTY` -| Activates pretty log output.| -| -| `OC_LOG_COLOR` + -`CLIENTLOG_USERLOG_LOG_COLOR` -| Activates colorized log output.| -| -| `OC_LOG_FILE` + -`CLIENTLOG_USERLOG_LOG_FILE` -| The path to the log file. Activates logging to this file if set.| - -| -| `OC_TRACING_ENABLED` + -`CLIENTLOG_TRACING_ENABLED` -| Activates tracing.| -| -| `OC_TRACING_TYPE` + -`CLIENTLOG_TRACING_TYPE` -| The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now."` -| -| -| `OC_TRACING_ENDPOINT` + -`CLIENTLOG_TRACING_ENDPOINT` -| The endpoint of the tracing agent.| -| -| `OC_TRACING_COLLECTOR` + -`CLIENTLOG_TRACING_COLLECTOR` -| The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. 
Only used if the tracing endpoint is unset.| - -| xref:{s-path}/eventhistory.adoc[eventhistory] -| `OC_PERSISTENT_STORE_AUTH_USERNAME` + -`EVENTHISTORY_STORE_AUTH_USERNAME` -| The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.| -| -| `OC_PERSISTENT_STORE_AUTH_PASSWORD` + -`EVENTHISTORY_STORE_AUTH_PASSWORD` -| The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.| -| -| `OC_EVENTS_AUTH_USERNAME` + -`EVENTHISTORY_EVENTS_AUTH_USERNAME` -| The username to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services.| -| -| `OC_EVENTS_AUTH_PASSWORD` + -`EVENTHISTORY_EVENTS_AUTH_PASSWORD` -| The password to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services.| - -| xref:{s-path}/frontend.adoc[frontend] -| `FRONTEND_DEFAULT_LINK_PERMISSIONS` -| Defines the default permissions a link is being created with. Possible values are 0 (= internal link, for instance members only) and 1 (= public link with viewer permissions). Defaults to 1.| -| -| `FRONTEND_AUTO_ACCEPT_SHARES` -| Defines if shares should be auto accepted by default. Users can change this setting individually in their profile.| true -| -| `OC_CACHE_DISABLE_PERSISTENCE` + -`FRONTEND_OCS_STAT_CACHE_DISABLE_PERSISTENCE` -| Disable persistence of the cache. Only applies when using the 'nats-js-kv' store type. Defaults to false.| false -| -| `OC_CACHE_AUTH_USERNAME` + -`FRONTEND_OCS_STAT_CACHE_AUTH_USERNAME` -| The username to use for authentication. Only applies when using the 'nats-js-kv' store type.| -| -| `OC_CACHE_AUTH_PASSWORD` + -`FRONTEND_OCS_STAT_CACHE_AUTH_PASSWORD` -| The password to use for authentication. Only applies when using the 'nats-js-kv' store type.| -| -| `FRONTEND_OCS_LIST_OCM_SHARES` -| Include OCM shares when listing shares. 
See the OCM service documentation for more details.| -| -| `OC_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD` + -`FRONTEND_OCS_PUBLIC_SHARE_MUST_HAVE_PASSWORD` -| Set this to true if you want to enforce passwords on all public shares.| -| -| `OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD` + -`FRONTEND_OCS_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD` -| Set this to true if you want to enforce passwords on Uploader, Editor or Contributor shares.| -| -| `FRONTEND_OCS_INCLUDE_OCM_SHAREES` -| Include OCM sharees when listing sharees.| -| -| `OC_EVENTS_ENDPOINT` + -`FRONTEND_EVENTS_ENDPOINT` -| The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.| -| -| `OC_EVENTS_CLUSTER` + -`FRONTEND_EVENTS_CLUSTER` -| The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.| -| -| `OC_INSECURE` + -`FRONTEND_EVENTS_TLS_INSECURE` -| Whether to verify the server TLS certificates.| -| -| `FRONTEND_EVENTS_TLS_ROOT_CA_CERTIFICATE` + -`OCS_EVENTS_TLS_ROOT_CA_CERTIFICATE` -| The root CA certificate used to validate the server's TLS certificate. If provided NOTIFICATIONS_EVENTS_TLS_INSECURE will be seen as false.| -| -| `OC_EVENTS_ENABLE_TLS` + -`FRONTEND_EVENTS_ENABLE_TLS` -| Enable TLS for the connection to the events broker. The events broker is the ocis service which receives and delivers events between the services.| -| -| `OC_EVENTS_AUTH_USERNAME` + -`FRONTEND_EVENTS_AUTH_USERNAME` -| The username to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services.| -| -| `OC_EVENTS_AUTH_PASSWORD` + -`FRONTEND_EVENTS_AUTH_PASSWORD` -| The password to authenticate with the events broker. 
The events broker is the ocis service which receives and delivers events between the services.| -| -| `OC_SERVICE_ACCOUNT_ID` + -`FRONTEND_SERVICE_ACCOUNT_ID` -| The ID of the service account the service should use. See the 'auth-service' service description for more details.| -| -| `OC_SERVICE_ACCOUNT_SECRET` + -`FRONTEND_SERVICE_ACCOUNT_SECRET` -| The service account secret.| -| -| `OC_PASSWORD_POLICY_DISABLED` + -`FRONTEND_PASSWORD_POLICY_DISABLED` -| Define the minimum password length. Defaults to 0 if not set.| 0 -| -| `OC_PASSWORD_POLICY_MIN_CHARACTERS` + -`FRONTEND_PASSWORD_POLICY_MIN_CHARACTERS` -| Disable the password policy. Defaults to false if not set.| -| -| `OC_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS` + -`FRONTEND_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS` -| Define the minimum number of lowercase characters. Defaults to 0 if not set.| 0 -| -| `OC_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS` + -`FRONTEND_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS` -| Define the minimum number of uppercase characters. Defaults to 0 if not set.| 0 -| -| `OC_PASSWORD_POLICY_MIN_DIGITS` + -`FRONTEND_PASSWORD_POLICY_MIN_DIGITS` -| Define the minimum number of digits. Defaults to 0 if not set.| 0 -| -| `OC_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS` + -`FRONTEND_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS` -| Define the minimum number of special characters. Defaults to 0 if not set.| 0 -| -| `OC_PASSWORD_POLICY_BANNED_PASSWORDS_LIST` + -`FRONTEND_PASSWORD_POLICY_BANNED_PASSWORDS_LIST` -| Path to the 'banned passwords list' file. See the documentation for more details.| - -| xref:{s-path}/gateway.adoc[gateway] -| `OC_CACHE_DISABLE_PERSISTENCE` + -`GATEWAY_STAT_CACHE_DISABLE_PERSISTENCE` -| Disables persistence of the stat cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false.| false -| -| `OC_CACHE_DISABLE_PERSISTENCE` + -`GATEWAY_PROVIDER_CACHE_DISABLE_PERSISTENCE` -| Disables persistence of the provider cache. 
Only applies when store type 'nats-js-kv' is configured. Defaults to false.| false -| -| `OC_CACHE_AUTH_USERNAME` + -`GATEWAY_PROVIDER_CACHE_AUTH_USERNAME` -| The username to use for authentication. Only applies when store type 'nats-js-kv' is configured.| -| -| `OC_CACHE_AUTH_PASSWORD` + -`GATEWAY_PROVIDER_CACHE_AUTH_PASSWORD` -| The password to use for authentication. Only applies when store type 'nats-js-kv' is configured.| -| -| `OC_CACHE_DISABLE_PERSISTENCE` + -`GATEWAY_CREATE_HOME_CACHE_DISABLE_PERSISTENCE` -| Disables persistence of the create home cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false.| false -| -| `OC_CACHE_AUTH_USERNAME` + -`GATEWAY_CREATE_HOME_CACHE_AUTH_USERNAME` -| The username to use for authentication. Only applies when store type 'nats-js-kv' is configured.| -| -| `OC_CACHE_AUTH_PASSWORD` + -`GATEWAY_CREATE_HOME_CACHE_AUTH_PASSWORDv` -| The password to use for authentication. Only applies when store type 'nats-js-kv' is configured.| - -| xref:{s-path}/graph.adoc[graph] -| `OC_CACHE_DISABLE_PERSISTENCE` + -`GRAPH_CACHE_DISABLE_PERSISTENCE` -| Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false.| false -| -| `OC_CACHE_AUTH_USERNAME` + -`GRAPH_CACHE_AUTH_USERNAME` -| The username to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured.| -| -| `OC_CACHE_AUTH_PASSWORD` + -`GRAPH_CACHE_AUTH_PASSWORD` -| The password to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured.| - -| -| `GRAPH_IDENTITY_SEARCH_MIN_LENGTH` -| The minimum length the search term needs to have for unprivileged users when searching for users or groups.| -| -| `OC_EVENTS_AUTH_USERNAME` + -`GRAPH_EVENTS_AUTH_USERNAME` -| The username to authenticate with the events broker. 
The events broker is the ocis service which receives and delivers events between the services.| -| -| `OC_EVENTS_AUTH_PASSWORD` + -`GRAPH_EVENTS_AUTH_PASSWORD` -| The password to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services.| -| -| `OC_SERVICE_ACCOUNT_ID` + -`GRAPH_SERVICE_ACCOUNT_ID` -| The ID of the service account the service should use. See the 'auth-service' service description for more details.| -| -| `OC_SERVICE_ACCOUNT_SECRET` + -`GRAPH_SERVICE_ACCOUNT_SECRET` -| The service account secret.| -| -| `OC_ENABLE_RESHARING` + -`GRAPH_ENABLE_RESHARING` -| Changing this value is NOT supported. Enables the support for resharing in the clients.| - -| xref:{s-path}/idp.adoc[idp] -| `IDP_LOGIN_BACKGROUND_URL` -| Configure an alternative URL to the background image for the login page.| - -| xref:{s-path}/notifications.adoc[notifications] -| `OC_DEFAULT_LANGUAGE` -| The default language used by services and the WebUI. If not defined, English will be used as default. See the documentation for more details.| -| -| `OC_EVENTS_AUTH_USERNAME` + -`NOTIFICATIONS_EVENTS_AUTH_USERNAME` -| The username to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services.| -| -| `OC_EVENTS_AUTH_PASSWORD` + -`NOTIFICATIONS_EVENTS_AUTH_PASSWORD` -| The password to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services.| -| -| `OC_SERVICE_ACCOUNT_ID` + -`NOTIFICATIONS_SERVICE_ACCOUNT_ID` -| The ID of the service account the service should use. 
See the 'auth-service' service description for more details.| -| -| `OC_SERVICE_ACCOUNT_SECRET` + -`NOTIFICATIONS_SERVICE_ACCOUNT_SECRET` -| The service account secret.| - -| xref:{s-path}/ocdav.adoc[ocdav] -| `OCDAV_OCM_NAMESPACE` -| The human readable path prefix for the ocm shares.| - -| xref:{s-path}/ocm.adoc[ocm] -| `SHARING_OCM_PROVIDER_AUTHORIZER_DRIVER` -| Driver to be used to persist ocm invites. Supported value is only 'json'.| `json` -| -| `OCM_HTTP_ADDR` -| The bind address of the HTTP service.| -| -| `OCM_HTTP_PROTOCOL` -| The transport protocol of the HTTP service.| -| -| `OCM_HTTP_PREFIX` -| The path prefix where OCM can be accessed (defaults to /).| -| -| `OC_SERVICE_ACCOUNT_ID` + -`OCM_SERVICE_ACCOUNT_ID` -| The ID of the service account the service should use. See the 'auth-service' service description for more details.| -| -| `OC_SERVICE_ACCOUNT_SECRET` + -`OCM_SERVICE_ACCOUNT_SECRET` -| The service account secret.| -| -| `OC_CORS_ALLOW_ORIGINS` + -`OCM_CORS_ALLOW_ORIGINS` -| A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.| -| -| `OC_CORS_ALLOW_METHODS` + -`OCM_CORS_ALLOW_METHODS` -| A list of allowed CORS methods. See following chapter for more details: *Access-Control-Allow-Methods* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Methods. See the Environment Variable Types description for more details.| -| -| `OC_CORS_ALLOW_HEADERS` + -`OCM_CORS_ALLOW_HEADERS` -| A list of allowed CORS headers. See following chapter for more details: *Access-Control-Allow-Headers* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers. 
See the Environment Variable Types description for more details.| -| -| `OC_CORS_ALLOW_CREDENTIALS` + -`OCM_CORS_ALLOW_CREDENTIALS` -| Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.| -| -| `OCM_GRPC_ADDR` -| The bind address of the GRPC service.| -| -| `OCM_GRPC_PROTOCOL` -| The transport protocol of the GRPC service.| -| -| `OCM_SCIENCEMESH_PREFIX` -| URL path prefix for the ScienceMesh service. Note that the string must not start with '/'.| -| -| `OCM_MESH_DIRECTORY_URL` -| URL of the mesh directory service.| -| -| `OCM_OCMD_PREFIX` -| URL path prefix for the OCMd service. Note that the string must not start with '/'.| -| -| `OCM_OCMD_EXPOSE_RECIPIENT_DISPLAY_NAME` -| Expose the display name of OCM share recipients.| -| -| `OCM_OCM_INVITE_MANAGER_DRIVER` -| Driver to be used to persist ocm invites. Supported value is only 'json'.| `json` -| -| `OCM_OCM_INVITE_MANAGER_INSECURE` -| Disable TLS certificate validation for the OCM connections. Do not set this in production environments.| -| -| `OCM_OCM_INVITE_MANAGER_JSON_FILE` -| Path to the JSON file where OCM invite data will be stored. If not defined, the root directory derives from $OC_BASE_DATA_PATH:/storage.| -| -| `OCM_OCM_PROVIDER_AUTHORIZER_PROVIDERS_FILE` -| Path to the JSON file where ocm invite data will be stored. If not defined, the root directory derives from $OC_BASE_DATA_PATH:/storage.| -| -| `OCM_OCM_PROVIDER_AUTHORIZER_VERIFY_REQUEST_HOSTNAME` -| Verify the hostname of the request against the hostname of the OCM provider.| -| -| `OCM_OCM_CORE_DRIVER` -| Driver to be used to persist ocm shares. Supported value is only 'json'.| `json` -| -| `OCM_OCM_STORAGE_PROVIDER_INSECURE` -| Disable TLS certificate validation for the OCM connections. 
Do not set this in production environments.| -| -| `OCM_OCM_STORAGE_PROVIDER_STORAGE_ROOT` -| Directory where the ocm storage provider persists its data like tus upload info files.| -| -| `OCM_OCM_CORE_JSON_FILE` -| Path to the JSON file where OCM share data will be stored. If not defined, the root directory derives from $OC_BASE_DATA_PATH:/storage.| -| -| `OCM_OCM_SHARE_PROVIDER_DRIVER` -| Driver to be used to persist ocm shares. Supported value is only 'json'.| `json` -| -| `OCM_OCM_SHARE_PROVIDER_INSECURE` -| Disable TLS certificate validation for the OCM connections. Do not set this in production environments.| -| -| `OCM_WEBAPP_TEMPLATE` -| Template for the webapp url.| -| -| `OCM_OCM_SHAREPROVIDER_JSON_FILE` -| Path to the JSON file where OCM share data will be stored. If not defined, the root directory derives from $OC_BASE_DATA_PATH:/storage.| - -| -| `OCM_DEBUG_ADDR` -| Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.| -| -| `OCM_DEBUG_TOKEN` -| Token to secure the metrics endpoint.| -| -| `OCM_DEBUG_PPROF` -| Enables pprof, which can be used for profiling.| -| -| `OCM_DEBUG_ZPAGES` -| Enables zpages, which can be used for collecting and viewing in-memory traces.| - -| -| `OC_LOG_LEVEL` + -`OCM_LOG_LEVEL` -| The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'."| -| -| `OC_LOG_PRETTY` + -`OCM_LOG_PRETTY` -| Activates pretty log output.| -| -| `OC_LOG_COLOR` + -`OCM_LOG_COLOR` -| Activates colorized log output.| -| -| `OC_LOG_FILE` + -`OCM_LOG_FILE` -| The path to the log file. Activates logging to this file if set.| - -| -| `OC_TRACING_ENABLED` + -`OCM_TRACING_ENABLED` -| Activates tracing.| -| -| `OC_TRACING_TYPE` + -`OCM_TRACING_TYPE` -| The type of tracing. Defaults to '', which is the same as 'jaeger'. 
Allowed tracing types are 'jaeger' and '' as of now."` -| -| -| `OC_TRACING_ENDPOINT` + -`OCM_TRACING_ENDPOINT` -| The endpoint of the tracing agent.| -| -| `OC_TRACING_COLLECTOR` + -`OCM_TRACING_COLLECTOR` -| The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.| - -| xref:{s-path}/ocs.adoc[ocs] -| `OC_CACHE_STORE` + -`OCS_PRESIGNEDURL_SIGNING_KEYS_STORE` -| The type of the signing key store. Supported values are: 'redis-sentinel' and 'nats-js-kv'. See the text description for details.| -| -| `OC_CACHE_STORE_NODES` + -`OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_NODES` -| A list of nodes to access the configured store. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.| - -| -| `OC_CACHE_TTL` + -`OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_TTL` -| Default time to live for signing keys. See the Environment Variable Types description for more details.| - -| -| `OC_CACHE_AUTH_USERNAME` + -`OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_USERNAME` -| The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.| - -| -| `OC_CACHE_AUTH_PASSWORD` + -`OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_PASSWORD` -| The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.| - -| xref:{s-path}/policies.adoc[policies] -| `OC_EVENTS_AUTH_USERNAME` + -`POLICIES_EVENTS_AUTH_USERNAME` -| The username to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services.| -| -| `OC_EVENTS_AUTH_PASSWORD` + -`POLICIES_EVENTS_AUTH_PASSWORD` -| The password to authenticate with the events broker. 
The events broker is the ocis service which receives and delivers events between the services.| - -| -| `OC_TRACING_ENABLED` + -`POLICIES_TRACING_ENABLED` -| Activates tracing.| -| -| `OC_TRACING_TYPE` + -`POLICIES_TRACING_TYPE` -| The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now."` -| -| -| `OC_TRACING_ENDPOINT` + -`POLICIES_TRACING_ENDPOINT` -| The endpoint of the tracing agent.| -| -| `OC_TRACING_COLLECTOR` + -`POLICIES_TRACING_COLLECTOR` -| The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.| - -| xref:{s-path}/postprocessing.adoc[postprocessing] -| `POSTPROCESSING_RETRY_BACKOFF_DURATION` -| The base for the exponential backoff duration before retrying a failed postprocessing step. See the Environment Variable Types description for more details.| -| -| `POSTPROCESSING_MAX_RETRIES` -| The maximum number of retries for a failed postprocessing step.| -| -| `OC_EVENTS_AUTH_USERNAME` + -`POSTPROCESSING_EVENTS_AUTH_USERNAME` -| The username to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services.| -| -| `OC_EVENTS_AUTH_PASSWORD` + -`POSTPROCESSING_EVENTS_AUTH_PASSWORD` -| The password to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services.| -| -| `OC_PERSISTENT_STORE_AUTH_USERNAME` + -`POSTPROCESSING_STORE_AUTH_USERNAME` -| The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.| -| -| `OC_PERSISTENT_STORE_AUTH_PASSWORD` + -`POSTPROCESSING_STORE_AUTH_PASSWORD` -| The password to authenticate with the store. 
Only applies when store type 'nats-js-kv' is configured.| - -| -| `OC_TRACING_ENABLED` + -`POSTPROCESSING_TRACING_ENABLED` -| Activates tracing.| -| -| `OC_TRACING_TYPE` + -`POSTPROCESSING_TRACING_TYPE` -| The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now."` -| -| -| `OC_TRACING_ENDPOINT` + -`POSTPROCESSING_TRACING_ENDPOINT` -| The endpoint of the tracing agent.| -| -| `OC_TRACING_COLLECTOR` + -`POSTPROCESSING_TRACING_COLLECTOR` -| The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.| - -| xref:{s-path}/proxy.adoc[proxy] -| `OC_CACHE_AUTH_USERNAME` + -`PROXY_OIDC_USERINFO_CACHE_AUTH_USERNAME` -| The username to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured.| -| -| `OC_CACHE_AUTH_PASSWORD` + -`PROXY_OIDC_USERINFO_CACHE_AUTH_PASSWORD` -| The password to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured.| - -| -| `OC_CACHE_STORE` + -`PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE` -| The type of the signing key store. Supported values are: 'redis-sentinel' and 'nats-js-kv'. See the text description for details.| -| -| `OC_CACHE_STORE_NODES` + -`PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_NODES` -| A list of nodes to access the configured store. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.| - -| -| `OC_CACHE_TTL` + -`PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_TTL` -| Default time to live for signing keys. See the Environment Variable Types description for more details.| - -| -| `OC_CACHE_DISABLE_PERSISTENCE` + -`PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_DISABLE_PERSISTENCE` -| Disables persistence of the store. Only applies when store type 'nats-js-kv' is configured. 
Defaults to true.| - -| -| `OC_CACHE_AUTH_USERNAME` + -`PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_USERNAME` -| The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.| - -| -| `OC_CACHE_AUTH_PASSWORD` + -`PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_PASSWORD` -| The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.| - -| -| `OC_SERVICE_ACCOUNT_ID` + -`PROXY_SERVICE_ACCOUNT_ID` -| The ID of the service account the service should use. See the 'auth-service' service description for more details.| -| -| `OC_SERVICE_ACCOUNT_SECRET` + -`PROXY_SERVICE_ACCOUNT_SECRET` -| The service account secret.| - -| xref:{s-path}/search.adoc[search] -| `OC_SERVICE_ACCOUNT_ID` + -`SEARCH_SERVICE_ACCOUNT_ID` -| The ID of the service account the service should use. See the 'auth-service' service description for more details.| -| -| `OC_SERVICE_ACCOUNT_SECRET` + -`SEARCH_SERVICE_ACCOUNT_SECRET` -| The service account secret.| - -| -| `SEARCH_EXTRACTOR_TIKA_CLEAN_STOP_WORDS` -| Defines if stop words should be cleaned or not. See the documentation for more details.| - -| -| `OC_EVENTS_AUTH_USERNAME` + -`SEARCH_EVENTS_AUTH_USERNAME` -| The username to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services.| -| -| `OC_EVENTS_AUTH_PASSWORD` + -`SEARCH_EVENTS_AUTH_PASSWORD` -| The password to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services.| - -| xref:{s-path}/settings.adoc[settings] -| `SETTINGS_SERVICE_ACCOUNT_IDS` + -`OC_SERVICE_ACCOUNT_ID` -| The list of all service account IDs. These will be assigned the hidden 'service-account' role. Note: When using 'OC_SERVICE_ACCOUNT_ID' this will contain only one value while 'SETTINGS_SERVICE_ACCOUNT_IDS' can have multiple. 
See the 'auth-service' service description for more details about service accounts.| -| -| `OC_DEFAULT_LANGUAGE` -| The default language used by services and the WebUI. If not defined, English will be used as default. See the documentation for more details.| -| -| `OC_CACHE_DISABLE_PERSISTENCE` + -`SETTINGS_CACHE_DISABLE_PERSISTENCE` -| Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false.| -| -| `OC_CACHE_AUTH_USERNAME` + -`SETTINGS_CACHE_AUTH_USERNAME` -| The username to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured.| -| -| `OC_CACHE_AUTH_PASSWORD` + -`SETTINGS_CACHE_AUTH_PASSWORD` -| The password to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured.| -| -| `OC_EVENTS_AUTH_USERNAME` + -`SETTINGS_EVENTS_AUTH_USERNAME` -| The username to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured.| -| -| `OC_EVENTS_AUTH_PASSWORD` + -`SETTINGS_EVENTS_AUTH_PASSWORD` -| The password to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured.| - -| xref:{s-path}/sharing.adoc[sharing] -| `OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD` + -`SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD` -| Set this to true if you want to enforce passwords on Uploader, Editor or Contributor shares. 
If not using the global OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD, you must define the FRONTEND_OCS_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD in the frontend service.| -| -| `OC_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD` + -`SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD` -| Set this to true if you want to enforce passwords on all public shares.| -| -| `OC_EVENTS_AUTH_USERNAME` + -`SHARING_EVENTS_AUTH_USERNAME` -| Username for the events broker.| -| -| `OC_EVENTS_AUTH_PASSWORD` + -`SHARING_EVENTS_AUTH_PASSWORD` -| Password for the events broker.| -| -| `OC_PASSWORD_POLICY_DISABLED` + -`SHARING_PASSWORD_POLICY_DISABLED` -| Disable the password policy. Defaults to false if not set.| -| -| `OC_PASSWORD_POLICY_MIN_CHARACTERS` + -`SHARING_PASSWORD_POLICY_MIN_CHARACTERS` -| Define the minimum password length. Defaults to 0 if not set.| 0 -| -| `OC_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS` + -`SHARING_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS` -| Define the minimum number of lowercase characters. Defaults to 0 if not set.| 0 -| -| `OC_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS` + -`SHARING_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS` -| Define the minimum number of uppercase characters. Defaults to 0 if not set.| 0 -| -| `OC_PASSWORD_POLICY_MIN_DIGITS` + -`SHARING_PASSWORD_POLICY_MIN_DIGITS` -| Define the minimum number of digits. Defaults to 0 if not set.| 0 -| -| `OC_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS` + -`SHARING_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS` -| Define the minimum number of special characters. Defaults to 0 if not set.| 0 -| -| `OC_PASSWORD_POLICY_BANNED_PASSWORDS_LIST` + -`SHARING_PASSWORD_POLICY_BANNED_PASSWORDS_LIST` -| Path to the 'banned passwords list' file. See the documentation for more details.| - -| xref:{s-path}/sse.adoc[sse] -| `OC_LOG_LEVEL` + -`SSE_LOG_LEVEL` -| The log level. 
Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'."|
-|
-| `OC_LOG_PRETTY` +
-`SSE_LOG_PRETTY`
-| Activates pretty log output.|
-|
-| `OC_LOG_COLOR` +
-`SSE_LOG_COLOR`
-| Activates colorized log output.|
-|
-| `OC_LOG_FILE` +
-`SSE_LOG_FILE`
-| The path to the log file. Activates logging to this file if set.|
-|
-| `SSE_DEBUG_ADDR`
-| Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.|
-|
-| `SSE_DEBUG_TOKEN`
-| Token to secure the metrics endpoint.|
-|
-| `SSE_DEBUG_PPROF`
-| Enables pprof, which can be used for profiling.|
-|
-| `SSE_DEBUG_ZPAGES`
-| Enables zpages, which can be used for collecting and viewing in-memory traces.|
-|
-| `OC_EVENTS_ENDPOINT` +
-`SSE_EVENTS_ENDPOINT`
-| The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.|
-|
-| `OC_EVENTS_CLUSTER` +
-`SSE_EVENTS_CLUSTER`
-| The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.|
-|
-| `OC_INSECURE` +
-`SSE_EVENTS_TLS_INSECURE`
-| Whether to verify the server TLS certificates.|
-|
-| `OC_EVENTS_TLS_ROOT_CA_CERTIFICATE` +
-`SSE_EVENTS_TLS_ROOT_CA_CERTIFICATE`
-| The root CA certificate used to validate the server's TLS certificate. If provided NOTIFICATIONS_EVENTS_TLS_INSECURE will be seen as false.|
-|
-| `OC_EVENTS_ENABLE_TLS` +
-`SSE_EVENTS_ENABLE_TLS`
-| Enable TLS for the connection to the events broker. The events broker is the ocis service which receives and delivers events between the services.|
-|
-| `OC_EVENTS_AUTH_USERNAME` +
-`SSE_EVENTS_AUTH_USERNAME`
-| The username to authenticate with the events broker. 
The events broker is the ocis service which receives and delivers events between the services.|
-|
-| `OC_EVENTS_AUTH_PASSWORD` +
-`SSE_EVENTS_AUTH_PASSWORD`
-| The password to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services.|
-|
-| `OC_CORS_ALLOW_ORIGINS` +
-`SSE_CORS_ALLOW_ORIGINS`
-| A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.|
-|
-| `OC_CORS_ALLOW_METHODS` +
-`SSE_CORS_ALLOW_METHODS`
-| A list of allowed CORS methods. See following chapter for more details: *Access-Control-Allow-Methods* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Methods. See the Environment Variable Types description for more details.|
-|
-| `OC_CORS_ALLOW_HEADERS` +
-`SSE_CORS_ALLOW_HEADERS`
-| A list of allowed CORS headers. See following chapter for more details: *Access-Control-Allow-Headers* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers. See the Environment Variable Types description for more details.|
-|
-| `OC_CORS_ALLOW_CREDENTIALS` +
-`SSE_CORS_ALLOW_CREDENTIALS`
-| Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.|
-|
-| `SSE_HTTP_ADDR`
-| The bind address of the HTTP service. |
-|
-| `SSE_HTTP_ROOT`
-| The root path of the HTTP service.|
-|
-| `OC_JWT_SECRET` +
-`SSE_JWT_SECRET`
-| The secret to mint and validate jwt tokens.|
-
-|
-| `OC_TRACING_ENABLED` +
-`SSE_TRACING_ENABLED`
-| Activates tracing.|
-|
-| `OC_TRACING_TYPE` +
-`SSE_TRACING_TYPE`
-| The type of tracing. Defaults to '', which is the same as 'jaeger'. 
Allowed tracing types are 'jaeger' and '' as of now."`
-|
-|
-| `OC_TRACING_ENDPOINT` +
-`SSE_TRACING_ENDPOINT`
-| The endpoint of the tracing agent.|
-|
-| `OC_TRACING_COLLECTOR` +
-`SSE_TRACING_COLLECTOR`
-| The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.|
-
-| xref:{s-path}/storage-system.adoc[storage-system]
-| `OC_CACHE_DISABLE_PERSISTENCE` +
-`STORAGE_SYSTEM_CACHE_DISABLE_PERSISTENCE`
-| Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false.| false
-|
-| `OC_CACHE_AUTH_USERNAME` +
-`STORAGE_SYSTEM_CACHE_AUTH_USERNAME`
-| Username for the configured store. Only applies when store type 'nats-js-kv' is configured.|
-|
-| `OC_CACHE_AUTH_PASSWORD` +
-`STORAGE_SYSTEM_CACHE_AUTH_PASSWORD`
-| Password for the configured store. Only applies when store type 'nats-js-kv' is configured.|
-|
-| `OC_MACHINE_AUTH_API_KEY` +
-`STORAGE_USERS_MACHINE_AUTH_API_KEY`
-| Machine auth API key used to validate internal requests necessary for the access to resources from other services.|
-
-| xref:{s-path}/storage-users.adoc[storage-users]
-| `OC_GATEWAY_GRPC_ADDR` +
-`STORAGE_USERS_GATEWAY_GRPC_ADDR`
-| The bind address of the gateway GRPC address.|
-|
-| `OC_MACHINE_AUTH_API_KEY` +
-`STORAGE_USERS_MACHINE_AUTH_API_KEY`
-| Machine auth API key used to validate internal requests necessary for the access to resources from other services.|
-|
-| `STORAGE_USERS_CLI_MAX_ATTEMPTS_RENAME_FILE`
-| The maximum number of attempts to rename a file when a user restores a file to an existing destination with the same name. The minimum value is 100.|
-|
-| `OC_EVENTS_AUTH_USERNAME` +
-`STORAGE_USERS_EVENTS_AUTH_USERNAME`
-| The username to authenticate with the events broker. 
The events broker is the ocis service which receives and delivers events between the services.|
-|
-| `OC_EVENTS_AUTH_PASSWORD` +
-`STORAGE_USERS_EVENTS_AUTH_PASSWORD`
-| The password to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services.|
-|
-| `OC_CACHE_DISABLE_PERSISTENCE` +
-`STORAGE_USERS_STAT_CACHE_DISABLE_PERSISTENCE`
-| Disables persistence of the stat cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false.| false
-|
-| `OC_CACHE_DISABLE_PERSISTENCE` +
-`STORAGE_USERS_FILEMETADATA_CACHE_DISABLE_PERSISTENCE`
-| Disables persistence of the file metadata cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false.| false
-|
-| `OC_CACHE_AUTH_USERNAME` +
-`STORAGE_USERS_FILEMETADATA_CACHE_AUTH_USERNAME`
-| The username to authenticate with the cache store. Only applies when store type 'nats-js-kv' is configured.|
-|
-| `OC_CACHE_AUTH_PASSWORD` +
-`STORAGE_USERS_FILEMETADATA_CACHE_AUTH_PASSWORD`
-| The password to authenticate with the cache store. Only applies when store type 'nats-js-kv' is configured.|
-|
-| `OC_CACHE_DISABLE_PERSISTENCE` +
-`STORAGE_USERS_ID_CACHE_DISABLE_PERSISTENCE`
-| Disables persistence of the id cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false.| false
-|
-| `OC_CACHE_AUTH_USERNAME` +
-`STORAGE_USERS_ID_CACHE_AUTH_USERNAME`
-| The username to authenticate with the cache store. Only applies when store type 'nats-js-kv' is configured.|
-|
-| `OC_CACHE_AUTH_PASSWORD` +
-`STORAGE_USERS_ID_CACHE_AUTH_PASSWORD`
-| The password to authenticate with the cache store. Only applies when store type 'nats-js-kv' is configured.|
-|
-| `OC_SERVICE_ACCOUNT_ID` +
-`STORAGE_USERS_SERVICE_ACCOUNT_ID`
-| The ID of the service account the service should use. 
See the 'auth-service' service description for more details.|
-|
-| `OC_SERVICE_ACCOUNT_SECRET` +
-`STORAGE_USERS_SERVICE_ACCOUNT_SECRET`
-| The service account secret.|
-
-| xref:{s-path}/userlog.adoc[userlog]
-| `OC_DEFAULT_LANGUAGE`
-| The default language used by services and the WebUI. If not defined, English will be used as default. See the documentation for more details.|
-|
-| `OC_PERSISTENT_STORE_AUTH_USERNAME` +
-`USERLOG_STORE_AUTH_USERNAME`
-| The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.|
-|
-| `OC_PERSISTENT_STORE_AUTH_PASSWORD` +
-`USERLOG_STORE_AUTH_PASSWORD`
-| The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.|
-|
-| `OC_EVENTS_AUTH_USERNAME` +
-`USERLOG_EVENTS_AUTH_USERNAME`
-| The username to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services.|
-|
-| `OC_EVENTS_AUTH_PASSWORD` +
-`USERLOG_EVENTS_AUTH_PASSWORD`
-| The password to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services.|
-|
-| `OC_SERVICE_ACCOUNT_ID` +
-`USERLOG_SERVICE_ACCOUNT_ID`
-| The ID of the service account the service should use. See the 'auth-service' service description for more details.|
-|
-| `OC_SERVICE_ACCOUNT_SECRET` +
-`USERLOG_SERVICE_ACCOUNT_SECRET`
-| The service account secret.|
-
-| xref:{s-path}/web.adoc[web]
-| `WEB_OPTION_LOGIN_URL`
-| Specifies the target URL to the login page. This is helpful when an external IdP is used. This option is disabled by default. Example URL like: https://www.myidp.com/login.|
-|
-| `WEB_OPTION_DISABLED_EXTENSIONS`
-| A list to disable specific Web extensions identified by their ID. The ID can e.g. be taken from the 'index.ts' file of the web extension. Example: 'com.github.owncloud.web.files.search,com.github.owncloud.web.files.print'. 
See the Environment Variable Types description for more details.|
-|
-| `WEB_OPTION_USER_LIST_REQUIRES_FILTER`
-| Defines whether one or more filters must be set in order to list users in the Web admin settings. Set this option to 'true' if running in an environment with a lot of users and listing all users could slow down performance. Defaults to 'false'.| false
-|
-| `WEB_OPTION_EMBED_ENABLED`
-| Defines whether Web should be running in 'embed' mode. Setting this to 'true' will enable a stripped down version of Web with reduced functionality used to integrate Web into other applications like via iFrame. Setting it to 'false' or not setting it (default) will run Web as usual with all functionality enabled. See the text description for more details.|
-|
-| `WEB_OPTION_EMBED_TARGET`
-| Defines how Web is being integrated when running in 'embed' mode. Currently, the only supported options are '' (empty) and 'location'. With '' which is the default, Web will run regular as defined via the 'embed.enabled' config option. With 'location', Web will run embedded as location picker. Resource selection will be disabled and the selected resources array always includes the current folder as the only item. See the text description for more details. |
-|
-| `WEB_OPTION_EMBED_MESSAGES_ORIGIN`
-| Defines a URL under which Web can be integrated via iFrame in 'embed' mode. Note that setting this is mandatory when running Web in 'embed' mode. Use '*' as value to allow running the iFrame under any URL, although this is not recommended for security reasons. See the text description for more details.|
-|
-| `WEB_OPTION_EMBED_DELEGATE_AUTHENTICATION`
-| Defines whether Web should require authentication to be done by the parent application when running in 'embed' mode. If set to 'true' Web will not try to authenticate the user on its own but will require an access token coming from the parent application. 
Defaults to being unset.|
-|
-| `WEB_OPTION_EMBED_DELEGATE_AUTHENTICATION_ORIGIN`
-| Defines the host to validate the message event origin against when running Web in 'embed' mode with delegated authentication. Defaults to event message origin validation being omitted, which is only recommended for development setups.|
-|
-| `WEB_OPTION_CONCURRENT_REQUESTS_RESOURCE_BATCH_ACTIONS`
-| Defines the maximum number of concurrent requests per file/folder/space batch action. Defaults to 4.|
-|
-| `WEB_OPTION_CONCURRENT_REQUESTS_SSE`
-| Defines the maximum number of concurrent requests in SSE event handlers. Defaults to 4.|
-|
-| `WEB_OPTION_CONCURRENT_REQUESTS_SHARES_CREATE`
-| Defines the maximum number of concurrent requests per sharing invite batch. Defaults to 4.|
-|
-| `WEB_OPTION_CONCURRENT_REQUESTS_SHARES_LIST`
-| Defines the maximum number of concurrent requests when loading individual share information inside listings. Defaults to 2.|
-|===
diff --git a/docs/services/general-info/env-var-deltas/4.0.0-5.0.0-added.md b/docs/services/general-info/env-var-deltas/4.0.0-5.0.0-added.md
deleted file mode 100644
index ab8c659c99..0000000000
--- a/docs/services/general-info/env-var-deltas/4.0.0-5.0.0-added.md
+++ /dev/null
@@ -1,263 +0,0 @@ -# Added Variables between oCIS 4.0.0 and oCIS 5.0.0 - -| File | Variable | Description | Default | -|-----------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------| -| ocis-pkg/shared/shared_types.go | `OC_CACHE_DISABLE_PERSISTENCE` | Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. | `false` | -| ocis-pkg/registry/registry.go | `MICRO_REGISTRY` (important change) | The Go micro registry type to use. Supported types are: 'memory', 'nats-js-kv' (default) and 'kubernetes'. Note that 'nats', 'etcd', 'consul' and 'mdns' are deprecated and will be removed in a later version. Only change on supervision of ownCloud Support. | `nats-js-kv` | -| ocis-pkg/natsjsregistry/registry.go | `MICRO_REGISTRY_AUTH_USERNAME` | Optional when using nats to authenticate with the nats cluster. | | -| | `MICRO_REGISTRY_AUTH_PASSWORD` | Optional when using nats to authenticate with the nats cluster. | | -| services/antivirus/pkg/config/config.go | `OC_EVENTS_AUTH_USERNAME` | The username to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services. | | -| | `OC_EVENTS_AUTH_PASSWORD` | The password to authenticate with the events broker. 
The events broker is the ocis service which receives and delivers events between the services. | |
-| | `ANTIVIRUS_ICAP_SCAN_TIMEOUT` | Scan timeout for the ICAP client. Defaults to '5m' (5 minutes). See the Environment Variable Types description for more details. | 5m0s |
-| services/audit/pkg/config/config.go | `OC_EVENTS_AUTH_USERNAME` | The username to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services. | |
-| | `OC_EVENTS_AUTH_PASSWORD` | The password to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services. | |
-| services/auth-service/pkg/config/config.go | `OC_LOG_LEVEL;AUTH_SERVICE_LOG_LEVEL` | The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'." | |
-| | `OC_LOG_PRETTY;AUTH_SERVICE_LOG_PRETTY` | Activates pretty log output. | |
-| | `OC_LOG_COLOR;AUTH_SERVICE_LOG_COLOR` | Activates colorized log output. | |
-| | `OC_LOG_FILE;AUTH_SERVICE_LOG_FILE` | The path to the log file. Activates logging to this file if set. | |
-| | `AUTH_SERVICE_DEBUG_ADDR` | Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed. | |
-| | `AUTH_SERVICE_DEBUG_PPROF` | Enables pprof, which can be used for profiling. | |
-| | `AUTH_SERVICE_DEBUG_TOKEN` | Enables pprof, which can be used for profiling. | |
-| | `AUTH_SERVICE_DEBUG_ZPAGES` | Enables zpages, which can be used for collecting and viewing in-memory traces. | |
-| | `AUTH_SERVICE_GRPC_ADDR` | The bind address of the GRPC service. | |
-| | `AUTH_SERVICE_GRPC_PROTOCOL` | The transport protocol of the GRPC service. | |
-| | `OC_SERVICE_ACCOUNT_ID;AUTH_SERVICE_SERVICE_ACCOUNT_ID` | The ID of the service account the service should use. See the 'auth-service' service description for more details.
| |
-| | `OC_SERVICE_ACCOUNT_SECRET;AUTH_SERVICE_SERVICE_ACCOUNT_SECRET` | The service account secret. | |
-| services/auth-service/pkg/config/reva.go | `OC_JWT_SECRET;AUTH_SERVICE_JWT_SECRET` | The secret to mint and validate jwt tokens. | |
-| services/auth-service/pkg/config/tracing.go | `OC_TRACING_ENABLED;AUTH_SERVICE_TRACING_ENABLED` | Activates tracing. | |
-| | `OC_TRACING_TYPE;AUTH_SERVICE_TRACING_TYPE` | The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now."` | |
-| | `OC_TRACING_ENDPOINT;AUTH_SERVICE_TRACING_ENDPOINT` | The endpoint of the tracing agent. | |
-| | `OC_TRACING_COLLECTOR;AUTH_SERVICE_TRACING_COLLECTOR` | The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset. | |
-| services/clientlog/pkg/config/config.go | `OC_REVA_GATEWAY;CLIENTLOG_REVA_GATEWAY` | CS3 gateway used to look up user metadata | |
-| | `OC_EVENTS_ENDPOINT;CLIENTLOG_EVENTS_ENDPOINT` | The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. | |
-| | `OC_EVENTS_CLUSTER;CLIENTLOG_EVENTS_CLUSTER` | The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system. | |
-| | `OC_INSECURE;CLIENTLOG_EVENTS_TLS_INSECURE` | Whether to verify the server TLS certificates. | |
-| | `OC_EVENTS_TLS_ROOT_CA_CERTIFICATE;CLIENTLOG_EVENTS_TLS_ROOT_CA_CERTIFICATE` | The root CA certificate used to validate the server's TLS certificate. If provided NOTIFICATIONS_EVENTS_TLS_INSECURE will be seen as false. | |
-| | `OC_EVENTS_ENABLE_TLS;CLIENTLOG_EVENTS_ENABLE_TLS` | Enable TLS for the connection to the events broker. The events broker is the ocis service which receives and delivers events between the services..
| |
-| | `OC_EVENTS_AUTH_USERNAME;CLIENTLOG_EVENTS_AUTH_USERNAME` | The username to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services.. | |
-| | `OC_EVENTS_AUTH_PASSWORD;CLIENTLOG_EVENTS_AUTH_PASSWORD` | The password to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services.. | |
-| | `OC_JWT_SECRET;CLIENTLOG_JWT_SECRET` | The secret to mint and validate jwt tokens. | |
-| | `OC_SERVICE_ACCOUNT_ID;CLIENTLOG_SERVICE_ACCOUNT_ID` | The ID of the service account the service should use. See the 'auth-service' service description for more details. | |
-| | `OC_SERVICE_ACCOUNT_SECRET;CLIENTLOG_SERVICE_ACCOUNT_SECRET` | The service account secret. | |
-| services/clientlog/pkg/config/debug.go | `CLIENTLOG_DEBUG_ADDR` | Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed. | |
-| | `CLIENTLOG_DEBUG_TOKEN` | Token to secure the metrics endpoint. | |
-| | `CLIENTLOG_DEBUG_PPROF` | Enables pprof, which can be used for profiling. | |
-| | `CLIENTLOG_DEBUG_ZPAGES` | Enables zpages, which can be used for collecting and viewing in-memory traces. | |
-| services/clientlog/pkg/config/log.go | `OC_LOG_LEVEL;CLIENTLOG_USERLOG_LOG_LEVEL` | The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'." | |
-| | `OC_LOG_PRETTY;CLIENTLOG_USERLOG_LOG_PRETTY` | Activates pretty log output. | |
-| | `OC_LOG_COLOR;CLIENTLOG_USERLOG_LOG_COLOR` | Activates colorized log output. | |
-| | `OC_LOG_FILE;CLIENTLOG_USERLOG_LOG_FILE` | The path to the log file. Activates logging to this file if set. | |
-| services/clientlog/pkg/config/tracing.go | `OC_TRACING_ENABLED;CLIENTLOG_TRACING_ENABLED` | Activates tracing. | |
-| | `OC_TRACING_TYPE;CLIENTLOG_TRACING_TYPE` | The type of tracing. Defaults to '', which is the same as 'jaeger'.
Allowed tracing types are 'jaeger' and '' as of now."` | |
-| | `OC_TRACING_ENDPOINT;CLIENTLOG_TRACING_ENDPOINT` | The endpoint of the tracing agent. | |
-| | `OC_TRACING_COLLECTOR;CLIENTLOG_TRACING_COLLECTOR` | The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset. | |
-| services/eventhistory/pkg/config/config.go | `OC_PERSISTENT_STORE_AUTH_USERNAME;EVENTHISTORY_STORE_AUTH_USERNAME` | The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured. | |
-| | `OC_PERSISTENT_STORE_AUTH_PASSWORD;EVENTHISTORY_STORE_AUTH_PASSWORD` | The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured. | |
-| | `OC_EVENTS_AUTH_USERNAME;EVENTHISTORY_EVENTS_AUTH_USERNAME` | The username to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services. | |
-| | `OC_EVENTS_AUTH_PASSWORD;EVENTHISTORY_EVENTS_AUTH_PASSWORD` | The password to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services. | |
-| services/frontend/pkg/config/config.go | `OC_ENABLE_RESHARING` | Changing this value is NOT supported. Enables the support for resharing in the clients. | |
-| | `FRONTEND_DEFAULT_LINK_PERMISSIONS` | Defines the default permissions a link is being created with. Possible values are 0 (= internal link, for instance members only) and 1 (= public link with viewer permissions). Defaults to 1. | |
-| | `FRONTEND_AUTO_ACCEPT_SHARES` | Defines if shares should be auto accepted by default. Users can change this setting individually in their profile. | true |
-| | `OC_CACHE_DISABLE_PERSISTENCE;FRONTEND_OCS_STAT_CACHE_DISABLE_PERSISTENCE` | Disable persistence of the cache. Only applies when using the 'nats-js-kv' store type. Defaults to false.
| false |
-| | `OC_CACHE_AUTH_USERNAME;FRONTEND_OCS_STAT_CACHE_AUTH_USERNAME` | The username to use for authentication. Only applies when using the 'nats-js-kv' store type. | |
-| | `OC_CACHE_AUTH_PASSWORD;FRONTEND_OCS_STAT_CACHE_AUTH_PASSWORD` | The password to use for authentication. Only applies when using the 'nats-js-kv' store type. | |
-| | `FRONTEND_OCS_LIST_OCM_SHARES` | Include OCM shares when listing shares. See the OCM service documentation for more details. | |
-| | `OC_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD;FRONTEND_OCS_PUBLIC_SHARE_MUST_HAVE_PASSWORD` | Set this to true if you want to enforce passwords on all public shares. | |
-| | `OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD;FRONTEND_OCS_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD` | Set this to true if you want to enforce passwords on Uploader, Editor or Contributor shares. | |
-| | `FRONTEND_OCS_INCLUDE_OCM_SHAREES` | Include OCM sharees when listing sharees. | |
-| | `OC_EVENTS_ENDPOINT;FRONTEND_EVENTS_ENDPOINT` | The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. | |
-| | `OC_EVENTS_CLUSTER;FRONTEND_EVENTS_CLUSTER` | The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system. | |
-| | `OC_INSECURE;FRONTEND_EVENTS_TLS_INSECURE` | Whether to verify the server TLS certificates. | |
-| | `FRONTEND_EVENTS_TLS_ROOT_CA_CERTIFICATE;OCS_EVENTS_TLS_ROOT_CA_CERTIFICATE` | The root CA certificate used to validate the server's TLS certificate. If provided NOTIFICATIONS_EVENTS_TLS_INSECURE will be seen as false. | |
-| | `OC_EVENTS_ENABLE_TLS;FRONTEND_EVENTS_ENABLE_TLS` | Enable TLS for the connection to the events broker. The events broker is the ocis service which receives and delivers events between the services.
| |
-| | `OC_EVENTS_AUTH_USERNAME;FRONTEND_EVENTS_AUTH_USERNAME` | The username to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services.. | |
-| | `OC_EVENTS_AUTH_PASSWORD;FRONTEND_EVENTS_AUTH_PASSWORD` | The password to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services.. | |
-| | `OC_SERVICE_ACCOUNT_ID;FRONTEND_SERVICE_ACCOUNT_ID` | The ID of the service account the service should use. See the 'auth-service' service description for more details. | |
-| | `OC_SERVICE_ACCOUNT_SECRET;FRONTEND_SERVICE_ACCOUNT_SECRET` | The service account secret. | |
-| | `OC_PASSWORD_POLICY_DISABLED;FRONTEND_PASSWORD_POLICY_DISABLED` | Disable the password policy. Defaults to false if not set. | |
-| | `OC_PASSWORD_POLICY_MIN_CHARACTERS;FRONTEND_PASSWORD_POLICY_MIN_CHARACTERS` | Define the minimum password length. Defaults to 0 if not set. | 0 |
-| | `OC_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS;FRONTEND_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS` | Define the minimum number of lowercase characters. Defaults to 0 if not set. | 0 |
-| | `OC_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS;FRONTEND_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS` | Define the minimum number of uppercase characters. Defaults to 0 if not set. | 0 |
-| | `OC_PASSWORD_POLICY_MIN_DIGITS;FRONTEND_PASSWORD_POLICY_MIN_DIGITS` | Define the minimum number of digits. Defaults to 0 if not set. | 0 |
-| | `OC_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS;FRONTEND_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS` | Define the minimum number of special characters. Defaults to 0 if not set. | 0 |
-| | `OC_PASSWORD_POLICY_BANNED_PASSWORDS_LIST;FRONTEND_PASSWORD_POLICY_BANNED_PASSWORDS_LIST` | Path to the 'banned passwords list' file. See the documentation for more details.
| |
-| services/gateway/pkg/config/config.go | `OC_CACHE_DISABLE_PERSISTENCE;GATEWAY_STAT_CACHE_DISABLE_PERSISTENCE` | Disables persistence of the stat cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false. | false |
-| | `OC_CACHE_DISABLE_PERSISTENCE;GATEWAY_PROVIDER_CACHE_DISABLE_PERSISTENCE` | Disables persistence of the provider cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false. | false |
-| | `OC_CACHE_AUTH_USERNAME;GATEWAY_PROVIDER_CACHE_AUTH_USERNAME` | The username to use for authentication. Only applies when store type 'nats-js-kv' is configured. | |
-| | `OC_CACHE_AUTH_PASSWORD;GATEWAY_PROVIDER_CACHE_AUTH_PASSWORD` | The password to use for authentication. Only applies when store type 'nats-js-kv' is configured. | |
-| | `OC_CACHE_DISABLE_PERSISTENCE;GATEWAY_CREATE_HOME_CACHE_DISABLE_PERSISTENCE` | Disables persistence of the create home cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false. | |
-| | `OC_CACHE_AUTH_USERNAME;GATEWAY_CREATE_HOME_CACHE_AUTH_USERNAME` | The username to use for authentication. Only applies when store type 'nats-js-kv' is configured. | false |
-| | `OC_CACHE_AUTH_PASSWORD;GATEWAY_CREATE_HOME_CACHE_AUTH_PASSWORD` | The password to use for authentication. Only applies when store type 'nats-js-kv' is configured. | |
-| services/graph/pkg/config/cache.go | `OC_CACHE_DISABLE_PERSISTENCE;GRAPH_CACHE_DISABLE_PERSISTENCE` | Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false. | false |
-| | `OC_CACHE_AUTH_USERNAME;GRAPH_CACHE_AUTH_USERNAME` | The username to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured. | |
-| | `OC_CACHE_AUTH_PASSWORD;GRAPH_CACHE_AUTH_PASSWORD` | The password to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured.
| |
-| services/graph/pkg/config/config.go | `GRAPH_IDENTITY_SEARCH_MIN_LENGTH` | The minimum length the search term needs to have for unprivileged users when searching for users or groups. | |
-| | `OC_EVENTS_AUTH_USERNAME;GRAPH_EVENTS_AUTH_USERNAME` | The username to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services. | |
-| | `OC_EVENTS_AUTH_PASSWORD;GRAPH_EVENTS_AUTH_PASSWORD` | The password to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services. | |
-| | `OC_SERVICE_ACCOUNT_ID;GRAPH_SERVICE_ACCOUNT_ID` | The ID of the service account the service should use. See the 'auth-service' service description for more details. | |
-| | `OC_SERVICE_ACCOUNT_SECRET;GRAPH_SERVICE_ACCOUNT_SECRET` | The service account secret. | |
-| | `OC_ENABLE_RESHARING;GRAPH_ENABLE_RESHARING` | Changing this value is NOT supported. Enables the support for resharing in the clients. | |
-| services/idp/pkg/config/config.go | `IDP_LOGIN_BACKGROUND_URL` | Configure an alternative URL to the background image for the login page. | |
-| services/notifications/pkg/config/config.go | `OC_DEFAULT_LANGUAGE` | The default language used by services and the WebUI. If not defined, English will be used as default. See the documentation for more details. | |
-| | `OC_EVENTS_AUTH_USERNAME;NOTIFICATIONS_EVENTS_AUTH_USERNAME` | The username to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services. | |
-| | `OC_EVENTS_AUTH_PASSWORD;NOTIFICATIONS_EVENTS_AUTH_PASSWORD` | The password to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services. | |
-| | `OC_SERVICE_ACCOUNT_ID;NOTIFICATIONS_SERVICE_ACCOUNT_ID` | The ID of the service account the service should use.
See the 'auth-service' service description for more details. | |
-| | `OC_SERVICE_ACCOUNT_SECRET;NOTIFICATIONS_SERVICE_ACCOUNT_SECRET` | The service account secret. | |
-| services/ocdav/pkg/config/config.go | `OCDAV_OCM_NAMESPACE` | The human readable path prefix for the ocm shares. | |
-| services/ocm/pkg/config/config.go | `SHARING_OCM_PROVIDER_AUTHORIZER_DRIVER` | Driver to be used to persist ocm invites. Supported value is only 'json'. | `json` |
-| | `OCM_HTTP_ADDR` | The bind address of the HTTP service. | |
-| | `OCM_HTTP_PROTOCOL` | The transport protocol of the HTTP service. | |
-| | `OCM_HTTP_PREFIX` | The path prefix where OCM can be accessed (defaults to /). | |
-| | `OC_SERVICE_ACCOUNT_ID;OCM_SERVICE_ACCOUNT_ID` | The ID of the service account the service should use. See the 'auth-service' service description for more details. | |
-| | `OC_SERVICE_ACCOUNT_SECRET;OCM_SERVICE_ACCOUNT_SECRET` | The service account secret. | |
-| | `OC_CORS_ALLOW_ORIGINS;OCM_CORS_ALLOW_ORIGINS` | A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details. | |
-| | `OC_CORS_ALLOW_METHODS;OCM_CORS_ALLOW_METHODS` | A list of allowed CORS methods. See following chapter for more details: *Access-Control-Allow-Methods* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Methods. See the Environment Variable Types description for more details. | |
-| | `OC_CORS_ALLOW_HEADERS;OCM_CORS_ALLOW_HEADERS` | A list of allowed CORS headers. See following chapter for more details: *Access-Control-Allow-Headers* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers. See the Environment Variable Types description for more details.
| |
-| | `OC_CORS_ALLOW_CREDENTIALS;OCM_CORS_ALLOW_CREDENTIALS` | Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials. | |
-| | `OCM_GRPC_ADDR` | The bind address of the GRPC service. | |
-| | `OCM_GRPC_PROTOCOL` | The transport protocol of the GRPC service. | |
-| | `OCM_SCIENCEMESH_PREFIX` | URL path prefix for the ScienceMesh service. Note that the string must not start with '/'. | |
-| | `OCM_MESH_DIRECTORY_URL ` | URL of the mesh directory service. | |
-| | `OCM_OCMD_PREFIX` | URL path prefix for the OCMd service. Note that the string must not start with '/'. | |
-| | `OCM_OCMD_EXPOSE_RECIPIENT_DISPLAY_NAME` | Expose the display name of OCM share recipients. | |
-| | `OCM_OCM_INVITE_MANAGER_DRIVER` | Driver to be used to persist ocm invites. Supported value is only 'json'. | `json` |
-| | `OCM_OCM_INVITE_MANAGER_INSECURE` | Disable TLS certificate validation for the OCM connections. Do not set this in production environments. | |
-| | `OCM_OCM_INVITE_MANAGER_JSON_FILE` | Path to the JSON file where OCM invite data will be stored. If not defined, the root directory derives from $OC_BASE_DATA_PATH:/storage. | |
-| | `OCM_OCM_PROVIDER_AUTHORIZER_PROVIDERS_FILE` | Path to the JSON file where ocm invite data will be stored. If not defined, the root directory derives from $OC_BASE_DATA_PATH:/storage. | |
-| | `OCM_OCM_PROVIDER_AUTHORIZER_VERIFY_REQUEST_HOSTNAME` | Verify the hostname of the request against the hostname of the OCM provider. | |
-| | `OCM_OCM_CORE_DRIVER` | Driver to be used to persist ocm shares. Supported value is only 'json'. | `json` |
-| | `OCM_OCM_STORAGE_PROVIDER_INSECURE` | Disable TLS certificate validation for the OCM connections. Do not set this in production environments.
| |
-| | `OCM_OCM_STORAGE_PROVIDER_STORAGE_ROOT` | Directory where the ocm storage provider persists its data like tus upload info files. | |
-| | `OCM_OCM_CORE_JSON_FILE` | Path to the JSON file where OCM share data will be stored. If not defined, the root directory derives from $OC_BASE_DATA_PATH:/storage. | |
-| | `OCM_OCM_SHARE_PROVIDER_DRIVER` | Driver to be used to persist ocm shares. Supported value is only 'json'. | `json` |
-| | `OCM_OCM_SHARE_PROVIDER_INSECURE` | Disable TLS certificate validation for the OCM connections. Do not set this in production environments. | |
-| | `OCM_WEBAPP_TEMPLATE` | Template for the webapp url. | |
-| | `OCM_OCM_SHAREPROVIDER_JSON_FILE` | Path to the JSON file where OCM share data will be stored. If not defined, the root directory derives from $OC_BASE_DATA_PATH:/storage. | |
-| services/ocm/pkg/config/debug.go | `OCM_DEBUG_ADDR` | Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed. | |
-| | `OCM_DEBUG_TOKEN` | Token to secure the metrics endpoint. | |
-| | `OCM_DEBUG_PPROF` | Enables pprof, which can be used for profiling. | |
-| | `OCM_DEBUG_ZPAGES` | Enables zpages, which can be used for collecting and viewing in-memory traces. | |
-| services/ocm/pkg/config/log.go | `OC_LOG_LEVEL;OCM_LOG_LEVEL` | The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'." | |
-| | `OC_LOG_PRETTY;OCM_LOG_PRETTY` | Activates pretty log output. | |
-| | `OC_LOG_COLOR;OCM_LOG_COLOR` | Activates colorized log output. | |
-| | `OC_LOG_FILE;OCM_LOG_FILE` | The path to the log file. Activates logging to this file if set. | |
-| services/ocm/pkg/config/tracing.go | `OC_TRACING_ENABLED;OCM_TRACING_ENABLED` | Activates tracing. | |
-| | `OC_TRACING_TYPE;OCM_TRACING_TYPE` | The type of tracing. Defaults to '', which is the same as 'jaeger'.
Allowed tracing types are 'jaeger' and '' as of now."` | |
-| | `OC_TRACING_ENDPOINT;OCM_TRACING_ENDPOINT` | The endpoint of the tracing agent. | |
-| | `OC_TRACING_COLLECTOR;OCM_TRACING_COLLECTOR` | The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset. | |
-| services/ocs/pkg/config/config.go | `OC_CACHE_STORE;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE` | The type of the signing key store. Supported values are: 'redis-sentinel' and 'nats-js-kv'. See the text description for details. | |
-| | `OC_CACHE_STORE_NODES;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_NODES` | A list of nodes to access the configured store. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details. | |
-| | `OC_CACHE_TTL;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_TTL` | Default time to live for signing keys. See the Environment Variable Types description for more details. | |
-| | `OC_CACHE_AUTH_USERNAME;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_USERNAME` | The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured. | |
-| | `OC_CACHE_AUTH_PASSWORD;OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_PASSWORD` | The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured. | |
-| services/policies/pkg/config/config.go | `OC_EVENTS_AUTH_USERNAME;POLICIES_EVENTS_AUTH_USERNAME` | The username to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services. | |
-| | `OC_EVENTS_AUTH_PASSWORD;POLICIES_EVENTS_AUTH_PASSWORD` | The password to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services. | |
-| services/policies/pkg/config/tracing.go | `OC_TRACING_ENABLED;POLICIES_TRACING_ENABLED` | Activates tracing.
| |
-| | `OC_TRACING_TYPE;POLICIES_TRACING_TYPE` | The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now."` | |
-| | `OC_TRACING_ENDPOINT;POLICIES_TRACING_ENDPOINT` | The endpoint of the tracing agent. | |
-| | `OC_TRACING_COLLECTOR;POLICIES_TRACING_COLLECTOR` | The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset. | |
-| services/postprocessing/pkg/config/config.go | `POSTPROCESSING_RETRY_BACKOFF_DURATION` | The base for the exponential backoff duration before retrying a failed postprocessing step. See the Environment Variable Types description for more details. | |
-| | `POSTPROCESSING_MAX_RETRIES` | The maximum number of retries for a failed postprocessing step. | |
-| | `OC_EVENTS_AUTH_USERNAME;POSTPROCESSING_EVENTS_AUTH_USERNAME` | The username to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services. | |
-| | `OC_EVENTS_AUTH_PASSWORD;POSTPROCESSING_EVENTS_AUTH_PASSWORD` | The password to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services. | |
-| | `OC_PERSISTENT_STORE_AUTH_USERNAME;POSTPROCESSING_STORE_AUTH_USERNAME` | The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured. | |
-| | `OC_PERSISTENT_STORE_AUTH_PASSWORD;POSTPROCESSING_STORE_AUTH_PASSWORD` | The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured. | |
-| services/postprocessing/pkg/config/tracing.go | `OC_TRACING_ENABLED;POSTPROCESSING_TRACING_ENABLED` | Activates tracing. | |
-| | `OC_TRACING_TYPE;POSTPROCESSING_TRACING_TYPE` | The type of tracing. Defaults to '', which is the same as 'jaeger'.
Allowed tracing types are 'jaeger' and '' as of now."` | |
-| | `OC_TRACING_ENDPOINT;POSTPROCESSING_TRACING_ENDPOINT` | The endpoint of the tracing agent. | |
-| | `OC_TRACING_COLLECTOR;POSTPROCESSING_TRACING_COLLECTOR` | The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset. | |
-| services/proxy/pkg/config/config.go | `OC_CACHE_AUTH_USERNAME;PROXY_OIDC_USERINFO_CACHE_AUTH_USERNAME` | The username to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured. | |
-| | `OC_CACHE_AUTH_PASSWORD;PROXY_OIDC_USERINFO_CACHE_AUTH_PASSWORD` | The password to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured. | |
-| | `OC_CACHE_STORE;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE` | The type of the signing key store. Supported values are: 'redis-sentinel' and 'nats-js-kv'. See the text description for details. | |
-| | `OC_CACHE_STORE_NODES;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_NODES` | A list of nodes to access the configured store. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details. | |
-| | `OC_CACHE_TTL;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_TTL` | Default time to live for signing keys. See the Environment Variable Types description for more details. | |
-| | `OC_CACHE_DISABLE_PERSISTENCE;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_DISABLE_PERSISTENCE` | Disables persistence of the store. Only applies when store type 'nats-js-kv' is configured. Defaults to true. | |
-| | `OC_CACHE_AUTH_USERNAME;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_USERNAME` | The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured. | |
-| | `OC_CACHE_AUTH_PASSWORD;PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_AUTH_PASSWORD` | The password to authenticate with the store.
Only applies when store type 'nats-js-kv' is configured. | |
-| | `OC_SERVICE_ACCOUNT_ID;PROXY_SERVICE_ACCOUNT_ID` | The ID of the service account the service should use. See the 'auth-service' service description for more details. | |
-| | `OC_SERVICE_ACCOUNT_SECRET;PROXY_SERVICE_ACCOUNT_SECRET` | The service account secret. | |
-| services/search/pkg/config/config.go | `OC_SERVICE_ACCOUNT_ID;SEARCH_SERVICE_ACCOUNT_ID` | The ID of the service account the service should use. See the 'auth-service' service description for more details. | |
-| | `OC_SERVICE_ACCOUNT_SECRET;SEARCH_SERVICE_ACCOUNT_SECRET` | The service account secret. | |
-| services/search/pkg/config/content.go | `SEARCH_EXTRACTOR_TIKA_CLEAN_STOP_WORDS` | Defines if stop words should be cleaned or not. See the documentation for more details. | |
-| services/search/pkg/config/search.go | `OC_EVENTS_AUTH_USERNAME;SEARCH_EVENTS_AUTH_USERNAME` | The username to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services. | |
-| | `OC_EVENTS_AUTH_PASSWORD;SEARCH_EVENTS_AUTH_PASSWORD` | The password to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services. | |
-| services/settings/pkg/config/config.go | `SETTINGS_SERVICE_ACCOUNT_IDS;OC_SERVICE_ACCOUNT_ID` | The list of all service account IDs. These will be assigned the hidden 'service-account' role. Note: When using 'OC_SERVICE_ACCOUNT_ID' this will contain only one value while 'SETTINGS_SERVICE_ACCOUNT_IDS' can have multiple. See the 'auth-service' service description for more details about service accounts. | |
-| | `OC_DEFAULT_LANGUAGE` | The default language used by services and the WebUI. If not defined, English will be used as default. See the documentation for more details. | |
-| | `OC_CACHE_DISABLE_PERSISTENCE;SETTINGS_CACHE_DISABLE_PERSISTENCE` | Disables persistence of the cache.
Only applies when store type 'nats-js-kv' is configured. Defaults to false. | |
-| | `OC_CACHE_AUTH_USERNAME;SETTINGS_CACHE_AUTH_USERNAME` | The username to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured. | |
-| | `OC_CACHE_AUTH_PASSWORD;SETTINGS_CACHE_AUTH_PASSWORD` | The password to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured. | |
-| | `OC_EVENTS_AUTH_USERNAME;SETTINGS_EVENTS_AUTH_USERNAME` | The username to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured. | |
-| | `OC_EVENTS_AUTH_PASSWORD;SETTINGS_EVENTS_AUTH_PASSWORD` | The password to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured. | |
-| services/sharing/pkg/config/config.go | `OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD;SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD` | Set this to true if you want to enforce passwords on Uploader, Editor or Contributor shares. If not using the global OC_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD, you must define the FRONTEND_OCS_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD in the frontend service. | |
-| | `OC_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD;SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD` | Set this to true if you want to enforce passwords on all public shares. | |
-| | `OC_EVENTS_AUTH_USERNAME;SHARING_EVENTS_AUTH_USERNAME` | Username for the events broker. | |
-| | `OC_EVENTS_AUTH_PASSWORD;SHARING_EVENTS_AUTH_PASSWORD` | Password for the events broker. | |
-| | `OC_PASSWORD_POLICY_DISABLED;SHARING_PASSWORD_POLICY_DISABLED` | Disable the password policy. Defaults to false if not set. | |
-| | `OC_PASSWORD_POLICY_MIN_CHARACTERS;SHARING_PASSWORD_POLICY_MIN_CHARACTERS` | Define the minimum password length. Defaults to 0 if not set. | 0 |
-| | `OC_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS;SHARING_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS` | Define the minimum number of lowercase characters.
Defaults to 0 if not set. | 0 | -| | `OC_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS;SHARING_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS` | Define the minimum number of uppercase characters. Defaults to 0 if not set. | 0 | -| | `OC_PASSWORD_POLICY_MIN_DIGITS;SHARING_PASSWORD_POLICY_MIN_DIGITS` | Define the minimum number of digits. Defaults to 0 if not set. | 0 | -| | `OC_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS;SHARING_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS` | Define the minimum number of special characters. Defaults to 0 if not set. | 0 | -| | `OC_PASSWORD_POLICY_BANNED_PASSWORDS_LIST;SHARING_PASSWORD_POLICY_BANNED_PASSWORDS_LIST` | Path to the 'banned passwords list' file. See the documentation for more details. | | -| services/sse/pkg/config/config.go | `OC_LOG_LEVEL;SSE_LOG_LEVEL` | The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'." | | -| | `OC_LOG_PRETTY;SSE_LOG_PRETTY` | Activates pretty log output. | | -| | `OC_LOG_COLOR;SSE_LOG_COLOR` | Activates colorized log output. | | -| | `OC_LOG_FILE;SSE_LOG_FILE` | The path to the log file. Activates logging to this file if set. | | -| | `SSE_DEBUG_ADDR` | Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed. | | -| | `SSE_DEBUG_TOKEN` | Token to secure the metrics endpoint. | | -| | `SSE_DEBUG_PPROF` | Enables pprof, which can be used for profiling. | | -| | `SSE_DEBUG_ZPAGES` | Enables zpages, which can be used for collecting and viewing in-memory traces. | | -| | `OC_EVENTS_ENDPOINT;SSE_EVENTS_ENDPOINT` | The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. | | -| | `OC_EVENTS_CLUSTER;SSE_EVENTS_CLUSTER` | The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system. 
| | -| | `OC_INSECURE;SSE_EVENTS_TLS_INSECURE` | Whether to verify the server TLS certificates. | | -| | `OC_EVENTS_TLS_ROOT_CA_CERTIFICATE;SSE_EVENTS_TLS_ROOT_CA_CERTIFICATE` | The root CA certificate used to validate the server's TLS certificate. If provided NOTIFICATIONS_EVENTS_TLS_INSECURE will be seen as false. | | -| | `OC_EVENTS_ENABLE_TLS;SSE_EVENTS_ENABLE_TLS` | Enable TLS for the connection to the events broker. The events broker is the ocis service which receives and delivers events between the services.. | | -| | `OC_EVENTS_AUTH_USERNAME;SSE_EVENTS_AUTH_USERNAME` | The username to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services.. | | -| | `OC_EVENTS_AUTH_PASSWORD;SSE_EVENTS_AUTH_PASSWORD` | The password to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services.. | | -| | `OC_CORS_ALLOW_ORIGINS;SSE_CORS_ALLOW_ORIGINS` | A list of allowed CORS origins. See following chapter for more details: *Access-Control-Allow-Origin* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details. | | -| | `OC_CORS_ALLOW_METHODS;SSE_CORS_ALLOW_METHODS` | A list of allowed CORS methods. See following chapter for more details: *Access-Control-Allow-Methods* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Methods. See the Environment Variable Types description for more details. | | -| | `OC_CORS_ALLOW_HEADERS;SSE_CORS_ALLOW_HEADERS` | A list of allowed CORS headers. See following chapter for more details: *Access-Control-Allow-Headers* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Headers. See the Environment Variable Types description for more details. 
| | -| | `OC_CORS_ALLOW_CREDENTIALS;SSE_CORS_ALLOW_CREDENTIALS` | Allow credentials for CORS.See following chapter for more details: *Access-Control-Allow-Credentials* at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials. | | -| | `SSE_HTTP_ADDR` | The bind address of the HTTP service. | | -| | `SSE_HTTP_ROOT` | The root path of the HTTP service. | | -| | `OC_JWT_SECRET;SSE_JWT_SECRET` | The secret to mint and validate jwt tokens. | | -| services/sse/pkg/config/tracing.go | `OC_TRACING_ENABLED;SSE_TRACING_ENABLED` | Activates tracing. | | -| | `OC_TRACING_TYPE;SSE_TRACING_TYPE` | The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now."` | | -| | `OC_TRACING_ENDPOINT;SSE_TRACING_ENDPOINT` | The endpoint of the tracing agent. | | -| | `OC_TRACING_COLLECTOR;SSE_TRACING_COLLECTOR` | The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset. | | -| services/storage-system/pkg/config/config.go | `OC_CACHE_DISABLE_PERSISTENCE;STORAGE_SYSTEM_CACHE_DISABLE_PERSISTENCE` | Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false. | false | -| | `OC_CACHE_AUTH_USERNAME;STORAGE_SYSTEM_CACHE_AUTH_USERNAME` | Username for the configured store. Only applies when store type 'nats-js-kv' is configured. | | -| | `OC_CACHE_AUTH_PASSWORD;STORAGE_SYSTEM_CACHE_AUTH_PASSWORD` | TPassword for the configured store. Only applies when store type 'nats-js-kv' is configured. | | -| services/storage-users/pkg/config/config.go | `OC_GATEWAY_GRPC_ADDR;STORAGE_USERS_GATEWAY_GRPC_ADDR` | The bind address of the gateway GRPC address. | | -| | `OC_MACHINE_AUTH_API_KEY;STORAGE_USERS_MACHINE_AUTH_API_KEY` | Machine auth API key used to validate internal requests necessary for the access to resources from other services. 
| | -| | `STORAGE_USERS_CLI_MAX_ATTEMPTS_RENAME_FILE` | The maximum number of attempts to rename a file when a user restores a file to an existing destination with the same name. The minimum value is 100. | | -| | `OC_EVENTS_AUTH_USERNAME;STORAGE_USERS_EVENTS_AUTH_USERNAME` | The username to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services. | | -| | `OC_EVENTS_AUTH_PASSWORD;STORAGE_USERS_EVENTS_AUTH_PASSWORD` | The password to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services. | | -| | `OC_CACHE_DISABLE_PERSISTENCE;STORAGE_USERS_STAT_CACHE_DISABLE_PERSISTENCE` | Disables persistence of the stat cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false. | false | -| | `OC_CACHE_DISABLE_PERSISTENCE;STORAGE_USERS_FILEMETADATA_CACHE_DISABLE_PERSISTENCE` | Disables persistence of the file metadata cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false. | false | -| | `OC_CACHE_AUTH_USERNAME;STORAGE_USERS_FILEMETADATA_CACHE_AUTH_USERNAME` | The username to authenticate with the cache store. Only applies when store type 'nats-js-kv' is configured. | | -| | `OC_CACHE_AUTH_PASSWORD;STORAGE_USERS_FILEMETADATA_CACHE_AUTH_PASSWORD` | The password to authenticate with the cache store. Only applies when store type 'nats-js-kv' is configured. | | -| | `OC_CACHE_DISABLE_PERSISTENCE;STORAGE_USERS_ID_CACHE_DISABLE_PERSISTENCE` | Disables persistence of the id cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false. | false | -| | `OC_CACHE_AUTH_USERNAME;STORAGE_USERS_ID_CACHE_AUTH_USERNAME` | The username to authenticate with the cache store. Only applies when store type 'nats-js-kv' is configured | | -| | `OC_CACHE_AUTH_PASSWORD;STORAGE_USERS_ID_CACHE_AUTH_PASSWORD` | The password to authenticate with the cache store. 
Only applies when store type 'nats-js-kv' is configured. | | -| | `OC_SERVICE_ACCOUNT_ID;STORAGE_USERS_SERVICE_ACCOUNT_ID` | The ID of the service account the service should use. See the 'auth-service' service description for more details. | | -| | `OC_SERVICE_ACCOUNT_SECRET;STORAGE_USERS_SERVICE_ACCOUNT_SECRET` | The service account secret. | | -| services/userlog/pkg/config/config.go | `OC_DEFAULT_LANGUAGE` | The default language used by services and the WebUI. If not defined, English will be used as default. See the documentation for more details. | | -| | `OC_PERSISTENT_STORE_AUTH_USERNAME;USERLOG_STORE_AUTH_USERNAME` | The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured. | | -| | `OC_PERSISTENT_STORE_AUTH_PASSWORD;USERLOG_STORE_AUTH_PASSWORD` | The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured. | | -| | `OC_EVENTS_AUTH_USERNAME;USERLOG_EVENTS_AUTH_USERNAME` | The username to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services. | | -| | `OC_EVENTS_AUTH_PASSWORD;USERLOG_EVENTS_AUTH_PASSWORD` | The password to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services. | | -| | `OC_SERVICE_ACCOUNT_ID;USERLOG_SERVICE_ACCOUNT_ID` | The ID of the service account the service should use. See the 'auth-service' service description for more details. | | -| | `OC_SERVICE_ACCOUNT_SECRET;USERLOG_SERVICE_ACCOUNT_SECRET` | The service account secret. | | -| services/web/pkg/config/options.go | `WEB_OPTION_LOGIN_URL` | Specifies the target URL to the login page. This is helpful when an external IdP is used. This option is disabled by default. Example URL like: https://www.myidp.com/login. | | | -| | `WEB_OPTION_DISABLED_EXTENSIONS` | A list to disable specific Web extensions identified by their ID. The ID can e.g. 
be taken from the 'index.ts' file of the web extension. Example: 'com.github.owncloud.web.files.search,com.github.owncloud.web.files.print'. See the Environment Variable Types description for more details. | | -| | `WEB_OPTION_USER_LIST_REQUIRES_FILTER` | Defines whether one or more filters must be set in order to list users in the Web admin settings. Set this option to 'true' if running in an environment with a lot of users and listing all users could slow down performance. Defaults to 'false'. | false | -| | `WEB_OPTION_EMBED_ENABLED` | Defines whether Web should be running in 'embed' mode. Setting this to 'true' will enable a stripped down version of Web with reduced functionality used to integrate Web into other applications like via iFrame. Setting it to 'false' or not setting it (default) will run Web as usual with all functionality enabled. See the text description for more details. | | -| | `WEB_OPTION_EMBED_TARGET` | Defines how Web is being integrated when running in 'embed' mode. Currently, the only supported options are '' (empty) and 'location'. With '' which is the default, Web will run regular as defined via the 'embed.enabled' config option. With 'location', Web will run embedded as location picker. Resource selection will be disabled and the selected resources array always includes the current folder as the only item. See the text description for more details. | | -| | `WEB_OPTION_EMBED_MESSAGES_ORIGIN` | Defines a URL under which Web can be integrated via iFrame in 'embed' mode. Note that setting this is mandatory when running Web in 'embed' mode. Use '*' as value to allow running the iFrame under any URL, although this is not recommended for security reasons. See the text description for more details. | | -| | `WEB_OPTION_EMBED_DELEGATE_AUTHENTICATION` | Defines whether Web should require authentication to be done by the parent application when running in 'embed' mode. 
If set to 'true' Web will not try to authenticate the user on its own but will require an access token coming from the parent application. Defaults to being unset. | | -| | `WEB_OPTION_EMBED_DELEGATE_AUTHENTICATION_ORIGIN` | Defines the host to validate the message event origin against when running Web in 'embed' mode with delegated authentication. Defaults to event message origin validation being omitted, which is only recommended for development setups. | | -| | `WEB_OPTION_CONCURRENT_REQUESTS_RESOURCE_BATCH_ACTIONS` | Defines the maximum number of concurrent requests per file/folder/space batch action. Defaults to 4. | | -| | `WEB_OPTION_CONCURRENT_REQUESTS_SSE` | Defines the maximum number of concurrent requests in SSE event handlers. Defaults to 4. | | -| | `WEB_OPTION_CONCURRENT_REQUESTS_SHARES_CREATE` | Defines the maximum number of concurrent requests per sharing invite batch. Defaults to 4. | | -| | `WEB_OPTION_CONCURRENT_REQUESTS_SHARES_LIST` | Defines the maximum number of concurrent requests when loading individual share information inside listings. Defaults to 2. | | diff --git a/docs/services/general-info/env-var-deltas/4.0.0-5.0.0-removed.adoc b/docs/services/general-info/env-var-deltas/4.0.0-5.0.0-removed.adoc deleted file mode 100644 index 47de4f3904..0000000000 --- a/docs/services/general-info/env-var-deltas/4.0.0-5.0.0-removed.adoc +++ /dev/null 
@@ -1,55 +0,0 @@
-// Removed Variables between oCIS 4.0.0 and oCIS 5.0.0
-// commenting the headline to make it better includable
-
-// table created based on the .md file per 2024.02.12
-// the table should be recreated/updated based on the final .md file
-
-[width="100%",cols="~,~,~,~",options="header"]
-|===
-| Service| Variable| Replacement| Description
-
-| xref:{s-path}/auth-basic.adoc[auth-basic]
-| `LDAP_BIND_PASSWORD`
-| `OC_LDAP_BIND_PASSWORD`
-| Password to use for authenticating the 'bind_dn'.
-
-| xref:{s-path}/graph.adoc[graph]
-| `LDAP_BIND_PASSWORD`
-| `OC_LDAP_BIND_PASSWORD`
-| Password to use for authenticating the 'bind_dn'.
-
-| xref:{s-path}/groups.adoc[groups]
-| `LDAP_BIND_PASSWORD`
-| `OC_LDAP_BIND_PASSWORD`
-| Password to use for authenticating the 'bind_dn'.
-
-| xref:{s-path}/idp.adoc[idp]
-| `LDAP_BIND_PASSWORD`
-| `OC_LDAP_BIND_PASSWORD`
-| Password to use for authenticating the 'bind_dn'.
-
-| xref:{s-path}/sharing.adoc[sharing]
-| `SHARING_EVENTS_TLS_ROOT_CA_CERT`
-| `SHARING_EVENTS_TLS_ROOT_CA_CERTIFICATE`
-| The root CA certificate used to validate the server's TLS certificate. If provided SHARING_EVENTS_TLS_INSECURE will be seen as false.
-
-| xref:{s-path}/users.adoc[users]
-| `LDAP_BIND_PASSWORD`
-| `OC_LDAP_BIND_PASSWORD`
-| Password to use for authenticating the 'bind_dn'.
-
-|
-| `LDAP_USER_SCHEMA_ID_IS_OCTETSTRING`
-| `OC_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING`
-| Set this to true if the defined 'ID' attribute for users is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the user ID's.
-
-| xref:{s-path}/web.adoc[web]
-| `WEB_OPTION_IMPRINT_URL`
-| To be configured via the `theme.json` file
-| Specifies the target URL for the imprint link valid for the ocis instance in the account menu.
-
-|
-| `WEB_OPTION_PRIVACY_URL`
-| To be configured via the `theme.json` file
-| Specifies the target URL for the privacy link valid for the ocis instance in the account menu.
-|===
diff --git a/docs/services/general-info/env-var-deltas/4.0.0-5.0.0-removed.md b/docs/services/general-info/env-var-deltas/4.0.0-5.0.0-removed.md
deleted file mode 100644
index d877a37b7b..0000000000
--- a/docs/services/general-info/env-var-deltas/4.0.0-5.0.0-removed.md
+++ /dev/null
@@ -1,13 +0,0 @@
-# Removed Variables between oCIS 4.0.0 and oCIS 5.0.0
-
-| File | Variable | Replacement | Description |
-|------------------------------------------|--------------------------------------|-------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| services/auth-basic/pkg/config/config.go | `LDAP_BIND_PASSWORD` | `OC_LDAP_BIND_PASSWORD` | Password to use for authenticating the 'bind_dn'. |
-| services/graph/pkg/config/config.go | `LDAP_BIND_PASSWORD` | `OC_LDAP_BIND_PASSWORD` | Password to use for authenticating the 'bind_dn'. |
-| services/groups/pkg/config/config.go | `LDAP_BIND_PASSWORD` | `OC_LDAP_BIND_PASSWORD` | Password to use for authenticating the 'bind_dn'. |
-| services/idp/pkg/config/config.go | `LDAP_BIND_PASSWORD` | `OC_LDAP_BIND_PASSWORD` | Password to use for authenticating the 'bind_dn'. |
-| services/sharing/pkg/config/config.go | `SHARING_EVENTS_TLS_ROOT_CA_CERT` | `SHARING_EVENTS_TLS_ROOT_CA_CERTIFICATE` | The root CA certificate used to validate the server's TLS certificate. If provided SHARING_EVENTS_TLS_INSECURE will be seen as false. |
-| services/users/pkg/config/config.go | `LDAP_BIND_PASSWORD` | `OC_LDAP_BIND_PASSWORD` | Password to use for authenticating the 'bind_dn'. |
-| | `LDAP_USER_SCHEMA_ID_IS_OCTETSTRING` | `OC_LDAP_USER_SCHEMA_ID_IS_OCTETSTRING` | Set this to true if the defined 'ID' attribute for users is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the user ID's. |
-| services/web/pkg/config/options.go | `WEB_OPTION_IMPRINT_URL` | To be configured via the `theme.json` file | Specifies the target URL for the imprint link valid for the ocis instance in the account menu. |
-| | `WEB_OPTION_PRIVACY_URL` | To be configured via the `theme.json` file | Specifies the target URL for the privacy link valid for the ocis instance in the account menu. |
diff --git a/docs/services/general-info/env-var-deltas/5.0.0-7.0.0-added.adoc b/docs/services/general-info/env-var-deltas/5.0.0-7.0.0-added.adoc
deleted file mode 100644
index 1c107483a1..0000000000
--- a/docs/services/general-info/env-var-deltas/5.0.0-7.0.0-added.adoc
+++ /dev/null
@@ -1,637 +0,0 @@ -// # Added Variables between oCIS 5.0.0 and oCIS 7.0.0 -// commenting the headline to make it better includable - -// table created per 2024.12.02 -// the table should be recreated/updated on source () changes - -[width="100%",cols="~,~,~,~",options="header"] -|=== -| Service | Variable | Description | Default - -| xref:deployment/services/env-vars-special-scope.adoc[Special Scope Envvars] -| OC_ASSET_THEMES_PATH -| Serve ownCloud themes from a path on the filesystem instead of the builtin assets. If not defined, the root directory derives from $OC_BASE_DATA_PATH/web/assets/themes -| /var/lib/ocis/web/assets/themes - -| -| OC_DISABLE_VERSIONING -| Disables versioning of files. When set to true, new uploads with the same filename will overwrite existing files instead of creating a new version. -| false - -| -| OC_SHOW_USER_EMAIL_IN_RESULTS -| Include user email addresses in responses. If absent or set to false emails will be omitted from results. Please note that admin users can always see all email addresses. -| false - -| -| OC_TRANSLATION_PATH -| (optional) Set this to a path with custom translations to overwrite the builtin translations. Note that file and folder naming rules apply, see the documentation for more details. -| - -| -| OC_WOPI_DISABLE_CHAT -| Disable chat in the office web frontend. This feature applies to OnlyOffice and Microsoft. -| false - -| xref:{s-path}/activitylog.adoc[Activitylog] -| ACTIVITYLOG_TRANSLATION_PATH -| (optional) Set this to a path with custom translations to overwrite the builtin translations. Note that file and folder naming rules apply, see the documentation for more details. -| - -| xref:{s-path}/antivirus.adoc[Antivirus] -| ANTIVIRUS_WORKERS -| The number of concurrent go routines that fetch events from the event queue. -| 10 - -| xref:{s-path}/auth-app.adoc[Auth-App] -| AUTH_APP_DEBUG_ADDR -| Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed. 
-| 127.0.0.1:9245 - -| -| AUTH_APP_DEBUG_PPROF -| Enables pprof, which can be used for profiling. -| false - -| -| AUTH_APP_DEBUG_TOKEN -| Token to secure the metrics endpoint. -| - -| -| AUTH_APP_DEBUG_ZPAGES -| Enables zpages, which can be used for collecting and viewing traces in-memory. -| false - -| -| AUTH_APP_ENABLE_IMPERSONATION -| Allows admins to create app tokens for other users. Used for migration. Do NOT use in productive deployments. -| false - -| -| AUTH_APP_GRPC_ADDR -| The bind address of the GRPC service. -| 127.0.0.1:9246 - -| -| AUTH_APP_GRPC_PROTOCOL -| The transport protocol of the GRPC service. -| tcp - -| -| AUTH_APP_JWT_SECRET -| The secret to mint and validate jwt tokens. -| - -| -| AUTH_APP_LOG_COLOR -| Activates colorized log output. -| false - -| -| AUTH_APP_LOG_FILE -| The path to the log file. Activates logging to this file if set. -| - -| -| AUTH_APP_LOG_LEVEL -| The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'. -| - -| -| AUTH_APP_LOG_PRETTY -| Activates pretty log output. -| false - -| -| AUTH_APP_MACHINE_AUTH_API_KEY -| The machine auth API key used to validate internal requests necessary to access resources from other services. -| - -| -| AUTH_APP_SKIP_USER_GROUPS_IN_TOKEN -| Disables the encoding of the user's group memberships in the access token. This reduces the token size, especially when users are members of a large number of groups. -| false - -| -| AUTH_APP_TRACING_COLLECTOR -| The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset. -| - -| -| AUTH_APP_TRACING_ENABLED -| Activates tracing. -| false - -| -| AUTH_APP_TRACING_ENDPOINT -| The endpoint of the tracing agent. -| - -| -| AUTH_APP_TRACING_TYPE -| The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now. 
-| - -| xref:{s-path}/collaboration.adoc[Collaboration] -| COLLABORATION_APP_ADDR -| The URL where the WOPI app is located, such as https://127.0.0.1:8080. -| https://127.0.0.1:9980 - -| -| COLLABORATION_APP_DESCRIPTION -| App description -| Open office documents with Collabora - -| -| COLLABORATION_APP_ICON -| Icon for the app -| image-edit - -| -| COLLABORATION_APP_INSECURE -| Skip TLS certificate verification when connecting to the WOPI app -| false - -| -| COLLABORATION_APP_LICENSE_CHECK_ENABLE -| Enable license checking to edit files. Needs to be enabled when using Microsoft365 with the business flow. -| false - -| -| COLLABORATION_APP_NAME -| The name of the app which is shown to the user. You can chose freely but you are limited to a single word without special characters or whitespaces. We recommend to use pascalCase like 'CollaboraOnline'. -| Collabora - -| -| COLLABORATION_APP_PRODUCT -| The WebOffice app, either Collabora, OnlyOffice, Microsoft365 or MicrosoftOfficeOnline. -| Collabora - -| -| COLLABORATION_APP_PROOF_DISABLE -| Disable the proof keys verification -| false - -| -| COLLABORATION_APP_PROOF_DURATION -| Duration for the proof keys to be cached in memory, using time.ParseDuration format. If the duration can't be parsed, we'll use the default 12h as duration -| 12h - -| -| COLLABORATION_CS3API_DATAGATEWAY_INSECURE -| Connect to the CS3API data gateway insecurely. -| false - -| -| COLLABORATION_DEBUG_ADDR -| Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed. -| 127.0.0.1:9304 - -| -| COLLABORATION_DEBUG_PPROF -| Enables pprof, which can be used for profiling. -| false - -| -| COLLABORATION_DEBUG_TOKEN -| Token to secure the metrics endpoint. -| - -| -| COLLABORATION_DEBUG_ZPAGES -| Enables zpages, which can be used for collecting and viewing in-memory traces. -| false - -| -| COLLABORATION_GRPC_ADDR -| The bind address of the GRPC service. 
-| 127.0.0.1:9301 - -| -| COLLABORATION_GRPC_PROTOCOL -| The transport protocol of the GRPC service. -| tcp - -| -| COLLABORATION_HTTP_ADDR -| The bind address of the HTTP service. -| 127.0.0.1:9300 - -| -| COLLABORATION_LOG_COLOR -| Activates colorized log output. -| false - -| -| COLLABORATION_LOG_FILE -| The path to the log file. Activates logging to this file if set. -| - -| -| COLLABORATION_LOG_LEVEL -| The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'. -| - -| -| COLLABORATION_LOG_PRETTY -| Activates pretty log output. -| false - -| -| COLLABORATION_STORE -| The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details. -| nats-js-kv - -| -| COLLABORATION_STORE_AUTH_PASSWORD -| The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured. -| - -| -| COLLABORATION_STORE_AUTH_USERNAME -| The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured. -| - -| -| COLLABORATION_STORE_DATABASE -| The database name the configured store should use. -| collaboration - -| -| COLLABORATION_STORE_NODES -| A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details. -| [127.0.0.1:9233] - -| -| COLLABORATION_STORE_TABLE -| The database table the store should use. -| - -| -| COLLABORATION_STORE_TTL -| Time to live for events in the store. Defaults to '30m' (30 minutes). See the Environment Variable Types description for more details. -| 30m0s - -| -| COLLABORATION_TRACING_COLLECTOR -| The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset. 
-| - -| -| COLLABORATION_TRACING_ENABLED -| Activates tracing. -| false - -| -| COLLABORATION_TRACING_ENDPOINT -| The endpoint of the tracing agent. -| - -| -| COLLABORATION_TRACING_TYPE -| The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now. -| - -| -| COLLABORATION_WOPI_DISABLE_CHAT -| Disable chat in the office web frontend. This feature applies to OnlyOffice and Microsoft. -| false - -| -| COLLABORATION_WOPI_PROXY_SECRET -| Optional, the secret to authenticate against the ownCloud Office365 WOPI proxy. This secret can be obtained from ownCloud via the office365 proxy subscription. -| - -| -| COLLABORATION_WOPI_PROXY_URL -| The URL to the ownCloud Office365 WOPI proxy. Optional. To use this feature, you need an office365 proxy subscription. If you become part of the Microsoft CSP program (https://learn.microsoft.com/en-us/partner-center/enroll/csp-overview), you can use WebOffice without a proxy. -| - -| -| COLLABORATION_WOPI_SECRET -| Used to mint and verify WOPI JWT tokens and encrypt and decrypt the REVA JWT token embedded in the WOPI JWT token. -| - -| -| COLLABORATION_WOPI_SHORTTOKENS -| Use short access tokens for WOPI access. This is useful for office packages, like Microsoft Office Online, which have URL length restrictions. If enabled, a persistent store must be configured. -| false - -| -| COLLABORATION_WOPI_SRC -| The WOPI source base URL containing schema, host and port. Set this to the schema and domain where the collaboration service is reachable for the wopi app, such as https://office.owncloud.test. -| https://localhost:9300 - -| xref:{s-path}/frontend.adoc[Frontend] -| FRONTEND_APP_HANDLER_SECURE_VIEW_APP_ADDR -| Service name or address of the app provider to use for secure view. Should match the service name or address of the registered CS3 app provider. -| com.owncloud.api.collaboration - -| -| FRONTEND_MAX_CONCURRENCY -| Maximum number of concurrent go-routines. 
Higher values can potentially get work done faster but will also cause more load on the system. Values of 0 or below will be ignored and the default value will be used. -| 1 - -| xref:{s-path}/gateway.adoc[Gateway] -| GATEWAY_APP_REGISTRY_ENDPOINT -| The endpoint of the app-registry service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol. -| com.owncloud.api.app-registry - -| -| GATEWAY_AUTH_APP_ENDPOINT -| The endpoint of the auth-app service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol. -| com.owncloud.api.auth-app - -| -| GATEWAY_AUTH_BASIC_ENDPOINT -| The endpoint of the auth-basic service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol. -| com.owncloud.api.auth-basic - -| -| GATEWAY_AUTH_BEARER_ENDPOINT -| The endpoint of the auth-bearer service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol. -| - -| -| GATEWAY_AUTH_MACHINE_ENDPOINT -| The endpoint of the auth-machine service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol. -| com.owncloud.api.auth-machine - -| -| GATEWAY_AUTH_SERVICE_ENDPOINT -| The endpoint of the auth-service service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol. -| com.owncloud.api.auth-service - -| -| GATEWAY_GROUPS_ENDPOINT -| The endpoint of the groups service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol. -| com.owncloud.api.groups - -| -| GATEWAY_OCM_ENDPOINT -| The endpoint of the ocm service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol. -| com.owncloud.api.ocm - -| -| GATEWAY_PERMISSIONS_ENDPOINT -| The endpoint of the permissions service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol. -| com.owncloud.api.settings - -| -| GATEWAY_SHARING_ENDPOINT -| The endpoint of the shares service. 
Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol. -| com.owncloud.api.sharing - -| -| GATEWAY_STORAGE_PUBLIC_LINK_ENDPOINT -| The endpoint of the storage-publiclink service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol. -| com.owncloud.api.storage-publiclink - -| -| GATEWAY_STORAGE_SHARES_ENDPOINT -| The endpoint of the storage-shares service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol. -| com.owncloud.api.storage-shares - -| -| GATEWAY_STORAGE_USERS_ENDPOINT -| The endpoint of the storage-users service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol. -| com.owncloud.api.storage-users - -| -| GATEWAY_USERS_ENDPOINT -| The endpoint of the users service. Can take a service name or a gRPC URI with the dns, kubernetes or unix protocol. -| com.owncloud.api.users - -| xref:{s-path}/graph.adoc[Graph] -| GRAPH_AVAILABLE_ROLES -| A comma separated list of roles that are available for assignment. -| [b1e2218d-eef8-4d4c-b82d-0f1a1b48f3b5 a8d5fe5e-96e3-418d-825b-534dbdf22b99 fb6c3e19-e378-47e5-b277-9732f9de6e21 58c63c02-1d89-4572-916a-870abc5a1b7d 2d00ce52-1fc2-4dbc-8b95-a73b73395f5a 1c996275-f1c9-4e71-abdf-a42f6495e960 312c0871-5ef7-4b3a-85b6-0e4074c64049] - -| -| GRAPH_MAX_CONCURRENCY -| The maximum number of concurrent requests the service will handle. -| 20 - -| -| GRAPH_TRANSLATION_PATH -| (optional) Set this to a path with custom translations to overwrite the builtin translations. Note that file and folder naming rules apply, see the documentation for more details. -| - -| xref:{s-path}/ocm.adoc[OCM] -| OCM_OCM_INVITE_MANAGER_TIMEOUT -| Timeout specifies a time limit for requests made to OCM endpoints. -| 30s - -| -| OCM_OCM_INVITE_MANAGER_TOKEN_EXPIRATION -| Expiry duration for invite tokens. 
-| 24h0m0s - -| -| OCM_OCM_STORAGE_DATA_SERVER_URL -| URL of the data server, needs to be reachable by the data gateway provided by the frontend service or the user if directly exposed. -| http://localhost:9280/data - -| xref:{s-path}/postprocessing.adoc[Postprocessing] -| POSTPROCESSING_WORKERS -| The number of concurrent go routines that fetch events from the event queue. -| 3 - -| xref:{s-path}/proxy.adoc[Proxy] -| PROXY_AUTOPROVISION_CLAIM_DISPLAYNAME -| The name of the OIDC claim that holds the display name. -| name - -| -| PROXY_AUTOPROVISION_CLAIM_EMAIL -| The name of the OIDC claim that holds the email. -| email - -| -| PROXY_AUTOPROVISION_CLAIM_GROUPS -| The name of the OIDC claim that holds the groups. -| groups - -| -| PROXY_AUTOPROVISION_CLAIM_USERNAME -| The name of the OIDC claim that holds the username. -| preferred_username - -| -| PROXY_CSP_CONFIG_FILE_LOCATION -| The location of the CSP configuration file. -| - -| -| PROXY_ENABLE_APP_AUTH -| Allow app authentication. This can be used to authenticate 3rd party applications. Note that auth-app service must be running for this feature to work. -| false - -| -| PROXY_EVENTS_AUTH_PASSWORD -| The password to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services. -| - -| -| PROXY_EVENTS_AUTH_USERNAME -| The username to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services. -| - -| -| PROXY_EVENTS_CLUSTER -| The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. -| ocis-cluster - -| -| PROXY_EVENTS_ENABLE_TLS -| Enable TLS for the connection to the events broker. The events broker is the ocis service which receives and delivers events between the services. -| false - -| -| PROXY_EVENTS_ENDPOINT -| The address of the event system. 
The event system is the message queuing service. It is used as message broker for the microservice architecture. Set to a empty string to disable emitting events.
-| 127.0.0.1:9233
-
-|
-| PROXY_EVENTS_TLS_INSECURE
-| Whether to verify the server TLS certificates.
-| false
-
-|
-| PROXY_EVENTS_TLS_ROOT_CA_CERTIFICATE
-| The root CA certificate used to validate the server's TLS certificate. If provided PROXY_EVENTS_TLS_INSECURE will be seen as false.
-|
-
-| xref:{s-path}/sharing.adoc[Sharing]
-| SHARING_USER_JSONCS3_MAX_CONCURRENCY
-| Maximum number of concurrent go-routines. Higher values can potentially get work done faster but will also cause more load on the system. Values of 0 or below will be ignored and the default value will be used.
-| 1
-
-| xref:{s-path}/sse.adoc[SSE]
-| SSE_KEEPALIVE_INTERVAL
-| To prevent intermediate proxies from closing the SSE connection, send periodic SSE comments to keep it open.
-| 0s
-
-| xref:{s-path}/storage-users.adoc[Storage-Users]
-| STORAGE_USERS_OCIS_GENERAL_SPACE_PATH_TEMPLATE
-| Template string to construct the paths of the projects space roots.
-|
-
-|
-| STORAGE_USERS_OCIS_MAX_CONCURRENCY
-| Maximum number of concurrent go-routines. Higher values can potentially get work done faster but will also cause more load on the system. Values of 0 or below will be ignored and the default value will be used.
-| 1
-
-|
-| STORAGE_USERS_OCIS_PERSONAL_SPACE_PATH_TEMPLATE
-| Template string to construct the paths of the personal space roots.
-|
-
-|
-| STORAGE_USERS_PERMISSION_ENDPOINT
-| Endpoint of the permissions service. The endpoints can differ for 'ocis', 'posix' and 's3ng'.
-| com.owncloud.api.settings
-
-|
-| STORAGE_USERS_POSIX_GENERAL_SPACE_PATH_TEMPLATE
-| Template string to construct the paths of the projects space roots.
-| projects/{{.SpaceId}}
-
-|
-| STORAGE_USERS_POSIX_PERMISSIONS_ENDPOINT
-| Endpoint of the permissions service. The endpoints can differ for 'ocis', 'posix' and 's3ng'.
-| com.owncloud.api.settings
-
-|
-| STORAGE_USERS_POSIX_PERSONAL_SPACE_PATH_TEMPLATE
-| Template string to construct the paths of the personal space roots.
-| users/{{.User.Username}}
-
-|
-| STORAGE_USERS_POSIX_ROOT
-| The directory where the filesystem storage will store its data. If not defined, the root directory derives from $OC_BASE_DATA_PATH/storage/users.
-| /var/lib/ocis/storage/users
-
-|
-| STORAGE_USERS_POSIX_SCAN_DEBOUNCE_DELAY
-| The time in milliseconds to wait before scanning the filesystem for changes after a change has been detected.
-| 1s
-
-|
-| STORAGE_USERS_POSIX_USE_SPACE_GROUPS
-| Use space groups to manage permissions on spaces.
-| false
-
-|
-| STORAGE_USERS_POSIX_WATCH_FOLDER_KAFKA_BROKERS
-| Comma-separated list of kafka brokers to read the watchfolder events from.
-|
-
-|
-| STORAGE_USERS_POSIX_WATCH_PATH
-| Path to the watch directory/file. Only applies to the 'gpfsfileauditlogging' and 'inotifywait' watcher, in which case it is the path of the file audit log file/base directory to watch.
-|
-
-|
-| STORAGE_USERS_POSIX_WATCH_TYPE
-| Type of the watcher to use for getting notified about changes to the filesystem. Currently available options are 'inotifywait' (default), 'gpfswatchfolder' and 'gpfsfileauditlogging'.
-|
-
-|
-| STORAGE_USERS_S3NG_GENERAL_SPACE_PATH_TEMPLATE
-| Template string to construct the paths of the projects space roots.
-|
-
-|
-| STORAGE_USERS_S3NG_PERSONAL_SPACE_PATH_TEMPLATE
-| Template string to construct the paths of the personal space roots.
-|
-
-|
-| STORAGE_USERS_SERVICE_NAME
-| Service name to use. Change this when starting an additional storage provider with a custom configuration to prevent it from colliding with the default 'storage-users' service.
-| storage-users
-
-| xref:{s-path}/thumbnails.adoc[Thumbnails]
-| THUMBNAILS_MAX_CONCURRENT_REQUESTS
-| Number of maximum concurrent thumbnail requests. Default is 0 which is unlimited.
-| 0
-
-|
-| THUMBNAILS_MAX_INPUT_HEIGHT
-| The maximum height of an input image which is being processed.
-| 7680
-
-|
-| THUMBNAILS_MAX_INPUT_IMAGE_FILE_SIZE
-| The maximum file size of an input image which is being processed. Usable common abbreviations: [KB, KiB, MB, MiB, GB, GiB, TB, TiB, PB, PiB, EB, EiB], example: 2GB.
-| 50MB
-
-|
-| THUMBNAILS_MAX_INPUT_WIDTH
-| The maximum width of an input image which is being processed.
-| 7680
-
-| xref:{s-path}/userlog.adoc[Userlog]
-| USERLOG_MAX_CONCURRENCY
-| Maximum number of concurrent go-routines. Higher values can potentially get work done faster but will also cause more load on the system. Values of 0 or below will be ignored and the default value will be used.
-| 1
-
-| xref:{s-path}/web.adoc[Web]
-| WEB_ASSET_APPS_PATH
-| Serve ownCloud Web apps assets from a path on the filesystem instead of the builtin assets. If not defined, the root directory derives from $OC_BASE_DATA_PATH/web/assets/apps
-| /var/lib/ocis/web/assets/apps
-
-|
-| WEB_ASSET_CORE_PATH
-| Serve ownCloud Web assets from a path on the filesystem instead of the builtin assets. If not defined, the root directory derives from $OC_BASE_DATA_PATH/web/assets/core
-| /var/lib/ocis/web/assets/core
-
-|
-| WEB_ASSET_THEMES_PATH
-| Serve ownCloud themes from a path on the filesystem instead of the builtin assets. If not defined, the root directory derives from $OC_BASE_DATA_PATH/web/assets/themes
-| /var/lib/ocis/web/assets/themes
-
-|===
-
diff --git a/docs/services/general-info/env-var-deltas/5.0.0-7.0.0-deprecated.adoc b/docs/services/general-info/env-var-deltas/5.0.0-7.0.0-deprecated.adoc
deleted file mode 100644
index b86d40bec8..0000000000
--- a/docs/services/general-info/env-var-deltas/5.0.0-7.0.0-deprecated.adoc
+++ /dev/null
@@ -1,102 +0,0 @@
-// # Deprecated Variables between oCIS 5.0.0 and oCIS 7.0.0
-// commenting the headline to make it better includable
-
-// table created per 2024.12.02
-// the table should be recreated/updated on source () changes
-
-[width="100%",cols="~,~,~,~,~",options="header"]
-|===
-| Service | Variable | Description | Removal Version | Deprecation Info
-
-| xref:{s-path}/clientlog.adoc[Clientlog]
-| CLIENTLOG_REVA_GATEWAY
-| CS3 gateway used to look up user metadata
-| %%NEXT_PRODUCTION_VERSION%%
-| CLIENTLOG_REVA_GATEWAY removed for simplicity.
-
-| xref:{s-path}/frontend.adoc[Frontend]
-| FRONTEND_OCS_ADDITIONAL_INFO_ATTRIBUTE
-| Additional information attribute for the user like {{.Mail}}.
-| %%NEXT_PRODUCTION_VERSION%%
-| The OCS API is deprecated
-
-|
-| FRONTEND_OCS_ENABLE_DENIALS
-| EXPERIMENTAL: enable the feature to deny access on folders.
-| %%NEXT_PRODUCTION_VERSION%%
-| The OCS API is deprecated
-
-|
-| FRONTEND_OCS_INCLUDE_OCM_SHAREES
-| Include OCM sharees when listing sharees.
-| %%NEXT_PRODUCTION_VERSION%%
-| FRONTEND_OCS_INCLUDE_OCM_SHAREES, the OCS API is deprecated
-
-|
-| FRONTEND_OCS_LIST_OCM_SHARES
-| Include OCM shares when listing shares. See the OCM service documentation for more details.
-| %%NEXT_PRODUCTION_VERSION%%
-| FRONTEND_OCS_LIST_OCM_SHARES, the OCS API is deprecated
-
-|
-| FRONTEND_OCS_PERSONAL_NAMESPACE
-| Home namespace identifier.
-| %%NEXT_PRODUCTION_VERSION%%
-| The OCS API is deprecated
-
-|
-| FRONTEND_OCS_PREFIX
-| URL path prefix for the OCS service. Note that the string must not start with '/'.
-| %%NEXT_PRODUCTION_VERSION%%
-| The OCS API is deprecated
-
-|
-| FRONTEND_OCS_SHARE_PREFIX
-| Path prefix for shares as part of an ocis resource. Note that the path must start with '/'.
-| %%NEXT_PRODUCTION_VERSION%%
-| The OCS API is deprecated
-
-|
-| FRONTEND_OCS_STAT_CACHE_AUTH_PASSWORD
-| The password to use for authentication. Only applies when using the 'nats-js-kv' store type.
-| %%NEXT_PRODUCTION_VERSION%%
-| FRONTEND_OCS_STAT_CACHE_AUTH_PASSWORD, the OCS API is deprecated
-
-|
-| FRONTEND_OCS_STAT_CACHE_AUTH_USERNAME
-| The username to use for authentication. Only applies when using the 'nats-js-kv' store type.
-| %%NEXT_PRODUCTION_VERSION%%
-| FRONTEND_OCS_STAT_CACHE_AUTH_USERNAME, the OCS API is deprecated
-
-|
-| FRONTEND_OCS_STAT_CACHE_DISABLE_PERSISTENCE
-| Disable persistence of the cache. Only applies when using the 'nats-js-kv' store type. Defaults to false.
-| %%NEXT_PRODUCTION_VERSION%%
-| FRONTEND_OCS_STAT_CACHE_DISABLE_PERSISTENCE, the OCS API is deprecated
-
-|
-| FRONTEND_OCS_STAT_CACHE_STORE
-| The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details.
-| %%NEXT_PRODUCTION_VERSION%%
-| FRONTEND_OCS_STAT_CACHE_STORE, the OCS API is deprecated
-
-|
-| FRONTEND_OCS_STAT_CACHE_STORE_NODES
-| A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.
-| %%NEXT_PRODUCTION_VERSION%%
-| FRONTEND_OCS_STAT_CACHE_STORE_NODES, the OCS API is deprecated
-
-|
-| FRONTEND_OCS_STAT_CACHE_TABLE
-| The database table the store should use.
-| %%NEXT_PRODUCTION_VERSION%%
-| The OCS API is deprecated
-
-|
-| FRONTEND_OCS_STAT_CACHE_TTL
-| Default time to live for user info in the cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details.
-| %%NEXT_PRODUCTION_VERSION%%
-| FRONTEND_OCS_STAT_CACHE_TTL, the OCS API is deprecated
-
-|===
-
diff --git a/docs/services/general-info/env-var-deltas/5.0.0-7.0.0-removed.adoc b/docs/services/general-info/env-var-deltas/5.0.0-7.0.0-removed.adoc
deleted file mode 100644
index 014b9cc98f..0000000000
--- a/docs/services/general-info/env-var-deltas/5.0.0-7.0.0-removed.adoc
+++ /dev/null
@@ -1,257 +0,0 @@
-// # Removed Variables between oCIS 5.0.0 and oCIS 7.0.0
-// commenting the headline to make it better includable
-
-// table created per 2024.12.02
-// the table should be recreated/updated on source () changes
-
-[width="100%",cols="~,~,~,~",options="header"]
-|===
-| Service | Variable | Description | Default
-
-| xref:deployment/services/env-vars-special-scope.adoc[Special Scope Envvars]
-| OC_CACHE_SIZE
-| The maximum quantity of items in the user info cache. Only applies when store type 'ocmem' is configured. Defaults to 512 which is derived from the ocmem package though not exclicitly set as default.
-| 0
-
-|
-| OC_DECOMPOSEDFS_METADATA_BACKEND
-| The backend to use for storing metadata. Supported values are 'messagepack' and 'xattrs'. The setting 'messagepack' uses a dedicated file to store file metadata while 'xattrs' uses extended attributes to store file metadata. Defaults to 'messagepack'.
-| messagepack
-
-|
-| OC_ENABLE_RESHARING
-| Changing this value is NOT supported. Enables the support for re-sharing in the clients.
-| false
-
-|
-| OC_PERSISTENT_STORE_SIZE
-| The maximum quantity of items in the store. Only applies when store type 'ocmem' is configured. Defaults to 512 which is derived from the ocmem package though not exclicitly set as default.
-| 0
-
-| xref:{s-path}/antivirus.adoc[Antivirus]
-| ANTIVIRUS_ICAP_TIMEOUT
-| Timeout for the ICAP client.
-| 0
-
-| xref:{s-path}/eventhistory.adoc[Eventhistory]
-| EVENTHISTORY_STORE_SIZE
-| The maximum quantity of items in the store. Only applies when store type 'ocmem' is configured. Defaults to 512 which is derived and used from the ocmem package though no explicit default was set.
-| 0
-
-| xref:{s-path}/frontend.adoc[Frontend]
-| FRONTEND_ENABLE_RESHARING
-| Changing this value is NOT supported. Enables the support for re-sharing in the clients.
-| false
-
-|
-| FRONTEND_OCS_STAT_CACHE_SIZE
-| Max number of entries to hold in the cache.
-| 0
-
-| xref:{s-path}/gateway.adoc[Gateway]
-| GATEWAY_CREATE_HOME_CACHE_SIZE
-| The maximum quantity of items in the cache. Only applies when store type 'ocmem' is configured. Defaults to 512 which is derived from the ocmem package though not explicitly set as default.
-| 0
-
-|
-| GATEWAY_PROVIDER_CACHE_SIZE
-| The maximum quantity of items in the cache. Only applies when store type 'ocmem' is configured. Defaults to 512 which is derived from the ocmem package though not explicitly set as default.
-| 0
-
-| xref:{s-path}/graph.adoc[Graph]
-| GRAPH_CACHE_SIZE
-| The maximum quantity of items in the store. Only applies when store type 'ocmem' is configured. Defaults to 512 which is derived from the ocmem package though not explicitly set as default.
-| 0
-
-|
-| GRAPH_ENABLE_RESHARING
-| Changing this value is NOT supported. Enables the support for re-sharing.
-| false
-
-| xref:{s-path}/ocm.adoc[OCM]
-| OCM_OCM_PROVIDER_AUTHORIZER_VERIFY_REQUEST_HOSTNAME
-| Verify the hostname of the incoming request against the hostname of the OCM provider.
-| false
-
-| xref:{s-path}/postprocessing.adoc[Postprocessing]
-| POSTPROCESSING_STORE_SIZE
-| The maximum quantity of items in the store. Only applies when store type 'ocmem' is configured. Defaults to 512 which is derived from the ocmem package though not exclicitly set as default.
-| 0
-
-| xref:{s-path}/proxy.adoc[Proxy]
-| PROXY_OIDC_USERINFO_CACHE_SIZE
-| The maximum quantity of items in the user info cache. Only applies when store type 'ocmem' is configured. Defaults to 512 which is derived from the ocmem package though not explicitly set as default.
-| 0
-
-| xref:{s-path}/settings.adoc[Settings]
-| SETTINGS_CACHE_SIZE
-| The maximum quantity of items in the cache. Only applies when store type 'ocmem' is configured. Defaults to 512 which is derived from the ocmem package though not exclicitly set as default.
-| 0
-
-|
-| SETTINGS_DATA_PATH
-| The directory where the filesystem storage will store ocis settings.
If not defined, the root directory derives from $OC_BASE_DATA_PATH:/settings.
-| /var/lib/ocis/settings
-
-|
-| SETTINGS_STORE_TYPE
-| Store type configures the persistency driver. Supported values are 'metadata' and 'filesystem'. Note that the value 'filesystem' is considered deprecated.
-| metadata
-
-| xref:{s-path}/sharing.adoc[Sharing]
-| SHARING_ENABLE_RESHARING
-| Changing this value is NOT supported. Enables the support for resharing.
-| false
-
-| xref:{s-path}/storage-system.adoc[Storage-System]
-| STORAGE_SYSTEM_CACHE_SIZE
-| The maximum quantity of items in the user info cache. Only applies when store type 'ocmem' is configured. Defaults to 512 which is derived from the ocmem package though not exclicitly set as default.
-| 0
-
-|
-| STORAGE_SYSTEM_OC_METADATA_BACKEND
-| The backend to use for storing metadata. Supported values are 'messagepack' and 'xattrs'. The setting 'messagepack' uses a dedicated file to store file metadata while 'xattrs' uses extended attributes to store file metadata. Defaults to 'messagepack'.
-| messagepack
-
-| xref:{s-path}/storage-users.adoc[Storage-Users]
-| STORAGE_USERS_FILEMETADATA_CACHE_SIZE
-| The maximum quantity of items in the user info cache. Only applies when store type 'ocmem' is configured. Defaults to 512 which is derived from the ocmem package though not exclicitly set as default.
-| 0
-
-|
-| STORAGE_USERS_ID_CACHE_SIZE
-| The maximum quantity of items in the user info cache. Only applies when store type 'ocmem' is configured. Defaults to 512 which is derived from the ocmem package though not exclicitly set as default.
-| 0
-
-|
-| STORAGE_USERS_OCIS_METADATA_BACKEND
-| The backend to use for storing metadata. Supported values are 'messagepack' and 'xattrs'. The setting 'messagepack' uses a dedicated file to store file metadata while 'xattrs' uses extended attributes to store file metadata. Defaults to 'messagepack'.
-| messagepack
-
-|
-| STORAGE_USERS_S3NG_METADATA_BACKEND
-| The backend to use for storing metadata. Supported values are 'xattrs' and 'messagepack'. The setting 'xattrs' uses extended attributes to store file metadata while 'messagepack' uses a dedicated file to store file metadata. Defaults to 'xattrs'.
-| messagepack
-
-| The `Store` service has been removed completely
-| STORE_DATA_PATH
-| The directory where the filesystem storage will store ocis settings. If not defined, the root directory derives from $OC_BASE_DATA_PATH:/store.
-| /var/lib/ocis/store
-
-|
-| STORE_DEBUG_ADDR
-| Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.
-| 127.0.0.1:9464
-
-|
-| STORE_DEBUG_PPROF
-| Enables pprof, which can be used for profiling.
-| false
-
-|
-| STORE_DEBUG_TOKEN
-| Token to secure the metrics endpoint.
-|
-
-|
-| STORE_DEBUG_ZPAGES
-| Enables zpages, which can be used for collecting and viewing in-memory traces.
-| false
-
-|
-| STORE_GRPC_ADDR
-| The bind address of the GRPC service.
-| 127.0.0.1:9460
-
-|
-| STORE_LOG_COLOR
-| Activates colorized log output.
-| false
-
-|
-| STORE_LOG_FILE
-| The path to the log file. Activates logging to this file if set.
-|
-
-|
-| STORE_LOG_LEVEL
-| The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.
-|
-
-|
-| STORE_LOG_PRETTY
-| Activates pretty log output.
-| false
-
-|
-| STORE_TRACING_COLLECTOR
-| The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.
-|
-
-|
-| STORE_TRACING_ENABLED
-| Activates tracing.
-| false
-
-|
-| STORE_TRACING_ENDPOINT
-| The endpoint of the tracing agent.
-|
-
-|
-| STORE_TRACING_TYPE
-| The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.
-|
-
-| xref:{s-path}/userlog.adoc[Userlog]
-| USERLOG_STORE_SIZE
-| The maximum quantity of items in the store. Only applies when store type 'ocmem' is configured. Defaults to 512 which is derived from the ocmem package though not exclicitly set as default.
-| 0
-
-| xref:{s-path}/web.adoc[Web]
-| WEB_ASSET_PATH
-| Serve ownCloud Web assets from a path on the filesystem instead of the builtin assets.
-|
-
-|
-| WEB_OPTION_DISABLE_PREVIEWS
-| Set this option to 'true' to disable previews in all the different web file listing views. This can speed up file listings in folders with many files. The only list view that is not affected by this setting is the trash bin, as it does not allow previewing at all.
-| false
-
-|
-| WEB_OPTION_HOME_FOLDER
-| Specifies a folder that is used when the user navigates 'home'. Navigating home gets triggered by clicking on the 'All files' menu item. The user will not be jailed in that directory, it simply serves as a default location. A static location can be provided, or variables of the user object to come up with a user specific home path can be used. This uses the twig template variable style and allows picking a value or a substring of a value of the authenticated user. Examples are '/Shares', '/{{.Id}}' and '/{{substr 0 3 .Id}}/{{.Id}'.
-|
-
-|
-| WEB_OPTION_HOVERABLE_QUICK_ACTIONS
-| Set this option to 'true' to hide quick actions (buttons appearing on file rows) and only show them when the user hovers over the row with his mouse. Defaults to 'false'.
-| false
-
-|
-| WEB_OPTION_OPEN_LINKS_WITH_DEFAULT_APP
-| Specifies whether single file link shares should be opened with the default app or not. If not opened by the default app, the Web UI just displays the file details.
-| true
-
-|
-| WEB_OPTION_PREVIEW_FILE_MIMETYPES
-| A list of mimeTypes to specify which ones will be previewed in the UI. For example, to only preview jpg and text files, set this option to 'image/jpeg,text/plain'.
See the Environment Variable Types description for more details.
-| [image/gif image/png image/jpeg text/plain image/tiff image/bmp image/x-ms-bmp application/vnd.geogebra.slides]
-
-|
-| WEB_OPTION_ROUTING_ID_BASED
-| Enable or disable fileIds being added to the URL. Defaults to 'true', because otherwise spaces with name clashes cannot be resolved correctly. Note: Only disable this if you can guarantee on the server side, that spaces of the same namespace cannot have name clashes.
-| true
-
-|
-| WEB_OPTION_SHARING_RECIPIENTS_PER_PAGE
-| Sets the number of users shown as recipients in the dropdown menu when sharing resources.
-| 200
-
-|
-| WEB_OPTION_SIDEBAR_SHARES_SHOW_ALL_ON_LOAD
-| Sets the list of the (link) shares list in the sidebar to be initially expanded. Default is a collapsed state, only showing the first three shares.
-| false
-
-|===
-
diff --git a/docs/services/general-info/env-var-deltas/7.0.0-7.1.0-added.adoc b/docs/services/general-info/env-var-deltas/7.0.0-7.1.0-added.adoc
deleted file mode 100644
index a95eb65410..0000000000
--- a/docs/services/general-info/env-var-deltas/7.0.0-7.1.0-added.adoc
+++ /dev/null
@@ -1,57 +0,0 @@
-// # Added Variables between oCIS 7.0.0 and oCIS 7.1.0
-// commenting the headline to make it better includable
-
-// table created per 2025.01.10
-// the table should be recreated/updated on source () changes
-
-[width="100%",cols="~,~,~,~",options="header"]
-|===
-| Service | Variable | Description | Default
-
-| xref:{s-path}/frontend.adoc[Fontend]
-| FRONTEND_CONFIGURABLE_NOTIFICATIONS
-| Allow configuring notifications via web client.
-| false
-
-| xref:{s-path}/notifications.adoc[Notifications]
-| NOTIFICATIONS_STORE
-| The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details.
-| nats-js-kv
-
-|
-| NOTIFICATIONS_STORE_AUTH_PASSWORD
-| The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.
-|
-
-|
-| NOTIFICATIONS_STORE_AUTH_USERNAME
-| The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.
-|
-
-|
-| NOTIFICATIONS_STORE_DATABASE
-| The database name the configured store should use.
-| notifications
-
-|
-| NOTIFICATIONS_STORE_NODES
-| A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.
-| [127.0.0.1:9233]
-
-|
-| NOTIFICATIONS_STORE_TABLE
-| The database table the store should use.
-|
-
-|
-| NOTIFICATIONS_STORE_TTL
-| Time to live for notifications in the store. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details.
-| 336h0m0s
-
-| xref:{s-path}/settings.adoc[Settings]
-| SETTINGS_TRANSLATION_PATH
-| (optional) Set this to a path with custom translations to overwrite the builtin translations. Note that file and folder naming rules apply, see the documentation for more details.
-|
-
-|===
-
diff --git a/docs/services/general-info/env-var-deltas/7.0.0-7.1.0-deprecated.adoc b/docs/services/general-info/env-var-deltas/7.0.0-7.1.0-deprecated.adoc
deleted file mode 100644
index 91f4c78fb8..0000000000
--- a/docs/services/general-info/env-var-deltas/7.0.0-7.1.0-deprecated.adoc
+++ /dev/null
@@ -1,105 +0,0 @@
-// # Deprecated Variables between oCIS 7.0.0 and oCIS 7.1.0
-// commenting the headline to make it better includable
-
-// table created per 2025.01.10
-// the table should be recreated/updated on source () changes
-
-Note that these environment variables were listed for deprecation in 7.0.0 already. Removal has been delayed for an upcoming production version. They are listed here for consistency.
-
-
-[width="100%",cols="~,~,~,~,~",options="header"]
-|===
-| Service | Variable | Description | Removal Version | Deprecation Info
-
-| xref:{s-path}/clientlog.adoc[Clientlog]
-| CLIENTLOG_REVA_GATEWAY
-| CS3 gateway used to look up user metadata
-| %%NEXT_PRODUCTION_VERSION%%
-| CLIENTLOG_REVA_GATEWAY removed for simplicity.
-
-| xref:{s-path}/frontend.adoc[Frontend]
-| FRONTEND_OCS_ADDITIONAL_INFO_ATTRIBUTE
-| Additional information attribute for the user like {{.Mail}}.
-| %%NEXT_PRODUCTION_VERSION%%
-| The OCS API is deprecated
-
-|
-| FRONTEND_OCS_ENABLE_DENIALS
-| EXPERIMENTAL: enable the feature to deny access on folders.
-| %%NEXT_PRODUCTION_VERSION%%
-| The OCS API is deprecated
-
-|
-| FRONTEND_OCS_INCLUDE_OCM_SHAREES
-| Include OCM sharees when listing sharees.
-| %%NEXT_PRODUCTION_VERSION%%
-| FRONTEND_OCS_INCLUDE_OCM_SHAREES, the OCS API is deprecated
-
-|
-| FRONTEND_OCS_LIST_OCM_SHARES
-| Include OCM shares when listing shares. See the OCM service documentation for more details.
-| %%NEXT_PRODUCTION_VERSION%%
-| FRONTEND_OCS_LIST_OCM_SHARES, the OCS API is deprecated
-
-|
-| FRONTEND_OCS_PERSONAL_NAMESPACE
-| Home namespace identifier.
-| %%NEXT_PRODUCTION_VERSION%%
-| The OCS API is deprecated
-
-|
-| FRONTEND_OCS_PREFIX
-| URL path prefix for the OCS service. Note that the string must not start with '/'.
-| %%NEXT_PRODUCTION_VERSION%%
-| The OCS API is deprecated
-
-|
-| FRONTEND_OCS_SHARE_PREFIX
-| Path prefix for shares as part of an ocis resource. Note that the path must start with '/'.
-| %%NEXT_PRODUCTION_VERSION%%
-| The OCS API is deprecated
-
-|
-| FRONTEND_OCS_STAT_CACHE_AUTH_PASSWORD
-| The password to use for authentication. Only applies when using the 'nats-js-kv' store type.
-| %%NEXT_PRODUCTION_VERSION%%
-| FRONTEND_OCS_STAT_CACHE_AUTH_PASSWORD, the OCS API is deprecated
-
-|
-| FRONTEND_OCS_STAT_CACHE_AUTH_USERNAME
-| The username to use for authentication. Only applies when using the 'nats-js-kv' store type.
-| %%NEXT_PRODUCTION_VERSION%%
-| FRONTEND_OCS_STAT_CACHE_AUTH_USERNAME, the OCS API is deprecated
-
-|
-| FRONTEND_OCS_STAT_CACHE_DISABLE_PERSISTENCE
-| Disable persistence of the cache. Only applies when using the 'nats-js-kv' store type. Defaults to false.
-| %%NEXT_PRODUCTION_VERSION%%
-| FRONTEND_OCS_STAT_CACHE_DISABLE_PERSISTENCE, the OCS API is deprecated
-
-|
-| FRONTEND_OCS_STAT_CACHE_STORE
-| The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details.
-| %%NEXT_PRODUCTION_VERSION%%
-| FRONTEND_OCS_STAT_CACHE_STORE, the OCS API is deprecated
-
-|
-| FRONTEND_OCS_STAT_CACHE_STORE_NODES
-| A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.
-| %%NEXT_PRODUCTION_VERSION%%
-| FRONTEND_OCS_STAT_CACHE_STORE_NODES, the OCS API is deprecated
-
-|
-| FRONTEND_OCS_STAT_CACHE_TABLE
-| The database table the store should use.
-| %%NEXT_PRODUCTION_VERSION%%
-| The OCS API is deprecated
-
-|
-| FRONTEND_OCS_STAT_CACHE_TTL
-| Default time to live for user info in the cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details.
-| %%NEXT_PRODUCTION_VERSION%%
-| FRONTEND_OCS_STAT_CACHE_TTL, the OCS API is deprecated
-
-|===
-
diff --git a/docs/services/general-info/env-var-deltas/7.0.0-7.1.0-removed.adoc b/docs/services/general-info/env-var-deltas/7.0.0-7.1.0-removed.adoc
deleted file mode 100644
index 166f2833a5..0000000000
--- a/docs/services/general-info/env-var-deltas/7.0.0-7.1.0-removed.adoc
+++ /dev/null
@@ -1,12 +0,0 @@
-// # Removed Variables between oCIS 7.0.0 and oCIS 7.1.0
-// commenting the headline to make it better includable
-
-// table created per 2025.01.10
-// the table should be recreated/updated on source () changes
-
-[width="100%",cols="~,~,~,~",options="header"]
-|===
-| Service | Variable | Description | Default
-
-|===
-
diff --git a/docs/services/general-info/env-var-deltas/make-adoc-and-md-files.txt b/docs/services/general-info/env-var-deltas/make-adoc-and-md-files.txt
deleted file mode 100644
index 68c10ae55e..0000000000
--- a/docs/services/general-info/env-var-deltas/make-adoc-and-md-files.txt
+++ /dev/null
@@ -1 +0,0 @@
-see docs/helpers/README.md#doc-tasks-for-new-releases for details how to create the necessary .adoc and .md files
diff --git a/docs/services/general-info/envvar-scopes.md b/docs/services/general-info/envvar-scopes.md
deleted file mode 100644
index d67f86134c..0000000000
--- a/docs/services/general-info/envvar-scopes.md
+++ /dev/null
@@ -1,71 +0,0 @@
----
-title: Envvar Naming Scopes
-date: 2023-03-23T00:00:00+00:00
-weight: 20
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/services/general-info
-geekdocFilePath: envvar-scopes.md
-geekdocCollapseSection: true
----
-
-{{< toc >}}
-
-The scope of an environment variable can be derived from its name. Therefore, it is important to follow the correct naming scheme to enable easy and proper identification. This is important when either:
-
-- a new local envvar is introduced.
-- a new global envvar is added to an existing local envvar.
-
-## Envvar Definition
-
-- A variable that is only used in a particular service is a **local envvar**.
-- A variable that is used in more than one service is a **global envvar**.
-- Mandatory when used in a service, a global envvar must have a local counterpart.
-- Variables that do not belong to any service are by definition global.
-
-## Naming Scope
-
-### Local Envvars
-
-A local envvar always starts with the service name like `POSTPROCESSING_LOG_FILE`.
-
-### Global Envvars
-
-A global envvar always starts with `OC_` like `OC_LOG_FILE`.
-
-Note that this envvar is the global representation of the local example from above.
-
-To get a list of global envvars used in all services, see the [Global Environment Variables](https://doc.owncloud.com/ocis/next/deployment/services/env-vars-special-scope.html#global-environment-variables) table in the ocis admin documentation.
-
-## Lifecycle of Envvars
-
-The envvar struct tag contains at maximum the following key/value pairs to document the lifecycle of a config variable:
-
-* `introductionVersion`
-* `deprecationVersion`
-* `removalVersion`
-* `deprecationInfo`
-* `deprecationReplacement`
-
-### Introduce new Envvars
-
-If a new envvar is introduced, only the `introductionVersion` is required.
-
-{{< hint warning >}}
-During the development cycle, the value for the `introductionVersion` must be set to `%%NEXT%%`.
This placeholder will be removed by the real version number during the production releasing process.
-{{< /hint >}}
-
-For the documentation to show the correct value for the `IV` (introduction version), our docs helper scripts will automatically generate the correct version to be printed in the documentation. If `%%NEXT%%` is found in the query, it will be replaced with `next`, else the value found is used.
-
-During the releasing process for a production release, the placeholder `%%NEXT%%` has to be replaced with the new production version number like `%%NEXT%%` → `7.0.0`.
-
-### Adding Envvars to Existing Ones
-
-If an envvar has been introduced with a particular version, the `introductionVersion` gets a value accordingly. If an additional envvar like a global one is added to this existing envvar later on, the introduction version will *not* be changed.
-
-### Deprecate Existing Envvars
-
-See the [deprecation rules]({{< ref "./deprecating-variables.md" >}}) documentation for more details.
-
-## Separating Multiple Envvars
-
-When multiple envvars are defined for one purpose like a global and local one, use `;` (semicolon) to properly separate the envvars in go code. Though it is possible to separate with `,` (comma) according go rules, the current implementation of the docs generation process only recognizes semicolons as separator.
diff --git a/docs/services/general-info/new-service-checklist.md b/docs/services/general-info/new-service-checklist.md
deleted file mode 100644
index 28c43c59b8..0000000000
--- a/docs/services/general-info/new-service-checklist.md
+++ /dev/null
@@ -1,54 +0,0 @@ ---- -title: New Service Checklist -date: 2023-03-23T00:00:00+00:00 -weight: 20 -geekdocRepo: https://github.com/owncloud/ocis -geekdocEditPath: edit/master/docs/services/general-info -geekdocFilePath: new-service-checklist.md -geekdocCollapseSection: true ---- - -When a new service gets introduced, this checklist is a good starting point for things that need to be completed before the service gets published (merged). This list is without claim of completeness or correct sort order. - -## New Service Checklist - -Use this checklist with copy/paste in your PR - right from the beginning. It renders correctly in your PR. - -```markdown -- [ ] Services MUST NOT be named `extended` or `global`. These are reserved names for the automated documentation process. -- [ ] Provide a README.md for that service in the root folder of that service. - - Use CamelCase for section headers. -- [ ] For images and example files used in README.md: - - Create a folder named `md-sources` on the same level where README.md is located. Put all the images and example files referenced by README.md into this folder. - - Use absolute references like `https://raw.githubusercontent.com/owncloud/ocis/master/services//md-sources/file` to make the content accessible for both README.md and owncloud.dev - bad `` - good `` -- [ ] If new CLI commands are introduced, those commands must be described in the README.md. - - Commands are added to `ocis/pkg/command` -- [ ] If new global envvars are introduced, the name must start with `OC_`. -- [ ] Add the service to the makefile in the ocis repo root. 
-- [ ] Service startup: - - add it to `ocis/pkg/command/services.go` - - Include for automatic startup: - - add it to `ocis/pkg/runtime/service/service.go` - - Exclude from automatic startup: - - add it to the `populate optional services` block in `ocis/pkg/runtime/service/service.go` - - Add the service config to `ocis-pkg/config/defaultconfig.go` -- [ ] If the service is using service accounts, add it to `ocis/pkg/init/init.go` -- [ ] Check that the service properly responds to `ocis health` and has `/healthz` and `/readyz` endpoints -- [ ] Add the service to `.drone.star` to enable CI. -- [ ] Inform doc team in an *early stage* to review the readme AND the environment variables created. - - The description must reflect the behaviour AND usually has a positive code quality impact. -- [ ] Create proper description strings for envvars - see other services for examples, especially when it comes to multiple values. This must include: - - base description, set of available values, description of each value. -- [ ] When suggested commits are created for text changes, and you agree, collect them to a batch and commit them. Do not forget to rebase locally to avoid overwriting the changes made. -- [ ] If new envvars are introduced which serve the same purpose but in multiple services, an additional envvar must be added at the beginning of the list starting with `OC_` (global envvar). -- [ ] Ensure that a service has a debug port -- [ ] If the new service introduces a new port: - - The port must be added to [port-ranges.md](https://github.com/owncloud/ocis/blob/master/docs/services/general-info/port-ranges.md) and to the README.md file. -- [ ] Make sure to have a function `FullDefaultConfig()` in `pkg/config/defaults/defaultconfig.go` of your service. It is needed to create the documentation. -- [ ] Add metrics to the code to enable monitoring. See the proxy service for implementation details. 
- - Plus add documentation about monitoring in the README.md file -- [ ] When the service requires translations that have to be covered by the service and are not sourced by web, see the [add translation]({{< ref "./add-translations.md" >}}) documentation for more details. -- [ ] If the service requires a `cache` or `store`, check existing services for implementation and add a documentation in the README.md -``` diff --git a/docs/services/general-info/port-ranges.md b/docs/services/general-info/port-ranges.md deleted file mode 100644 index 2e94a82b8e..0000000000 --- a/docs/services/general-info/port-ranges.md +++ /dev/null 
@@ -1,213 +0,0 @@ ---- -title: Port Ranges -date: 2018-05-02T00:00:00+00:00 -weight: 20 -geekdocRepo: https://github.com/owncloud/ocis -geekdocEditPath: edit/master/docs/services/general-info -geekdocFilePath: port-ranges.md -geekdocCollapseSection: true ---- - -oCIS services often need a port to expose their services to other services or the outside world. As users may have many different extensions running on the same machine, we should track port usage in the oCIS ecosystem. In the best case, we ensure that each extension uses a non-colliding port range, to make life easier for users. - -This page tracks the knowingly used port ranges. - -Feel free to "reserve" a free port range when you're developing an extension by adding your extension to the list (see the edit button in the top right corner). - -If you're developing a non-public extension, we recommend using ports outside of the ranges listed below. - -We also suggest using the last port in your extensions' range as a debug/metrics port. 
- -## Allocations - -| Port range | Service | -|------------|----------------------------------------------------------------------------------------| -| 9000-9010 | [reserved for Infinite Scale]({{< ref "../../../ocis/_index.md" >}}) | -| 9100-9104 | [web]({{< ref "../web/_index.md" >}}) | -| 9105-9109 | [hello](https://github.com/owncloud/ocis-hello) | -| 9110-9114 | [ocs]({{< ref "../ocs/_index.md" >}}) | -| 9115-9119 | [webdav]({{< ref "../webdav/_index.md" >}}) | -| 9120-9124 | [graph]({{< ref "../graph/_index.md" >}}) | -| 9125-9129 | [policies]({{< ref "../policies/_index.md" >}}) | -| 9130-9134 | [idp]({{< ref "../idp/_index.md" >}}) | -| 9135-9139 | [sse]({{< ref "../sse/_index.md" >}}) | -| 9140-9141 | [frontend]({{< ref "../frontend/_index.md" >}}) | -| 9142-9143 | [gateway]({{< ref "../gateway/_index.md" >}}) | -| 9144-9145 | [users]({{< ref "../users/_index.md" >}}) | -| 9146-9147 | [auth-basic]({{< ref "../auth-basic/_index.md" >}}) | -| 9148-9149 | [auth-bearer]({{< ref "../auth-bearer/_index.md" >}}) | -| 9150-9153 | [sharing]({{< ref "../sharing/_index.md" >}}) | -| 9154-9156 | [storage-shares]({{< ref "../storage-shares/_index.md" >}}) | -| 9157-9159 | [storage-users]({{< ref "../storage-users/_index.md" >}}) | -| 9160-9162 | [groups]({{< ref "../groups/_index.md" >}}) | -| 9163 | [ocdav]({{< ref "../ocdav/_index.md" >}}) | -| 9164 | [groups]({{< ref "../groups/_index.md" >}}) | -| 9165 | [app-provider]({{< ref "../app-provider/_index.md" >}}) | -| 9166-9169 | [auth-machine]({{< ref "../auth-machine/_index.md" >}}) | -| 9170-9174 | [notifications]({{< ref "../notifications/_index.md" >}}) | -| 9175-9179 | [storage-publiclink]({{< ref "../storage-publiclink/_index.md" >}}) | -| 9180-9184 | FREE (formerly used by accounts) | -| 9185-9189 | [thumbnails]({{< ref "../thumbnails/_index.md" >}}) | -| 9190-9194 | [settings]({{< ref "../settings/_index.md" >}}) | -| 9195-9197 | [activitylog]({{< ref "../activitylog/_index.md" >}}) | -| 9198-9199 | 
[auth-service]({{< ref "../auth-service/_index.md" >}}) | -| 9200-9204 | [proxy]({{< ref "../proxy/_index.md" >}}) | -| 9205-9209 | [proxy]({{< ref "../proxy/_index.md" >}}) | -| 9210-9214 | [userlog]({{< ref "../userlog/_index.md" >}}) | -| 9215-9219 | [storage-system]({{< ref "../storage-system/_index.md" >}}) | -| 9220-9224 | [search]({{< ref "../search/_index.md" >}}) | -| 9225-9229 | [audit]({{< ref "../audit/_index.md" >}}) | -| 9230-9234 | [nats]({{< ref "../nats/_index.md" >}}) | -| 9235-9239 | [idm]({{< ref "../idm/_index.md" >}}) | -| 9240-9244 | [app-registry]({{< ref "../app-registry/_index.md" >}}) | -| 9245-9249 | [auth-app]({{< ref "../auth-app/_index.md" >}}) | -| 9250-9254 | [ocis server (runtime)](https://github.com/owncloud/ocis/tree/master/ocis/pkg/runtime) | -| 9255-9259 | [postprocessing]({{< ref "../postprocessing/_index.md" >}}) | -| 9260-9264 | [clientlog]({{< ref "../clientlog/_index.md" >}}) | -| 9265-9269 | [clientlog]({{< ref "../clientlog/_index.md" >}}) | -| 9270-9274 | [eventhistory]({{< ref "../eventhistory/_index.md" >}}) | -| 9275-9279 | [webfinger]({{< ref "../webfinger/_index.md" >}}) | -| 9280-9284 | [ocm]({{< ref "../ocm/_index.md" >}}) | -| 9285-9289 | FREE | -| 9290-9294 | FREE | -| 9295-9299 | FREE | -| 9300-9304 | [collaboration]({{< ref "../collaboration/_index.md" >}}) | -| 9305-9309 | FREE | -| 9310-9314 | FREE | -| 9315-9319 | FREE | -| 9320-9324 | FREE | -| 9325-9329 | FREE | -| 9330-9334 | FREE | -| 9335-9339 | FREE | -| 9340-9344 | FREE | -| 9345-9349 | FREE | -| 9350-9354 | [ocdav]({{< ref "../ocdav/_index.md" >}}) | -| 9355-9359 | FREE | -| 9360-9364 | FREE | -| 9365-9369 | FREE | -| 9370-9374 | FREE | -| 9375-9379 | FREE | -| 9380-9384 | FREE | -| 9385-9389 | FREE | -| 9390-9394 | FREE | -| 9395-9399 | FREE | -| 9400-9404 | FREE | -| 9405-9409 | FREE | -| 9410-9414 | FREE | -| 9415-9419 | FREE | -| 9420-9424 | FREE | -| 9425-9429 | FREE | -| 9430-9434 | FREE | -| 9435-9439 | FREE | -| 9440-9444 | FREE | -| 
9445-9449 | FREE | -| 9450-9454 | FREE | -| 9455-9459 | FREE | -| 9460-9464 | FREE (formerly used by store-service) | -| 9465-9469 | FREE | -| 9470-9474 | FREE | -| 9475-9479 | FREE | -| 9480-9484 | FREE | -| 9485-9489 | FREE | -| 9490-9494 | FREE | -| 9495-9499 | FREE | -| 9500-9504 | FREE | -| 9505-9509 | FREE | -| 9510-9514 | FREE | -| 9515-9519 | FREE | -| 9520-9524 | FREE | -| 9525-9529 | FREE | -| 9530-9534 | FREE | -| 9535-9539 | FREE | -| 9540-9544 | FREE | -| 9545-9549 | FREE | -| 9550-9554 | FREE | -| 9555-9559 | FREE | -| 9560-9564 | FREE | -| 9565-9569 | FREE | -| 9570-9574 | FREE | -| 9575-9579 | FREE | -| 9580-9584 | FREE | -| 9585-9589 | FREE | -| 9590-9594 | FREE | -| 9595-9599 | FREE | -| 9600-9604 | FREE | -| 9605-9609 | FREE | -| 9610-9614 | FREE | -| 9615-9619 | FREE | -| 9620-9624 | FREE | -| 9625-9629 | FREE | -| 9630-9634 | FREE | -| 9635-9639 | FREE | -| 9640-9644 | FREE | -| 9645-9649 | FREE | -| 9650-9654 | FREE | -| 9655-9659 | FREE | -| 9660-9664 | FREE | -| 9665-9669 | FREE | -| 9670-9674 | FREE | -| 9675-9679 | FREE | -| 9680-9684 | FREE | -| 9685-9689 | FREE | -| 9690-9694 | FREE | -| 9695-9699 | FREE | -| 9700-9704 | FREE | -| 9705-9709 | FREE | -| 9710-9714 | FREE | -| 9715-9719 | FREE | -| 9720-9724 | FREE | -| 9725-9729 | FREE | -| 9730-9734 | FREE | -| 9735-9739 | FREE | -| 9740-9744 | FREE | -| 9745-9749 | FREE | -| 9750-9754 | FREE | -| 9755-9759 | FREE | -| 9760-9764 | FREE | -| 9765-9769 | FREE | -| 9770-9774 | FREE | -| 9775-9779 | FREE | -| 9780-9784 | FREE | -| 9785-9789 | FREE | -| 9790-9794 | FREE | -| 9795-9799 | FREE | -| 9800-9804 | FREE | -| 9805-9809 | FREE | -| 9810-9814 | FREE | -| 9815-9819 | FREE | -| 9820-9824 | FREE | -| 9825-9829 | FREE | -| 9830-9834 | FREE | -| 9835-9839 | FREE | -| 9840-9844 | FREE | -| 9845-9849 | FREE | -| 9850-9854 | FREE | -| 9855-9859 | FREE | -| 9860-9864 | FREE | -| 9865-9869 | FREE | -| 9870-9874 | FREE | -| 9875-9879 | FREE | -| 9880-9884 | FREE | -| 9885-9889 | FREE | -| 
9890-9894 | FREE | -| 9895-9899 | FREE | -| 9900-9904 | FREE | -| 9905-9909 | FREE | -| 9910-9914 | FREE | -| 9915-9919 | FREE | -| 9920-9924 | FREE | -| 9925-9929 | FREE | -| 9930-9934 | FREE | -| 9935-9939 | FREE | -| 9940-9944 | FREE | -| 9945-9949 | FREE | -| 9950-9954 | FREE | -| 9955-9959 | FREE | -| 9960-9964 | FREE | -| 9965-9969 | FREE | -| 9970-9974 | FREE | -| 9975-9979 | FREE | -| 9980-9984 | FREE | -| 9985-9989 | FREE | -| 9990-9994 | FREE | -| 9995-9999 | FREE | diff --git a/docs/services/general-info/registry.md b/docs/services/general-info/registry.md deleted file mode 100644 index 376e23ef3b..0000000000 --- a/docs/services/general-info/registry.md +++ /dev/null 
@@ -1,46 +0,0 @@ ---- -title: Registry -date: 2023-12-19T00:00:00+00:00 -weight: 20 -geekdocRepo: https://github.com/owncloud/ocis -geekdocEditPath: edit/master/docs/services/general-info -geekdocFilePath: registry.md -geekdocCollapseSection: true ---- - -To be able to communicate with each other, services need to register in a common registry. - -{{< toc >}} - -## Configuration - -The type of registry to use can be configured with the `MICRO_REGISTRY` environment variable. Supported values are: - -### `nats-js-kv` (Default) - -Set the environment variable to `nats-js-kv` or leave it empty to use a nats-js key value store as registry. - -- Note: If not running build-in nats, `MICRO_REGISTRY_ADDRESS` needs to be set to the address of the nats-js cluster, which is the same value as `OC_EVENTS_ENDPOINT`. -- Optional: Use `MICRO_REGISTRY_AUTH_USERNAME` and `MICRO_REGISTRY_AUTH_PASSWORD` to authenticate with the nats cluster. - -### `kubernetes` - -When deploying in a kubernetes cluster, the Kubernetes registry can be used. Additionally, the `MICRO_REGISTRY_ADDRESS` environment variable needs to be set to the url of the Kubernetes registry. - -### `memory` - -Setting the environment variable to `memory` starts an in-memory registry. This only works with the single binary deployment. - -### Deprecated Registries - -These registries are currently working but will be removed in a later version. It is recommended to switch to a supported one. - -- `nats`\ - Uses a registry based on nats streams. Requires `MICRO_REGISTRY_ADDRESS` to be set. -- `etcd`\ - Uses an etcd cluster as the registry. Requires `MICRO_REGISTRY_ADDRESS` to be set. -- `consul`\ - Uses `HashiCorp Consul` as registry. Requires `MICRO_REGISTRY_ADDRESS` to be set. -- `mdns`\ - Uses multicast dns for registration. This type can have unwanted side effects when other devices in the local network use mdns too. - 
diff --git a/docs/services/graph/.gitignore b/docs/services/graph/.gitignore
deleted file mode 100644
index e69de29bb2..0000000000
diff --git a/docs/services/graph/configuration.md b/docs/services/graph/configuration.md
deleted file mode 100644
index 2ca0cc0a1c..0000000000
--- a/docs/services/graph/configuration.md
+++ /dev/null
@@ -1,14 +0,0 @@
----
-title: Service Configuration
-date: 2018-05-02T00:00:00+00:00
-weight: 20
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/services/graph
-geekdocFilePath: configuration.md
-geekdocCollapseSection: true
----
-## Example YAML Config
-
-{{< include file="services/_includes/graph-config-example.yaml" language="yaml" >}}
-
-{{< include file="services/_includes/graph_configvars.md" >}}
\ No newline at end of file
diff --git a/docs/services/groups/_index.md b/docs/services/groups/_index.md
deleted file mode 100644
index 05816eff2e..0000000000
--- a/docs/services/groups/_index.md
+++ /dev/null
@@ -1,16 +0,0 @@
----
-title: Groups
-date: 2022-03-02T00:00:00+00:00
-weight: 20
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/services/groups
-geekdocFilePath: _index.md
-geekdocCollapseSection: true
----
-
-## Abstract
-
-
-## Table of Contents
-
-{{< toc-tree >}}
diff --git a/docs/services/groups/configuration.md b/docs/services/groups/configuration.md
deleted file mode 100644
index 2e14453920..0000000000
--- a/docs/services/groups/configuration.md
+++ /dev/null
@@ -1,15 +0,0 @@
----
-title: Service Configuration
-date: 2018-05-02T00:00:00+00:00
-weight: 20
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/services/groups
-geekdocFilePath: configuration.md
-geekdocCollapseSection: true
----
-
-## Example YAML Config
-
-{{< include file="services/_includes/groups-config-example.yaml" language="yaml" >}}
-
-{{< include file="services/_includes/groups_configvars.md" >}}
diff --git a/docs/services/idm/admin_password_reset.md b/docs/services/idm/admin_password_reset.md
deleted file mode 100644
index 1e3065c37c..0000000000
--- a/docs/services/idm/admin_password_reset.md
+++ /dev/null
@@ -1,24 +0,0 @@
----
-title: Resetting a lost administrator password
-date: 2022-08-29:00:00+00:00
-weight: 10
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/services/idm
-geekdocFilePath: admin_password_reset.md
-geekdocCollapseSection: true
----
-
-## Resetting a lost administrator password
-By default, when using oCIS with the builtin IDM an ad generates the
-user `admin` (DN `uid=admin,ou=users,o=libregraph-idm`) if, for any
-reason, the password of that user is lost, it can be reset using
-the `resetpassword` sub-command:
-
-```
-ocis idm resetpassword
-```
-
-It will prompt for a new password and set the password of that user
-accordingly. Note: As this command is accessing the idm database directly
-will only work while ocis is not running and nothing else is accessing
-database.
diff --git a/docs/services/idm/configuration.md b/docs/services/idm/configuration.md
deleted file mode 100644
index 6bb9b556d6..0000000000
--- a/docs/services/idm/configuration.md
+++ /dev/null
@@ -1,15 +0,0 @@
----
-title: Service Configuration
-date: 2018-05-02T00:00:00+00:00
-weight: 20
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/services/idm
-geekdocFilePath: configuration.md
-geekdocCollapseSection: true
----
-
-## Example YAML Config
-
-{{< include file="services/_includes/idm-config-example.yaml" language="yaml" >}}
-
-{{< include file="services/_includes/idm_configvars.md" >}}
\ No newline at end of file
diff --git a/docs/services/idm/configuration_hints.md b/docs/services/idm/configuration_hints.md
deleted file mode 100644
index 5f6d8a5ac0..0000000000
--- a/docs/services/idm/configuration_hints.md
+++ /dev/null
@@ -1,49 +0,0 @@ ---- -title: Configuration Hints -date: 2022-04-27:00:00+00:00 -weight: 20 -geekdocRepo: https://github.com/owncloud/ocis -geekdocEditPath: edit/master/docs/services/idm -geekdocFilePath: configuration_hints.md -geekdocCollapseSection: true ---- - -## TLS Server Certificates -By default IDM generates a self-signed certificate and key on first startup to be -able to provide TLS protected services. The certificate is stored in -`idm/ldap.crt` inside the oCIS base data directory. The key is in -`idm/ldap.key` in the same directory. You can use a custom server -certificate by setting the `IDM_LDAPS_CERT` and `IDM_LDAPS_KEY`. - -## Default / Demo Users -On startup IDM creates a set of default services users that are needed -internally to provide access to IDM to other oCIS services. These users are stored -in a separate subtree. The base DN of that subtree is: -`ou=sysusers,o=libregraph-idm`. The service users are: - -* `uid=libregraph,ou=sysusers,o=libregraph-idm`: This is the only user with write - access to the LDAP tree. It is used by the Graph service to look up, create, delete and - modify users and groups. -* `uid=idp,ou=sysusers,o=libregraph-idm`: This user is used by the IDP service to - perform user lookups for authentication. -* `uid=reva,ou=sysusers,o=libregraph-idm`: This user is used by the "reva" services - `user`, `group` and `auth-basic`. - -IDM is also able to create [Demo Users](../../../ocis/getting-started/demo-users) -upon startup. - -## Access via LDAP command line tools -For testing purposes it is sometimes helpful to query IDM using the ldap -command line clients. To e.g. 
list all users, this command can be used: - -``` -ldapsearch -x -H ldaps://127.0.0.1:9235 -x -D uid=libregraph,ou=sysusers,o=libregraph-idm -w idm -b o=libregraph-idm objectclass=inetorgperson -``` - -When using the default configuration with the self-signed server certificate, -you might need to switch off the certificate validation using the `LDAPTL_REQCERT` env -variable: - -``` -LDAPTLS_REQCERT=never ldapsearch -x -H ldaps://127.0.0.1:9235 -x -D uid=libregraph,ou=sysusers,o=libregraph-idm -w idm -b o=libregraph-idm objectclass=inetorgperson -``` diff --git a/docs/services/idp/.gitignore b/docs/services/idp/.gitignore deleted file mode 100644 index 63536ebfa2..0000000000 --- a/docs/services/idp/.gitignore +++ /dev/null @@ -1 +0,0 @@ -grpc.md diff --git a/docs/services/idp/configuration.md b/docs/services/idp/configuration.md deleted file mode 100644 index cf999eabda..0000000000 --- a/docs/services/idp/configuration.md +++ /dev/null @@ -1,15 +0,0 @@ ---- -title: Service Configuration -date: 2018-05-02T00:00:00+00:00 -weight: 20 -geekdocRepo: https://github.com/owncloud/ocis -geekdocEditPath: edit/master/docs/services/idp -geekdocFilePath: configuration.md -geekdocCollapseSection: true ---- - -## Example YAML Config - -{{< include file="services/_includes/idp-config-example.yaml" language="yaml" >}} - -{{< include file="services/_includes/idp_configvars.md" >}} \ No newline at end of file diff --git a/docs/services/idp/theming.md b/docs/services/idp/theming.md deleted file mode 100644 index b91f45b316..0000000000 --- a/docs/services/idp/theming.md +++ /dev/null 
@@ -1,50 +0,0 @@ ---- -title: Theming -weight: 20 -geekdocRepo: https://github.com/owncloud/ocis -geekdocEditPath: edit/master/docs/services/theming -geekdocFilePath: theming.md ---- - -{{< toc >}} - -## Intro -Our default IDP UI is built with the [LibreGraph Connect](https://github.com/libregraph/lico) React app. Even though this app comes already with a simple theming options, we have compiled our own edited version of the app with more advanced changes than the default theming offers. Because of that, it is not possible at the moment to do any kind of easy theming and including custom theme means again compiling custom assets. - -## Customizing assets -Depending on what changes you wish to do with the theme, there are several files you can edit. All of them are located in the `idp/ui` folder. - -### Static assets -If you wish to add static assets like images, CSS, etc., you can add them to `idp/ui/public/static`. The `public` folder also contains the `index.html` file which can be adjusted to your needs. - -### CSS -LibreGraph Connect is built with [kpop](https://github.com/Kopano-dev/kpop), a collection of React UI components. To include any custom styles on top of that collection, you can define them in the `idp/ui/src/app.css` file. These rules will take precedence over the kpop. - -### Containers -Layouts of all pages are located in the `idp/ui/src/containers` folder. By editing any of files in that folder, you can do any kind of changes in the layout and create advanced themes. It is, however, important to be careful when touching this code as it imports also actions which are responsible for the login flow. 
- -#### What pages to theme -- Login - - Login - login form used to authenticate the users - - Consent - consent page used to authorise apps for already signed-in users - - Chooseaccount - page with a list of accounts to choose from -- Goodbye - - Goodbyescreen - goodbye message displayed to users after they signed out -- Welcome - - Welcomescreen - welcome message displayed to users after they signed in - -### Components -`idp/ui/src/components` folder contains all custom components which are then imported into containers. - -### Images -Every image placed in `idp/ui/src/images` can be directly import into components or containers and will be optimized when compiling assets. - -### Locales -If you need to edit or add new locales, you can do so with json files in the `idp/ui/src/locales` folder. If adding new locale, make sure to add it also in the `index.js` file in the same folder. - -## Building assets -In order to build all assets, run `pnpm build` in the `idp` folder. This script will compile all assets and output them into `idp/assets` folder. - -At this point, you have two possible ways how to deploy your new theme: -- run `make generate` in the root folder of your oCIS clone and generate the new assets -- start the IDP service directly with custom assets by specifying the env var `IDP_ASSET_PATH` diff --git a/docs/services/invitations/configuration.md b/docs/services/invitations/configuration.md deleted file mode 100644 index 3cc3dea0d8..0000000000 --- a/docs/services/invitations/configuration.md +++ /dev/null 
@@ -1,15 +0,0 @@
----
-title: Service Configuration
-date: 2023-03-02T15:27:00+01:00
-weight: 20
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/services/invitations
-geekdocFilePath: configuration.md
-geekdocCollapseSection: true
----
-
-## Example YAML Config
-
-{{< include file="services/_includes/invitations-config-example.yaml" language="yaml" >}}
-
-{{< include file="services/_includes/invitations_configvars.md" >}}
\ No newline at end of file
diff --git a/docs/services/nats/configuration.md b/docs/services/nats/configuration.md
deleted file mode 100644
index 9af5ae0b65..0000000000
--- a/docs/services/nats/configuration.md
+++ /dev/null
@@ -1,15 +0,0 @@
----
-title: Service Configuration
-date: 2018-05-02T00:00:00+00:00
-weight: 20
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/services/nats
-geekdocFilePath: configuration.md
-geekdocCollapseSection: true
----
-
-## Example YAML Config
-
-{{< include file="services/_includes/nats-config-example.yaml" language="yaml" >}}
-
-{{< include file="services/_includes/nats_configvars.md" >}}
\ No newline at end of file
diff --git a/docs/services/notifications/configuration.md b/docs/services/notifications/configuration.md
deleted file mode 100644
index de4f28af4a..0000000000
--- a/docs/services/notifications/configuration.md
+++ /dev/null
@@ -1,15 +0,0 @@
----
-title: Service Configuration
-date: 2018-05-02T00:00:00+00:00
-weight: 20
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/services/notifications
-geekdocFilePath: configuration.md
-geekdocCollapseSection: true
----
-
-## Example YAML Config
-
-{{< include file="services/_includes/notifications-config-example.yaml" language="yaml" >}}
-
-{{< include file="services/_includes/notifications_configvars.md" >}}
\ No newline at end of file
diff --git a/docs/services/ocdav/configuration.md b/docs/services/ocdav/configuration.md
deleted file mode 100644
index d9df050871..0000000000
--- a/docs/services/ocdav/configuration.md
+++ /dev/null
@@ -1,15 +0,0 @@
----
-title: Service Configuration
-date: 2018-05-02T00:00:00+00:00
-weight: 20
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/services/ocdav
-geekdocFilePath: configuration.md
-geekdocCollapseSection: true
----
-
-## Example YAML Config
-
-{{< include file="services/_includes/ocdav-config-example.yaml" language="yaml" >}}
-
-{{< include file="services/_includes/ocdav_configvars.md" >}}
diff --git a/docs/services/ocm/configuration.md b/docs/services/ocm/configuration.md
deleted file mode 100644
index eab0de7824..0000000000
--- a/docs/services/ocm/configuration.md
+++ /dev/null
@@ -1,15 +0,0 @@
----
-title: Service Configuration
-date: 2018-05-02T00:00:00+00:00
-weight: 20
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/services/ocm
-geekdocFilePath: configuration.md
-geekdocCollapseSection: true
----
-
-## Example YAML Config
-
-{{< include file="services/_includes/ocm-config-example.yaml" language="yaml" >}}
-
-{{< include file="services/_includes/ocm.md" >}}
diff --git a/docs/services/ocm/create_share_flow.md b/docs/services/ocm/create_share_flow.md
deleted file mode 100644
index 39890877f9..0000000000
--- a/docs/services/ocm/create_share_flow.md
+++ /dev/null
@@ -1,65 +0,0 @@ ---- -title: Create Share Flow -date: 2018-05-02T00:00:00+00:00 -weight: 40 -geekdocRepo: https://github.com/owncloud/ocis -geekdocEditPath: edit/master/docs/services/ocm -geekdocFilePath: create_share_flow.md -geekdocCollapseSection: true ---- - -## OCM Create Share Flow - -{{< mermaid class="text-center">}} -sequenceDiagram - box Instance A - participant osp as ocmsharesprovider - participant gwa as Gateway A - participant httpa as ocs - end - actor usera as User A - box Instance B - participant httpb as ocmd - participant gwb as Gateway B - participant ocmc as OCMCore - end - - Note over usera: A shares a resource with B - usera->>+httpa: CreateShare - httpa->>+gwa: GetInfoByDomain - Note left of gwa: GetInfoByDomain (ocmproviderauthorizer) - gwa-->>-httpa: return - - httpa->>+gwa: GetAcceptedUser - Note left of gwa: GetAcceptedUser (ocminvitemanager) - gwa-->>-httpa: return - - httpa->>+gwa: CreateOCMShare - gwa->>+osp: CreateOCMShare - osp->>+gwa: Stat - gwa-->>-osp: return - - Note left of osp: store share in repo - - osp->>+httpb: POST /shares - httpb->>+gwb: IsProviderAllowed - Note right of gwb: IsProviderAllowed (ocmproviderauthorizer) - gwb-->>-httpb: return - - httpb->>+gwb: GetUser - Note right of gwb: GetUser (userprovider) - gwb-->>-httpb: return - - httpb->>+gwb: CreateOCMCoreShare - gwb->>+ocmc: CreateOCMCoreShare - Note right of ocmc: StoreReceivedShare - ocmc-->>-gwb: return - gwb-->>-httpb: return - httpb-->>-osp: return - osp-->>-gwa: return - gwa-->>-httpa: return - httpa->>+gwa: Stat - Note left of gwa: Stat (storageprovider) - gwa-->>-httpa: return - httpa-->>-usera: return -{{< /mermaid >}} diff --git a/docs/services/ocm/invitation_flow.md b/docs/services/ocm/invitation_flow.md deleted file mode 100644 index 58744c2c5e..0000000000 --- a/docs/services/ocm/invitation_flow.md +++ /dev/null 
@@ -1,55 +0,0 @@ ---- -title: Invitation flow -date: 2018-05-02T00:00:00+00:00 -weight: 30 -geekdocRepo: https://github.com/owncloud/ocis -geekdocEditPath: edit/master/docs/services/ocm -geekdocFilePath: invitation_flow.md -geekdocCollapseSection: true ---- - -## OCM Invitation Flow - -{{< mermaid class="text-center">}} -sequenceDiagram - box Instance A - participant ima as InviteManager A - participant gwa as Gateway A - participant httpa as HTTP Api A (ocm, sm) - end - actor usera as User A - actor userb as User B - box Instance B - participant httpb as HTTP Api B (ocm, sm) - participant gwb as Gateway B - participant imb as InviteManager B - end - - Note over usera: A creates invitation token - usera->>+httpa: POST /generate-invite (sciencemesh) - httpa->>+gwa: GenerateInviteToken - gwa->>+ima: GenerateInviteToken - Note left of ima: store token in repo - ima-->>-gwa: return token - gwa-->>-httpa: return token - httpa-->>-usera: return token - - Note over usera,userb: A passes token to B - - Note over userb: B accepts invitation - userb->>+httpb: POST /accept-invite (sciencemesh) - httpb->>+gwb: ForwardInvite - gwb->>+imb: ForwardInvite - imb->>+httpa: POST /invite-accepted (ocm) - httpa->>+gwa: AcceptInvite - gwa->>+ima: AcceptInvite - Note left of ima: get token from repo - Note left of ima: add remote user - ima-->>-gwa: return - gwa-->>-httpa: return remote user - httpa->>-imb: return remote user - Note right of imb: add remote user - imb-->>-gwb: return - gwb-->>-httpb: return - httpb-->>-userb: return -{{< /mermaid >}} \ No newline at end of file diff --git a/docs/services/ocs/.gitignore b/docs/services/ocs/.gitignore deleted file mode 100644 index 63536ebfa2..0000000000 --- a/docs/services/ocs/.gitignore +++ /dev/null @@ -1 +0,0 @@ -grpc.md diff --git a/docs/services/ocs/configuration.md b/docs/services/ocs/configuration.md deleted file mode 100644 index cb8afa4319..0000000000 --- a/docs/services/ocs/configuration.md +++ /dev/null 
@@ -1,15 +0,0 @@
----
-title: Service Configuration
-date: 2018-05-02T00:00:00+00:00
-weight: 20
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/services/ocs
-geekdocFilePath: configuration.md
-geekdocCollapseSection: true
----
-
-## Example YAML Config
-
-{{< include file="services/_includes/ocs-config-example.yaml" language="yaml" >}}
-
-{{< include file="services/_includes/ocs_configvars.md" >}}
\ No newline at end of file
diff --git a/docs/services/policies/configuration.md b/docs/services/policies/configuration.md
deleted file mode 100644
index 25e4d9c0fa..0000000000
--- a/docs/services/policies/configuration.md
+++ /dev/null
@@ -1,15 +0,0 @@
----
-title: Service Configuration
-date: 2018-05-02T00:00:00+00:00
-weight: 20
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/services/policies
-geekdocFilePath: configuration.md
-geekdocCollapseSection: true
----
-
-## Example YAML Config
-
-{{< include file="services/_includes/policies-config-example.yaml" language="yaml" >}}
-
-{{< include file="services/_includes/policies_configvars.md" >}}
diff --git a/docs/services/postprocessing/configuration.md b/docs/services/postprocessing/configuration.md
deleted file mode 100644
index 2e827aaa75..0000000000
--- a/docs/services/postprocessing/configuration.md
+++ /dev/null
@@ -1,15 +0,0 @@
----
-title: Service Configuration
-date: 2018-05-02T00:00:00+00:00
-weight: 20
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/services/postprocessing
-geekdocFilePath: configuration.md
-geekdocCollapseSection: true
----
-
-## Example YAML Config
-
-{{< include file="services/_includes/postprocessing-config-example.yaml" language="yaml" >}}
-
-{{< include file="services/_includes/postprocessing_configvars.md" >}}
diff --git a/docs/services/proxy/.gitignore b/docs/services/proxy/.gitignore
deleted file mode 100644
index 63536ebfa2..0000000000
--- a/docs/services/proxy/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-grpc.md
diff --git a/docs/services/proxy/configuration.md b/docs/services/proxy/configuration.md
deleted file mode 100644
index d8502d70cc..0000000000
--- a/docs/services/proxy/configuration.md
+++ /dev/null
@@ -1,15 +0,0 @@
----
-title: Service Configuration
-date: 2018-05-02T00:00:00+00:00
-weight: 20
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/services/proxy
-geekdocFilePath: configuration.md
-geekdocCollapseSection: true
----
-
-## Example YAML Config
-
-{{< include file="services/_includes/proxy-config-example.yaml" language="yaml" >}}
-
-{{< include file="services/_includes/proxy_configvars.md" >}}
\ No newline at end of file
diff --git a/docs/services/search/configuration.md b/docs/services/search/configuration.md
deleted file mode 100644
index 1f3e17fc7d..0000000000
--- a/docs/services/search/configuration.md
+++ /dev/null
@@ -1,15 +0,0 @@
----
-title: Service Configuration
-date: 2018-05-02T00:00:00+00:00
-weight: 20
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/services/search
-geekdocFilePath: configuration.md
-geekdocCollapseSection: true
----
-
-## Example YAML Config
-
-{{< include file="services/_includes/search-config-example.yaml" language="yaml" >}}
-
-{{< include file="services/_includes/search_configvars.md" >}}
diff --git a/docs/services/settings/.gitignore b/docs/services/settings/.gitignore
deleted file mode 100644
index 63536ebfa2..0000000000
--- a/docs/services/settings/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-grpc.md
diff --git a/docs/services/settings/bundles.md b/docs/services/settings/bundles.md
deleted file mode 100644
index 6771d4a9ee..0000000000
--- a/docs/services/settings/bundles.md
+++ /dev/null
@@ -1,75 +0,0 @@
----
-title: "Settings Bundles"
-date: 2020-05-04T00:00:00+00:00
-weight: 50
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/services/settings
-geekdocFilePath: bundles.md
----
-
-A **Settings Bundle** is a collection of settings, uniquely identified by the key of the
-extension registering the bundle and the key of the bundle itself. Its purpose is to let
-oCIS services define settings and make them available to users. They are dynamically
-rendered into forms, available in the frontend.
-
-As of now we support five different types of settings:
-- boolean
-- integer
-- string
-- single choice list of integers or strings
-- multiple choice list of integers or strings
-
-Each **Setting** is uniquely identified by a key within the bundle. Some attributes
-depend on the chosen type of setting. Through the information provided with the
-attributes of the setting, the settings frontend dynamically renders form elements,
-allowing users to change their settings individually.
-
-## Example
-
-```json
-{
- "identifier": {
- "extension": "ocis-accounts",
- "bundleKey": "profile"
- },
- "displayName": "Profile",
- "settings": [
- {
- "settingKey": "lastname",
- "displayName": "Lastname",
- "description": "Input for lastname",
- "stringValue": {
- "placeholder": "Set lastname"
- }
- },
- {
- "settingKey": "age",
- "displayName": "Age",
- "description": "Input for age",
- "intValue": {
- "min": "16",
- "max": "200",
- "step": "2",
- "placeholder": "Set age"
- }
- },
- {
- "settingKey": "timezone",
- "displayName": "Timezone",
- "description": "User timezone",
- "singleChoiceValue": {
- "options": [
- {
- "stringValue": "Europe/Berlin",
- "displayValue": "Europe/Berlin"
- },
- {
- "stringValue": "Asia/Kathmandu",
- "displayValue": "Asia/Kathmandu"
- }
- ]
- }
- }
- ]
-}
-```
diff --git a/docs/services/settings/configuration.md b/docs/services/settings/configuration.md
deleted file mode 100644
index 8fb1b92b47..0000000000
--- a/docs/services/settings/configuration.md
+++ /dev/null
@@ -1,15 +0,0 @@
----
-title: Service Configuration
-date: 2018-05-02T00:00:00+00:00
-weight: 20
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/services/settings
-geekdocFilePath: configuration.md
-geekdocCollapseSection: true
----
-
-## Example YAML Config
-
-{{< include file="services/_includes/settings-config-example.yaml" language="yaml" >}}
-
-{{< include file="services/_includes/settings_configvars.md" >}}
\ No newline at end of file
diff --git a/docs/services/settings/glossary.md b/docs/services/settings/glossary.md
deleted file mode 100644
index c849b8a080..0000000000
--- a/docs/services/settings/glossary.md
+++ /dev/null
@@ -1,40 +0,0 @@
----
-title: "Glossary"
-date: 2020-05-04T12:35:00+01:00
-weight: 80
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/services/settings
-geekdocFilePath: glossary.md
----
-
-In the context of this extension and oCIS in general, we are using the following terminology.
-
-### Configuration
-
-- System configuration
-- e.g. service host names and ports
-- Changes need to be propagated to other services
-- Typically modified on the CLI
-
-### Settings
-
-- Application level settings
-- e.g. default language
-- Can be modified at runtime without restarting the service
-
-### Preferences
-
-- User settings
-- Subset of "Settings"
-- e.g. preferred language of a user
-
-### Settings Bundle
-
-- Collection of related settings
-- Registered by an oCIS extension
-
-### Settings Value
-
-- Manifestation of a setting for a specific user
-- E.g. used for customization (at runtime) in `ocis-web`
-- Can be queried and modified by other oCIS services
diff --git a/docs/services/settings/values.md b/docs/services/settings/values.md
deleted file mode 100644
index 53c1b16c90..0000000000
--- a/docs/services/settings/values.md
+++ /dev/null
@@ -1,73 +0,0 @@
----
-title: "Settings Values"
-date: 2020-05-04T00:00:00+00:00
-weight: 51
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/services/settings
-geekdocFilePath: values.md
----
-
-A **Settings Value** is the value an authenticated user has chosen for a specific setting, defined in a
-*settings bundle*.
-
-## Identifying settings values
-
-A *settings value* is uniquely identified by four attributes. Three of them are coming from the definition of
-the setting within it's settings bundle (see [Settings Bundles]({{< ref "bundles" >}})
-for an example). The fourth identifies the user.
-- extension: Key of the extension that registered the settings bundle,
-- bundleKey: Key of the settings bundle,
-- settingKey: Key of the setting as defined within the bundle,
-- accountUuid: The UUID of the authenticated user who has saved the setting.
-
-{{< hint info >}}
-When requests are going through `ocis-proxy`, the accountUuid attribute can be set to the static keyword `me`
-instead of using a real UUID. `ocis-proxy` will take care of minting the UUID of the authenticated user into
-a JWT, providing it in the HTTP header as `x-access-token`. That UUID is then used in this service, to replace
-`me` with the actual UUID of the authenticated user.
-{{< /hint >}}
-
-## Example of stored settings values
-
-```json
-{
- "values": {
- "language": {
- "identifier": {
- "extension": "ocis-accounts",
- "bundleKey": "profile",
- "settingKey": "language",
- "accountUuid": "5681371f-4a6e-43bc-8bb5-9c9237fa9c58"
- },
- "listValue": {
- "values": [
- {
- "stringValue": "de"
- }
- ]
- }
- },
- "timezone": {
- "identifier": {
- "extension": "ocis-accounts",
- "bundleKey": "profile",
- "settingKey": "timezone",
- "accountUuid": "5681371f-4a6e-43bc-8bb5-9c9237fa9c58"
- },
- "listValue": {
- "values": [
- {
- "stringValue": "Europe/Berlin"
- }
- ]
- }
- }
- }
-}
-```
-
-## gRPC endpoints
-Services can use gRPC endpoints of the `ValueService` to query and modify *settings values*.
-The gRPC endpoints require the same identifier attributes as described above, so for making a request to
-the `ValueService` you will have to make sure that the accountUuid of the authenticated user is available in
-your service at the time of the request.
diff --git a/docs/services/sharing/_index.md b/docs/services/sharing/_index.md
deleted file mode 100644
index ecdc21f5f4..0000000000
--- a/docs/services/sharing/_index.md
+++ /dev/null
@@ -1,16 +0,0 @@
----
-title: Sharing
-weight: 20
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/services/sharing
-geekdocFilePath: _index.md
-geekdocCollapseSection: true
----
-
-## Abstract
-
-This service implements the CS3 [LinkAPI](https://cs3org.github.io/cs3apis/#cs3.sharing.link.v1beta1.LinkAPI) to manage public links as well as the [CollaborationAPI](https://cs3org.github.io/cs3apis/#cs3.sharing.collaboration.v1beta1.CollaborationAPI) to manage user and group shares.
-
-## Table of Contents
-
-{{< toc-tree >}}
diff --git a/docs/services/sharing/configuration.md b/docs/services/sharing/configuration.md
deleted file mode 100644
index 21f7638805..0000000000
--- a/docs/services/sharing/configuration.md
+++ /dev/null
@@ -1,15 +0,0 @@
----
-title: Service Configuration
-date: 2018-05-02T00:00:00+00:00
-weight: 20
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/services/sharing
-geekdocFilePath: configuration.md
-geekdocCollapseSection: true
----
-
-## Example YAML Config
-
-{{< include file="services/_includes/sharing-config-example.yaml" language="yaml" >}}
-
-{{< include file="services/_includes/sharing_configvars.md" >}}
diff --git a/docs/services/sse/configuration.md b/docs/services/sse/configuration.md
deleted file mode 100644
index 902a2b5529..0000000000
--- a/docs/services/sse/configuration.md
+++ /dev/null
@@ -1,15 +0,0 @@
----
-title: Service Configuration
-date: 2018-08-08T00:00:00+00:00
-weight: 20
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/services/sse
-geekdocFilePath: configuration.md
-geekdocCollapseSection: true
----
-
-## Example YAML Config
-
-{{< include file="services/_includes/app-provider-config-example.yaml" language="yaml" >}}
-
-{{< include file="services/_includes/app-provider_configvars.md" >}}
diff --git a/docs/services/storage-publiclink/_index.md b/docs/services/storage-publiclink/_index.md
deleted file mode 100644
index 1a87d00b43..0000000000
--- a/docs/services/storage-publiclink/_index.md
+++ /dev/null
@@ -1,16 +0,0 @@
----
-title: Storage-Publiclink
-date: 2022-03-02T00:00:00+00:00
-weight: 20
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/services/storage-publiclink
-geekdocFilePath: _index.md
-geekdocCollapseSection: true
----
-
-## Abstract
-
-
-## Table of Contents
-
-{{< toc-tree >}}
diff --git a/docs/services/storage-publiclink/configuration.md b/docs/services/storage-publiclink/configuration.md
deleted file mode 100644
index 9c34ac21bd..0000000000
--- a/docs/services/storage-publiclink/configuration.md
+++ /dev/null
@@ -1,15 +0,0 @@
----
-title: Service Configuration
-date: 2018-05-02T00:00:00+00:00
-weight: 20
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/services/storage-publiclink
-geekdocFilePath: configuration.md
-geekdocCollapseSection: true
----
-
-## Example YAML Config
-
-{{< include file="services/_includes/storage-publiclink-config-example.yaml" language="yaml" >}}
-
-{{< include file="services/_includes/storage-publiclink_configvars.md" >}}
diff --git a/docs/services/storage-shares/_index.md b/docs/services/storage-shares/_index.md
deleted file mode 100644
index 223ce0f6a3..0000000000
--- a/docs/services/storage-shares/_index.md
+++ /dev/null
@@ -1,16 +0,0 @@
----
-title: Storage-Shares
-date: 2022-03-02T00:00:00+00:00
-weight: 20
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/services/storage-shares
-geekdocFilePath: _index.md
-geekdocCollapseSection: true
----
-
-## Abstract
-
-
-## Table of Contents
-
-{{< toc-tree >}}
diff --git a/docs/services/storage-shares/configuration.md b/docs/services/storage-shares/configuration.md
deleted file mode 100644
index 068af4d7a5..0000000000
--- a/docs/services/storage-shares/configuration.md
+++ /dev/null
@@ -1,15 +0,0 @@
----
-title: Service Configuration
-date: 2018-05-02T00:00:00+00:00
-weight: 20
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/services/storage-shares
-geekdocFilePath: configuration.md
-geekdocCollapseSection: true
----
-
-## Example YAML Config
-
-{{< include file="services/_includes/storage-shares-config-example.yaml" language="yaml" >}}
-
-{{< include file="services/_includes/storage-shares_configvars.md" >}}
diff --git a/docs/services/storage-system/configuration.md b/docs/services/storage-system/configuration.md
deleted file mode 100644
index 4e58119d61..0000000000
--- a/docs/services/storage-system/configuration.md
+++ /dev/null
@@ -1,15 +0,0 @@
----
-title: Service Configuration
-date: 2018-05-02T00:00:00+00:00
-weight: 20
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/services/storage-system
-geekdocFilePath: configuration.md
-geekdocCollapseSection: true
----
-
-## Example YAML Config
-
-{{< include file="services/_includes/storage-system-config-example.yaml" language="yaml" >}}
-
-{{< include file="services/_includes/storage-system_configvars.md" >}}
diff --git a/docs/services/storage-users/configuration.md b/docs/services/storage-users/configuration.md
deleted file mode 100644
index 156fb3fda7..0000000000
--- a/docs/services/storage-users/configuration.md
+++ /dev/null
@@ -1,15 +0,0 @@
----
-title: Service Configuration
-date: 2018-05-02T00:00:00+00:00
-weight: 20
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/services/storage-users
-geekdocFilePath: configuration.md
-geekdocCollapseSection: true
----
-
-## Example YAML Config
-
-{{< include file="services/_includes/storage-users-config-example.yaml" language="yaml" >}}
-
-{{< include file="services/_includes/storage-users_configvars.md" >}}
diff --git a/docs/services/thumbnails/.gitignore b/docs/services/thumbnails/.gitignore
deleted file mode 100644
index 63536ebfa2..0000000000
--- a/docs/services/thumbnails/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-grpc.md
diff --git a/docs/services/thumbnails/configuration.md b/docs/services/thumbnails/configuration.md
deleted file mode 100644
index 845255d096..0000000000
--- a/docs/services/thumbnails/configuration.md
+++ /dev/null
@@ -1,15 +0,0 @@
----
-title: Service Configuration
-date: 2018-05-02T00:00:00+00:00
-weight: 20
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/services/thumbnails
-geekdocFilePath: configuration.md
-geekdocCollapseSection: true
----
-
-## Example YAML Config
-
-{{< include file="services/_includes/thumbnails-config-example.yaml" language="yaml" >}}
-
-{{< include file="services/_includes/thumbnails_configvars.md" >}}
\ No newline at end of file
diff --git a/docs/services/userlog/configuration.md b/docs/services/userlog/configuration.md
deleted file mode 100644
index 555962003c..0000000000
--- a/docs/services/userlog/configuration.md
+++ /dev/null
@@ -1,15 +0,0 @@
----
-title: Service Configuration
-date: 2018-05-02T00:00:00+00:00
-weight: 20
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/services/userlog
-geekdocFilePath: configuration.md
-geekdocCollapseSection: true
----
-
-## Example YAML Config
-
-{{< include file="services/_includes/userlog-config-example.yaml" language="yaml" >}}
-
-{{< include file="services/_includes/userlog_configvars.md" >}}
diff --git a/docs/services/users/_index.md b/docs/services/users/_index.md
deleted file mode 100644
index 91f38a4986..0000000000
--- a/docs/services/users/_index.md
+++ /dev/null
@@ -1,16 +0,0 @@
----
-title: Users
-date: 2022-03-02T00:00:00+00:00
-weight: 20
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/services/users
-geekdocFilePath: _index.md
-geekdocCollapseSection: true
----
-
-## Abstract
-
-
-## Table of Contents
-
-{{< toc-tree >}}
diff --git a/docs/services/users/configuration.md b/docs/services/users/configuration.md
deleted file mode 100644
index 1f621a58d0..0000000000
--- a/docs/services/users/configuration.md
+++ /dev/null
@@ -1,15 +0,0 @@
----
-title: Service Configuration
-date: 2018-05-02T00:00:00+00:00
-weight: 20
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/services/users
-geekdocFilePath: configuration.md
-geekdocCollapseSection: true
----
-
-## Example YAML Config
-
-{{< include file="services/_includes/users-config-example.yaml" language="yaml" >}}
-
-{{< include file="services/_includes/users_configvars.md" >}}
diff --git a/docs/services/web/.gitignore b/docs/services/web/.gitignore
deleted file mode 100644
index 63536ebfa2..0000000000
--- a/docs/services/web/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-grpc.md
diff --git a/docs/services/web/configuration.md b/docs/services/web/configuration.md
deleted file mode 100644
index e003438719..0000000000
--- a/docs/services/web/configuration.md
+++ /dev/null
@@ -1,15 +0,0 @@
----
-title: Service Configuration
-date: 2018-05-02T00:00:00+00:00
-weight: 20
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/services/web
-geekdocFilePath: configuration.md
-geekdocCollapseSection: true
----
-
-## Example YAML Config
-
-{{< include file="services/_includes/web-config-example.yaml" language="yaml" >}}
-
-{{< include file="services/_includes/web_configvars.md" >}}
\ No newline at end of file
diff --git a/docs/services/web/releasing.md b/docs/services/web/releasing.md
deleted file mode 100644
index ac9be9f12f..0000000000
--- a/docs/services/web/releasing.md
+++ /dev/null
@@ -1,37 +0,0 @@
----
-title: "Releasing"
-weight: 40
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/services/web
-geekdocFilePath: releasing.md
----
-
-{{< toc >}}
-
-## Releasing
-
-The next generation Web Frontend is shipped as an oCIS Extension. The `ocis-web` extension is also embedded in the single binary and part of the `ocis server` command.
-
-To update this package within all the deliveries, we need to update the package in the following chain from the bottom to the top.
-
-### Package Hierarchy
-
-- [ocis](https://github.com/owncloud/ocis)
- - [ocis-web](https://github.com/owncloud/ocis/tree/master/web)
- - [ocis-pkg](https://github.com/owncloud/ocis/tree/master/ocis-pkg)
- - [ownCloud Web](https://github.com/owncloud/web)
-
-#### Prerequisites
-
-Before updating the assets, make sure that [ownCloud Web](https://github.com/owncloud/web) has been released first
-and take note of its release tag name.
-
-#### Updating ocis-web
-
-1. Create a branch `update-web-$version` in the [ocis repository](https://github.com/owncloud/ocis)
-2. Change into web package folder via `cd web`
-3. Inside `web/`, update the `Makefile` so that the WEB_ASSETS_VERSION variable references the currently released version of https://github.com/owncloud/web
-4. Move to the changelog (`cd ../changelog/`) and add a changelog file to the `unreleased/` folder (You can copy an old web release changelog item as a template)
-5. Move to the repo root (`cd ..`)and update the WEB_COMMITID in the `/.drone.env` file to the commit id from the released version (unless the existing commit id is already newer)
-6. **Optional:** Test the changes locally by running `cd ocis && go run cmd/ocis/main.go server`, visiting [https://localhost:9200](https://localhost:9200) and confirming everything renders correctly
-7. Commit your changes, push them and [create a PR](https://github.com/owncloud/ocis/pulls)
diff --git a/docs/services/webdav/.gitignore b/docs/services/webdav/.gitignore
deleted file mode 100644
index 63536ebfa2..0000000000
--- a/docs/services/webdav/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-grpc.md
diff --git a/docs/services/webdav/configuration.md b/docs/services/webdav/configuration.md
deleted file mode 100644
index 7e0f765b4e..0000000000
--- a/docs/services/webdav/configuration.md
+++ /dev/null
@@ -1,15 +0,0 @@
----
-title: Service Configuration
-date: 2018-05-02T00:00:00+00:00
-weight: 20
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/services/webdav
-geekdocFilePath: configuration.md
-geekdocCollapseSection: true
----
-
-## Example YAML Config
-
-{{< include file="services/_includes/webdav-config-example.yaml" language="yaml" >}}
-
-{{< include file="services/_includes/webdav_configvars.md" >}}
\ No newline at end of file
diff --git a/docs/services/webfinger/configuration.md b/docs/services/webfinger/configuration.md
deleted file mode 100644
index d2bcedef47..0000000000
--- a/docs/services/webfinger/configuration.md
+++ /dev/null
@@ -1,15 +0,0 @@
----
-title: Service Configuration
-date: 2018-05-02T00:00:00+00:00
-weight: 20
-geekdocRepo: https://github.com/owncloud/ocis
-geekdocEditPath: edit/master/docs/services/webfinger
-geekdocFilePath: configuration.md
-geekdocCollapseSection: true
----
-
-## Example YAML Config
-
-{{< include file="services/_includes/webfinger-config-example.yaml" language="yaml" >}}
-
-{{< include file="services/_includes/webfinger_configvars.md" >}}
diff --git a/docs/templates/ADOC.tmpl b/docs/templates/ADOC.tmpl
deleted file mode 100644
index 474649f183..0000000000
--- a/docs/templates/ADOC.tmpl
+++ /dev/null
@@ -1,60 +0,0 @@
-// set the attribute to true or leave empty, true without any quotes.
-// if the generated adoc file is used outside tabs, it renders correctly depending on the attribute set.
-// if inside, you need to also use the xxx_deprecation.adoc file. attributes can't be defined inside tabs.
-
-:show-deprecation: {{ .HasDeprecations }}
-
-ifeval::[{show-deprecation} == true]
-
-[#deprecation-note-{{ .Timestamp }}]
-[caption=]
-.Deprecation notes for the {{ .ExtensionName }} service
-[width="100%",cols="~,~,~,~",options="header"]
-|===
-| Deprecation Info
-| Deprecation Version
-| Removal Version
-| Deprecation Replacement
-
-{{- range .Deprecations }}
-
-| {{ .DeprecationInfo }}
-| {{ .DeprecationVersion }}
-| {{ .RemovalVersion }}
-| {{ .DeprecationReplacement }}
-{{- end }}
-|===
-
-{empty} +
-
-endif::[]
-
-[caption=]
-.Environment variables for the {{ .ExtensionName }} service
-[width="100%",cols="~,~,~,~,~",options="header"]
-|===
-| Name
-| IV
-| Type
-| Default Value
-| Description
-
-{{- range .Fields}}
-
-a| {{- range $i, $value := .EnvVars }}{{- if $i }} +
-{{ end -}}
-`{{- $value }}`
-{{- end }} +
-{{ .DeprecationLink }}
-a| [subs=-attributes]
-++{{.IntroductionVersion}} ++
-a| [subs=-attributes]
-++{{.Type}} ++
-a| [subs=-attributes]
-++{{.DefaultValue}} ++
-a| [subs=-attributes]
-{{.Description}}
-
-{{- end }}
-|===
-
diff --git a/docs/templates/ADOC_deprecation.tmpl b/docs/templates/ADOC_deprecation.tmpl
deleted file mode 100644
index fd340a8f0b..0000000000
--- a/docs/templates/ADOC_deprecation.tmpl
+++ /dev/null
@@ -1,2 +0,0 @@
-:show-deprecation: {{ .HasDeprecations }}
-
diff --git a/docs/templates/ADOC_extended.tmpl b/docs/templates/ADOC_extended.tmpl
deleted file mode 100644
index 829570039b..0000000000
--- a/docs/templates/ADOC_extended.tmpl
+++ /dev/null
@@ -1,26 +0,0 @@
-// collected through docs/helpers/extendedEnv.go
-
-[caption=]
-.Environment variables with extended scope not included in a service
-[width="100%",cols="35%,10%,18%,~"",options="header"]
-|===
-| Name
-| Type
-| Default Value
-| Description
-{{- range .Variables}}
-
-{{- if .Ignore }}
- {{ continue }}
-{{- end }}
-
-a| `{{- .Name }}` +
-a| [subs=-attributes]
-++{{ .Type }} ++
-a| [subs=-attributes]
-++{{.DefaultValue}} ++
-a| [subs=-attributes]
-++{{.Description}} ++
-
-{{- end }}
-|===
diff --git a/docs/templates/ADOC_global.tmpl b/docs/templates/ADOC_global.tmpl
deleted file mode 100644
index 0e779a5fca..0000000000
--- a/docs/templates/ADOC_global.tmpl
+++ /dev/null
@@ -1,35 +0,0 @@
-// collected through docs/helpers/adoc-generator.go.tmpl
-
-[.landscape]
-[caption=]
-.Environment variables with global scope available in multiple services
-[width="100%",cols="30%,~,25%,~,~,~",options="header"]
-|===
-| Name
-| IV
-| Services
-| Type
-| Default Value
-| Description
-{{ range . }}
-a| `{{ .Name }}`
-
-a| [subs=-attributes]
-++{{ .IntroductionVersion }} ++
-
-a| [subs=attributes+]
-{{- range .Services}}
-* xref:{s-path}/{{ . }}.adoc[{{ . }}] +
-{{- end }}
-
-a| [subs=-attributes]
-++{{ .Type }} ++
-
-a| [subs=-attributes]
-++{{ .DefaultValue }} ++
-
-a| [subs=-attributes]
-{{ .Description }}
-
-{{- end }}
-|===
diff --git a/docs/templates/CONFIGURATION.tmpl b/docs/templates/CONFIGURATION.tmpl
deleted file mode 100644
index ffa87ae79d..0000000000
--- a/docs/templates/CONFIGURATION.tmpl
+++ /dev/null
@@ -1,7 +0,0 @@
-## Environment Variables
-
-| Name | Type | Default Value | Description |
-|------|------|---------------|-------------|
-{{- range .}}
-| {{.Name}} | {{.Type}} | {{.DefaultValue}} | {{.Description}}|
-{{- end }}
\ No newline at end of file
diff --git a/docs/ocis/development/testing.md b/tests/README.md
similarity index 96%
rename from docs/ocis/development/testing.md
rename to tests/README.md
index aa73d2f015..219b326f0b 100644
--- a/docs/ocis/development/testing.md +++ b/tests/README.md @@ -1,13 +1,4 @@ ---- -title: "Acceptance Testing" -date: 2018-05-02T00:00:00+00:00 -weight: 20 -geekdocRepo: https://github.com/opencloud-eu/opencloud -geekdocEditPath: edit/master/docs/opencloud/development -geekdocFilePath: testing.md ---- - -{{< toc >}} +# Acceptance Testing To run tests in the test suite you have two options. You may go the easy way and just run the test suite in docker. But for some tasks you could also need to install the test suite natively, which requires a little more setup since PHP and some dependencies need to be installed. @@ -57,7 +48,7 @@ make -C tests/acceptance/docker localApiTests-apiGraph-s3ng runs the OpenCloud test suite `apiGraph` against the OpenCloud server with `s3ng` storage. -{{< hint info >}} +Note: While running the tests, OpenCloud server is started with [ocwrapper](https://github.com/opencloud-eu/opencloud/blob/master/tests/ocwrapper/README.md) (i.e. `WITH_WRAPPER=true`) by default. In order to run the tests without ocwrapper, provide `WITH_WRAPPER=false` when running the tests. For example: ```bash @@ -67,9 +58,8 @@ make -C tests/acceptance/docker test-opencloud-feature-ocis-storage ``` But some test suites that are tagged with `@env-config` require the OpenCloud server to be run with ocwrapper. So, running those tests require `WITH_WRAPPER=true` (default setting). -{{< /hint >}} -{{< hint info >}} +Note: To run the tests that require an email server (tests tagged with `@email`), you need to provide `START_EMAIL=true` while running the tests. ```bash @@ -78,9 +68,7 @@ BEHAT_FEATURE='tests/acceptance/features/apiNotification/emailNotification.featu make -C tests/acceptance/docker test-opencloud-feature-ocis-storage ``` -{{< /hint >}} - -{{< hint info >}} +Note: To run the tests that require tika service (tests tagged with `@tikaServiceNeeded`), you need to provide `START_TIKA=true` while running the tests. ```bash 
@@ -89,9 +77,7 @@ BEHAT_FEATURE='tests/acceptance/features/apiSearchContent/contentSearch.feature' make -C tests/acceptance/docker test-opencloud-feature-ocis-storage ``` -{{< /hint >}} - -{{< hint info >}} +Note: To run the tests that require an antivirus service (tests tagged with `@antivirus`), you need to provide the following environment variables while running the tests. ```bash @@ -103,8 +89,6 @@ BEHAT_FEATURE='tests/acceptance/features/apiAntivirus/antivirus.feature' \ make -C tests/acceptance/docker test-opencloud-feature-ocis-storage ``` -{{< /hint >}} - #### Tests Transferred From Core (prefix `coreApi`) Command `make -C tests/acceptance/docker Core-API-Tests-ocis-storage-3` runs the same tests as the `Core-API-Tests-ocis-storage-3` CI pipeline, which runs the third (out of ten) test suite groups transferred from core against the OpenCloud server with `ocis` storage. @@ -122,15 +106,13 @@ BEHAT_FEATURE='tests/acceptance/features/apiGraphUserGroup/createUser.feature' \ make -C tests/acceptance/docker test-opencloud-feature-ocis-storage ``` -{{< hint info >}} +Note: `BEHAT_FEATURE` must be pointing to a valid feature file -{{< /hint >}} And to run a single scenario in a feature, you can do: -{{< hint info >}} +Note: A specific scenario from a feature can be run by adding `:` at the end of the feature file path. For example, to run the scenario at line 26 of the feature file `apiGraphUserGroup/createUser.feature`, simply add the line number like this: `apiGraphUserGroup/createUser.feature:26`. Note that the line numbers mentioned in the examples might not always point to a scenario, so always check the line numbers before running the test. -{{< /hint >}} ```bash BEHAT_FEATURE='tests/acceptance/features/apiGraphUserGroup/createUser.feature:26' \ 
@@ -161,9 +143,8 @@ BEHAT_FEATURE='tests/acceptance/features/coreApiAuth/webDavAuth.feature:15' \ make -C tests/acceptance/docker test-core-feature-ocis-storage ``` -{{< hint info >}} +Note: The test suites transferred from core have `coreApi` prefixed -{{< /hint >}} ### OpenCloud Image to Be Tested (Skip Local Image Build) @@ -182,9 +163,8 @@ While a test is running or when it is finished, you can attach to the logs gener make -C tests/acceptance/docker show-test-logs ``` -{{< hint info >}} +Note: The log output is opened in `less`. You can navigate up and down with your cursors. By pressing "F" you can follow the latest line of the output. -{{< /hint >}} ### Cleanup @@ -225,9 +205,8 @@ Useful environment variables: `BEHAT_FEATURE`: to run a single feature -{{< hint info >}} +Note: A specific scenario from a feature can be run by adding `:` at the end of the feature file path. For example, to run the scenario at line 26 of the feature file `apiGraphUserGroup/createUser.feature`, simply add the line number like this: `apiGraphUserGroup/createUser.feature:26`. Note that the line numbers mentioned in the examples might not always point to a scenario, so always check the line numbers before running the test. -{{< /hint >}} > Example: > @@ -438,9 +417,8 @@ Make sure that the clamAV daemon is up and running sudo service clamav-daemon status ``` -{{< hint info >}} +Note: The commands are ubuntu specific and may differ according to your system. You can find information related to installation of clamAV in their official documentation [here](https://docs.clamav.net/manual/Installing/Packages.html). -{{< /hint>}} ##### Mac OS user 
@@ -486,13 +464,12 @@ OC_ADD_RUN_SERVICES="antivirus" opencloud/bin/opencloud server ``` -{{< hint info >}} +Note: The value for `ANTIVIRUS_CLAMAV_SOCKET` is an example which needs adaption according your OS. For antivirus running localy on Linux OS, use `ANTIVIRUS_CLAMAV_SOCKET= "/var/run/clamav/clamd.ctl"`. For antivirus running localy on Mac OS, use `ANTIVIRUS_CLAMAV_SOCKET= "/tmp/clamd.socket"`. For antivirus running with docker, use `ANTIVIRUS_CLAMAV_SOCKET= "tcp://host.docker.internal:3310"` -{{< /hint>}} #### Run the Acceptance Test @@ -551,11 +528,10 @@ opencloud/bin/opencloud server The second OpenCloud instance should be available at: https://localhost:10200/ -{{< hint info >}} +Note: To enable ocm in the web interface, you need to set the following envs: `OC_ENABLE_OCM="true"` `OC_ADD_RUN_SERVICES="ocm"` -{{< /hint>}} #### Run the Acceptance Test