Merge pull request #2577 from owncloud/add_machine_auth_to_secrets

document machine auth api key

deployments/examples/cs3_users_ocis/.env

@@ -21,7 +21,8 @@ OCIS_DOMAIN=
 OCIS_JWT_SECRET=
 # JWT secret which is used for uploads to create transfer tokens. Must be changed in order to have a secure oCIS. Defaults to "replace-me-with-a-transfer-secret"
 STORAGE_TRANSFER_SECRET=
-
+# Machine auth api key secret. Must be changed in order to have a secure oCIS. Defaults to "change-me-please"
+OCIS_MACHINE_AUTH_API_KEY=
 
 ### LDAP server settings ###
 # Password of LDAP user "cn=admin,dc=owncloud,dc=com". Defaults to "admin"

deployments/examples/cs3_users_ocis/docker-compose.yml

@@ -84,6 +84,7 @@ services:
       # change default secrets
       OCIS_JWT_SECRET: ${OCIS_JWT_SECRET:-Pive-Fumkiu4}
       STORAGE_TRANSFER_SECRET: ${STORAGE_TRANSFER_SECRET:-replace-me-with-a-transfer-secret}
+      OCIS_MACHINE_AUTH_API_KEY: ${OCIS_MACHINE_AUTH_API_KEY:-change-me-please}
     volumes:
       - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh
       - ./config/ocis/web-config.dist.json:/config/web-config.dist.json

deployments/examples/oc10_ocis_parallel/.env

@@ -24,6 +24,8 @@ OCIS_DOCKER_TAG=
 OCIS_JWT_SECRET=
 # JWT secret which is used for uploads to create transfer tokens. Must be changed in order to have a secure oCIS. Defaults to "replace-me-with-a-transfer-secret"
 STORAGE_TRANSFER_SECRET=
+# Machine auth api key secret. Must be changed in order to have a secure oCIS. Defaults to "change-me-please"
+OCIS_MACHINE_AUTH_API_KEY=
 
 ### oCIS settings ###
 # oC10 version. Defaults to "latest"

deployments/examples/oc10_ocis_parallel/docker-compose.yml

@@ -115,6 +115,7 @@ services:
       # change default secrets
       OCIS_JWT_SECRET: ${OCIS_JWT_SECRET:-Pive-Fumkiu4}
       STORAGE_TRANSFER_SECRET: ${STORAGE_TRANSFER_SECRET:-replace-me-with-a-transfer-secret}
+      OCIS_MACHINE_AUTH_API_KEY: ${OCIS_MACHINE_AUTH_API_KEY:-change-me-please}
     volumes:
       - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh
       - ./config/ocis/proxy-config.dist.json:/config/proxy-config.dist.json

deployments/examples/ocis_hello/.env

@@ -25,6 +25,8 @@ STORAGE_LDAP_BIND_PASSWORD=
 OCIS_JWT_SECRET=
 # JWT secret which is used for uploads to create transfer tokens. Must be changed in order to have a secure oCIS. Defaults to "replace-me-with-a-transfer-secret"
 STORAGE_TRANSFER_SECRET=
+# Machine auth api key secret. Must be changed in order to have a secure oCIS. Defaults to "change-me-please"
+OCIS_MACHINE_AUTH_API_KEY=
 
 ### oCIS Hello settings ###
 # oCIS Hello version. Defaults to "latest"

deployments/examples/ocis_hello/docker-compose.yml

@@ -60,6 +60,7 @@ services:
       STORAGE_LDAP_BIND_PASSWORD: ${STORAGE_LDAP_BIND_PASSWORD:-reva}
       OCIS_JWT_SECRET: ${OCIS_JWT_SECRET:-Pive-Fumkiu4}
       STORAGE_TRANSFER_SECRET: ${STORAGE_TRANSFER_SECRET:-replace-me-with-a-transfer-secret}
+      OCIS_MACHINE_AUTH_API_KEY: ${OCIS_MACHINE_AUTH_API_KEY:-change-me-please}
       # web ui
       WEB_UI_CONFIG: "/var/tmp/ocis/.config/web-config.json"
       # proxy

deployments/examples/ocis_keycloak/.env

@@ -27,6 +27,8 @@ STORAGE_LDAP_BIND_PASSWORD=
 OCIS_JWT_SECRET=
 # JWT secret which is used for uploads to create transfer tokens. Must be changed in order to have a secure oCIS. Defaults to "replace-me-with-a-transfer-secret"
 STORAGE_TRANSFER_SECRET=
+# Machine auth api key secret. Must be changed in order to have a secure oCIS. Defaults to "change-me-please"
+OCIS_MACHINE_AUTH_API_KEY=
 
 ### Keycloak ###
 # Domain of Keycloak, where you can find the management and authentication frontend. Defaults to "keycloak.owncloud.test"

deployments/examples/ocis_keycloak/docker-compose.yml

@@ -69,6 +69,7 @@ services:
       STORAGE_LDAP_BIND_PASSWORD: ${STORAGE_LDAP_BIND_PASSWORD:-reva}
       OCIS_JWT_SECRET: ${OCIS_JWT_SECRET:-Pive-Fumkiu4}
       STORAGE_TRANSFER_SECRET: ${STORAGE_TRANSFER_SECRET:-replace-me-with-a-transfer-secret}
+      OCIS_MACHINE_AUTH_API_KEY: ${OCIS_MACHINE_AUTH_API_KEY:-change-me-please}
     volumes:
       - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh
       - ocis-data:/var/tmp/ocis

deployments/examples/ocis_s3/.env

@@ -25,6 +25,8 @@ STORAGE_LDAP_BIND_PASSWORD=
 OCIS_JWT_SECRET=
 # JWT secret which is used for uploads to create transfer tokens. Must be changed in order to have a secure oCIS. Defaults to "replace-me-with-a-transfer-secret"
 STORAGE_TRANSFER_SECRET=
+# Machine auth api key secret. Must be changed in order to have a secure oCIS. Defaults to "change-me-please"
+OCIS_MACHINE_AUTH_API_KEY=
 
 ### MINIO / S3 settings ###
 # Domain of MinIO where the Web UI is accessible. Defaults to "minio.owncloud.test".

deployments/examples/ocis_s3/docker-compose.yml

@@ -59,6 +59,7 @@ services:
       STORAGE_LDAP_BIND_PASSWORD: ${STORAGE_LDAP_BIND_PASSWORD:-reva}
       OCIS_JWT_SECRET: ${OCIS_JWT_SECRET:-Pive-Fumkiu4}
       STORAGE_TRANSFER_SECRET: ${STORAGE_TRANSFER_SECRET:-replace-me-with-a-transfer-secret}
+      OCIS_MACHINE_AUTH_API_KEY: ${OCIS_MACHINE_AUTH_API_KEY:-change-me-please}
       # activate s3ng storage driver
       STORAGE_HOME_DRIVER: s3ng
       STORAGE_USERS_DRIVER: s3ng

deployments/examples/ocis_traefik/.env

@@ -25,6 +25,8 @@ STORAGE_LDAP_BIND_PASSWORD=
 OCIS_JWT_SECRET=
 # JWT secret which is used for uploads to create transfer tokens. Must be changed in order to have a secure oCIS. Defaults to "replace-me-with-a-transfer-secret"
 STORAGE_TRANSFER_SECRET=
+# Machine auth api key secret. Must be changed in order to have a secure oCIS. Defaults to "change-me-please"
+OCIS_MACHINE_AUTH_API_KEY=
 
 # If you want to use debugging and tracing with this stack,
 # you need uncomment following line. Please see documentation at

deployments/examples/ocis_traefik/docker-compose.yml

@@ -59,6 +59,7 @@ services:
       STORAGE_LDAP_BIND_PASSWORD: ${STORAGE_LDAP_BIND_PASSWORD:-reva}
       OCIS_JWT_SECRET: ${OCIS_JWT_SECRET:-Pive-Fumkiu4}
       STORAGE_TRANSFER_SECRET: ${STORAGE_TRANSFER_SECRET:-replace-me-with-a-transfer-secret}
+      OCIS_MACHINE_AUTH_API_KEY: ${OCIS_MACHINE_AUTH_API_KEY:-change-me-please}
     volumes:
       - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh
       - ocis-data:/var/tmp/ocis

deployments/examples/ocis_wopi/.env

@@ -25,6 +25,8 @@ STORAGE_LDAP_BIND_PASSWORD=
 OCIS_JWT_SECRET=
 # JWT secret which is used for uploads to create transfer tokens. Must be changed in order to have a secure oCIS. Defaults to "replace-me-with-a-transfer-secret"
 STORAGE_TRANSFER_SECRET=
+# Machine auth api key secret. Must be changed in order to have a secure oCIS. Defaults to "change-me-please"
+OCIS_MACHINE_AUTH_API_KEY=
 
 ### Wopi server settings ###
 # oCIS Wopi server version. Defaults to "latest"

deployments/examples/ocis_wopi/docker-compose.yml

@@ -61,6 +61,7 @@ services:
       IDP_LDAP_BIND_PASSWORD: ${IDP_LDAP_BIND_PASSWORD:-idp}
       STORAGE_LDAP_BIND_PASSWORD: ${STORAGE_LDAP_BIND_PASSWORD:-reva}
       OCIS_JWT_SECRET: ${OCIS_JWT_SECRET:-Pive-Fumkiu4}
+      OCIS_MACHINE_AUTH_API_KEY: ${OCIS_MACHINE_AUTH_API_KEY:-change-me-please}
       STORAGE_TRANSFER_SECRET: ${STORAGE_TRANSFER_SECRET:-replace-me-with-a-transfer-secret}
       # web ui
       WEB_UI_CONFIG: "/var/tmp/ocis/.config/web-config.json"
@@ -98,6 +99,7 @@ services:
       OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-error} # make oCIS less verbose
       WOPISERVER_REVA_GATEWAY_ADDR: ocis:9142
       OCIS_JWT_SECRET: ${OCIS_JWT_SECRET:-Pive-Fumkiu4}
+      OCIS_MACHINE_AUTH_API_KEY: ${OCIS_MACHINE_AUTH_API_KEY:-change-me-please}
     logging:
       driver: "local"
     restart: always

docs/ocis/deployment/_index.md

@@ -42,6 +42,9 @@ You can change it by setting the `OCIS_JWT_SECRET` environment variable for oCIS
 Another is used secret for singing JWT tokens for uploads and downloads, which also needs to be changed by the user.
 You can change it by setting the `STORAGE_TRANSFER_SECRET` environment variable for oCIS to a random string.
 
+One more secret is used for machine auth, so that external applications can authenticate with an API key.
+You can change it by setting the `OCIS_MACHINE_AUTH_API_KEY` environment variable for oCIS to a random string.
+
 ### Delete demo users
 
 {{< hint info >}}

docs/ocis/deployment/oc10_ocis_parallel.md

@@ -84,6 +84,8 @@ See also [example server setup]({{< ref "preparing_server" >}})
       OCIS_JWT_SECRET=
       # JWT secret which is used for uploads to create transfer tokens. Must be changed in order to have a secure oCIS. Defaults to "replace-me-with-a-transfer-secret"
       STORAGE_TRANSFER_SECRET=
+      # Machine auth api key secret. Must be changed in order to have a secure oCIS. Defaults to "change-me-please"
+      OCIS_MACHINE_AUTH_API_KEY=
 
       ### oCIS settings ###
       # oC10 version. Defaults to "latest"

docs/ocis/deployment/ocis_hello.md

@@ -75,6 +75,8 @@ See also [example server setup]({{< ref "preparing_server" >}})
       OCIS_JWT_SECRET=
       # JWT secret which is used for uploads to create transfer tokens. Must be changed in order to have a secure oCIS. Defaults to "replace-me-with-a-transfer-secret"
       STORAGE_TRANSFER_SECRET=
+      # Machine auth api key secret. Must be changed in order to have a secure oCIS. Defaults to "change-me-please"
+      OCIS_MACHINE_AUTH_API_KEY=
 
       ### oCIS Hello settings ###
       # oCIS Hello version. Defaults to "latest"

docs/ocis/deployment/ocis_keycloak.md

@@ -78,6 +78,8 @@ See also [example server setup]({{< ref "preparing_server" >}})
   OCIS_JWT_SECRET=
   # JWT secret which is used for uploads to create transfer tokens. Must be changed in order to have a secure oCIS. Defaults to "replace-me-with-a-transfer-secret"
   STORAGE_TRANSFER_SECRET=
+  # Machine auth api key secret. Must be changed in order to have a secure oCIS. Defaults to "change-me-please"
+  OCIS_MACHINE_AUTH_API_KEY=
 
   ### Keycloak ###
   # Domain of Keycloak, where you can find the management and authentication frontend. Defaults to "keycloak.owncloud.test"

docs/ocis/deployment/ocis_s3.md

@@ -77,6 +77,8 @@ See also [example server setup]({{< ref "preparing_server" >}})
       OCIS_JWT_SECRET=
       # JWT secret which is used for uploads to create transfer tokens. Must be changed in order to have a secure oCIS. Defaults to "replace-me-with-a-transfer-secret"
       STORAGE_TRANSFER_SECRET=
+      # Machine auth api key secret. Must be changed in order to have a secure oCIS. Defaults to "change-me-please"
+      OCIS_MACHINE_AUTH_API_KEY=
 
       ### MINIO / S3 settings ###
       # Domain of MinIO where the Web UI is accessible. Defaults to "minio.owncloud.test".

docs/ocis/deployment/ocis_traefik.md

@@ -72,6 +72,8 @@ See also [example server setup]({{< ref "preparing_server" >}})
   OCIS_JWT_SECRET=
   # JWT secret which is used for uploads to create transfer tokens. Must be changed in order to have a secure oCIS. Defaults to "replace-me-with-a-transfer-secret"
   STORAGE_TRANSFER_SECRET=
+  # Machine auth api key secret. Must be changed in order to have a secure oCIS. Defaults to "change-me-please"
+  OCIS_MACHINE_AUTH_API_KEY=
   ```
 
   You are installing oCIS on a server and Traefik will obtain valid certificates for you so please remove `INSECURE=true` or set it to `false`.

docs/ocis/deployment/ocis_wopi.md

@@ -80,6 +80,8 @@ See also [example server setup]({{< ref "preparing_server" >}})
     OCIS_JWT_SECRET=
     # JWT secret which is used for uploads to create transfer tokens. Must be changed in order to have a secure oCIS. Defaults to "replace-me-with-a-transfer-secret"
     STORAGE_TRANSFER_SECRET=
+    # Machine auth api key secret. Must be changed in order to have a secure oCIS. Defaults to "change-me-please"
+    OCIS_MACHINE_AUTH_API_KEY=
 
     ### Wopi server settings ###
     # oCIS Wopi server version. Defaults to "latest"