diff --git a/docs/ocis/deployment/_index.md b/docs/ocis/deployment/_index.md index ab101b652e..3c3159a4e7 100644 --- a/docs/ocis/deployment/_index.md +++ b/docs/ocis/deployment/_index.md 
@@ -26,3 +26,29 @@ You can run ownCloud 10 and oCIS together. This allows you to use new parts of o - [ownCloud 10 setup with oCIS serving ownCloud Web and acting as OIDC provider]({{< ref "owncloud10_with_oc_web.md" >}}) - This allows you to switch between the traditional ownCloud 10 frontend and the new ownCloud Web frontend - Run ownCloud 10 and oCIS in parallel - together - Migrate users from ownCloud 10 to oCIS + + +## Secure an oCIS instance + +### Change default secrets +oCIS uses two system users which are needed for being operational: +- Reva Inter Operability Platform (bc596f3c-c955-4328-80a0-60d018b4ad57) +- Kopano IDP (820ba2a1-3f54-4538-80a4-2d73007e30bf) + +Both have simple default passwords which need to be changed. Currently, changing a password is only possible on the command line. You need to run `ocis accounts update --password ` for both users. + +The new password for the Reva Inter Operability Platform user must be made available to oCIS by using the environment variable `STORAGE_LDAP_BIND_PASSWORD`. The same applies to the new Kopano IDP user password, which needs do be made available to oCIS in `IDP_LDAP_BIND_PASSWORD`. + +Furthermore oCIS needs to share a JWT token with REVA, wich also need to be changed by the user. +You can change it by setting the `OCIS_JWT_SECRET` environment variable for oCIS to a random string. + +### Delete demo users +oCIS ships with a few demo users besides the system users: +- Admin (ddc2004c-0977-11eb-9d3f-a793888cd0f8) +- Albert Einstein (4c510ada-c86b-4815-8820-42cdf82c3d51) +- Richard Feynman (932b4540-8d16-481e-8ef4-588e4b6b151c) +- Maurice Moss (058bff95-6708-4fe5-91e4-9ea3d377588b) +- Marie Curie (f7fbf8c8-139b-4376-b307-cf0a8c2d0d9c) + +You can view them in ownCloud Web if you log in as Admin user or list them by running `ocis accounts list`. +Before deleting all demo users mentioned above, you must create a new account for yourself and assign it to the administrator role. 
After doing so it is safe to delete the demo users in the web UI or with the command `ocis accounts remove `. Please do not delete the system users (see [change default secrets]({{< ref "_index.md#change-default-secrets" >}})) or oCIS will not function properly anymore. diff --git a/docs/ocis/deployment/basic-remote-setup.md b/docs/ocis/deployment/basic-remote-setup.md index b28d30f7c2..48a828206a 100644 --- a/docs/ocis/deployment/basic-remote-setup.md +++ b/docs/ocis/deployment/basic-remote-setup.md @@ -21,6 +21,10 @@ Upon first start of the oCIS fullstack server with `./bin/ocis server` it will g The `identifier-registration.yml` file will only be generated if does not exist. If you want to change certain environment variables like `OCIS_URL`, please delete this file first before doing so. Otherwise your changes will not be applied correctly and you will run into errors. {{< /hint >}} +{{< hint warning >}} +oCIS is currently in a Tech Preview state and is shipped with demo users. In order to secure your oCIS instances please follow following guide: [secure an oCIS instance]({{< ref "_index.md/#secure-an-ocis-instance" >}}) +{{< /hint >}} + For the following examples you need to have the oCIS binary in your current working directory, we assume it is named `ocis` and it needs to be marked as executable. See [Getting Started]({{< ref "../getting-started/#binaries" >}}) for where to get the binary from. ### Using automatically generated certificates diff --git a/docs/ocis/deployment/ocis_keycloak.md b/docs/ocis/deployment/ocis_keycloak.md index ea85f9fcd2..9f901d0233 100644 --- a/docs/ocis/deployment/ocis_keycloak.md +++ b/docs/ocis/deployment/ocis_keycloak.md 
@@ -70,6 +70,12 @@ See also [example server setup]({{< ref "preparing_server.md" >}}) OCIS_DOMAIN= # ownCloud Web openid connect client id. Defaults to "ocis-web" OCIS_OIDC_CLIENT_ID= + # IDP LDAP bind password. Must be changed in order to have a secure oCIS. Defaults to "idp". + IDP_LDAP_BIND_PASSWORD= + # Storage LDAP bind password. Must be changed in order to have a secure oCIS. Defaults to "reva". + STORAGE_LDAP_BIND_PASSWORD= + # JWT secret which is used for the storage provider. Must be changed in order to have a secure oCIS. Defaults to "Pive-Fumkiu4" + OCIS_JWT_SECRET= ### Keycloak ### # Domain of Keycloak, where you can find the management and authentication frontend. Defaults to "keycloak.owncloud.test" @@ -97,6 +103,8 @@ See also [example server setup]({{< ref "preparing_server.md" >}}) If you want to change the OIDC client id of th ownCloud Web frontend, you can do this by setting the name to `OCIS_OIDC_CLIENT_ID=`. + You also must override three default secrets in `IDP_LDAP_BIND_PASSWORD`, `STORAGE_LDAP_BIND_PASSWORD` and `OCIS_JWT_SECRET` in order to secure your oCIS instance. Choose some random strings eg. from the output of `openssl rand -base64 32`. For more information see [secure an oCIS instance]({{< ref "_index.md/#secure-an-ocis-instance" >}}). + Set your domain for the Keycloak administration panel and authentication endpoints to `KEYCLOAK_DOMAIN=` eg. `KEYCLOAK_DOMAIN=keycloak.owncloud.test`. Changing the used Keycloak realm can be done by setting `KEYCLOAK_REALM=`. This defaults to the oCIS realm `KEYCLOAK_REALM=oCIS`. The oCIS realm will be automatically imported on startup and includes our demo users. diff --git a/docs/ocis/deployment/ocis_traefik.md b/docs/ocis/deployment/ocis_traefik.md index 0e96a35ff9..34ccc422bf 100644 --- a/docs/ocis/deployment/ocis_traefik.md +++ b/docs/ocis/deployment/ocis_traefik.md 
@@ -64,6 +64,12 @@ See also [example server setup]({{< ref "preparing_server.md" >}}) OCIS_DOCKER_TAG= # Domain of oCIS, where you can find the frontend. Defaults to "ocis.owncloud.test" OCIS_DOMAIN= + # IDP LDAP bind password. Must be changed in order to have a secure oCIS. Defaults to "idp". + IDP_LDAP_BIND_PASSWORD= + # Storage LDAP bind password. Must be changed in order to have a secure oCIS. Defaults to "reva". + STORAGE_LDAP_BIND_PASSWORD= + # JWT secret which is used for the storage provider. Must be changed in order to have a secure oCIS. Defaults to "Pive-Fumkiu4" + OCIS_JWT_SECRET= ``` You are installing oCIS on a server and Traefik will obtain valid certificates for you so please remove `INSECURE=true` or set it to `false`. @@ -78,6 +84,8 @@ See also [example server setup]({{< ref "preparing_server.md" >}}) Set your domain for the oCIS frontend in `OCIS_DOMAIN=`, eg. `OCIS_DOMAIN=ocis.owncloud.test`. + You also must override three default secrets in `IDP_LDAP_BIND_PASSWORD`, `STORAGE_LDAP_BIND_PASSWORD` and `OCIS_JWT_SECRET` in order to secure your oCIS instance. Choose some random strings eg. from the output of `openssl rand -base64 32`. For more information see [secure an oCIS instance]({{< ref "_index.md/#secure-an-ocis-instance" >}}). + Now you have configured everything and can save the file. * Start the docker stack diff --git a/docs/ocis/deployment/preparing_server.md b/docs/ocis/deployment/preparing_server.md index 5e6bba68e4..8bd1724c9d 100644 --- a/docs/ocis/deployment/preparing_server.md +++ b/docs/ocis/deployment/preparing_server.md @@ -1,7 +1,7 @@ --- title: "Preparing a server" date: 2020-10-12T14:04:00+01:00 -weight: 10 +weight: 100 geekdocRepo: https://github.com/owncloud/ocis geekdocEditPath: edit/master/docs/ocis/deployment geekdocFilePath: preparing_server.md
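Review bot: in the `_index.md` hunk (`@@ -26,3 +26,29 @@`), the two CLI examples `ocis accounts update --password ` and `ocis accounts remove ` appear without any argument in this rendering, so the reader cannot tell what to pass; show the full invocation with a placeholder for the account id (the UUIDs listed just above each command are the natural candidates) and for the password value. Same hunk, wording: "which needs do be made available" should read "which needs to be made available", "wich also need to be changed" should read "which also needs to be changed", and "Furthermore oCIS" wants a comma after "Furthermore". Since the `ocis_keycloak.md` and `ocis_traefik.md` hunks in this same patch recommend `openssl rand -base64 32` for the new values, repeat that hint here next to `OCIS_JWT_SECRET` so the three pages give the same advice.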
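Review bot: in the `basic-remote-setup.md` hunk (`@@ -21,6 +21,10 @@`), the new hint links with `{{< ref "_index.md/#secure-an-ocis-instance" >}}` (slash before `#`), while the link added to `_index.md` in this patch uses `{{< ref "_index.md#change-default-secrets" >}}`; the same `/#` form is used in the keycloak and traefik hunks, so pick one form for all four new references and verify it actually resolves with the ref shortcode. Grammar in the same line: "please follow following guide" should read "please follow this guide", and "your oCIS instances" should be "your oCIS instance" to match the heading it links to.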
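Review bot: in the `ocis_keycloak.md` env-file hunk (`@@ -70,6 +70,12 @@`) and the identical block added in `ocis_traefik.md` (`@@ -64,6 +64,12 @@`), the comment for `OCIS_JWT_SECRET` (`Defaults to "Pive-Fumkiu4"`) is missing the trailing period that the two preceding comments end with; while touching it, add how to produce a value, e.g. `openssl rand -base64 32`, which the prose hunks further down already recommend, so that a reader who only copies the env file is not left with an empty `OCIS_JWT_SECRET=` and no guidance.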
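Review bot: in the `ocis_keycloak.md` prose hunk (`@@ -97,6 +103,8 @@`), duplicated verbatim in `ocis_traefik.md` (`@@ -78,6 +84,8 @@`), the new sentence tells the reader to put random strings into all three variables, but `IDP_LDAP_BIND_PASSWORD` and `STORAGE_LDAP_BIND_PASSWORD` have to carry the passwords that were set on the two system accounts with `ocis accounts update --password`, as the `_index.md` hunk explains; a random value placed only in the env file will not match those accounts. Say that the LDAP values must equal the account passwords and that the random-string advice applies to `OCIS_JWT_SECRET` (and to the passwords only when they are also set on the accounts). Minor: `eg.` should be `e.g.` in the new line and in the pre-existing `KEYCLOAK_DOMAIN` sentence right after it, and the pre-existing context line "client id of th ownCloud Web frontend" is missing the "e" in "the".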