From 08047e1d83ed2271c8682eb2065549ad31673691 Mon Sep 17 00:00:00 2001
From: Willy Kloucek
Date: Thu, 29 Jul 2021 16:05:25 +0200
Subject: [PATCH] document storage transfer token
---
 deployments/examples/cs3_users_ocis/.env | 2 ++
 deployments/examples/cs3_users_ocis/docker-compose.yml | 1 +
 deployments/examples/ocis_hello/.env | 2 ++
 deployments/examples/ocis_hello/docker-compose.yml | 1 +
 deployments/examples/ocis_keycloak/.env | 2 ++
 deployments/examples/ocis_keycloak/docker-compose.yml | 1 +
 deployments/examples/ocis_s3/.env | 2 ++
 deployments/examples/ocis_s3/docker-compose.yml | 1 +
 deployments/examples/ocis_traefik/.env | 2 ++
 deployments/examples/ocis_traefik/docker-compose.yml | 1 +
 deployments/examples/ocis_wopi/.env | 2 ++
 deployments/examples/ocis_wopi/docker-compose.yml | 1 +
 docs/ocis/deployment/_index.md | 3 +++
 docs/ocis/deployment/ocis_hello.md | 2 ++
 docs/ocis/deployment/ocis_keycloak.md | 4 +++-
 docs/ocis/deployment/ocis_s3.md | 2 ++
 docs/ocis/deployment/ocis_traefik.md | 2 ++
 docs/ocis/deployment/ocis_wopi.md | 2 ++
 18 files changed, 32 insertions(+), 1 deletion(-)
diff --git a/deployments/examples/cs3_users_ocis/.env b/deployments/examples/cs3_users_ocis/.env
index 4dfe61c5b0..8fcde5ab6a 100644
--- a/deployments/examples/cs3_users_ocis/.env
+++ b/deployments/examples/cs3_users_ocis/.env
@@ -19,6 +19,8 @@ OCIS_DOCKER_TAG=
 OCIS_DOMAIN=
 # JWT secret which is used for the storage provider. Must be changed in order to have a secure oCIS. Defaults to "Pive-Fumkiu4"
 OCIS_JWT_SECRET=
+# JWT secret which is used for uploads to create transfer tokens. Must be changed in order to have a secure oCIS. Defaults to "replace-me-with-a-transfer-secret"
+OCIS_TRANSFER_SECRET=
 ### LDAP server settings ###
diff --git a/deployments/examples/cs3_users_ocis/docker-compose.yml b/deployments/examples/cs3_users_ocis/docker-compose.yml
index 1f1e21a626..ddd48db5d4 100644
--- a/deployments/examples/cs3_users_ocis/docker-compose.yml
+++ b/deployments/examples/cs3_users_ocis/docker-compose.yml
@@ -76,6 +76,7 @@ services:
 PROXY_TLS: "false" # do not use SSL between Traefik and oCIS
 # change default secrets
 OCIS_JWT_SECRET: ${OCIS_JWT_SECRET:-Pive-Fumkiu4}
+ OCIS_TRANSFER_SECRET: ${STORAGE_TRANSFER_SECRET:-replace-me-with-a-transfer-secret}
 volumes:
 - ./config/ocis/proxy-config.json:/config/proxy-config.json
 - ocis-data:/var/tmp/ocis
diff --git a/deployments/examples/ocis_hello/.env b/deployments/examples/ocis_hello/.env
index a973d9ced3..50f2525a61 100644
--- a/deployments/examples/ocis_hello/.env
+++ b/deployments/examples/ocis_hello/.env
@@ -23,6 +23,8 @@ IDP_LDAP_BIND_PASSWORD=
 STORAGE_LDAP_BIND_PASSWORD=
 # JWT secret which is used for the storage provider. Must be changed in order to have a secure oCIS. Defaults to "Pive-Fumkiu4"
 OCIS_JWT_SECRET=
+# JWT secret which is used for uploads to create transfer tokens. Must be changed in order to have a secure oCIS. Defaults to "replace-me-with-a-transfer-secret"
+OCIS_TRANSFER_SECRET=
 ### oCIS Hello settings ###
 # oCIS Hello version. Defaults to "latest"
diff --git a/deployments/examples/ocis_hello/docker-compose.yml b/deployments/examples/ocis_hello/docker-compose.yml
index 08cca54660..02b17b32d2 100644
--- a/deployments/examples/ocis_hello/docker-compose.yml
+++ b/deployments/examples/ocis_hello/docker-compose.yml
@@ -58,6 +58,7 @@ services:
 IDP_LDAP_BIND_PASSWORD: ${IDP_LDAP_BIND_PASSWORD:-idp}
 STORAGE_LDAP_BIND_PASSWORD: ${STORAGE_LDAP_BIND_PASSWORD:-reva}
 OCIS_JWT_SECRET: ${OCIS_JWT_SECRET:-Pive-Fumkiu4}
+ OCIS_TRANSFER_SECRET: ${STORAGE_TRANSFER_SECRET:-replace-me-with-a-transfer-secret}
 # web ui
 WEB_UI_CONFIG: "/config/config.json"
 # proxy
diff --git a/deployments/examples/ocis_keycloak/.env b/deployments/examples/ocis_keycloak/.env
index ac08b37e20..b5c1bb02a5 100644
--- a/deployments/examples/ocis_keycloak/.env
+++ b/deployments/examples/ocis_keycloak/.env
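Review bot: In `deployments/examples/cs3_users_ocis/docker-compose.yml` the added line interpolates `${STORAGE_TRANSFER_SECRET:-replace-me-with-a-transfer-secret}`, but the `.env` file added in the same commit defines `OCIS_TRANSFER_SECRET=`, so a value an operator sets there is never picked up and, unless `STORAGE_TRANSFER_SECRET` happens to be set elsewhere, the container signs transfer tokens with the published default. The same line is added to the ocis_hello, ocis_keycloak, ocis_s3, ocis_traefik and ocis_wopi compose files. Interpolating the name the `.env` files use would close the gap: `OCIS_TRANSFER_SECRET: ${OCIS_TRANSFER_SECRET:-replace-me-with-a-transfer-secret}`. The `docs/ocis/deployment/_index.md` hunk tells users to set `STORAGE_TRANSFER_SECRET` on oCIS itself while these files pass `OCIS_TRANSFER_SECRET` into the container, so it is worth confirming which name the service actually reads. A comment such as `# example default only, set a random value in .env before exposing this stack` above the line would also help, since the fallback is a publicly known string.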
@@ -25,6 +25,8 @@ IDP_LDAP_BIND_PASSWORD=
 STORAGE_LDAP_BIND_PASSWORD=
 # JWT secret which is used for the storage provider. Must be changed in order to have a secure oCIS. Defaults to "Pive-Fumkiu4"
 OCIS_JWT_SECRET=
+# JWT secret which is used for uploads to create transfer tokens. Must be changed in order to have a secure oCIS. Defaults to "replace-me-with-a-transfer-secret"
+OCIS_TRANSFER_SECRET=
 ### Keycloak ###
 # Domain of Keycloak, where you can find the managment and authentication frontend. Defaults to "keycloak.owncloud.test"
diff --git a/deployments/examples/ocis_keycloak/docker-compose.yml b/deployments/examples/ocis_keycloak/docker-compose.yml
index 59635a8355..608a83fbb8 100644
--- a/deployments/examples/ocis_keycloak/docker-compose.yml
+++ b/deployments/examples/ocis_keycloak/docker-compose.yml
@@ -67,6 +67,7 @@ services:
 IDP_LDAP_BIND_PASSWORD: ${IDP_LDAP_BIND_PASSWORD:-idp}
 STORAGE_LDAP_BIND_PASSWORD: ${STORAGE_LDAP_BIND_PASSWORD:-reva}
 OCIS_JWT_SECRET: ${OCIS_JWT_SECRET:-Pive-Fumkiu4}
+ OCIS_TRANSFER_SECRET: ${STORAGE_TRANSFER_SECRET:-replace-me-with-a-transfer-secret}
 volumes:
 - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh
 - ocis-data:/var/tmp/ocis
diff --git a/deployments/examples/ocis_s3/.env b/deployments/examples/ocis_s3/.env
index 07a52ba528..4795b38baa 100644
--- a/deployments/examples/ocis_s3/.env
+++ b/deployments/examples/ocis_s3/.env
@@ -23,6 +23,8 @@ IDP_LDAP_BIND_PASSWORD=
 STORAGE_LDAP_BIND_PASSWORD=
 # JWT secret which is used for the storage provider. Must be changed in order to have a secure oCIS. Defaults to "Pive-Fumkiu4"
 OCIS_JWT_SECRET=
+# JWT secret which is used for uploads to create transfer tokens. Must be changed in order to have a secure oCIS. Defaults to "replace-me-with-a-transfer-secret"
+OCIS_TRANSFER_SECRET=
 ### MINIO / S3 settings ###
 # Domain of MinIO where the Web UI is accessible. Defaults to "minio.owncloud.test".
diff --git a/deployments/examples/ocis_s3/docker-compose.yml b/deployments/examples/ocis_s3/docker-compose.yml
index a5a273f088..ce320aee11 100644
--- a/deployments/examples/ocis_s3/docker-compose.yml
+++ b/deployments/examples/ocis_s3/docker-compose.yml
@@ -57,6 +57,7 @@ services:
 IDP_LDAP_BIND_PASSWORD: ${IDP_LDAP_BIND_PASSWORD:-idp}
 STORAGE_LDAP_BIND_PASSWORD: ${STORAGE_LDAP_BIND_PASSWORD:-reva}
 OCIS_JWT_SECRET: ${OCIS_JWT_SECRET:-Pive-Fumkiu4}
+ OCIS_TRANSFER_SECRET: ${STORAGE_TRANSFER_SECRET:-replace-me-with-a-transfer-secret}
 # activate s3ng storage driver
 STORAGE_HOME_DRIVER: s3ng
 STORAGE_USERS_DRIVER: s3ng
diff --git a/deployments/examples/ocis_traefik/.env b/deployments/examples/ocis_traefik/.env
index efffa4eca4..8ad4a3ab83 100644
--- a/deployments/examples/ocis_traefik/.env
+++ b/deployments/examples/ocis_traefik/.env
@@ -23,6 +23,8 @@ IDP_LDAP_BIND_PASSWORD=
 STORAGE_LDAP_BIND_PASSWORD=
 # JWT secret which is used for the storage provider. Must be changed in order to have a secure oCIS. Defaults to "Pive-Fumkiu4"
 OCIS_JWT_SECRET=
+# JWT secret which is used for uploads to create transfer tokens. Must be changed in order to have a secure oCIS. Defaults to "replace-me-with-a-transfer-secret"
+OCIS_TRANSFER_SECRET=
 # If you want to use debugging and tracing with this stack,
 # you need uncomment following line. Please see documentation at
diff --git a/deployments/examples/ocis_traefik/docker-compose.yml b/deployments/examples/ocis_traefik/docker-compose.yml
index 43b03d2538..1c2e1ac36f 100644
--- a/deployments/examples/ocis_traefik/docker-compose.yml
+++ b/deployments/examples/ocis_traefik/docker-compose.yml
@@ -57,6 +57,7 @@ services:
 IDP_LDAP_BIND_PASSWORD: ${IDP_LDAP_BIND_PASSWORD:-idp}
 STORAGE_LDAP_BIND_PASSWORD: ${STORAGE_LDAP_BIND_PASSWORD:-reva}
 OCIS_JWT_SECRET: ${OCIS_JWT_SECRET:-Pive-Fumkiu4}
+ OCIS_TRANSFER_SECRET: ${STORAGE_TRANSFER_SECRET:-replace-me-with-a-transfer-secret}
 volumes:
 - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh
 - ocis-data:/var/tmp/ocis
diff --git a/deployments/examples/ocis_wopi/.env b/deployments/examples/ocis_wopi/.env
index 9d767164a0..74546b65fc 100644
--- a/deployments/examples/ocis_wopi/.env
+++ b/deployments/examples/ocis_wopi/.env
@@ -23,6 +23,8 @@ IDP_LDAP_BIND_PASSWORD=
 STORAGE_LDAP_BIND_PASSWORD=
 # JWT secret which is used for the storage provider. Must be changed in order to have a secure oCIS. Defaults to "Pive-Fumkiu4"
 OCIS_JWT_SECRET=
+# JWT secret which is used for uploads to create transfer tokens. Must be changed in order to have a secure oCIS. Defaults to "replace-me-with-a-transfer-secret"
+OCIS_TRANSFER_SECRET=
 ### Wopi server settings ###
 # oCIS Wopi server version. Defaults to "latest"
diff --git a/deployments/examples/ocis_wopi/docker-compose.yml b/deployments/examples/ocis_wopi/docker-compose.yml
index 4e2fe61701..a87d74234e 100644
--- a/deployments/examples/ocis_wopi/docker-compose.yml
+++ b/deployments/examples/ocis_wopi/docker-compose.yml
@@ -60,6 +60,7 @@ services:
 IDP_LDAP_BIND_PASSWORD: ${IDP_LDAP_BIND_PASSWORD:-idp}
 STORAGE_LDAP_BIND_PASSWORD: ${STORAGE_LDAP_BIND_PASSWORD:-reva}
 OCIS_JWT_SECRET: ${OCIS_JWT_SECRET:-Pive-Fumkiu4}
+ OCIS_TRANSFER_SECRET: ${STORAGE_TRANSFER_SECRET:-replace-me-with-a-transfer-secret}
 # web ui
 WEB_UI_CONFIG: "/config/config.json"
 # proxy
diff --git a/docs/ocis/deployment/_index.md b/docs/ocis/deployment/_index.md
index 8ba2edfb3d..7eb5a798a9 100644
--- a/docs/ocis/deployment/_index.md
+++ b/docs/ocis/deployment/_index.md
@@ -43,6 +43,9 @@ The new password for the Reva Inter Operability Platform user must be made avail
 Furthermore, oCIS uses a shared secret to sign JWT tokens for inter service authorization, which also needs to be changed by the user.
 You can change it by setting the `OCIS_JWT_SECRET` environment variable for oCIS to a random string.
+Another is used secret for singing JWT tokens for uploads and downloads, which also needs to be changed by the user.
+You can change it by setting the `STORAGE_TRANSFER_SECRET` environment variable for oCIS to a random string.
+
 ### Delete demo users
 {{< hint info >}}
diff --git a/docs/ocis/deployment/ocis_hello.md b/docs/ocis/deployment/ocis_hello.md
index 2a6d5842b3..96b91a7a5d 100644
--- a/docs/ocis/deployment/ocis_hello.md
+++ b/docs/ocis/deployment/ocis_hello.md
@@ -73,6 +73,8 @@ See also [example server setup]({{< ref "preparing_server" >}})
 STORAGE_LDAP_BIND_PASSWORD=
 # JWT secret which is used for the storage provider. Must be changed in order to have a secure oCIS. Defaults to "Pive-Fumkiu4"
 OCIS_JWT_SECRET=
+ # JWT secret which is used for uploads to create transfer tokens. Must be changed in order to have a secure oCIS. Defaults to "replace-me-with-a-transfer-secret"
+ OCIS_TRANSFER_SECRET=
 ### oCIS Hello settings ###
 # oCIS Hello version. Defaults to "latest"
diff --git a/docs/ocis/deployment/ocis_keycloak.md b/docs/ocis/deployment/ocis_keycloak.md
index 4e373c7531..c82e8a3625 100644
--- a/docs/ocis/deployment/ocis_keycloak.md
+++ b/docs/ocis/deployment/ocis_keycloak.md
@@ -76,6 +76,8 @@ See also [example server setup]({{< ref "preparing_server" >}})
 STORAGE_LDAP_BIND_PASSWORD=
 # JWT secret which is used for the storage provider. Must be changed in order to have a secure oCIS. Defaults to "Pive-Fumkiu4"
 OCIS_JWT_SECRET=
+ # JWT secret which is used for uploads to create transfer tokens. Must be changed in order to have a secure oCIS. Defaults to "replace-me-with-a-transfer-secret"
+ OCIS_TRANSFER_SECRET=
 ### Keycloak ###
 # Domain of Keycloak, where you can find the management and authentication frontend. Defaults to "keycloak.owncloud.test"
@@ -137,4 +139,4 @@ After that you're ready to start the application stack:
 Open https://keycloak.owncloud.test in your browser and accept the invalid certificate warning.
-Open https://ocis.owncloud.test in your browser and accept the invalid certificate warning. You now can login to oCIS with the demo users.
\ No newline at end of file
+Open https://ocis.owncloud.test in your browser and accept the invalid certificate warning. You now can login to oCIS with the demo users.
diff --git a/docs/ocis/deployment/ocis_s3.md b/docs/ocis/deployment/ocis_s3.md
index ed2ffa58f9..ec736f819e 100644
--- a/docs/ocis/deployment/ocis_s3.md
+++ b/docs/ocis/deployment/ocis_s3.md
@@ -75,6 +75,8 @@ See also [example server setup]({{< ref "preparing_server" >}})
 STORAGE_LDAP_BIND_PASSWORD=
 # JWT secret which is used for the storage provider. Must be changed in order to have a secure oCIS. Defaults to "Pive-Fumkiu4"
 OCIS_JWT_SECRET=
+ # JWT secret which is used for uploads to create transfer tokens. Must be changed in order to have a secure oCIS. Defaults to "replace-me-with-a-transfer-secret"
+ OCIS_TRANSFER_SECRET=
 ### MINIO / S3 settings ###
 # Domain of MinIO where the Web UI is accessible. Defaults to "minio.owncloud.test".
diff --git a/docs/ocis/deployment/ocis_traefik.md b/docs/ocis/deployment/ocis_traefik.md
index f59b63ee29..0df9e84e56 100644
--- a/docs/ocis/deployment/ocis_traefik.md
+++ b/docs/ocis/deployment/ocis_traefik.md
@@ -70,6 +70,8 @@ See also [example server setup]({{< ref "preparing_server" >}})
 STORAGE_LDAP_BIND_PASSWORD=
 # JWT secret which is used for the storage provider. Must be changed in order to have a secure oCIS. Defaults to "Pive-Fumkiu4"
 OCIS_JWT_SECRET=
+ # JWT secret which is used for uploads to create transfer tokens. Must be changed in order to have a secure oCIS. Defaults to "replace-me-with-a-transfer-secret"
+ OCIS_TRANSFER_SECRET=
 ```
 You are installing oCIS on a server and Traefik will obtain valid certificates for you so please remove `INSECURE=true` or set it to `false`.
diff --git a/docs/ocis/deployment/ocis_wopi.md b/docs/ocis/deployment/ocis_wopi.md
index c5ccb00fed..f81de852cd 100644
--- a/docs/ocis/deployment/ocis_wopi.md
+++ b/docs/ocis/deployment/ocis_wopi.md
@@ -78,6 +78,8 @@ See also [example server setup]({{< ref "preparing_server" >}})
 STORAGE_LDAP_BIND_PASSWORD=
 # JWT secret which is used for the storage provider. Must be changed in order to have a secure oCIS. Defaults to "Pive-Fumkiu4"
 OCIS_JWT_SECRET=
+ # JWT secret which is used for uploads to create transfer tokens. Must be changed in order to have a secure oCIS. Defaults to "replace-me-with-a-transfer-secret"
+ OCIS_TRANSFER_SECRET=
 ### Wopi server settings ###
 # oCIS Wopi server version. Defaults to "latest"