From 0102e34d0b78b3f12b6ed8bde6ab3978ee50b0ed Mon Sep 17 00:00:00 2001 From: Michael Barz Date: Wed, 6 Apr 2022 15:16:29 +0200 Subject: [PATCH 1/4] set demo users to default off --- .drone.star | 4 ++++ accounts/pkg/config/defaults/defaultconfig.go | 2 +- idm/pkg/config/defaults/defaultconfig.go | 2 +- 3 files changed, 6 insertions(+), 2 deletions(-) diff --git a/.drone.star b/.drone.star index 91e0ae70ce..3607328fe6 100644 --- a/.drone.star +++ b/.drone.star @@ -1627,6 +1627,8 @@ def ocisServer(storage, accounts_hash_difficulty = 4, volumes = [], depends_on = "OCIS_LOG_LEVEL": "error", "SETTINGS_DATA_PATH": "/srv/app/tmp/ocis/settings", "OCIS_INSECURE": "true", + "ACCOUNTS_DEMO_USERS_AND_GROUPS": True, # deprecated, remove after switching to LibreIDM + "IDM_CREATE_DEMO_USERS": True, } else: user = "33:33" @@ -1707,6 +1709,8 @@ def ocisServer(storage, accounts_hash_difficulty = 4, volumes = [], depends_on = "OCIS_MACHINE_AUTH_API_KEY": "change-me-please", "OCIS_INSECURE": "true", "PROXY_ENABLE_BASIC_AUTH": "true", + "ACCOUNTS_DEMO_USERS_AND_GROUPS": True, # deprecated, remove after switching to LibreIDM + "IDM_CREATE_DEMO_USERS": True, } # Pass in "default" accounts_hash_difficulty to not set this environment variable. diff --git a/accounts/pkg/config/defaults/defaultconfig.go b/accounts/pkg/config/defaults/defaultconfig.go index 8e8a82266f..25912cfa64 100644 --- a/accounts/pkg/config/defaults/defaultconfig.go +++ b/accounts/pkg/config/defaults/defaultconfig.go @@ -49,7 +49,7 @@ func DefaultConfig() *config.Config { JWTSecret: "Pive-Fumkiu4", }, HashDifficulty: 11, - DemoUsersAndGroups: true, + DemoUsersAndGroups: false, Repo: config.Repo{ Backend: "CS3", Disk: config.Disk{ diff --git a/idm/pkg/config/defaults/defaultconfig.go b/idm/pkg/config/defaults/defaultconfig.go index 83e1bcfee6..97bf67d427 100644 --- a/idm/pkg/config/defaults/defaultconfig.go +++ b/idm/pkg/config/defaults/defaultconfig.go 
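Review bot: `"ACCOUNTS_DEMO_USERS_AND_GROUPS": True` and `"IDM_CREATE_DEMO_USERS": True` are Starlark booleans, while every neighbouring value in the same environment map (`"OCIS_INSECURE": "true"`, `"OCIS_LOG_LEVEL": "error"`) is a string; the second hunk of this file (around line 1709) adds the same pair the same way. Unless the Starlark-to-YAML conversion is known to stringify booleans, the generated environment entries will differ in type from the rest of the map, so I would write them as `"ACCOUNTS_DEMO_USERS_AND_GROUPS": "true",  # deprecated, remove after switching to LibreIDM` and `"IDM_CREATE_DEMO_USERS": "true",` in both hunks. The enclosing `ocisServer` definition starts and ends outside the hunk.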
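Review bot: The hardening this hunk aims at is only partial while `JWTSecret: "Pive-Fumkiu4"`, two lines above the new `DemoUsersAndGroups: false`, stays a compiled-in default, and the idm hunk that follows (`CreateDemoUsers: false`) likewise keeps `IdmAdmin: "idm"` and `Idp: "idp"` as default service-user passwords; those values are exactly as public as the demo credentials this series stops creating. If they are intended as development placeholders that deployments override, that should be stated on the field, e.g. `JWTSecret: "Pive-Fumkiu4", // development placeholder; must be overridden in any non-dev setup`, with the same comment on the two idm passwords; refusing to start with an unchanged placeholder outside a dev profile would be the stronger follow-up. `DefaultConfig` starts and ends outside the hunk in both files.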
@@ -21,7 +21,7 @@ func DefaultConfig() *config.Config { Service: config.Service{ Name: "idm", }, - CreateDemoUsers: true, + CreateDemoUsers: false, ServiceUserPasswords: config.ServiceUserPasswords{ IdmAdmin: "idm", Idp: "idp", From 3c2bb5222872d27bec9dc35c841cca31858b4fa6 Mon Sep 17 00:00:00 2001 From: Michael Barz Date: Sat, 9 Apr 2022 16:17:03 +0200 Subject: [PATCH 2/4] adopt demo deployment config --- deployments/examples/oc10_ocis_parallel/.env | 4 ++++ deployments/examples/oc10_ocis_parallel/docker-compose.yml | 3 +++ deployments/examples/ocis_hello/.env | 4 ++++ deployments/examples/ocis_hello/docker-compose.yml | 3 +++ deployments/examples/ocis_individual_services/.env | 4 ++++ .../examples/ocis_individual_services/docker-compose.yml | 2 ++ deployments/examples/ocis_keycloak/.env | 4 ++++ deployments/examples/ocis_keycloak/docker-compose.yml | 4 +++- deployments/examples/ocis_ldap/.env | 4 ++++ deployments/examples/ocis_ldap/docker-compose.yml | 3 +++ deployments/examples/ocis_s3/.env | 4 ++++ deployments/examples/ocis_s3/docker-compose.yml | 3 +++ deployments/examples/ocis_traefik/.env | 4 ++++ deployments/examples/ocis_traefik/docker-compose.yml | 3 +++ deployments/examples/ocis_wopi/.env | 4 ++++ deployments/examples/ocis_wopi/docker-compose.yml | 3 +++ 16 files changed, 55 insertions(+), 1 deletion(-) diff --git a/deployments/examples/oc10_ocis_parallel/.env b/deployments/examples/oc10_ocis_parallel/.env index e1acbbcd37..7ba204577c 100644 --- a/deployments/examples/oc10_ocis_parallel/.env +++ b/deployments/examples/oc10_ocis_parallel/.env @@ -2,6 +2,10 @@ # It skips certificate validation for various parts of oCIS and is needed if you use self signed certificates. INSECURE=true +# The demo users should not be created on a production instance +# because their passwords are public +DEMO_USERS=false + ### Traefik settings ### TRAEFIK_LOG_LEVEL= # Serve Treafik dashboard. Defaults to "false". 
diff --git a/deployments/examples/oc10_ocis_parallel/docker-compose.yml b/deployments/examples/oc10_ocis_parallel/docker-compose.yml index 677877f5b2..cb4a503437 100644 --- a/deployments/examples/oc10_ocis_parallel/docker-compose.yml +++ b/deployments/examples/oc10_ocis_parallel/docker-compose.yml @@ -124,6 +124,9 @@ services: OCIS_INSECURE: "${INSECURE:-false}" # basic auth (not recommended, but needed for eg. WebDav clients that do not support OpenID Connect) PROXY_ENABLE_BASIC_AUTH: "${PROXY_ENABLE_BASIC_AUTH:-false}" + # demo users + ACCOUNTS_DEMO_USERS_AND_GROUPS: "${DEMO_USERS:-false}" # deprecated, remove after switching to LibreIDM + IDM_CREATE_DEMO_USERS: "${DEMO_USERS:-false}" volumes: - ./config/ocis/proxy.yaml:/etc/ocis/proxy.yaml - ocis-data:/var/lib/ocis diff --git a/deployments/examples/ocis_hello/.env b/deployments/examples/ocis_hello/.env index cdd83740ef..0e70f6b66d 100644 --- a/deployments/examples/ocis_hello/.env +++ b/deployments/examples/ocis_hello/.env @@ -2,6 +2,10 @@ # It skips certificate validation for various parts of oCIS and is needed if you use self signed certificates. INSECURE=true +# The demo users should not be created on a production instance +# because their passwords are public +DEMO_USERS=true + ### Traefik settings ### # Serve Treafik dashboard. Defaults to "false". TRAEFIK_DASHBOARD= diff --git a/deployments/examples/ocis_hello/docker-compose.yml b/deployments/examples/ocis_hello/docker-compose.yml index 9b72e1f59f..a9ff638e16 100644 --- a/deployments/examples/ocis_hello/docker-compose.yml +++ b/deployments/examples/ocis_hello/docker-compose.yml 
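Review bot: `DEMO_USERS=true` contradicts the comment added two lines above it ("should not be created on a production instance because their passwords are public"); the same `true` value is added to the `.env` of ocis_individual_services, ocis_ldap, ocis_s3, ocis_traefik and ocis_wopi, whereas oc10_ocis_parallel and ocis_keycloak get `false`. These example `.env` files are what people copy as the starting point of a real deployment, and the compose side of this series already defaults to `${DEMO_USERS:-false}`, so the safe value here is `DEMO_USERS=false` with the comment telling readers when to flip it. If the examples are meant to stay demo-friendly, say so in the comment instead, e.g. `# Set to true only for a disposable test instance: the demo users' passwords are public.`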
@@ -68,6 +68,9 @@ services: OCIS_INSECURE: "${INSECURE:-false}" # basic auth (not recommended, but needed for eg. WebDav clients that do not support OpenID Connect) PROXY_ENABLE_BASIC_AUTH: "${PROXY_ENABLE_BASIC_AUTH:-false}" + # demo users + ACCOUNTS_DEMO_USERS_AND_GROUPS: "${DEMO_USERS:-false}" # deprecated, remove after switching to LibreIDM + IDM_CREATE_DEMO_USERS: "${DEMO_USERS:-false}" volumes: - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh - ./config/ocis/web-config.dist.json:/config/web-config.dist.json diff --git a/deployments/examples/ocis_individual_services/.env b/deployments/examples/ocis_individual_services/.env index df4a4d90a4..25569f9b31 100644 --- a/deployments/examples/ocis_individual_services/.env +++ b/deployments/examples/ocis_individual_services/.env @@ -2,6 +2,10 @@ # It skips certificate validation for various parts of oCIS and is needed if you use self signed certificates. INSECURE=true +# The demo users should not be created on a production instance +# because their passwords are public +DEMO_USERS=true + ### Traefik settings ### # Serve Treafik dashboard. Defaults to "false". TRAEFIK_DASHBOARD= diff --git a/deployments/examples/ocis_individual_services/docker-compose.yml b/deployments/examples/ocis_individual_services/docker-compose.yml index 8c30ac2b2d..bdf844a7e2 100644 --- a/deployments/examples/ocis_individual_services/docker-compose.yml +++ b/deployments/examples/ocis_individual_services/docker-compose.yml @@ -134,6 +134,8 @@ services: STORAGE_LDAP_BIND_PASSWORD: ${STORAGE_LDAP_BIND_PASSWORD:-reva} ACCOUNTS_JWT_SECRET: ${OCIS_METADATA_JWT_SECRET:-Pive-Fumkiu4} + # demo users + ACCOUNTS_DEMO_USERS_AND_GROUPS: "${DEMO_USERS:-false}" # deprecated, remove after switching to LibreIDM volumes: - ./config/accounts/entrypoint-override.sh:/entrypoint-override.sh logging: diff --git a/deployments/examples/ocis_keycloak/.env b/deployments/examples/ocis_keycloak/.env index 64fb4117c6..a2f80cefc6 100644 
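Review bot: Only `ACCOUNTS_DEMO_USERS_AND_GROUPS` is wired to `${DEMO_USERS}` in the ocis_individual_services compose file, and that line is itself marked deprecated, unlike the other compose files in this series which also add `IDM_CREATE_DEMO_USERS`. If this deployment defines an idm service as well (not visible in the hunk), it needs the matching `IDM_CREATE_DEMO_USERS: "${DEMO_USERS:-false}"` under that service, otherwise the `DEMO_USERS` switch silently stops doing anything once the accounts service is removed. If idm is intentionally absent here, a short comment saying so next to the deprecated line would save the next reader the same question.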
--- a/deployments/examples/ocis_keycloak/.env +++ b/deployments/examples/ocis_keycloak/.env @@ -2,6 +2,10 @@ # It skips certificate validation for various parts of oCIS and is needed if you use self signed certificates. INSECURE=true +# The demo users should not be created on a production instance +# because their passwords are public +DEMO_USERS=false + ### Traefik settings ### # Serve Treafik dashboard. Defaults to "false". TRAEFIK_DASHBOARD= diff --git a/deployments/examples/ocis_keycloak/docker-compose.yml b/deployments/examples/ocis_keycloak/docker-compose.yml index 3047684fec..c847db8016 100644 --- a/deployments/examples/ocis_keycloak/docker-compose.yml +++ b/deployments/examples/ocis_keycloak/docker-compose.yml @@ -63,7 +63,9 @@ services: OCIS_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test} OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-error} # make oCIS less verbose PROXY_TLS: "false" # do not use SSL between Traefik and oCIS - ACCOUNTS_DEMO_USERS_AND_GROUPS: "false" # don't generate demo users + # demo users + ACCOUNTS_DEMO_USERS_AND_GROUPS: "${DEMO_USERS:-false}" # deprecated, remove after switching to LibreIDM + IDM_CREATE_DEMO_USERS: "${DEMO_USERS:-false}" # change default secrets IDP_LDAP_BIND_PASSWORD: ${IDP_LDAP_BIND_PASSWORD:-idp} STORAGE_LDAP_BIND_PASSWORD: ${STORAGE_LDAP_BIND_PASSWORD:-reva} diff --git a/deployments/examples/ocis_ldap/.env b/deployments/examples/ocis_ldap/.env index c998544fd8..a3eebbf4ca 100644 --- a/deployments/examples/ocis_ldap/.env +++ b/deployments/examples/ocis_ldap/.env @@ -2,6 +2,10 @@ # It skips certificate validation for various parts of oCIS and is needed if you use self signed certificates. INSECURE=true +# The demo users should not be created on a production instance +# because their passwords are public +DEMO_USERS=true + ### Traefik settings ### # Serve Treafik dashboard. Defaults to "false". TRAEFIK_DASHBOARD= 
diff --git a/deployments/examples/ocis_ldap/docker-compose.yml b/deployments/examples/ocis_ldap/docker-compose.yml index 60c22c280e..18504d8e21 100644 --- a/deployments/examples/ocis_ldap/docker-compose.yml +++ b/deployments/examples/ocis_ldap/docker-compose.yml @@ -88,6 +88,9 @@ services: OCIS_INSECURE: "${INSECURE:-false}" # basic auth (not recommended, but needed for eg. WebDav clients that do not support OpenID Connect) PROXY_ENABLE_BASIC_AUTH: "${PROXY_ENABLE_BASIC_AUTH:-false}" + # demo users + ACCOUNTS_DEMO_USERS_AND_GROUPS: "${DEMO_USERS:-false}" # deprecated, remove after switching to LibreIDM + IDM_CREATE_DEMO_USERS: "${DEMO_USERS:-false}" volumes: - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh - ./config/ocis/web-config.dist.json:/config/web-config.dist.json diff --git a/deployments/examples/ocis_s3/.env b/deployments/examples/ocis_s3/.env index b05103cfc2..b53901dc40 100644 --- a/deployments/examples/ocis_s3/.env +++ b/deployments/examples/ocis_s3/.env @@ -2,6 +2,10 @@ # It skips certificate validation for various parts of oCIS and is needed if you use self signed certificates. INSECURE=true +# The demo users should not be created on a production instance +# because their passwords are public +DEMO_USERS=true + ### Traefik settings ### # Serve Treafik dashboard. Defaults to "false". TRAEFIK_DASHBOARD= diff --git a/deployments/examples/ocis_s3/docker-compose.yml b/deployments/examples/ocis_s3/docker-compose.yml index a3c1547243..4832efcaaa 100644 --- a/deployments/examples/ocis_s3/docker-compose.yml +++ b/deployments/examples/ocis_s3/docker-compose.yml 
@@ -72,6 +72,9 @@ services: OCIS_INSECURE: "${INSECURE:-false}" # basic auth (not recommended, but needed for eg. WebDav clients that do not support OpenID Connect) PROXY_ENABLE_BASIC_AUTH: "${PROXY_ENABLE_BASIC_AUTH:-false}" + # demo users + ACCOUNTS_DEMO_USERS_AND_GROUPS: "${DEMO_USERS:-false}" # deprecated, remove after switching to LibreIDM + IDM_CREATE_DEMO_USERS: "${DEMO_USERS:-false}" volumes: - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh - ocis-data:/var/lib/ocis diff --git a/deployments/examples/ocis_traefik/.env b/deployments/examples/ocis_traefik/.env index 90b69b5f23..4012008364 100644 --- a/deployments/examples/ocis_traefik/.env +++ b/deployments/examples/ocis_traefik/.env @@ -2,6 +2,10 @@ # It skips certificate validation for various parts of oCIS and is needed if you use self signed certificates. INSECURE=true +# The demo users should not be created on a production instance +# because their passwords are public +DEMO_USERS=true + ### Traefik settings ### # Serve Treafik dashboard. Defaults to "false". TRAEFIK_DASHBOARD= diff --git a/deployments/examples/ocis_traefik/docker-compose.yml b/deployments/examples/ocis_traefik/docker-compose.yml index 1473f48209..35fc4756cf 100644 --- a/deployments/examples/ocis_traefik/docker-compose.yml +++ b/deployments/examples/ocis_traefik/docker-compose.yml @@ -63,6 +63,9 @@ services: OCIS_INSECURE: "${INSECURE:-false}" # basic auth (not recommended, but needed for eg. WebDav clients that do not support OpenID Connect) PROXY_ENABLE_BASIC_AUTH: "${PROXY_ENABLE_BASIC_AUTH:-false}" + # demo users + ACCOUNTS_DEMO_USERS_AND_GROUPS: "${DEMO_USERS:-false}" # deprecated, remove after switching to LibreIDM + IDM_CREATE_DEMO_USERS: "${DEMO_USERS:-false}" volumes: - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh - ocis-data:/var/lib/ocis diff --git a/deployments/examples/ocis_wopi/.env b/deployments/examples/ocis_wopi/.env index b61977b073..66cfabeb7f 100644 
--- a/deployments/examples/ocis_wopi/.env +++ b/deployments/examples/ocis_wopi/.env @@ -2,6 +2,10 @@ # It skips certificate validation for various parts of oCIS and is needed if you use self signed certificates. INSECURE=true +# The demo users should not be created on a production instance +# because their passwords are public +DEMO_USERS=true + ### Traefik settings ### # Serve Treafik dashboard. Defaults to "false". TRAEFIK_DASHBOARD= diff --git a/deployments/examples/ocis_wopi/docker-compose.yml b/deployments/examples/ocis_wopi/docker-compose.yml index d10ea28453..f1d02902fb 100644 --- a/deployments/examples/ocis_wopi/docker-compose.yml +++ b/deployments/examples/ocis_wopi/docker-compose.yml @@ -71,6 +71,9 @@ services: OCIS_INSECURE: "${INSECURE:-false}" # basic auth (not recommended, but needed for eg. WebDav clients that do not support OpenID Connect) PROXY_ENABLE_BASIC_AUTH: "${PROXY_ENABLE_BASIC_AUTH:-false}" + # demo users + ACCOUNTS_DEMO_USERS_AND_GROUPS: "${DEMO_USERS:-false}" # deprecated, remove after switching to LibreIDM + IDM_CREATE_DEMO_USERS: "${DEMO_USERS:-false}" volumes: - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh - ./config/ocis/mimetypes.json:/var/tmp/ocis/app-config/mimetypes.json From b1a05c3aac8094470d061da324f7630332a8905d Mon Sep 17 00:00:00 2001 From: Michael Barz Date: Sat, 9 Apr 2022 16:32:58 +0200 Subject: [PATCH 3/4] adjust the docs --- .vscode/launch.json | 3 +++ docs/ocis/deployment/_index.md | 3 +-- docs/ocis/getting-started/_index.md | 10 +++++++--- docs/ocis/getting-started/demo-users.md | 6 +++--- 4 files changed, 14 insertions(+), 8 deletions(-) diff --git a/.vscode/launch.json b/.vscode/launch.json index 94312a3e14..405778b585 100644 --- a/.vscode/launch.json +++ b/.vscode/launch.json 
@@ -19,6 +19,9 @@ "PROXY_ENABLE_BASIC_AUTH": "true", // set insecure options because we don't have valid certificates in dev environments "OCIS_INSECURE": "true", + // demo users + "ACCOUNTS_DEMO_USERS_AND_GROUPS": "true", + "IDM_CREATE_DEMO_USERS": "true" // OCIS_RUN_EXTENSIONS allows to start a subset of extensions even in the supervised mode //"OCIS_RUN_EXTENSIONS": "settings,storage-metadata,glauth,graph,graph-explorer,idp,ocs,store,thumbnails,web,webdav,storage-frontend,storage-gateway,storage-userprovider,storage-groupprovider,storage-authbasic,storage-authbearer,storage-authmachine,storage-users,storage-shares,storage-public-link,storage-appprovider,storage-sharing,accounts,proxy", } diff --git a/docs/ocis/deployment/_index.md b/docs/ocis/deployment/_index.md index 29e8bb2517..d2db1b8eb9 100644 --- a/docs/ocis/deployment/_index.md +++ b/docs/ocis/deployment/_index.md @@ -50,8 +50,7 @@ You can change it by setting the `OCIS_MACHINE_AUTH_API_KEY` environment variabl {{< hint info >}} Before deleting the demo users mentioned below, you must create a new account for yourself and assign it to the administrator role. -To skip the generation of demo users in the first place, run the inital setup step with an additional environment variable. -`ACCOUNTS_DEMO_USERS_AND_GROUPS=false ./bin/ocis server` generates only the admin, and one user for IDP and Reva respectively. +By default, oCIS doesn't create any demo users. During the first startup, it generates only the admin and one user for IDP and Reva respectively. {{< /hint >}} oCIS ships with a few demo users besides the system users: diff --git a/docs/ocis/getting-started/_index.md b/docs/ocis/getting-started/_index.md index 84904501c6..534d7bde05 100644 --- a/docs/ocis/getting-started/_index.md +++ b/docs/ocis/getting-started/_index.md 
@@ -42,8 +42,8 @@ curl https://download.owncloud.com/ocis/ocis/stable/1.19.1/ocis-1.19.1-linux-amd # make binary executable chmod +x ocis -# run -OCIS_INSECURE=true ./ocis server +# run with demo users +OCIS_INSECURE=true ACCOUNTS_DEMO_USERS_AND_GROUPS=true ./ocis server ``` The default primary storage location is `~/.ocis` or `/var/lib/ocis` depending on the packaging format and your operating system user. You can change that value by configuration. @@ -64,13 +64,17 @@ The `latest` tag always reflects the current master branch. ```console docker pull owncloud/ocis -docker run --rm -ti -p 9200:9200 -e OCIS_INSECURE=true owncloud/ocis +docker run --rm -ti -p 9200:9200 -e OCIS_INSECURE=true -e ACCOUNTS_DEMO_USERS_AND_GROUPS=true owncloud/ocis ``` {{< hint info >}} When you're using oCIS with self-signed certificates, you need to set the environment variable `OCIS_INSECURE=true`, in order to make oCIS work. {{< /hint >}} +{{< hint warming >}} +When you're creating the [demo users]({{< ref "./demo-users" >}}) by setting `ACCOUNTS_DEMO_USERS_AND_GROUPS=true`, you need to be sure that this instance is not used in prodution because the passwords are public. +{{< /hint >}} + {{< hint warning >}} In order to persist your data, you need to mount a docker volume or create a host bind-mount at `/var/lib/ocis`, for example with: `-v /some/host/dir:/var/lib/ocis` diff --git a/docs/ocis/getting-started/demo-users.md b/docs/ocis/getting-started/demo-users.md index d5a5373a83..1865446d93 100644 --- a/docs/ocis/getting-started/demo-users.md +++ b/docs/ocis/getting-started/demo-users.md 
@@ -7,11 +7,11 @@ geekdocEditPath: edit/master/docs/ocis/getting-started geekdocFilePath: demo-users.md --- -As long as oCIS is released as [technology preview]({{< ref "../release_roadmap#release_roadmap" >}}) it will come with default demo users. These enable you to do quick testing and developing. +oCIS has the option to create demo users during the first startup. These enable you to do quick testing and developing. {{< hint info >}} -To skip the generation of demo users, run the inital setup step with an additional environment variable. -`ACCOUNTS_DEMO_USERS_AND_GROUPS=false ./bin/ocis server` generates only the admin, and one user for IDP and Reva respectively. +To create the demo users, run the inital setup step with an additional environment variable. +`ACCOUNTS_DEMO_USERS_AND_GROUPS=true ./bin/ocis server` will generate the demo users listed in the table below. By default, it only generates the admin and one user for IDP and Reva respectively. {{< /hint >}} Following users are available in the demo set: From 89a5d34687bef8ec182914485127823bf7fac27d Mon Sep 17 00:00:00 2001 From: Michael Barz Date: Sat, 9 Apr 2022 16:40:46 +0200 Subject: [PATCH 4/4] add changelog --- changelog/unreleased/no-demo-users.md | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 changelog/unreleased/no-demo-users.md diff --git a/changelog/unreleased/no-demo-users.md b/changelog/unreleased/no-demo-users.md new file mode 100644 index 0000000000..35b7e2b86c --- /dev/null +++ b/changelog/unreleased/no-demo-users.md @@ -0,0 +1,6 @@ +Change: Don't create demo users by default + +As we are coming closer to the first beta, we need to disable the creation of the demo users by default. + +https://github.com/owncloud/ocis/pull/3474 +https://github.com/owncloud/ocis/issues/3181