bdbba929d0
* feat: add CSP and other security related headers in the oCIS proxy service * fix: consolidate security related headers - drop middleware.Secure * fix: use github.com/DeepDiver1975/secure * fix: acceptance tests * feat: support env var replacements in csp.yaml
Graph
The graph service provides the Graph API which is a RESTful web API used to access Infinite Scale resources. It is inspired by the Microsoft Graph API and can be used by clients or other services or extensions.
Manual Filters
Using the API, you can manually filter like for users. See the Libre Graph API for examples in the developer documentation. Note that you can use and and or to refine results.
Sequence Diagram
The following image gives an overview of the scenario when a client requests to list available spaces the user has access to. To do so, the client is directed with his request automatically via the proxy service to the graph service.
Caching
The graph service can use a configured store via GRAPH_CACHE_STORE. Possible stores are:
memory: Basic in-memory store and the default.redis-sentinel: Stores data in a configured Redis Sentinel cluster.nats-js-kv: Stores data using key-value-store feature of nats jetstreamnoop: Stores nothing. Useful for testing. Not recommended in production environments.ocmem: Advanced in-memory store allowing max size. (deprecated)redis: Stores data in a configured Redis cluster. (deprecated)etcd: Stores data in a configured etcd cluster. (deprecated)nats-js: Stores data using object-store feature of nats jetstream (deprecated)
Other store types may work but are not supported currently.
Note: The service can only be scaled if not using memory store and the stores are configured identically over all instances!
Note that if you have used one of the deprecated stores, you should reconfigure to one of the supported ones as the deprecated stores will be removed in a later version.
Store specific notes:
- When using
redis-sentinel, the Redis master to use is configured via e.g.OCIS_CACHE_STORE_NODESin the form of<sentinel-host>:<sentinel-port>/<redis-master>like10.10.0.200:26379/mymaster. - When using
nats-js-kvit is recommended to setOCIS_CACHE_STORE_NODESto the same value asOCIS_EVENTS_ENDPOINT. That way the cache uses the same nats instance as the event bus. - When using the
nats-js-kvstore, it is possible to setOCIS_CACHE_DISABLE_PERSISTENCEto instruct nats to not persist cache data on disc.
Keycloak Configuration For The Personal Data Export
If Keycloak is used for authentication, GDPR regulations require to add all personal identifiable information that Keycloak has about the user to the personal data export. To do this, the following environment variables must be set:
OCIS_KEYCLOAK_BASE_PATH- The URL to the keycloak instance.OCIS_KEYCLOAK_CLIENT_ID- The client ID of the client that is used to authenticate with keycloak, this client has to be able to list users and get the credential data.OCIS_KEYCLOAK_CLIENT_SECRET- The client secret of the client that is used to authenticate with keycloak.OCIS_KEYCLOAK_CLIENT_REALM- The realm the client is defined in.OCIS_KEYCLOAK_USER_REALM- The realm the oCIS users are defined in.OCIS_KEYCLOAK_INSECURE_SKIP_VERIFY- If set to true, the TLS certificate of the keycloak instance is not verified.
For more details see the User-Triggered GDPR Report in the ocis admin documentation.
Keycloak Client Configuration
The client that is used to authenticate with keycloak has to be able to list users and get the credential data. To do this, the following roles have to be assigned to the client and they have to be about the realm that contains the oCIS users:
view-usersview-identity-providersview-realmview-clientsview-eventsview-authorization
Note that these roles are only available to assign if the client is in the master realm.