OCDAV Service Configuration
Introduction
The ocDAV service is responsible for translating ownCloud-flavored WebDAV into CS3 API calls. Note that previews (thumbnails) are provided by the WebDAV service. For more details on CS3 see the REVA and CS3 description in the Architecture and Concepts section.
Sequence Diagram
General View
A PROPFIND finds its way to a storage provider like in the image shown below. While this is a simplification to get an understanding of what needs to go where, there are several places where sharding (splitting and distributing) can happen.
Proxy-based User Routing
The Infinite Scale proxy authenticates requests and can forward them to different backends, depending on the logged-in user or cookies. For example, multiple ocdav services can be configured to shard users based on username or affiliation.
Gateway-based Path or Storage Provider ID-based Routing
The CS3 gateway acts as a facade to multiple storage providers that can be configured with the storage registry.
PROPFIND Request Against Old Webdav Endpoints
The old endpoint takes a username and a path relative to that user’s home: /dav/files/{username}
To route a PROPFIND request against an old webdav endpoint such as /dav/files/username, ocdav first has to build a CS3 namespace prefix to the user’s home, e.g. /users/{{.Id.OpaqueId}}.
Handling Legacy Global Namespace Webdav Endpoints
Infinite Scale uses a path-based lookup instead of looking up the current user’s home by user ID and a space type filter because some deployments use a global namespace at the legacy /webdav endpoint. To support these use cases, the gateway allows looking up spaces by their mount path.
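The namespace prefix and jail step described above, as an added Go example that is not ocDAV’s own code: it renders a /users/{{.Id.OpaqueId}}-style template for a user and then joins the path the client sent relative to /dav/files/{username}, refusing any result that resolves outside the rendered namespace. The User type, the function names and the sample id are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"fmt"
	"path"
	"strings"
	"text/template"
)

// User is the subset of CS3 user properties used by the namespace templates
// (shape assumed for this example, not the CS3 API type itself).
type User struct {
	Id struct{ OpaqueId string }
}

// RenderNamespace renders a template such as "/users/{{.Id.OpaqueId}}" for u.
func RenderNamespace(tmpl string, u *User) (string, error) {
	t, err := template.New("ns").Parse(tmpl)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, u); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// JailPath joins the rendered namespace with the path the client sent relative
// to /dav/files/{username}. path.Join resolves ".." segments, so the prefix
// check afterwards is what keeps the request inside the jail.
func JailPath(ns, rel string) (string, error) {
	joined := path.Join(ns, rel)
	if joined != ns && !strings.HasPrefix(joined, ns+"/") {
		return "", fmt.Errorf("%q escapes namespace %q", rel, ns)
	}
	return joined, nil
}

func main() {
	u := &User{}
	u.Id.OpaqueId = "constructed-opaque-id-0001" // constructed sample id
	ns, _ := RenderNamespace("/users/{{.Id.OpaqueId}}", u)
	fmt.Println(JailPath(ns, "Documents/report.txt"))
	fmt.Println(JailPath(ns, "../someone-else/secret"))
}
```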
Configuration
Environment Variables
The ocdav service is configured via the following environment variables. Read the Environment Variable Types documentation for important details.
| Name | Type | Default Value | Description |
|---|---|---|---|
| | bool | false | Activates tracing. |
| | string | | The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now. |
| | string | | The endpoint of the tracing agent. |
| | string | | The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset. |
| | string | | The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'. |
| | bool | false | Activates pretty log output. |
| | bool | false | Activates colorized log output. |
| | string | | The path to the log file. Activates logging to this file if set. |
| | string | 127.0.0.1:9163 | Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed. |
| | string | | Token to secure the metrics endpoint. |
| | bool | false | Enables pprof, which can be used for profiling. |
| | bool | false | Enables zpages, which can be used for collecting and viewing in-memory traces. |
| | string | 127.0.0.1:0 | The bind address of the HTTP service. |
| | string | tcp | The transport protocol of the HTTP service. |
| | string | | A URL path prefix for the handler. |
| | []string | [*] | A comma-separated list of allowed CORS origins. See the following chapter for more details: Access-Control-Allow-Origin at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin |
| | []string | [OPTIONS HEAD GET PUT POST DELETE MKCOL PROPFIND PROPPATCH MOVE COPY REPORT SEARCH] | A comma-separated list of allowed CORS methods. See the following chapter for more details: Access-Control-Request-Method at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method |
| | []string | [Origin Accept Content-Type Depth Authorization Ocs-Apirequest If-None-Match If-Match Destination Overwrite X-Request-Id X-Requested-With Tus-Resumable Tus-Checksum-Algorithm Upload-Concat Upload-Length Upload-Metadata Upload-Defer-Length Upload-Expires Upload-Checksum Upload-Offset X-HTTP-Method-Override Cache-Control] | A blank or comma-separated list of allowed CORS headers. See the following chapter for more details: Access-Control-Request-Headers at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. |
| | bool | true | Allow credentials for CORS. See the following chapter for more details: Access-Control-Allow-Credentials at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials. |
| | string | | The secret to mint and validate JWT tokens. |
| | string | com.owncloud.api.gateway | The CS3 gateway endpoint. |
| | string | | TLS mode for the gRPC connection to the go-micro based gRPC services. Possible values are 'off', 'insecure' and 'on'. 'off' disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification. |
| | string | | Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based gRPC services. |
| | bool | false | Disables the loading of the user’s group memberships from the reva access token. |
| | string | /users/{{.Id.OpaqueId}} | Jail requests to /dav/webdav into this CS3 namespace. Supports template layouting with CS3 User properties. |
| | string | /users/{{.Id.OpaqueId}} | Jail requests to /dav/files/{username} into this CS3 namespace. Supports template layouting with CS3 User properties. |
| | string | /Shares | The human readable path for the share jail. Relative to a user’s personal space root. Upcased intentionally. |
| | string | https://localhost:9200 | URL where oCIS is reachable for users. |
| | bool | false | Allow insecure connections to the GATEWAY service. |
| | int64 | 84300 | Request timeout in seconds for requests from the oCDAV service to the GATEWAY service. |
| | string | | Machine auth API key used to validate internal requests necessary for the access to resources from other services. |
| | string | Community | |
| | bool | false | Allow the use of depth infinity in PROPFINDs. When enabled, a PROPFIND will traverse all subfolders. If many subfolders are expected, depth infinity can cause heavy server load and/or delayed response times. |
YAML Example
Note that the filename shown below has been chosen on purpose.
See the Configuration File Naming for details when setting up your own configuration.
```yaml
# Autogenerated
# Filename: ocdav-config-example.yaml
tracing:
  enabled: false
  type: ""
  endpoint: ""
  collector: ""
log:
  level: ""
  pretty: false
  color: false
  file: ""
debug:
  addr: 127.0.0.1:9163
  token: ""
  pprof: false
  zpages: false
http:
  addr: 127.0.0.1:0
  protocol: tcp
  prefix: ""
  cors:
    allow_origins:
    - '*'
    allow_methods:
    - OPTIONS
    - HEAD
    - GET
    - PUT
    - POST
    - DELETE
    - MKCOL
    - PROPFIND
    - PROPPATCH
    - MOVE
    - COPY
    - REPORT
    - SEARCH
    allow_headers:
    - Origin
    - Accept
    - Content-Type
    - Depth
    - Authorization
    - Ocs-Apirequest
    - If-None-Match
    - If-Match
    - Destination
    - Overwrite
    - X-Request-Id
    - X-Requested-With
    - Tus-Resumable
    - Tus-Checksum-Algorithm
    - Upload-Concat
    - Upload-Length
    - Upload-Metadata
    - Upload-Defer-Length
    - Upload-Expires
    - Upload-Checksum
    - Upload-Offset
    - X-HTTP-Method-Override
    - Cache-Control
    allow_credentials: true
token_manager:
  jwt_secret: ""
reva:
  address: com.owncloud.api.gateway
  tls:
    mode: ""
    cacert: ""
skip_user_groups_in_token: false
webdav_namespace: /users/{{.Id.OpaqueId}}
files_namespace: /users/{{.Id.OpaqueId}}
shares_namespace: /Shares
public_url: https://localhost:9200
insecure: false
gateway_request_timeout: 84300
machine_auth_api_key: ""
allow_propfind_depth_infinity: false
```