Graph Service Configuration

Introduction

The Infinite Scale Graph service provides a simple graph world API which can be used by clients or other services or extensions.

Sequence Diagram

The following diagram gives an overview of the scenario in which a client requests the list of spaces the user has access to. The client's request is routed automatically through the proxy service to the graph service.

[Sequence diagram: client, proxy service, graph service; the client's "list spaces" request passes through the proxy to the graph service. The rendered diagram is not reproduced here.]

Configuration

Environment Variables

The graph extension is configured via the following environment variables:


Environment variables for the graph service. Each entry gives the variable name(s), the type, the default value where one exists, and a description. Where two names are listed they set the same option: the OCIS_ or LDAP_ variant is shared with other services, the GRAPH_ variant applies to the graph service only.

OCIS_TRACING_ENABLED, GRAPH_TRACING_ENABLED (bool, default: false)
    Activates tracing.

OCIS_TRACING_TYPE, GRAPH_TRACING_TYPE (string, default: "")
    The type of tracing. Defaults to "", which is the same as "jaeger". Allowed tracing types are "jaeger" and "" as of now.

OCIS_TRACING_ENDPOINT, GRAPH_TRACING_ENDPOINT (string, default: "")
    The endpoint of the tracing agent.

OCIS_TRACING_COLLECTOR, GRAPH_TRACING_COLLECTOR (string, default: "")
    The HTTP endpoint for sending spans directly to a collector, e.g. http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.

OCIS_LOG_LEVEL, GRAPH_LOG_LEVEL (string, default: "")
    The log level. Valid values are: "panic", "fatal", "error", "warn", "info", "debug", "trace".

OCIS_LOG_PRETTY, GRAPH_LOG_PRETTY (bool, default: false)
    Activates pretty log output.

OCIS_LOG_COLOR, GRAPH_LOG_COLOR (bool, default: false)
    Activates colorized log output.

OCIS_LOG_FILE, GRAPH_LOG_FILE (string, default: "")
    The path to the log file. Activates logging to this file if set.

OCIS_CACHE_STORE_TYPE, GRAPH_CACHE_STORE_TYPE (string, default: "")
    The type of the cache store. Valid options are "noop", "ocmem", "etcd" and "memory".

OCIS_CACHE_STORE_ADDRESS, GRAPH_CACHE_STORE_ADDRESS (string, default: "")
    A comma-separated list of addresses to connect to. Only used if the cache store type is "etcd".

OCIS_CACHE_STORE_SIZE, GRAPH_CACHE_STORE_SIZE (int, default: 0)
    Maximum number of items per table in the "ocmem" cache store. Other cache stores ignore this option and can grow indefinitely.

GRAPH_DEBUG_ADDR (string, default: 127.0.0.1:9124)
    Bind address of the debug server, where the metrics, health, config and debug endpoints are exposed. The default binds to loopback only; if you bind it to a routable address, set GRAPH_DEBUG_TOKEN.

GRAPH_DEBUG_TOKEN (string, default: "")
    Token to secure the metrics endpoint.

GRAPH_DEBUG_PPROF (bool, default: false)
    Enables pprof, which can be used for profiling.

GRAPH_DEBUG_ZPAGES (bool, default: false)
    Enables zpages, which can be used for collecting and viewing in-memory traces.

GRAPH_HTTP_ADDR (string, default: 127.0.0.1:9120)
    The bind address of the HTTP service.

GRAPH_HTTP_ROOT (string, default: /graph)
    Subdirectory that serves as the root for this HTTP service.

OCIS_HTTP_TLS_ENABLED (bool, default: false)
    Activates TLS for the HTTP based services using the server certificate and key configured via OCIS_HTTP_TLS_CERTIFICATE and OCIS_HTTP_TLS_KEY. If OCIS_HTTP_TLS_CERTIFICATE is not set, a temporary self-signed server certificate is generated, which the proxy only accepts with PROXY_INSECURE_BACKEND=true.

OCIS_HTTP_TLS_CERTIFICATE (string, default: "")
    Path/file name of the TLS server certificate (in PEM format) for the HTTP services.

OCIS_HTTP_TLS_KEY (string, default: "")
    Path/file name of the TLS private key (in PEM format) belonging to the server certificate used by the HTTP services.

REVA_GATEWAY (string, default: 127.0.0.1:9142)
    The CS3 gateway endpoint.

OCIS_GRPC_CLIENT_TLS_MODE (string, default: "")
    TLS mode for the gRPC connection to the CS3 gateway (the reva.tls.mode setting in the YAML example below). Possible values are 'off', 'insecure' and 'on'. 'off' disables transport security for the client. 'insecure' uses transport security but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security including server certificate verification.

OCIS_GRPC_CLIENT_TLS_CACERT (string, default: "")
    Path/file name of the root CA certificate (in PEM format) used to validate the TLS server certificate of the CS3 gateway (reva.tls.cacert in the YAML example).

OCIS_JWT_SECRET, GRAPH_JWT_SECRET (string, default: "")
    The secret used to mint and validate JWT tokens. Must be set to a strong, non-empty value that all services share.

OCIS_GRPC_CLIENT_TLS_MODE (string, default: "")
    The same variable also sets the TLS mode for gRPC connections to the other go-micro based gRPC services (grpc_client_tls.mode in the YAML example). Possible values are 'off', 'insecure' and 'on', with the meanings given above.

OCIS_GRPC_CLIENT_TLS_CACERT (string, default: "")
    The same variable also sets the root CA certificate (in PEM format) used to validate the TLS server certificates of the other go-micro based gRPC services (grpc_client_tls.cacert in the YAML example).

OCIS_URL, GRAPH_SPACES_WEBDAV_BASE (string, default: https://localhost:9200)
    The public facing URL of WebDAV.

GRAPH_SPACES_WEBDAV_PATH (string, default: /dav/spaces/)
    The WebDAV subpath for spaces.

GRAPH_SPACES_DEFAULT_QUOTA (string, default: 1000000000)
    The default quota in bytes.

GRAPH_SPACES_EXTENDED_SPACE_PROPERTIES_CACHE_TTL (int, default: 0)
    Max TTL in seconds for the spaces property cache.

GRAPH_IDENTITY_BACKEND (string, default: ldap)
    The user identity backend to use. Supported backend types are 'ldap' and 'cs3'.

LDAP_URI, GRAPH_LDAP_URI (string, default: ldaps://localhost:9235)
    URI of the LDAP server to connect to. Supported URI schemes are 'ldaps://' and 'ldap://'. With 'ldap://' the simple bind password is sent without TLS protection.

LDAP_CACERT, GRAPH_LDAP_CACERT (string, default: ~/.ocis/idm/ldap.crt)
    Path/file name of the root CA certificate (in PEM format) used to validate the TLS server certificate of the LDAP service.

LDAP_INSECURE, GRAPH_LDAP_INSECURE (bool, default: false)
    Disables TLS certificate validation for the LDAP connections. Do not set this in production environments; configure LDAP_CACERT instead.

LDAP_BIND_DN, GRAPH_LDAP_BIND_DN (string, default: uid=libregraph,ou=sysusers,o=libregraph-idm)
    LDAP DN to use for simple bind authentication with the target LDAP server.

LDAP_BIND_PASSWORD, GRAPH_LDAP_BIND_PASSWORD (string, default: "")
    Password used to authenticate the bind DN.

GRAPH_LDAP_SERVER_UUID (bool, default: false)
    If set to true, rely on the LDAP server to generate a unique ID for users and groups, for example when using 'entryUUID' as the user ID attribute.

GRAPH_LDAP_SERVER_USE_PASSWORD_MODIFY_EXOP (bool, default: true)
    Use the Password Modify Extended Operation for updating user passwords.

GRAPH_LDAP_SERVER_WRITE_ENABLED (bool, default: true)
    Allow creating, modifying and deleting LDAP users via the Graph API. This only works when the default schema is used. Disable it if the bind DN should have read-only access to the directory.

LDAP_USER_BASE_DN, GRAPH_LDAP_USER_BASE_DN (string, default: ou=users,o=libregraph-idm)
    Search base DN for looking up LDAP users.

LDAP_USER_SCOPE, GRAPH_LDAP_USER_SCOPE (string, default: sub)
    LDAP search scope to use when looking up users. Supported scopes are 'base', 'one' and 'sub'.

LDAP_USER_FILTER, GRAPH_LDAP_USER_FILTER (string, default: "")
    LDAP filter to add to the default filters for user searches, e.g. '(objectclass=ownCloud)'.

LDAP_USER_OBJECTCLASS, GRAPH_LDAP_USER_OBJECTCLASS (string, default: inetOrgPerson)
    The object class to use for users in the default user search filter ('inetOrgPerson').

LDAP_USER_SCHEMA_MAIL, GRAPH_LDAP_USER_EMAIL_ATTRIBUTE (string, default: mail)
    LDAP attribute to use for the email address of users.

LDAP_USER_SCHEMA_DISPLAY_NAME, GRAPH_LDAP_USER_DISPLAYNAME_ATTRIBUTE (string, default: displayName)
    LDAP attribute to use for the display name of users.

LDAP_USER_SCHEMA_USERNAME, GRAPH_LDAP_USER_NAME_ATTRIBUTE (string, default: uid)
    LDAP attribute to use for the username of users.

LDAP_USER_SCHEMA_ID, GRAPH_LDAP_USER_UID_ATTRIBUTE (string, default: owncloudUUID)
    LDAP attribute to use as the unique ID for users. This should be a stable, globally unique ID like a UUID.

LDAP_GROUP_BASE_DN, GRAPH_LDAP_GROUP_BASE_DN (string, default: ou=groups,o=libregraph-idm)
    Search base DN for looking up LDAP groups.

LDAP_GROUP_SCOPE, GRAPH_LDAP_GROUP_SEARCH_SCOPE (string, default: sub)
    LDAP search scope to use when looking up groups. Supported scopes are 'base', 'one' and 'sub'.

LDAP_GROUP_FILTER, GRAPH_LDAP_GROUP_FILTER (string, default: "")
    LDAP filter to add to the default filters for group searches.

LDAP_GROUP_OBJECTCLASS, GRAPH_LDAP_GROUP_OBJECTCLASS (string, default: groupOfNames)
    The object class to use for groups in the default group search filter ('groupOfNames').

LDAP_GROUP_SCHEMA_GROUPNAME, GRAPH_LDAP_GROUP_NAME_ATTRIBUTE (string, default: cn)
    LDAP attribute to use for the name of groups.

LDAP_GROUP_SCHEMA_ID, GRAPH_LDAP_GROUP_ID_ATTRIBUTE (string, default: owncloudUUID)
    LDAP attribute to use as the unique ID for groups. This should be a stable, globally unique ID like a UUID.

GRAPH_EVENTS_ENDPOINT (string, default: 127.0.0.1:9233)
    The address of the event system. The event system is the message queuing service used as the message broker for the microservice architecture. Set to an empty string to disable emitting events.

GRAPH_EVENTS_CLUSTER (string, default: ocis-cluster)
    The cluster ID of the event system.

OCIS_INSECURE, GRAPH_EVENTS_TLS_INSECURE (bool, default: false)
    If set to true, the TLS server certificate of the event broker is not verified. Leave it at false in production.

GRAPH_EVENTS_TLS_ROOT_CA_CERTIFICATE (string, default: "")
    The root CA certificate used to validate the event broker's TLS server certificate. If set, GRAPH_EVENTS_TLS_INSECURE is treated as false.

OCIS_EVENTS_ENABLE_TLS, GRAPH_EVENTS_ENABLE_TLS (bool, default: false)
    Enable TLS for the connection to the events broker. The events broker is the ocis service which receives and delivers events between the services.
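The table above lists several settings that silently weaken transport security or exposure when combined (an LDAP URI without TLS, an insecure gRPC client mode, a debug server bound to a routable address without a token, an event broker with verification disabled). The following Python script is an added example for this page, not code from ownCloud Infinite Scale: it resolves the graph service's effective settings from a process environment using only the variable names in the table, flags the weak combinations, and shows a weak environment next to a hardened one. It assumes, which this page does not state, that a GRAPH_* name overrides the matching OCIS_* or LDAP_* name when both are set. The two sample environments, including their hostnames and certificate paths, are constructed for illustration.

```python
"""Audit an oCIS graph service environment for weak TLS, secret and exposure
settings, using the variable names from the configuration table.

Added example, not ownCloud Infinite Scale code. Assumption (not stated on the
page): a GRAPH_* name overrides the matching global OCIS_*/LDAP_* name. The
sample environments, hostnames and paths below are constructed.
"""

# Option -> env names in override order (global first, graph-specific last).
ALIASES = {
    "ldap_uri": ("LDAP_URI", "GRAPH_LDAP_URI"),
    "ldap_insecure": ("LDAP_INSECURE", "GRAPH_LDAP_INSECURE"),
    "ldap_bind_password": ("LDAP_BIND_PASSWORD", "GRAPH_LDAP_BIND_PASSWORD"),
    "jwt_secret": ("OCIS_JWT_SECRET", "GRAPH_JWT_SECRET"),
    "grpc_tls_mode": ("OCIS_GRPC_CLIENT_TLS_MODE",),
    "http_addr": ("GRAPH_HTTP_ADDR",),
    "http_tls_enabled": ("OCIS_HTTP_TLS_ENABLED",),
    "debug_addr": ("GRAPH_DEBUG_ADDR",),
    "debug_token": ("GRAPH_DEBUG_TOKEN",),
    "debug_pprof": ("GRAPH_DEBUG_PPROF",),
    "events_endpoint": ("GRAPH_EVENTS_ENDPOINT",),
    "events_enable_tls": ("OCIS_EVENTS_ENABLE_TLS", "GRAPH_EVENTS_ENABLE_TLS"),
    "events_tls_insecure": ("OCIS_INSECURE", "GRAPH_EVENTS_TLS_INSECURE"),
    "events_root_ca": ("GRAPH_EVENTS_TLS_ROOT_CA_CERTIFICATE",),
}
# Non-empty defaults from the table; every other option defaults to "".
DEFAULTS = {"ldap_uri": "ldaps://localhost:9235", "http_addr": "127.0.0.1:9120",
            "debug_addr": "127.0.0.1:9124", "events_endpoint": "127.0.0.1:9233"}


def resolve(env, option):
    """Effective value: table default, then the global name, then GRAPH_*."""
    value = DEFAULTS.get(option, "")
    for name in ALIASES[option]:
        if name in env:
            value = env[name]
    return value


def as_bool(value):
    return value.strip().lower() in ("1", "true", "yes", "on")


def is_loopback(addr):
    """True when host:port (or [v6]:port) is bound to the local host only."""
    host = addr.rsplit(":", 1)[0].strip("[]") if ":" in addr else addr
    return host in ("127.0.0.1", "::1", "localhost")


def audit_graph_env(env):
    """Return (code, explanation) pairs for settings a reviewer should question."""
    def v(option):
        return resolve(env, option)
    findings = []
    # Directory connection: scheme and certificate validation both matter.
    if not v("ldap_uri").startswith("ldaps://"):
        findings.append(("LDAP_URI_NOT_LDAPS", "LDAP URI is not ldaps://; the bind password is sent without TLS"))
    if as_bool(v("ldap_insecure")):
        findings.append(("LDAP_INSECURE", "LDAP certificate validation disabled; set LDAP_CACERT instead"))
    if v("ldap_bind_password") == "":
        findings.append(("LDAP_BIND_PASSWORD_EMPTY", "no password configured for the LDAP bind DN"))
    # Service-to-service trust.
    if v("jwt_secret") == "":
        findings.append(("JWT_SECRET_EMPTY", "OCIS_JWT_SECRET / GRAPH_JWT_SECRET is empty"))
    mode = v("grpc_tls_mode").strip().lower()
    if mode == "off":
        findings.append(("GRPC_TLS_OFF", "gRPC client transport security is disabled"))
    elif mode == "insecure":
        findings.append(("GRPC_TLS_NO_VERIFY", "gRPC client skips server certificate verification"))
    # Listeners: the defaults are loopback-only; wider binds need TLS or a token.
    if not is_loopback(v("http_addr")) and not as_bool(v("http_tls_enabled")):
        findings.append(("HTTP_NO_TLS", f"HTTP listener {v('http_addr')} reachable off-host without TLS"))
    if not is_loopback(v("debug_addr")):
        if v("debug_token") == "":
            findings.append(("DEBUG_NO_TOKEN", f"debug server {v('debug_addr')} reachable off-host without GRAPH_DEBUG_TOKEN"))
        if as_bool(v("debug_pprof")):
            findings.append(("DEBUG_PPROF_EXPOSED", "pprof endpoints reachable off-host"))
    # Event broker: per the table, a configured root CA overrides the insecure flag.
    if not is_loopback(v("events_endpoint")):
        if not as_bool(v("events_enable_tls")):
            findings.append(("EVENTS_NO_TLS", f"event broker {v('events_endpoint')} used without TLS"))
        elif as_bool(v("events_tls_insecure")) and v("events_root_ca") == "":
            findings.append(("EVENTS_TLS_NO_VERIFY", "event broker certificate not verified and no root CA set"))
    return findings


# Constructed sample: a deployment that was opened up "for testing".
WEAK_ENV = {
    "GRAPH_LDAP_URI": "ldap://idm.example.internal:389", "LDAP_INSECURE": "true",
    "GRAPH_LDAP_BIND_PASSWORD": "", "OCIS_JWT_SECRET": "",
    "OCIS_GRPC_CLIENT_TLS_MODE": "insecure",
    "GRAPH_HTTP_ADDR": "0.0.0.0:9120", "GRAPH_DEBUG_ADDR": "0.0.0.0:9124",
    "GRAPH_DEBUG_PPROF": "true",
    "GRAPH_EVENTS_ENDPOINT": "nats.example.internal:9233",
    "GRAPH_EVENTS_ENABLE_TLS": "true", "OCIS_INSECURE": "true",
}
# Constructed sample: the same deployment with every finding addressed.
HARDENED_ENV = {
    "GRAPH_LDAP_URI": "ldaps://idm.example.internal:636",
    "GRAPH_LDAP_CACERT": "/etc/ocis/idm-ca.pem",
    "LDAP_INSECURE": "true", "GRAPH_LDAP_INSECURE": "false",  # graph-specific override (assumed precedence)
    "GRAPH_LDAP_BIND_PASSWORD": "example-bind-secret", "OCIS_JWT_SECRET": "example-jwt-secret",
    "OCIS_GRPC_CLIENT_TLS_MODE": "on", "OCIS_GRPC_CLIENT_TLS_CACERT": "/etc/ocis/grpc-ca.pem",
    "GRAPH_HTTP_ADDR": "0.0.0.0:9120", "OCIS_HTTP_TLS_ENABLED": "true",
    "OCIS_HTTP_TLS_CERTIFICATE": "/etc/ocis/graph.crt", "OCIS_HTTP_TLS_KEY": "/etc/ocis/graph.key",
    "GRAPH_DEBUG_ADDR": "127.0.0.1:9124",
    "GRAPH_EVENTS_ENDPOINT": "nats.example.internal:9233", "GRAPH_EVENTS_ENABLE_TLS": "true",
    "OCIS_INSECURE": "true", "GRAPH_EVENTS_TLS_ROOT_CA_CERTIFICATE": "/etc/ocis/nats-ca.pem",
}

if __name__ == "__main__":
    for label, env in (("weak", WEAK_ENV), ("hardened", HARDENED_ENV)):
        print(f"{label}: {len(audit_graph_env(env))} finding(s)")
        for code, why in audit_graph_env(env):
            print(f"  {code}: {why}")
```

Run it against a real deployment with `audit_graph_env(dict(os.environ))`. The hardened sample keeps OCIS_INSECURE=true deliberately to show the rule the table states for the event broker: once GRAPH_EVENTS_TLS_ROOT_CA_CERTIFICATE is set, the insecure flag no longer disables verification, so the auditor does not report it.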


YAML Example


# Autogenerated
# Filename: graph-config-example.yaml

tracing:
  enabled: false
  type: ""
  endpoint: ""
  collector: ""
log:
  level: ""
  pretty: false
  color: false
  file: ""
cache_store:
  type: ""
  address: ""
  size: 0
debug:
  addr: 127.0.0.1:9124
  token: ""
  pprof: false
  zpages: false
http:
  addr: 127.0.0.1:9120
  root: /graph
  tls:
    enabled: false
    cert: ""
    key: ""
reva:
  address: 127.0.0.1:9142
  tls:
    mode: ""
    cacert: ""
token_manager:
  jwt_secret: ""
grpc_client_tls:
  mode: ""
  cacert: ""
spaces:
  webdav_base: https://localhost:9200
  webdav_path: /dav/spaces/
  default_quota: "1000000000"
  extended_space_properties_cache_ttl: 0
identity:
  backend: ldap
  ldap:
    uri: ldaps://localhost:9235
    cacert: ~/.ocis/idm/ldap.crt
    insecure: false
    bind_dn: uid=libregraph,ou=sysusers,o=libregraph-idm
    bind_password: ""
    use_server_uuid: false
    use_password_modify_exop: true
    write_enabled: true
    user_base_dn: ou=users,o=libregraph-idm
    user_search_scope: sub
    user_filter: ""
    user_objectclass: inetOrgPerson
    user_mail_attribute: mail
    user_displayname_attribute: displayName
    user_name_attribute: uid
    user_id_attribute: owncloudUUID
    group_base_dn: ou=groups,o=libregraph-idm
    group_search_scope: sub
    group_filter: ""
    group_objectclass: groupOfNames
    group_name_attribute: cn
    group_id_attribute: owncloudUUID
events:
  endpoint: 127.0.0.1:9233
  cluster: ocis-cluster
  tls_insecure: false
  tls_root_ca_certificate: ""
  enable_tls: false