Graph Service Configuration
Introduction
The Infinite Scale graph service provides a simple graph world API which can be used by clients, other services or extensions.
Manual Filters
Using the API, you can filter manually, for example for users. See the Libre Graph API for examples in the developer documentation. Note that you can combine filter expressions with 'and' and 'or' to refine results.
Sequence Diagram
The following image gives an overview of the scenario in which a client requests the list of spaces the user has access to. The client's request is routed automatically via the proxy service to the graph service.
Configuration
Environment Variables
The graph service is configured via the settings below. Each setting is listed by its key in the YAML configuration file (see the YAML example further down for the full structure); every setting can also be set through an environment variable.

| YAML key | Type | Default Value | Description |
|---|---|---|---|
| tracing.enabled | bool | false | Activates tracing. |
| tracing.type | string | | The type of tracing. Defaults to "", which is the same as "jaeger". Allowed tracing types are "jaeger" and "" as of now. |
| tracing.endpoint | string | | The endpoint of the tracing agent. |
| tracing.collector | string | | The HTTP endpoint for sending spans directly to a collector, e.g. http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset. |
| log.level | string | | The log level. Valid values are: "panic", "fatal", "error", "warn", "info", "debug", "trace". |
| log.pretty | bool | false | Activates pretty log output. |
| log.color | bool | false | Activates colorized log output. |
| log.file | string | | The path to the log file. Activates logging to this file if set. |
| cache.store | string | memory | The type of the cache store. Supported values are: 'memory', 'ocmem', 'etcd', 'redis', 'redis-sentinel', 'nats-js', 'noop'. See the text description for details. |
| cache.nodes | []string | [] | A comma-separated list of nodes to connect to. This has no effect when 'in-memory' stores are configured. Note that how the nodes are used depends on the library of the configured store. |
| cache.database | string | graph | The database name the configured store should use. |
| cache.table | string | roles | The database table the store should use. |
| cache.ttl | Duration | 336h0m0s | Time to live for cache records in the graph. The duration can be set as a number followed by a unit identifier like s, m or h. Defaults to '336h' (2 weeks). |
| cache.size | int | 0 | The maximum quantity of items in the store. Only applies when store type 'ocmem' is configured. Defaults to 512. |
| debug.addr | string | 127.0.0.1:9124 | Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed. |
| debug.token | string | | Token to secure the metrics endpoint. |
| debug.pprof | bool | false | Enables pprof, which can be used for profiling. |
| debug.zpages | bool | false | Enables zpages, which can be used for collecting and viewing in-memory traces. |
| http.addr | string | 127.0.0.1:9120 | The bind address of the HTTP service. |
| http.root | string | /graph | Subdirectory that serves as the root for this HTTP service. |
| http.tls.enabled | bool | false | Activates TLS for the HTTP based services using the server certificate and key configured via OCIS_HTTP_TLS_CERTIFICATE and OCIS_HTTP_TLS_KEY. If OCIS_HTTP_TLS_CERTIFICATE is not set, a temporary server certificate is generated, to be used with PROXY_INSECURE_BACKEND=true. |
| http.tls.cert | string | | Path/File name of the TLS server certificate (in PEM format) for the HTTP services. |
| http.tls.key | string | | Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the HTTP services. |
| http.apitoken | string | | An optional API bearer token. |
| api.group_members_patch_limit | int | 20 | The number of group members allowed to be added with a single patch request. |
| api.graph_username_match | string | default | Option to allow legacy usernames. Supported options are 'default' and 'none'. |
| api.graph_assign_default_user_role | bool | true | Whether to assign newly created users the default role 'User'. Set this to 'false' if you want to assign roles manually, or if the role assignment should happen at first login. Set this to 'true' (the default) to assign the role 'User' when creating a new user. |
| reva.address | string | 127.0.0.1:9142 | The CS3 gateway endpoint. |
| reva.tls.mode | string | | TLS mode for the gRPC connection to the go-micro based gRPC services. Possible values are 'off', 'insecure' and 'on'. 'off' disables transport security for the clients. 'insecure' uses transport security but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification. |
| reva.tls.cacert | string | | Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based gRPC services. |
| token_manager.jwt_secret | string | | The secret to mint and validate JWT tokens. |
| application.id | string | | The oCIS application ID shown in the graph. All app roles are tied to this. |
| application.displayname | string | ownCloud Infinite Scale | The oCIS application name. |
| spaces.webdav_base | string | https://localhost:9200 | The public facing URL of WebDAV. |
| spaces.webdav_path | string | /dav/spaces/ | The WebDAV subpath for spaces. |
| spaces.default_quota | string | 1000000000 | The default quota in bytes. |
| spaces.extended_space_properties_cache_ttl | int | 0 | Max TTL in seconds for the spaces property cache. |
| spaces.users_cache_ttl | int | 1800000000000 | Max TTL in seconds for the spaces users cache. |
| spaces.groups_cache_ttl | int | 1800000000000 | Max TTL in seconds for the spaces groups cache. |
| identity.backend | string | ldap | The user identity backend to use. Supported backend types are 'ldap' and 'cs3'. |
| identity.ldap.uri | string | ldaps://localhost:9235 | URI of the LDAP server to connect to. Supported URI schemes are 'ldaps://' and 'ldap://'. |
| identity.ldap.cacert | string | ~/.ocis/idm/ldap.crt | Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the LDAP service. If not defined, the root directory derives from $OCIS_BASE_DATA_PATH:/idm. |
| identity.ldap.insecure | bool | false | Disable TLS certificate validation for the LDAP connections. Do not set this in production environments. |
| identity.ldap.bind_dn | string | uid=libregraph,ou=sysusers,o=libregraph-idm | LDAP DN to use for simple bind authentication with the target LDAP server. |
| identity.ldap.bind_password | string | | Password to use for authenticating the 'bind_dn'. |
| identity.ldap.use_server_uuid | bool | false | If set to true, rely on the LDAP server to generate a unique ID for users and groups, like when using 'entryUUID' as the user ID attribute. |
| identity.ldap.use_password_modify_exop | bool | true | Use the Password Modify Extended Operation for updating user passwords. |
| identity.ldap.write_enabled | bool | true | Allow creating, modifying and deleting LDAP users via the Graph API. This only works when the default schema is used. |
| identity.ldap.refint_enabled | bool | false | Signals that the server has the refint plugin enabled, which makes some actions unnecessary. |
| identity.ldap.user_base_dn | string | ou=users,o=libregraph-idm | Search base DN for looking up LDAP users. |
| identity.ldap.user_search_scope | string | sub | LDAP search scope to use when looking up users. Supported scopes are 'base', 'one' and 'sub'. |
| identity.ldap.user_filter | string | | LDAP filter to add to the default filters for user search, like '(objectclass=ownCloud)'. |
| identity.ldap.user_objectclass | string | inetOrgPerson | The object class to use for users in the default user search filter ('inetOrgPerson'). |
| identity.ldap.user_mail_attribute | string | mail | LDAP attribute to use for the email address of users. |
| identity.ldap.user_displayname_attribute | string | displayName | LDAP attribute to use for the display name of users. |
| identity.ldap.user_name_attribute | string | uid | LDAP attribute to use for the username of users. |
| identity.ldap.user_id_attribute | string | owncloudUUID | LDAP attribute to use as the unique ID for users. This should be a stable, globally unique ID like a UUID. |
| identity.ldap.user_type_attribute | string | ownCloudUserType | LDAP attribute to distinguish between 'Member' and 'Guest' users. Default is 'ownCloudUserType'. |
| identity.ldap.user_enabled_attribute | string | ownCloudUserEnabled | LDAP attribute to use as a flag telling whether the user is enabled or disabled. |
| identity.ldap.disable_user_mechanism | string | attribute | An option to control the behavior for disabling users. Supported options are 'none', 'attribute' and 'group'. If set to 'group', disabling a user via the API will add the user to the configured group for disabled users; if set to 'attribute', this will be done in the LDAP user entry; if set to 'none', the disable request is not processed. Default is 'attribute'. |
| identity.ldap.ldap_disabled_users_group_dn | string | cn=DisabledUsersGroup,ou=groups,o=libregraph-idm | The distinguished name of the group to which users are added to classify them as disabled when 'disable_user_mechanism' is set to 'group'. |
| identity.ldap.group_base_dn | string | ou=groups,o=libregraph-idm | Search base DN for looking up LDAP groups. |
| identity.ldap.group_search_scope | string | sub | LDAP search scope to use when looking up groups. Supported scopes are 'base', 'one' and 'sub'. |
| identity.ldap.group_filter | string | | LDAP filter to add to the default filters for group searches. |
| identity.ldap.group_objectclass | string | groupOfNames | The object class to use for groups in the default group search filter ('groupOfNames'). |
| identity.ldap.group_name_attribute | string | cn | LDAP attribute to use for the name of groups. |
| identity.ldap.group_id_attribute | string | owncloudUUID | LDAP attribute to use as the unique ID for groups. This should be a stable, globally unique ID like a UUID. |
| identity.ldap.education_resources_enabled | bool | false | Enable LDAP support for managing education related resources. |
| identity.ldap.educationconfig.school_base_dn | string | | Search base DN for looking up LDAP schools. |
| identity.ldap.educationconfig.school_search_scope | string | | LDAP search scope to use when looking up schools. Supported scopes are 'base', 'one' and 'sub'. |
| identity.ldap.educationconfig.school_filter | string | | LDAP filter to add to the default filters for school searches. |
| identity.ldap.educationconfig.school_objectclass | string | | The object class to use for schools in the default school search filter. |
| identity.ldap.educationconfig.school_name_attribute | string | | LDAP attribute to use for the name of a school. |
| identity.ldap.educationconfig.school_number_attribute | string | | LDAP attribute to use for the number of a school. |
| identity.ldap.educationconfig.school_id_attribute | string | | LDAP attribute to use as the unique ID for schools. This should be a stable, globally unique ID like a UUID. |
| events.endpoint | string | 127.0.0.1:9233 | The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Set to an empty string to disable emitting events. |
| events.cluster | string | ocis-cluster | The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. |
| events.tls_insecure | bool | false | Whether to verify the server TLS certificates. |
| events.tls_root_ca_certificate | string | | The root CA certificate used to validate the server's TLS certificate. If provided, GRAPH_EVENTS_TLS_INSECURE will be seen as false. |
| events.enable_tls | bool | false | Enable TLS for the connection to the events broker. The events broker is the oCIS service which receives and delivers events between the services. |
YAML Example
Note that the filename shown below has been chosen on purpose.
See the Configuration File Naming for details when setting up your own configuration.
```yaml
# Autogenerated
# Filename: graph-config-example.yaml
tracing:
  enabled: false
  type: ""
  endpoint: ""
  collector: ""
log:
  level: ""
  pretty: false
  color: false
  file: ""
cache:
  store: memory
  nodes: []
  database: graph
  table: roles
  ttl: 336h0m0s
  size: 0
debug:
  addr: 127.0.0.1:9124
  token: ""
  pprof: false
  zpages: false
http:
  addr: 127.0.0.1:9120
  root: /graph
  tls:
    enabled: false
    cert: ""
    key: ""
  apitoken: ""
api:
  group_members_patch_limit: 20
  graph_username_match: default
  graph_assign_default_user_role: true
reva:
  address: 127.0.0.1:9142
  tls:
    mode: ""
    cacert: ""
token_manager:
  jwt_secret: ""
grpc_client_tls: null
application:
  id: ""
  displayname: ownCloud Infinite Scale
spaces:
  webdav_base: https://localhost:9200
  webdav_path: /dav/spaces/
  default_quota: "1000000000"
  extended_space_properties_cache_ttl: 0
  users_cache_ttl: 1800000000000
  groups_cache_ttl: 1800000000000
identity:
  backend: ldap
  ldap:
    uri: ldaps://localhost:9235
    cacert: ~/.ocis/idm/ldap.crt
    insecure: false
    bind_dn: uid=libregraph,ou=sysusers,o=libregraph-idm
    bind_password: ""
    use_server_uuid: false
    use_password_modify_exop: true
    write_enabled: true
    refint_enabled: false
    user_base_dn: ou=users,o=libregraph-idm
    user_search_scope: sub
    user_filter: ""
    user_objectclass: inetOrgPerson
    user_mail_attribute: mail
    user_displayname_attribute: displayName
    user_name_attribute: uid
    user_id_attribute: owncloudUUID
    user_type_attribute: ownCloudUserType
    user_enabled_attribute: ownCloudUserEnabled
    disable_user_mechanism: attribute
    ldap_disabled_users_group_dn: cn=DisabledUsersGroup,ou=groups,o=libregraph-idm
    group_base_dn: ou=groups,o=libregraph-idm
    group_search_scope: sub
    group_filter: ""
    group_objectclass: groupOfNames
    group_name_attribute: cn
    group_id_attribute: owncloudUUID
    education_resources_enabled: false
    educationconfig:
      school_base_dn: ""
      school_search_scope: ""
      school_filter: ""
      school_objectclass: ""
      school_name_attribute: ""
      school_number_attribute: ""
      school_id_attribute: ""
events:
  endpoint: 127.0.0.1:9233
  cluster: ocis-cluster
  tls_insecure: false
  tls_root_ca_certificate: ""
  enable_tls: false
```
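As an added example (not part of the oCIS documentation or code base), the following Python audit walks a graph configuration that has already been loaded into a dict (for instance with yaml.safe_load on a file like the one above) and flags the settings this reference describes as weakening transport security or secrets: a plaintext or unverified LDAP connection, gRPC TLS modes 'off' and 'insecure', an unencrypted or unverified events broker connection, and empty secrets. The two sample configs, the hostnames and file paths in them, and the severity labels are this example's own constructed placeholders.

```python
"""Audit a loaded oCIS graph-service config (a dict, e.g. from yaml.safe_load) for weak settings."""
from typing import Any

Finding = tuple[str, str, str]  # (severity, yaml key path, message)

def _get(cfg: dict, path: str, default: Any = None) -> Any:
    """Walk a dotted key path through nested dicts, e.g. 'identity.ldap.insecure'."""
    node: Any = cfg
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return default
        node = node[part]
    return node

def audit_graph_config(cfg: dict) -> list[Finding]:
    """Return findings for the transport-security and secret settings of the reference above."""
    f: list[Finding] = []
    # LDAP backend: a plaintext scheme or disabled certificate validation exposes the bind credentials.
    if str(_get(cfg, "identity.ldap.uri", "")).startswith("ldap://"):
        f.append(("high", "identity.ldap.uri", "plaintext ldap:// scheme; use ldaps:// and set cacert"))
    if _get(cfg, "identity.ldap.insecure") is True:
        f.append(("high", "identity.ldap.insecure", "LDAP certificate validation disabled"))
    if not _get(cfg, "identity.ldap.bind_password"):
        f.append(("medium", "identity.ldap.bind_password", "empty bind password"))
    # gRPC clients: 'off' sends plaintext, 'insecure' skips server certificate verification.
    for key in ("reva.tls.mode", "grpc_client_tls.mode"):
        mode = _get(cfg, key)
        if mode in ("off", "insecure"):
            f.append(("high", key, f"gRPC TLS mode '{mode}'; set 'on' and configure cacert"))
    # Events broker: TLS disabled, or verification disabled without a root CA overriding it.
    if _get(cfg, "events.enable_tls") is not True:
        f.append(("high", "events.enable_tls", "TLS to the events broker disabled"))
    elif _get(cfg, "events.tls_insecure") is True and not _get(cfg, "events.tls_root_ca_certificate"):
        f.append(("high", "events.tls_insecure", "broker certificate verification disabled"))
    # The JWT secret signs every token the service mints; an empty one must never ship.
    if not _get(cfg, "token_manager.jwt_secret"):
        f.append(("high", "token_manager.jwt_secret", "empty JWT secret"))
    return f

# Constructed sample configs (not from any real deployment); angle-bracket values are placeholders.
WEAK_CONFIG = {
    "reva": {"tls": {"mode": "insecure", "cacert": ""}}, "token_manager": {"jwt_secret": ""},
    "identity": {"backend": "ldap", "ldap": {"uri": "ldap://idm.example.test:389", "insecure": True,
                 "bind_dn": "uid=libregraph,ou=sysusers,o=libregraph-idm", "bind_password": ""}},
    "events": {"tls_insecure": False, "tls_root_ca_certificate": "", "enable_tls": False},
}
HARDENED_CONFIG = {
    "reva": {"tls": {"mode": "on", "cacert": "/etc/ocis/tls/ca.pem"}},
    "grpc_client_tls": {"mode": "on", "cacert": "/etc/ocis/tls/ca.pem"},
    "token_manager": {"jwt_secret": "<long-random-secret>"},
    "identity": {"backend": "ldap", "ldap": {"uri": "ldaps://idm.example.test:636", "insecure": False,
                 "cacert": "/etc/ocis/tls/ldap-ca.pem", "bind_password": "<from-secret-store>"}},
    "events": {"tls_insecure": False, "tls_root_ca_certificate": "/etc/ocis/tls/nats-ca.pem", "enable_tls": True},
}

if __name__ == "__main__":
    for severity, key, message in audit_graph_config(WEAK_CONFIG):
        print(f"{severity:<6} {key}: {message}")
```

Running the block against WEAK_CONFIG lists six findings; the hardened config produces none, which is the state to aim for before exposing the service.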