OCM Configuration

Introduction

The Infinite Scale OCM service provides federated sharing functionality based on the ScienceMesh and OCM HTTP APIs.

Overview:

  • ScienceMesh is the Federated Science Cloud Mesh that connects existing and heterogeneous sites in a transparent way. It provides a managed white list of trusted federated sites.

  • The Open Cloud Mesh Protocol defines the discovery and use of the RESTful API endpoints, request and response headers, possible response codes, request and response formats, hypermedia controls, error handling etc. Using this protocol, consumers do not need to accept a share; the shared resource is available to them immediately.

Both APIs have their roots at CERN, where providing resources to trusted partners in an easy way is key to daily scientific work.

Default Values

  • OCM listens on port 9280 by default.

Trust Between Instances

For security reasons and data protection, invitations are limited to trusted instances only. These have to be defined by the administrator before setting up any federation.

The OCM service implements an invitation workflow for trusted instances when creating federated shares.

The list of trusted instances is managed via a configuration file. The only supported backend is currently json, which stores the list of trusted instances in a json file on disk.

Example for a providers.json file:

[
    {
        "name": "Example",
        "full_name": "Example provider",
        "organization": "ownCloud",
        "domain": "example.com",
        "homepage": "https://example.com",
        "services": [
            {
                "endpoint": {
                    "type": {
                        "name": "OCM",
                        "description": "example.com Open Cloud Mesh API"
                    },
                    "name": "example.com - OCM API",
                    "path": "https://example.com/ocm/",
                    "is_monitored": true
                },
                "api_version": "0.0.1",
                "host": "example.com:port"
            }
        ]
    }
]

Note that there is no limit to adding multiple trusted providers.
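A small lint for the trust list, added here as an example and not part of the oCIS project's code: it rejects a file that is not strict JSON (for instance a trailing comma after the last provider, which the OCM service's JSON backend will not load), requires a domain on every provider, and flags OCM endpoints that are not served over https or whose hostname disagrees with the provider's domain. The embedded sample follows the providers.json layout above; its host value is a constructed assumption in place of the "example.com:port" placeholder.

```python
import json
import sys
from urllib.parse import urlparse

# Constructed sample in the providers.json layout shown above; the host value is
# an assumption standing in for the documentation's "example.com:port" placeholder.
SAMPLE_PROVIDERS = """[
  {"name": "Example", "full_name": "Example provider", "organization": "ownCloud",
   "domain": "example.com", "homepage": "https://example.com",
   "services": [{"endpoint": {"type": {"name": "OCM", "description": "example.com OCM API"},
                              "name": "example.com - OCM API", "is_monitored": true,
                              "path": "https://example.com/ocm/"},
                 "api_version": "0.0.1", "host": "example.com:443"}]}
]"""

def lint_providers(text):
    """Return the problems found in a providers.json document (empty list = OK).
    Checks: strict JSON (a trailing comma after the last provider is rejected), a
    domain on every provider, no duplicate domains, https on every OCM endpoint, and
    an endpoint hostname equal to the provider's domain (keeps the trust list consistent)."""
    try:
        providers = json.loads(text)
    except json.JSONDecodeError as e:
        return [f"not valid JSON: {e.msg} (line {e.lineno}, column {e.colno})"]
    if not isinstance(providers, list):
        return ["top-level value must be a list of providers"]
    problems, seen = [], set()
    for i, p in enumerate(providers):
        domain = p.get("domain")
        if not domain:
            problems.append(f"provider #{i}: missing domain")
            continue
        if domain in seen:
            problems.append(f"provider #{i}: duplicate domain {domain}")
        seen.add(domain)
        for svc in p.get("services", []):
            ep = svc.get("endpoint", {})
            if ep.get("type", {}).get("name") != "OCM":
                continue  # only the OCM endpoint matters for federation trust
            url = urlparse(ep.get("path", ""))
            if url.scheme != "https":
                problems.append(f"{domain}: OCM endpoint {ep.get('path')!r} is not https")
            if url.hostname != domain:
                problems.append(f"{domain}: endpoint host {url.hostname!r} != domain")
    return problems

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PROVIDERS
    for line in lint_providers(text) or ["OK: no problems found"]:
        print(line)
```

Run it with the path of the providers file as the only argument; without an argument it lints the embedded sample.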

Invitation Workflow

Before sharing a resource with a remote user, that user has to be invited by the sharer.

In order to do so, a request is sent to the ScienceMesh API. The generated token is passed on to the receiver, who will then accept the invitation. As a result, remote users will be added on both sides.

The data backend for the workflow, not the data itself, is configurable. The only supported backend is currently json which stores the data in a json file on disk.

Creating Shares

OCM Shares are currently created using the OCS API, just like regular shares.

The data backend for the workflow, not the data itself, is configurable. The only currently supported backend is json which stores the data in a json file on disk.

Configuration

Environment Variables

The ocm service is configured via the following environment variables. Read the Environment Variable Types documentation for important details.

Environment variables for the ocm service (name, type, default value, description):

OCIS_TRACING_ENABLED / OCM_TRACING_ENABLED (bool, default: false)
  Activates tracing.

OCIS_TRACING_TYPE / OCM_TRACING_TYPE (string, no default)
  The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.

OCIS_TRACING_ENDPOINT / OCM_TRACING_ENDPOINT (string, no default)
  The endpoint of the tracing agent.

OCIS_TRACING_COLLECTOR / OCM_TRACING_COLLECTOR (string, no default)
  The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.

OCIS_LOG_LEVEL / OCM_LOG_LEVEL (string, no default)
  The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.

OCIS_LOG_PRETTY / OCM_LOG_PRETTY (bool, default: false)
  Activates pretty log output.

OCIS_LOG_COLOR / OCM_LOG_COLOR (bool, default: false)
  Activates colorized log output.

OCIS_LOG_FILE / OCM_LOG_FILE (string, no default)
  The path to the log file. Activates logging to this file if set.

OCM_DEBUG_ADDR (string, default: 127.0.0.1:9281)
  Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.

OCM_DEBUG_TOKEN (string, no default)
  Token to secure the metrics endpoint.

OCM_DEBUG_PPROF (bool, default: false)
  Enables pprof, which can be used for profiling.

OCM_DEBUG_ZPAGES (bool, default: false)
  Enables zpages, which can be used for collecting and viewing in-memory traces.

OCM_HTTP_ADDR (string, default: 127.0.0.1:9280)
  The bind address of the HTTP service.

OCM_HTTP_PROTOCOL (string, default: tcp)
  The transport protocol of the HTTP service.

OCM_HTTP_PREFIX (string, no default)
  The path prefix where OCM can be accessed (defaults to /).

OCIS_CORS_ALLOW_ORIGINS / OCM_CORS_ALLOW_ORIGINS ([]string, default: [https://localhost:9200])
  A list of allowed CORS origins. See following chapter for more details: Access-Control-Allow-Origin at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.

OCIS_CORS_ALLOW_METHODS / OCM_CORS_ALLOW_METHODS ([]string, default: [OPTIONS HEAD GET PUT POST DELETE MKCOL PROPFIND PROPPATCH MOVE COPY REPORT SEARCH])
  A list of allowed CORS methods. See following chapter for more details: Access-Control-Request-Method at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.

OCIS_CORS_ALLOW_HEADERS / OCM_CORS_ALLOW_HEADERS ([]string, default: [Origin Accept Content-Type Depth Authorization Ocs-Apirequest If-None-Match If-Match Destination Overwrite X-Request-Id X-Requested-With Tus-Resumable Tus-Checksum-Algorithm Upload-Concat Upload-Length Upload-Metadata Upload-Defer-Length Upload-Expires Upload-Checksum Upload-Offset X-HTTP-Method-Override Cache-Control])
  A list of allowed CORS headers. See following chapter for more details: Access-Control-Request-Headers at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.

OCIS_CORS_ALLOW_CREDENTIALS / OCM_CORS_ALLOW_CREDENTIALS (bool, default: false)
  Allow credentials for CORS. See following chapter for more details: Access-Control-Allow-Credentials at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.

OCM_GRPC_ADDR (string, default: 127.0.0.1:9282)
  The bind address of the GRPC service.

OCM_GRPC_PROTOCOL (string, no default)
  The transport protocol of the GRPC service.

OCIS_SERVICE_ACCOUNT_ID / OCM_SERVICE_ACCOUNT_ID (string, no default)
  The ID of the service account the service should use. See the 'auth-service' service description for more details.

OCIS_SERVICE_ACCOUNT_SECRET / OCM_SERVICE_ACCOUNT_SECRET (string, no default)
  The service account secret.

OCIS_REVA_GATEWAY (string, default: com.owncloud.api.gateway)
  The CS3 gateway endpoint.

OCIS_GRPC_CLIENT_TLS_MODE (string, no default)
  TLS mode for grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off': disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.

OCIS_GRPC_CLIENT_TLS_CACERT (string, no default)
  Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.

OCM_OCMD_PREFIX (string, default: ocm)
  URL path prefix for the OCMD service. Note that the string must not start with '/'.

OCM_OCMD_EXPOSE_RECIPIENT_DISPLAY_NAME (bool, default: false)
  Expose the display name of OCM share recipients.

OCM_SCIENCEMESH_PREFIX (string, default: sciencemesh)
  URL path prefix for the ScienceMesh service. Note that the string must not start with '/'.

OCM_MESH_DIRECTORY_URL (string, no default)
  URL of the mesh directory service.

OCM_OCM_INVITE_MANAGER_DRIVER (string, default: json)
  Driver to be used to persist OCM invites. Supported value is only 'json'.

OCM_OCM_INVITE_MANAGER_JSON_FILE (string, default: /var/lib/ocis/storage/ocm/ocminvites.json)
  Path to the JSON file where OCM invite data will be stored. If not defined, the root directory derives from $OCIS_BASE_DATA_PATH:/storage.

OCM_OCM_INVITE_MANAGER_INSECURE (bool, default: false)
  Disable TLS certificate validation for the OCM connections. Do not set this in production environments.

SHARING_OCM_PROVIDER_AUTHORIZER_DRIVER (string, default: json)
  Driver to be used to persist ocm invites. Supported value is only 'json'.

OCM_OCM_PROVIDER_AUTHORIZER_PROVIDERS_FILE (string, default: /var/lib/ocis/storage/ocm/ocmproviders.json)
  Path to the JSON file where ocm invite data will be stored. If not defined, the root directory derives from $OCIS_BASE_DATA_PATH:/storage.

OCM_OCM_PROVIDER_AUTHORIZER_VERIFY_REQUEST_HOSTNAME (bool, default: false)
  Verify the hostname of the incoming request against the hostname of the OCM provider.

OCM_OCM_SHARE_PROVIDER_DRIVER (string, default: json)
  Driver to be used for the OCM share provider. Supported value is only 'json'.

OCM_OCM_SHAREPROVIDER_JSON_FILE (string, default: /var/lib/ocis/storage/ocm/ocmshares.json)
  Path to the JSON file where OCM share data will be stored. If not defined, the root directory derives from $OCIS_BASE_DATA_PATH:/storage.

OCM_OCM_SHARE_PROVIDER_INSECURE (bool, default: false)
  Disable TLS certificate validation for the OCM connections. Do not set this in production environments.

OCM_WEBAPP_TEMPLATE (string, no default)
  Template for the webapp url.

OCM_OCM_CORE_DRIVER (string, default: json)
  Driver to be used for the OCM core. Supported value is only 'json'.

OCM_OCM_CORE_JSON_FILE (string, default: /var/lib/ocis/storage/ocm/ocmshares.json)
  Path to the JSON file where OCM share data will be stored. If not defined, the root directory derives from $OCIS_BASE_DATA_PATH:/storage.

OCM_OCM_STORAGE_PROVIDER_INSECURE (bool, default: false)
  Disable TLS certificate validation for the OCM connections. Do not set this in production environments.

OCM_OCM_STORAGE_PROVIDER_STORAGE_ROOT (string, default: /var/lib/ocis/storage/ocm)
  Directory where the ocm storage provider persists its data like tus upload info files.

YAML Example

# Autogenerated
# Filename: ocm-config-example.yaml

tracing:
  enabled: false
  type: ""
  endpoint: ""
  collector: ""
log:
  level: ""
  pretty: false
  color: false
  file: ""
debug:
  addr: 127.0.0.1:9281
  token: ""
  pprof: false
  zpages: false
http:
  addr: 127.0.0.1:9280
  protocol: tcp
  prefix: ""
  cors:
    allow_origins:
    - https://localhost:9200
    allow_methods:
    - OPTIONS
    - HEAD
    - GET
    - PUT
    - POST
    - DELETE
    - MKCOL
    - PROPFIND
    - PROPPATCH
    - MOVE
    - COPY
    - REPORT
    - SEARCH
    allow_headers:
    - Origin
    - Accept
    - Content-Type
    - Depth
    - Authorization
    - Ocs-Apirequest
    - If-None-Match
    - If-Match
    - Destination
    - Overwrite
    - X-Request-Id
    - X-Requested-With
    - Tus-Resumable
    - Tus-Checksum-Algorithm
    - Upload-Concat
    - Upload-Length
    - Upload-Metadata
    - Upload-Defer-Length
    - Upload-Expires
    - Upload-Checksum
    - Upload-Offset
    - X-HTTP-Method-Override
    - Cache-Control
    allow_credentials: false
middleware:
  auth:
    credentials_by_user_agent: {}
grpc:
  addr: 127.0.0.1:9282
  tls: null
  protocol: ""
grpc_client_tls: null
service_account:
  service_account_id: ""
  service_account_secret: ""
reva:
  address: com.owncloud.api.gateway
  tls:
    mode: ""
    cacert: ""
ocmd:
  prefix: ocm
  expose_recipient_display_name: false
sciencemesh:
  prefix: sciencemesh
  science_mesh_directory_url: ""
ocm_invite_manager:
  driver: json
  drivers:
    json:
      file: /var/lib/ocis/storage/ocm/ocminvites.json
  insecure: false
ocm_provider_authorizer_driver: json
ocm_provider_authorizer_drivers:
  json:
    providers: /var/lib/ocis/storage/ocm/ocmproviders.json
    verify_request_hostname: false
ocm_share_provider:
  driver: json
  drivers:
    json:
      file: /var/lib/ocis/storage/ocm/ocmshares.json
  insecure: false
  webapp_template: ""
ocm_core:
  driver: json
  drivers:
    json:
      file: /var/lib/ocis/storage/ocm/ocmshares.json
ocm_storage_provider:
  insecure: false
  storage_root: /var/lib/ocis/storage/ocm