Settings Service Configuration

Table of Contents

Introduction
Default Values
Settings Managed
Settings Management
Settings Usage
Service Accounts
Translations
- Translation Rules
- Default Language
Default Language
Custom Roles
Caching
Event Bus Configuration
Configuration
- Environment Variables
- YAML Example

Introduction

The Infinite Scale Settings service provides functionality for other services to register new settings as well as storing and retrieving the respective settings' values.

Default Values

Settings listens on port 9190 by default.

Settings Managed

The settings service is currently used for managing the:

users' profile settings like the language and the email notification settings,
possible user roles and their respective permissions,
assignment of roles to users.

As an example, user profile settings that can be changed in the Web UI must be persistent.

The settings service supports two different backends for persisting the data. The backend can be set via the SETTINGS_STORE_TYPE environment variable. Supported values are:

metadata: The default. This backend persists the settings data via the storage-system service.
filesystem: This backend persists the settings data in a directory on the local filesystem. The directory can be configured with SETTINGS_DATA_PATH. This backend is not suitable for running multiple intances of the settings service in a scale-out deployment and should be therefore considered deprecated.

Settings Management

Infinite Scale services can register settings bundles with the settings service.

Settings Usage

Services can set or query Infinite Scale setting values of a user from settings bundles.

Service Accounts

The settings service needs to know the IDs of service accounts but it doesn’t need their secrets. Currently only one service account can be configured which has the admin role. This can be set with the SETTINGS_SERVICE_ACCOUNT_ID_ADMIN envvar, but it will also pick up the global OCIS_SERVICE_ACCOUNT_ID envvar. Also see the auth-service service description for additional details.

Translations

The settings service has embedded translations sourced via transifex to provide a basic set of translated languages. These embedded translations are available for all deployment scenarios. In addition, the service supports custom translations, though it is currently not possible to just add custom translations to embedded ones. If custom translations are configured, the embedded ones are not used. To configure custom translations, the SETTINGS_TRANSLATION_PATH environment variable needs to point to a base folder that will contain the translation files. This path must be available from all instances of the userlog service, a shared storage is recommended. Translation files must be of type .po or .mo. For each language, the filename needs to be settings.po (or settings.mo) and stored in a folder structure defining the language code. In general the path/name pattern for a translation file needs to be:

{SETTINGS_TRANSLATION_PATH}/{language-code}/LC_MESSAGES/settings.po

The language code pattern is composed of language[_territory] where language is the base language and _territory is optional and defines a country.

For example, for the language de, one needs to place the corresponding translation files to

{SETTINGS_TRANSLATION_PATH}/de/LC_MESSAGES/settings.po

For the time being, the embedded ownCloud Web frontend only supports the main language code but does not handle any territory. When strings are available in the language code language_territory, the web frontend does not see it as it only requests language. In consequence, any translations made must exist in the requested language to avoid a fallback to the default.

Translation Rules

If a requested language code is not available, the service tries to fall back to the base language if available. For example, if the requested language-code de_DE is not available, the service tries to fall back to translations in the de folder.
If the base language de is also not available, the service falls back to the system’s default English (en), which is the source of the texts provided by the code.

Default Language

The default language can be defined via the OCIS_DEFAULT_LANGUAGE environment variable. See the settings service for a detailed description.

Default Language

The default language can be defined via the OCIS_DEFAULT_LANGUAGE environment variable. If this variable is not defined, English will be used as default. The value has the ISO 639-1 format ("de", "en", etc.) and is limited to the list of supported languages. This setting can be used to set the default language for notification and invitation emails.

The OCIS_DEFAULT_LANGUAGE setting impacts the notification and userlog services and the WebUI. Note that translations must exist for all named components to be presented correctly.

If OCIS_DEFAULT_LANGUAGE is not set, the expected behavior is:
- The notification and userlog services and the Web UI use English by default, until a user sets another language in the Web UI via Account Language.
- If a user sets another language in the Web UI in Account Language, then the notification and userlog services and Web UI use the language defined by the user. If no translation is found, it falls back to English.
If OCIS_DEFAULT_LANGUAGE is set, the expected behavior is:
- The notification and userlog services and the Web UI use OCIS_DEFAULT_LANGUAGE by default, until a user sets another language in the Web UI via Account Language.
- If a user sets another language in the Web UI in Account Language, the notification and userlog services and Web UI use the language defined by the user. If no translation is found, it falls back to OCIS_DEFAULT_LANGUAGE and then to English.

Custom Roles

It is possible to replace the default Infinite Scale roles (admin, user) with custom roles that contain custom permissions. One can set SETTINGS_BUNDLES_PATH to the path of a json file containing the new role definition.

Role Example (shortned):

[
    {
        "id": "38071a68-456a-4553-846a-fa67bf5596cc", // ID of the role. Recommendation is to use a random uuidv4. But any unique string will do.
        "name": "user-light",                         // Internal name of the role. This is used by the system to identify the role. Any string will do here, but it should be unique among the other roles.
        "type": "TYPE_ROLE",                          // Always use `TYPE_ROLE`
        "extension": "ocis-roles",                    // Always use `ocis-roles`
        "displayName": "User Light",                  // DisplayName of the role used in webui
        "settings": [
        ],                                            // Permissions attached to the role. See Details below.
        "resource": {
            "type": "TYPE_SYSTEM"                     // Always use `TYPE_SYSTEM`
        }
    }
]

To create custom roles:

Copy the role example to a json file.
Change id, name, and displayName according your requirements.
Copy the desired permissions from the user-all-permissions example to the settings array of the role.
Set the SETTINGS_BUNDLE_PATH environment variable to the path/json-file and (re)start Infinite Scale.

See the full Custom Roles json example in the developer documentation for more details.

Caching

When using SETTINGS_STORE_TYPE=metadata, the settings service caches the results of queries against the storage backend to provide faster responses. The content of this cache is independent of the cache used in the storage-system service as it caches directory listing and settings content stored in files.

The settings service can use a configured store via the global OCIS_CACHE_STORE environment variable.

Note that for each global environment variable, an independent service-based one might be available additionally. For precedences see Environment Variable Notes. Check the configuration section below. Supported stores are:

Store Type Description

Store Type	Description
`memory`	Basic in-memory store. Will not survive a restart. Usually the default for caches. See the store environment variable for which one is used.
`nats-js-kv`	Stores data using key-value-store feature of NATS JetStream. Usually the default for stores, see the store environment variable for which one is used.
`redis-sentinel`	Stores data in a configured Redis Sentinel cluster.
`noop`	Stores nothing. Useful for testing. Not recommended in production environments.

memory

Basic in-memory store. Will not survive a restart.
Usually the default for caches. See the store environment variable for which one is used.

nats-js-kv

Stores data using key-value-store feature of NATS JetStream.
Usually the default for stores, see the store environment variable for which one is used.

redis-sentinel

Stores data in a configured Redis Sentinel cluster.

noop

Stores nothing. Useful for testing. Not recommended in production environments.

The settings service can only be scaled if not using the memory store and the stores are configured identically over all instances!

If you have used one of the deprecated stores of a former version, you should reconfigure to use one of the supported ones as the deprecated stores will be removed in a later version.

Store specific notes

When using redis-sentinel:
The Redis master to use is configured via e.g. OCIS_CACHE_STORE_NODES in the form of <sentinel-host>:<sentinel-port>/<redis-master> like 10.10.0.200:26379/mymaster.
When using nats-js-kv:
- It is recommended to set OCIS_CACHE_STORE_NODES to the same value as OCIS_EVENTS_ENDPOINT. That way the cache uses the same nats instance as the event bus. See the Event Bus Configuration for more details.
- Authentication can be added, if configured, via OCIS_CACHE_AUTH_USERNAME and OCIS_CACHE_AUTH_PASSWORD.
- It is possible to set OCIS_CACHE_DISABLE_PERSISTENCE to instruct nats to not persist cache data on disc.

Event Bus Configuration

The Infinite Scale event bus can be configured by a set of environment variables.

In case of an orchestrated installation like with Docker or Kubernetes, the event bus must be an external service for scalability like a Redis Sentinel cluster or a key-value-store NATS JetStream. Both named stores are supported and also used in Caching and Persistence. The store used is not part of the Infinite Scale installation and must be separately provided and configured.
Note that from a configuration point of view, caching and persistence are independent of the event bus configuration.

Note that for each global environment variable, a service-based one might be available additionally. For precedences see Environment Variable Notes. Check the configuration section below.

Without the aim of completeness, see the list of environment variables to configure the event bus:

Envvar Description

Envvar	Description
`OCIS_EVENTS_ENDPOINT`	The address of the event system.
`OCIS_EVENTS_CLUSTER`	The clusterID of the event system. Mandatory when using NATS as event system.
`OCIS_EVENTS_ENABLE_TLS`	Enable TLS for the connection to the events broker.
`OCIS_INSECURE`	Whether to verify the server TLS certificates.
`OCIS_EVENTS_AUTH_USERNAME`	The username to authenticate with the events broker.
`OCIS_EVENTS_AUTH_PASSWORD`	The password to authenticate with the events broker.

OCIS_EVENTS_ENDPOINT

The address of the event system.

OCIS_EVENTS_CLUSTER

The clusterID of the event system. Mandatory when using NATS as event system.

OCIS_EVENTS_ENABLE_TLS

Enable TLS for the connection to the events broker.

OCIS_INSECURE

Whether to verify the server TLS certificates.

OCIS_EVENTS_AUTH_USERNAME

The username to authenticate with the events broker.

OCIS_EVENTS_AUTH_PASSWORD

The password to authenticate with the events broker.

Configuration

Environment Variables

The settings service is configured via the following environment variables. Read the Environment Variable Types documentation for important details. Column IV shows with which release the environment variable has been introduced.

master + Rolling 7.1.2

Environment variables for the settings service
Name	IV	Type	Default Value	Description
`OCIS_TRACING_ENABLED` `SETTINGS_TRACING_ENABLED`	pre5.0	bool	false	Activates tracing.
`OCIS_TRACING_TYPE` `SETTINGS_TRACING_TYPE`	pre5.0	string		The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.
`OCIS_TRACING_ENDPOINT` `SETTINGS_TRACING_ENDPOINT`	pre5.0	string		The endpoint of the tracing agent.
`OCIS_TRACING_COLLECTOR` `SETTINGS_TRACING_COLLECTOR`	pre5.0	string		The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.
`OCIS_LOG_LEVEL` `SETTINGS_LOG_LEVEL`	pre5.0	string		The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.
`OCIS_LOG_PRETTY` `SETTINGS_LOG_PRETTY`	pre5.0	bool	false	Activates pretty log output.
`OCIS_LOG_COLOR` `SETTINGS_LOG_COLOR`	pre5.0	bool	false	Activates colorized log output.
`OCIS_LOG_FILE` `SETTINGS_LOG_FILE`	pre5.0	string		The path to the log file. Activates logging to this file if set.
`SETTINGS_DEBUG_ADDR`	pre5.0	string	127.0.0.1:9194	Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.
`SETTINGS_DEBUG_TOKEN`	pre5.0	string		Token to secure the metrics endpoint.
`SETTINGS_DEBUG_PPROF`	pre5.0	bool	false	Enables pprof, which can be used for profiling.
`SETTINGS_DEBUG_ZPAGES`	pre5.0	bool	false	Enables zpages, which can be used for collecting and viewing in-memory traces.
`SETTINGS_HTTP_ADDR`	pre5.0	string	127.0.0.1:9190	The bind address of the HTTP service.
`OCIS_HTTP_TLS_ENABLED`	pre5.0	bool	false	Activates TLS for the http based services using the server certifcate and key configured via OCIS_HTTP_TLS_CERTIFICATE and OCIS_HTTP_TLS_KEY. If OCIS_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.
`OCIS_HTTP_TLS_CERTIFICATE`	pre5.0	string		Path/File name of the TLS server certificate (in PEM format) for the http services.
`OCIS_HTTP_TLS_KEY`	pre5.0	string		Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.
`SETTINGS_HTTP_ROOT`	pre5.0	string	/	Subdirectory that serves as the root for this HTTP service.
`OCIS_CORS_ALLOW_ORIGINS` `SETTINGS_CORS_ALLOW_ORIGINS`	pre5.0	[]string	[*]	A list of allowed CORS origins. See following chapter for more details: Access-Control-Allow-Origin at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.
`OCIS_CORS_ALLOW_METHODS` `SETTINGS_CORS_ALLOW_METHODS`	pre5.0	[]string	[GET POST PUT PATCH DELETE OPTIONS]	A list of allowed CORS methods. See following chapter for more details: Access-Control-Request-Method at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.
`OCIS_CORS_ALLOW_HEADERS` `SETTINGS_CORS_ALLOW_HEADERS`	pre5.0	[]string	[Authorization Origin Content-Type Accept X-Requested-With X-Request-Id]	A list of allowed CORS headers. See following chapter for more details: Access-Control-Request-Headers at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.
`OCIS_CORS_ALLOW_CREDENTIALS` `SETTINGS_CORS_ALLOW_CREDENTIALS`	pre5.0	bool	true	Allow credentials for CORS.See following chapter for more details: Access-Control-Allow-Credentials at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.
`SETTINGS_GRPC_ADDR`	pre5.0	string	127.0.0.1:9191	The bind address of the GRPC service.
`SETTINGS_STORAGE_GATEWAY_GRPC_ADDR` `STORAGE_GATEWAY_GRPC_ADDR`	pre5.0	string	com.owncloud.api.storage-system	GRPC address of the STORAGE-SYSTEM service.
`SETTINGS_STORAGE_GRPC_ADDR` `STORAGE_GRPC_ADDR`	pre5.0	string	com.owncloud.api.storage-system	GRPC address of the STORAGE-SYSTEM service.
`OCIS_SYSTEM_USER_ID` `SETTINGS_SYSTEM_USER_ID`	pre5.0	string		ID of the oCIS STORAGE-SYSTEM system user. Admins need to set the ID for the STORAGE-SYSTEM system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format.
`OCIS_SYSTEM_USER_IDP` `SETTINGS_SYSTEM_USER_IDP`	pre5.0	string	internal	IDP of the oCIS STORAGE-SYSTEM system user.
`OCIS_SYSTEM_USER_API_KEY`	pre5.0	string		API key for the STORAGE-SYSTEM system user.
`OCIS_CACHE_STORE` `SETTINGS_CACHE_STORE`	pre5.0	string	memory	The type of the cache store. Supported values are: 'memory', 'redis-sentinel', 'nats-js-kv', 'noop'. See the text description for details.
`OCIS_CACHE_STORE_NODES` `SETTINGS_CACHE_STORE_NODES`	pre5.0	[]string	[127.0.0.1:9233]	A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.
`OCIS_CACHE_DATABASE`	pre5.0	string	settings-cache	The database name the configured store should use.
`SETTINGS_FILE_CACHE_TABLE`	pre5.0	string	settings_files	The database table the store should use for the file cache.
`SETTINGS_DIRECTORY_CACHE_TABLE`	pre5.0	string	settings_dirs	The database table the store should use for the directory cache.
`OCIS_CACHE_TTL` `SETTINGS_CACHE_TTL`	pre5.0	Duration	10m0s	Default time to live for entries in the cache. Only applied when access tokens has no expiration. See the Environment Variable Types description for more details.
`OCIS_CACHE_DISABLE_PERSISTENCE` `SETTINGS_CACHE_DISABLE_PERSISTENCE`	5.0	bool	false	Disables persistence of the cache. Only applies when store type 'nats-js-kv' is configured. Defaults to false.
`OCIS_CACHE_AUTH_USERNAME` `SETTINGS_CACHE_AUTH_USERNAME`	5.0	string		The username to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured.
`OCIS_CACHE_AUTH_PASSWORD` `SETTINGS_CACHE_AUTH_PASSWORD`	5.0	string		The password to authenticate with the cache. Only applies when store type 'nats-js-kv' is configured.
`SETTINGS_BUNDLES_PATH`	pre5.0	string		The path to a JSON file with a list of bundles. If not defined, the default bundles will be loaded.
`OCIS_ADMIN_USER_ID` `SETTINGS_ADMIN_USER_ID`	pre5.0	string		ID of the user that should receive admin privileges. Consider that the UUID can be encoded in some LDAP deployment configurations like in .ldif files. These need to be decoded beforehand.
`OCIS_JWT_SECRET` `SETTINGS_JWT_SECRET`	pre5.0	string		The secret to mint and validate jwt tokens.
`SETTINGS_SETUP_DEFAULT_ASSIGNMENTS` `IDM_CREATE_DEMO_USERS`	pre5.0	bool	false	The default role assignments the demo users should be setup.
`SETTINGS_SERVICE_ACCOUNT_IDS` `OCIS_SERVICE_ACCOUNT_ID`	5.0	[]string	[service-user-id]	The list of all service account IDs. These will be assigned the hidden 'service-account' role. Note: When using 'OCIS_SERVICE_ACCOUNT_ID' this will contain only one value while 'SETTINGS_SERVICE_ACCOUNT_IDS' can have multiple. See the 'auth-service' service description for more details about service accounts.
`OCIS_DEFAULT_LANGUAGE`	5.0	string		The default language used by services and the WebUI. If not defined, English will be used as default. See the documentation for more details.
`OCIS_TRANSLATION_PATH` `SETTINGS_TRANSLATION_PATH`	7.1	string		(optional) Set this to a path with custom translations to overwrite the builtin translations. Note that file and folder naming rules apply, see the documentation for more details.

YAML Example

Note the file shown below must be renamed and placed in the correct folder according to the Configuration File Naming conventions to be effective.
See the Notes for Environment Variables if you want to use environment variables in the yaml file.

master + Rolling 7.1.2

# Autogenerated
# Filename: settings-config-example.yaml

tracing:
  enabled: false
  type: ""
  endpoint: ""
  collector: ""
log:
  level: ""
  pretty: false
  color: false
  file: ""
debug:
  addr: 127.0.0.1:9194
  token: ""
  pprof: false
  zpages: false
http:
  addr: 127.0.0.1:9190
  tls:
    enabled: false
    cert: ""
    key: ""
  root: /
  cors:
    allow_origins:
    - '*'
    allow_methods:
    - GET
    - POST
    - PUT
    - PATCH
    - DELETE
    - OPTIONS
    allow_headers:
    - Authorization
    - Origin
    - Content-Type
    - Accept
    - X-Requested-With
    - X-Request-Id
    allow_credentials: true
grpc:
  addr: 127.0.0.1:9191
  tls: null
grpc_client_tls: null
metadata_config:
  gateway_addr: com.owncloud.api.storage-system
  storage_addr: com.owncloud.api.storage-system
  system_user_id: ""
  system_user_idp: internal
  system_user_api_key: ""
  cache:
    store: memory
    addresses:
    - 127.0.0.1:9233
    database: settings-cache
    files_table: settings_files
    directories_table: settings_dirs
    ttl: 10m0s
    disable_persistence: false
    username: ""
    password: ""
bundles_path: ""
admin_user_id: ""
token_manager:
  jwt_secret: ""
set_default_assignments: false
service_account_ids:
- service-user-id
default_language: ""
translation_path: ""