Sharing Service Configuration

Introduction

The Infinite Scale Sharing service

Default Values

  • Sharing listens on port 9150 by default.

Passwords

For details on password management see the Passwords documentation.

Event Bus Configuration

The Infinite Scale event bus can be configured by a set of environment variables.

  • If you are using a binary installation as described in Minimal Bare Metal Deployment or Bare Metal with systemd, the address of the event bus OCIS_EVENTS_ENDPOINT is predefined as a localhost address, so no further configuration is needed, but it can be changed on demand.

  • In case of an orchestrated installation like with Docker or Kubernetes, the event bus must be an external service for scalability, such as a Redis Sentinel cluster or the key-value store NATS JetStream. Both named stores are supported and are also used in Caching and Persistence. The store used is not part of the Infinite Scale installation and must be provided and configured separately.

  • Note that from a configuration point of view, caching and persistence are independent of the event bus configuration.

Note that for each global environment variable, a service-specific one might additionally be available. For precedences see Environment Variable Notes, and check the configuration section below.

The following list, which does not claim completeness, shows the environment variables used to configure the event bus:

Envvar Description

OCIS_EVENTS_ENDPOINT

The address of the event system.

OCIS_EVENTS_CLUSTER

The clusterID of the event system. Mandatory when using NATS as event system.

OCIS_EVENTS_ENABLE_TLS

Enable TLS for the connection to the events broker.

OCIS_INSECURE

Whether to verify the server TLS certificates.

OCIS_EVENTS_AUTH_USERNAME

The username to authenticate with the events broker.

OCIS_EVENTS_AUTH_PASSWORD

The password to authenticate with the events broker.
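The settings above decide whether the sharing service talks to its broker encrypted, with a verified certificate and with credentials. The following added example (not part of the oCIS documentation or code) audits a set of these variables as an operator would find them in a container environment; it assumes that a service-scoped SHARING_EVENTS_* variable overrides its global OCIS_ counterpart, and that a configured root CA certificate makes the insecure flag irrelevant, as the configuration table states.

```python
"""Audit the event-bus settings the sharing service would use (added example,
not oCIS code). Reads the variables above from a dict shaped like os.environ
and reports combinations that leave the broker connection unencrypted,
unverified or unauthenticated. Service-scoped variables are assumed to win."""

TRUE_VALUES = {"1", "true", "yes", "on"}
LOCAL_HOSTS = {"127.0.0.1", "localhost", "::1", "[::1]"}


def _get(env, service_key, global_key, default=""):
    """Service-scoped variable wins over the global one (assumed precedence)."""
    return env.get(service_key, env.get(global_key, default))


def audit_events_config(env):
    """Return a list of findings; an empty list means nothing to report."""
    endpoint = _get(env, "SHARING_EVENTS_ENDPOINT", "OCIS_EVENTS_ENDPOINT", "127.0.0.1:9233")
    enable_tls = _get(env, "SHARING_EVENTS_ENABLE_TLS", "OCIS_EVENTS_ENABLE_TLS").lower() in TRUE_VALUES
    insecure = _get(env, "SHARING_EVENTS_TLS_INSECURE", "OCIS_INSECURE").lower() in TRUE_VALUES
    root_ca = _get(env, "SHARING_EVENTS_TLS_ROOT_CA_CERTIFICATE", "OCIS_EVENTS_TLS_ROOT_CA_CERTIFICATE")
    username = _get(env, "SHARING_EVENTS_AUTH_USERNAME", "OCIS_EVENTS_AUTH_USERNAME")
    password = _get(env, "SHARING_EVENTS_AUTH_PASSWORD", "OCIS_EVENTS_AUTH_PASSWORD")

    remote = endpoint.rsplit(":", 1)[0] not in LOCAL_HOSTS
    findings = []
    if remote and not enable_tls:
        findings.append("remote event bus without TLS: set OCIS_EVENTS_ENABLE_TLS=true")
    # A configured root CA overrides the insecure flag (see the configuration table).
    if enable_tls and insecure and not root_ca:
        findings.append("certificate verification disabled: unset OCIS_INSECURE or set a root CA")
    if remote and not (username and password):
        findings.append("remote event bus without credentials: set OCIS_EVENTS_AUTH_USERNAME/PASSWORD")
    return findings


# Constructed sample environments: a weak container setup and its hardened counterpart.
WEAK_ENV = {"OCIS_EVENTS_ENDPOINT": "nats.internal.example:4222", "OCIS_INSECURE": "true"}
HARDENED_ENV = {
    "OCIS_EVENTS_ENDPOINT": "nats.internal.example:4222",
    "OCIS_EVENTS_ENABLE_TLS": "true",
    "OCIS_EVENTS_TLS_ROOT_CA_CERTIFICATE": "/etc/ocis/nats-ca.pem",  # placeholder path
    "OCIS_EVENTS_AUTH_USERNAME": "ocis",
    "OCIS_EVENTS_AUTH_PASSWORD": "<broker password from the secret store>",
}

if __name__ == "__main__":
    for name, env in (("weak", WEAK_ENV), ("hardened", HARDENED_ENV)):
        print(name, audit_events_config(env) or ["ok"])
```

Running it against the real process environment is a matter of passing `dict(os.environ)` instead of the constructed samples.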

Configuration

Environment Variables

The sharing service is configured via the following environment variables. Read the Environment Variable Types documentation for important details. Column IV shows the release with which the environment variable was introduced.

  • master + Rolling 6.6.1

Environment variables for the sharing service
Name IV Type Default Value Description

OCIS_TRACING_ENABLED
SHARING_TRACING_ENABLED

pre5.0

bool

false

Activates tracing.

OCIS_TRACING_TYPE
SHARING_TRACING_TYPE

pre5.0

string

The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.

OCIS_TRACING_ENDPOINT
SHARING_TRACING_ENDPOINT

pre5.0

string

The endpoint of the tracing agent.

OCIS_TRACING_COLLECTOR
SHARING_TRACING_COLLECTOR

pre5.0

string

The HTTP endpoint for sending spans directly to a collector, e.g. http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.

OCIS_LOG_LEVEL
SHARING_LOG_LEVEL

pre5.0

string

The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.

OCIS_LOG_PRETTY
SHARING_LOG_PRETTY

pre5.0

bool

false

Activates pretty log output.

OCIS_LOG_COLOR
SHARING_LOG_COLOR

pre5.0

bool

false

Activates colorized log output.

OCIS_LOG_FILE
SHARING_LOG_FILE

pre5.0

string

The path to the log file. Activates logging to this file if set.

SHARING_DEBUG_ADDR

pre5.0

string

127.0.0.1:9151

Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.

SHARING_DEBUG_TOKEN

pre5.0

string

Token to secure the metrics endpoint.

SHARING_DEBUG_PPROF

pre5.0

bool

false

Enables pprof, which can be used for profiling.

SHARING_DEBUG_ZPAGES

pre5.0

bool

false

Enables zpages, which can be used for collecting and viewing in-memory traces.

SHARING_GRPC_ADDR

pre5.0

string

127.0.0.1:9150

The bind address of the GRPC service.

OCIS_GRPC_PROTOCOL
SHARING_GRPC_PROTOCOL

pre5.0

string

tcp

The transport protocol of the GRPC service.

OCIS_JWT_SECRET
SHARING_JWT_SECRET

pre5.0

string

The secret to mint and validate jwt tokens.

OCIS_REVA_GATEWAY

pre5.0

string

com.owncloud.api.gateway

The CS3 gateway endpoint.

OCIS_GRPC_CLIENT_TLS_MODE

pre5.0

string

TLS mode for the grpc connection to the go-micro based grpc services. Possible values are 'off', 'insecure' and 'on'. 'off' disables transport security for the clients. 'insecure' allows using transport security, but disables certificate verification (to be used with the autogenerated self-signed certificates). 'on' enables transport security, including server certificate verification.

OCIS_GRPC_CLIENT_TLS_CACERT

pre5.0

string

Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the go-micro based grpc services.

OCIS_EVENTS_ENDPOINT
SHARING_EVENTS_ENDPOINT

pre5.0

string

127.0.0.1:9233

The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.

OCIS_EVENTS_CLUSTER
SHARING_EVENTS_CLUSTER

pre5.0

string

ocis-cluster

The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.

OCIS_INSECURE
SHARING_EVENTS_TLS_INSECURE

pre5.0

bool

false

Whether to verify the server TLS certificates.

OCIS_EVENTS_TLS_ROOT_CA_CERTIFICATE
SHARING_EVENTS_TLS_ROOT_CA_CERTIFICATE

pre5.0

string

The root CA certificate used to validate the server’s TLS certificate. If provided, SHARING_EVENTS_TLS_INSECURE is treated as false.

OCIS_EVENTS_ENABLE_TLS
SHARING_EVENTS_ENABLE_TLS

pre5.0

bool

false

Enable TLS for the connection to the events broker. The events broker is the ocis service which receives and delivers events between the services.

OCIS_EVENTS_AUTH_USERNAME
SHARING_EVENTS_AUTH_USERNAME

5.0

string

Username for the events broker.

OCIS_EVENTS_AUTH_PASSWORD
SHARING_EVENTS_AUTH_PASSWORD

5.0

string

Password for the events broker.

SHARING_SKIP_USER_GROUPS_IN_TOKEN

pre5.0

bool

false

Disables the loading of user’s group memberships from the reva access token.

SHARING_USER_DRIVER

pre5.0

string

jsoncs3

Driver to be used to persist shares. Supported values are 'jsoncs3', 'json', 'cs3' (deprecated) and 'owncloudsql'.

SHARING_USER_JSONCS3_PROVIDER_ADDR

pre5.0

string

com.owncloud.api.storage-system

GRPC address of the STORAGE-SYSTEM service.

OCIS_SYSTEM_USER_ID
SHARING_USER_JSONCS3_SYSTEM_USER_ID

pre5.0

string

ID of the oCIS STORAGE-SYSTEM system user. Admins need to set the ID for the STORAGE-SYSTEM system user in this config option, which is then used to reference the user. Any reasonably long string is possible; preferably this would be in UUIDv4 format.

OCIS_SYSTEM_USER_IDP
SHARING_USER_JSONCS3_SYSTEM_USER_IDP

pre5.0

string

internal

IDP of the oCIS STORAGE-SYSTEM system user.

OCIS_SYSTEM_USER_API_KEY
SHARING_USER_JSONCS3_SYSTEM_USER_API_KEY

pre5.0

string

API key for the STORAGE-SYSTEM system user.

SHARING_USER_JSONCS3_CACHE_TTL

pre5.0

int

0

TTL for the internal caches in seconds.

OCIS_MAX_CONCURRENCY
SHARING_USER_JSONCS3_MAX_CONCURRENCY

7.0.0

int

1

Maximum number of concurrent go-routines. Higher values can potentially get work done faster but will also cause more load on the system. Values of 0 or below will be ignored and the default value will be used.

SHARING_USER_JSON_FILE

pre5.0

string

/var/lib/ocis/storage/shares.json

Path to the JSON file where shares will be persisted. If not defined, the root directory derives from $OCIS_BASE_DATA_PATH/storage.

SHARING_USER_CS3_PROVIDER_ADDR

pre5.0

string

com.owncloud.api.storage-system

GRPC address of the STORAGE-SYSTEM service.

OCIS_SYSTEM_USER_ID
SHARING_USER_CS3_SYSTEM_USER_ID

pre5.0

string

ID of the oCIS STORAGE-SYSTEM system user. Admins need to set the ID for the STORAGE-SYSTEM system user in this config option, which is then used to reference the user. Any reasonably long string is possible; preferably this would be in UUIDv4 format.

OCIS_SYSTEM_USER_IDP
SHARING_USER_CS3_SYSTEM_USER_IDP

pre5.0

string

internal

IDP of the oCIS STORAGE-SYSTEM system user.

OCIS_SYSTEM_USER_API_KEY
SHARING_USER_CS3_SYSTEM_USER_API_KEY

pre5.0

string

API key for the STORAGE-SYSTEM system user.

SHARING_USER_OWNCLOUDSQL_DB_USERNAME

pre5.0

string

owncloud

Username for the database.

SHARING_USER_OWNCLOUDSQL_DB_PASSWORD

pre5.0

string

Password for the database.

SHARING_USER_OWNCLOUDSQL_DB_HOST

pre5.0

string

mysql

Hostname or IP of the database server.

SHARING_USER_OWNCLOUDSQL_DB_PORT

pre5.0

int

3306

Port that the database server is listening on.

SHARING_USER_OWNCLOUDSQL_DB_NAME

pre5.0

string

owncloud

Name of the database to be used.

SHARING_USER_OWNCLOUDSQL_USER_STORAGE_MOUNT_ID

pre5.0

string

Mount ID of the ownCloudSQL users storage for mapping ownCloud 10 shares.

SHARING_PUBLIC_DRIVER

pre5.0

string

jsoncs3

Driver to be used to persist public shares. Supported values are 'jsoncs3', 'json' and 'cs3' (deprecated).

SHARING_PUBLIC_JSON_FILE

pre5.0

string

/var/lib/ocis/storage/publicshares.json

Path to the JSON file where public share meta-data will be stored. This JSON file contains the information about public shares that have been created. If not defined, the root directory derives from $OCIS_BASE_DATA_PATH/storage.

SHARING_PUBLIC_JSONCS3_PROVIDER_ADDR

pre5.0

string

com.owncloud.api.storage-system

GRPC address of the STORAGE-SYSTEM service.

OCIS_SYSTEM_USER_ID
SHARING_PUBLIC_JSONCS3_SYSTEM_USER_ID

pre5.0

string

ID of the oCIS STORAGE-SYSTEM system user. Admins need to set the ID for the STORAGE-SYSTEM system user in this config option, which is then used to reference the user. Any reasonably long string is possible; preferably this would be in UUIDv4 format.

OCIS_SYSTEM_USER_IDP
SHARING_PUBLIC_JSONCS3_SYSTEM_USER_IDP

pre5.0

string

internal

IDP of the oCIS STORAGE-SYSTEM system user.

OCIS_SYSTEM_USER_API_KEY
SHARING_PUBLIC_JSONCS3_SYSTEM_USER_API_KEY

pre5.0

string

API key for the STORAGE-SYSTEM system user.

SHARING_PUBLIC_CS3_PROVIDER_ADDR

pre5.0

string

com.owncloud.api.storage-system

GRPC address of the STORAGE-SYSTEM service.

OCIS_SYSTEM_USER_ID
SHARING_PUBLIC_CS3_SYSTEM_USER_ID

pre5.0

string

ID of the oCIS STORAGE-SYSTEM system user. Admins need to set the ID for the STORAGE-SYSTEM system user in this config option, which is then used to reference the user. Any reasonably long string is possible; preferably this would be in UUIDv4 format.

OCIS_SYSTEM_USER_IDP
SHARING_PUBLIC_CS3_SYSTEM_USER_IDP

pre5.0

string

internal

IDP of the oCIS STORAGE-SYSTEM system user.

OCIS_SYSTEM_USER_API_KEY
SHARING_PUBLIC_CS3_SYSTEM_USER_API_KEY

pre5.0

string

API key for the STORAGE-SYSTEM system user.

OCIS_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD
SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD

5.0

bool

false

Set this to true if you want to enforce passwords on Uploader, Editor or Contributor shares. If you are not using the global OCIS_SHARING_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD, you must define FRONTEND_OCS_PUBLIC_WRITEABLE_SHARE_MUST_HAVE_PASSWORD (deprecated) in the frontend service.

OCIS_SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD
SHARING_PUBLIC_SHARE_MUST_HAVE_PASSWORD

5.0

bool

true

Set this to true if you want to enforce passwords on all public shares.

OCIS_PASSWORD_POLICY_DISABLED
SHARING_PASSWORD_POLICY_DISABLED

5.0

bool

false

Disable the password policy. Defaults to false if not set.

OCIS_PASSWORD_POLICY_MIN_CHARACTERS
SHARING_PASSWORD_POLICY_MIN_CHARACTERS

5.0

int

8

Define the minimum password length. Defaults to 8 if not set.

OCIS_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS
SHARING_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS

5.0

int

1

Define the minimum number of lowercase letters. Defaults to 1 if not set.

OCIS_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS
SHARING_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS

5.0

int

1

Define the minimum number of uppercase letters. Defaults to 1 if not set.

OCIS_PASSWORD_POLICY_MIN_DIGITS
SHARING_PASSWORD_POLICY_MIN_DIGITS

5.0

int

1

Define the minimum number of digits. Defaults to 1 if not set.

OCIS_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS
SHARING_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS

5.0

int

1

Define the minimum number of characters from the special characters list to be present. Defaults to 1 if not set.

OCIS_PASSWORD_POLICY_BANNED_PASSWORDS_LIST
SHARING_PASSWORD_POLICY_BANNED_PASSWORDS_LIST

5.0

string

Path to the 'banned passwords list' file. This only impacts public link password validation. See the documentation for more details.
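The password policy variables above, applied to candidate public link passwords as an added example (not oCIS code), so an administrator can see what the configured defaults accept or reject. The special character set (Python's string.punctuation) and the banned-list file format (one password per line) are assumptions, since the page does not define them.

```python
"""Apply the *_PASSWORD_POLICY_* rules above to a candidate public link password.
Added example, not oCIS code. Defaults match the table; the special character
set and the banned-list file format (one entry per line) are assumptions."""
import string
from dataclasses import dataclass

SPECIAL_CHARACTERS = frozenset(string.punctuation)  # assumed "special characters list"


@dataclass(frozen=True)
class PasswordPolicy:
    disabled: bool = False              # OCIS_PASSWORD_POLICY_DISABLED
    min_characters: int = 8             # OCIS_PASSWORD_POLICY_MIN_CHARACTERS
    min_lowercase: int = 1              # OCIS_PASSWORD_POLICY_MIN_LOWERCASE_CHARACTERS
    min_uppercase: int = 1              # OCIS_PASSWORD_POLICY_MIN_UPPERCASE_CHARACTERS
    min_digits: int = 1                 # OCIS_PASSWORD_POLICY_MIN_DIGITS
    min_special: int = 1                # OCIS_PASSWORD_POLICY_MIN_SPECIAL_CHARACTERS
    banned: frozenset = frozenset()     # contents of OCIS_PASSWORD_POLICY_BANNED_PASSWORDS_LIST


def load_banned_list(text):
    """Parse the banned passwords file; assumed format is one password per line."""
    return frozenset(line.strip() for line in text.splitlines() if line.strip())


def validate(password, policy=PasswordPolicy()):
    """Return the violated rules; an empty list means the password is accepted."""
    if policy.disabled:
        return []
    checks = [
        (len(password), policy.min_characters, "characters"),
        (sum(c.islower() for c in password), policy.min_lowercase, "lowercase letters"),
        (sum(c.isupper() for c in password), policy.min_uppercase, "uppercase letters"),
        (sum(c.isdigit() for c in password), policy.min_digits, "digits"),
        (sum(c in SPECIAL_CHARACTERS for c in password), policy.min_special, "special characters"),
    ]
    problems = [f"at least {need} {what} required" for have, need, what in checks if have < need]
    if password in policy.banned:
        problems.append("password is on the banned list")
    return problems


# Constructed sample banned list, standing in for the file behind *_BANNED_PASSWORDS_LIST.
BANNED_LIST_TEXT = "Password1!\nWelcome2024!\n"
POLICY = PasswordPolicy(banned=load_banned_list(BANNED_LIST_TEXT))

if __name__ == "__main__":
    for candidate in ("Tr0ub4dor&3", "Password1!", "short1!"):
        print(candidate, validate(candidate, POLICY) or ["accepted"])
```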

YAML Example


# Autogenerated
# Filename: sharing-config-example.yaml

tracing:
  enabled: false
  type: ""
  endpoint: ""
  collector: ""
log:
  level: ""
  pretty: false
  color: false
  file: ""
debug:
  addr: 127.0.0.1:9151
  token: ""
  pprof: false
  zpages: false
grpc:
  addr: 127.0.0.1:9150
  tls: null
  protocol: tcp
token_manager:
  jwt_secret: ""
reva:
  address: com.owncloud.api.gateway
  tls:
    mode: ""
    cacert: ""
events:
  endpoint: 127.0.0.1:9233
  cluster: ocis-cluster
  tls_insecure: false
  tls_root_ca_cert_path: ""
  enable_tls: false
  auth_username: ""
  auth_password: ""
skip_user_groups_in_token: false
user_sharing_driver: jsoncs3
user_sharing_drivers:
  jsoncs3:
    provider_addr: com.owncloud.api.storage-system
    system_user_id: ""
    system_user_idp: internal
    system_user_api_key: ""
    cache_ttl: 0
    max_concurrency: 1
  json:
    file: /var/lib/ocis/storage/shares.json
  cs3:
    provider_addr: com.owncloud.api.storage-system
    system_user_id: ""
    system_user_idp: internal
    system_user_api_key: ""
  owncloudsql:
    db_username: owncloud
    db_password: ""
    db_host: mysql
    db_port: 3306
    db_name: owncloud
    user_storage_mount_id: ""
public_sharing_driver: jsoncs3
public_sharing_drivers:
  json:
    file: /var/lib/ocis/storage/publicshares.json
  jsoncs3:
    provider_addr: com.owncloud.api.storage-system
    system_user_id: ""
    system_user_idp: internal
    system_user_api_key: ""
  cs3:
    provider_addr: com.owncloud.api.storage-system
    system_user_id: ""
    system_user_idp: internal
    system_user_api_key: ""
public_sharing_writeableshare_must_have_password: false
public_sharing_share_must_have_password: true
enable_expired_shares_cleanup: true
password_policy:
  min_characters: 8
  min_lowercase_characters: 1
  min_uppercase_characters: 1
  min_digits: 1
  min_special_characters: 1
  banned_passwords_list: ""