Userlog Service Configuration

Table of Contents

Introduction
Default Values
The Log Service Ecosystem
Prerequisites
Configuring Events
Retrieving
Subscribing
Posting
- Authentication
- Deprovisioning
Deleting
Translations
- Translation Rules
- Default Language
Storing
Event Bus Configuration
Configuration
- Environment Variables
- YAML Example

Introduction

The Infinite Scale userlog service is a mediator between the eventhistory service and clients who want to be informed about user-related events. It provides an API to retrieve those.

Default Values

The userlog service listens on port 9210 by default.

The Log Service Ecosystem

Log services like the activitylog, clientlog, sse and userlog are responsible for composing notifications for a certain audience.

Log services and their tasks
activitylog ¹	This service stores events per resource. These can be retrieved to show item activities.
clientlog	This service composes machine-readable messages, so clients can act without the need to query the server.
eventhistory	This service stores events and allows other services to retrieve them via an event ID.
sse	This service is only responsible for sending these messages. It does not care about their form or language.
userlog ²	This service translates and adjusts messages to be human-readable.

Log services and their tasks

activitylog ¹

This service stores events per resource. These can be retrieved to show item activities.

clientlog

This service composes machine-readable messages, so clients can act without the need to query the server.

eventhistory

This service stores events and allows other services to retrieve them via an event ID.

sse

This service is only responsible for sending these messages. It does not care about their form or language.

userlog ²

This service translates and adjusts messages to be human-readable.

Services may depend on each other:

The activitylog service requires the eventhistory service.
The userlog service is configured by default to use both the eventhistory and sse service. It can be configured to use both, the one, or the other.

Prerequisites

Running the userlog service without running the eventhistory service is not possible.

Configuring Events

Currently, the configuration which user-related events are of interest is hard-coded and cannot be changed.

Retrieving

The userlog service provides an API to retrieve configured events. For now, this API is mostly following the ownCloud Server notification GET API.

Subscribing

The userlog service provides an /sse (Server-Sent Events) endpoint to be informed by the server when an event happens. See What is Server-Sent Events for a simple introduction and examples to server-sent events. The sse endpoint will respect language changes of the user without needing to reconnect. Note that SSE have the limitation of six open connections per browser which can be reached if one has opened various tabs of the Web UI pointing to the same Infinite Scale instance.

Posting

The userlog service is able to store global messages that will be displayed in the Web UI to all users. If a user deletes the message in the Web UI, it reappears on reload. Global messages use the endpoint /ocs/v2.php/apps/notifications/api/v1/notifications/global and are activated by sending a POST request. Note that sending another POST request of the same type overwrites the previous one. For the time being, only the type deprovision is supported.

Authentication

POST and DELETE endpoints provide notifications to all users. Therefore only certain users can configure them. Two authentication methods for this endpoint are provided:

Users with the admin role can always access these endpoints.
Additionally, a static secret via the USERLOG_GLOBAL_NOTIFICATIONS_SECRET can be defined to enable access for users knowing this secret, which has to be sent with the header containing the request.

Deprovisioning

Deprovision messages announce a deprovision text including a deprovision date of the instance to all users. With this message, users get informed that the instance will be shut down and deprovisioned and no further access to their data is possible past the given date. This implies that users must download their data before the given date. The text shown to users refers to this information. Note that the task to deprovision the instance does not depend on the message. The text of the message can be translated according to the translation settings, see section Translations. The endpoint only expects a deprovision_date parameter in the POST request body as the final text is assembled automatically. The string hast to be in RFC3339 format, however, this format can be changed by using deprovision_date_format. See the go time formating for more details.

Also see the GRAPH_LDAP_SCHOOL_TERMINATION_MIN_GRACE_DAYS environment variable for an additional configuration parameter.

Deleting

To delete events for an user, use a DELETE request to:
https://<your-ocis-instance>/ocs/v2.php/apps/notifications/api/v1/notification
containing the IDs to delete.
Sending a DELETE request to the global endpoint:
https://<your-ocis-instance>/ocs/v2.php/apps/notifications/api/v1/notifications/global
to remove a global message is a restricted action, see the Authentication section for more details.

Translations

The userlog service has embedded translations sourced via transifex to provide a basic set of translated languages. These embedded translations are available for all deployment scenarios. In addition, the service supports custom translations, though it is currently not possible to just add custom translations to embedded ones. If custom translations are configured, the embedded ones are not used. To configure custom translations, the USERLOG_TRANSLATION_PATH environment variable needs to point to a base folder that will contain the translation files. This path must be available from all instances of the userlog service, a shared storage is recommended. Translation files must be of type .po or .mo. For each language, the filename needs to be userlog.po (or userlog.mo) and stored in a folder structure defining the language code. In general the path/name pattern for a translation file needs to be:

{USERLOG_TRANSLATION_PATH}/{language-code}/LC_MESSAGES/userlog.po

The language code pattern is composed of language[_territory] where language is the base language and _territory is optional and defines a country.

For example, for the language de, one needs to place the corresponding translation files to

{USERLOG_TRANSLATION_PATH}/de/LC_MESSAGES/userlog.po

For the time being, the embedded ownCloud Web frontend only supports the main language code but does not handle any territory. When strings are available in the language code language_territory, the web frontend does not see it as it only requests language. In consequence, any translations made must exist in the requested language to avoid a fallback to the default.

Translation Rules

If a requested language code is not available, the service tries to fall back to the base language if available. For example, if the requested language-code de_DE is not available, the service tries to fall back to translations in the de folder.
If the base language de is also not available, the service falls back to the system’s default English (en), which is the source of the texts provided by the code.

Default Language

The default language can be defined via the OCIS_DEFAULT_LANGUAGE environment variable. See the settings service for a detailed description.

Storing

The userlog service can use a configured store via the global OCIS_PERSISTENT_STORE environment variable.

Note that for each global environment variable, an independent service-based one might be available additionally. For precedences see Environment Variable Notes. Check the configuration section below. Supported stores are:

Store Type Description

Store Type	Description
`memory`	Basic in-memory store. Will not survive a restart. Usually the default for caches. See the store environment variable for which one is used.
`nats-js-kv`	Stores data using key-value-store feature of NATS JetStream. Usually the default for stores, see the store environment variable for which one is used.
`redis-sentinel`	Stores data in a configured Redis Sentinel cluster.
`noop`	Stores nothing. Useful for testing. Not recommended in production environments.

memory

Basic in-memory store. Will not survive a restart.
Usually the default for caches. See the store environment variable for which one is used.

nats-js-kv

Stores data using key-value-store feature of NATS JetStream.
Usually the default for stores, see the store environment variable for which one is used.

redis-sentinel

Stores data in a configured Redis Sentinel cluster.

noop

Stores nothing. Useful for testing. Not recommended in production environments.

The userlog service can only be scaled if not using the memory store and the stores are configured identically over all instances!

If you have used one of the deprecated stores of a former version, you should reconfigure to use one of the supported ones as the deprecated stores will be removed in a later version.

Store specific notes

When using redis-sentinel:
The Redis master to use is configured via e.g. OCIS_PERSISTENT_STORE_NODES in the form of <sentinel-host>:<sentinel-port>/<redis-master> like 10.10.0.200:26379/mymaster.
When using nats-js-kv:
- It is recommended to set OCIS_PERSISTENT_STORE_NODES to the same value as OCIS_EVENTS_ENDPOINT. That way the cache uses the same nats instance as the event bus. See the Event Bus Configuration for more details.
- Authentication can be added, if configured, via OCIS_CACHE_AUTH_USERNAME and OCIS_CACHE_AUTH_PASSWORD.
- It is possible to set OCIS_CACHE_DISABLE_PERSISTENCE to instruct nats to not persist cache data on disc.

Event Bus Configuration

The Infinite Scale event bus can be configured by a set of environment variables.

In case of an orchestrated installation like with Docker or Kubernetes, the event bus must be an external service for scalability like a Redis Sentinel cluster or a key-value-store NATS JetStream. Both named stores are supported and also used in Caching and Persistence. The store used is not part of the Infinite Scale installation and must be separately provided and configured.
Note that from a configuration point of view, caching and persistence are independent of the event bus configuration.

Note that for each global environment variable, a service-based one might be available additionally. For precedences see Environment Variable Notes. Check the configuration section below.

Without the aim of completeness, see the list of environment variables to configure the event bus:

Envvar Description

Envvar	Description
`OCIS_EVENTS_ENDPOINT`	The address of the event system.
`OCIS_EVENTS_CLUSTER`	The clusterID of the event system. Mandatory when using NATS as event system.
`OCIS_EVENTS_ENABLE_TLS`	Enable TLS for the connection to the events broker.
`OCIS_INSECURE`	Whether to verify the server TLS certificates.
`OCIS_EVENTS_AUTH_USERNAME`	The username to authenticate with the events broker.
`OCIS_EVENTS_AUTH_PASSWORD`	The password to authenticate with the events broker.

OCIS_EVENTS_ENDPOINT

The address of the event system.

OCIS_EVENTS_CLUSTER

The clusterID of the event system. Mandatory when using NATS as event system.

OCIS_EVENTS_ENABLE_TLS

Enable TLS for the connection to the events broker.

OCIS_INSECURE

Whether to verify the server TLS certificates.

OCIS_EVENTS_AUTH_USERNAME

The username to authenticate with the events broker.

OCIS_EVENTS_AUTH_PASSWORD

The password to authenticate with the events broker.

Configuration

Environment Variables

The userlog service is configured via the following environment variables. Read the Environment Variable Types documentation for important details. Column IV shows with which release the environment variable has been introduced.

master + Rolling 7.1.2

Environment variables for the userlog service
Name	IV	Type	Default Value	Description
`OCIS_TRACING_ENABLED` `USERLOG_TRACING_ENABLED`	pre5.0	bool	false	Activates tracing.
`OCIS_TRACING_TYPE` `USERLOG_TRACING_TYPE`	pre5.0	string		The type of tracing. Defaults to '', which is the same as 'jaeger'. Allowed tracing types are 'jaeger' and '' as of now.
`OCIS_TRACING_ENDPOINT` `USERLOG_TRACING_ENDPOINT`	pre5.0	string		The endpoint of the tracing agent.
`OCIS_TRACING_COLLECTOR` `USERLOG_TRACING_COLLECTOR`	pre5.0	string		The HTTP endpoint for sending spans directly to a collector, i.e. http://jaeger-collector:14268/api/traces. Only used if the tracing endpoint is unset.
`OCIS_LOG_LEVEL` `USERLOG_LOG_LEVEL`	pre5.0	string		The log level. Valid values are: 'panic', 'fatal', 'error', 'warn', 'info', 'debug', 'trace'.
`OCIS_LOG_PRETTY` `USERLOG_LOG_PRETTY`	pre5.0	bool	false	Activates pretty log output.
`OCIS_LOG_COLOR` `USERLOG_LOG_COLOR`	pre5.0	bool	false	Activates colorized log output.
`OCIS_LOG_FILE` `USERLOG_LOG_FILE`	pre5.0	string		The path to the log file. Activates logging to this file if set.
`USERLOG_DEBUG_ADDR`	pre5.0	string	127.0.0.1:9214	Bind address of the debug server, where metrics, health, config and debug endpoints will be exposed.
`USERLOG_DEBUG_TOKEN`	pre5.0	string		Token to secure the metrics endpoint.
`USERLOG_DEBUG_PPROF`	pre5.0	bool	false	Enables pprof, which can be used for profiling.
`USERLOG_DEBUG_ZPAGES`	pre5.0	bool	false	Enables zpages, which can be used for collecting and viewing in-memory traces.
`USERLOG_HTTP_ADDR`	pre5.0	string	127.0.0.1:9210	The bind address of the HTTP service.
`USERLOG_HTTP_ROOT`	pre5.0	string	/	Subdirectory that serves as the root for this HTTP service.
`OCIS_CORS_ALLOW_ORIGINS` `USERLOG_CORS_ALLOW_ORIGINS`	pre5.0	[]string	[*]	A list of allowed CORS origins. See following chapter for more details: Access-Control-Allow-Origin at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin. See the Environment Variable Types description for more details.
`OCIS_CORS_ALLOW_METHODS` `USERLOG_CORS_ALLOW_METHODS`	pre5.0	[]string	[GET]	A list of allowed CORS methods. See following chapter for more details: Access-Control-Request-Method at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method. See the Environment Variable Types description for more details.
`OCIS_CORS_ALLOW_HEADERS` `USERLOG_CORS_ALLOW_HEADERS`	pre5.0	[]string	[Authorization Origin Content-Type Accept X-Requested-With X-Request-Id Ocs-Apirequest]	A list of allowed CORS headers. See following chapter for more details: Access-Control-Request-Headers at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. See the Environment Variable Types description for more details.
`OCIS_CORS_ALLOW_CREDENTIALS` `USERLOG_CORS_ALLOW_CREDENTIALS`	pre5.0	bool	true	Allow credentials for CORS.See following chapter for more details: Access-Control-Allow-Credentials at https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Credentials.
`OCIS_HTTP_TLS_ENABLED`	pre5.0	bool	false	Activates TLS for the http based services using the server certifcate and key configured via OCIS_HTTP_TLS_CERTIFICATE and OCIS_HTTP_TLS_KEY. If OCIS_HTTP_TLS_CERTIFICATE is not set a temporary server certificate is generated - to be used with PROXY_INSECURE_BACKEND=true.
`OCIS_HTTP_TLS_CERTIFICATE`	pre5.0	string		Path/File name of the TLS server certificate (in PEM format) for the http services.
`OCIS_HTTP_TLS_KEY`	pre5.0	string		Path/File name for the TLS certificate key (in PEM format) for the server certificate to use for the http services.
`OCIS_JWT_SECRET` `USERLOG_JWT_SECRET`	pre5.0	string		The secret to mint and validate jwt tokens.
`OCIS_REVA_GATEWAY`	pre5.0	string	com.owncloud.api.gateway	CS3 gateway used to look up user metadata
`OCIS_TRANSLATION_PATH` `USERLOG_TRANSLATION_PATH`	pre5.0	string		(optional) Set this to a path with custom translations to overwrite the builtin translations. Note that file and folder naming rules apply, see the documentation for more details.
`OCIS_DEFAULT_LANGUAGE`	5.0	string		The default language used by services and the WebUI. If not defined, English will be used as default. See the documentation for more details.
`OCIS_EVENTS_ENDPOINT` `USERLOG_EVENTS_ENDPOINT`	pre5.0	string	127.0.0.1:9233	The address of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture.
`OCIS_EVENTS_CLUSTER` `USERLOG_EVENTS_CLUSTER`	pre5.0	string	ocis-cluster	The clusterID of the event system. The event system is the message queuing service. It is used as message broker for the microservice architecture. Mandatory when using NATS as event system.
`OCIS_INSECURE` `USERLOG_EVENTS_TLS_INSECURE`	pre5.0	bool	false	Whether to verify the server TLS certificates.
`OCIS_EVENTS_TLS_ROOT_CA_CERTIFICATE` `USERLOG_EVENTS_TLS_ROOT_CA_CERTIFICATE`	pre5.0	string		The root CA certificate used to validate the server’s TLS certificate. If provided NOTIFICATIONS_EVENTS_TLS_INSECURE will be seen as false.
`OCIS_EVENTS_ENABLE_TLS` `USERLOG_EVENTS_ENABLE_TLS`	pre5.0	bool	false	Enable TLS for the connection to the events broker. The events broker is the ocis service which receives and delivers events between the services.
`OCIS_EVENTS_AUTH_USERNAME` `USERLOG_EVENTS_AUTH_USERNAME`	5.0	string		The username to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services.
`OCIS_EVENTS_AUTH_PASSWORD` `USERLOG_EVENTS_AUTH_PASSWORD`	5.0	string		The password to authenticate with the events broker. The events broker is the ocis service which receives and delivers events between the services.
`OCIS_MAX_CONCURRENCY` `USERLOG_MAX_CONCURRENCY`	7.0.0	int	1	Maximum number of concurrent go-routines. Higher values can potentially get work done faster but will also cause more load on the system. Values of 0 or below will be ignored and the default value will be used.
`OCIS_PERSISTENT_STORE` `USERLOG_STORE`	pre5.0	string	memory	The type of the store. Supported values are: 'memory', 'nats-js-kv', 'redis-sentinel', 'noop'. See the text description for details.
`OCIS_PERSISTENT_STORE_NODES` `USERLOG_STORE_NODES`	pre5.0	[]string	[]	A list of nodes to access the configured store. This has no effect when 'memory' store is configured. Note that the behaviour how nodes are used is dependent on the library of the configured store. See the Environment Variable Types description for more details.
`USERLOG_STORE_DATABASE`	pre5.0	string	userlog	The database name the configured store should use.
`USERLOG_STORE_TABLE`	pre5.0	string	events	The database table the store should use.
`OCIS_PERSISTENT_STORE_TTL` `USERLOG_STORE_TTL`	pre5.0	Duration	336h0m0s	Time to live for events in the store. Defaults to '336h' (2 weeks). See the Environment Variable Types description for more details.
`OCIS_PERSISTENT_STORE_AUTH_USERNAME` `USERLOG_STORE_AUTH_USERNAME`	5.0	string		The username to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.
`OCIS_PERSISTENT_STORE_AUTH_PASSWORD` `USERLOG_STORE_AUTH_PASSWORD`	5.0	string		The password to authenticate with the store. Only applies when store type 'nats-js-kv' is configured.
`OCIS_DISABLE_SSE,USERLOG_DISABLE_SSE`	pre5.0	bool	false	Disables server-sent events (sse). When disabled, clients will no longer receive sse notifications.
`USERLOG_GLOBAL_NOTIFICATIONS_SECRET`	pre5.0	string		The secret to secure the global notifications endpoint. Only system admins and users knowing that secret can call the global notifications POST/DELETE endpoints.
`OCIS_SERVICE_ACCOUNT_ID` `USERLOG_SERVICE_ACCOUNT_ID`	5.0	string		The ID of the service account the service should use. See the 'auth-service' service description for more details.
`OCIS_SERVICE_ACCOUNT_SECRET` `USERLOG_SERVICE_ACCOUNT_SECRET`	5.0	string		The service account secret.

YAML Example

Note the file shown below must be renamed and placed in the correct folder according to the Configuration File Naming conventions to be effective.
See the Notes for Environment Variables if you want to use environment variables in the yaml file.

master + Rolling 7.1.2

# Autogenerated
# Filename: userlog-config-example.yaml

tracing:
  enabled: false
  type: ""
  endpoint: ""
  collector: ""
log:
  level: ""
  pretty: false
  color: false
  file: ""
debug:
  addr: 127.0.0.1:9214
  token: ""
  pprof: false
  zpages: false
http:
  addr: 127.0.0.1:9210
  root: /
  cors:
    allow_origins:
    - '*'
    allow_methods:
    - GET
    allow_headers:
    - Authorization
    - Origin
    - Content-Type
    - Accept
    - X-Requested-With
    - X-Request-Id
    - Ocs-Apirequest
    allow_credentials: true
  tls:
    enabled: false
    cert: ""
    key: ""
grpc_client_tls: null
token_manager:
  jwt_secret: ""
reva_gateway: com.owncloud.api.gateway
translation_path: ""
default_language: ""
events:
  endpoint: 127.0.0.1:9233
  cluster: ocis-cluster
  tls_insecure: false
  tls_root_ca_certificate: ""
  enable_tls: false
  username: ""
  password: ""
max_concurrency: 1
persistence:
  store: memory
  nodes: []
  database: userlog
  table: events
  ttl: 336h0m0s
  username: ""
  password: ""
disable_sse: false
global_notifications_secret: ""
service_account:
  service_account_id: ""
  service_account_secret: ""