From 05543a5ecf3c4a2f707b8bed040bc26582f999c4 Mon Sep 17 00:00:00 2001 From: Ralf Haferkamp Date: Tue, 21 Feb 2023 11:32:18 +0000 Subject: [PATCH] commit 1dab0f7a54fed67a27aacecb1d79f731059a3d38 Author: Ralf Haferkamp Date: Thu Feb 16 10:50:16 2023 +0100 graph: Improve appRoleAssignments filters This should improve the processing of filters for appRoleAssignments a bit when combining them with other filters. We try to avoid reading the full user list if possible and delay the processing of an appRoleAssignments filter so that we can apply it to a subset of users. E.g. the filter `appRoleAssignments/any(m:m/appRoleId eq 71881883-1768-46bd-a24d-a356a2afdf7f) and memberOf/any(m:m/id eq 509a9dcd-bb37-4f4f-a01a-19dca27d9cfa)` will be reordered to process the memberOf filter first (which can be executed without reading the full user list) and to apply the appRoleAssignments filter only to the result set of the memberOf filter. --- helpers/extended_vars.yaml | 4 +- .../_includes/adoc/global_configvars.adoc | 40 +++++++++---------- 2 files changed, 22 insertions(+), 22 deletions(-) diff --git a/helpers/extended_vars.yaml b/helpers/extended_vars.yaml index 2f7b8583510..a6728235dc1 100644 --- a/helpers/extended_vars.yaml +++ b/helpers/extended_vars.yaml @@ -33,7 +33,7 @@ variables: description: "" do_ignore: true - rawname: MICRO_LOG_LEVEL - path: ocis-pkg/log/log.go:35 + path: ocis-pkg/log/log.go:31 foundincode: true name: MICRO_LOG_LEVEL type: "" @@ -41,7 +41,7 @@ variables: description: "" do_ignore: false - rawname: MICRO_LOG_LEVEL - path: ocis-pkg/log/log.go:31 + path: ocis-pkg/log/log.go:35 foundincode: true name: MICRO_LOG_LEVEL type: "" diff --git a/services/_includes/adoc/global_configvars.adoc b/services/_includes/adoc/global_configvars.adoc index 7837cfc4a55..c17dffb0597 100644 --- a/services/_includes/adoc/global_configvars.adoc +++ b/services/_includes/adoc/global_configvars.adoc 
@@ -41,7 +41,7 @@ a| [subs=-attributes] ++string ++ a| [subs=-attributes] -++uid=reva,ou=sysusers,o=libregraph-idm ++ +++uid=idp,ou=sysusers,o=libregraph-idm ++ a| [subs=-attributes] LDAP DN to use for simple bind authentication with the target LDAP server. @@ -80,7 +80,7 @@ a| [subs=-attributes] ++~/.ocis/idm/ldap.crt ++ a| [subs=-attributes] -Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the LDAP service. If not definied, the root directory derives from $OCIS_BASE_DATA_PATH:/idm. +Path/File name for the root CA certificate (in PEM format) used to validate TLS server certificates of the LDAP service. If not definied, the root directory derives from $OCIS_BASE_DATA_PATH:/idp. a| `LDAP_GROUP_BASE_DN` @@ -131,7 +131,7 @@ a| [subs=-attributes] ++groupOfNames ++ a| [subs=-attributes] -The object class to use for groups in the default group search filter ('groupOfNames'). +The object class to use for groups in the default group search filter ('groupOfNames'). a| `LDAP_GROUP_SCHEMA_DISPLAYNAME` @@ -178,7 +178,7 @@ a| [subs=-attributes] ++string ++ a| [subs=-attributes] -++ownclouduuid ++ +++owncloudUUID ++ a| [subs=-attributes] LDAP Attribute to use as the unique id for groups. This should be a stable globally unique ID like a UUID. @@ -282,7 +282,7 @@ a| [subs=-attributes] ++ldaps://localhost:9235 ++ a| [subs=-attributes] -URI of the LDAP Server to connect to. Supported URI schemes are 'ldaps://' and 'ldap://' +Url of the LDAP service to use as IDP. a| `LDAP_USER_BASE_DN` @@ -336,7 +336,7 @@ a| [subs=-attributes] ++inetOrgPerson ++ a| [subs=-attributes] -The object class to use for users in the default user search filter ('inetOrgPerson'). +LDAP User ObjectClass like 'inetOrgPerson'. a| `LDAP_USER_SCHEMA_DISPLAYNAME` 
@@ -367,10 +367,10 @@ a| [subs=-attributes] ++string ++ a| [subs=-attributes] -++ownclouduuid ++ +++uid ++ a| [subs=-attributes] -LDAP Attribute to use as the unique id for users. This should be a stable globally unique id like a UUID. +LDAP User uuid attribute like 'uid'. a| `LDAP_USER_SCHEMA_ID_IS_OCTETSTRING` @@ -404,7 +404,7 @@ a| [subs=-attributes] ++mail ++ a| [subs=-attributes] -LDAP Attribute to use for the email address of users. +LDAP User email attribute like 'mail'. a| `LDAP_USER_SCHEMA_USERNAME` @@ -419,10 +419,10 @@ a| [subs=-attributes] ++string ++ a| [subs=-attributes] -++uid ++ +++displayName ++ a| [subs=-attributes] -LDAP Attribute to use for username of users. +LDAP User name attribute like 'displayName'. a| `LDAP_USER_SCOPE` @@ -538,7 +538,7 @@ a| [subs=-attributes] ++[]string ++ a| [subs=-attributes] -++[Authorization Origin Content-Type Accept X-Requested-With] ++ +++[Origin Accept Content-Type Depth Authorization Ocs-Apirequest If-None-Match If-Match Destination Overwrite X-Request-Id X-Requested-With Tus-Resumable Tus-Checksum-Algorithm Upload-Concat Upload-Length Upload-Metadata Upload-Defer-Length Upload-Expires Upload-Checksum Upload-Offset X-HTTP-Method-Override] ++ a| [subs=-attributes] A comma-separated list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. @@ -556,7 +556,7 @@ a| [subs=-attributes] ++[]string ++ a| [subs=-attributes] -++[GET POST PUT PATCH DELETE OPTIONS] ++ +++[OPTIONS HEAD GET PUT POST DELETE MKCOL PROPFIND PROPPATCH MOVE COPY REPORT SEARCH] ++ a| [subs=-attributes] A comma-separated list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method 
@@ -598,7 +598,7 @@ a| [subs=-attributes] ++false ++ a| [subs=-attributes] -Enable TLS for the connection to the events broker. The events broker is the ocis service which receives and delivers events between the services. +Enable TLS for the connection to the events broker. The events broker is the ocis service which receives and delivers events between the services.. a| `OCIS_GRPC_CLIENT_TLS_CACERT` @@ -1086,7 +1086,7 @@ a| [subs=-attributes] ++ ++ a| [subs=-attributes] -Machine auth API key used to validate internal requests necessary for the access to resources from other services. +The machine auth API key used to validate internal requests necessary to access resources from other services. a| `OCIS_OIDC_ISSUER` @@ -1107,7 +1107,7 @@ a| [subs=-attributes] ++https://localhost:9200 ++ a| [subs=-attributes] -The identity provider value to set in the group IDs of the CS3 group objects for groups returned by this group provider. +The OIDC issuer URL to use. a| `OCIS_SYSTEM_USER_API_KEY` @@ -1145,7 +1145,7 @@ a| [subs=-attributes] ++ ++ a| [subs=-attributes] -ID of the oCIS STORAGE-SYSTEM system user. Admins need to set the ID for the STORAGE-SYSTEM system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format. +ID of the oCIS storage-system system user. Admins need to set the ID for the STORAGE-SYSTEM system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format. a| `OCIS_SYSTEM_USER_IDP` @@ -1351,10 +1351,10 @@ a| [subs=-attributes] ++string ++ a| [subs=-attributes] -++https://127.0.0.1:9200 ++ +++https://localhost:9200/ ++ a| [subs=-attributes] -URL, where oCIS is reachable for users. +Base url to navigate back from the app the containing folder in the file list. a| `REVA_GATEWAY` 
@@ -1404,7 +1404,7 @@ a| [subs=-attributes] ++ ++ a| [subs=-attributes] -The storage transfer secret. +Transfer secret for signing file up- and download requests. a| `STORAGE_USERS_OCIS_ASYNC_UPLOADS`