From 5ffc415a7ba2baa132fd6902031624c894f08c20 Mon Sep 17 00:00:00 2001 From: kobergj Date: Thu, 26 Jan 2023 14:24:43 +0000 Subject: [PATCH] commit ebd55eb765e8782393d6df7eca8527bdcc77f9a2 Merge: aa12a60d1 ab4d8c395 Author: kobergj Date: Thu Jan 26 15:23:19 2023 +0100 Merge pull request #5457 from kobergj/PostprocessingConfiguration Better Configuration for Postprocessing Service --- .../_includes/adoc/global_configvars.adoc | 48 +++++++++---------- .../adoc/postprocessing_configvars.adoc | 20 ++++++-- .../postprocessing-config-example.yaml | 1 + .../_includes/postprocessing_configvars.md | 3 +- 4 files changed, 44 insertions(+), 28 deletions(-) diff --git a/services/_includes/adoc/global_configvars.adoc b/services/_includes/adoc/global_configvars.adoc index 294b1380a78..94d991203c0 100644 --- a/services/_includes/adoc/global_configvars.adoc +++ b/services/_includes/adoc/global_configvars.adoc @@ -26,7 +26,7 @@ a| [subs=-attributes] ++false ++ a| [subs=-attributes] -The default role assignments the demo users should be setup. +Flag to enable or disable the creation of the demo users. a| `LDAP_BIND_DN` @@ -41,7 +41,7 @@ a| [subs=-attributes] ++string ++ a| [subs=-attributes] -++uid=reva,ou=sysusers,o=libregraph-idm ++ +++uid=idp,ou=sysusers,o=libregraph-idm ++ a| [subs=-attributes] LDAP DN to use for simple bind authentication with the target LDAP server. @@ -131,7 +131,7 @@ a| [subs=-attributes] ++groupOfNames ++ a| [subs=-attributes] -The object class to use for groups in the default group search filter ('groupOfNames'). +The object class to use for groups in the default group search filter ('groupOfNames'). a| `LDAP_GROUP_SCHEMA_DISPLAYNAME` @@ -178,7 +178,7 @@ a| [subs=-attributes] ++string ++ a| [subs=-attributes] -++ownclouduuid ++ +++owncloudUUID ++ a| [subs=-attributes] LDAP Attribute to use as the unique id for groups. This should be a stable globally unique ID like a UUID. 
@@ -282,7 +282,7 @@ a| [subs=-attributes] ++ldaps://localhost:9235 ++ a| [subs=-attributes] -URI of the LDAP Server to connect to. Supported URI schemes are 'ldaps://' and 'ldap://' +Url of the LDAP service to use as IDP. a| `LDAP_USER_BASE_DN` @@ -336,7 +336,7 @@ a| [subs=-attributes] ++inetOrgPerson ++ a| [subs=-attributes] -The object class to use for users in the default user search filter ('inetOrgPerson'). +LDAP User ObjectClass like 'inetOrgPerson'. a| `LDAP_USER_SCHEMA_DISPLAYNAME` @@ -367,10 +367,10 @@ a| [subs=-attributes] ++string ++ a| [subs=-attributes] -++ownclouduuid ++ +++uid ++ a| [subs=-attributes] -LDAP Attribute to use as the unique id for users. This should be a stable globally unique id like a UUID. +LDAP User uuid attribute like 'uid'. a| `LDAP_USER_SCHEMA_ID_IS_OCTETSTRING` @@ -386,7 +386,7 @@ a| [subs=-attributes] ++false ++ a| [subs=-attributes] -Set this to true if the defined 'id' attribute for users is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the user id's. +Set this to true if the defined 'id' attribute for users is of the 'OCTETSTRING' syntax. This is e.g. required when using the 'objectGUID' attribute of Active Directory for the user ID's. a| `LDAP_USER_SCHEMA_MAIL` @@ -404,7 +404,7 @@ a| [subs=-attributes] ++mail ++ a| [subs=-attributes] -LDAP Attribute to use for the email address of users. +LDAP User email attribute like 'mail'. a| `LDAP_USER_SCHEMA_USERNAME` @@ -419,10 +419,10 @@ a| [subs=-attributes] ++string ++ a| [subs=-attributes] -++uid ++ +++displayName ++ a| [subs=-attributes] -LDAP Attribute to use for username of users. +LDAP User name attribute like 'displayName'. a| `LDAP_USER_SCOPE` 
@@ -466,13 +466,13 @@ a| [subs=attributes+] * xref:{s-path}/storage-users.adoc[storage-users] + a| [subs=-attributes] -++string ++ +++[]string ++ a| [subs=-attributes] -++ ++ +++[] ++ a| [subs=-attributes] -A comma-separated list of addresses to connect to. Only valid if the above setting is set to "etcd" +Node addresses to use for the cache store. a| `OCIS_CACHE_STORE_SIZE` @@ -501,10 +501,10 @@ a| [subs=-attributes] ++string ++ a| [subs=-attributes] -++ ++ +++memory ++ a| [subs=-attributes] -The type of the cache store. Valid options are "noop", "ocmem", "etcd" and "memory" +Store implementation for the cache. Valid values are "memory" (default), "redis", and "etcd". a| `OCIS_CORS_ALLOW_CREDENTIALS` @@ -535,7 +535,7 @@ a| [subs=-attributes] ++[]string ++ a| [subs=-attributes] -++[Authorization Origin Content-Type Accept X-Requested-With] ++ +++[Origin Accept Content-Type Depth Authorization Ocs-Apirequest If-None-Match If-Match Destination Overwrite X-Request-Id X-Requested-With Tus-Resumable Tus-Checksum-Algorithm Upload-Concat Upload-Length Upload-Metadata Upload-Defer-Length Upload-Expires Upload-Checksum Upload-Offset X-HTTP-Method-Override] ++ a| [subs=-attributes] A comma-separated list of allowed CORS headers. See following chapter for more details: *Access-Control-Request-Headers* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Headers. @@ -552,7 +552,7 @@ a| [subs=-attributes] ++[]string ++ a| [subs=-attributes] -++[GET POST PUT PATCH DELETE OPTIONS] ++ +++[OPTIONS HEAD GET PUT POST DELETE MKCOL PROPFIND PROPPATCH MOVE COPY REPORT SEARCH] ++ a| [subs=-attributes] A comma-separated list of allowed CORS methods. See following chapter for more details: *Access-Control-Request-Method* at \https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Request-Method 
@@ -849,7 +849,7 @@ a| [subs=-attributes] ++false ++ a| [subs=-attributes] -Whether the ocis server should skip the client certificate verification during the TLS handshake. +Allow insecure connections to the OIDC issuer. a| `OCIS_JWT_SECRET` @@ -1073,7 +1073,7 @@ a| [subs=-attributes] ++ ++ a| [subs=-attributes] -Machine auth API key used to validate internal requests necessary for the access to resources from other services. +The machine auth API key used to validate internal requests necessary to access resources from other services. a| `OCIS_OIDC_ISSUER` @@ -1093,7 +1093,7 @@ a| [subs=-attributes] ++https://localhost:9200 ++ a| [subs=-attributes] -The identity provider value to set in the group IDs of the CS3 group objects for groups returned by this group provider. +URL of the OIDC issuer. It defaults to URL of the builtin IDP. a| `OCIS_SYSTEM_USER_API_KEY` @@ -1131,7 +1131,7 @@ a| [subs=-attributes] ++ ++ a| [subs=-attributes] -ID of the oCIS STORAGE-SYSTEM system user. Admins need to set the ID for the STORAGE-SYSTEM system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format. +ID of the oCIS storage-system system user. Admins need to set the ID for the STORAGE-SYSTEM system user in this config option which is then used to reference the user. Any reasonable long string is possible, preferably this would be an UUIDv4 format. a| `OCIS_SYSTEM_USER_IDP` @@ -1334,7 +1334,7 @@ a| [subs=-attributes] ++https://localhost:9200 ++ a| [subs=-attributes] -The identity provider value to set in the group IDs of the CS3 group objects for groups returned by this group provider. +URL of the OIDC issuer. It defaults to URL of the builtin IDP. a| `REVA_GATEWAY` diff --git a/services/_includes/adoc/postprocessing_configvars.adoc b/services/_includes/adoc/postprocessing_configvars.adoc index 0b1c0ab9f8d..fc7dd298308 100644 --- a/services/_includes/adoc/postprocessing_configvars.adoc 
+++ b/services/_includes/adoc/postprocessing_configvars.adoc @@ -1,6 +1,6 @@ // set the attribute to true or leave empty, true without any quotes. -:show-deprecation: false +:show-deprecation: true ifeval::[{show-deprecation} == true] @@ -12,6 +12,11 @@ ifeval::[{show-deprecation} == true] | Deprecation Version | Removal Version | Deprecation Replacment + +| POSTPROCESSING_VIRUSSCAN is not longer necessary and is replaced by POSTPROCESSING_STEPS which also holds information about the order of steps +| master +| master +| POSTPROCESSING_STEPS |=== endif::[] @@ -112,8 +117,17 @@ a| [subs=-attributes] a| [subs=-attributes] Enable TLS for the connection to the events broker. The events broker is the ocis service which receives and delivers events between the services. -a|`POSTPROCESSING_VIRUSSCAN` + +a|`POSTPROCESSING_STEPS` + +a| [subs=-attributes] +++[]string ++ +a| [subs=-attributes] +++[] ++ +a| [subs=-attributes] +A comma separated list of postprocessing steps, processed in order of their appearance. Currently supported values by the system are: 'virusscan' and 'delay'. Custom steps are allowed. See the documentation for instructions. + +a|`POSTPROCESSING_VIRUSSCAN` + +xref:deprecation-note[Deprecation Note] a| [subs=-attributes] ++bool ++ a| [subs=-attributes] 
@@ -128,6 +142,6 @@ a| [subs=-attributes] a| [subs=-attributes] ++0s ++ a| [subs=-attributes] -After uploading a file but before making it available for download, a delay step can be added. Intended for developing purposes only. The duration can be set as number followed by a unit identifier like s, m or h. +After uploading a file but before making it available for download, a delay step can be added. Intended for developing purposes only. The duration can be set as number followed by a unit identifier like s, m or h. If a duration is set but the keyword 'delay' is not explicitely added to 'POSTPROCESSING_STEPS', the delay step will be processed as last step. In such a case, a log entry will be written on service startup to remind the admin about that situation. |=== diff --git a/services/_includes/postprocessing-config-example.yaml b/services/_includes/postprocessing-config-example.yaml index 9311ee8c034..25258cd2cf3 100644 --- a/services/_includes/postprocessing-config-example.yaml +++ b/services/_includes/postprocessing-config-example.yaml @@ -13,5 +13,6 @@ postprocessing: tls_insecure: false tls_root_ca_certificate: "" enable_tls: false + steps: [] virusscan: false delayprocessing: 0s diff --git a/services/_includes/postprocessing_configvars.md b/services/_includes/postprocessing_configvars.md index d40af6244eb..07860c5465f 100644 --- a/services/_includes/postprocessing_configvars.md +++ b/services/_includes/postprocessing_configvars.md @@ -11,5 +11,6 @@ | OCIS_INSECURE
POSTPROCESSING_EVENTS_TLS_INSECURE | bool | false | Whether the ocis server should skip the client certificate verification during the TLS handshake.| | POSTPROCESSING_EVENTS_TLS_ROOT_CA_CERTIFICATE | string | | The root CA certificate used to validate the server's TLS certificate. If provided POSTPROCESSING_EVENTS_TLS_INSECURE will be seen as false.| | OCIS_EVENTS_ENABLE_TLS
POSTPROCESSING_EVENTS_ENABLE_TLS | bool | false | Enable TLS for the connection to the events broker. The events broker is the ocis service which receives and delivers events between the services.| +| POSTPROCESSING_STEPS | []string | [] | A comma separated list of postprocessing steps, processed in order of their appearance. Currently supported values by the system are: 'virusscan' and 'delay'. Custom steps are allowed. See the documentation for instructions.| | POSTPROCESSING_VIRUSSCAN | bool | false | After uploading a file but before making it available for download, virus scanning the file can be enabled. Needs as prerequisite the antivirus service to be enabled and configured.| -| POSTPROCESSING_DELAY | Duration | 0s | After uploading a file but before making it available for download, a delay step can be added. Intended for developing purposes only. The duration can be set as number followed by a unit identifier like s, m or h.| \ No newline at end of file +| POSTPROCESSING_DELAY | Duration | 0s | After uploading a file but before making it available for download, a delay step can be added. Intended for developing purposes only. The duration can be set as number followed by a unit identifier like s, m or h. If a duration is set but the keyword 'delay' is not explicitely added to 'POSTPROCESSING_STEPS', the delay step will be processed as last step. In such a case, a log entry will be written on service startup to remind the admin about that situation.| \ No newline at end of file
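
Review bot: The LDAP rows in services/_includes/adoc/global_configvars.adoc (hunks @@ -41, @@ -282, @@ -336, @@ -367, @@ -404 and @@ -419) now read as one service's settings rather than global ones. The `LDAP_BIND_DN` default becomes `uid=idp,ou=sysusers,o=libregraph-idm`, the server URI text becomes "Url of the LDAP service to use as IDP." and loses the supported 'ldaps://' and 'ldap://' schemes, and the user id row drops "This should be a stable globally unique id like a UUID." while its default moves from `ownclouduuid` to `uid`. The username default also moves from `uid` to `displayName`, so the table now presents a display name as the login attribute and a login name as the unique id. If these defaults really differ per service, the global table should say so and keep the generic wording. Otherwise the generator is picking up the wrong service's struct tags, and that should be fixed before merging.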
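
Review bot: In the @@ -466 and @@ -501 hunks of global_configvars.adoc, the cache store rows change type, default and accepted values at once, with no note for admins who configured the old values. The nodes row goes from `string` ("A comma-separated list of addresses") to `[]string` and loses the statement that it is only valid for "etcd". The store type row replaces "noop", "ocmem", "etcd" and "memory" with "memory", "redis" and "etcd". Please confirm that every service listed for these variables accepts the new set, and keep a sentence saying which store types use the node addresses.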
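
Review bot: In the @@ -535 and @@ -552 hunks, the documented CORS defaults for a global variable switch from a short list (five headers, six methods) to what looks like a single WebDAV/TUS service's list, including `X-HTTP-Method-Override`, `MKCOL`, `PROPFIND`, `MOVE` and `COPY`, and `PATCH` disappears from the methods. Anyone auditing CORS exposure from this table cannot tell which services ship the wide list and which ship the narrow one. Suggest stating that the default differs per service and pointing to the per-service tables, or showing the default of the most restrictive service here.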
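
Review bot: In the @@ -849 hunk, the new description "Allow insecure connections to the OIDC issuer." is narrower than the removed sentence about skipping certificate verification during the TLS handshake. The variable name is outside the visible context, but postprocessing_configvars.md in this same patch still documents `OCIS_INSECURE` with the handshake wording for the events connection. If this row is that shared variable, the global text now understates what the flag turns off. Suggest a description that covers every connection the flag affects.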
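
Review bot: In postprocessing_configvars.adoc (hunks @@ -1 and @@ -12), the new deprecation row gives `master` as both Deprecation Version and Removal Version, which tells an admin nothing about when `POSTPROCESSING_VIRUSSCAN` stops being honoured. Please use release numbers, or leave the row out until they are known. The row text should read "is no longer necessary". The deprecation is also only visible in the adoc file: the `POSTPROCESSING_VIRUSSCAN` row in postprocessing_configvars.md keeps its old description with no deprecation marker.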
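
Review bot: The `POSTPROCESSING_STEPS` description added in the @@ -112 hunk (and repeated in postprocessing_configvars.md) does not say what happens when `POSTPROCESSING_VIRUSSCAN` is true but 'virusscan' is not in the list. The @@ -128 hunk documents that fallback for the delay step only. The scan decides whether an uploaded file becomes available for download, so the precedence should be explicit: state whether the scan is appended, ignored, or rejected at startup, and whether a startup log entry is written as for 'delay'. "See the documentation for instructions." also needs a link or xref for custom steps, and "explicitely" should be "explicitly" in both files.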
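
Review bot: In postprocessing-config-example.yaml, the added `steps: []` sits directly above `virusscan: false` with nothing to show that the second key is the deprecated way of expressing the first. An empty list also does not show the expected value syntax. Suggest a comment marking `virusscan` as deprecated in favour of `steps`, plus a commented sample value using the two supported names from the description, 'virusscan' and 'delay'.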