[full-ci] ocis init & remove default secrets #3551

Merged
merged 68 commits into from
May 2, 2022
c9c329b
initial skel for subcommand
dragonchaser Apr 14, 2022
8d81e39
refactor yaml labels, add overwrite protection
dragonchaser Apr 19, 2022
3956108
add password generator
dragonchaser Apr 20, 2022
88cf3ee
handle insecure flag
dragonchaser Apr 20, 2022
f7a8449
add missing extensions
dragonchaser Apr 20, 2022
0d45dc8
Merge remote-tracking branch 'origin/master' into ocis-init
dragonchaser Apr 20, 2022
699f929
Merge remote-tracking branch 'origin/master' into ocis-init
dragonchaser Apr 22, 2022
acf75af
Move Tokenmanager to shared.Commons
dragonchaser Apr 22, 2022
a4d7696
Move machine-auth-api-key to shared.Commons
dragonchaser Apr 26, 2022
58a24e6
Move reva transfer secret to shared.Commons
dragonchaser Apr 26, 2022
fb5ca00
Merge remote-tracking branch 'origin/master' into ocis-init
dragonchaser Apr 26, 2022
d106c87
[WIP] adapt storage changes
dragonchaser Apr 27, 2022
c5d0791
add password generator
dragonchaser Apr 27, 2022
48a6978
move TokenManager back to extension config
wkloucek Apr 27, 2022
9095b11
load reva gateway and token manager from common config
wkloucek Apr 27, 2022
b3f5576
use common transfer secrets
wkloucek Apr 27, 2022
f74d1e2
use machine auth secret from common config
wkloucek Apr 27, 2022
a261fc8
cleanup
wkloucek Apr 27, 2022
5b572b3
initialize insecure options
wkloucek Apr 27, 2022
a37126f
Merge branch 'master' into ocis-init
wkloucek Apr 27, 2022
4043f18
set generate ldap secrets
wkloucek Apr 27, 2022
31656e1
remove TODOs
wkloucek Apr 28, 2022
4a9b31f
fix machineauth to right machine auth api key
wkloucek Apr 28, 2022
83f75bf
fix ginkgo testsuite
wkloucek Apr 28, 2022
5c159ee
Merge branch 'master' into ocis-init
wkloucek Apr 28, 2022
df53c2a
fix graph tests
wkloucek Apr 28, 2022
3054875
move config validation into a separate function
wkloucek Apr 28, 2022
fb6a8ff
add backup of config on force overwrite
dragonchaser Apr 28, 2022
aba2ee0
fix build
wkloucek Apr 28, 2022
ab254b0
remove all "omitempty" from config structs to bring back full configu…
wkloucek Apr 28, 2022
b515d7f
fix typo and hide supervised
wkloucek Apr 28, 2022
1b2cc6d
revert empty yaml tags
wkloucek Apr 28, 2022
3a9ba10
fix and restructure ocis-pkg config parser
wkloucek Apr 28, 2022
5a6c44a
move config generator to own structures, to avoid having to fork the …
dragonchaser Apr 28, 2022
83b94cf
log parsing errors to stdout
wkloucek Apr 28, 2022
0330b43
unclutter ocis init code
dragonchaser Apr 28, 2022
ed1c459
Merge branch 'ocis-init' of github.com:owncloud/ocis into ocis-init
dragonchaser Apr 28, 2022
4e531ca
fix ocis startup with debugging config / environment variables only
wkloucek Apr 28, 2022
20f916c
run `ocis init` in CI
wkloucek Apr 28, 2022
9860f79
revert go.mod changes
wkloucek Apr 28, 2022
9e31bc0
revert Web json config struct omitempty tags
wkloucek Apr 28, 2022
2525414
fix .drone.star formatting
wkloucek Apr 28, 2022
e582b60
fix startup with `ocis init`
wkloucek Apr 28, 2022
afa8ca8
use FullDefaultConfig in example config generator and remove leftover
wkloucek Apr 28, 2022
703a333
fix settings machine auth api key
wkloucek Apr 29, 2022
293dbac
remove underscores from variable names and use yaml tags instead
wkloucek Apr 29, 2022
1c2a67f
fix machine auth api key for frontend
wkloucek Apr 29, 2022
767845d
fix force overwrite bug
dragonchaser Apr 29, 2022
622218e
add changelog
wkloucek Apr 29, 2022
d86a86a
update documentation
wkloucek Apr 29, 2022
72688b3
move generic secret errors to shared, fix edgecase in cli flags
dragonchaser Apr 29, 2022
7b5d705
add more documentation
wkloucek Apr 29, 2022
bc6cd91
[WIP] add missing secret checks
dragonchaser Apr 29, 2022
9971867
Merge branch 'ocis-init' of github.com:owncloud/ocis into ocis-init
dragonchaser Apr 29, 2022
4ff313b
check for more secrets need to be set
wkloucek Apr 29, 2022
1b68e85
simplify secure an ocis instance section
wkloucek Apr 29, 2022
19e8937
Merge branch 'master' into ocis-init
wkloucek Apr 29, 2022
59c9641
beautify error messages
dragonchaser Apr 29, 2022
c47e433
allow override of admin password with ocis init
dragonchaser Apr 29, 2022
d0506cf
fix the traefik deployment example
wkloucek Apr 29, 2022
feda972
add idm admin password variable to init command
wkloucek Apr 29, 2022
4fdd317
only mount config volume for initialization
wkloucek Apr 29, 2022
1cdb81b
add fixes from review
wkloucek Apr 29, 2022
6474d46
nitpicks and typo
butonic Apr 29, 2022
89a9a14
Update extensions/storage-shares/pkg/config/parser/parse.go
butonic Apr 29, 2022
4c53707
omit extension name in ParseConfig doc
butonic Apr 29, 2022
9d8072c
try to make lint happy
butonic Apr 29, 2022
f9dcf37
Merge branch 'master' into ocis-init
wkloucek May 2, 2022
2 changes: 1 addition & 1 deletion .bingo/Variables.mk
@@ -1,4 +1,4 @@
# Auto generated binary variables helper managed by https://github.com/bwplotka/bingo v0.5.2. DO NOT EDIT.
# Auto generated binary variables helper managed by https://github.com/bwplotka/bingo v0.6. DO NOT EDIT.
# All tools are designed to be build inside $GOBIN.
BINGO_DIR := $(dir $(lastword $(MAKEFILE_LIST)))
GOPATH ?= $(shell go env GOPATH)
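Review bot: the bingo bump from v0.5.2 to v0.6 in this auto-generated file (and its twin .bingo/variables.env) is unrelated to `ocis init`; given the `revert go.mod changes` commit in this PR, confirm the tooling bump is intentional or drop both files so it lands on its own.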
2 changes: 1 addition & 1 deletion .bingo/variables.env
@@ -1,4 +1,4 @@
# Auto generated binary variables helper managed by https://github.com/bwplotka/bingo v0.5.2. DO NOT EDIT.
# Auto generated binary variables helper managed by https://github.com/bwplotka/bingo v0.6. DO NOT EDIT.
# All tools are designed to be build inside $GOBIN.
# Those variables will work only until 'bingo get' was invoked, or if tools were installed via Makefile's Variables.mk.
GOBIN=${GOBIN:=$(go env GOBIN)}
17 changes: 5 additions & 12 deletions .drone.star
@@ -1680,6 +1680,7 @@ def ocisServerWithAccounts(storage, accounts_hash_difficulty = 4, volumes = [],
"detach": True,
"environment": environment,
"commands": [
"ocis/bin/ocis init --insecure true",
"ocis/bin/ocis server",
],
"volumes": volumes,
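Review bot: `ocis/bin/ocis init --insecure true` is run unconditionally before `ocis/bin/ocis server`; since this PR adds overwrite protection to init (it refuses to replace an existing config unless forced), the step only works while the CI container starts from an empty config directory. A comment stating that assumption, or the `|| true` guard the traefik entrypoint uses, would keep a reused volume from breaking the pipeline.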
@@ -1700,8 +1701,7 @@ def ocisServer(storage, accounts_hash_difficulty = 4, volumes = [], depends_on =
user = "0:0"
environment = {
"OCIS_URL": "https://ocis-server:9200",
"GATEWAY_GRPC_ADDR": "0.0.0.0:9142",
"STORAGE_HOME_DRIVER": "%s" % (storage),
"GATEWAY_GRPC_ADDR": "0.0.0.0:9142", # cs3api-validator needs the cs3api gatway exposed
"STORAGE_USERS_DRIVER": "%s" % (storage),
"STORAGE_USERS_DRIVER_LOCAL_ROOT": "/srv/app/tmp/ocis/local/root",
"STORAGE_USERS_DRIVER_OCIS_ROOT": "/srv/app/tmp/ocis/storage/users",
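Review bot: the new `GATEWAY_GRPC_ADDR` comment has a typo (`gatway`). Binding the CS3 gateway to `0.0.0.0:9142` exposes it on every interface of the container; that is acceptable for the cs3api-validator in a throwaway CI step, but the comment should say so explicitly so the line is not copied into the deployment examples.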
@@ -1712,8 +1712,8 @@ def ocisServer(storage, accounts_hash_difficulty = 4, volumes = [], depends_on =
"IDP_IDENTIFIER_REGISTRATION_CONF": "/drone/src/tests/config/drone/identifier-registration.yml",
"OCIS_LOG_LEVEL": "error",
"SETTINGS_DATA_PATH": "/srv/app/tmp/ocis/settings",
"OCIS_INSECURE": "true",
"IDM_CREATE_DEMO_USERS": True,
"IDM_ADMIN_PASSWORD": "admin", # override the random admin password from `ocis init`
}
wait_for_ocis = {
"name": "wait-for-ocis-server",
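Review bot: `"IDM_ADMIN_PASSWORD": "admin"` puts a well-known admin credential back into the environment right after `ocis init` generated a random one, and `OCIS_INSECURE` is dropped here in favour of `--insecure true` on the init command. Both are fine for CI, but the identical override appears again in the second `ocisServer` environment below; pulling the CI-only entries into one shared dict would keep the two from drifting.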
@@ -1782,24 +1782,16 @@ def ocisServer(storage, accounts_hash_difficulty = 4, volumes = [], depends_on =
"SHARING_USER_SQL_HOST": "oc10-db",
"SHARING_USER_SQL_PORT": 3306,
"SHARING_USER_SQL_NAME": "owncloud",
# ownCloud storage readonly
# TODO: conflict with OWNCLOUDSQL -> https://github.com/owncloud/ocis/issues/2303
"OCIS_STORAGE_READ_ONLY": "false",
# General oCIS config
# OCIS_RUN_EXTENSIONS specifies to start all extensions except glauth, idp and accounts. These are replaced by external services
"OCIS_RUN_EXTENSIONS": "settings,storage-metadata,graph,graph-explorer,ocs,store,thumbnails,web,webdav,storage-frontend,storage-gateway,storage-userprovider,storage-groupprovider,storage-authbasic,storage-authbearer,storage-authmachine,storage-users,storage-shares,storage-public-link,storage-appprovider,storage-sharing,proxy,nats,ocdav",
"OCIS_LOG_LEVEL": "info",
"OCIS_URL": OCIS_URL,
"PROXY_TLS": "true",
"OCIS_BASE_DATA_PATH": "/mnt/data/ocis",
"OCIS_CONFIG_DIR": "/etc/ocis",
# change default secrets
"OCIS_JWT_SECRET": "Pive-Fumkiu4",
"STORAGE_TRANSFER_SECRET": "replace-me-with-a-transfer-secret",
"OCIS_MACHINE_AUTH_API_KEY": "change-me-please",
"OCIS_INSECURE": "true",
"PROXY_ENABLE_BASIC_AUTH": "true",
"IDM_CREATE_DEMO_USERS": True,
"IDM_ADMIN_PASSWORD": "admin", # override the random admin password from `ocis init`
}
wait_for_ocis = {
"name": "wait-for-ocis-server",
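Review bot: deleting the hardcoded `OCIS_JWT_SECRET`, `STORAGE_TRANSFER_SECRET` and `OCIS_MACHINE_AUTH_API_KEY` values is the point of the PR, but this hunk also silently drops `OCIS_STORAGE_READ_ONLY` together with its TODO pointing at issue 2303; either state in the commit that the conflict is resolved or keep the comment so the tracked problem does not disappear with the setting.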
@@ -1825,6 +1817,7 @@ def ocisServer(storage, accounts_hash_difficulty = 4, volumes = [], depends_on =
"environment": environment,
"user": user,
"commands": [
"ocis/bin/ocis init --insecure true",
"ocis/bin/ocis server",
],
"volumes": volumes,
20 changes: 18 additions & 2 deletions .vscode/launch.json
@@ -19,9 +19,25 @@
"PROXY_ENABLE_BASIC_AUTH": "true",
// set insecure options because we don't have valid certificates in dev environments
"OCIS_INSECURE": "true",
// set some hardcoded secrets
"OCIS_JWT_SECRET": "some-ocis-jwt-secret",
"STORAGE_TRANSFER_SECRET": "some-ocis-transfer-secret",
"OCIS_MACHINE_AUTH_API_KEY": "some-ocis-machine-auth-api-key",
// idm ldap
"IDM_SVC_PASSWORD": "some-ldap-idm-password",
"GRAPH_LDAP_BIND_PASSWORD": "some-ldap-idm-password",
// reva ldap
"IDM_REVASVC_PASSWORD": "some-ldap-reva-password",
"GROUPS_LDAP_BIND_PASSWORD": "some-ldap-reva-password",
"USERS_LDAP_BIND_PASSWORD": "some-ldap-reva-password",
"AUTH_BASIC_LDAP_BIND_PASSWORD": "some-ldap-reva-password",
// idp ldap
"IDM_IDPSVC_PASSWORD": "some-ldap-idp-password",
"IDP_LDAP_BIND_PASSWORD": "some-ldap-idp-password",
// admin user default password
"IDM_ADMIN_PASSWORD": "admin",
// demo users
"ACCOUNTS_DEMO_USERS_AND_GROUPS": "true",
"IDM_CREATE_DEMO_USERS": "true"
"IDM_CREATE_DEMO_USERS": "true",
// OCIS_RUN_EXTENSIONS allows to start a subset of extensions even in the supervised mode
//"OCIS_RUN_EXTENSIONS": "settings,storage-metadata,glauth,graph,graph-explorer,idp,ocs,store,thumbnails,web,webdav,storage-frontend,storage-gateway,storage-userprovider,storage-groupprovider,storage-authbasic,storage-authbearer,storage-authmachine,storage-users,storage-shares,storage-public-link,storage-appprovider,storage-sharing,accounts,proxy,ocdav",
}
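Review bot: the `// set some hardcoded secrets` block commits fixed values such as `some-ocis-jwt-secret` and `admin` to the repository; they are tolerable only because this is a local debug configuration, and the comment should say they must never be copied into a deployment. The LDAP pairs are grouped correctly (`IDM_SVC_PASSWORD` with `GRAPH_LDAP_BIND_PASSWORD`, `IDM_REVASVC_PASSWORD` with the three reva bind passwords, `IDM_IDPSVC_PASSWORD` with `IDP_LDAP_BIND_PASSWORD`), but a note that each pair must stay identical would save the next developer who edits one side from a failing LDAP bind. Also, `"IDM_CREATE_DEMO_USERS": "true",` now carries a trailing comma while the only entry after it is commented out, so the object ends with `,` before `}`; VS Code's JSONC accepts that, strict JSON parsers do not.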
10 changes: 10 additions & 0 deletions changelog/unreleased/change-ocis-init.md
@@ -0,0 +1,10 @@
Change: Introduce `ocis init` and remove all default secrets

We've removed all default secrets. This means you can't start oCIS any longer
without setting these via environment variable or configuration file.

In order to make this easy for you, we introduced a new command: `ocis init`.
You can run this command before starting oCIS with `ocis server` and it will
bootstrap you a configuration file for a secure oCIS instance.

https://github.com/owncloud/ocis/pull/3551
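Review bot: the changelog entry says defaults were removed but not which settings now have to be supplied; naming the variables that no longer have defaults (`OCIS_JWT_SECRET`, `STORAGE_TRANSFER_SECRET`, `OCIS_MACHINE_AUTH_API_KEY`, the IDM/LDAP bind passwords) and mentioning the `--insecure` option used by CI would tell operators upgrading from 1.20.0 why `ocis server` refuses to start and what `ocis init` writes for them.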
19 changes: 5 additions & 14 deletions deployments/examples/ocis_traefik/.env
@@ -2,10 +2,6 @@
# It skips certificate validation for various parts of oCIS and is needed if you use self signed certificates.
INSECURE=true

# The demo users should not be created on a production instance
# because their passwords are public
DEMO_USERS=true

### Traefik settings ###
# Serve Traefik dashboard. Defaults to "false".
TRAEFIK_DASHBOARD=
@@ -21,16 +17,11 @@ TRAEFIK_ACME_MAIL=
OCIS_DOCKER_TAG=
# Domain of oCIS, where you can find the frontend. Defaults to "ocis.owncloud.test"
OCIS_DOMAIN=
# IDP LDAP bind password. Must be changed in order to have a secure oCIS. Defaults to "idp".
IDP_LDAP_BIND_PASSWORD=
# Storage LDAP bind password. Must be changed in order to have a secure oCIS. Defaults to "reva".
STORAGE_LDAP_BIND_PASSWORD=
# JWT secret which is used for the storage provider. Must be changed in order to have a secure oCIS. Defaults to "Pive-Fumkiu4"
OCIS_JWT_SECRET=
# JWT secret which is used for uploads to create transfer tokens. Must be changed in order to have a secure oCIS. Defaults to "replace-me-with-a-transfer-secret"
STORAGE_TRANSFER_SECRET=
# Machine auth api key secret. Must be changed in order to have a secure oCIS. Defaults to "change-me-please"
OCIS_MACHINE_AUTH_API_KEY=
# oCIS admin user password. Defaults to "admin".
ADMIN_PASSWORD=
# The demo users should not be created on a production instance
# because their passwords are public. Defaults to "false".
DEMO_USERS=

# If you want to use debugging and tracing with this stack,
# you need uncomment following line. Please see documentation at
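Review bot: `# oCIS admin user password. Defaults to "admin".` means the compose example replaces the random admin password that `ocis init` just generated with a well-known one unless the operator edits `.env`; that reintroduces exactly the kind of default secret this PR removes elsewhere. Leave the default empty so the generated password stays in effect, or at least carry the same warning the `DEMO_USERS` comment has.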
@@ -1,24 +1,5 @@
#!/bin/sh

set -e

ocis server&
sleep 10

echo "##################################################"
echo "change default secrets:"

# IDP
IDP_USER_UUID=$(ocis accounts list | grep "| Kopano IDP " | egrep '[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}' -o)
echo " IDP user UUID: $IDP_USER_UUID"
ocis accounts update --password $IDP_LDAP_BIND_PASSWORD $IDP_USER_UUID

# REVA
REVA_USER_UUID=$(ocis accounts list | grep " | Reva Inter " | egrep '[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}' -o)
echo " Reva user UUID: $REVA_USER_UUID"
ocis accounts update --password $STORAGE_LDAP_BIND_PASSWORD $REVA_USER_UUID

echo "default secrets changed"
echo "##################################################"

wait # wait for oCIS to exit
ocis init || true # will only initialize once
ocis server
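Review bot: `ocis init || true # will only initialize once` swallows every init failure, not just the "config already exists" case; a permission problem on the config directory or a bad flag would be hidden and `ocis server` would then die on missing secrets with no hint why. Testing for the generated config file instead (`[ -f <generated config> ] || ocis init`, with the real path substituted) keeps the once-only behaviour and still surfaces genuine errors. On the plus side, dropping the `ocis server&` / `sleep 10` dance removes the race where the account updates could run before the server was ready.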
12 changes: 5 additions & 7 deletions deployments/examples/ocis_traefik/docker-compose.yml
@@ -53,21 +53,17 @@ services:
OCIS_URL: https://${OCIS_DOMAIN:-ocis.owncloud.test}
OCIS_LOG_LEVEL: ${OCIS_LOG_LEVEL:-error} # make oCIS less verbose
PROXY_TLS: "false" # do not use SSL between Traefik and oCIS
# change default secrets
IDP_LDAP_BIND_PASSWORD: ${IDP_LDAP_BIND_PASSWORD:-idp}
STORAGE_LDAP_BIND_PASSWORD: ${STORAGE_LDAP_BIND_PASSWORD:-reva}
OCIS_JWT_SECRET: ${OCIS_JWT_SECRET:-Pive-Fumkiu4}
STORAGE_TRANSFER_SECRET: ${STORAGE_TRANSFER_SECRET:-replace-me-with-a-transfer-secret}
OCIS_MACHINE_AUTH_API_KEY: ${OCIS_MACHINE_AUTH_API_KEY:-change-me-please}
# INSECURE: needed if oCIS / Traefik is using self generated certificates
OCIS_INSECURE: "${INSECURE:-false}"
# basic auth (not recommended, but needed for eg. WebDav clients that do not support OpenID Connect)
PROXY_ENABLE_BASIC_AUTH: "${PROXY_ENABLE_BASIC_AUTH:-false}"
# admin user password
IDM_ADMIN_PASSWORD: "${ADMIN_PASSWORD:-admin}" # this overrides the admin password from the configuration file
# demo users
ACCOUNTS_DEMO_USERS_AND_GROUPS: "${DEMO_USERS:-false}" # deprecated, remove after switching to LibreIDM
IDM_CREATE_DEMO_USERS: "${DEMO_USERS:-false}"
volumes:
- ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh
- ocis-config:/etc/ocis
- ocis-data:/var/lib/ocis
labels:
- "traefik.enable=true"
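Review bot: with the `# change default secrets` block gone from the environment, the config generated by `ocis init` in the new `ocis-config` volume (mounted at `/etc/ocis`) becomes the only copy of the JWT, transfer and LDAP secrets; a comment that this volume must be backed up and protected like a credential store, and that deleting it makes the entrypoint generate a fresh, different set of secrets, would spare operators a surprise. The `ACCOUNTS_DEMO_USERS_AND_GROUPS` line is already marked deprecated; consider dropping it now that `IDM_CREATE_DEMO_USERS` carries the same value.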
@@ -82,7 +78,9 @@ services:

volumes:
certs:
ocis-config:
ocis-data:


networks:
ocis-net:
16 changes: 9 additions & 7 deletions docs/extensions/accounts/tests.md
@@ -19,9 +19,10 @@ Make sure you've cloned the [web frontend repo](https://github.com/owncloud/web/
{{< hint info >}}
For now, an IDP configuration file gets generated once and will fail upon changing the oCIS url as done below. To avoid any clashes, remove this file before starting the tests:

```
```bash
rm ~/.ocis/idp/identifier-registration.yaml
```

{{< /hint >}}

### In the web repo
@@ -30,7 +31,7 @@ rm ~/.ocis/idp/identifier-registration.yaml

Install dependencies and bundle the frontend with a watcher by running

```
```bash
yarn && yarn build:w
```

@@ -40,7 +41,7 @@ If you skip the step above, the currently bundled frontend from the oCIS binary

Start the necessary acceptance test services by using Docker (Compose):

```
```bash
docker compose up selenium middleware-ocis vnc
```

@@ -50,21 +51,22 @@ docker compose up selenium middleware-ocis vnc

Navigate into the accounts service via `cd ../accounts/` and install dependencies and build the bundled accounts UI with a watcher by running

```
```bash
yarn && yarn watch
```

#### Start oCIS from binary

Navigate into the oCIS directory inside the oCIS repository and build the oCIS binary by running

```
```bash
make clean build
```

Then, start oCIS from the binary via

```
```bash
./bin/ocis init
OCIS_URL=https://host.docker.internal:9200 OCIS_INSECURE=true PROXY_ENABLE_BASIC_AUTH=true WEB_UI_CONFIG=../../web/dev/docker/ocis.web.config.json ./bin/ocis server
```

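Review bot: `./bin/ocis init` here generates the config without `--insecure`, while the next line passes `OCIS_INSECURE=true` to `./bin/ocis server` through the environment; that only works because environment variables take precedence over the generated file. A one-line remark would stop readers from wondering why CI runs `ocis init --insecure true` instead.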
@@ -78,6 +80,6 @@ If you want visual feedback on the test run, visit http://host.docker.internal:6

Navigate into the accounts service via `cd ../accounts/` and start the acceptance tests by running

```
```bash
SERVER_HOST=https://host.docker.internal:9200 BACKEND_HOST=https://host.docker.internal:9200 RUN_ON_OCIS=true NODE_TLS_REJECT_UNAUTHORIZED=0 WEB_PATH=../../web WEB_UI_CONFIG=../../web/tests/drone/config-ocis.json MIDDLEWARE_HOST=http://host.docker.internal:3000 ./ui/tests/run-acceptance-test.sh ./ui/tests/acceptance/features/
```
16 changes: 9 additions & 7 deletions docs/extensions/settings/tests.md
@@ -19,9 +19,10 @@ Make sure you've cloned the [web frontend repo](https://github.com/owncloud/web/
{{< hint info >}}
For now, an IDP configuration file gets generated once and will fail upon changing the oCIS url as done below. To avoid any clashes, remove this file before starting the tests:

```
```bash
rm ~/.ocis/idp/identifier-registration.yaml
```

{{< /hint >}}

### In the web repo
@@ -30,7 +31,7 @@ rm ~/.ocis/idp/identifier-registration.yaml

Install dependencies and bundle the frontend with a watcher by running

```
```bash
yarn && yarn build:w
```

@@ -40,7 +41,7 @@ If you skip the step above, the currently bundled frontend from the oCIS binary

Start the necessary acceptance test services by using Docker (Compose):

```
```bash
docker compose up selenium middleware-ocis vnc
```

@@ -50,21 +51,22 @@ docker compose up selenium middleware-ocis vnc

Navigate into the settings service via `cd ../settings/` and install dependencies and build the bundled settings UI with a watcher by running

```
```bash
yarn && yarn watch
```

#### Start oCIS from binary

Navigate into the oCIS directory inside the oCIS repository and build the oCIS binary by running

```
```bash
make clean build
```

Then, start oCIS from the binary via

```
```bash
ocis init
OCIS_URL=https://host.docker.internal:9200 OCIS_INSECURE=true PROXY_ENABLE_BASIC_AUTH=true WEB_UI_CONFIG=../../web/dev/docker/ocis.web.config.json ./bin/ocis server
```

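Review bot: `ocis init` in this block invokes whatever `ocis` is on `PATH`, while the next line runs the freshly built `./bin/ocis server`; the accounts document uses `./bin/ocis init`. Use `./bin/ocis init` here as well so the config is generated by the same binary that then starts the server.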
@@ -78,6 +80,6 @@ If you want visual feedback on the test run, visit http://host.docker.internal:6

Navigate into the settings service via `cd ../settings/` and start the acceptance tests by running

```
```bash
SERVER_HOST=https://host.docker.internal:9200 BACKEND_HOST=https://host.docker.internal:9200 RUN_ON_OCIS=true NODE_TLS_REJECT_UNAUTHORIZED=0 WEB_PATH=../../web WEB_UI_CONFIG=../../web/tests/drone/config-ocis.json MIDDLEWARE_HOST=http://host.docker.internal:3000 ./ui/tests/run-acceptance-test.sh ./ui/tests/acceptance/features/
```
5 changes: 1 addition & 4 deletions docs/helpers/example-config-generator.go.tmpl
@@ -22,9 +22,7 @@ func main() {
{{- range $key, $value := .}}
replacer.Replace("{{$value}}"): func() string {
fmt.Println("Generating example YAML config for {{ $value -}}")
c := pkg{{$key}}.DefaultConfig()
pkg{{$key}}.EnsureDefaults(c)
pkg{{$key}}.Sanitize(c)
c := pkg{{$key}}.FullDefaultConfig()
yml, err := yaml.Marshal(c)
if err != nil {
log.Fatalf("Marshalling yaml for pkg0 failed: %s\n", err)
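Review bot: `log.Fatalf("Marshalling yaml for pkg0 failed: %s\n", err)` hardcodes `pkg0` inside a `range` over every extension, so a failure is reported against the wrong package; use `pkg{{$key}}` (or `{{ $value }}`) in the message. Also worth confirming that `FullDefaultConfig()` leaves the former secret fields empty rather than carrying placeholder values, since the removed `EnsureDefaults`/`Sanitize` calls no longer run before the example YAML is rendered.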
@@ -50,4 +48,3 @@ func main() {
}
}
}

37 changes: 3 additions & 34 deletions docs/ocis/deployment/_index.md
@@ -27,38 +27,7 @@ oCIS deployments are super simple, yet there are many configurations possible fo

## Secure an oCIS instance

### Change default secrets
oCIS uses two system users which are needed for being operational:
- Reva Inter Operability Platform (bc596f3c-c955-4328-80a0-60d018b4ad57)
- Kopano IDP (820ba2a1-3f54-4538-80a4-2d73007e30bf)
oCIS no longer has any default secrets in versions later than oCIS 1.20.0. Therefore you're no
longer able to start oCIS without generating / setting all needed secrets.

Both have simple default passwords which need to be changed. Currently, changing a password is only possible on the command line. You need to run `ocis accounts update --password <new-password> <id>` for both users.

The new password for the Reva Inter Operability Platform user must be made available to oCIS by using the environment variable `STORAGE_LDAP_BIND_PASSWORD`. The same applies to the new Kopano IDP user password, which needs to be made available to oCIS in `IDP_LDAP_BIND_PASSWORD`.

Furthermore, oCIS uses a shared secret to sign JWT tokens for inter service authorization, which also needs to be changed by the user.
You can change it by setting the `OCIS_JWT_SECRET` environment variable for oCIS to a random string.

Another is used secret for singing JWT tokens for uploads and downloads, which also needs to be changed by the user.
You can change it by setting the `STORAGE_TRANSFER_SECRET` environment variable for oCIS to a random string.

One more secret is used for machine auth, so that external applications can authenticate with an API key.
You can change it by setting the `OCIS_MACHINE_AUTH_API_KEY` environment variable for oCIS to a random string.

### Delete demo users

{{< hint info >}}
Before deleting the demo users mentioned below, you must create a new account for yourself and assign it to the administrator role.

By default, oCIS doesn't create any demo users. During the first startup, it generates only the admin and one user for IDP and Reva respectively.
{{< /hint >}}

oCIS ships with a few demo users besides the system users:
- Admin (ddc2004c-0977-11eb-9d3f-a793888cd0f8)
- Albert Einstein (4c510ada-c86b-4815-8820-42cdf82c3d51)
- Richard Feynman (932b4540-8d16-481e-8ef4-588e4b6b151c)
- Maurice Moss (058bff95-6708-4fe5-91e4-9ea3d377588b)
- Marie Curie (f7fbf8c8-139b-4376-b307-cf0a8c2d0d9c)

You can view them in ownCloud Web if you log in as Admin user or list them by running `ocis accounts list`.
After adding your own user it is safe to delete the demo users in the web UI or with the command `ocis accounts remove <id>`. Please do not delete the system users (see [change default secrets]({{< ref "./#change-default-secrets" >}})) or oCIS will not function properly anymore.
The recommended way is to use `ocis init` for that. It will generate a secure config file for you.
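Review bot: the new three-line section drops the only place in the docs that warned that demo user passwords are public and that the system users must not be deleted, while the compose example still offers `DEMO_USERS`; keep a short "demo users" note so that guidance does not vanish. The replacement text should also say what `ocis init` writes and into which directory (the compose example mounts `/etc/ocis`, CI sets `OCIS_CONFIG_DIR`), since that file now holds every secret and operators need to know what to back up; the sentence split after "you're no" also reads oddly in the rendered page.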