Merge pull request #2335 from owncloud/document_transfer_secret

[docs-only] document storage transfer token

deployments/examples/cs3_users_ocis/.env

@@ -19,6 +19,8 @@ OCIS_DOCKER_TAG=
 OCIS_DOMAIN=
 # JWT secret which is used for the storage provider. Must be changed in order to have a secure oCIS. Defaults to "Pive-Fumkiu4"
 OCIS_JWT_SECRET=
+# JWT secret which is used for uploads to create transfer tokens. Must be changed in order to have a secure oCIS. Defaults to "replace-me-with-a-transfer-secret"
+OCIS_TRANSFER_SECRET=
 
 
 ### LDAP server settings ###

deployments/examples/cs3_users_ocis/docker-compose.yml

@@ -77,6 +77,7 @@ services:
       PROXY_TLS: "false" # do not use SSL between Traefik and oCIS
       # change default secrets
       OCIS_JWT_SECRET: ${OCIS_JWT_SECRET:-Pive-Fumkiu4}
+      OCIS_TRANSFER_SECRET: ${STORAGE_TRANSFER_SECRET:-replace-me-with-a-transfer-secret}
     volumes:
       - ./config/ocis/proxy-config.json:/config/proxy-config.json
       - ocis-data:/var/tmp/ocis

deployments/examples/ocis_hello/.env

@@ -23,6 +23,8 @@ IDP_LDAP_BIND_PASSWORD=
 STORAGE_LDAP_BIND_PASSWORD=
 # JWT secret which is used for the storage provider. Must be changed in order to have a secure oCIS. Defaults to "Pive-Fumkiu4"
 OCIS_JWT_SECRET=
+# JWT secret which is used for uploads to create transfer tokens. Must be changed in order to have a secure oCIS. Defaults to "replace-me-with-a-transfer-secret"
+OCIS_TRANSFER_SECRET=
 
 ### oCIS Hello settings ###
 # oCIS Hello version. Defaults to "latest"

deployments/examples/ocis_hello/docker-compose.yml

@@ -59,6 +59,7 @@ services:
       IDP_LDAP_BIND_PASSWORD: ${IDP_LDAP_BIND_PASSWORD:-idp}
       STORAGE_LDAP_BIND_PASSWORD: ${STORAGE_LDAP_BIND_PASSWORD:-reva}
       OCIS_JWT_SECRET: ${OCIS_JWT_SECRET:-Pive-Fumkiu4}
+      OCIS_TRANSFER_SECRET: ${STORAGE_TRANSFER_SECRET:-replace-me-with-a-transfer-secret}
       # web ui
       WEB_UI_CONFIG: "/config/config.json"
       # proxy

deployments/examples/ocis_keycloak/.env

@@ -25,6 +25,8 @@ IDP_LDAP_BIND_PASSWORD=
 STORAGE_LDAP_BIND_PASSWORD=
 # JWT secret which is used for the storage provider. Must be changed in order to have a secure oCIS. Defaults to "Pive-Fumkiu4"
 OCIS_JWT_SECRET=
+# JWT secret which is used for uploads to create transfer tokens. Must be changed in order to have a secure oCIS. Defaults to "replace-me-with-a-transfer-secret"
+OCIS_TRANSFER_SECRET=
 
 ### Keycloak ###
 # Domain of Keycloak, where you can find the managment and authentication frontend. Defaults to "keycloak.owncloud.test"

deployments/examples/ocis_keycloak/docker-compose.yml

@@ -68,6 +68,7 @@ services:
       IDP_LDAP_BIND_PASSWORD: ${IDP_LDAP_BIND_PASSWORD:-idp}
       STORAGE_LDAP_BIND_PASSWORD: ${STORAGE_LDAP_BIND_PASSWORD:-reva}
       OCIS_JWT_SECRET: ${OCIS_JWT_SECRET:-Pive-Fumkiu4}
+      OCIS_TRANSFER_SECRET: ${STORAGE_TRANSFER_SECRET:-replace-me-with-a-transfer-secret}
     volumes:
       - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh
       - ocis-data:/var/tmp/ocis

deployments/examples/ocis_s3/.env

@@ -23,6 +23,8 @@ IDP_LDAP_BIND_PASSWORD=
 STORAGE_LDAP_BIND_PASSWORD=
 # JWT secret which is used for the storage provider. Must be changed in order to have a secure oCIS. Defaults to "Pive-Fumkiu4"
 OCIS_JWT_SECRET=
+# JWT secret which is used for uploads to create transfer tokens. Must be changed in order to have a secure oCIS. Defaults to "replace-me-with-a-transfer-secret"
+OCIS_TRANSFER_SECRET=
 
 ### MINIO / S3 settings ###
 # Domain of MinIO where the Web UI is accessible. Defaults to "minio.owncloud.test".

deployments/examples/ocis_s3/docker-compose.yml

@@ -58,6 +58,7 @@ services:
       IDP_LDAP_BIND_PASSWORD: ${IDP_LDAP_BIND_PASSWORD:-idp}
       STORAGE_LDAP_BIND_PASSWORD: ${STORAGE_LDAP_BIND_PASSWORD:-reva}
       OCIS_JWT_SECRET: ${OCIS_JWT_SECRET:-Pive-Fumkiu4}
+      OCIS_TRANSFER_SECRET: ${STORAGE_TRANSFER_SECRET:-replace-me-with-a-transfer-secret}
       # activate s3ng storage driver
       STORAGE_HOME_DRIVER: s3ng
       STORAGE_USERS_DRIVER: s3ng

deployments/examples/ocis_traefik/.env

@@ -23,6 +23,8 @@ IDP_LDAP_BIND_PASSWORD=
 STORAGE_LDAP_BIND_PASSWORD=
 # JWT secret which is used for the storage provider. Must be changed in order to have a secure oCIS. Defaults to "Pive-Fumkiu4"
 OCIS_JWT_SECRET=
+# JWT secret which is used for uploads to create transfer tokens. Must be changed in order to have a secure oCIS. Defaults to "replace-me-with-a-transfer-secret"
+OCIS_TRANSFER_SECRET=
 
 # If you want to use debugging and tracing with this stack,
 # you need uncomment following line. Please see documentation at

deployments/examples/ocis_traefik/docker-compose.yml

@@ -58,6 +58,7 @@ services:
       IDP_LDAP_BIND_PASSWORD: ${IDP_LDAP_BIND_PASSWORD:-idp}
       STORAGE_LDAP_BIND_PASSWORD: ${STORAGE_LDAP_BIND_PASSWORD:-reva}
       OCIS_JWT_SECRET: ${OCIS_JWT_SECRET:-Pive-Fumkiu4}
+      OCIS_TRANSFER_SECRET: ${STORAGE_TRANSFER_SECRET:-replace-me-with-a-transfer-secret}
     volumes:
       - ./config/ocis/entrypoint-override.sh:/entrypoint-override.sh
       - ocis-data:/var/tmp/ocis

deployments/examples/ocis_wopi/.env

@@ -23,6 +23,8 @@ IDP_LDAP_BIND_PASSWORD=
 STORAGE_LDAP_BIND_PASSWORD=
 # JWT secret which is used for the storage provider. Must be changed in order to have a secure oCIS. Defaults to "Pive-Fumkiu4"
 OCIS_JWT_SECRET=
+# JWT secret which is used for uploads to create transfer tokens. Must be changed in order to have a secure oCIS. Defaults to "replace-me-with-a-transfer-secret"
+OCIS_TRANSFER_SECRET=
 
 ### Wopi server settings ###
 # oCIS Wopi server version. Defaults to "latest"

deployments/examples/ocis_wopi/docker-compose.yml

@@ -61,6 +61,7 @@ services:
       IDP_LDAP_BIND_PASSWORD: ${IDP_LDAP_BIND_PASSWORD:-idp}
       STORAGE_LDAP_BIND_PASSWORD: ${STORAGE_LDAP_BIND_PASSWORD:-reva}
       OCIS_JWT_SECRET: ${OCIS_JWT_SECRET:-Pive-Fumkiu4}
+      OCIS_TRANSFER_SECRET: ${STORAGE_TRANSFER_SECRET:-replace-me-with-a-transfer-secret}
       # web ui
       WEB_UI_CONFIG: "/config/config.json"
       # proxy

docs/ocis/deployment/_index.md

@@ -36,6 +36,9 @@ The new password for the Reva Inter Operability Platform user must be made avail
 Furthermore, oCIS uses a shared secret to sign JWT tokens for inter service authorization, which also needs to be changed by the user.
 You can change it by setting the `OCIS_JWT_SECRET` environment variable for oCIS to a random string.
 
+Another is used secret for singing JWT tokens for uploads and downloads, which also needs to be changed by the user.
+You can change it by setting the `STORAGE_TRANSFER_SECRET` environment variable for oCIS to a random string.
+
 ### Delete demo users
 
 {{< hint info >}}

docs/ocis/deployment/ocis_hello.md

@@ -73,6 +73,8 @@ See also [example server setup]({{< ref "preparing_server" >}})
       STORAGE_LDAP_BIND_PASSWORD=
       # JWT secret which is used for the storage provider. Must be changed in order to have a secure oCIS. Defaults to "Pive-Fumkiu4"
       OCIS_JWT_SECRET=
+      # JWT secret which is used for uploads to create transfer tokens. Must be changed in order to have a secure oCIS. Defaults to "replace-me-with-a-transfer-secret"
+      OCIS_TRANSFER_SECRET=
 
       ### oCIS Hello settings ###
       # oCIS Hello version. Defaults to "latest"

docs/ocis/deployment/ocis_keycloak.md

@@ -76,6 +76,8 @@ See also [example server setup]({{< ref "preparing_server" >}})
   STORAGE_LDAP_BIND_PASSWORD=
   # JWT secret which is used for the storage provider. Must be changed in order to have a secure oCIS. Defaults to "Pive-Fumkiu4"
   OCIS_JWT_SECRET=
+  # JWT secret which is used for uploads to create transfer tokens. Must be changed in order to have a secure oCIS. Defaults to "replace-me-with-a-transfer-secret"
+  OCIS_TRANSFER_SECRET=
 
   ### Keycloak ###
   # Domain of Keycloak, where you can find the management and authentication frontend. Defaults to "keycloak.owncloud.test"
@@ -137,4 +139,4 @@ After that you're ready to start the application stack:
 
 Open https://keycloak.owncloud.test in your browser and accept the invalid certificate warning.
 
-Open https://ocis.owncloud.test in your browser and accept the invalid certificate warning. You now can login to oCIS with the demo users.
+Open https://ocis.owncloud.test in your browser and accept the invalid certificate warning. You now can login to oCIS with the demo users.

docs/ocis/deployment/ocis_s3.md

@@ -75,6 +75,8 @@ See also [example server setup]({{< ref "preparing_server" >}})
       STORAGE_LDAP_BIND_PASSWORD=
       # JWT secret which is used for the storage provider. Must be changed in order to have a secure oCIS. Defaults to "Pive-Fumkiu4"
       OCIS_JWT_SECRET=
+      # JWT secret which is used for uploads to create transfer tokens. Must be changed in order to have a secure oCIS. Defaults to "replace-me-with-a-transfer-secret"
+      OCIS_TRANSFER_SECRET=
 
       ### MINIO / S3 settings ###
       # Domain of MinIO where the Web UI is accessible. Defaults to "minio.owncloud.test".

docs/ocis/deployment/ocis_traefik.md

@@ -70,6 +70,8 @@ See also [example server setup]({{< ref "preparing_server" >}})
   STORAGE_LDAP_BIND_PASSWORD=
   # JWT secret which is used for the storage provider. Must be changed in order to have a secure oCIS. Defaults to "Pive-Fumkiu4"
   OCIS_JWT_SECRET=
+  # JWT secret which is used for uploads to create transfer tokens. Must be changed in order to have a secure oCIS. Defaults to "replace-me-with-a-transfer-secret"
+  OCIS_TRANSFER_SECRET=
   ```
 
   You are installing oCIS on a server and Traefik will obtain valid certificates for you so please remove `INSECURE=true` or set it to `false`.

docs/ocis/deployment/ocis_wopi.md

@@ -78,6 +78,8 @@ See also [example server setup]({{< ref "preparing_server" >}})
     STORAGE_LDAP_BIND_PASSWORD=
     # JWT secret which is used for the storage provider. Must be changed in order to have a secure oCIS. Defaults to "Pive-Fumkiu4"
     OCIS_JWT_SECRET=
+    # JWT secret which is used for uploads to create transfer tokens. Must be changed in order to have a secure oCIS. Defaults to "replace-me-with-a-transfer-secret"
+    OCIS_TRANSFER_SECRET=
 
     ### Wopi server settings ###
     # oCIS Wopi server version. Defaults to "latest"