OCS Service
The ocs service (open collaboration services) serves one purpose: it has an endpoint for signing keys which the web frontend accesses when uploading data.
Signing-Keys Endpoint
The ocs service contains an endpoint /cloud/user/signing-key on which a user can GET a signing key. Note, this functionality might be deprecated or moved in the future.
Signing-Keys Store
To authenticate presigned URLs the proxy service needs to read the signing keys from a store that is populated by the ocs service.
Possible stores that can be configured via OCS_PRESIGNEDURL_SIGNING_KEYS_STORE are:
nats-js-kv: Stores data using key-value-store feature of nats jetstreamredis-sentinel: Stores data in a configured Redis Sentinel cluster.ocisstoreservice: Stores data in the legacy ocis store service. Requires settingOCS_PRESIGNEDURL_SIGNING_KEYS_STORE_NODEStocom.owncloud.api.store.
The memory store cannot be used as it does not share the memory from the ocs service signing key memory store, even in a single process.
Make sure to configure the same store in the proxy service.
Store specific notes:
- When using
redis-sentinel, the Redis master to use is configured via e.g.OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_NODESin the form of<sentinel-host>:<sentinel-port>/<redis-master>like10.10.0.200:26379/mymaster. - When using
nats-js-kvit is recommended to setPROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_NODESto the same value asOCS_PRESIGNEDURL_SIGNING_KEYS_STORE_NODES. That way the proxy uses the same nats instance as the ocs service. - When using
ocisstoreservicetheOCS_PRESIGNEDURL_SIGNING_KEYS_STORE_NODESmust be set to the service namecom.owncloud.api.store. It does not support TTL and stores the presigning keys indefinitely. Also, the store service needs to be started.