Skip to main content

General Information

Abstract

The ocs service (open collaboration services) serves one purpose: it has an endpoint for signing keys which the web frontend accesses when uploading data.

Table of Contents

Signing-Keys Endpoint

The ocs service contains an endpoint /cloud/user/signing-key on which a user can GET a signing key. Note, this functionality might be deprecated or moved in the future.

Signing-Keys Store

To authenticate presigned URLs the proxy service needs to read the signing keys from a store that is populated by the ocs service. Possible stores that can be configured via OCS_PRESIGNEDURL_SIGNING_KEYS_STORE are:

  • nats-js-kv: Stores data using key-value-store feature of nats jetstream
  • redis-sentinel: Stores data in a configured Redis Sentinel cluster.
  • opencloudstoreservice: Stores data in the legacy OpenCloud store service. Requires setting OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_NODES to eu.opencloud.api.store.

The memory store cannot be used as it does not share the memory from the ocs service signing key memory store, even in a single process.

Make sure to configure the same store in the proxy service.

Store specific notes:

  • When using redis-sentinel, the Redis master to use is configured via e.g. OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_NODES in the form of <sentinel-host>:<sentinel-port>/<redis-master> like 10.10.0.200:26379/mymaster.
  • When using nats-js-kv it is recommended to set PROXY_PRESIGNEDURL_SIGNING_KEYS_STORE_NODES to the same value as OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_NODES. That way the proxy uses the same nats instance as the ocs service.
  • When using opencloudstoreservice the OCS_PRESIGNEDURL_SIGNING_KEYS_STORE_NODES must be set to the service name eu.opencloud.api.store. It does not support TTL and stores the presigning keys indefinitely. Also, the store service needs to be started.