Ocis & onlyoffice - PermissionDenied

Hello,

I use the daily version of oCIS with OnlyOffice (Docker).

But i can’t use onlyoffice to open a word document.

The log file contains the following lines:

{"level":"warn","service":"gateway","pkg":"rgrpc","traceid":"00000000000000000000000000000000","error":"error parsing token: token contains an invalid number of segments","time":"2023-03-15T15:07:05.125331188+01:00","message":"access token is invalid"}
{"level":"error","service":"gateway","pkg":"rgrpc","traceid":"00000000000000000000000000000000","user-agent":"grpc-go/1.53.0","from":"tcp://127.0.0.1:36440","uri":"/cs3.storage.registry.v1beta1.RegistryAPI/ListStorageProviders","start":"15/Mar/2023:15:07:05 +0100","end":"15/Mar/2023:15:07:05 +0100","time_ns":178704,"code":"PermissionDenied","time":"2023-03-15T15:07:05.125486858+01:00","message":"unary"}

Which token is the problem?

docker-compose ps

Name                             Command               State                                         Ports                                       
----------------------------------------------------------------------------------------------------------------------------------------------------------------
ocis_ocis-appprovider-onlyoffice_1   /bin/sh /entrypoint-overri ...   Up      9200/tcp                                                                          
ocis_ocis_1                          /bin/sh -c ocis init || tr ...   Up      9200/tcp                                                                          
ocis_onlyoffice_1                    /app/ds/run-document-server.sh   Up      443/tcp, 80/tcp                                                                   
ocis_tika_1                          /bin/sh -c exec java -cp " ...   Up      9998/tcp                                                                          
ocis_wopiserver_1                    /bin/sh /entrypoint-overri ...   Up                                                                                        
traefik_web                          /entrypoint.sh traefik           Up      192.168.x.x:443->443/tcp, 192.168.x.x:80->80/tcp, 192.168.x.x:8080->8080/tcp

docker-compose.yml

---
version: "3.9"

services:
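  # oCIS server. Traefik sits in front of it and forwards plain HTTP to port 9200
  # (PROXY_TLS is "false" below).
  ocis:
    image: owncloud/ocis:${OCIS_DOCKER_TAG:-latest}
    # NOTE(review): the server process runs as root inside the container and no reason
    # for that is visible in this file; confirm whether an unprivileged user that owns
    # the two bind-mounted directories below would be enough.
    user: root
    networks:
      - "traefik-nw"
    logging:
      driver: json-file
      options:
        max-file: "10"
        max-size: "50m"
    entrypoint:
      - /bin/sh
    # "|| true" ignores a failing "ocis init" (presumably because init fails once a
    # config already exists), so the server starts either way.
    command:
      - "-c"
      - "ocis init || true; ocis server"
    # The original listing had two "environment:" keys in this service. Duplicate mapping
    # keys are invalid YAML; parsers that tolerate them keep only the last one, which
    # silently dropped TZ. Both mappings are merged here.
    environment:
      TZ: "Europe/Berlin"
      OCIS_EVENTS_ENABLE_TLS: "false"
      OCIS_URL: "https://${OCIS_DOMAIN:-ocis.owncloud.test}"
      OCIS_LOG_LEVEL: "${OCIS_LOG_LEVEL:-error}"  # make oCIS less verbose
      OCIS_LOG_FILE: "/etc/ocis/ocis.log"
      # The fallback after ":-" is used whenever WOPI_JWT_SECRET is unset. That literal is
      # published together with this file, so it protects nothing: set WOPI_JWT_SECRET to a
      # long random value in the environment / .env file. The same variable also feeds the
      # app provider and the WOPI server in this file, so one value covers all of them.
      OCIS_JWT_SECRET: "${WOPI_JWT_SECRET:-LoremIpsum567fhrthzghdf}"
      # NOTE(review): literal value. If "API_KEY" is not just a redaction for the post,
      # replace it with a random secret kept out of the compose file.
      OCIS_MACHINE_AUTH_API_KEY: "API_KEY"
      PROXY_TLS: "false"  # do not use SSL between Traefik and oCIS
      # Listening on all interfaces makes the REVA gateway reachable by the app drivers and
      # by every other container attached to traefik-nw, which is declared as an external
      # (shared) network at the bottom of this file.
      GATEWAY_GRPC_ADDR: "0.0.0.0:9142"
      OCIS_INSECURE: "${INSECURE:-false}"
      # basic auth (not recommended, but needed for eg. WebDav clients that do not support
      # OpenID Connect)
      PROXY_ENABLE_BASIC_AUTH: "${PROXY_ENABLE_BASIC_AUTH:-false}"
      # Admin user password; this overrides the admin password from the configuration file.
      # With ADMIN_PASSWORD unset the password is "admin", so set the variable before the
      # instance is reachable from anywhere but a test network.
      IDM_ADMIN_PASSWORD: "${ADMIN_PASSWORD:-admin}"
      # demo users
      IDM_CREATE_DEMO_USERS: "${DEMO_USERS:-false}"
      NOTIFICATIONS_SMTP_HOST: "192.168.x.x"
      NOTIFICATIONS_SMTP_PORT: "25"
      NOTIFICATIONS_SMTP_SENDER: "oCIS <noreply@DOMAIN>"
      NOTIFICATIONS_SMTP_ENCRYPTION: "tls"
      # "false": insecure SMTP connections stay disallowed (a mail catcher with a
      # self-signed certificate would need "true").
      NOTIFICATIONS_SMTP_INSECURE: "false"
      # fulltext search
      SEARCH_EXTRACTOR_TYPE: "tika"
      SEARCH_EXTRACTOR_TIKA_TIKA_URL: "http://tika:9998"
    volumes:
      # Config and data live in host directories next to this compose file, not in the
      # named volumes declared at the bottom of the file.
      - "./ocis-config:/etc/ocis"
      - "./ocis-data:/var/lib/ocis"
      # Host CA bundle and clock settings, read-only.
      - "/etc/ssl/certs:/etc/ssl/certs:ro"
      - "/usr/share/ca-certificates:/usr/share/ca-certificates:ro"
      - "/usr/local/share/ca-certificates:/usr/local/share/ca-certificates:ro"
      - "/etc/localtime:/etc/localtime:ro"
      - "/etc/timezone:/etc/timezone:ro"
    labels:
      - "traefik.enable=true"
      # NOTE(review): this router serves oCIS on the plain "http" entrypoint. Unless that
      # entrypoint redirects to https in traefik.yml (not shown), logins and tokens can
      # cross the network unencrypted — confirm.
      - "traefik.http.routers.ocis.entrypoints=http"
      - "traefik.http.routers.ocis.rule=Host(`${OCIS_DOMAIN:-ocis.owncloud.test}`,`DOMAIN1`)"
      - "traefik.http.routers.ocis.service=ocis"
      - "traefik.http.services.ocis.loadbalancer.server.port=9200"
      - "traefik.http.routers.ocis-ssl.entrypoints=https"
      - "traefik.http.routers.ocis-ssl.rule=Host(`${OCIS_DOMAIN:-ocis.owncloud.test}`,`DOMAIN1`)"
      - "traefik.http.routers.ocis-ssl.tls=true"
      - "traefik.http.routers.ocis-ssl.service=ocis-ssl"
      - "traefik.http.services.ocis-ssl.loadbalancer.server.port=9200"
      # Tell Traefik which Docker network to use to reach this container.
      - "traefik.docker.network=traefik-nw"
    restart: always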

  # Reverse proxy. Publishes 80/443/8080 on one host address and discovers the other
  # services through their Docker labels.
  traefik:
    # NOTE(review): "latest" is a moving tag, so a pull can change the proxy version
    # without any change to this file; a pinned version makes upgrades deliberate.
    image: "traefik:latest"
    container_name: traefik_web
    hostname: traefik
    restart: always
    networks:
      - "traefik-nw"
    ports:
      - "192.168.x.x:80:80"
      - "192.168.x.x:443:443"
      # NOTE(review): what answers on 8080 depends on traefik.yml (not shown). If the API
      # is enabled in insecure mode there, the dashboard is served on this port without
      # authentication — confirm, or drop the mapping.
      - "192.168.x.x:8080:8080"
    environment:
      TZ: "Europe/Berlin"
    volumes:
      # ":ro" only protects the socket file itself. Requests sent through the socket are
      # not restricted by it, so this container still has full access to the Docker API;
      # a filtering socket proxy is the usual way to narrow that.
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./data/conf/traefik.yml:/etc/traefik/traefik.yml:ro"
      - "./data/conf/dynamic:/etc/traefik/dynamic:ro"
      - "/etc/ssl/certs:/etc/ssl/certs:ro"
      - "/usr/share/ca-certificates:/usr/share/ca-certificates:ro"
      - "/usr/local/share/ca-certificates:/usr/local/share/ca-certificates:ro"
      - "./certs:/etc/traefik/certs:ro"
      - "/etc/localtime:/etc/localtime:ro"
      - "/etc/timezone:/etc/timezone:ro"
    security_opt:
      - "no-new-privileges:true"
    logging:
      driver: json-file
      options:
        max-file: "10"
        max-size: "50m"
    labels:
      - "com.centurylinklabs.watchtower.enable=true"
      - "traefik.enable=true"
      # Dashboard/API router. No authentication middleware is attached in these labels;
      # unless the dynamic configuration (not shown) adds one, anyone who can reach
      # traefik.DOMAIN1 can open the dashboard — confirm.
      - "traefik.http.routers.traefik.entrypoints=https"
      - "traefik.http.routers.traefik.rule=Host(`traefik.DOMAIN1`)"
      - "traefik.http.routers.traefik.tls=true"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.services.traefik.loadbalancer.server.port=80"
      - "traefik.http.services.traefik.loadbalancer.sticky.cookie.httpOnly=true"
      - "traefik.http.services.traefik.loadbalancer.sticky.cookie.secure=true"
      - "traefik.docker.network=traefik-nw"

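  # oCIS app provider that registers OnlyOffice as a WOPI application with the REVA
  # gateway of the ocis service.
  ocis-appprovider-onlyoffice:
    image: owncloud/ocis:${OCIS_DOCKER_TAG:-latest}
    networks:
      - "traefik-nw"
    user: "0"  # needed for apk add in entrypoint script
    entrypoint:
      - /bin/sh
      - /entrypoint-override.sh
    #command: app-provider server
    environment:
      REVA_GATEWAY: "${REVA_GATEWAY:-ocis:9142}"
      APP_PROVIDER_GRPC_ADDR: "0.0.0.0:9164"
      APP_PROVIDER_EXTERNAL_ADDR: "ocis-appprovider-onlyoffice:9164"
      # Must resolve to the same value as OCIS_JWT_SECRET in the ocis service. The fallback
      # after ":-" is a published literal, not a secret: set WOPI_JWT_SECRET explicitly.
      APP_PROVIDER_JWT_SECRET: "${WOPI_JWT_SECRET:-LoremIpsum567fhrthzghdf}"
      APP_PROVIDER_DRIVER: "wopi"
      APP_PROVIDER_WOPI_APP_NAME: "OnlyOffice"
      APP_PROVIDER_WOPI_APP_ICON_URI: "https://${ONLYOFFICE_DOMAIN:-onlyoffice.owncloud.test}/web-apps/apps/documenteditor/main/resources/img/favicon.ico"
      APP_PROVIDER_WOPI_APP_URL: "https://${ONLYOFFICE_DOMAIN:-onlyoffice.owncloud.test}"
      APP_PROVIDER_WOPI_INSECURE: "${INSECURE:-false}"
      APP_PROVIDER_WOPI_WOPI_SERVER_EXTERNAL_URL: "https://${WOPISERVER_DOMAIN:-wopiserver.owncloud.test}"
      # Shared secret towards the WOPI server; same variable and same fallback as above.
      APP_PROVIDER_WOPI_WOPI_SERVER_IOP_SECRET: "${WOPI_JWT_SECRET:-LoremIpsum567fhrthzghdf}"
      APP_PROVIDER_WOPI_FOLDER_URL_BASE_URL: "https://${OCIS_DOMAIN:-ocis.owncloud.test}"
    volumes:
      # The script is executed as root by the entrypoint above.
      - "./config/ocis-appprovider-onlyoffice/entrypoint-override.sh:/entrypoint-override.sh"
      # Same host directory that the ocis service mounts at /etc/ocis. The original entry
      # was the named volume "ocis-config", which is a separate volume from that bind
      # mount, so this container never saw the configuration written by "ocis init".
      # NOTE(review): whether that mismatch is what produces the PermissionDenied /
      # invalid-token log lines cannot be told from the post alone — verify after the change.
      - "./ocis-config:/etc/ocis"
    logging:
      driver: json-file
      options:
        max-file: "10"
        max-size: "50m"
    restart: always
    depends_on:
      - onlyoffice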

  # CS3 WOPI server, published through Traefik on the https entrypoint.
  wopiserver:
    image: "cs3org/wopiserver:${WOPISERVER_DOCKER_TAG:-v9.4.0}"
    restart: always
    networks:
      - "traefik-nw"
    entrypoint:
      - /bin/sh
      - /entrypoint-override.sh
    environment:
      WOPISERVER_INSECURE: "${INSECURE:-false}"
      # Same variable as the JWT / IOP secrets of the other services in this file. When
      # WOPI_JWT_SECRET is unset the published fallback literal is used, which is not a
      # secret: set the variable to a long random value.
      WOPISECRET: "${WOPI_JWT_SECRET:-LoremIpsum567fhrthzghdf}"
      WOPISERVER_DOMAIN: "${WOPISERVER_DOMAIN:-wopiserver.owncloud.test}"
    volumes:
      - "./config/wopiserver/entrypoint-override.sh:/entrypoint-override.sh"
      - "./config/wopiserver/wopiserver.conf.dist:/etc/wopi/wopiserver.conf.dist"
      - "wopi-recovery:/var/spool/wopirecovery"
      # Host CA bundle and clock settings, read-only.
      - "/etc/ssl/certs:/etc/ssl/certs:ro"
      - "/usr/share/ca-certificates:/usr/share/ca-certificates:ro"
      - "/usr/local/share/ca-certificates:/usr/local/share/ca-certificates:ro"
      - "/etc/localtime:/etc/localtime:ro"
      - "/etc/timezone:/etc/timezone:ro"
    logging:
      driver: json-file
      options:
        max-file: "10"
        max-size: "50m"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.wopiserver.entrypoints=https"
      - "traefik.http.routers.wopiserver.rule=Host(`${WOPISERVER_DOMAIN:-wopiserver.owncloud.test}`)"
      # Expects a certificate resolver named "http" in the Traefik static configuration
      # (not shown on this page).
      - "traefik.http.routers.wopiserver.tls.certresolver=http"
      - "traefik.http.routers.wopiserver.service=wopiserver"
      - "traefik.http.services.wopiserver.loadbalancer.server.port=8880"
      # Add Traefik to the proxy network.
      - "traefik.docker.network=traefik-nw"

  # OnlyOffice document server with WOPI enabled, published through Traefik.
  onlyoffice:
    image: "onlyoffice/documentserver:7.3.0"
    restart: always
    networks:
      - "traefik-nw"
    environment:
      WOPI_ENABLED: "true"
      # Follows INSECURE and is meant for self-signed certificates. With the default
      # "false" the setting stays off; turning INSECURE on relaxes this check together
      # with the INSECURE-driven settings of the other services in this file.
      USE_UNAUTHORIZED_STORAGE: "${INSECURE:-false}"
    logging:
      driver: json-file
      options:
        max-file: "10"
        max-size: "50m"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.onlyoffice.entrypoints=https"
      - "traefik.http.routers.onlyoffice.rule=Host(`${ONLYOFFICE_DOMAIN:-onlyoffice.owncloud.test}`)"
      # Expects a certificate resolver named "http" in the Traefik static configuration
      # (not shown on this page).
      - "traefik.http.routers.onlyoffice.tls.certresolver=http"
      - "traefik.http.routers.onlyoffice.service=onlyoffice"
      - "traefik.http.services.onlyoffice.loadbalancer.server.port=80"
      # The middleware sets X-Forwarded-Proto to https on requests forwarded to the
      # document server, which itself is reached on port 80.
      - "traefik.http.middlewares.onlyoffice.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.onlyoffice.middlewares=onlyoffice"
      - "traefik.docker.network=traefik-nw"

  # Apache Tika, used by the ocis service for full-text extraction at http://tika:9998.
  # No ports are published and no Traefik labels are set, so it is reachable only from
  # containers attached to traefik-nw — which, being an external network, may include
  # containers that are not defined in this file.
  tika:
    # NOTE(review): the default tag "latest-full" moves with every upstream release;
    # pinning TIKA_IMAGE to a fixed version makes upgrades deliberate.
    image: "${TIKA_IMAGE:-apache/tika:latest-full}"
    restart: always
    networks:
      - "traefik-nw"
    logging:
      driver: json-file
      options:
        max-file: "10"
        max-size: "50m"

# Named volumes with default settings. Note that the ocis service bind-mounts
# ./ocis-config and ./ocis-data from the host instead of using the two volumes of the
# same name declared here.
volumes:
  ocis-config: {}
  ocis-data: {}
  wopi-recovery: {}

# The network is created outside this compose file ("external"), so other stacks on the
# host can attach to it; every container on it can reach the unpublished service ports
# of this stack (for example the gateway on 9142 and Tika on 9998).
networks:
  traefik-nw:
    external: true
    name: "traefik-nw"

Not sure, but the other error message “Permission denied” would worry me more. Maybe you do not get a token at all?

My advice would be to check the file permissions of all the volumes you use.
