Proxy Service: automatic quota assignment debugging

thommie · February 18, 2025, 5:58pm

I try to get the automatic quota assignment working on ocis 5.0.9. Without success yet by using the docs from Proxy Service Configuration

Environment: ocis 5.0.9, IDP: Keycloak 26.
ocis runs “dockerized” in an LXC container

Task: New users are created in the IDP and autoprovisioned into ocis (PROXY_AUTOPROVISION_ACCOUNTS=true). They get the role “user” and shall have an initial quota of 5 mb. The roles are assigned from OIDC in the ocis.env:

PROXY_ROLE_ASSIGNMENT_DRIVER: "oidc"
PROXY_ROLE_ASSIGNMENT_OIDC_CLAIM: "roles"

proxy.yaml:

role_assignment:
  driver: oidc
    oidc_role_mapper:
      role_claim: roles
      role_mapping:
        - role_name: admin
          claim_value: myAdminRole
        - role_name: spaceadmin   
          claim_value: mySpaceAdminRole
        - role_name: user
          claim_value: myUserRole 
        - role_name: guest
          claim_value: myGuestRole 
role_quotas:
  admin: 100MB
  guest: 0MB
  spaceadmin: 100MB
  user: 5MB

A user which has the role “myUserRole” in OIDC/Keycloak is created with role “User” in ocis. But the quota still has “no restriction”

Can someone help me debugging this?

kobergj · February 21, 2025, 9:36am

I think the configuration is slightly off. You need to use the RoleIDs, not the Role Names for the assignment. In a vanilla ocis, the roleID for the User Role would be “d7beeea8-8ff4-406b-8fb6-ab2dd81e6b11” for example.
Check other IDs here: ocis/services/settings/pkg/store/defaults/defaults.go at stable-5.0 · owncloud/ocis · GitHub

thommie · February 21, 2025, 10:50am

Ah, ok, thanks for that info! - I will have a try. Then the docs at https://doc.owncloud.com/ are not in sync with the code ?

kobergj · February 24, 2025, 8:06am

No - they are in sync. But you linked the oc10 docu. Infinite Scale Docu is here: Proxy Service Configuration