ownCloud Architecture Overview

Providing Access to Data Where It Lives

Your IT landscape is complex, and often inherited. You have storage systems, servers, private cloud management tools, log managers, backup tools, and many more solutions already deployed in the enterprise. You don’t want to add another silo to enable secure file sharing for your employees, but you also don’t want your corporate confidential information being passed around in consumer-grade applications across multiple devices. You are looking for an answer that lets you leverage your existing infrastructure without duplicating or moving data. Further, you are looking to regain control while enabling the collaboration and on-the-go productivity that your workforce demands.

ownCloud provides Universal File Access through a common file access layer regardless of where the data lives – in applications, object stores, on-premise storage or in the cloud. Data is kept where it is while IT is able to manage proprietary information and business risk, leveraging existing data management, security and governance tools and processes. Whether in SharePoint, on a Windows network drive or in cloud storage, users have a single interface from which they can access, sync and share files on any device, anytime, from anywhere – all completely managed, secured and controlled by IT, as seen in figure 1.

Figure 1: ownCloud has a single interface from which users can access, sync and share files on any device, anytime, from anywhere.

Solution Architecture Overview

The core of the ownCloud solution is the ownCloud server. Unlike consumer-grade file sharing services, ownCloud‘s server enables IT to protect and manage files within the ownCloud environment – from file storage to user provisioning and data processing. ownCloud monitors and logs all data access events for downstream auditing and analysis using popular tools like Splunk®. The server provides a secure web interface through which administrators control all of ownCloud‘s resources, allowing authorized users to enable and disable features, set policies, create backups and manage users. Advanced features for enterprise directory integration and file “firewalls” give admins exceptional flexibility and control. The server also manages and secures API access to ownCloud, while providing the internal processing engine needed to deliver high performance file sharing services.

[Figure 2 diagram: “Protect”, “Control and Manage Access” and “Integrate and Extend” layers spanning your storage (primary, secondary, hybrid cloud), your server (metering, monitoring, central control, LDAP/AD, virus scan, versions, encryption, File Firewall, SAML), user devices and your apps]

Figure 2: ownCloud Solution Architecture

The ownCloud server stores user files in standard formats and can use most enterprise file systems. If you can mount the file system on your server, ownCloud can use it. Further, ownCloud can also use S3 and Swift based object stores or compliant gateways – ownCloud is filesystem and storage agnostic. ownCloud can leverage storage that is physically located in your data center or “virtually mounted” third-party storage. Thus, ownCloud enables you to protect your files as you would any other data asset in your infrastructure. ownCloud works seamlessly with all of your existing tools and utilities, from standard backups and intrusion detection, to log managers and Data Loss Prevention (DLP) solutions. ownCloud can also activate the included encryption module to provide an added layer of encryption at rest for user files.

While ownCloud provides the ability to access, control and protect data in the enterprise, ownCloud also delivers the consumer-grade experience users expect on desktops, laptops, tablets and mobile phones. Intuitive interfaces guide end-users through a wide range of file sharing activities, and administrator efficiency is aided through wizards, management tools and monitoring and logging capabilities. ownCloud also provides the ability for standard WebDAV clients to access ownCloud files, enabling users to continue to use standards-based productivity tools to interoperate seamlessly with ownCloud.

ownCloud applications make integration with your existing technology stack a breeze. Enabled through the server control panel, integration plugins provide functionality such as Active Directory (AD) and Lightweight Directory Access Protocol (LDAP) integration for user account provisioning, authentication and even quota management. SAML IdPs can also be used for authentication within ownCloud. For custom integrations, ownCloud can be easily extended using mobile libraries, open APIs and plug-in applications. Features such as the online text editor, virus scanner, file versioning and server-side encryption are included in the ownCloud core. Enterprise features such as enhanced logging and audit plug-ins, File Firewall, SAML authentication and Jive Software® integration are available in the ownCloud Enterprise Edition. ownCloud customers have integrated a wide variety of new functionality into ownCloud, from video streaming to contact and calendar syncing, custom authentication mechanisms, and API-based storage. In short, unlike proprietary alternatives, ownCloud can be easily extended to do far more than basic file sync and share.

Server Architecture Overview

At its core, ownCloud is a PHP web application running on top of IIS or Apache on Windows or . This PHP application manages every aspect of ownCloud, from user management to plug-ins, file sharing and storage. Attached to the PHP application is a database where ownCloud stores user information, user-shared file details, plug-in application states, and the ownCloud file cache (a performance accelerator). ownCloud accesses the database through an abstraction layer, enabling support for Oracle, MySQL, SQL Server, and PostgreSQL. Complete webserver logging is provided via webserver logs, and user and system logs are provided in a separate ownCloud log, or can be directed to a syslog file.

To enable a broad range of storage alternatives, ownCloud also abstracts the storage tier. As a result, ownCloud can leverage just about any storage protocol that can be mounted on your ownCloud server – from CIFS, NFS and GFS2, to clustered file systems like Storage, IBM elastic storage, and even object stores like Swift and S3. Other storage resources can also be mounted on the system using optional plug-in

[Figure 3 diagram: core server exposing the logging, metering, reporting, provisioning, sharing, capability and application APIs and branding around the PHP processing engine (HTTPS, WebDAV), with a storage abstraction layer over primary storage (Swift, S3, NFS, GFS, GFS2, XFS, ZFS, Red Hat Storage, GPFS, etc.), secondary storage (CIFS, WebDAV, FTPS, Swift, S3, Dropbox, Google, SharePoint, Windows Network Drive, Jive, ownCloud, etc.) and your apps]

Figure 3: ownCloud Server Architecture

applications, such as SharePoint, Windows network drives, Jive, Windows Home Directories, (s)FTP, WebDAV, another ownCloud instance and even external cloud storage services such as S3, Swift, Google Drive and Dropbox if desired. User configurations can include dynamically allocated storage driven by user directory entries – enabling data segregation and multitenant style deployments.

ownCloud includes a variety of open APIs for integrating with other systems. These include:

• Activity – provides an RSS feed to deliver all activities associated with a user‘s files, such as sharing activity, updated, renamed, deleted and removed files

• Applications – the most powerful API, enabling customers to expand ownCloud out of the box, to integrate with existing infrastructure and systems, and to create new plug-in applications. Examples of this API in use include the custom authentication back ends, music and video streaming applications, a URL shortener app and an image preview application.

• Capability – offers information about the installed ownCloud capabilities, so that ownCloud and third party applications can query for the enabled features and plug-in applications.

• External provisioning – provides the ability to add and remove users remotely, and enables admins to query metering information about ownCloud storage usage and quota.

• Sharing – provides the ability for external apps, such as the ownCloud mobile app, to share files from remote devices.

• Branding – a simplified mechanism for branding ownCloud servers, and through ownBrander, to brand desktop clients to match your corporate look and feel.

In addition to delivering the core of ownCloud, the ownCloud server also includes the ownCloud web interface, which provides a control center for configuring, managing and monitoring the system. The ownCloud portal also gives end users tools for controlling access to their files and folders. Employees are set up in the system as users, administrators, or both. Administrators can add, enable, and disable ownCloud features through the settings menu; they can add and remove users and groups; and they can manage various ownCloud settings and administrative tasks (migration and backup, for example). Users access the web interface to browse and manage their files, and to set granular permissions on files and folders shared with others on the system. Users can also access enabled applications through the web portal, such as the activity stream, text editor and image preview, file and folder sharing, SharePoint document libraries, Windows network drives, Jive, rollback of previous versions and much more. The ownCloud web interface is compatible with Firefox, Safari, Chrome and Internet Explorer on Windows, Mac OS and Linux machines.

Deployment Scenario

With the ownCloud solution and server architectures outlined in figure 2, this paper now examines how ownCloud is deployed on site, how it is integrated with the storage tier and existing infrastructure tools, and the flexibility provided by ownCloud's APIs. This understanding is facilitated by a brief review of how ownCloud is typically deployed in production environments.

In production, ownCloud is most often deployed as an n-tier load balanced web application running in a data center or managed cloud infrastructure. ownCloud can be deployed to physical, virtual, or private cloud servers using native binaries or a virtual appliance footprint. There is always a load balancer on the front-end of the deployment connected to at least two web servers.
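When storage is allocated per user from directory entries, as described above, a directory attribute decides where that user's files are written. The following is an added example, not ownCloud's own code: a small audit over constructed LDAP-style entries (the attribute name ownCloudHome and the mount roots /data/highendstorage1 and /data/lowendstorage2 are assumptions) that confirms each path resolves strictly inside an approved mount, rejecting relative paths, traversal segments, the bare root, look-alike prefixes and a symlink that escapes the mount.

```python
"""Added example (not ownCloud code): audit the per-user storage paths that an
LDAP/AD attribute hands to ownCloud, confirming each one sits strictly inside an
approved mount root. Roots, entries and the attribute name are constructed."""
import os
import tempfile
from pathlib import Path

# Constructed: the mount points an administrator has approved, per tier.
ALLOWED_ROOTS = {"high": "/data/highendstorage1", "low": "/data/lowendstorage2"}
# Constructed directory entries; "ownCloudHome" is a hypothetical attribute name.
SAMPLE_ENTRIES = [
    {"uid": "alice", "ownCloudHome": "/data/highendstorage1/alice"},
    {"uid": "bob", "ownCloudHome": "/data/lowendstorage2/bob"},
    {"uid": "mallory", "ownCloudHome": "/data/lowendstorage2/../../etc/owncloud"},
    {"uid": "eve", "ownCloudHome": "data/lowendstorage2/eve"},     # relative path
    {"uid": "trent", "ownCloudHome": "/data/highendstorage1"},     # the root itself
    {"uid": "zed", "ownCloudHome": "/data/highendstorage1x/zed"},  # prefix look-alike
]

def resolve_user_path(root_map, entry):
    """Return (uid, canonical path) or raise ValueError when the directory-supplied
    path does not land strictly inside one of the approved roots."""
    uid, raw = entry["uid"], entry["ownCloudHome"]
    if not os.path.isabs(raw):
        raise ValueError(f"{uid}: relative path {raw!r}")
    # realpath collapses '..' and follows symlinks, so neither a traversal
    # segment nor a symlink planted inside a mount can point outside unnoticed.
    resolved = Path(os.path.realpath(raw))
    for root in root_map.values():
        # Component-wise comparison, not a string prefix, so that
        # /data/highendstorage1x never matches /data/highendstorage1.
        if Path(os.path.realpath(root)) in resolved.parents:
            return uid, str(resolved)
    raise ValueError(f"{uid}: {raw!r} resolves to {resolved}, outside approved roots")

def audit_entries(root_map, entries):
    """Split entries into accepted {uid: path} and a list of rejected uids."""
    accepted, rejected = {}, []
    for entry in entries:
        try:
            uid, path = resolve_user_path(root_map, entry)
            accepted[uid] = path
        except ValueError as err:
            rejected.append(entry["uid"])
            print("REJECT", err)
    return accepted, rejected

def symlink_escape_demo():
    """Constructed case: a symlink inside an approved mount that points to its parent."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "mount")
        os.makedirs(root)
        os.symlink(tmp, os.path.join(root, "carol"))  # escapes the mount
        entry = {"uid": "carol", "ownCloudHome": os.path.join(root, "carol")}
        return audit_entries({"tier": root}, [entry])[1] == ["carol"]
```

Run audit_entries(ALLOWED_ROOTS, SAMPLE_ENTRIES) to see alice and bob accepted and the four malformed entries rejected; symlink_escape_demo() returns True when the symlink case is caught as well.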

[Figure 4 diagram: load balancer and web servers, database cluster (primary, secondary), storage data nodes, optional management node]

Figure 4: Common ownCloud Deployment Architecture

The ownCloud web servers host the PHP code, and are most often deployed on Apache over Linux, though IIS and Apache on Windows are also supported. All of the web servers are then connected to a database (frequently a clustered MySQL database instance) for user information, including the virtualized file cache, user and group meta data, shared file lists, and storage required by enabled ownCloud apps. The web servers are also all connected to shared backend storage, often a clustered filesystem. With this configuration, ownCloud can be scaled up easily to meet load requirements, while providing whatever redundancy and backup requirements are needed to achieve system availability objectives.

On-Site Storage

For nearly all deployment scenarios, connecting ownCloud to back-end storage is as simple as mounting on-site storage on the server, such as mount point /data/storage device. Nearly all storage devices and file systems – from direct attached NTFS to cluster systems like Red Hat Storage – have well tested, high-performance Linux drivers that make this easy. Object stores can also be mounted through ownCloud configuration files. Once the storage device is mounted in the desired location, the ownCloud configuration file is edited with the storage device path, and all ownCloud storage is immediately changed to that path. Each user gets a directory, and all versions, folders and files are stored in that location.

In larger installations, it may be necessary to create more than one storage location for an ownCloud instance. Perhaps policy requires high performance, fully redundant storage for one group, and less expensive storage for another group. In this situation, it is possible to leverage ownCloud‘s built-in integration with LDAP or Active Directory servers to dynamically assign a storage path to each user. The LDAP/AD plug-in is further described below, but once connected, the storage path attribute can be inherited, and users can be directed to two or more storage paths based on these entries. Simply mount the storage devices on the server in the desired mount point, such as /data/highendstorage1 and /data/lowendstorage2, and user files and versions will be saved to the specified path.

Occasionally ownCloud needs to connect to REST API-based storage. In some cases, API-accessed storage replaces the mounted file system described above, and in some cases it augments the storage. ownCloud can handle either scenario through the use of plug-in applications. For example, ownCloud provides a plug-in application that mounts Jive as a backend storage location via Jive REST APIs. When enabled, the plug-in application redirects POSIX commands for one folder of user content to the Jive REST API. For the other folders on the server, ownCloud retains a file system mount. In other installations, ownCloud‘s built-in External Filesystem plug-in leverages a mix of APIs, providing system admins the flexibility to connect OpenStack Swift, S3, CIFS, FTPS, WebDAV and other storage systems in addition to the existing file system storage.

Ultimately, administrators must decide which storage system(s) to use, how to configure user access, and whether or not to mix and match storage to optimize existing infrastructure, security policies, and end-user requirements. ownCloud provides the mechanisms to optimize the use of on-site, cloud or hybrid storage, giving admins control of corporate data, while still providing the capabilities that users demand.

Infrastructure Integration

The most common infrastructure integration request is to connect ownCloud to an enterprise directory, or other standard authentication mechanisms. ownCloud provides out-of-the-box integration with LDAP, AD and SAML 2.0. Administrators simply enable the ownCloud AD / LDAP or SAML plug-in application, configure the server addresses, protocols and filters, and users are authenticated against the appropriate service. With the appropriate settings, user group memberships, quotas and even, as seen in figure 4, storage paths can be centrally managed and applied to ownCloud. The first time a user logs into ownCloud with a user name and password, ownCloud provisions the user and they are off and running. Administrators can also enable custom attributes, such as custom display names and avatars, to make it easier for users to find each other when sharing documents. All corporate policies governing the account, such as failed login account lockout, are still managed out of the corporate directory, with ownCloud enforcing the result.

Beyond LDAP/AD integration, ownCloud offers a wide range of other integration capabilities. For example, it is possible to leverage the user provisioning API to provision new users via an external automation service. In some very large deployment scenarios, it is far more efficient to provision new users in this manner than to use an enterprise directory. The provisioning API can also be used to report on user activity, shared file information, and to disable user accounts. The WebDAV API can be used to provide authenticated access to ownCloud files and folders based on user account information, a popular feature among tablet users. WebDAV support also allows desktop users to browse ownCloud folders using familiar file explorer tools in Windows, Mac and Linux. While most deployed customers limit themselves to LDAP/AD integration and WebDAV access, ownCloud APIs offer the flexibility to integrate as needed into existing environments.

ownCloud also provides mechanisms for creating plug-in applications to integrate with existing systems. One common use case is the custom authentication mechanism. While ownCloud supports LDAP and AD integration and SAML 2.0, several custom user authentication and authorization plug-ins have been created, from token to user name and password-based plug-ins. Other integrations have included log managers, Data Loss Prevention (DLP) tools, Mobile Device Management (MDM) tools and anti-virus mechanisms, to name a few. ownCloud also offers integrations with SharePoint, Windows network drives as well as other ownCloud instances. Access Control Lists (ACLs) and local policies are preserved and files are synced automatically in both directions. Selective sync allows users to sync only the most relevant files, which are all accessible through the ownCloud interface and, subsequently, on any device.

As an n-tier web application, ownCloud integrates into most corporate web farms. Intrusion detection systems, network management tools and firewalls simply leverage existing ports and SSL certificates. Backup systems take server and database backups as with any other web application, and user experience systems wrap around the existing ownCloud application. For unique requirements, the ownCloud APIs and mobile libraries provide extensive flexibility. All of this gets managed with enterprise tools, in an enterprise data center, to enterprise policies, putting IT back in control of corporate data, while providing end users the pleasing, productive interfaces they demand.

Conclusion

ownCloud is open by nature and designed to integrate with existing infrastructure, management and security tools. A comprehensive set of APIs and native integrations enable anytime, anywhere access to all your data, wherever it resides.

For More Information

Please visit www.owncloud.com for a wealth of information about ownCloud, links to download the software, and detailed product documentation.

ownCloud, Inc.
57 Bedford Street
Suite 102
Lexington, MA 02420
United States
www.owncloud.com/contact
phone: +1 (877) 394-2030
@ownCloud
facebook.com/owncloud
gplus.is/owncloud
linkedin.com/company/owncloud

Copyright 2014 ownCloud All Rights Reserved. ownCloud and the ownCloud Logo are registered trademarks of ownCloud, Inc. in the United States and/or other countries.