Hi,
I am new to the geoserver security, and I was following this recipe: How to Implement Basic Security in Geoserver
All went well, but what I noticed is that when logged-in as the ‘user_admin’ who had Admin as the Access mode and “role_admin” as the Role for a particular Workspace, I wasn’t able to create a new store in another Workspace (as expected) but I was able to drop a store belonging to another Workspace, and that worried me. Should I take other steps to prevent this behaviour?
I’m on geoserver 2.26.0
Best regards,
Louis
When you log in as user_admin, you will only have access to the stores within your own workspace. You will not be able to access or delete stores or layers from other workspaces, ensuring that those resources remain secure.
If you’re experiencing difficulties, it’s possible that not all steps have been followed correctly. To help you understand the process better, please watch the video linked below:
https://www.youtube.com/watch?v=KCTGZJ2Trvw&list=PL_ITaxp1Ob4sZE7iJwjQT0KPSfP7kJNs9 
Hi,
I watched the video, checked my configuration and made a new one using the same names (so you won’t get confused), but I encountered the same.
user_admin can see other workspaces and other workspace’s sources and delete themWe are on an existing geoserver (it’s in Dutch), so it’s not brand new as in the video.
Hopefully you can share some good ideas because I’don’t know what I’m doing wrong.
(part 1 because I’m only allowed to post 1 embedded image)
- From the “Users, Groups, Roles” menu, create a new role (e.g. ‘r_test’).
- From the “Users, Groups, Roles” menu, create a new user (e.g. ‘test’).
- From the “Roles taken from active role service” section, assign the ‘r_test’ role to the ‘test’ user by selecting it from the list.
- From the “Data” menu, select ‘Add new rule’, then select ‘tiger’ for the workspace, ‘*’ for the layer and groups, and set the ‘Admin’ for the access mode.
- Finally, In the Roles section, select ‘r_test’ from the list of available roles and press the Save button.
Following these steps will effectively create a new role (‘r_test’), a new user (‘test’), assign the role to the user, and establish a new access rule granting administrative access to the specified workspace and layers for that role.
Hi,
I really appreciate your help, en followed the steps you provided!
I found out that it all depends on the value of the Catalog Mode.
In our case it was set on Challenge, and I was able to see other Workspaces and their Stores, and even delete them logged-on as user ‘test’. (I granted the role r_test as admin to workspace testomgeving, but as you see I was able to delete a Store belonging to Workspace testomgeving****2)
When Catalog Mode = Hide or Mixed, I only saw the Workspace and Store which I configured to be admin of.
Challenge works not as expected, but I can proceed now.
Thanks for all!
Regards,
Louis
That is odd, unexpected are you in position to provide a fix?
Hi,
I think I can’t.
I have no direct server-access and I need to consult a technical administrator for that kind of things.
What are your thoughts?
regards, Louis
It was a question if you had acccess to Java developer to fix, or budget to hire one of the service providers.
Before you move on please report the bug (for the development team know about it).
Thank you