Geofence seems not to fetch derived roles when matching the rules

Hi, we have just installed Geoserver ver 2.26.2 together with Geofence Server (geoserver-2.26.2-geofence-server-plugin.zip).
We had an old version of Geoserver before (2.14.2). So actually I just replaced the jar-files in the webapps/geoserver/WEB-INF/lib.
But now when we are running our Geoserver I noticed that Geofence is not using the derived roles from the usergroups.
It seems like Geoserver does know about the derived roles when I go to the “Edit User”-menu in the Geoserver web-app.
There is at least a list of Derived Roles at the bottom of this page that is correct, but this list also contains a null value (could that be a problem?).

We are running Java 17 on Linux.
One more thing to mention is that I had to add the jar-files
hibernate-spatial-postgis-1.1.3.2.jar
postgis-jdbc-2.3.0.jar
to the webapps/geoserver/WEB-INF/lib directory. If I didn’t, I couldn’t edit the geofence-rules.

I have tried to google this problem, but the only thing I found was an issue from 2016.
I probably have forgotten something in the configuration, but I’m not sure what and I have tried to go through all configuration in the data-catalogue.
I’m running out of ideas here… Is there anybody else that has a problem with Geofence not using derived roles?

Regards
Nils

Hi Nils,

can you pls turn on debug logging and find out which are the groups that GeoFence finds?

In the log you should find lines like these:

Request details:

Requesting access for RuleFilter[user:"YOUR_USER"+ role:ANY inst:name+:default-gs ip:"192.168.x.y"+ serv:"WMS"+ req:"GETMAP"+ sub:ANY ws:"YOUR_WS"+ layer:"YOUR_LAYER"+]
Filter RuleFilter[user:"YOUR_USER"+ role:DEFAULT inst:name+:default-gs ip:"192.168.x.y"+ serv:"WMS"+ req:"GETMAP"+ sub:ANY ws:"YOUR_WS"+ layer:"YOUR_LAYER"+] is matching the following Rules:

Rules matching for each group the user belongs to (null group returns the default rules, which is the authorization for the unauthenticated user):

 -     Role:null
 -     Role:null ---> Matched rule 1
 -     Role:null ---> Matched rule 2
 -     Role:null ---> ...
 -     Role:GROUP1
 -     Role:GROUP1---> Matched rule 1
 -     Role:GROUP1---> Matched rule 2
 -     Role:GROUP1---> ...
 -     Role:GROUP2
 -     Role:GROUP2---> Matched rule 1
 -     Role:GROUP2---> Matched rule 2
 -     Role:GROUP2---> ...

Outcome for every single group:

Filter RuleFilter[user:"YOUR_USER"+ role:DEFAULT inst:name+:default-gs ip:"192.168.x.y"+ serv:"WMS"+ req:"GETMAP"+ sub:ANY ws:"YOUR_WS"+ layer:"YOUR_LAYER"+] on role null has access AccessInfoInternal[grant:xxx]
Filter RuleFilter[user:"YOUR_USER"+ role:DEFAULT inst:name+:default-gs ip:"192.168.x.y"+ serv:"WMS"+ req:"GETMAP"+ sub:ANY ws:"YOUR_WS"+ layer:"YOUR_LAYER"+] on role GROUP1 has access AccessInfoInternal[grant:xxx]
Filter RuleFilter[user:"YOUR_USER"+ role:DEFAULT inst:name+:default-gs ip:"192.168.x.y"+ serv:"WMS"+ req:"GETMAP"+ sub:ANY ws:"YOUR_WS"+ layer:"YOUR_LAYER"+] on role GROUP2 has access AccessInfoInternal[grant:xxx]

The resulting authorization created by the merging of all the previous privs:

Returning AccessInfo[grant:ALLOW admin:false] for RuleFilter[user:"YOUR_USER"+ role:DEFAULT inst:name+:default-gs ip:"192.168.x.y"+ serv:"WMS"+ req:"GETMAP"+ sub:ANY ws:"YOUR_WS"+ layer:"YOUR_LAYER"+]

Pls check that the set of the groups found by GeoFence is the list you expect.

Cheers,
Emanuele
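
One way to run the check described above over a debug log, added here as an example and not code from the thread or from the GeoFence project: it collects the roles GeoFence evaluated for each user and reports expected derived roles that never appear. The log lines are constructed in the format quoted above; the user, workspace, layer and role names and the `audit` helper are assumptions.

```python
import re

# Shapes taken from the debug lines quoted in the reply above. Real log lines
# carry timestamp/logger prefixes, so the patterns search instead of match.
PER_ROLE = re.compile(r'Filter RuleFilter\[user:"(?P<user>[^"]+)".*?\] on role '
                      r'(?P<role>\S+) has access AccessInfoInternal\[grant:(?P<grant>\w+)')
FINAL = re.compile(r'Returning AccessInfo\[grant:(?P<grant>\w+)[^\]]*\] for '
                   r'RuleFilter\[user:"(?P<user>[^"]+)".*?layer:"(?P<layer>[^"]+)"')

def audit(lines, expected):
    """expected: {user: roles the user should derive from its user groups}."""
    seen, final = {}, {}
    for line in lines:
        if m := PER_ROLE.search(line):
            seen.setdefault(m["user"], {})[m["role"]] = m["grant"]
        elif m := FINAL.search(line):
            final.setdefault(m["user"], {})[m["layer"]] = m["grant"]
    report = {}
    for user in sorted(set(seen) | set(expected)):
        # "null" is the default-rules pass, not a role the user holds
        roles = set(seen.get(user, {})) - {"null"}
        report[user] = {
            "evaluated": sorted(roles),
            "missing": sorted(set(expected.get(user, ())) - roles),
            # True when only the default rules were applied to this user
            "default_only": user in seen and not roles,
            "final": final.get(user, {}),
        }
    return report

def _rf(user):  # constructed RuleFilter text in the format shown in the thread
    return (f'RuleFilter[user:"{user}"+ role:DEFAULT inst:name+:default-gs '
            f'ip:"192.168.0.10"+ serv:"WMS"+ req:"GETMAP"+ sub:ANY ws:"topo"+ layer:"roads"+]')

SAMPLE_LOG = [  # constructed lines, not from a real server
    f"Filter {_rf('alice')} on role null has access AccessInfoInternal[grant:DENY]",
    f"Filter {_rf('alice')} on role GROUP1 has access AccessInfoInternal[grant:ALLOW]",
    f"Returning AccessInfo[grant:ALLOW admin:false] for {_rf('alice')}",
    f"Filter {_rf('bob')} on role null has access AccessInfoInternal[grant:DENY]",
    f"Returning AccessInfo[grant:DENY admin:false] for {_rf('bob')}",
]
EXPECTED = {"alice": ["GROUP1"], "bob": ["GROUP1"]}  # assumed group membership

if __name__ == "__main__":
    for user, result in audit(SAMPLE_LOG, EXPECTED).items():
        print(user, result)
```

A user reported with `default_only` set was authorized against the default rules alone, which is the symptom described in the first post.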

Hi, thanks for your reply. I got the fault solved now. The problem was that I was migrating from an old version of Geoserver and I kept much of the configuration from the old version.
So instead I installed and configured all from scratch and now everything is working fine.
Thanks for your time and support!
Regards
Nils
