Geofence seems not to fetch derived roles when matching the rules

GeoServer GeoServer User
,
1

Hi, we have just installed Geoserver ver 2.26.2 together with Geofence Server (geoserver-2.26.2-geofence-server-plugin.zip).
We had an old version of Geoserver before (2.14.2). So actually I just replaced the jar-files in the webapps/geoserver/WEB-INF/lib.
But now when we are running our Geoserver I noticed that Geofence is not using the derived roles from the usergroups.
It seems like Geoserver do know about the derived roles when I go to the “Edit User”-menu in the Geoserver web-app.
There is at least a list of Derived Roles at the bottom of this page that is correct, but this list also contains a null value (could that be a problem?).

We are running java 17 on linux.
One more thing to mention is that I had to add the jar-files
hibernate-spatial-postgis-1.1.3.2.jar
postgis-jdbc-2.3.0.jar
to the webapps/geoserver/WEB-INF/lib directory. If I didn’t I could’nt edit the geofence-rules.

I have tried to google this problem, but the only thing I found was an issue from 2016.
I probably have forgotten something in the configuration, but I’m not sure what and I have tried to go through all configuration in the data-catalogue.
I’m running out of ideas here…Is there anybody else that have problem with Geofence not using derived roles?

Regards
Nils

2

Hi Nils,

can you pls turn on debug logging and find out which are the groups that GeoFence finds?

In the log you should find lines like these:

Request details:

Requesting access for RuleFilter[user:"YOUR_USER"+ role:ANY inst:name+:default-gs ip:"192.168.x.y"+ serv:"WMS"+ req:"GETMAP"+ sub:ANY ws:"YOUR_WS"+ layer:"YOUR_LAYER"+]
Filter RuleFilter[user:"YOUR_USER"+ role:DEFAULT inst:name+:default-gs ip:"192.168.x.y"+ serv:"WMS"+ req:"GETMAP"+ sub:ANY ws:"YOUR_WS"+ layer:"YOUR_LAYER"+] is matching the following Rules:

Rules matching for each group the user belongs to (null group returns the default rules, which is the authorization for the unauthenticated user):

 -     Role:null
 -     Role:null ---> Matched rule 1
 -     Role:null ---> Matched rule 2
 -     Role:null ---> ...
 -     Role:GROUP1
 -     Role:GROUP1---> Matched rule 1
 -     Role:GROUP1---> Matched rule 2
 -     Role:GROUP1---> ...
 -     Role:GROUP2
 -     Role:GROUP2---> Matched rule 1
 -     Role:GROUP2---> Matched rule 2
 -     Role:GROUP2---> ...

Outcome for every single group:

Filter RuleFilter[user:"YOUR_USER"+ role:DEFAULT inst:name+:default-gs ip:"192.168.x.y"+ serv:"WMS"+ req:"GETMAP"+ sub:ANY ws:"YOUR_WS"+ layer:"YOUR_LAYER"+] on role null has access AccessInfoInternal[grant:xxx]
Filter RuleFilter[user:"YOUR_USER"+ role:DEFAULT inst:name+:default-gs ip:"192.168.x.y"+ serv:"WMS"+ req:"GETMAP"+ sub:ANY ws:"YOUR_WS"+ layer:"YOUR_LAYER"+] on role GROUP1 has access AccessInfoInternal[grant:xxx]
Filter RuleFilter[user:"YOUR_USER"+ role:DEFAULT inst:name+:default-gs ip:"192.168.x.y"+ serv:"WMS"+ req:"GETMAP"+ sub:ANY ws:"YOUR_WS"+ layer:"YOUR_LAYER"+] on role GROUP2 has access AccessInfoInternal[grant:xxx]

The resulting authorization created by the merging of all the previous privs:

Returning AccessInfo[grant:ALLOW admin:false] for RuleFilter[user:"YOUR_USER"+ role:DEFAULT inst:name+:default-gs ip:"192.168.x.y"+ serv:"WMS"+ req:"GETMAP"+ sub:ANY ws:"YOUR_WS"+ layer:"YOUR_LAYER"+]

Pls check that the set of the groups found by GeoFence is the list you expect.

Cheers,
Emanuele

3

Hi, thanks for your reply. I got the fault solved now. The problem was that I was migrating from an old version of Geoserver and I kept much of the configuration from the old version.
So instead I installed and configured all from scratch and now everything is working fine.
Thanks for your time and support!
Regards
Nils

1 Like