Hi,
I was doing some testing for the JWT Headers SSO module, and noticed a problem when accessing the REST API.
I’ve tracked this down to the roles “ADMIN” vs role “ROLE_ADMINISTRATOR”.
I believe (could be wrong) that the WEB uses the role “ROLE_ADMINISTRATOR”, but the REST API uses the role “ADMIN”.
This seems to be set up in https://github.com/geoserver/geoserver/blob/main/data/release/security/rest.properties
When I add “ADMIN” to my roles, the REST API allows me access.
I am a bit confused on this - what is the difference between these roles and should admin users have both these roles (“ADMIN” and “ROLE_ADMINISTRATOR”)?
Thanks,
Dave
jive, May 7, 2024, 2:48am
Thinking that this may be by design?
Admin gets full access, … including by default the rest api.
Role Admin is used to unlock some of the data admin screens in the user interface (and can be set at the workspace or layer level).
Admin is required for the more advanced user interface screens like global settings.
It may be that some of the REST API endpoints could be configured to allow Role Admin access?
–
Jody Garnett
Hi,
Here are my notes after the PMC meeting.
After talking in the PMC meeting, a full-admin should have two roles.
This is how the standard geoserver “admin” user is configured (“release” data dir).
See the PMC meeting notes as well. No action for a while because this is “opening a can of worms.”
I will put a PR for the jwt-headers so it handles these multiple-roles better.
Cf.:
https://github.com/geoserver/geoserver/blob/main/data/release/security/rest.properties
https://github.com/geoserver/geoserver/blob/a634daa9f243c818e1e7ae8ea3504f803676aa19/src/main/src/main/java/org/geoserver/security/impl/GeoServerRole.java#L21
https://github.com/geoserver/geoserver/blob/6e9e25c0c7cdda9ada9f33f8255130d3afc76801/src/main/src/main/java/org/geoserver/security/impl/AbstractGeoServerSecurityService.java#L25
https://github.com/geoserver/geoserver/blob/fb441eefa631a2f66b31b62c6811e44517493b2c/src/main/src/main/java/org/geoserver/security/GeoServerSecurityManager.java#L2047
Thanks,
Dave
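To make the ADMIN vs ROLE_ADMINISTRATOR point concrete, here is an added Python model (written for this thread; it is not GeoServer code and not from either poster) that parses rules in the `path;METHODS=ROLES` syntax of the linked rest.properties and checks a user's roles against them. The rule lines inside it are constructed for the example rather than copied from the real file, and the first-match / any-listed-role semantics and the Ant-path translation are a simplification of what GeoServer's Spring Security filters actually do. What it shows is the observation in the first post and the conclusion in the PMC notes: a user holding only ROLE_ADMINISTRATOR fails a REST rule that names ADMIN, while a user holding both roles passes, and `missing_full_admin_roles` is the check an SSO role mapper (such as the JWT headers module) would want before calling someone a full admin.

```python
"""Toy evaluator for rest.properties-style REST access rules.

Added illustration for the ADMIN vs ROLE_ADMINISTRATOR discussion.
Not GeoServer code: the syntax mirrors the linked rest.properties
("<ant path>;<METHOD[,METHOD]>=<ROLE[,ROLE]>"), but the matching and
role semantics are a simplified model, not GeoServer's real filters.
"""
import re

# Constructed sample rules in rest.properties syntax. They are an
# illustration, not a copy of the real defaults (see the linked file).
SAMPLE_REST_PROPERTIES = """\
# path;METHODS=ROLES
/**;GET=ADMIN
/**;POST,DELETE,PUT=ADMIN
"""

ADMIN_ROLE = "ROLE_ADMINISTRATOR"   # GeoServerRole.ADMIN_ROLE (linked above)
REST_ADMIN_ROLE = "ADMIN"           # spelling used in rest.properties

# The two-role configuration the PMC notes describe for a full admin.
FULL_ADMIN_ROLES = frozenset({ADMIN_ROLE, REST_ADMIN_ROLE})


def ant_to_regex(pattern):
    """Translate the Ant path subset used in rest.properties to a regex.

    '**' matches across path separators, '*' matches within one segment.
    """
    out = ""
    i = 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out += ".*"
            i += 2
        elif pattern[i] == "*":
            out += "[^/]*"
            i += 1
        else:
            out += re.escape(pattern[i])
            i += 1
    return re.compile("^" + out + "$")


def parse_rules(text):
    """Return a list of (path_regex, methods, roles) from rules text.

    Blank lines and '#' comments are skipped; roles are compared literally,
    so 'ADMIN' and 'ROLE_ADMINISTRATOR' are two different roles here.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        lhs, rhs = line.split("=", 1)
        path, methods = lhs.split(";", 1)
        rules.append((
            ant_to_regex(path.strip()),
            frozenset(m.strip().upper() for m in methods.split(",")),
            frozenset(r.strip() for r in rhs.split(",")),
        ))
    return rules


def is_allowed(rules, method, path, user_roles):
    """First rule matching method and path decides; any listed role grants.

    Simplified model: no rule matching the request means denied.
    """
    roles = set(user_roles)
    for regex, methods, required in rules:
        if method.upper() in methods and regex.match(path):
            return bool(roles & required)
    return False


def missing_full_admin_roles(user_roles):
    """Roles a would-be full admin still lacks (empty list means complete)."""
    return sorted(FULL_ADMIN_ROLES - set(user_roles))


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_REST_PROPERTIES)
    for roles in ({ADMIN_ROLE}, {ADMIN_ROLE, REST_ADMIN_ROLE}):
        ok = is_allowed(rules, "GET", "/rest/workspaces.json", roles)
        print(sorted(roles), "GET /rest/workspaces.json ->", "allowed" if ok else "denied",
              "| missing:", missing_full_admin_roles(roles))
```

Running the module prints a denied line for the ROLE_ADMINISTRATOR-only user and an allowed line for the user carrying both roles, with the missing-role check reporting `['ADMIN']` in the first case. In the simplified matcher a request that hits no rule is denied; whether that is GeoServer's actual default for unlisted paths is not something this thread establishes, so check the real rest.properties and the linked security classes before relying on it.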
jive, May 8, 2024, 8:42pm
Hi David,
I created a ticket GEOS-11389 to continue the discussion, but perhaps this should go on the “technical debt” wiki page.
It is surprisingly complicated.
–
Jody Garnett