[Geoserver-devel] GeoServer PSC 2024-05-07

GeoTools / GeoServer PMC meeting - 2024-05-07

Attending:

  • David Blasby

  • Peter Smythe

  • Jody Garnett

  • Andrea Aime

Actions from prior meeting:

  • [DONE] Jody: Make a PR for GSIP 224

  • [DONE] Peter: Make a similar proposal for GeoTools

  • [DONE] Jody: Make a Proposal for geoserver-users transition to discourse

Agenda:

Actions:

  • Jody: Make a ticket about GROUP_ADMIN not having permission to create a new user (GEOS-10938)

  • Jody: Make a ticket on clean up of admin roles and constants (GEOS-11389)

  • Jody: Open a ticket to refine Demo Page Javascript rewrite (GEOS-11390)

GSIP-224 - Individual contributor clarification

https://github.com/geoserver/geoserver/wiki/GSIP-224

  • Is this done? yes

GSIP-223 - Community module graduation, amending generality rule

https://github.com/geoserver/geoserver/wiki/GSIP-223

No PR, Jody made a PR? Can we merge …

GSIP-222 - Promote Raster Attribute Table module to extension

https://github.com/geoserver/geoserver/wiki/GSIP-222

What is the status?

  • Proposal was not completed by the time the release window…

  • Not sure if this is merged can we check? Yes …

  • 2.25 and main!

  • Updated Proposals page to indicate this is complete

GSIP-225 - Migrate geoserver-users from SourceForge to discourse

https://github.com/geoserver/geoserver/wiki/GSIP-225

  • Proposal was made, and approved

What happens next:

  • user list to discourse is a go, we will wait on SAC for the change

  • Expected some kind of PR for the website to provide instructions

  • Then notify users of the change

  • Proposal has the SF list shutting down after 1 month, with any additional messages migrated over

See proposal for details …

Encouragement from mastodon: https://fosstodon.org/@geoserver/112367510772585467

GeoTools proposal for individual contributors

https://github.com/geotools/geotools/wiki/Individual-contributor-clarification

50% response rate …

  • Torben is away so assume +0

  • No objections

  • Likely to pass on May 9th :smiley:

Could probably safely start the PR :grinning:

Security roles internals

Email questions

  • Hard to talk about due to naming “role_admin” “admin” “role_administrator”

  • Sometimes objects, sometimes strings

ROLE_ADMINISTRATOR

  • This is for the user interface, it unlocks the data admin console screens

ADMINISTRATOR

  • This is the “root” kind of access, often used for the REST API

  • Unlocks all the admin console for all the screens

GROUP_ADMIN

  • Unlocks the security admin console screens

The rest.properties is parsed:

GeoServerRole ADMIN_ROLE = new GeoServerRole("ROLE_ADMINISTRATOR");

GeoServerRole GROUP_ADMIN_ROLE = new GeoServerRole("ROLE_GROUP_ADMIN");

GeoServerRole AUTHENTICATED_ROLE = new GeoServerRole("ROLE_AUTHENTICATED");

GeoServerRole ANY_ROLE = new GeoServerRole("*");

GeoServerRole ANONYMOUS_ROLE = new GeoServerRole("ROLE_ANONYMOUS");

The https://github.com/geoserver/geoserver/blob/main/data/release/security/rest.properties file is parsed:

/**;GET=ADMIN

/**;POST,DELETE,PUT=ADMIN

Parsed by AbstractGeoServerSecurityService.java:

  • Has its own contents …

String DEFAULT_NAME = "default";

String DEFAULT_LOCAL_ADMIN_ROLE = "ADMIN";

String DEFAULT_LOCAL_GROUP_ADMIN_ROLE = "GROUP_ADMIN";

XML Role Service allows you to nominate (for a role service):

  • Allows you to grant the internal administrator role to a role defined externally (like LDAP)

  • Allows you to grant the internal group administrator role to a role defined externally (like LDAP)

  • Does not have a group admin role; makes sense since they are not using the internal screens to manage users…

Trying out on empty data directory:

  • Defining a test role with workspace admin access worked as expected, data screens unlocked

  • Experimenting showed that GROUP_ADMIN did not behave as expected; it unlocked the security screen - but we did not have permission to add new users.

  • Action: Make a ticket about GROUP_ADMIN not having permission to create a new user
    https://osgeo-org.atlassian.net/browse/GEOS-10938

This shows an incomplete migration from GeoServer 2.1 to GeoServer 2.2:

  • It would be difficult to clean up, as the constants have become intermixed with the defaults in the data directory …

  • Andrea is trying with an empty data directory, to see what defaults are baked into the application: → ADMIN, while ROLE_ADMIN is nowhere to be found

Ideas for a cleanup:

  • Many places in the code use either one or the other role (some smart ones, both)

  • Centralize the check that verifies both in a prominent place

  • Deprecate one of the two constants, make sure every admin check goes for the new method checking both

  • Remove the old one from the default geoserver data directory

  • Action: Make a ticket on clean up of admin roles and constants GEOS-11389
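
A sketch of the "centralize the check" idea above, as an added example that is not GeoServer code and not part of the minutes. The class, record and method names are hypothetical; the two role names and the two sample rules are the ones quoted earlier, and URI pattern matching is left out because both rules match every path.

```java
import java.util.*;

/** Hypothetical sketch (not GeoServer code): one central admin check used by a rule evaluator. */
public class AdminRoleCheck {
    // Both spellings appear in the minutes: the code constant and the data-directory default.
    static final String ROLE_ADMINISTRATOR = "ROLE_ADMINISTRATOR";
    static final String LOCAL_ADMIN = "ADMIN";

    /** The single place that decides whether a set of role names means "administrator". */
    static boolean isAdmin(Collection<String> roles) {
        return roles.contains(ROLE_ADMINISTRATOR) || roles.contains(LOCAL_ADMIN);
    }

    /** One "pattern;METHODS=ROLES" line; the pattern is stored but not matched in this sketch. */
    record Rule(String pattern, Set<String> methods, Set<String> roles) {
        static Rule parse(String line) {
            int semi = line.indexOf(';');
            int eq = line.indexOf('=', semi + 1);
            if (semi < 0 || eq < 0) throw new IllegalArgumentException("bad rule: " + line);
            return new Rule(line.substring(0, semi).trim(),
                    split(line.substring(semi + 1, eq)), split(line.substring(eq + 1)));
        }

        boolean allows(String method, Collection<String> userRoles) {
            if (!methods.contains(method)) return false;            // rule does not cover this verb
            if (isAdmin(roles) && isAdmin(userRoles)) return true;  // admin rule, either spelling
            return !Collections.disjoint(roles, userRoles);         // ordinary exact-name match
        }
    }

    /** Splits a comma-separated list, dropping empty entries and surrounding whitespace. */
    static Set<String> split(String csv) {
        Set<String> out = new LinkedHashSet<>();
        for (String s : csv.split(",")) if (!s.isBlank()) out.add(s.trim());
        return out;
    }

    public static void main(String[] args) {
        // The two rules quoted from rest.properties above; the role sets are constructed samples.
        Rule read = Rule.parse("/**;GET=ADMIN");
        Rule write = Rule.parse("/**;POST,DELETE,PUT=ADMIN");
        System.out.println(read.allows("GET", Set.of("ROLE_ADMINISTRATOR")));
        System.out.println(write.allows("PUT", Set.of("ADMIN")));
        System.out.println(write.allows("PUT", Set.of("ROLE_GROUP_ADMIN")));
        System.out.println(read.allows("DELETE", Set.of("ADMIN")));
    }
}
```

Runs as a single file with `java AdminRoleCheck.java` on Java 16 or later (it uses a record).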

Record of meeting minutes

Sent to email list for later reference

Also transparency as PSC.

Chit chat

Should we remove the Demo Requests page?

  • Not sure how often it is used for training (its original purpose)

  • Can it be rewritten in Javascript? Yes if we have a Javascript developer.

    Action: Open a ticket to refine Demo Page Javascript rewrite GEOS-11390