Hey David,
I think Christian is going to have to weigh in here but yes, as it stands right now it seems the authentication provider has the responsibility of adding both the “psuedo” ROLE_ADMINISTATOR and whatever the active role service has the admin role.
Looking at how this happens with the default authentication privider, the chain is basically this.
- UsernamePasswordAuthetnication provider authenticates by looking up the user in the local xml user group database
- XMLuserGroupService loads the user, and calculates the assigned role
- XMLuserGroupService delegates to the RoleCalculator class to basically check for the local admin role, and when present addes in the pseudo role as well
So I guess authentication providers could/should make use of RoleCalculator to do the same. It would however be nice if this was more explicit.
An alternative for the geonode security plugin could be to implement a custom user group service rather than a custom authentication provider… or perhaps both.
On Wed, Jun 27, 2012 at 4:43 PM, David Winslow <dwinslow@anonymised.com> wrote:
Hi all, I’m looking into bringing GeoNode’s security extensions in line with the changes merged last week. Prior to the changes, GeoNode simply assigned ROLE_ADMINISTRATOR to users with admin privileges - but afterward this seems insufficient for a user to make changes in the REST API. When I spoke with Justin, he recommended using the following code to dynamically retrieve the administrative role from the current role service.
GeoServerSecurityManager manager = GeoServerExtensions.bean(GeoServerSecurityManager.class);
GeoServerRoleService roleService = manager.getActiveRoleService();
GeoServerRole effectiveAdmin = roleService.getAdminRole();
This didn’t quite do the trick and, after some digging, we ended up giving admin users both this effectiveAdminRole and GeoServerRole.ADMIN_ROLE. A debugger shows that this is what’s happening in the default configuration as well - if you log in as administrator in the default GeoServer configuration on trunk, you’ll be a user with both “ADMIN” (the default admin role for the default service) and “ROLE_ADMINISTRATOR” (the reserved system role.) I guess this means that AuthenticationProviders are responsible for the “mapping” between ADMIN_ROLE and the local admin role mentioned in http://jira.codehaus.org/browse/GEOS-5101 ? Is that appropriate/intended?
–
David Winslow
OpenGeo - http://opengeo.org/
Live Security Virtual Conference
Exclusive live event will cover all the ways today’s security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
Geoserver-devel mailing list
Geoserver-devel@anonymised.comsts.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel
–
Justin Deoliveira
OpenGeo - http://opengeo.org
Enterprise support for open source geospatial.