[Geoserver-devel] I'm looking to enhance geofence to filter transactions by insert/update/delete

We have a requirement that geoserver allow or disallow insert/update/delete specifically (on certain layers) rather than just transactions in general. I’m studying the code and developing a plan to enhance geofence in this respect. We’re using an external geofence.

I can see that the RuleReaderService.getAccessInfo() is a key interface. In all likelihood the member will not receive info in the RuleFilter that tells it whether there are insert/update/delete requests in the transaction, since that would involve forward scanning all the XML to find (or not) such tags. I’m wondering if it would be appropriate to somehow potentially return an AccessInfo that for example says to the caller, “ALLOW, but only allow update (not insert/delete)”. Then in the downstream code that executes the transaction, that code would need to be modified to receive flags that tell it which operations (insert/update/delete) are permitted and throw exceptions if it finds any that are not.

There will be other details to manage such as the geofence GUI but this is what I’m thinking at a big picture level.

Any comments from developers with geofence background are appreciated. If I can reasonably manage it I’ll do this as a contribution to the geofence product rather than just my own custom code. I’m pretty new to geoserver and geofence and learning my way around the code.

Thanks, Walter Stovall

Byers Engineering Company

Hi Walter,

I guess the study should be done the other way round:
how does geoserver deal with insert/update/delete authorization?
Is there any interface in geoserver to set up such auth info?
Once this interface is found (or implemented) in the most generic way
possible, we can start thinking about how to implement a solution in geofence.

On geofence, we may use layer_details to store some more info about the layer.
Note that at the moment we have auth on attribute access (hidden/read only/
read+write), that is a behavior that more or less resembles your use case.
So some info may be added in that class about insert/update/delete
authorization.

   Cheers,
   Emanuele

At 13:14:23 on Thursday 5 November 2015, Walter Stovall wrote:

We have a requirement that geoserver allow or disallow insert/update/delete
specifically (on certain layers) rather than just transactions in general.
I'm studying the code and developing a plan to enhance geofence in this
respect. We're using an external geofence.

I can see that the RuleReaderService.getAccessInfo() is a key interface.
In all likelihood the member will not receive info in the RuleFilter that
tells it whether there are insert/update/delete requests in the
transaction, since that would involve forward scanning all the XML to find
(or not) such tags. I'm wondering if it would be appropriate to somehow
potentially return an AccessInfo that for example says to the caller,
"ALLOW, but only allow update (not insert/delete)". Then in the
downstream code that executes the transaction, that code would need to be
modified to receive flags that tell it which operations
(insert/update/delete) are permitted and throw exceptions if it finds any
that are not.

There will be other details to manage such as the geofence GUI but this is
what I'm thinking at a big picture level.

Any comments from developers with geofence background are appreciated. If
I can reasonably manage it I'll do this as a contribution to the geofence
product rather than just my own custom code. I'm pretty new to geoserver
and geofence and learning my way around the code.

Thanks, Walter Stovall
Byers Engineering Company

--

Ing. Emanuele Tajariol
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 380 2116282

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

-------------------------------------------------------
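The check discussed in this thread (a per-layer set of permitted operations, enforced by the code that executes the transaction) can be sketched as follows. This is an added example, not GeoServer or GeoFence code: the class `TransactionOpCheck`, the `Op` enum and the `granted` map are hypothetical, and the WFS 1.0/1.1 request layout (layer taken from the `typeName` attribute for Update/Delete and from the child feature elements for Insert) is assumed.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
public class TransactionOpCheck { // hypothetical class, not part of GeoServer or GeoFence
    enum Op { Insert, Update, Delete }
    static final String WFS = "http://www.opengis.net/wfs"; // WFS 1.0/1.1 namespace
    // 'granted' is a hypothetical per-layer grant keyed "{namespaceURI}localName".
    // Keys use the resolved URI because prefixes are chosen by whoever wrote the request.
    static void check(String xml, Map<String, Set<Op>> granted) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTDs
        Element root = f.newDocumentBuilder().parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8))).getDocumentElement();
        // Validate every element before anything executes, so a mixed request is refused whole.
        for (Node n = root.getFirstChild(); n != null; n = n.getNextSibling()) {
            if (!(n instanceof Element)) continue;
            Element e = (Element) n;
            Op op;
            try {
                if (!WFS.equals(e.getNamespaceURI())) throw new IllegalArgumentException();
                op = Op.valueOf(e.getLocalName()); // anything but Insert/Update/Delete is refused
            } catch (IllegalArgumentException ex) {
                throw new SecurityException("unsupported transaction element: " + e.getNodeName());
            }
            List<String> layers = new ArrayList<>();
            if (op == Op.Insert) {
                for (Node c = e.getFirstChild(); c != null; c = c.getNextSibling())
                    if (c instanceof Element) layers.add("{" + c.getNamespaceURI() + "}" + c.getLocalName());
            } else {
                String[] q = e.getAttribute("typeName").split(":", 2);
                String uri = e.lookupNamespaceURI(q.length == 2 ? q[0] : null);
                layers.add("{" + uri + "}" + q[q.length - 1]);
            }
            for (String layer : layers) // layers without an entry get no operations at all
                if (!granted.getOrDefault(layer, Set.of()).contains(op))
                    throw new SecurityException(op + " not permitted on " + layer);
        }
    }
    public static void main(String[] args) throws Exception {
        String ns = "http://example.test/topp"; // constructed sample namespace and request
        String tx = "<wfs:Transaction xmlns:wfs='" + WFS + "' xmlns:topp='" + ns + "'>"
                + "<wfs:Update typeName='topp:roads'/><wfs:Delete typeName='topp:roads'/></wfs:Transaction>";
        check(tx, Map.of("{" + ns + "}roads", EnumSet.of(Op.Update, Op.Delete))); // accepted
        try { check(tx, Map.of("{" + ns + "}roads", EnumSet.of(Op.Update))); }
        catch (SecurityException ex) { System.out.println("rejected: " + ex.getMessage()); }
    }
}
```

Running `main` accepts the request when both Update and Delete are granted on the layer and rejects the same request when only Update is granted.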