[Geoserver-devel] [JIRA] (GEOS-11072) Catalog Mode CHALLENGE and Data security rules, more access than expected

Karsten D. created an issue

GeoServer / Bug GEOS-11072

Catalog Mode CHALLENGE and Data security rules, more access than expected

Issue Type: Bug

Affects Versions: 2.22.3

Assignee: Unassigned

Components: Security

Created: 13/Jul/23 10:06 AM

Environment: Windows 2019, Tomcat 9.0.73, Geoserver 2.22.3

Priority: Medium

Reporter: Karsten D.

Hello

I wanted to test a user setup, where one user will have admin control over one Workspace, but it seems like the user gets more access to edit than I expected.

The setup is as follows:

Catalog Mode = CHALLENGE (This is because we want to show all possible services and layers in our capability document)

User: TEST

Role: ROLE_TEST

Workspace that the user may edit and setup: Test

Data security rule is “Test.*.a” for “ROLE_TEST”

There is only the workspace, there is no datastore or anything added to it.

When this is set up, and I log on with the user TEST, I am able to edit all current Workspaces, stores and layers on the Geoserver, to some degree, way more than the Data security rule should give the user access to. How can this be?

If I set the Catalog Mode to “mixed” or “hide”, I see what is expected to be administrated by this user, the workspace.

It seems odd that the user has access to edit parts of other workspaces, stores and layers that it was not given access to in the Data Security.

Do I misunderstand the functionality?

Best regards

Karsten
