Alessio Fabiani created an issue

Issue Type: | |
---|---|
Affects Versions: | 2.10-RC1, 2.9.2 |
Assignee: | |
Components: | Community modules |
Created: | 05/Oct/16 4:42 PM |
Priority: | |
Reporter: | |

The new security integration requires the development of a GeoServerRoleService that will fetch the roles of a user from GeoNode itself. This proposal is generic enough that implementors other than GeoNode could implement the same interface to provide the same information to GeoServer.
GeoNode does not offer an API to extract such information, so one will have to be developed. However, implementing a GeoServerRoleService is not simply about returning the list of roles for a user; it requires implementing a larger set of methods, some optional, some mandatory.
Here is a listing of significant methods that might require calls to GeoNode (based on the LDAP role service, which similarly has to make network calls to work):
Method | Mandatory |
---|---|
getUserNamesForRole(roleName) | ? (implemented in LDAP, but I don't see actual users of this method besides a utility method that nobody uses) |
getRolesForUser(user) | Y |
getRolesForGroup(group) | |
getRoles() | Y (used by the UI) |
getParentRole(role) | |
getAdminRole() | Y |
getGroupAdminRole() | Y |
getRoleCount() | Y (does not seem to be used much, we can trivially implement it from getRoles()) |
From the above we could have the following REST API to talk to
…/roles
Returns the full list of roles (no paging required, we assume it’s small). Example response:
```json
{"roles":["r1","r2","r3"]}
```
…/adminrole
Returns the role of the administrator (yes, just one, it's strange…):
```json
{"adminRole":["root"]}
```
…/users//roles
Returns the list of roles for a particular user. Example response:
```json
{"roles":["r1","r2"]}
```
Configurable API
The GeoServerRoleService talking to a remote service could have the following config parameters:
- Base URL for the remote service
- Configurable URLs for the various calls
- JSON paths to the properties that contain the list of roles, and the one admin role
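
A sketch of how the configuration parameters above could drive URL building and response parsing, added here as an illustration and not GeoServer or GeoNode code. The `{user}` placeholder, the `geonode.example` host, every function name and the choice to return no roles on a malformed or failed response are assumptions of this example; it is written in Python for brevity, although the role service itself would be Java.

```python
import json
from urllib.parse import quote

# Hypothetical settings mirroring the config parameters listed above.
CONFIG = {
    "base_url": "https://geonode.example/api",   # placeholder host
    "user_roles_url": "/users/{user}/roles",     # {user} placeholder is assumed
    "roles_path": "roles",                       # JSON path to the role list
    "admin_role_path": "adminRole",              # JSON path to the admin role
}

def _extract(body, path):
    """Parse JSON and walk a dotted path; raise ValueError on any mismatch."""
    node = json.loads(body)  # JSONDecodeError is a ValueError subclass
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            raise ValueError(f"missing JSON path element: {key}")
        node = node[key]
    return node

def parse_roles(body, path):
    """Return role names as a frozenset; accept only a list of non-empty strings."""
    roles = _extract(body, path)
    if not isinstance(roles, list) or not all(isinstance(r, str) and r.strip() for r in roles):
        raise ValueError("roles must be a JSON array of non-empty strings")
    return frozenset(roles)

def parse_admin_role(body, path):
    """The sample response wraps the admin role in an array; require exactly one."""
    (role,) = parse_roles(body, path)  # unpacking raises ValueError unless exactly one
    return role

def user_roles_url(config, user):
    """Percent-encode the user name so it can never add or change path segments."""
    return config["base_url"] + config["user_roles_url"].format(user=quote(user, safe=""))

def roles_for_user(config, user, fetch):
    """fetch(url) returns the response body; any failure yields no roles (fail closed)."""
    try:
        return parse_roles(fetch(user_roles_url(config, user)), config["roles_path"])
    except (ValueError, OSError):
        return frozenset()

# Constructed responses standing in for the remote service (offline sample).
SAMPLE = {"https://geonode.example/api/users/alice/roles": '{"roles":["r1","r2"]}',
          "https://geonode.example/api/users/bob/roles": '{"roles":"r1"}'}
def sample_fetch(url):  # stands in for an HTTP GET; unknown URL raises OSError
    if url in SAMPLE: return SAMPLE[url]
    raise OSError(url)
```

Because role membership feeds authorization decisions, the parser rejects anything that is not the expected shape instead of coercing it, and a network or parse error leaves the user with an empty role set.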
Code location
Where should we put this new class? I’m tempted to put it in authkey, it makes a nice pair with the authkey REST key mapper.
Securing API access
In terms of security, GeoNode will limit the ability to perform requests by IP address; it's otherwise going to be open.