[Geoserver-devel] Match webui workspace admin functionality in the REST API

Hey all,

The mentioning of unmatched webui/rest functionality for URL checks in the other thread reminded me I wanted to bring up this topic too.

Thing is, ResourceAccessManager (default, geofence, geoserver-acl) allows defining if a user is a workspace administrator. If so, the webui will allow him to administer them, limiting the listed catalog objects accordingly.

But the matching functionality is not available through the REST API. It would make sense, IMHO, that if a user has admin rights to a workspace, it can administer it both through the webui and the rest api, allowing access to the following paths:

/rest/workspaces/ (limiting the visibility to the adminable workspaces)
/rest/workspaces/
/rest/workspaces//**
/rest/resource/workspaces/ (limiting the visibility to the adminable workspaces)
/rest/resource/workspaces//**

This can be implemented with an additional, ResourceAcessManager-backed AccessDecisionVoter in GeoServerSecurityInterceptorFilter, so that instead of fully overriding the security/rest.properties config file, it’d complement it.

Does this make sense?

···

camptocamp
INNOVATIVE SOLUTIONS
BY OPEN SOURCE EXPERTS

Gabriel Roldán
Geospatial Developer

Nice timing Gabe,

I actually ran into this disconnect last week also (testing the geocat bridge plugin which uses the REST API). It would be nice to provide access for automation limited to specific workspaces.

···

Jody Garnett

camptocamp
INNOVATIVE SOLUTIONS
BY OPEN SOURCE EXPERTS

Gabriel Roldán
Geospatial Developer

Okay, I’ll create a ticket then.

Given we can implement without breaking API I guess a GSIP wouldn’t be necessary?

Questions to Geofence experts:

An AdminRule’s grant type can be ADMIN or USER.
The semantics for ADMIN are pretty clear, but I’m having trouble determining if USER has any practical implications.
May it be that an AdminRule with USER grant should give read-only access to the workspace and its nested objects?

Also, thinking forward about this proposal, I’m wondering what’d be the right way to handle AdminRule and Rule collisions in terms of data access.
Let’s say a user has ADMIN rights to a workspace, but the data-access Rules don’t let him see that workspace.

  • Does it mean the user can admin (and hence see) the workspace and its nested objects for admin purposes, but can’t do any service requests? (GetMap, etc)
  • Should the workspace ADMIN rule override the data access rules and let him also access the workspace/layers?
···

camptocamp
INNOVATIVE SOLUTIONS
BY OPEN SOURCE EXPERTS

Gabriel Roldán
Geospatial Developer

Jody Garnett

camptocamp
INNOVATIVE SOLUTIONS
BY OPEN SOURCE EXPERTS

Gabriel Roldán
Geospatial Developer

https://osgeo-org.atlassian.net/browse/GEOS-11421

···

camptocamp
INNOVATIVE SOLUTIONS
BY OPEN SOURCE EXPERTS

Gabriel Roldán
Geospatial Developer

camptocamp
INNOVATIVE SOLUTIONS
BY OPEN SOURCE EXPERTS

Gabriel Roldán
Geospatial Developer

Jody Garnett

camptocamp
INNOVATIVE SOLUTIONS
BY OPEN SOURCE EXPERTS

Gabriel Roldán
Geospatial Developer