On Tue, Jan 20, 2015 at 3:53 PM, Niels Charlier <niels@anonymised.com> wrote:
Hello Group,
There has been a request to allow a basic combination of layer and
service security in the integrated geoserver security subsystem.
I have made a proposal to that end:
https://github.com/geoserver/geoserver/wiki/GSIP-125---Layer-with-Service-Security
I'm very concerned about the suggested syntax and the mixing rules
interpretations,
the current design is significantly simpler and should not be broken.
The current rules use a simple "most specific rule wins" approach, which
can and
should be maintained.
The syntax should be:
workspace.layer[.service.request].r/w/a
The r/w/a should be maintained as knowing the request service and request
tells
you if the action is read/write/admin only in the common cases, but won't
work
for WPS processes, which can do pretty much all three operations inside.
So if someone writes something like this:
topp.states.r=ROLE_RESTRICTED
topp.states.wms.GetCapabilities.r=*
topp.states.wms.GetMap.r=*
It would mean that reading the topp:states layer is normally not allowed,
unless
one is using WMS GetCapabilities/GetMap.
It is also to be stressed in the proposal that the * cannot be placed
randomly,
if one starts with * everything after it must be a * too, as the
authorization subsystem
is hierarchical (see SecureTreeNode), it would not be able to match a rule
such as:
*.states.wms.GetMap.r=ROLE_WHATHEVER
This is the reason why we want to push GeoFence as a extension module,
with a possible future as a core module with a relationship with GeoServer
similar to the one with GeoWebCache (embedded by default, but usable
also outside), the IPTables paradigm used there might be harder
to parse for some (it is for me), but allows more general matches
to be expressed, there is no hierarchy restriction
Cheers
Andrea
PS: the proposal should say something about the GUI modifications too.
--
GeoServer Professional Services from the experts! Visit
http://goo.gl/NWWaa2 for more information.
Ing. Andrea Aime
@geowolf
Technical Lead
GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549
http://www.geo-solutions.it
http://twitter.com/geosolutions_it
*AVVERTENZE AI SENSI DEL D.Lgs. 196/2003*
Le informazioni contenute in questo messaggio di posta elettronica e/o
nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il
loro utilizzo è consentito esclusivamente al destinatario del messaggio,
per le finalità indicate nel messaggio stesso. Qualora riceviate questo
messaggio senza esserne il destinatario, Vi preghiamo cortesemente di
darcene notizia via e-mail e di procedere alla distruzione del messaggio
stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso,
divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od
utilizzarlo per finalità diverse, costituisce comportamento contrario ai
principi dettati dal D.Lgs. 196/2003.
The information in this message and/or attachments, is intended solely for
the attention and use of the named addressee(s) and may be confidential or
proprietary in nature or covered by the provisions of privacy act
(Legislative Decree June, 30 2003, no.196 - Italy's New Data Protection
Code).Any use not in accord with its purpose, any disclosure, reproduction,
copying, distribution, or either dissemination, either whole or partial, is
strictly forbidden except previous formal approval of the named
addressee(s). If you are not the intended recipient, please contact
immediately the sender by telephone, fax or e-mail and delete the
information in this message that has been received in error. The sender
does not give any warranty or accept liability as the content, accuracy or
completeness of sent messages and accepts no responsibility for changes
made after they were sent or for other risks which arise as a result of
e-mail transmission, viruses, etc.
-------------------------------------------------------