Hi,
it turns out the layer group security proposal at https://github.com/geoserver/geoserver/wiki/GSIP-152
improves the situation vs layer group security, it still fails to address some use cases.
The use case in particular would be to have certain layers that are only accessible via an
opaque layer group, but not by themselves, for certain users (fixed basemap approach)
while for other users they are actually available via other other layer groups exposing them.
I’ve been thinking about it and the simplest approach I can think to also match this requirement
is to introduce a new type of layer group that would be an opaque container… it would be useful
both in non secured environments, and paired with security:
- When used without security, it would implicitly make the layers contained in it non advertised, as they would not appear anymore in the capabilities document (unlike the existing SINGLE mode, which acts as an alias but still leaves layers visible top level in the caps document). This is a common situation that we missed a handy setup for (right now one has to go and make each and every layer non advertised by hand). Mind, this does not replace “non advertised”, there are other legit uses of it, like a top level layer that is the result of a computation and might be available only temporarily.
- When used with security, it would allow expansion of the layer from the group in GetMap, but not allow access to the layer directly
In order to implement the latter the ResourceAccessManager interface would be extended with a method
that takes a layer group and returns the layers the RAM wants to allow access to, instead of having
SecureCatalogImpl just loop the contained layers one by one in isolation and authorize them directly.
The new method would of course have a default implementation to make sure the interface is not broken.
Two questions:
- Is there any objection?
- Should I make a separate GSIP for this?
Cheers
Andrea
···
==
GeoServer Professional Services from the experts! Visit
http://goo.gl/it488V for more information.
Ing. Andrea Aime
@geowolf
Technical Lead
GeoSolutions S.A.S.
Via di Montramito 3/A
55054 Massarosa (LU)
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549
http://www.geo-solutions.it
http://twitter.com/geosolutions_it
AVVERTENZE AI SENSI DEL D.Lgs. 196/2003
Le informazioni contenute in questo messaggio di posta elettronica e/o nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il loro utilizzo è consentito esclusivamente al destinatario del messaggio, per le finalità indicate nel messaggio stesso. Qualora riceviate questo messaggio senza esserne il destinatario, Vi preghiamo cortesemente di darcene notizia via e-mail e di procedere alla distruzione del messaggio stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso, divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per finalità diverse, costituisce comportamento contrario ai principi dettati dal D.Lgs. 196/2003.
The information in this message and/or attachments, is intended solely for the attention and use of the named addressee(s) and may be confidential or proprietary in nature or covered by the provisions of privacy act (Legislative Decree June, 30 2003, no.196 - Italy’s New Data Protection Code).Any use not in accord with its purpose, any disclosure, reproduction, copying, distribution, or either dissemination, either whole or partial, is strictly forbidden except previous formal approval of the named addressee(s). If you are not the intended recipient, please contact immediately the sender by telephone, fax or e-mail and delete the information in this message that has been received in error. The sender does not give any warranty or accept liability as the content, accuracy or completeness of sent messages and accepts no responsibility for changes made after they were sent or for other risks which arise as a result of e-mail transmission, viruses, etc.