Hi,
as part of our batch of WPS improvements we also are proposing a way to
secure WPS processes on a user by user basis.
Basically, we want and equivalent of the data security, but for processes.
We can see two ways of handling this:
- extending service security
- handling it more like data security
The current service security subsystem is arguably not well developed,
it does what it can at the OWS generic level, applying security checks
just checking service, request and output format, which are the bits
we can identify without having a knowledge of the protocol itself.
At the WPS level we don’t care about securing the requests themselves,
but to secure the processes themselves, which in WPS view, are
the contents of the service.
When a process is not available for a user, it should not show up in the
capabilites document, and should not be usable in the other WPS calls.
Also, while now we are just looking at making the process visible or not,
just like in data security we might want to have customizable per user
process limits, something like limiting the amount of GML/WKT a certain classes
of users can send to a certain process.
This is why I see the data security a better fit, concept wise, for the
WPS security, and I’m proposing an interface that mimicks the ResourceAccessManager
one:
public interface ProcessAccessManager {
/**
- Returns the access limits for a whole process namespace
*/
ProcessAccessLimits getAccessLimits(Authentication user, String namespace);
/**
- Returns the access limits for a single process
*/
ProcessAccessLimits getAccessLimits(Authentication user, Name process);
}
where ProcessAccessLimits would be, for the moment at least:
public class ProcessAccessLimits extents AccessLimits {
private boolean allowed;
public ProcessAccessLimits(CatalogMode mode, boolean allowed) {
super(mode);
this.allowed = allowed;
}
public boolean isAllowed() {
return allowed;
}
}
But in the future could be extended to add more limitations.
The default implementation of the ProcessAccessManager would be based on property files just like data access, using rules such as:
mode=CHALLENGE
geo.*=role1,role2
gs.import=ROLE_ADMINISTRATOR
…
The application of the rules would then use a new ProcessFilter implementation will be registered in the application context, that scans the application context for a ProcessAccessManager implementation, and if not found, builds a DefaultProcessAccessManager instance based on the property files described above.
In case the request is a GetCapabilities one, and a process/factory is in CHALLENGE mode, the code would list the processes anyways, but it would trigger a authentication request in case the current user is not authorized, and any other call is made to the WPS.
HIDE would simply hide the processes and pretend they are not there, MIXED will hide them from the capabilities, but would allow their usage in other calls if the caller has enough rights, triggering the authentication request otherwise.
The proposed approach keeps external security systems on a level playing field, allowing to build custom WPS security, and should give us space to grow in the future.
Now, this has some overlap with our current ability to turn on and off processes in WPS.
Here we have two possible approaches:
- Keep both in line, as one is geared towards what you make available, and the other to whom
- Migrate the old on/off approach to a security one, and when the old metadata is found, turn it into a security rule, by creating a file looking something ilke:
geo.buffer=*
geo.intersects=ROLE_UNAUTHORIZED
…
And then change the current user interface to work against the property files, and allow the specification or role lists on a per process basis, instead of a simple on/off checkbox.
I’m leaning towards the second, what do you think?
Also, WPS is a extension module, do you think this is worth a proposal?
Cheers
Andrea
–
==
GeoServer Professional Services from the experts! Visit
http://goo.gl/NWWaa2 for more information.
==
Ing. Andrea Aime
@geowolf
Technical Lead
GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549
http://www.geo-solutions.it
http://twitter.com/geosolutions_it
AVVERTENZE AI SENSI DEL D.Lgs. 196/2003
Le informazioni contenute in questo messaggio di posta elettronica e/o nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il loro utilizzo è consentito esclusivamente al destinatario del messaggio, per le finalità indicate nel messaggio stesso. Qualora riceviate questo messaggio senza esserne il destinatario, Vi preghiamo cortesemente di darcene notizia via e-mail e di procedere alla distruzione del messaggio stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso, divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per finalità diverse, costituisce comportamento contrario ai principi dettati dal D.Lgs. 196/2003.
The information in this message and/or attachments, is intended solely for the attention and use of the named addressee(s) and may be confidential or proprietary in nature or covered by the provisions of privacy act (Legislative Decree June, 30 2003, no.196 - Italy’s New Data Protection Code).Any use not in accord with its purpose, any disclosure, reproduction, copying, distribution, or either dissemination, either whole or partial, is strictly forbidden except previous formal approval of the named addressee(s). If you are not the intended recipient, please contact immediately the sender by telephone, fax or e-mail and delete the information in this message that has been received in error. The sender does not give any warranty or accept liability as the content, accuracy or completeness of sent messages and accepts no responsibility for changes made after they were sent or for other risks which arise as a result of e-mail transmission, viruses, etc.