[Geoserver-devel] Securing WPS processes

Hi,
as part of our batch of WPS improvements we also are proposing a way to
secure WPS processes on a user by user basis.

Basically, we want and equivalent of the data security, but for processes.
We can see two ways of handling this:

  • extending service security
  • handling it more like data security

The current service security subsystem is arguably not well developed,
it does what it can at the OWS generic level, applying security checks
just checking service, request and output format, which are the bits
we can identify without having a knowledge of the protocol itself.

At the WPS level we don’t care about securing the requests themselves,
but to secure the processes themselves, which in WPS view, are
the contents of the service.
When a process is not available for a user, it should not show up in the
capabilites document, and should not be usable in the other WPS calls.

Also, while now we are just looking at making the process visible or not,
just like in data security we might want to have customizable per user
process limits, something like limiting the amount of GML/WKT a certain classes
of users can send to a certain process.

This is why I see the data security a better fit, concept wise, for the
WPS security, and I’m proposing an interface that mimicks the ResourceAccessManager
one:

public interface ProcessAccessManager {

/**

  • Returns the access limits for a whole process namespace

*/

ProcessAccessLimits getAccessLimits(Authentication user, String namespace);

/**

  • Returns the access limits for a single process

*/

ProcessAccessLimits getAccessLimits(Authentication user, Name process);

}

where ProcessAccessLimits would be, for the moment at least:

public class ProcessAccessLimits extents AccessLimits {

private boolean allowed;

public ProcessAccessLimits(CatalogMode mode, boolean allowed) {

super(mode);

this.allowed = allowed;

}

public boolean isAllowed() {

return allowed;

}

}

But in the future could be extended to add more limitations.

The default implementation of the ProcessAccessManager would be based on property files just like data access, using rules such as:

mode=CHALLENGE
geo.*=role1,role2
gs.import=ROLE_ADMINISTRATOR

The application of the rules would then use a new ProcessFilter implementation will be registered in the application context, that scans the application context for a ProcessAccessManager implementation, and if not found, builds a DefaultProcessAccessManager instance based on the property files described above.

In case the request is a GetCapabilities one, and a process/factory is in CHALLENGE mode, the code would list the processes anyways, but it would trigger a authentication request in case the current user is not authorized, and any other call is made to the WPS.

HIDE would simply hide the processes and pretend they are not there, MIXED will hide them from the capabilities, but would allow their usage in other calls if the caller has enough rights, triggering the authentication request otherwise.

The proposed approach keeps external security systems on a level playing field, allowing to build custom WPS security, and should give us space to grow in the future.

Now, this has some overlap with our current ability to turn on and off processes in WPS.
Here we have two possible approaches:

  • Keep both in line, as one is geared towards what you make available, and the other to whom
  • Migrate the old on/off approach to a security one, and when the old metadata is found, turn it into a security rule, by creating a file looking something ilke:
    geo.buffer=*
    geo.intersects=ROLE_UNAUTHORIZED

    And then change the current user interface to work against the property files, and allow the specification or role lists on a per process basis, instead of a simple on/off checkbox.
    I’m leaning towards the second, what do you think?

Also, WPS is a extension module, do you think this is worth a proposal?

Cheers
Andrea

==

GeoServer Professional Services from the experts! Visit
http://goo.gl/NWWaa2 for more information.

==

Ing. Andrea Aime

@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

AVVERTENZE AI SENSI DEL D.Lgs. 196/2003

Le informazioni contenute in questo messaggio di posta elettronica e/o nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il loro utilizzo è consentito esclusivamente al destinatario del messaggio, per le finalità indicate nel messaggio stesso. Qualora riceviate questo messaggio senza esserne il destinatario, Vi preghiamo cortesemente di darcene notizia via e-mail e di procedere alla distruzione del messaggio stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso, divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per finalità diverse, costituisce comportamento contrario ai principi dettati dal D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely for the attention and use of the named addressee(s) and may be confidential or proprietary in nature or covered by the provisions of privacy act (Legislative Decree June, 30 2003, no.196 - Italy’s New Data Protection Code).Any use not in accord with its purpose, any disclosure, reproduction, copying, distribution, or either dissemination, either whole or partial, is strictly forbidden except previous formal approval of the named addressee(s). If you are not the intended recipient, please contact immediately the sender by telephone, fax or e-mail and delete the information in this message that has been received in error. The sender does not give any warranty or accept liability as the content, accuracy or completeness of sent messages and accepts no responsibility for changes made after they were sent or for other risks which arise as a result of e-mail transmission, viruses, etc.


On Thu, Oct 23, 2014 at 11:08 AM, Andrea Aime <andrea.aime@anonymised.com>
wrote:

And then change the current user interface to work against the property
files, and allow the specification or role lists on a per process basis,
instead of a simple on/off checkbox.
I'm leaning towards the second, what do you think?

As a possible interesting alternative, we can forget about the property
file, and work off the existing on/off process configuration,
which is based on the following interface:

public interface ProcessGroupInfo extends Info, Cloneable {

    /**
     * The process factory class (only means to identify it)
     */
    public Class<? extends ProcessFactory> getFactoryClass();

    /**
     * Sets the process factory class
     *
     * @param factoryClass
     */
    public void setFactoryClass(Class<? extends ProcessFactory>
factoryClass);

    /**
     * True if the factory is enabled, false otherwise
     *
     * @return
     */
    public boolean isEnabled();

    /**
     * Enables/disables the factory
     *
     * @param enabled
     */
    public void setEnabled(boolean enabled);

    /**
     * The list of processes generated by this factory that needs to be
filtered out (disabled)
     *
     * @return
     */
    public List<Name> getFilteredProcesses();

    /**
     * The metadata map, can contain any sort of information that non core
plugins might use to
     * handle information related to this factory
     *
     * @return
     */
    MetadataMap getMetadata();

    /**
     * Creares a copy of this class
     * @return
     */
    ProcessGroupInfo clone();

}

In order to maintain backwards compatibility we could extend it so that: t
has a list of roles that can access it (when enabled).
And then the list of process names being filtered could be replaced by a
list of ProcessInfo beans (something that Justin
was pushing for when we discussed the ability to turn on and off processes)
that do contain, for the time being,
a on/off flag, and a list of roles that can access them, but could be
expanded later to also contain process limits.

It builds on what we have, and keeps this configuration integrated with the
main WPS config, making it
also readily available for REST usage.

Cheers
Andrea

--

GeoServer Professional Services from the experts! Visit
http://goo.gl/NWWaa2 for more information.

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

*AVVERTENZE AI SENSI DEL D.Lgs. 196/2003*

Le informazioni contenute in questo messaggio di posta elettronica e/o
nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il
loro utilizzo è consentito esclusivamente al destinatario del messaggio,
per le finalità indicate nel messaggio stesso. Qualora riceviate questo
messaggio senza esserne il destinatario, Vi preghiamo cortesemente di
darcene notizia via e-mail e di procedere alla distruzione del messaggio
stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso,
divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od
utilizzarlo per finalità diverse, costituisce comportamento contrario ai
principi dettati dal D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely for
the attention and use of the named addressee(s) and may be confidential or
proprietary in nature or covered by the provisions of privacy act
(Legislative Decree June, 30 2003, no.196 - Italy's New Data Protection
Code).Any use not in accord with its purpose, any disclosure, reproduction,
copying, distribution, or either dissemination, either whole or partial, is
strictly forbidden except previous formal approval of the named
addressee(s). If you are not the intended recipient, please contact
immediately the sender by telephone, fax or e-mail and delete the
information in this message that has been received in error. The sender
does not give any warranty or accept liability as the content, accuracy or
completeness of sent messages and accepts no responsibility for changes
made after they were sent or for other risks which arise as a result of
e-mail transmission, viruses, etc.

-------------------------------------------------------

I do remember bringing up the idea of making processes a first class citizen in the catalog. Basically come up with a ProcessInfo and extends ResourceInfo and then be able to use data security to apply access rules to them. Is that what you’re talking about here? I am thinking maybe not?

···

On Thu, Oct 23, 2014 at 3:53 AM, Andrea Aime <andrea.aime@anonymised.com> wrote:



Geoserver-devel mailing list
Geoserver-devel@anonymised.comsts.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel

Justin Deoliveira
VP Engineering | Boundless
jdeolive@anonymised.com
@boundlessgeo

On Thu, Oct 23, 2014 at 11:08 AM, Andrea Aime <andrea.aime@anonymised.com> wrote:

And then change the current user interface to work against the property files, and allow the specification or role lists on a per process basis, instead of a simple on/off checkbox.
I’m leaning towards the second, what do you think?

As a possible interesting alternative, we can forget about the property file, and work off the existing on/off process configuration,
which is based on the following interface:

public interface ProcessGroupInfo extends Info, Cloneable {

/**

  • The process factory class (only means to identify it)
    */
    public Class<? extends ProcessFactory> getFactoryClass();

/**

  • Sets the process factory class
  • @param factoryClass
    */
    public void setFactoryClass(Class<? extends ProcessFactory> factoryClass);

/**

  • True if the factory is enabled, false otherwise
  • @return
    */
    public boolean isEnabled();

/**

  • Enables/disables the factory
  • @param enabled
    */
    public void setEnabled(boolean enabled);

/**

  • The list of processes generated by this factory that needs to be filtered out (disabled)
  • @return
    */
    public List getFilteredProcesses();

/**

  • The metadata map, can contain any sort of information that non core plugins might use to
  • handle information related to this factory
  • @return
    */
    MetadataMap getMetadata();

/**

  • Creares a copy of this class
  • @return
    */
    ProcessGroupInfo clone();

}

In order to maintain backwards compatibility we could extend it so that: t has a list of roles that can access it (when enabled).
And then the list of process names being filtered could be replaced by a list of ProcessInfo beans (something that Justin
was pushing for when we discussed the ability to turn on and off processes) that do contain, for the time being,
a on/off flag, and a list of roles that can access them, but could be expanded later to also contain process limits.

It builds on what we have, and keeps this configuration integrated with the main WPS config, making it
also readily available for REST usage.

Cheers

Andrea

==

GeoServer Professional Services from the experts! Visit
http://goo.gl/NWWaa2 for more information.

==

Ing. Andrea Aime

@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

AVVERTENZE AI SENSI DEL D.Lgs. 196/2003

Le informazioni contenute in questo messaggio di posta elettronica e/o nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il loro utilizzo è consentito esclusivamente al destinatario del messaggio, per le finalità indicate nel messaggio stesso. Qualora riceviate questo messaggio senza esserne il destinatario, Vi preghiamo cortesemente di darcene notizia via e-mail e di procedere alla distruzione del messaggio stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso, divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per finalità diverse, costituisce comportamento contrario ai principi dettati dal D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely for the attention and use of the named addressee(s) and may be confidential or proprietary in nature or covered by the provisions of privacy act (Legislative Decree June, 30 2003, no.196 - Italy’s New Data Protection Code).Any use not in accord with its purpose, any disclosure, reproduction, copying, distribution, or either dissemination, either whole or partial, is strictly forbidden except previous formal approval of the named addressee(s). If you are not the intended recipient, please contact immediately the sender by telephone, fax or e-mail and delete the information in this message that has been received in error. The sender does not give any warranty or accept liability as the content, accuracy or completeness of sent messages and accepts no responsibility for changes made after they were sent or for other risks which arise as a result of e-mail transmission, viruses, etc.


On Fri, Oct 24, 2014 at 3:47 PM, Justin Deoliveira <
jdeolive@anonymised.com> wrote:

I do remember bringing up the idea of making processes a first class
citizen in the catalog. Basically come up with a ProcessInfo and extends
ResourceInfo and then be able to use data security to apply access rules to
them. Is that what you're talking about here? I am thinking maybe not?

Oh no, not going to those extent, that would require a major amount of
extra work.
Just want to store these ProcessInfo objects, that contain information
about how to limit access to the process and its inputs,
inside WPSInfo (well, inside ProcessFactoryInfo, that is already in the
metadata map)

Cheers
Andrea

--

GeoServer Professional Services from the experts! Visit
http://goo.gl/NWWaa2 for more information.

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

*AVVERTENZE AI SENSI DEL D.Lgs. 196/2003*

Le informazioni contenute in questo messaggio di posta elettronica e/o
nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il
loro utilizzo è consentito esclusivamente al destinatario del messaggio,
per le finalità indicate nel messaggio stesso. Qualora riceviate questo
messaggio senza esserne il destinatario, Vi preghiamo cortesemente di
darcene notizia via e-mail e di procedere alla distruzione del messaggio
stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso,
divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od
utilizzarlo per finalità diverse, costituisce comportamento contrario ai
principi dettati dal D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely for
the attention and use of the named addressee(s) and may be confidential or
proprietary in nature or covered by the provisions of privacy act
(Legislative Decree June, 30 2003, no.196 - Italy's New Data Protection
Code).Any use not in accord with its purpose, any disclosure, reproduction,
copying, distribution, or either dissemination, either whole or partial, is
strictly forbidden except previous formal approval of the named
addressee(s). If you are not the intended recipient, please contact
immediately the sender by telephone, fax or e-mail and delete the
information in this message that has been received in error. The sender
does not give any warranty or accept liability as the content, accuracy or
completeness of sent messages and accepts no responsibility for changes
made after they were sent or for other risks which arise as a result of
e-mail transmission, viruses, etc.

-------------------------------------------------------

Also, WPS is a extension module, do you think this is worth a proposal?

Yep, I view extensions as managed as part of GeoServer (they are optional
in the sense that they are not required as part of every install, but they
are critical for much a portion of our user base).

Jody