Hi,
I’m doing a few tests with a GeoServer 2.5.x and noticed that if I setup a workspace
specific admin the UI gets limited to a specific workspace just fine, but I’m getting
403s when trying to user the Rest API from the same user.

Shouldn’t the REST api work as well, but limit operations to the contents of
the workspace the user can admin?

Cheers
Andrea

On Mon, Nov 17, 2014 at 10:52 AM, Andrea Aime <andrea.aime@anonymised.com>
wrote:

Hi,
I'm doing a few tests with a GeoServer 2.5.x and noticed that if I setup a
workspace
specific admin the UI gets limited to a specific workspace just fine, but
I'm getting
403s when trying to user the Rest API from the same user.

Shouldn't the REST api work as well, but limit operations to the contents
of
the workspace the user can admin?

So it seems one needs to go in security/rest.properties, and add a new role,
let's call it REST_ADMIN, to the various access rules:

/**;GET=ADMIN,REST_ADMIN
/**;POST,DELETE,PUT=ADMIN,REST_ADMIN

And then go and associate this new roles to the workspace specific admin(s).

As far as I can see, this results in that user being able to access the
REST api,
and only mess with whatever is in their workspace.

There is however some differences compared to the UI, the global settings
are still visible via the REST api, and their configuration is editable!
Also global services are visible, haven't tried editing their config though.

Ugh.. this sounds like a bug.
But anyways, wanted to ask if this is how the rest access for workspace
admins
was meant to work.

Cheers
Andrea

--

GeoServer Professional Services from the experts! Visit
http://goo.gl/NWWaa2 for more information.

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

*AVVERTENZE AI SENSI DEL D.Lgs. 196/2003*

Le informazioni contenute in questo messaggio di posta elettronica e/o
nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il
loro utilizzo è consentito esclusivamente al destinatario del messaggio,
per le finalità indicate nel messaggio stesso. Qualora riceviate questo
messaggio senza esserne il destinatario, Vi preghiamo cortesemente di
darcene notizia via e-mail e di procedere alla distruzione del messaggio
stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso,
divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od
utilizzarlo per finalità diverse, costituisce comportamento contrario ai
principi dettati dal D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely for
the attention and use of the named addressee(s) and may be confidential or
proprietary in nature or covered by the provisions of privacy act
(Legislative Decree June, 30 2003, no.196 - Italy's New Data Protection
Code).Any use not in accord with its purpose, any disclosure, reproduction,
copying, distribution, or either dissemination, either whole or partial, is
strictly forbidden except previous formal approval of the named
addressee(s). If you are not the intended recipient, please contact
immediately the sender by telephone, fax or e-mail and delete the
information in this message that has been received in error. The sender
does not give any warranty or accept liability as the content, accuracy or
completeness of sent messages and accepts no responsibility for changes
made after they were sent or for other risks which arise as a result of
e-mail transmission, viruses, etc.

-------------------------------------------------------

On Mon, Nov 17, 2014 at 3:16 AM, Andrea Aime <andrea.aime@anonymised.com>
wrote:

On Mon, Nov 17, 2014 at 10:52 AM, Andrea Aime <
andrea.aime@anonymised.com> wrote:

Hi,
I'm doing a few tests with a GeoServer 2.5.x and noticed that if I setup
a workspace
specific admin the UI gets limited to a specific workspace just fine, but
I'm getting
403s when trying to user the Rest API from the same user.

Shouldn't the REST api work as well, but limit operations to the contents
of
the workspace the user can admin?

So it seems one needs to go in security/rest.properties, and add a new
role,
let's call it REST_ADMIN, to the various access rules:

/**;GET=ADMIN,REST_ADMIN
/**;POST,DELETE,PUT=ADMIN,REST_ADMIN

And then go and associate this new roles to the workspace specific
admin(s).

As far as I can see, this results in that user being able to access the
REST api,
and only mess with whatever is in their workspace.

There is however some differences compared to the UI, the global settings
are still visible via the REST api, and their configuration is editable!
Also global services are visible, haven't tried editing their config
though.

Ugh.. this sounds like a bug.
But anyways, wanted to ask if this is how the rest access for workspace
admins
was meant to work.

No, any access outside of the workspace is not intended. To be honest the
way we do security of restful services should probably be revisited. It was
implemented before the big security refactor and could probably be done in
a more sensible way.

Cheers
Andrea

--

GeoServer Professional Services from the experts! Visit
http://goo.gl/NWWaa2 for more information.

Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions S.A.S.
Via Poggio alle Viti 1187
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549

http://www.geo-solutions.it
http://twitter.com/geosolutions_it

*AVVERTENZE AI SENSI DEL D.Lgs. 196/2003*

Le informazioni contenute in questo messaggio di posta elettronica e/o
nel/i file/s allegato/i sono da considerarsi strettamente riservate. Il
loro utilizzo è consentito esclusivamente al destinatario del messaggio,
per le finalità indicate nel messaggio stesso. Qualora riceviate questo
messaggio senza esserne il destinatario, Vi preghiamo cortesemente di
darcene notizia via e-mail e di procedere alla distruzione del messaggio
stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso,
divulgarlo anche in parte, distribuirlo ad altri soggetti, copiarlo, od
utilizzarlo per finalità diverse, costituisce comportamento contrario ai
principi dettati dal D.Lgs. 196/2003.

The information in this message and/or attachments, is intended solely for
the attention and use of the named addressee(s) and may be confidential or
proprietary in nature or covered by the provisions of privacy act
(Legislative Decree June, 30 2003, no.196 - Italy's New Data Protection
Code).Any use not in accord with its purpose, any disclosure, reproduction,
copying, distribution, or either dissemination, either whole or partial, is
strictly forbidden except previous formal approval of the named
addressee(s). If you are not the intended recipient, please contact
immediately the sender by telephone, fax or e-mail and delete the
information in this message that has been received in error. The sender
does not give any warranty or accept liability as the content, accuracy or
completeness of sent messages and accepts no responsibility for changes
made after they were sent or for other risks which arise as a result of
e-mail transmission, viruses, etc.

-------------------------------------------------------

------------------------------------------------------------------------------
Download BIRT iHub F-Type - The Free Enterprise-Grade BIRT Server
from Actuate! Instantly Supercharge Your Business Reports and Dashboards
with Interactivity, Sharing, Native Excel Exports, App Integration & more
Get technology previously reserved for billion-dollar corporations, FREE

http://pubads.g.doubleclick.net/gampad/clk?id=157005751&iu=/4140/ostg.clktrk
_______________________________________________
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel

--
Justin Deoliveira
VP Engineering | Boundless <http://boundlessgeo.com/&gt;
jdeolive@anonymised.com
@boundlessgeo <http://twitter.com/boundlessgeo/&gt;