[Geoserver-users] Geofence interaction with geoserver REST API

Hi,

Currently using gs 2.3.2 with catalog in CHALLENGE mode, I can list the
workspaces via the geoserver REST API and all are shown. My goal is to
allow non-privileged users to POST layers & styles into a workspace on
which they have write access, which works fine in the setup I have now,
with *.*.a=ROLE_AUTHENTICATED + mode=CHALLENGE.

I'm planning a migration to gs 2.5.4 + geofence (coming from
https://github.com/georchestra/geoserver /
https://github.com/georchestra/geofence), and in this setup it doesn't
seem possible to list all workspaces via REST as a non-admin user. Note
that this is lagging a bit behind 'upstream' geoserver/geofence, and
doesn't have the geofence admin page in the geoserver web UI.

Some questions:
- does geofence automatically switch the catalog to mode=HIDDEN ?
- according to
https://github.com/geosolutions-it/geofence/wiki/First-steps, geofence
should allow non-privileged users to see data in workspaces via the
geoserver web interface; I suppose the same dataset is shown via the
geoserver REST API ?
- how should I configure geofence/geoserver to grant write rights for
uploading layers *and* styles via REST to users in their dedicated
workspace ?
- with geofence, does layers.properties still apply to grant admin/write
rights to a role, or does geofence completely override this too ? Is it
replaced by the 'Authenticated users can write' checkbox in the geofence
admin page - and if so, does it apply on top of geofence rules (i.e. does it mean
'users can write *in the workspaces geofence allows them*') ?

Note: the download links on https://github.com/geoserver/geofence/wiki
pointing to http://build.geo-solutions.it/ seem down, which means one
has to build geofence to try it.

Thanks,
Landry

On 01/20/15 10:03, Landry Breuil wrote:

> Hi,
>
> Currently using gs 2.3.2 with catalog in CHALLENGE mode, I can list the
> workspaces via the geoserver REST API and all are shown. My goal is to
> allow non-privileged users to POST layers & styles into a workspace on
> which they have write access, which works fine in the setup I have now,
> with *.*.a=ROLE_AUTHENTICATED + mode=CHALLENGE.
>
> I'm planning a migration to gs 2.5.4 + geofence (coming from
> https://github.com/georchestra/geoserver /
> https://github.com/georchestra/geofence), and in this setup it doesn't
> seem possible to list all workspaces via REST as a non-admin user. Note
> that this is lagging a bit behind 'upstream' geoserver/geofence, and
> doesn't have the geofence admin page in the geoserver web UI.
>
> Some questions:
> - does geofence automatically switch the catalog to mode=HIDDEN ?
> - according to
> https://github.com/geosolutions-it/geofence/wiki/First-steps, geofence
> should allow non-privileged users to see data in workspaces via the
> geoserver web interface; I suppose the same dataset is shown via the
> geoserver REST API ?

I've done some testing with
http://build.geo-solutions.it/geofence/nightly/latest/geofence.war and
http://build.geo-solutions.it/geofence/nightly/latest/2.5.x/geoserver.war,
following https://github.com/geosolutions-it/geofence/wiki/First-steps -
a 'tiger' user can indeed only see the layer previews he's been granted
access to via the geoserver web interface, but the same user doesn't see
'his' workspaces/layers via REST.

$ curl -u tiger:tiger http://localhost:8080/geoserver/rest/layers.xml

<layers/>

This is with rest.properties containing:

/**;GET=ROLE_AUTHENTICATED
/**;POST,DELETE,PUT=ADMIN

If I try to explicitly access a workspace the user is supposed to have
access to, there's a traceback in geoserver.log which seems to refer to
http://jira.codehaus.org/browse/GEOS-5069.

$ curl -u tiger:tiger http://localhost:8080/geoserver/rest/workspaces/topp.xml
No such workspace: topp

2015-01-20 11:41:42,527 ERROR [geoserver.rest] - No such workspace: topp
2015-01-20 11:41:42,527 ERROR [geoserver.rest] - org.geoserver.rest.RestletException
  at org.geoserver.catalog.rest.WorkspaceFinder.findTarget(WorkspaceFinder.java:33)
  at org.restlet.Finder.handle(Finder.java:268)
  at org.geoserver.rest.BeanDelegatingRestlet.handle(BeanDelegatingRestlet.java:37)
  at org.restlet.Filter.doHandle(Filter.java:105)
  at org.restlet.Filter.handle(Filter.java:134)
  at org.restlet.Router.handle(Router.java:444)
  at org.geoserver.rest.RESTDispatcher$1.handle(RESTDispatcher.java:204)
  at com.noelios.restlet.ext.servlet.ServletConverter.service(ServletConverter.java:129)
  at org.geoserver.rest.RESTDispatcher.handleRequestInternal(RESTDispatcher.java:86)

Can anyone else reproduce this issue, and try to explain why it fails
this way ? Is there some additional configuration to do in the
authentication filters ? Or is it a problem with geofence itself ? Note
that when calling REST URLs, geofence doesn't seem to be queried at all; I don't
see anything logged.

Landry

On 01/20/15 11:47, Landry Breuil wrote:

> On 01/20/15 10:03, Landry Breuil wrote:
>
>> Hi,
>>
>> Currently using gs 2.3.2 with catalog in CHALLENGE mode, I can list the
>> workspaces via the geoserver REST API and all are shown. My goal is to
>> allow non-privileged users to POST layers & styles into a workspace on
>> which they have write access, which works fine in the setup I have now,
>> with *.*.a=ROLE_AUTHENTICATED + mode=CHALLENGE.
>>
>> I'm planning a migration to gs 2.5.4 + geofence (coming from
>> https://github.com/georchestra/geoserver /
>> https://github.com/georchestra/geofence), and in this setup it doesn't
>> seem possible to list all workspaces via REST as a non-admin user. Note
>> that this is lagging a bit behind 'upstream' geoserver/geofence, and
>> doesn't have the geofence admin page in the geoserver web UI.
>>
>> Some questions:
>> - does geofence automatically switch the catalog to mode=HIDDEN ?
>> - according to
>> https://github.com/geosolutions-it/geofence/wiki/First-steps, geofence
>> should allow non-privileged users to see data in workspaces via the
>> geoserver web interface; I suppose the same dataset is shown via the
>> geoserver REST API ?
>
> I've done some testing with
> http://build.geo-solutions.it/geofence/nightly/latest/geofence.war and
> http://build.geo-solutions.it/geofence/nightly/latest/2.5.x/geoserver.war,
> following https://github.com/geosolutions-it/geofence/wiki/First-steps -
> a 'tiger' user can indeed only see the layer previews he's been granted
> access to via the geoserver web interface, but the same user doesn't see
> 'his' workspaces/layers via REST.
>
> $ curl -u tiger:tiger http://localhost:8080/geoserver/rest/layers.xml
>
> <layers/>
>
> This is with rest.properties containing:
>
> /**;GET=ROLE_AUTHENTICATED
> /**;POST,DELETE,PUT=ADMIN
>
> If I try to explicitly access a workspace the user is supposed to have
> access to, there's a traceback in geoserver.log which seems to refer to
> http://jira.codehaus.org/browse/GEOS-5069.
>
> $ curl -u tiger:tiger http://localhost:8080/geoserver/rest/workspaces/topp.xml
> No such workspace: topp
>
> 2015-01-20 11:41:42,527 ERROR [geoserver.rest] - No such workspace: topp
> 2015-01-20 11:41:42,527 ERROR [geoserver.rest] - org.geoserver.rest.RestletException
>   at org.geoserver.catalog.rest.WorkspaceFinder.findTarget(WorkspaceFinder.java:33)
>   at org.restlet.Finder.handle(Finder.java:268)
>   at org.geoserver.rest.BeanDelegatingRestlet.handle(BeanDelegatingRestlet.java:37)
>   at org.restlet.Filter.doHandle(Filter.java:105)
>   at org.restlet.Filter.handle(Filter.java:134)
>   at org.restlet.Router.handle(Router.java:444)
>   at org.geoserver.rest.RESTDispatcher$1.handle(RESTDispatcher.java:204)
>   at com.noelios.restlet.ext.servlet.ServletConverter.service(ServletConverter.java:129)
>   at org.geoserver.rest.RESTDispatcher.handleRequestInternal(RESTDispatcher.java:86)
>
> Can anyone else reproduce this issue, and try to explain why it fails
> this way ? Is there some additional configuration to do in the
> authentication filters ? Or is it a problem with geofence itself ? Note
> that when calling REST URLs, geofence doesn't seem to be queried at all; I don't
> see anything logged.

I've posted more follow-up in https://github.com/georchestra/georchestra/issues/887, but after adding some debug logging calls to src/main/src/main/java/org/geoserver/security/SecureCatalogImpl.java it seems to me that checkAccess() in filterWorkspaces() is the call that prevents my user from seeing all workspaces:

With this diff: https://gist.github.com/landryb/3c64f83030f387558d59

Here's what I get with a non-privileged user which has access when geofence is not enabled:

[geoserver.security] - testing geor_loc for principal testeditor
[geoserver.security] - nope, denied
[geoserver.security] - testing wmsproxy for principal testeditor
[geoserver.security] - nope, denied

And here's what I get with an admin.

[geoserver.security] - testing geor_loc for principal testadmin
[geoserver.security] - testing wmsproxy for principal testadmin

So, geofence is acting somewhere around here... at least i know the codepath used.

--
Landry Breuil
Mouton a 5 pattes du CRAIG
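
The first message relies on a layers.properties rule plus the catalog mode, and the last one traces the denial to SecureCatalogImpl.checkAccess(). The following is an added example, not code from this thread nor from GeoServer, GeoFence or geOrchestra: a small model of how GeoServer resolves layers.properties rules (workspace.layer.mode=roles, the most specific rule per mode wins, ROLE_ADMINISTRATOR bypasses everything) and how the catalog mode (HIDE, MIXED, CHALLENGE) turns a denied decision into what a REST client sees. The sample layers.properties, the role names ROLE_TIGER and ROLE_TOPP, the workspace names and the status strings are constructed for illustration; the "no rule matches means allow" and "workspace admin implies read and write" behaviours are assumptions stated in the code. GeoFence swaps in its own ResourceAccessManager, so this models the layers.properties path only.

```python
"""Model of GeoServer layers.properties resolution and catalog mode (added example)."""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

ADMIN_ROLE = "ROLE_ADMINISTRATOR"   # GeoServer's built-in administrator role
ANON_ROLE = "ROLE_ANONYMOUS"        # role Spring Security gives unauthenticated callers
ANY = "*"

# Constructed sample file for this example (not a real deployment's file).
# tiger.*.a is the least-privilege form of the thread's *.*.a=ROLE_AUTHENTICATED.
SAMPLE_LAYERS_PROPERTIES = """
# catalog mode: HIDE, MIXED or CHALLENGE
mode=HIDE
*.*.r=*
*.*.w=ROLE_ADMINISTRATOR
tiger.*.a=ROLE_TIGER
topp.*.r=ROLE_TOPP
topp.states.r=*
"""


@dataclass(frozen=True)
class Rule:
    workspace: str          # workspace name or '*'
    layer: str              # layer name or '*'
    mode: str               # 'r' read, 'w' write, 'a' workspace admin
    roles: FrozenSet[str]   # role names, or {'*'} for everyone


def parse_layers_properties(text: str) -> Tuple[str, List[Rule]]:
    """Parse layers.properties into (catalog mode, rules). Mode defaults to HIDE."""
    catalog_mode = "HIDE"
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "mode":
            catalog_mode = value.upper()
            continue
        parts = key.split(".")
        if len(parts) != 3 or parts[2] not in ("r", "w", "a"):
            raise ValueError("malformed rule: %r" % raw)
        roles = frozenset(r.strip() for r in value.split(",") if r.strip())
        rules.append(Rule(parts[0], parts[1], parts[2], roles))
    return catalog_mode, rules


def _lookup(rules: List[Rule], workspace: str, layer: str, mode: str) -> Optional[Rule]:
    """Most specific rule carrying this mode: layer, then workspace, then global."""
    for ws, ly in ((workspace, layer), (workspace, ANY), (ANY, ANY)):
        for rule in rules:
            if rule.workspace == ws and rule.layer == ly and rule.mode == mode:
                return rule
    return None


def _grants(rule: Optional[Rule], user_roles: FrozenSet[str]) -> bool:
    return rule is not None and (ANY in rule.roles or bool(rule.roles & user_roles))


def allowed(rules: List[Rule], user_roles: FrozenSet[str],
            workspace: str, layer: str, mode: str) -> bool:
    """Decide 'mode' access to workspace:layer for a user holding user_roles.

    Assumptions of this model: a workspace admin ('a') also gets read and
    write on that workspace, and no matching rule at all means allow, as with
    the stock file that ships *.*.r=* and *.*.w=*.
    """
    if ADMIN_ROLE in user_roles:
        return True
    if mode in ("r", "w") and _grants(_lookup(rules, workspace, layer, "a"), user_roles):
        return True
    rule = _lookup(rules, workspace, layer, mode)
    return True if rule is None else _grants(rule, user_roles)


def rest_list(catalog_mode: str, rules: List[Rule], user_roles: FrozenSet[str],
              workspaces: List[str]) -> List[str]:
    """Workspaces a GET /rest/workspaces listing shows: HIDE and MIXED filter
    denied entries out, CHALLENGE lists everything and challenges on access."""
    if catalog_mode == "CHALLENGE":
        return list(workspaces)
    return [ws for ws in workspaces if allowed(rules, user_roles, ws, ANY, "r")]


def rest_get(catalog_mode: str, rules: List[Rule], user_roles: FrozenSet[str],
             workspace: str) -> str:
    """Outcome of GET /rest/workspaces/<ws>. In HIDE a denied workspace looks
    nonexistent; otherwise anonymous callers get a 401 challenge and
    authenticated-but-unauthorized callers a 403 (status strings are illustrative)."""
    if allowed(rules, user_roles, workspace, ANY, "r"):
        return "200 OK"
    if catalog_mode == "HIDE":
        return "404 No such workspace: %s" % workspace
    if ANON_ROLE in user_roles:
        return "401 authentication challenge"
    return "403 Forbidden"


if __name__ == "__main__":
    mode, rules = parse_layers_properties(SAMPLE_LAYERS_PROPERTIES)
    tiger = frozenset({"ROLE_AUTHENTICATED", "ROLE_TIGER"})
    print(mode, rest_list(mode, rules, tiger, ["tiger", "topp", "sf"]))
    print(rest_get(mode, rules, tiger, "topp"))
```

Two things the model makes visible: `*.*.a=ROLE_AUTHENTICATED`, the rule from the first message, hands workspace-admin rights on every workspace to every authenticated user, whereas a per-workspace rule such as `tiger.*.a=ROLE_TIGER` confines the user to the workspace they are meant to publish into; and in HIDE mode a denied workspace is indistinguishable from a missing one, which is exactly what a "No such workspace" answer to a direct REST request looks like.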