Here is the image for rules.
···
Lähettäjä: Jussila Ville [mailto:ville.jussila@…7074…]
Lähetetty: 17. elokuuta 2016 11:07
Vastaanottaja: ‘nuno.oliveira@…1107…’ <nuno.oliveira@…1107…>; ‘geoserver-users@lists.sourceforge.net’ geoserver-users@lists.sourceforge.net
Aihe: Re: [Geoserver-users] Geofence - LayerGroups
Hi Nuno,
Thanks again your answer. I understood the LIMIT rules behavior as you commented and I have only standalone plugin installed. But still unfortunately I’m not able to see raster map which data store is WorldImage. Unfortunately in your GIF there wasn’t any rules – only picture of Geofence admin GUI, Rules sheet open and “No data to display” text.
I hope you can see the attached pictures. I have these six rules. Bottommost denies access to whole service. Fifth, fourth and third rule gives access to different workspaces according to the roles. With first and second rule – the user is member of the role “helsinki” – I want to limit the layers “Hulevesikartta” and “Kiinteistokartta” to be seen only in the area
SRID=0;MULTIPOLYGON (((24.94601815481079 60.133969115637946, 24.945974007763702 60.160895510936726, 25 60.160906522783534, 25 60.13398011556427, 24.94601815481079 60.133969115637946)))
Hulevesikartta is PostGIS based layer and Kiinteistokartta uses WorldImage datastorage. First layer is published with limitation without any problem. For second layer I only get blank image. Layers outside these two rules for that user are published normally.
Best regards
Ville Jussila
Lähettäjä: Nuno Oliveira [mailto:nuno.oliveira@…1107…]
Lähetetty: 15. elokuuta 2016 15:36
Vastaanottaja: Jussila Ville <ville.jussila@…7074…>; geoserver-users@lists.sourceforge.net
Aihe: Re: VS: [Geoserver-users] Geofence - LayerGroups
Hi,
LIMIT rules only provide “limitations”, others rules will be responsible to ALLOW or DENY the access to a specific resource.
Let’s say that we have a LIMIT rule that only allow the current user to see a part of the map, if there is no other rule that
allows the user to access the map the user will get an empty map (since he is not allowed to access the resource).
On the other hand, if there is a rule that allows the current user to access the map the user will able to request the map but
will only be able to see the map content allowed by the LIMIT rule.
I made a few tests using GeoServer Master and GeoFence Master (using GeoFence stand alone) and I was able to define with
success limit rules for vectors and rasters. Note that when using GeoFence stand alone only the plugin “geofence” should be
installed (i.e. the plugin “geofence-server” should not be present).
In the GIF I send with this mail I define a rule allowing every user to do everything and a limit rule that will limit the map
content with a geometry. Note that security rules apply to all users except the admin user (he will always able to see everything).
The rules order is important, if GeoFence match against a LIMIT rules we will keep on until a rule that allow or disallow the current user
is found, if no rules allowing or disallowing a user is found by default the user will not be able to access the resource. So limit rules
should appear before the rule allowing or disallowing the user.
I perform some tests using GeoServer packed data (for vector data the layer “topp:states” and for raster
data the layer “nurc:Img_Sample”) and everything went fine.
I hope this helps.
Regards,
Nuno Oliveira
Le vendredi 12 août 2016 à 10:43 +0000, Jussila Ville a écrit :
Hi,
Thanks for your answer Nuno. Yes, your notes correlates with my tests. I share your opinion about how Geofence should work. On DENY mode all layers and Layer groups should not be listed. When ALLOWing something only that should be listed.
I tested again the LIMIT rule. Now I was able to get only limited area for layer using postgis as a data store. Found this info https://github.com/geoserver/geofence/wiki/Main-concepts how this LIMITing works.
Action
The Action specifies the outcome of the rule, if matched (by the filter) and selected (according to priority).
The two main actions are ALLOW and DENY. If one of these actions is encountered, the outcome is straightforward.
There’s also the LIMIT action. Limit ing rules add constraints to the final outcome, if it’s an ALLOWaction. Constraints can be area constraints or access mode constraints.
In order to make it clearer, here is a skeleton of the rule selection mechanism:
-
Given a filter, read all matching rules;
-
Reading the rules in the proper priority order, check:
-
if the action is limit, collect the constraints in this rule and go on examining the next rules
-
if the action is deny, the request is not authorized.
-
if the action is allow, the request is authorized; the collected constraints, if any, shall be merged and applied.
But with these helps I was not able to publish any raster image, I only get blank image.
Regards
Ville Jussila
Lähettäjä: Nuno Oliveira [mailto:nuno.oliveira@…1107…]
Lähetetty: 12. elokuuta 2016 2:13
Vastaanottaja: Jussila Ville <ville.jussila@…7074…>; geoserver-users@lists.sourceforge.net
Aihe: Re: [Geoserver-users] Geofence - LayerGroups
Hi,
Regarding layer groups doubts, GeoFence doesn’t handle layers groups it will only control access to the layers that are part of a layer group.
This means that layers groups regardless of any data rule defined in GeoFence will always show up in the listed layers and capabilities documents.
However, GeoFence will control the access to the layers that are part of the layer group. For example, if we have a layer group made of three layers
(layerA, layerB and layerC) and the current user only has read access to layers B and C when the user try to visualize the group layer he will only
see data from layers B and C but no data from layer A. Does this correlate with your tests ?
I cannot really tell if this is the intended behavior or is just a missing feature. In my opinion if all the layers that are part of a certain layer group are
not visible the layer group should not be listed and if at least one layer of the layer group is visible the layer group should be listed. Maybe one of the
developers of GeoFence can join this discussion and provide a better feedback.
Regarding the area limit rule, the area limit restriction should work the same way for rasters and vectors. When defining a area limit rule we are
saying that when an user matches that rule he will only be able to access the defined area (a geometry filter will be applied). Sorry but I don’t
understand what you mean by “Rule is successfully saved but without map output.”.
Choosing between the embedded version and stand alone version will depend on your needs. As you say the stand alone version provide more
possibilities to configure the data rules (filter by IP, attributes access, etc …). The embedded version will already be synchronized with the
GeoServer instance, although you may want to configure a backed database for production environments or you will need to do it anyway
for cluster environments. Behind the scenes the code used is the same, the embedded version UI just doens’t give you all the possibilities
to configure data rules.
I hope this help.
Regards,
Nuno Oliveira
Le mercredi 10 août 2016 à 07:35 +0000, Jussila Ville a écrit :
Hi,
I’m running Geoserver 2.9.0 with embedded Jetty from Windows installer.
I have searched information about this topic and tested this by myself for a while without any success. Is it possible to control LayerGroups with GeoFence? I have tried both embedded and standalone versions without satisfying result, layerGroups are still visible with client. Connection between Geoserver and Geofence works fine. Notes below are from using Standalone version.
I have workspace “city” in Geoserver where I have built layers and layergroups. Layergroups are pointed to that “city”-workspace. The Layergroups are built with mode Single, Named tree and Container tree depending on its usage and some of them are nested. I have found this kind of behavior when limiting access with Geofence
Geofence: DENY everything on all workspace or DENY everything on “city” workspace
- Only layergroups are visible but not accessible.
Geofence: ALLOW everything on all workspace or on “city” workspace for certain role
-
Layergroups and layers are visible and accessible for user with certain role.
-
Layergroups which are built with Single mode appears in correct Container tree Layergroup and also at the end of the list layers for user with certain role.
-
User without certain role for “city” workspaces layergroups are visible but not accessible.
Geofence: ALLOW one layer on “city” workspace for one user
How does LIMIT parameter works for raster layers? Or for vector layers as well. I tried to define an area to be published from one certain raster layer. I used this Allowed Area parameter at Layer Limits
SRID=4326;MULTIPOLYGON (((24.94601815481079 60.133969115637946, 24.945974007763702 60.160895510936726, 25 60.160906522783534, 25 60.13398011556427, 24.94601815481079 60.133969115637946)))
Rule is successfully saved but without map output.
At the moment which version should be used, embedded or Standalone version? I found more parameters from LIMIT on Standalone which I think prefers to our purposes more.
Thanks for your answer
Best Regards
Ville Jussila
Cadastral Surveyor
City of Helsinki / Real Estate Department
City Survey Division / GIS office
puh. +358 9 310 31825 tai +358 40 350 9770
ville.jussila@…7074…, www.hel.fi/kv
------------------------------------------------------------------------------
What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
patterns at an interface-level. Reveals which users, apps, and protocols are
consuming the most bandwidth. Provides multi-vendor support for NetFlow,
J-Flow, sFlow and other flows. Make informed decisions using capacity
planning reports. [http://sdm.link/zohodev2dev](http://sdm.link/zohodev2dev)
_______________________________________________
Geoserver-users mailing list
[Geoserver-users@lists.sourceforge.net](mailto:Geoserver-users@lists.sourceforge.net)
[https://lists.sourceforge.net/lists/listinfo/geoserver-users](https://lists.sourceforge.net/lists/listinfo/geoserver-users)
--
==
GeoServer Professional Services from the experts!
Visit [http://goo.gl/it488V](http://goo.gl/it488V) for more information.
==
Nuno Miguel Carvalho Oliveira
@nmcoliveira
Software Engineer
GeoSolutions S.A.S.
Via di Montramito 3/A
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 333 8128928
[http://www.geo-solutions.it](http://www.geo-solutions.it)
[http://twitter.com/geosolutions_it](http://twitter.com/geosolutions_it)
-------------------------------------------------------
AVVERTENZE AI SENSI DEL D.Lgs. 196/2003
Le informazioni contenute in questo messaggio di posta elettronica e/o nel/i file/s allegato/i sono
da considerarsi strettamente riservate. Il loro utilizzo è consentito esclusivamente al destinatario del messaggio, per le finalità indicate
nel messaggio stesso. Qualora riceviate questo messaggio senza esserne il destinatario, Vi preghiamo cortesemente di darcene notizia via e
-mail e di procedere alla distruzione del messaggio stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso, divulgarlo
anche in parte, distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per finalità diverse, costituisce comportamento contrario ai
principi dettati dal D.Lgs. 196/2003.
The information in this message and/or attachments, is intended solely for the attention and use of
the named addressee(s) and may be confidential or proprietary in nature or covered by the provisions of privacy act (Legislative Decree
June, 30 2003, no.196 - Italy's New Data Protection Code).Any use not in accord with its purpose, any disclosure, reproduction, copying,
distribution, or either dissemination, either whole or partial, is strictly forbidden except previous formal approval of the named
addressee(s). If you are not the intended recipient, please contact immediately the sender by telephone, fax or e-mail and delete the
information in this message that has been received in error. The sender does not give any warranty or accept liability as the content,
accuracy or completeness of sent messages and accepts no responsibility for changes made after they were sent or for other risks which
arise as a result of e-mail transmission, viruses, etc.
--
==
GeoServer Professional Services from the experts!
Visit [http://goo.gl/it488V](http://goo.gl/it488V) for more information.
==
Nuno Miguel Carvalho Oliveira
@nmcoliveira
Software Engineer
GeoSolutions S.A.S.
Via di Montramito 3/A
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 333 8128928
[http://www.geo-solutions.it](http://www.geo-solutions.it)
[http://twitter.com/geosolutions_it](http://twitter.com/geosolutions_it)
-------------------------------------------------------
AVVERTENZE AI SENSI DEL D.Lgs. 196/2003
Le informazioni contenute in questo messaggio di posta elettronica e/o nel/i file/s allegato/i sono
da considerarsi strettamente riservate. Il loro utilizzo è consentito esclusivamente al destinatario del messaggio, per le finalità indicate
nel messaggio stesso. Qualora riceviate questo messaggio senza esserne il destinatario, Vi preghiamo cortesemente di darcene notizia via e
-mail e di procedere alla distruzione del messaggio stesso, cancellandolo dal Vostro sistema. Conservare il messaggio stesso, divulgarlo
anche in parte, distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per finalità diverse, costituisce comportamento contrario ai
principi dettati dal D.Lgs. 196/2003.
The information in this message and/or attachments, is intended solely for the attention and use of
the named addressee(s) and may be confidential or proprietary in nature or covered by the provisions of privacy act (Legislative Decree
June, 30 2003, no.196 - Italy's New Data Protection Code).Any use not in accord with its purpose, any disclosure, reproduction, copying,
distribution, or either dissemination, either whole or partial, is strictly forbidden except previous formal approval of the named
addressee(s). If you are not the intended recipient, please contact immediately the sender by telephone, fax or e-mail and delete the
information in this message that has been received in error. The sender does not give any warranty or accept liability as the content,
accuracy or completeness of sent messages and accepts no responsibility for changes made after they were sent or for other risks which
arise as a result of e-mail transmission, viruses, etc.
