[Geoserver-users] How to give rights to one layer from secured workspace?

Hi all,

I have a workspace with restricted access:

hasici.*.r=ROLE_HASICI
hasici.*.w=ROLE_HASICI
hasici.*.a=ROLE_HASICI

And I have one layer in the workspace, that should be accessible to more people than the others:

hasici.pest.r=ROLE_HASICI,ROLE_PEST

Then I have a user, who does have ROLE_PEST assigned, and does not have the ROLE_HASICI assigned. I assume he should be able to see the layer pest. He logs into geoserver web, and he can see the layer 'hasici:pest' in the 'Layer Preview' list as expected. But when he clicks the 'OpenLayers' link, 404 is shown. The layer can be seen by the users who have the ROLE_HASICI assigned.

Am I missing something? How should this be configured?

Thank you very much for your advice,

Michal

layer_preview.log (3.64 KB)

Hi Michal,
I’m not really involved in the geoserver security module, but I think the problem could be in some conflict between “layer security” and “service security”: if I’m not wrong “layer preview” uses the WMS service.

http://docs.geoserver.org/2.3.2/user/security/layer.html

ciao
Michele


Hi Michele,

thank you for your answer. No, I am not using service security at all. Of course I do ask for the layer through OWS (and that is what I want to do in the map application as well), but I don't use the service security to configure it. The file service.properties is present, but contains comments only.

The thing is, when I try to restrict the access to one particular layer more (only to people who have the access to the whole ws and have some additional rights), it works, but when I try to give the access to one particular layer to more people, who don't have rights to the whole ws, it fails. The layer is shown in the available preview list, but 404 is returned.

Kind regards,

Michal


Hi all,

the only way I see that works is to unsecure the whole workspace and secure every layer instead:

#hasici.*.r=ROLE_HASICI
#hasici.*.w=ROLE_HASICI
hasici.*.a=ROLE_HASICI

hasici.pest.r=ROLE_HASICI, ROLE_PEST
hasici.pest.w=ROLE_HASICI
hasici.chemicals.r=ROLE_HASICI
hasici.chemicals.w=ROLE_HASICI
...

This way I can secure all the layers of the workspace and meanwhile give the access rights to one layer to more people. I don't like it very much though, as it adds a lot of config lines and also, if accidentally one layer of the workspace is forgotten, it is left unsecured.

Is this the only solution that should work? If I uncomment the first two lines and secure the workspace, then a user with the ROLE_PEST and without the ROLE_HASICI gets 404 when requesting the layer...

Using GeoServer 2.3.2.

Kind regards,

Michal
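
The risk described in the message above (a layer forgotten once the workspace-wide rules are commented out) can be checked mechanically. The following is an added example, not part of the original thread and not GeoServer code; the layer inventory, the `hydrants` layer and the function names are constructed for illustration. It only reports whether any rule names a layer and does not model how GeoServer evaluates roles or catalogue modes.

```python
# Added example: find layers that no access rule covers.
# SAMPLE_RULES is a constructed sample modelled on the workaround in the thread.
SAMPLE_RULES = """\
#hasici.*.r=ROLE_HASICI
#hasici.*.w=ROLE_HASICI
hasici.*.a=ROLE_HASICI

hasici.pest.r=ROLE_HASICI, ROLE_PEST
hasici.pest.w=ROLE_HASICI
hasici.chemicals.r=ROLE_HASICI
hasici.chemicals.w=ROLE_HASICI
"""

# Constructed inventory; "hydrants" is a hypothetical layer that was forgotten.
SAMPLE_LAYERS = {"hasici": ["pest", "chemicals", "hydrants"]}


def parse_rules(text):
    """Return {(workspace, layer, mode): [roles]} from properties-style text."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue  # blank line, commented-out rule, or not a key=value pair
        key, value = line.split("=", 1)
        parts = key.strip().split(".")
        if len(parts) != 3:
            continue  # not a workspace.layer.mode access rule
        roles = [r.strip() for r in value.split(",") if r.strip()]
        rules[tuple(parts)] = roles
    return rules


def covering_rule(rules, ws, layer, mode):
    """Most specific rule key naming this layer, or None.

    Assumed lookup order: layer rule, workspace wildcard, global wildcard.
    """
    for key in ((ws, layer, mode), (ws, "*", mode), ("*", "*", mode)):
        if key in rules:
            return key
    return None


def uncovered_layers(rules, inventory, modes=("r", "w")):
    """List 'ws.layer.mode' entries for which no rule exists at any level."""
    findings = []
    for ws, layers in sorted(inventory.items()):
        for layer in layers:
            for mode in modes:
                if covering_rule(rules, ws, layer, mode) is None:
                    findings.append(f"{ws}.{layer}.{mode}")
    return findings


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_RULES)
    for finding in uncovered_layers(parsed, SAMPLE_LAYERS):
        print("no rule covers", finding)
```

Run against the real rules file and a layer list exported from the catalogue, an empty result means every layer is named by at least one read and one write rule.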


Hi all,

the following configuration does not allow a user with ROLE_2 only to read the layer1 from workspace ws:

  ws.*.r=ROLE_1
  ws.*.w=ROLE_1
  ws.*.a=ROLE_1

  ws.layer1.r=ROLE_1,ROLE_2

Is it a bug or is it an expected behaviour?

Kind regards,

Michal


Hi Michal,

I don’t know the answer to your question but I tried the following:


Hi Michele, all, yes and no:

Yes, thanks a lot, the suggested workaround works, switching the catalogue mode to "challenge" helps.

No, this workaround is unfortunately not suitable. We use the "hide" mode. We need to hide the layers that the user does not have access to from the capabilities document, it would create a mess in our map client.

Should I lodge a bug?

To briefly repeat the story:

The layer1 is secured:

ws.layer1.r=ROLE_READ_L1

but cannot be seen by a user who DOES HAVE the ROLE_READ_L1 if

   ws.*.r=OTHER_ROLE

or

   *.*.r=OTHER_ROLE

is set.

It does appear in the LayerPreview list, but requesting the map results in 404.

GeoServer 2.3.2 and 2.3.3. Log attached.

Kind Regards,

Michal

On 2013-07-09 11:55, Michele Beneventi wrote:

Hi Michal,

I don't know answer about your question but I tried the following:

-----
ws.*.r=ROLE_1
ws.*.w=ROLE_1
ws.*.a=ROLE_1

ws.layer1.r=ROLE_2

with catalogue mode turned to "challenge"
-----

as a result I got that ROLE_2 can see all the catalogues layers, but
it can access (Read) only layer1.

could it be a workaround?

Regards
Michele


security log (3.75 KB)