I’ve been looking at the security in GeoServer and I know this is quite a complex area. I can see that you can assign users / roles the ADMIN permission in both the out-of-the-box GeoServer and also within the GeoFence extension, but this always seems to be tied to a workspace.
Is there a way to give a user admin rights to manage users without giving them instant access to all the other functions in the admin UI?
I’d like to make it so that some users can assign other users to roles / groups but pretty much limit their access to just that. So for example I don’t want them to be able to switch on and off the WMS service or change the logging profile but I do want them to be able to assign “Jeff” to see “highways data”.
At present I’m thinking the only way of doing it would be to create a very simple UI and point it at the REST endpoints as I can’t see that it is possible in the normal UI or documentation but I thought I’d ask in case anyone else has ever tried it?
I will carry on searching, and thank you for the recent updates to deal with CVE issues. I know people put a lot of effort into the project and I am really grateful for this amazing product being available open source!
> I’ve been looking at the security in GeoServer and I know this is quite a complex area. I can see that you can assign users / roles the ADMIN permission in both the out-of-the-box GeoServer and also within the GeoFence extension, but this always seems to be tied to a workspace.
> Is there a way to give a user admin rights to manage users without giving them instant access to all the other functions in the admin UI?

I’m not sure if it’s possible within GeoServer, maybe with GeoFence? But we (Astun) have recently done something similar using an external LDAP service and Keycloak, which handles the user management outside of GeoServer, which should allow you to do what you want. I’ve submitted a talk about this for FOSS4G and am planning on writing it up as a blog post when I get some spare time.
I will make sure to read the blog post when it is out
Paul
> From: Ian Turton <ijturton@…84…>
> Sent: 23 February 2023 10:33
> To: Paul Wittle <paul.wittle@…9945…>
> Cc: geoserver-users@lists.sourceforge.net
> Subject: Re: [Geoserver-users] Question about administrative access
>
>> I’ve been looking at the security in GeoServer and I know this is quite a complex area. I can see that you can assign users / roles the ADMIN permission in both the out-of-the-box GeoServer and also within the GeoFence extension, but this always seems to be tied to a workspace.
>> Is there a way to give a user admin rights to manage users without giving them instant access to all the other functions in the admin UI?
>
> I’m not sure if it’s possible within GeoServer, maybe with GeoFence? But we (Astun) have recently done something similar using an external LDAP service and Keycloak, which handles the user management outside of GeoServer, which should allow you to do what you want. I’ve submitted a talk about this for FOSS4G and am planning on writing it up as a blog post when I get some spare time.
That is interesting, but oddly it is not working for me in my current use case, which is strange. If I give a user ADMIN and GROUP_ADMIN it all works nicely, but if I give a user GROUP_ADMIN and then a specific role granting admin to a particular workspace, they are not able to log in at all.
I suspect it is something to do with my lack of understanding of the GeoFence permissions, and I’m going on some training in the future, I hope, so it is probably just me doing something wrong, but it is good to know the use case has been investigated.
Paul
> From: Jody Garnett <jody.garnett@…84…>
> Sent: 23 February 2023 14:31
> To: Paul Wittle <paul.wittle@…9945…>
> Cc: geoserver-users@lists.sourceforge.net
> Subject: Re: [Geoserver-users] Question about administrative access
>
> Yes, this is the GROUP_ADMIN role, specifically created for “team leads” to manage the team members with access to their workspace.
> Also note you can grant admin permission to a workspace or layer. This gives users the ability to manage data publication in that workspace or layer.
> The REST API has its own permissions if you would like to provide access to scripts or tools like GeoCat Bridge for remote management.
>
>> I’ve been looking at the security in GeoServer and I know this is quite a complex area. I can see that you can assign users / roles the ADMIN permission in both the out-of-the-box GeoServer and also within the GeoFence extension, but this always seems to be tied to a workspace.
>> Is there a way to give a user admin rights to manage users without giving them instant access to all the other functions in the admin UI?
>> I’d like to make it so that some users can assign other users to roles / groups but pretty much limit their access to just that. So for example I don’t want them to be able to switch on and off the WMS service or change the logging profile, but I do want them to be able to assign “Jeff” to see “highways data”.
>> At present I’m thinking the only way of doing it would be to create a very simple UI and point it at the REST endpoints, as I can’t see that it is possible in the normal UI or documentation, but I thought I’d ask in case anyone else has ever tried it?
>> I will carry on searching, and thank you for the recent updates to deal with CVE issues. I know people put a lot of effort into the project and I am really grateful for this amazing product being available open source!
>> Cheers,
>> Paul
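As an added illustration of the workspace-level admin permission and the separate REST permissions that Jody describes (this is not from the thread or from the GeoServer project; the workspace, role and viewer names are assumed), the rule syntax GeoServer uses in its `layers.properties` data security file and its `rest.properties` REST rules file:

```properties
# --- layers.properties (data security rules; workspace and role names are assumed) ---
# A rule is <workspace>.<layer>.<access>=<roles>, where the access letter is
# r (read), w (write) or a (administer).
mode=HIDE

# Workspace-level administration: holders of ROLE_HIGHWAYS_ADMIN manage data
# publication in "highways" without holding ROLE_ADMINISTRATOR, so the global
# admin pages (service on/off switches, logging profile) stay closed to them.
highways.*.a=ROLE_HIGHWAYS_ADMIN
highways.*.w=ROLE_HIGHWAYS_ADMIN

# "Jeff" sees the highways data by being a member of the viewer role.
highways.*.r=ROLE_HIGHWAYS_VIEWER

# Everything outside "highways" stays readable by anyone (* matches any role)
# and writable only by full administrators.
*.*.r=*
*.*.w=ROLE_ADMINISTRATOR

# --- rest.properties (REST API rules, evaluated top to bottom, first match wins) ---
# Let the workspace admin role manage only its own workspace through REST,
# e.g. from a small tool or script; every other path remains ADMIN-only.
/workspaces/highways/**;GET,POST,PUT,DELETE=ROLE_HIGHWAYS_ADMIN
/**;GET=ADMIN
/**;POST,DELETE,PUT=ADMIN
```

Neither file grants the right to create users or change role assignments; that remains with the user/group and role services, which is what the GROUP_ADMIN role is for.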