[Geoserver-users] Question about administrative access

Morning,

I’ve been looking at the security in GeoServer and I know this is quite a complex area. I can see that you can assign users / roles the ADMIN permission in both the out of the box GeoServer and also within the GeoFence extension but this always seems to be tied to a workspace.

Is there a way to give a user admin rights to manage users without giving them instant access to all the other functions in the admin UI?

I’d like to make it so that some users can assign other users to roles / groups but pretty much limit their access to just that. So for example I don’t want them to be able to switch on and off the WMS service or change the logging profile but I do want them to be able to assign “Jeff” to see “highways data”.

At present I’m thinking the only way of doing it would be to create a very simple UI and point it at the REST endpoints as I can’t see that it is possible in the normal UI or documentation but I thought I’d ask in case anyone else has ever tried it?

I will carry on searching and thank you for the recent updates to deal with CVE issues. I know people put a lot of effort into the project and I am really grateful for this amazing product being available open source!

Cheers,

Paul

On Thu, 23 Feb 2023 at 09:54, Paul Wittle via Geoserver-users <geoserver-users@lists.sourceforge.net> wrote:

Morning,

I’ve been looking at the security in GeoServer and I know this is quite a complex area. I can see that you can assign users / roles the ADMIN permission in both the out of the box GeoServer and also within the GeoFence extension but this always seems to be tied to a workspace.

Is there a way to give a user admin rights to manage users without giving them instant access to all the other functions in the admin UI?

I’m not sure if it’s possible within GeoServer, maybe with GeoFence? But we (Astun) have recently done something similar using an external LDAP service and KeyCloak, which handles the user management outside of GeoServer and should allow you to do what you want. I’ve submitted a talk about this for FOSS4G and am planning on writing it up as a blog post when I get some spare time.

Ian

Thanks for that Ian,

I will make sure to read the blog post when it is out :blush:

Paul


Yes, think of the GROUP_ADMIN role, specifically created for “team leads” to manage the team members with access to their workspace.

Also note you can grant admin permission to a workspace or layer. This gives users the ability to manage data publication in that workspace or layer.

The REST API has its own permissions if you would like to provide access to scripts or tools like GeoCat Bridge for remote management.

Jody Garnett

Hi Jody,

That is interesting but oddly not working for me in my current use case which is strange. If I give a user ADMIN and GROUP_ADMIN it all works nicely but if I give a user GROUP_ADMIN and then a specific role granting admin to a particular workspace they are not able to log in at all.

I suspect it is something to do with my lack of understanding of the GeoFence permissions and I’m going on some training in the future I hope so probably just me doing something wrong but good to know the user case has been investigated.

Paul


Jody Garnett

I am not sure how this works with GeoFence (which offers much more control/complexity).

Please try with just a plain GeoServer.

Please note that there are two separate things:

  1. Granting a user GROUP_ADMIN allows the use of the user administration screen in the GeoServer web admin console
  2. Granting a user r/w/a access for a workspace grants the ability to use the data management pages in the web admin console

Granting a user ADMIN access unlocks everything …

Jody Garnett
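The two separate mechanisms Jody describes are easy to confuse when reviewing a data directory, so here is an added example (not code from the thread or from the GeoServer project) that parses a constructed `layers.properties` fragment and reports, for a given set of roles, which workspaces carry an `a` (admin) grant and whether the user also holds one of the built-in ADMIN/GROUP_ADMIN roles that unlock user administration. The role names, the sample file, and the helper names are invented; the precedence it applies (a layer rule overrides a workspace rule, which overrides a global rule) is my reading of the GeoServer layer-security documentation, so verify it against the version you run.

```python
"""Evaluate the effective r/w/a access a set of roles gets from a GeoServer
layers.properties file.  Added example with a constructed sample file; the
"most specific rule wins" precedence (layer over workspace over global) follows
the GeoServer layer-security docs as I read them, and all role names are invented.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample: a restricted "highways" workspace with a viewer role and a
# team-lead role that also holds the 'a' (workspace admin) permission.
SAMPLE_LAYERS_PROPERTIES = """\
# constructed sample layers.properties
mode=HIDE
*.*.r=*
*.*.w=NO_ONE
highways.*.r=ROLE_HIGHWAYS_VIEWER,ROLE_HIGHWAYS_ADMIN
highways.*.w=ROLE_HIGHWAYS_ADMIN
highways.*.a=ROLE_HIGHWAYS_ADMIN
highways.roadworks.r=ROLE_HIGHWAYS_ADMIN
"""

# Built-in roles that unlock the user/group administration pages; these are
# granted through the role service, never through layers.properties.
USER_ADMIN_ROLES = frozenset({"ADMIN", "GROUP_ADMIN"})


@dataclass(frozen=True)
class Rule:
    workspace: str          # workspace name or '*'
    layer: str              # layer name or '*'
    perm: str               # 'r', 'w' or 'a'
    roles: frozenset[str]   # roles listed after '=' (may contain '*' or 'NO_ONE')

    def matches(self, workspace: str, layer: str) -> bool:
        return self.workspace in ("*", workspace) and self.layer in ("*", layer)

    @property
    def specificity(self) -> int:
        # Exact layer (2) beats exact workspace with wildcard layer (1) beats global (0).
        return int(self.workspace != "*") + int(self.layer != "*")


def parse_layers_properties(text: str) -> list[Rule]:
    """Parse '<workspace>.<layer>.<perm>=<role>[,<role>...]' lines; skip mode= and comments."""
    rules: list[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key == "mode":
            continue
        parts = key.split(".")
        if len(parts) != 3 or parts[2] not in ("r", "w", "a"):
            raise ValueError(f"malformed rule: {line!r}")
        roles = frozenset(r.strip() for r in value.split(",") if r.strip())
        rules.append(Rule(parts[0], parts[1], parts[2], roles))
    return rules


def effective_access(rules: list[Rule], user_roles, workspace: str, layer: str, perm: str) -> bool:
    """True if the most specific rule for `perm` on workspace/layer grants one of user_roles."""
    candidates = [r for r in rules if r.perm == perm and r.matches(workspace, layer)]
    if not candidates:
        # Checker's conservative choice: no governing rule means no access.
        # (A real data directory normally carries global *.*.r / *.*.w rules.)
        return False
    rule = max(candidates, key=lambda r: r.specificity)
    if "NO_ONE" in rule.roles:
        return False
    if "*" in rule.roles:
        return True
    return bool(rule.roles & frozenset(user_roles))


def summarize_user(rules: list[Rule], user_roles) -> dict:
    """Separate the two things the thread distinguishes: user administration
    (ADMIN / GROUP_ADMIN) versus per-workspace 'a' grants from layers.properties."""
    roles = frozenset(user_roles)
    workspaces = sorted({r.workspace for r in rules if r.workspace != "*"})
    return {
        "user_admin": bool(roles & USER_ADMIN_ROLES),
        "full_admin": "ADMIN" in roles,
        "workspace_admin": [ws for ws in workspaces
                            if effective_access(rules, roles, ws, "*", "a")],
    }


if __name__ == "__main__":
    rules = parse_layers_properties(SAMPLE_LAYERS_PROPERTIES)
    for who, roles in [("anonymous", set()),
                       ("viewer", {"ROLE_HIGHWAYS_VIEWER"}),
                       ("team lead", {"GROUP_ADMIN", "ROLE_HIGHWAYS_ADMIN"})]:
        print(who, summarize_user(rules, roles),
              "read roadworks:", effective_access(rules, roles, "highways", "roadworks", "r"))
```

Run against the sample, a "team lead" holding GROUP_ADMIN plus the highways admin role shows `user_admin` true and `workspace_admin` limited to `highways`, while a user with only the workspace role gets data-management rights there but no user administration, which is the split Jody's two points describe. The same parser can be pointed at a real data directory's `layers.properties` to review who actually holds `a` on each workspace.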