[Geoserver-users] Question about geoserver user configuration and REST API

Dear all,

I have a server installed with OpenGeo 4.02 (GeoServer 2.4) on a Windows 8 server.
I want to use this server for labs with my undergraduate students in geomatics.
The goal we wish to achieve is that each student has a GeoServer user with which to publish their data in a workspace, doing so with the OpenGeo QGIS plugin.

I've been testing different configurations and it is only possible if users have the ADMIN ROLE. I tried to change the rest.properties file in the security folder with the GeoServer ROLE AUTHENTICATED and it is not possible.

The problem with assigning the ADMIN ROLE to users (students) is that they have control of user management from the web and leave the server unprotected.

Is there any way for users to connect to GeoServer with the OpenGeo QGIS plugin, to download the catalog, publish data, etc., without those users being ADMIN?

Best regards,
Miguel A. Manso

Hi Miguel

I fear this is not possible. You would need something like ROLE_WORSPACE_AMDIN with a role parameter specifying the workspace name.

The security subsystem allows role parameters like ROLE_WORSPACE_AMDIN(workspace=<empty or default workspace>). For the users, you can add profile attributes like

student1(workspace=wsstudent1).

During authentication, user student1 will get the role ROLE_WORSPACE_AMDIN(workspace=wsstudent1).

The missing part is the access control logic restricting admin access to a specific user.

Cheers
Christian

DI Christian Mueller MSc (GIS), MSc (IT-Security)
OSS Open Source Solutions GmbH

Hi Christian

Ok, I understand it's complicated. Thank you.

Another possibility might be to restrict access to the GeoServer web management interface to a given set of IP addresses.
Could the Jetty included in OpenGeo (Boundless) restrict access to the web interface to a limited set of IP addresses?

Regards,

Miguel A. Manso


I do not use Jetty, but I think Tomcat 7 gives you the possibility. Look here:

http://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#Remote_Address_Filter

Cheers
Christian
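
An added example (not from the thread or from the GeoServer project) of the Tomcat 7 Remote Address Filter linked above, as it could be declared in the GeoServer webapp's WEB-INF/web.xml. It assumes GeoServer is deployed in Tomcat 7 rather than the bundled Jetty and that the admin UI is served under /web/ inside the webapp; the filter name and the 192.0.2.x lab range are constructed placeholders.

```xml
<!-- Added example: restrict the GeoServer web admin UI to known addresses.
     Place this filter-mapping before the other filter mappings in web.xml
     so the address check runs first in the filter chain. -->
<filter>
  <!-- "AdminUiAddressFilter" is a hypothetical name chosen for this example -->
  <filter-name>AdminUiAddressFilter</filter-name>
  <filter-class>org.apache.catalina.filters.RemoteAddrFilter</filter-class>
  <init-param>
    <param-name>allow</param-name>
    <!-- "allow" is a java.util.regex pattern matched against the whole
         remote address, so literal dots must be escaped.
         Loopback (IPv4 and IPv6) plus a constructed lab range 192.0.2.0-255;
         replace the range with the instructor workstation addresses. -->
    <param-value>127\.\d+\.\d+\.\d+|::1|0:0:0:0:0:0:0:1|192\.0\.2\.\d+</param-value>
  </init-param>
</filter>

<filter-mapping>
  <filter-name>AdminUiAddressFilter</filter-name>
  <!-- Assumption: the admin UI lives under /web/ within the GeoServer
       context. Requests to other paths are not checked by this filter. -->
  <url-pattern>/web/*</url-pattern>
</filter-mapping>
```

The filter only covers the mapped path, so accounts holding the admin role keep those rights on any path left unmapped, such as REST. If Tomcat sits behind a reverse proxy, the remote address it sees is the proxy's, and the allow pattern has to account for that.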
