GeoServer

Allow per-workspace service security rule

Details

  • Type: Improvement Improvement
  • Status: Closed Closed
  • Priority: Major Major
  • Resolution: Not A Bug
  • Affects Version/s: 2.1.3
  • Fix Version/s: 2.1.3
  • Component/s: Security
  • Labels:
    None
  • Environment:
    Linux Debian Squeeze
  • Number of attachments :
    0

Description

I know it's stated on http://docs.geoserver.org/stable/en/user/security/layer.html that layer security and service security, but i was wondering if it'd be possible to have per-workspace (not even per-layer) service ACL.

My usecase is simple : i want two workspaces for two different targets :

  • one public workspace where the published data is available freely to anyone via WMS/WFS/WCS
  • one 'private' workspace where the user need to login (http auth) to access WMS/WFS/WCS

As it is now, i didnt find a way to implement that in GeoServer itself. You either allow full access to a service on all workspaces, or restrict services on all workspaces to a role via http auth.

I can still put the http auth on my frontend reverse proxy (my users are in a LDAP), but it'd be nice to have that directly integrated in GeoServer.

How hard would it be to implement that ? After all it's "just" adding a workspace key to service acls (or a service key to data acls..) in the UI and in the access backend. Would it be a wanted feature, or against GeoServer's design ?

Sorry if this bug report is a duplicate, didnt find a similar subject in the open issues.

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Andrea Aime added a comment -

Layer level security allows to setup a per workspace authentication. Use the "CHALLENGE" catalog mode and a security rule like myprivateworkspace.*=MY_SECRET_ROLE

Show
Andrea Aime added a comment - Layer level security allows to setup a per workspace authentication. Use the "CHALLENGE" catalog mode and a security rule like myprivateworkspace.*=MY_SECRET_ROLE
Hide
Permalink
Landry Breuil added a comment -

You're right, that works (tried with QGIS). That wasn't totally obvious from the documentation. If i get it right (and from basic testing it seems to be that), the 'mixed' catalog mode also trigger a 401 on the GetCapabilities & other requests ? Ie, hide all the workspace behind an authentification.

From my POV, resolving the issue.

Show
Landry Breuil added a comment - You're right, that works (tried with QGIS). That wasn't totally obvious from the documentation. If i get it right (and from basic testing it seems to be that), the 'mixed' catalog mode also trigger a 401 on the GetCapabilities & other requests ? Ie, hide all the workspace behind an authentification. From my POV, resolving the issue.
Hide
Permalink
Andrea Aime added a comment -

No, the mixed mode hides the layers in GetCapabilities and challenges only if you directly access a layer, it's meant for people sharing a direct link to the OL preview of that layer or a KML extraction

Show
Andrea Aime added a comment - No, the mixed mode hides the layers in GetCapabilities and challenges only if you directly access a layer, it's meant for people sharing a direct link to the OL preview of that layer or a KML extraction
Hide
Permalink
Andrea Aime added a comment -

Switching all issues that have been in "resolved" state for more than one month without further comments to "closed" status

Show
Andrea Aime added a comment - Switching all issues that have been in "resolved" state for more than one month without further comments to "closed" status

People

  • Assignee:
    Andrea Aime
    Reporter:
    Landry Breuil
Vote (0)
Watch (2)

Dates

  • Created:
    Updated:
    Resolved: