-
Notifications
You must be signed in to change notification settings - Fork 1
GSIP 152
Andrea Aime
This proposal is for GeoServer 2.11-beta, with intention to backport to 2.10.x after the cooldown period.
- Under Discussion
- In Progress
- Completed
- Rejected
- Deferred
GeoServer own ResourceAccessManager interface already supports security layer groups, however no officially supported security implementation deals with them and the semantics of groups configured in tree mode is not well defined.
This proposal aims at adding support for layer groups in GeoServer default "layer security" subsystem, by extending the current security syntax, and properly define relationships between the security of a layer group and the one of its underlying layers.
The current data access security is defined in a property file based on the following syntax:
workspace.layer.permission=role[,role2,...]
Layer groups can occur both at the global and workspace level, so the syntax will be extended as follows:
globalGroupName.permission=role[,role2,...]
workspace.layerGroupName.permission=role[,role2,...]
The first definition uses a new structure, thus poses no backwards compatibility issue. The second one, used for workspace specific groups, has the same structure as the old one, causing potential issues with layers given the same name as layer groups. However, the situation is quickly solved as the same problem arises when issuing a GetMap, in which the layer is always preferred. The same approach will be used in security rules, in case of conflict the reference will point to the layer.
Layer groups come in two main types, single, which is a shortcut to a layer list with no visible structure to the users, and the various *tree modes, that visibly contain the layers in the capabilities document.
Security wise, the following rules will apply (if and only if the current service is WMS):
- Denying access to a single group will have no consequences on the contained layers, which will continue to be available
- Denying access to a tree group will cause all nested layers and groups to be denied as well
- The above rule does not apply to layers that are still available from a separate layer group whose access is not denied (as multiple layer groups can contain the same layer or nested group)
The above rules will be implemented in DefaultResourceAccessManager.
Layer groups are a construct specific to WMS, as such, their security will not influence access to feature types and coverages from WFS and WCS. In case denying access to the layers is desired also on other protocols, rules specific to the layers will also have to be setup.
The proposal is fully backwards compatible.
Project Steering Committee:
- Alessio Fabiani:
- Andrea Aime:
- Ben Caradoc-Davies:
- Brad Hards:
- Christian Mueller:
- Ian Turton:
- Jody Garnett:
- Jukka Rahkonen:
- Kevin Smith:
- Simone Giannecchini:
©2020 Open Source Geospatial Foundation