
GSIP 121

jodygarnett edited this page Dec 12, 2014 · 1 revision

GSIP 121 - WPS process security

Overview

Proposed By

Andrea Aime

Assigned to Release

GeoServer 2.7.0

State

  • Under Discussion
  • In Progress
  • Completed
  • Rejected
  • Deferred

Motivation

Today a WPS process is either available to all users or turned off completely. Service level security cannot cover process availability either, as it is based on the least common denominator of all OGC protocols (service, request, output format).

This proposal aims at making certain processes available to a selected set of users instead, using the usual role based authorization.

Pluggable WPS security interface

Processes make up the content of a WPS service: they are listed in the capabilities document and can then be used in DescribeProcess and Execute calls. Also, similarly to layers, process availability can be thought of not only in terms of the ability to execute a process, but also in terms of how big its inputs can be, how long it can be left running, and so on.

Even if the current proposal limits itself to making processes available or not, the following interface is proposed; it mimics the ResourceAccessManager and returns an object that can be expanded, in the future, to cover limitations other than mere process availability:

public interface ProcessAccessManager {

    /**
     * Returns the access limits for a whole process namespace
     */
    ProcessAccessLimits getAccessLimits(Authentication user, String namespace);

    /**
     * Returns the access limits for a single process
     */
    ProcessAccessLimits getAccessLimits(Authentication user, Name process);
}

public class ProcessAccessLimits extends AccessLimits {
    private boolean allowed;

    public ProcessAccessLimits(CatalogMode mode, boolean allowed) {
        super(mode);
        this.allowed = allowed;
    }

    /**
     * True if the current user is allowed to see and execute the process
     */
    public boolean isAllowed() {
        return allowed;
    }
}

The security subsystem will be implemented as a ProcessFilter that will hide certain processes/factories and will also take into account the HIDE/CHALLENGE/MIXED catalog modes:

  • in HIDE mode the processes not available to the current user will simply be removed, denying their existence to the clients
  • in CHALLENGE mode all the processes will be listed in the GetCapabilities output, but an authentication request will be raised if a secured process is requested via DescribeProcess or Execute by a user that does not have sufficient access rights
  • in MIXED mode the secured processes will be hidden from the GetCapabilities document, but an authentication request will be raised if a secured process is requested anyway via DescribeProcess or Execute by a user that does not have sufficient access rights

The ProcessFilter will look up an implementation of ProcessAccessManager in the Spring application context; if none is found, a default one based on the internal GeoServer configuration will be used.

Configuration and GUI

Currently process availability is configured in the WPS page and stored in the WPSInfo metadata map as a ProcessGroupInfo bean:

public interface ProcessGroupInfo extends Info, Cloneable {

    /**
     * The process factory class (only means to identify it)
     */
    public Class<? extends ProcessFactory> getFactoryClass();

    /**
     * Sets the process factory class
     * 
     * @param factoryClass
     */
    public void setFactoryClass(Class<? extends ProcessFactory> factoryClass);

    /**
     * True if the factory is enabled, false otherwise
     * 
     * @return
     */
    public boolean isEnabled();

    /**
     * Enables/disables the factory
     * 
     * @param enabled
     */
    public void setEnabled(boolean enabled);

    /**
     * The list of processes generated by this factory that need to be filtered out (disabled)
     * 
     * @return
     */
    public List<Name> getFilteredProcesses();

    /**
     * The metadata map, can contain any sort of information that non core plugins might use to
     * handle information related to this factory
     * 
     * @return
     */
    MetadataMap getMetadata();
    
    /**
     * Creates a copy of this class
     * @return
     */
    ProcessGroupInfo clone();

}

We propose the following changes to this bean:

  • A list of roles that can access the factory will be attached to the group (by default, "*" will be used to signify "all users")
  • The "filtered processes" list will be replaced by a list of ProcessAccessInfo beans:

public interface ProcessAccessInfo extends Info, Cloneable {

    boolean isEnabled();

    List<String> getRoles();
}
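To show how the pieces above fit together (the ProcessAccessManager default implementation, the factory and per-process role lists, and the HIDE/CHALLENGE/MIXED behaviour of the ProcessFilter), here is an added, self-contained example. It is not GeoServer code and not part of the proposal: CatalogMode, User, ProcessName and the two configuration records are stand-ins for the GeoServer and Spring Security types, the role names and process names are constructed, and the rule that a disabled factory or process is always dropped regardless of catalog mode is an assumption of this example.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Set;

/** Run with: java WpsSecurityDemo.java (Java 16+ for records). */
public class WpsSecurityDemo {

    // Stand-ins for GeoServer's CatalogMode, Spring's Authentication and GeoTools' Name (assumptions)
    enum CatalogMode { HIDE, CHALLENGE, MIXED }
    record User(String name, Set<String> roles) {}
    record ProcessName(String namespace, String local) {
        @Override public String toString() { return namespace + ":" + local; }
    }
    // Mirrors the proposed ProcessAccessInfo bean: enabled flag plus role list
    record ProcessAccessInfo(boolean enabled, List<String> roles) {}
    // Mirrors ProcessGroupInfo with the proposed additions: roles on the factory,
    // per-process ProcessAccessInfo entries instead of the "filtered processes" list
    record ProcessGroupInfo(String namespace, boolean enabled, List<String> roles,
                            Map<String, ProcessAccessInfo> processes) {}

    static class AccessDenied extends RuntimeException {
        AccessDenied(String msg) { super(msg); }
    }

    /** Default manager built from the configuration beans, used when no Spring bean overrides it. */
    static class DefaultProcessAccessManager {
        private final Map<String, ProcessGroupInfo> groups = new HashMap<>();

        DefaultProcessAccessManager(List<ProcessGroupInfo> config) {
            for (ProcessGroupInfo g : config) groups.put(g.namespace(), g);
        }

        /** "*" grants everyone, including anonymous users (empty role set). */
        static boolean hasRole(User user, List<String> roles) {
            if (roles.contains("*")) return true;
            for (String r : roles) if (user.roles().contains(r)) return true;
            return false;
        }

        /** Enabled flags are hard switches (assumption): not subject to the catalog mode. */
        boolean isEnabled(ProcessName p) {
            ProcessGroupInfo g = groups.get(p.namespace());
            if (g == null || !g.enabled()) return false;
            ProcessAccessInfo pa = g.processes().get(p.local());
            return pa == null || pa.enabled();
        }

        /** Factory roles and, where configured, process roles must both match the user. */
        boolean isAllowed(User user, ProcessName p) {
            if (!isEnabled(p)) return false;
            ProcessGroupInfo g = groups.get(p.namespace());
            if (!hasRole(user, g.roles())) return false;
            ProcessAccessInfo pa = g.processes().get(p.local());
            return pa == null || hasRole(user, pa.roles());
        }
    }

    /** The filter applies HIDE / CHALLENGE / MIXED on top of the manager's yes/no answer. */
    static class ProcessFilter {
        private final DefaultProcessAccessManager manager;
        private final CatalogMode mode;

        ProcessFilter(DefaultProcessAccessManager manager, CatalogMode mode) {
            this.manager = manager;
            this.mode = mode;
        }

        /** GetCapabilities: CHALLENGE lists every enabled process, HIDE and MIXED only the allowed ones. */
        List<ProcessName> capabilities(User user, List<ProcessName> all) {
            List<ProcessName> visible = new ArrayList<>();
            for (ProcessName p : all) {
                if (!manager.isEnabled(p)) continue;
                if (mode == CatalogMode.CHALLENGE || manager.isAllowed(user, p)) visible.add(p);
            }
            return visible;
        }

        /** DescribeProcess / Execute: HIDE denies the process exists, CHALLENGE and MIXED
         *  raise an authentication request (an HTTP 401 challenge in the real service). */
        void checkAccess(User user, ProcessName p) {
            if (manager.isAllowed(user, p)) return;
            if (mode == CatalogMode.HIDE || !manager.isEnabled(p))
                throw new AccessDenied("No such process: " + p);
            throw new AccessDenied("Authentication required for process " + p);
        }
    }

    public static void main(String[] args) {
        // Constructed configuration: gs:Buffer open to all, gs:Clip for ROLE_EDITOR only,
        // gs:Legacy disabled, whole "raster" factory restricted to ROLE_ADMIN
        Map<String, ProcessAccessInfo> gsProcesses = new HashMap<>();
        gsProcesses.put("Clip", new ProcessAccessInfo(true, List.of("ROLE_EDITOR")));
        gsProcesses.put("Legacy", new ProcessAccessInfo(false, List.of("*")));
        ProcessGroupInfo gs = new ProcessGroupInfo("gs", true, List.of("*"), gsProcesses);
        ProcessGroupInfo raster = new ProcessGroupInfo("raster", true, List.of("ROLE_ADMIN"), Map.of());

        DefaultProcessAccessManager manager = new DefaultProcessAccessManager(List.of(gs, raster));
        List<ProcessName> all = List.of(new ProcessName("gs", "Buffer"), new ProcessName("gs", "Clip"),
                new ProcessName("gs", "Legacy"), new ProcessName("raster", "Contour"));
        User anonymous = new User("anonymous", Set.of());
        User editor = new User("alice", Set.of("ROLE_EDITOR"));

        for (CatalogMode mode : CatalogMode.values()) {
            ProcessFilter filter = new ProcessFilter(manager, mode);
            System.out.println(mode + " capabilities, anonymous: " + filter.capabilities(anonymous, all));
            System.out.println(mode + " capabilities, alice:     " + filter.capabilities(editor, all));
            try {
                filter.checkAccess(anonymous, new ProcessName("gs", "Clip"));
            } catch (AccessDenied e) {
                System.out.println(mode + " Execute gs:Clip as anonymous -> " + e.getMessage());
            }
        }
    }
}
```

Running it shows the difference between the modes directly: in HIDE and MIXED the anonymous capabilities contain only gs:Buffer, in CHALLENGE they also list gs:Clip and raster:Contour (never the disabled gs:Legacy), and an anonymous Execute of gs:Clip is answered with "No such process" in HIDE but with an authentication request in CHALLENGE and MIXED. The split between isEnabled and isAllowed is what keeps an administratively disabled process from leaking into the CHALLENGE capabilities, which is the detail worth checking when the real filter is implemented.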

On the user interface side, the list of process groups currently found at the end of the WPS page will be moved into a Processes page under Security, and table based editing of roles will be added to the existing GUI.

Process access table

The role editor will provide auto-completion to ease correct entering of values, without disallowing quick copy and paste of role lists from one process definition to another.

Feedback

Backwards Compatibility

The previous configuration will be automatically migrated to the new one; the new configuration will likely not be readable by older versions of GeoServer.

Voting

Project Steering Committee:

  • Alessio Fabiani +1
  • Andrea Aime +1
  • Ben Caradoc-Davies
  • Christian Mueller +1
  • Gabriel Roldán
  • Jody Garnett +1
  • Jukka Rahkonen +1
  • Justin Deoliveira
  • Phil Scadden +1
  • Simone Giannecchini +0

Links
