GSIP 121
Andrea Aime
GeoServer 2.7.0
- Under Discussion
- In Progress
- Completed
- Rejected
- Deferred
Nowadays WPS processes are either available to all users or completely turned off. Service level security cannot cover process availability either, as it is based on the least common denominator across all OGC protocols (service, request, output format).
This proposal aims at making certain processes available to a selected set of users instead, using the usual role based authorization.
Processes make up the content of a WPS service: they are listed in the capabilities document and can then be used in DescribeProcess and Execute calls.
Also, similarly to layers, process availability can be thought of not only in terms of the ability to execute a process, but also in terms of how big its inputs can be, how long it can be left executing, and so on.
Even if the current proposal limits itself to making processes available or not, we propose the following interface, which mimics the ResourceAccessManager and returns an object that can be expanded in the future to cover limitations other than mere process availability:
    public interface ProcessAccessManager {
        /**
         * Returns the access limits for a whole process namespace
         */
        ProcessAccessLimits getAccessLimits(Authentication user, String namespace);

        /**
         * Returns the access limits for a single process
         */
        ProcessAccessLimits getAccessLimits(Authentication user, Name process);
    }

    public class ProcessAccessLimits extends AccessLimits {
        /** Whether the current user may see/execute the process at all */
        private boolean allowed;

        public ProcessAccessLimits(CatalogMode mode, boolean allowed) {
            super(mode);
            this.allowed = allowed;
        }

        public boolean isAllowed() {
            return allowed;
        }
    }
The security subsystem will be implemented as a ProcessFilter that will hide certain processes/factories and will also take into account the HIDE/CHALLENGE/MIXED catalog modes:
- in HIDE mode the processes not available to the current user will simply be removed, denying their existence to the clients
- in CHALLENGE mode all the processes will be listed in the GetCapabilities output, but an authentication request will be raised if a secured process is requested via DescribeProcess or Execute by a user that does not have sufficient access rights
- in MIXED mode the secured processes will be hidden from the GetCapabilities document, but an authentication request will be raised if a secured process is requested anyway via DescribeProcess or Execute by a user that does not have sufficient access rights
The ProcessFilter will search for an implementation of ProcessAccessManager in the Spring application context; if none is found, a default one based on the internal GeoServer configuration will be used.
Currently the process availability is configured in the WPS page and stored in the WPSInfo metadata map as the ProcessGroupInfo bean:
    public interface ProcessGroupInfo extends Info, Cloneable {
        /**
         * The process factory class (only means to identify it)
         */
        public Class<? extends ProcessFactory> getFactoryClass();

        /**
         * Sets the process factory class
         *
         * @param factoryClass
         */
        public void setFactoryClass(Class<? extends ProcessFactory> factoryClass);

        /**
         * True if the factory is enabled, false otherwise
         *
         * @return the enabled flag
         */
        public boolean isEnabled();

        /**
         * Enables/disables the factory
         *
         * @param enabled
         */
        public void setEnabled(boolean enabled);

        /**
         * The list of processes generated by this factory that need to be filtered out (disabled)
         *
         * @return the names of the filtered processes
         */
        public List<Name> getFilteredProcesses();

        /**
         * The metadata map, can contain any sort of information that non core plugins might use to
         * handle information related to this factory
         *
         * @return the metadata map
         */
        MetadataMap getMetadata();

        /**
         * Creates a copy of this object
         *
         * @return the copy
         */
        ProcessGroupInfo clone();
    }
We propose the following changes to this bean:
- A list of roles that can access the factory will be attached to the group (by default, "*" will be used to signify "all users")
- The "filtered processes" list will be replaced by a list of ProcessAccessInfo beans:
    public interface ProcessAccessInfo extends Info, Cloneable {
        /** True if the process is enabled, false if it is filtered out */
        boolean isEnabled();

        /** The roles allowed to access the process ("*" meaning all users) */
        List<String> getRoles();
    }
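The following is an added illustration, not GeoServer code, of how the role lists proposed above and the HIDE/CHALLENGE/MIXED behaviour of the ProcessFilter combine into a per-process decision. Plain strings and sets stand in for Spring Security's Authentication roles and GeoTools' Name, and the AND between the factory's and the process's role lists is an assumption, since the proposal does not say how the two combine.

```java
import java.util.List;
import java.util.Set;

// Added example (not GeoServer code). Role lists follow the proposal: "*" means all users.
// Assumption: a process is accessible only if both its factory and its own role list allow the user.
public class ProcessSecurityExample {

    enum CatalogMode { HIDE, CHALLENGE, MIXED }

    /** LIST: the process is shown / the call proceeds; HIDE: removed as if it did not exist;
     *  CHALLENGE: an authentication request is raised. */
    enum Decision { LIST, HIDE, CHALLENGE }

    /** Role list semantics from the proposal: "*" grants access to every user. */
    static boolean rolesAllow(List<String> allowedRoles, Set<String> userRoles) {
        if (allowedRoles.contains("*")) return true;
        for (String role : allowedRoles) {
            if (userRoles.contains(role)) return true;
        }
        return false;
    }

    /** Assumed combination: enabled, and both the factory (group) and the process allow the user. */
    static boolean isAllowed(List<String> groupRoles, boolean enabled,
                             List<String> processRoles, Set<String> userRoles) {
        return enabled && rolesAllow(groupRoles, userRoles) && rolesAllow(processRoles, userRoles);
    }

    /** What the filter does for a process, given the catalog mode and the request type. */
    static Decision decide(CatalogMode mode, boolean isGetCapabilities, boolean allowed) {
        if (allowed) return Decision.LIST;
        switch (mode) {
            case HIDE:      return Decision.HIDE;
            case CHALLENGE: return isGetCapabilities ? Decision.LIST : Decision.CHALLENGE;
            default:        return isGetCapabilities ? Decision.HIDE : Decision.CHALLENGE; // MIXED
        }
    }

    public static void main(String[] args) {
        List<String> groupRoles = List.of("*");              // factory open to everyone
        List<String> bufferRoles = List.of("ROLE_ANALYST");  // constructed sample process rule
        Set<String> anonymous = Set.of("ROLE_ANONYMOUS");    // constructed sample user
        boolean allowed = isAllowed(groupRoles, true, bufferRoles, anonymous);
        System.out.println("anonymous allowed: " + allowed);
        System.out.println("HIDE, GetCapabilities: " + decide(CatalogMode.HIDE, true, allowed));
        System.out.println("CHALLENGE, GetCapabilities: " + decide(CatalogMode.CHALLENGE, true, allowed));
        System.out.println("MIXED, Execute: " + decide(CatalogMode.MIXED, false, allowed));
    }
}
```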
On the user interface side, the current list of process groups available at the end of the WPS page will be moved into a Processes page under Security, and table based editing of roles will be added to the existing GUI.
The role editor will provide auto-completion to ease correct entry of values, without disallowing quick copy and paste of role lists from one process definition to another.
The previous configuration will be automatically migrated to the new one; this new configuration will likely not be readable by older versions of GeoServer.
Project Steering Committee:
- Alessio Fabiani +1
- Andrea Aime +1
- Ben Caradoc-Davies
- Christian Mueller +1
- Gabriel Roldán
- Jody Garnett +1
- Jukka Rahkonen +1
- Justin Deoliveira
- Phil Scadden +1
- Simone Giannecchini +0
©2022 Open Source Geospatial Foundation