GSIP 217
Camptocamp is offering a new member for the GeoServer echosystem: GeoServer ACL.
GeoServer ACL is an advanced authorization system for GeoServer,
Open Source, and born as a fork
of GeoFence, with a narrower scope, and a somewhat
different deployment target, technology and architectural approach.
Whilst GeoFence was born as a standalone service, it grew into an embedded engine.
GeoSever ACL consists of an independent application service that manages access rules, and a GeoServer plugin that requests authorization limits on a per-request basis.
Its primary focus is to serve tenths of GeoServer instances (both vanilla and GeoServer Cloud
pods), with the least possible memory and runtime overhead on the client side, and hence
it implements the Authorization process (RuleReaderService's responsibility in GeoFence)
at the server side.
All communications between the client plugin and the server is performed through GeoServer ACL's REST API, which follows an API-first approach, by defining the API through an OpenAPI 3 specification document.
GeoServer ACL is not an authentication provider. It's an authorization manager that will use the authenticated user credentials, whether they come from Basic HTTP, OAuth2/OpenID Connect, or whatever authentication mechanism GeoServer is using, to resolve the access rules that apply to each particular request.
Gabriel Roldan (Camptocamp)
This proposal is for GeoServer 2.24.x, with backport of the plugin community module to 2.23.x
- Under Discussion
- In Progress
- Completed
- Rejected
- Deferred
With the rejection of GSIP 216 - GeoFence 4.0.x, came the counter-proposal to fork GeoFence.
This seemed like a good way to move forward and hence we're making this proposal.
The fork is ready, and is to be distributed as a standalone application, separate from GeoServer.
The project scope is narrower than GeoFence's, and focuses on a standalone application that can be used by both GeoServer and GeoServer Cloud, as an authorization provider based on the same Rule concepts as GeoFence, but without any authentication provider capability.
Hence the project is called GeoServer ACL (as in Access Control List).
- To create a new GitHub repository under the GeoSever GitHub organization, called
geoserver-acl, with Gabriel Roldan as one of the administrators among the GeoServer PSC members themselves. - To create a GeoServer Community Module for a plugin that integrates GeoServer with the GeoServer ACL service.
- For the PSC to assist in allowing the
geoserver/geoserver-aclproject to publish maven artifacts to Nexus, so that its libraries can be used by the GeoServer plugin. - To transfer ownership of the new GeoServer ACL project to OsGeo, via a Software Grant and Corporate Contributor License Agreement, as it was previously done for the GeoServer Cloud project as of GSIP 201 - Cloud Native GeoServer Project Donation.
GeoServer ACL will have its own release cycle, using Semantic Versioning, with major versions tracking the REST API version, minor versions for improvements, and patch versions for bug fixes.
The major part of the GeoServer plugin will be in GeoServer's ACL codebase, which will allow to run end to end integration tests for any change, and against several GeoServer versions, so that, for example, we can be sure the plugin's version 1.0 is compatible with GeoServer's main branch, the development and stable versions.
The GeoServer community module for the plugin, will only need to be an empty jar, or a very minimal one with some configuration related classes, and will depend on a specific version of GeoServer ACL's plugin.
For example, the dependencies would be:
gs-acl-plugin:2.24-SNAPSHOT -> gs-acl-geoserver-integration:1.1.0
gs-acl-plugin:2.23.0 -> gs-acl-geoserver-integration:1.0.0
gs-acl-plugin:2.22.2 -> gs-acl-geoserver-integration:1.0.0
Backwards Compatibility is not a concern since this is a new project and a new community module
Project Steering Committee:
- Alessio Fabiani: +0
- Andrea Aime: +1
- Ian Turton: +1
- Jody Garnett: +1
- Jukka Rahkonen: +1
- Kevin Smith: +0
- Simone Giannecchini: +0
- Torben Barsballe: +1
- Nuno Oliveira: +1
©2022 Open Source Geospatial Foundation