Hi,
I've tried to reproduce this using a local QGIS 2.18 (that's what I have
handy) but could not reproduce it; I can edit without problems. More notes
inline.

On Sat, Nov 19, 2016 at 5:15 PM, Cliff Patterson <[email protected]>
wrote:

> I am unable to secure my Geoserver installation and grant read and/or
> write access to different roles. On the most basic level, I would like to
> have a VIEWER and an EDITOR role that I can apply to different workspaces.
> Along with this, I would like to control how each role accesses WFS --
> readers should be able to view (getFeature) while editors should be able to
> edit in QGIS (transaction).
>
> After a thorough read of the Geoserver manual, I still cannot get
> multi-user access to work as expected. All users, regardless of data access
> rules, cannot access WFS layers once the following rules are in place.
>
> Note that I am using a fresh install of Geoserver version 2.10.0 on an
> Ubuntu Server version 16.04 running Apache2 and Tomcat7.
>
> Steps taken:
>
> 1) Create workspace called "test"
> Create a Postgis store using admin credentials (just for testing, not
> production)
>
> 2) Publish a single layer.
>
> 3) Create two roles: EDITORS and VIEWER
>
> 3) Create two users: test_editor and test_viewer. Give test_editor the
> EDITORS role and test_viewer the VIEWER role.
>
> 4) Set up data security as follows:
>
> *.*.r      *
> *.*.w      *
> test.*.r   VIEWER,EDITORS
> test.*.w   EDITORS
>
This makes sense.


> 5) Create the following service rules:
>
> *.*     *
> wfs.*   EDITORS
>
This does not; it implies only EDITORS can actually access WFS.


> Launch QGIS 2.16.3 and add the WFS 1.0.0 service capabilities (e.g.
> http://myserverip:8080/geoserver/ows?service=wfs&version=1.0.0&request=GetCapabilities)
> AND the test_viewer or test_editor login credentials.
>
> Results:
>
> With the test_editor credentials, the expected result would be the ability
> to edit and save the layer, and with the test_viewer credentials the user
> should be able to simply view the WFS layers in QGIS without the ability to
> edit. However, trying to get capabilities causes a popup error in QGIS:
> "Unexpected end of file". QGIS error log reads:
> Download of capabilities failed: Error downloading http://myserverip:8080/geoserver/ows?version=1.0.0&&SERVICE=WFS&REQUEST=GetCapabilities&VERSION=1.0.0 - server replied: Forbidden
>

Nope, viewers won't have access with the service rules above. However, I can
use and write if I access using someone with the EDITORS role. I once got an
unexpected end of file error, but it turned out I was typing the wrong
password.


> Geoserver log reads:
>
> 2016-11-17 13:59:22,480 WARN [wicket.Localizer] - Tried to retrieve a localized string for a component that has not yet been added to the page. This can sometimes lead to an invalid or no localized resource returned. Make sure you are not calling Component#getString() inside your Component's constructor. Offending component: [XMLUserGroupServicePanel [Component id = dummy]]
> 2016-11-17 14:04:10,769 INFO [geoserver.wfs] - Request: getServiceInfo
> 2016-11-17 14:07:25,217 INFO [geoserver.wfs] - Request: getServiceInfo
> 2016-11-17 14:08:39,836 INFO [geoserver.wfs] - Request: getServiceInfo
>

This is unrelated.


> BUT... and this is where it gets weird, the credentials work perfectly for
> WMS. No creds, no access to WMS layers in "test" workspace. Apply creds,
> and authorized users have access to layers. So, there is something wrong
> with WFS(-T).
>

Nothing weird, you did not limit WMS access at the service level.

Cheers
Andrea



Ing. Andrea Aime
@geowolf
Technical Lead

GeoSolutions S.A.S.
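As an added illustration of the diagnosis in this reply (not code from the thread or from GeoServer): a simplified Python model of service-level rule checks, run against the service rules posted in step 5 and against a hypothetical per-operation rule set matching the stated goal of GetFeature for viewers and Transaction for editors. The evaluation logic, the function names and the second rule set are assumptions made for the example.

```python
# Simplified model of GeoServer service-level rules, written for this example.
# Assumption: a request passes only if every rule matching its service and
# operation lists "*" or one of the caller's roles; names compare
# case-insensitively.

def parse_rules(text):
    """Parse 'service.operation role[,role...]' lines into tuples."""
    rules = []
    for line in text.strip().splitlines():
        key, roles = line.split()
        service, operation = key.split(".")
        rules.append((service.lower(), operation.lower(), set(roles.split(","))))
    return rules

def service_allows(rules, service, operation, user_roles):
    """Return True if no matching rule excludes the caller's roles."""
    for r_service, r_operation, r_roles in rules:
        if r_service not in ("*", service.lower()):
            continue
        if r_operation not in ("*", operation.lower()):
            continue
        if "*" not in r_roles and not (r_roles & set(user_roles)):
            return False
    return True

# Service rules exactly as posted in step 5 of the thread.
THREAD_RULES = parse_rules("""
*.* *
wfs.* EDITORS
""")

# Hypothetical alternative: restrict per WFS operation instead of wfs.*
SPLIT_RULES = parse_rules("""
*.* *
wfs.GetFeature VIEWER,EDITORS
wfs.Transaction EDITORS
""")

REQUESTS = [("WFS", "GetCapabilities"), ("WFS", "GetFeature"),
            ("WFS", "Transaction"), ("WMS", "GetMap")]

def access_matrix(rules):
    """Map (role, service, operation) to allowed/denied for both roles."""
    return {(role, s, o): service_allows(rules, s, o, [role])
            for role in ("VIEWER", "EDITORS") for s, o in REQUESTS}

if __name__ == "__main__":
    for name, rules in (("thread", THREAD_RULES), ("split", SPLIT_RULES)):
        for key, ok in access_matrix(rules).items():
            print(name, *key, "allowed" if ok else "Forbidden")
```

In this model the per-operation rule set leaves GetCapabilities open to every role at the service level, so the data security rules from step 4 remain the control on which layers a caller can read or write.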