Hello, I am testing GeoFence for future deployment ... I am struggling with GeoFence admin rules; it is not well documented. I went through the GitHub GeoServer/GeoFence wiki docs and also through the official GeoServer - GeoFence Internal Server extension docs without much success ...

My guess is that GeoFence Admin Rules present a way to limit "administrative" access to workspace configuration (datastores, layers ... within a workspace), which is also possible in the GeoServer vanilla security system by means of "Data security" rules with "Access mode" set to the "Admin" value, e.g. sf.*.*a *: ROLE_SF_ADMIN (the rule effectively grants access to the "sf" workspace configuration for users with "ROLE_SF_ADMIN").

Another understanding of mine (based on testing) is that by installing the GeoFence Internal Server extension into GeoServer, evaluation of access rights is completely up to GeoFence, and the GeoServer access rules in Security/Data and Security/Services are no longer consulted. (If confirmed, this generates the idea of hiding those two menus, i.e. Security/Data and Security/Services, from the GeoServer GUI once the GeoFence extension is installed, just to lessen user confusion.)

My testing scenario is pretty simple, just to isolate the problem:

Environment:
- OS: Ubuntu 20.04
- JVM: Private Build: 1.8.0_252 (OpenJDK 64-Bit Server VM)
- GeoServer instance is running version 2.17.1.
- GeoFence Internal Server extension for GeoServer 2.17.1

1) Two users in the "default" User Group service
   - sf_admin
   - topp_admin

2) Two roles in the "default" Role service
   - ROLE_SF_ADMIN
   - ROLE_TOPP_ADMIN

3) Users have directly assigned respective roles (no user groups are used)
   - sf_admin -> ROLE_SF_ADMIN
   - topp_admin -> ROLE_TOPP_ADMIN

4) Two workspaces with some layers (from the default GeoServer installation)
   - sf
   - topp

5) GeoFence Admin Rules
   - P  Role             User  Workspace  Access
   - 1  ROLE_TOPP_ADMIN  *     topp       ADMIN
   - 2  ROLE_SF_ADMIN    *     sf         ADMIN

This setup leads me to the expectation that users are able to edit their respective workspace configuration.

*Problem:*

*User "sf_admin"* (when logged in) is able to *edit both workspaces'* configuration, i.e. "sf" and "topp".
*User "sf_topp"* (when logged in) is able to *edit both workspaces'* configuration, i.e. "sf" and "topp".

So both users can access the configuration of both workspaces, despite the fact that the GeoFence Admin rules selectively grant (based on ROLE) access for users to their respective workspace!!!

Another finding is that a GeoFence Admin Rule with "Admin" access mode on a specific workspace does not automatically grant the user access to the layers configuration within the workspace. Access to the workspace layers configuration also needs to be backed by a respective GeoFence Data Rule. This is okay and not directly related to the issue mentioned above; it is just a bit counterintuitive for me ...

Please help me better understand GeoFence Admin Rules, as now I am not able to limit access to workspace configuration individually as long as I'm using the GeoFence Internal Server extension, and thus not able to use GeoFence for "administrative" access management ... Nevertheless, I like GeoFence very much for its capabilities in "user / non-administrative" access management compared to the vanilla GeoServer security system ...

Best regards
Peter Mozolík
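The following is an added reference model, not GeoFence code or anything from the post, that encodes what the two admin rules above should yield under GeoFence's first-match-by-priority semantics (an assumption stated in the code: rules are scanned in ascending priority, `*` is a wildcard, and a user with no matching rule gets plain USER access). Running it gives the expected access matrix to compare against what the GeoServer GUI actually allows.

```python
"""Reference model of GeoFence-style admin-rule evaluation.

Constructed example, not GeoFence's own implementation. Assumed semantics:
admin rules are scanned in ascending priority order; the first rule whose
role, user and workspace all match decides the access level; '*' matches
anything; with no matching rule the user gets USER access (no workspace
administration), i.e. the default is deny.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Set


@dataclass(frozen=True)
class AdminRule:
    priority: int
    role: str        # role name or '*'
    user: str        # user name or '*'
    workspace: str   # workspace name or '*'
    access: str      # 'ADMIN' or 'USER'


def _matches(pattern: str, value: str) -> bool:
    return pattern == "*" or pattern == value


def evaluate_admin(rules: Iterable[AdminRule], user: str,
                   roles: Set[str], workspace: str) -> str:
    """Return 'ADMIN' or 'USER' for this user on this workspace (first match wins)."""
    for rule in sorted(rules, key=lambda r: r.priority):
        role_ok = rule.role == "*" or rule.role in roles
        if role_ok and _matches(rule.user, user) and _matches(rule.workspace, workspace):
            return rule.access
    return "USER"  # no rule matched: no administrative access


# The two admin rules from the scenario in the post, transcribed into the model.
RULES = [
    AdminRule(1, "ROLE_TOPP_ADMIN", "*", "topp", "ADMIN"),
    AdminRule(2, "ROLE_SF_ADMIN", "*", "sf", "ADMIN"),
]

# Users and their directly assigned roles, as in the post.
USERS: Dict[str, Set[str]] = {"sf_admin": {"ROLE_SF_ADMIN"},
                              "topp_admin": {"ROLE_TOPP_ADMIN"}}


def expected_matrix(rules=RULES, users=USERS, workspaces=("sf", "topp")) -> dict:
    """Expected per-user, per-workspace access to compare with observed GUI behaviour."""
    return {u: {ws: evaluate_admin(rules, u, roles, ws) for ws in workspaces}
            for u, roles in users.items()}


if __name__ == "__main__":
    for user, row in expected_matrix().items():
        print(user, row)
```

If the GUI lets a user edit a workspace for which this model returns USER, the admin rules are not being applied as configured, which is the symptom described above.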
_______________________________________________
Geoserver-users mailing list

Please make sure you read the following two resources before posting to this list:
- Earning your support instead of buying it, by Ian Turton: http://www.ianturton.com/talks/foss4g.html#/
- The GeoServer user list posting guidelines: http://geoserver.org/comm/userlist-guidelines.html

If you want to request a feature or an improvement, also see this: https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer

[email protected]
https://lists.sourceforge.net/lists/listinfo/geoserver-users
