Mastering Security with GeoServer and GeoFence
Ing. Mauro Bartolomeoli, Ing. Emanuele Tajariol, Ing. Simone Giannecchini
GeoSolutions
GeoSolutions
Founded in Italy in late 2006
Expertise:
• Image Processing, GeoSpatial Data Fusion
• Java, Java Enterprise, C++, Python
• JPEG2000, JPIP, Advanced 2D visualization
Supporting/Developing FOSS4G projects: GeoServer, MapStore, GeoNetwork, GeoNode, CKAN
Clients: Public Agencies, Private Companies
http://www.geo-solutions.it
FOSS4G 2016, Bonn, 22nd - 26th August 2016
Overview
GeoServer security handles:
• Authentication (filtering and credential checks)
• Authorization (resource access managers)
Authentication
The filter chains
Different chains for different URL groups
Each chain authenticates in a different way by composing different filters
Different usage, different chain:
• UI chain, with form login, HTTP session (creation allowed) and remember-me services
• OGC chain, lighter: uses the session if available, never creates one
Available auth filters
Filters gathering user credentials (and, where applicable, invoking the authentication providers chain):
• Basic
• Form
• Digest
• Anonymous (always the last)
Preauthentication filters (and, where applicable, loading user details from the user/group and/or role service):
• Session
• HTTP Header
• X.509
• Remember Me
• J2EE
Easy to implement and plug in new filters
Missing: authentication from environment variables (e.g. Shibboleth SSO)
Authentication providers
Given the credentials pulled from the filters, who is the user?
• Search in the user/group database (backed by XML or DBMS tables)
• Authenticate as an LDAP user
• Authenticate as a DBMS user
Authentication providers and user/group services are pluggable.
Role providers
Given the user, what are her roles in GeoServer?
Fundamental: authorization is role based
Extensible: new providers can be built
Role services: LDAP, DBMS, XML, DBMS tables
Extensions
CAS (https://www.apereo.org/cas): Single Sign On integration
Authkey: simple UUID-to-user mapper
• Simple key in the URL (must use HTTPS)
• Allows authentication-unaware clients to participate
• Pluggable: possibility to define custom mappers (e.g. web services)
• URLMangler adds the authkey to OGC requests transparently (via GetCapabilities)
Authorization
Given the user and her roles, can the current «action» on the current «resource» be allowed?
Action:
• Generic read/write
• Specific OGC service/method call
Resource:
• Workspace
• Layer
• Layer Group
• Style
ResourceAccessManager
Pluggable interface, multiple implementations
Defines AccessLimits for the various Catalog resources (Workspace, Layer, Style, LayerGroup)
Can access the current request (service/method/details)
Allows for fine grained limits:
• Attributes visible
• Read filters (which features can be read)
• Write filters (which features can be written)
Filters: alphanumeric, temporal, spatial
Implementations
• Default security subsystem: simple per workspace/layer authentication
• GeoFence: external application (*), full use of ResourceAccessManager abilities
• Other custom implementations: integrate with an existing in-house authorization mechanism, quite popular in large enterprise setups
GeoFence
Extended A&A (authentication and authorization) for GeoServer
Optional authentication, sophisticated authorization
Open Source, GPL
https://github.com/geoserver/geofence
Structure
Stand-alone user interface
User management
GeoFence rules
Authorizations are expressed as a priority-based rule set:
• Rule types are ALLOW/DENY/LIMIT
• The first matching rule determines the outcome of the authorization request
GeoFence rules matching
Rules are matched based on:
• Username
• Group the provided user belongs to
• GeoServer instance (a single GeoFence can serve multiple GeoServer clusters)
• OGC service (e.g., WMS)
• OGC service operation (e.g., GetFeatureInfo)
• Workspace (e.g. it.geosolutions)
• Layer name (e.g. topp:states)
Example
Let's assume we have configured these rules:
• User: u1, Service: WMS, Workspace: W1 → ALLOW
• User: u1 → DENY
These rules grant user u1 access to all the layers in workspace W1, only for WMS requests.
All other types of requests will be DENIED.
Restrictions (LIMIT rules)
When an ALLOW rule is matched, the user has access to the requested resource, possibly with:
• Restrictions on the available area
• Restrictions on alphanumeric conditions
Restrictions (LIMIT rules), continued:
• Restrictions on available attributes
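As an added illustration (not GeoFence's own code) of the rule semantics on the rules, matching, example and restriction slides above, the following Python models the evaluation: rules sit in priority order, an unset rule attribute is a wildcard, the first matching ALLOW or DENY decides, and LIMIT rules matched before that decision narrow what the ALLOW grants (area, attributes, alphanumeric condition). The rule list reproduces the two slide rules and puts a constructed LIMIT rule in front of them; the deny-by-default for requests matching no rule, the instance and layer names, and the way restrictions are represented and merged are assumptions of this model.

```python
"""Simplified model of GeoFence rule evaluation.

Added illustration, not GeoFence's own code. Rules are kept in priority
order; an unset (None) rule attribute acts as a wildcard; the first
matching ALLOW or DENY rule decides; LIMIT rules matched before that
decision narrow what an ALLOW grants. A request that matches no rule is
treated as DENY (assumed conservative default)."""
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Rule:
    outcome: str                          # "ALLOW", "DENY" or "LIMIT"
    user: Optional[str] = None            # None = any user
    group: Optional[str] = None           # None = any group
    instance: Optional[str] = None        # GeoServer instance name
    service: Optional[str] = None         # e.g. "WMS"
    request: Optional[str] = None         # e.g. "GetFeatureInfo"
    workspace: Optional[str] = None
    layer: Optional[str] = None
    # restrictions carried by LIMIT rules (constructed, simplified representation)
    area_wkt: Optional[str] = None        # allowed area as WKT text
    attributes: Optional[FrozenSet[str]] = None   # attributes the user may see
    cql_filter: Optional[str] = None      # alphanumeric condition on features


@dataclass(frozen=True)
class Request:
    user: str
    groups: FrozenSet[str]
    instance: str
    service: str
    request: str
    workspace: str
    layer: str


@dataclass
class Decision:
    outcome: str                                          # "ALLOW" or "DENY"
    areas: List[str] = field(default_factory=list)        # all apply: intersect them
    attributes: Optional[FrozenSet[str]] = None           # None = all attributes visible
    cql_filters: List[str] = field(default_factory=list)  # all apply: AND them


def matches(rule: Rule, req: Request) -> bool:
    """A rule matches when every attribute it sets equals the request's value."""
    exact = [
        (rule.user, req.user), (rule.instance, req.instance),
        (rule.service, req.service), (rule.request, req.request),
        (rule.workspace, req.workspace), (rule.layer, req.layer),
    ]
    if any(want is not None and want != got for want, got in exact):
        return False
    return rule.group is None or rule.group in req.groups


def evaluate(rules: List[Rule], req: Request) -> Decision:
    """Walk the rules in priority order and return the effective decision."""
    limits: List[Rule] = []
    for rule in rules:
        if not matches(rule, req):
            continue
        if rule.outcome == "LIMIT":
            limits.append(rule)           # remembered, applied if an ALLOW follows
            continue
        if rule.outcome == "DENY":
            return Decision("DENY")
        decision = Decision("ALLOW")
        for lim in limits:                # merge every restriction collected so far
            if lim.area_wkt is not None:
                decision.areas.append(lim.area_wkt)
            if lim.attributes is not None:
                decision.attributes = (lim.attributes if decision.attributes is None
                                       else decision.attributes & lim.attributes)
            if lim.cql_filter is not None:
                decision.cql_filters.append(lim.cql_filter)
        return decision
    return Decision("DENY")               # nothing matched: deny


# The two rules from the slide, plus a constructed LIMIT rule in front of them.
SLIDE_RULES = [
    Rule("LIMIT", user="u1", workspace="W1", attributes=frozenset({"name", "geom"})),
    Rule("ALLOW", user="u1", service="WMS", workspace="W1"),
    Rule("DENY", user="u1"),
]


def make_request(service: str, workspace: str, user: str = "u1") -> Request:
    """Constructed request; instance, operation and layer names are placeholders."""
    return Request(user, frozenset(), "gs-1", service, "GetMap", workspace, "roads")


if __name__ == "__main__":
    print(evaluate(SLIDE_RULES, make_request("WMS", "W1")))   # ALLOW, attributes {name, geom}
    print(evaluate(SLIDE_RULES, make_request("WFS", "W1")))   # DENY (second slide rule)
    print(evaluate(SLIDE_RULES, make_request("WMS", "W2")))   # DENY (second slide rule)
    print(evaluate(SLIDE_RULES, make_request("WMS", "W1", user="u2")))  # DENY (no rule matched)
```

The order of the list is the priority order, which is why the REST API's insert-at-position operations matter: a DENY placed above the ALLOW for u1 would silently revoke the WMS access, and a LIMIT placed below it would never take effect.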
Stand-alone GeoFence
The GeoFence Probe (ResourceAccessManager) calls the stand-alone GeoFence REST services
A cache is set up to minimize network traffic
The cache can be configured on different aspects: number of entries, expiration time
The cache provides REST operations (using GeoServer's own REST dispatcher) to:
• Invalidate the cache
• Query the cache statistics
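The following Python is an added illustration (not the probe's code) of the decision cache just described: entries are bounded in number and expire after a time-to-live, and the cache offers the same two maintenance operations the slide names, invalidation and statistics. The loader function stands in for the REST call to the stand-alone server, the clock is injected so expiry can be exercised without sleeping, and the server-side rule change in the demo is constructed; the point it makes is that a revoked permission keeps being honoured from the cache until the entry expires or the cache is invalidated.

```python
"""Model of the GeoFence probe's decision cache.

Added illustration, not the probe's code. Access decisions fetched from
the stand-alone GeoFence server are cached with a bounded number of
entries and a time-to-live; the cache exposes invalidation and
statistics, the two operations the REST endpoints provide."""
import time
from collections import OrderedDict
from typing import Callable, Dict, Hashable


class DecisionCache:
    def __init__(self, loader: Callable[[Hashable], str], max_entries: int = 1000,
                 ttl_seconds: float = 60.0, clock: Callable[[], float] = time.monotonic):
        self._loader = loader            # stands in for the REST call to GeoFence
        self._max_entries = max_entries
        self._ttl = ttl_seconds
        self._clock = clock
        self._entries = OrderedDict()    # key -> (decision, expires_at), oldest first
        self.hits = self.misses = self.loads = self.evictions = 0

    def get(self, key: Hashable) -> str:
        """Return the cached decision for key, loading it when absent or expired."""
        now = self._clock()
        entry = self._entries.get(key)
        if entry is not None:
            decision, expires_at = entry
            if now < expires_at:
                self.hits += 1
                self._entries.move_to_end(key)        # keep recently used entries
                return decision
            del self._entries[key]                    # expired: fall through to reload
        self.misses += 1
        decision = self._loader(key)
        self.loads += 1
        self._entries[key] = (decision, now + self._ttl)
        while len(self._entries) > self._max_entries:
            self._entries.popitem(last=False)         # evict least recently used
            self.evictions += 1
        return decision

    def invalidate(self) -> int:
        """Drop every entry (the REST 'invalidate' operation); returns the count dropped."""
        dropped = len(self._entries)
        self._entries.clear()
        return dropped

    def stats(self) -> Dict[str, int]:
        """Counters a 'query statistics' endpoint would report."""
        return {"size": len(self._entries), "hits": self.hits, "misses": self.misses,
                "loads": self.loads, "evictions": self.evictions}


def stale_decision_demo() -> Dict[str, str]:
    """Show why invalidation matters: a rule change on the server is not seen
    until the entry expires or the cache is invalidated."""
    rules = {"u1": "ALLOW"}                       # constructed server-side state
    clock = [0.0]
    cache = DecisionCache(lambda key: rules.get(key[0], "DENY"),
                          max_entries=2, ttl_seconds=10.0, clock=lambda: clock[0])
    key = ("u1", "gs-1", "WMS", "GetMap", "W1", "roads")   # constructed cache key
    first = cache.get(key)                        # loads ALLOW from the "server"
    rules["u1"] = "DENY"                          # administrator revokes access
    stale = cache.get(key)                        # still ALLOW, served from the cache
    cache.invalidate()
    fresh = cache.get(key)                        # reloaded: DENY
    return {"first": first, "stale": stale, "after_invalidate": fresh}


if __name__ == "__main__":
    print(stale_decision_demo())   # {'first': 'ALLOW', 'stale': 'ALLOW', 'after_invalidate': 'DENY'}
```

When tuning the cache, the expiration time bounds how long a revoked or tightened rule can keep being applied in its old form on each GeoServer node; administration scripts that change rules through the REST API should therefore invalidate the probe cache on every node as their last step.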
GeoFence REST API
REST interface for administration automation
Complete CRUD access to the various entities managed by GeoFence:
• Users and groups
• GeoServer instances
• Rules
Paging support
Priority ordering of rules is fundamental: different ways to insert and set a position for new rules
Batch mode, backup and restore available
See details at: https://github.com/geosolutions-it/geofence/wiki/REST-API
GeoFence direct integration
GeoFence integration
Simple setups demand simple solutions: have GeoFence run inside GeoServer
Integration similar to the GWC one, runs like a plugin
(diagram: GeoServer hosting GeoWebCache and GeoFence, with GeoFence backed by a Rules DB)
Baby steps
Born as a more future-proof alternative to improving the internal security subsystem
Community module, available via nightly builds
Delivers a subset of the full functionality: access/deny/limit based on a mix of roles/user/layer/workspace/service/request
Integrated UI
General Configuration
General Configuration (continued)
Creating rules
Rules list
Example 1
Example 1 – layer preview
Example 2
Example 2 – layer preview
TODO
Allow editing of LIMIT rules:
• Force default style
• Limit attributes
• Filter contents
Control writes at the rule level
Better/easier way to re-order rules between pages (drag and drop can be used on the same page)
Migrate old security system rules to GeoFence where possible
That's all folks!
Questions? info@geo-solutions.it