
Proposal #3: GeoServer Roles to GeoFence groups mapping

Andrea Aime edited this page Oct 6, 2014 · 1 revision

This proposal is about using GeoServer Roles instead of users for authorization purposes through GeoFence.

The typical use case is the following:

  • users are handled externally of GeoServer / GeoFence, so we cannot have a static list of users configured in GeoFence (e.g. Shibboleth)
  • we cannot even dynamically fetch the user list from the external service, because the authentication service doesn't allow this (as we do, for example, with LDAP)
  • we can, however, configure a set of limited groups in GeoFence and create rules based on them
  • those groups match the roles users are assigned in Geoserver by a specific RoleService (e.g. Iride)

In this scenario it would be useful that the GeoFence / Geoserver probe (GeofenceAccessManager) could ask for permissions using the roles of a user instead of the username. Those roles would match groups of the same name already configured in GeoFence.

Whether the username or the roles are used should be configurable in the geofence-geoserver.properties probe configuration file.

We should implement this in 2 steps:

Mutually exclusive roles support only

Currently RuleFilter supports only one group per filter, while a GeoServer user can have many roles. In a first phase we could therefore limit the recognized roles to a mutually exclusive set, so that any given user owns at most one role of that set - Issue #77 - Pull request #78

Configuration

We should add two new options to geofence-geoserver.properties:

  • useRolesToFilter: true or false (defaults to true); if true, roles are used instead of usernames for permission assignment
  • acceptedRoles: comma delimited list of mutually exclusive roles to be mapped to GeoFence groups (the matching is done by equality, so the group needs to have the same name as the role, including the ROLE_ prefix that many RoleServices prepend to role names)

Multiple roles support

We should extend the GeoFence RuleReaderService to build an OR'ed filter with support for multiple group names (comma delimited?) - Issue #82
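The following is an added illustration of the role-to-group selection described in the two phases above; it is not GeoFence or GeoServer code. It assumes a minimal key=value reading of the two proposed properties, a constructed sample configuration, and that a user holding none of the accepted roles yields no group to filter on (the page does not specify that case).

```python
from typing import Optional

# Constructed sample of geofence-geoserver.properties (illustrative values only).
SAMPLE_PROPERTIES = """
# probe configuration (constructed sample)
useRolesToFilter=true
acceptedRoles=ROLE_EDITOR, ROLE_VIEWER, ROLE_GUEST
"""


def parse_properties(text: str) -> dict:
    """Minimal key=value parser covering the two options this proposal adds."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def accepted_roles(props: dict) -> set:
    """Split the comma delimited acceptedRoles value into a set of exact names."""
    raw = props.get("acceptedRoles", "")
    return {r.strip() for r in raw.split(",") if r.strip()}


def resolve_subject(props: dict, username: str, user_roles: set,
                    multi_role: bool = False) -> Optional[tuple]:
    """Decide what the probe asks GeoFence about for this request.

    Returns ("user", username) when useRolesToFilter is false, ("group", role)
    for the single matching role in phase 1, or ("groups", [roles...]) for the
    OR'ed filter of phase 2. Raises if phase 1's mutual exclusivity is violated.
    """
    if props.get("useRolesToFilter", "true").lower() != "true":
        return ("user", username)
    # Matching is by equality, ROLE_ prefix included, as the proposal states.
    matching = set(user_roles) & accepted_roles(props)
    if multi_role:
        return ("groups", sorted(matching))
    if len(matching) > 1:
        raise ValueError(f"{username} holds several accepted roles: {sorted(matching)}")
    if not matching:
        return None  # assumption: no accepted role means no group to filter on
    return ("group", next(iter(matching)))
```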