Advanced GeoServer Security with GeoFence

Date post: 11-May-2015
Upload: geosolutions
Description:
This presentation will provide an introduction to GeoFence, an open source tool to configure and use complex authorization rules to protect data served by GeoServer OGC services.

Advanced GeoServer Security With GeoFence

Ing. Emanuele Tajariol, GeoSolutions

Ing. Simone Giannecchini, GeoSolutions

Ing. Alessio Fabiani, GeoSolutions

FOSS4G 2013, Nottingham 20th September 2013

GeoSolutions

Founded in Italy in late 2006

Expertise

• Image Processing, GeoSpatial Data Fusion

• Java, Java Enterprise, C++, Python

• JPEG2000, JPIP, Advanced 2D visualization

Supporting/Developing FOSS4G projects

GeoServer, MapStore

GeoBatch, GeoNetwork

Clients

Public Agencies

Private Companies

http://www.geo-solutions.it

Meet GeoFence

Extended A&A for GeoServer

Authentication

• Optional

• Integrated with GeoServer authorization architecture

Open Source

• GPL

• Code on GitHub

Authorization

• Auth on data: e.g. layers, workspaces

• Auth on services: e.g. WMS, WFS

Based on GSIP 57 Mixed Interceptor + Probe approach

Extended authorization management for GeoServer

External Rule-Based System

GeoServer Internal Probe

On-the-fly manipulation of incoming requests

Role-Based Access Control

• Users

• Groups

Rule-based database

• IPTables-like

Fine-Grained Authorization Control

• Services

• Operations

• Workspaces

• Layers

• Attributes (alphanumeric and geospatial)

External Web Application

• REST Interface

• GUI

Scalable

• 1 GeoFence controls N GeoServer cluster

Java Enterprise infrastructure

• Spring/Spring-Remoting

• Hibernate

• Apache CXF

Supports DBMS

• PostgreSQL/PostGIS

• Oracle spatial

• H2

Performance ensured thanks to a fine-tunable cache

GeoServer Security Model

GeoServer offers extension points for

• Authentication (filtering and credential checks)

• Authorization (resource access managers)

The GeoFence Authentication provider delegates credential checks to GeoFence

The GeoFence Resource Access Manager asks the GeoFence authorization engine for permissions

Digging GeoFence

GeoFence Architecture

GeoFence Stack (again…)

Modules and packages

GUI

• core: GUI logic, implemented using GWT

• webapp: produces the final web application .war file

GeoServer (GeoFence Probe)

• security: the GeoServer/GeoFence bridge; it implements the ResourceAccessManager, forwarding the authorization requests to a remote GeoFence instance

The GeoFence ResourceAccessManager (GeoFence Probe) is deployed in each GeoServer

GeoServer instances in a cluster must share the same ClusterID (instance name)

GeoFence uses the instance name to select rules

The Probe queries GeoFence on each request* with proper info

• Instance name

• User

• Request Details

GeoFence provides Access Policy rules to manipulate the request on the fly within the Probe

The GeoFence ResourceAccessManager (GeoFence Probe) uses a cache which minimizes the requests toward GeoFence.

The cache can be configured on different aspects:

• number of entries

• expiration time

The cache provides REST operations (using GeoServer’s own REST dispatcher) in order to

• Invalidate the cache

• Query the cache statistics

GeoFence Rule System

Authorizations are expressed as a priority-based rule set

Rule types are ALLOW/DENY/LIMIT

The first matching rule is the one that determines the outcome of the auth request

Incoming authorization requests are transformed into a rule filter

Filtering can be performed on one or more of these fields:

• Username

• Group the provided user belongs to

• Source GeoServer instance: we can control multiple GeoServer clusters

• OGC Service, e.g. WMS

• OGC Service Operation, e.g. GetCapabilities

• Workspace, e.g. it.geosolutions

• Layer name, e.g. topp:states

Example

Let’s assume we have configured these rules:

User: u1, Service: WMS, Workspace: W1, ALLOW

User: u1, DENY

These rules will grant user u1 access to all the layers in workspace W1, only for WMS requests

All other types of request will be DENIED.
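
A minimal model of the first-match evaluation described above, added here as an illustration; it is not GeoFence code. The `Rule` class, its field names, numeric priorities (lower first), unset fields acting as wildcards and the deny-by-default fallback are assumptions of this example, and LIMIT rules are not modelled.

```python
from dataclasses import dataclass
from typing import Optional

ANY = None  # an unset rule field acts as a wildcard (modelling assumption)

@dataclass(frozen=True)
class Rule:
    priority: int                  # lower number is evaluated first (assumption)
    access: str                    # "ALLOW" or "DENY"; LIMIT is not modelled here
    user: Optional[str] = ANY
    group: Optional[str] = ANY
    instance: Optional[str] = ANY
    service: Optional[str] = ANY
    request: Optional[str] = ANY
    workspace: Optional[str] = ANY
    layer: Optional[str] = ANY

FIELDS = ("user", "instance", "service", "request", "workspace", "layer")

def matches(rule, req):
    """A rule matches when every field it sets equals the request's value."""
    for f in FIELDS:
        want = getattr(rule, f)
        if want is not ANY and want != req.get(f):
            return False
    # group: the rule's group must be one of the groups the user belongs to
    return rule.group is ANY or rule.group in req.get("groups", ())

def authorize(rules, req, default="DENY"):
    """Return the access of the first matching rule in priority order."""
    for rule in sorted(rules, key=lambda r: r.priority):
        if matches(rule, req):
            return rule.access
    return default  # no rule matched: fail closed (assumption)

# The two rules from the slide, in the order given
SLIDE_RULES = [
    Rule(priority=0, access="ALLOW", user="u1", service="WMS", workspace="W1"),
    Rule(priority=1, access="DENY", user="u1"),
]
# Same rules with the catch-all DENY moved first: it shadows the ALLOW
SHADOWED = [
    Rule(priority=0, access="DENY", user="u1"),
    Rule(priority=1, access="ALLOW", user="u1", service="WMS", workspace="W1"),
]

# Constructed sample requests (layer name is made up)
WMS_W1 = {"user": "u1", "service": "WMS", "request": "GetMap",
          "workspace": "W1", "layer": "roads"}
WFS_W1 = dict(WMS_W1, service="WFS", request="GetFeature")
```

Evaluating `WMS_W1` against `SHADOWED` returns DENY: placing the catch-all rule ahead of the specific ALLOW silently revokes the WMS access, so rule position deserves review whenever rules are inserted or reordered.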

When an ALLOW rule is matched, the user will have access to the requested resource.

Finer Grain Control

On single-layer rules, further restrictions may be defined, i.e. only a subset of the data contained in the layer could be made queryable/visible to the requesting user

• Restrictions on visible Area

• Restrictions on Queryable Attributes

• Restrictions on Available Styles

Examples

Limiting users' access to

• a subset of the attributes (R/W)

• a specific geographic area

• a subset of the available styles (or the default style can be forced on all requests)

• a specific view of the data via a CQL filter

For reading

For writing (delete, create, update)

GeoFence REST Interface

GeoFence provides a REST interface for administration

• Allows automation!

It allows complete CRUD access to the various entities managed by GeoFence:

• Users and groups

• GeoServer instances

• Rules

The Find operation can optionally be paged

• A Count operation is provided as well, to take advantage of the pagination capability.

Priority ordering in rules is fundamental

• There are different ways to insert and set a position for the new rules.

https://github.com/geosolutions-it/geofence/wiki/REST-API

The REST interface also provides a batch mode

multiple CRUD commands can be issued at once

The commands in the batch are processed in the same transaction

Extremely important for automation!

Backup and restore operations are provided as part of the REST interface as well

REST API documentation available at https://github.com/geosolutions-it/geofence/wiki/REST-API

GeoFence User Interface

[GUI screenshots. Top categories: Users, Groups, Instances, Rules; rule Details panels]

GeoFence and LDAP

An LDAP server can be used as a repository for users and groups by including the optional LDAP module in the deployment

LDAP can be configured through the datasource properties file

When using LDAP, users and groups are not editable from the GeoFence interface (they are READ-ONLY)

LDAP module documentation at https://github.com/geosolutions-it/geofence/wiki/LDAP-module

When LDAP is enabled, specific DAOs are used for users and groups instead of the default ones

GeoFence and Existing Auth Proxies

[Diagram labels: External Auth Source (Users, Groups); GeoFence DB; GeoFence Persistence: UserDAO, LDAP UserDAO, GroupDAO, LDAP GroupDAO, RuleDAO]

GeoFence Use Cases

SIAN

[Diagram labels: GeoFence, MapManager, GeoStore, GeoServer, GeoFence, MapStore, JMX Agents, GeoGraphic Building Block]

Astrium GetGeo

Layers filtered (CQL filters) by user profile to constrain access to advanced functionality

Possibility of spatial filters to allow regional access only

Destination

GeoFence Status

Project Release as Open Source

Continuous Build is in place

Dev and Users Mailing Lists are in place

Improvements

Documentation

Official Releases

Integrated Build for testing and demoing

UI Refactor

The End

Thanks for not sleeping

(loudly)
