After testing this on both GeoServer 2.7-RC1 and 2.6.2, I can confirm these
results.
Detailed test procedure and results follow. Results where 2.7-RC1 and
2.6.2 differ are marked with a star (*). Ultimately, I got the same results
as Patric:
Initial setup:
--------------
Security > Users, Groups, and Roles > Roles
- Create Role "testrole"
Security > Users, Groups, and Roles > Users
- Create User/Pass test/test with role testrole
Test case 1
------------
Security > Data
- Add new rule "topp.*.r"
- Assigned to role "testrole"
- Deleted default "*.*.r" and "*.*.w" rules. (Only have the one rule)
Results
-------
GeoServer-2.7-RC1
-----------------
When logged in as test:
> All layers listed in layer preview
> All layers accessible from layer preview
When logged out:
> All layers not in topp listed in layer preview
> All layers not in topp accessible from layer preview. topp layers
give 404.
GeoServer-2.6.2
---------------
When logged in as test:
> All layers listed in layer preview
> All layers accessible from layer preview
When logged out:
> All layers not in topp listed in layer preview
> All layers not in topp accessible from layer preview. topp layers
give 404.
Test case 2
--------------
Security > Data
- Add new rule "topp.states.r".
- Assigned to role "testrole"
- Deleted default "*.*.r" and "*.*.w" rules. (Only have the one rule)
Results
-------
GeoServer-2.7-RC1
-----------------
When logged in as test:
> All layers listed in layer preview
> All layers accessible from layer preview
When logged out:
* All layers not in topp listed in layer preview
* All layers not in topp accessible from layer preview. topp layers
give 404.
GeoServer-2.6.2
---------------
When logged in as test:
> All layers listed in layer preview
> All layers accessible from layer preview
When logged out:
* All layers except topp.states listed in layer preview
* All layers except topp.states accessible from layer preview.
topp.states gives WMS error: Could not find layer topp:states
On Tue, Mar 17, 2015 at 12:59 PM, Torben Barsballe <
[email protected]> wrote:
> I'm going to see if I can reproduce this behaviour locally with a fresh
> download of 2.7-rc1.
>
> Torben
>
> On Tue, Mar 17, 2015 at 9:27 AM, Patric Hafner | geOps <
> [email protected]> wrote:
>
>>
>>
>> After some testing, I found a small difference between 2.6.2 and
>> 2.7-rc1. But I think there is no bug, just a misunderstanding on my part.
>>
>>
>> As the documentation says " (...) If a permission at the global level is
>> not specified, global permissions are assumed to allow read/write
>> access. If a permission for a workspace is not specified, it inherits
>> permissions from the global specification. If a permission for a layer
>> is not specified, it inherits permissions from its workspace
>> specification. (...)"
>> I thought I had to deny all access in the first place in order to be able
>> to follow a "white-list" approach.
>>
>>
>> - Check 1: Deletion of default data security rules
>>
>> *.*.r *
>> *.*.w *
>>
>> GeoServer 2.6.2: Not possible; they get re-created automatically
>>
>> GeoServer 2.7-rc1: Not possible; they get re-created automatically
>>
>>
>> - Check 2: Limitation of layer access
>>
>> Adding:
>>
>> topp.states.r testrole
>>
>> GeoServer 2.6.2: OK: Layer "states" only readable for role "testrole"
>>
>> GeoServer 2.7-rc1: OK: Layer "states" only readable for role "testrole"
>>
>>
>> After adding the new rule, I am able to remove both default rules on
>> both versions. As expected, this has no effect on security.
>>
>> And this is where the difference occurs:
>>
>> GeoServer 2.6.2: All layers except layer "topp.states" are shown in
>> layer preview and are accessible via WMS for unauthorized users
>> (as I expected).
>>
>> GeoServer 2.7-rc1: All layers except all layers of workspace topp are
>> shown in layer preview. This is not what I have expected.
>>
>> To summarize:
>>
>> * I was confused by the fact that deleting both default security
>> rules does not have any effect. They still remain active but are invisible.
>> I expected the deletion to make them inactive. Maybe it should really
>> be impossible to remove them from the GUI, or the removal should have an
>> effect.
>>
>> * Maybe a minor issue: Contents shown in layer preview for unprivileged
>> users differ between GeoServer 2.6.2 and 2.7-rc1 in my test case.
>>
>> Best regards,
>> Patric
>>
>>
>> --
>> web www.geops.de
>> rss www.geops.de/blog/feed
>> follow www.twitter.com/geops
>>
>>
>>
>> On 03/17/2015 04:36 PM, Andrea Aime wrote:
>> > On Mon, Mar 16, 2015 at 9:00 PM, Jody Garnett <[email protected]
>> > <mailto:[email protected]>> wrote:
>> >
>> > First up thanks for testing, I am not aware of any security changes
>> > in 2.7 (it did not make the short list of features we asked for help
>> > testing).
>> >
>> >
>> > We had some changes as part of the jdbcconfig scalability work,
>> > https://github.com/geoserver/geoserver/pull/836
>> >
>> > If this is confirmed to be a problem, I'd call it a release blocker.
>> > I won't be able to have a look before late tonight (mountain time)
>> > though.
>> >
>> > Cheers
>> > Andrea
>> >
>> >
>> > --
>> > ==
>> > GeoServer Professional Services from the experts! Visit
>> > http://goo.gl/NWWaa2 for more information.
>> > ==
>> >
>> > Ing. Andrea Aime
>> > @geowolf
>> > Technical Lead
>> >
>> > GeoSolutions S.A.S.
>> > Via Poggio alle Viti 1187
>> > 55054 Massarosa (LU)
>> > Italy
>> > phone: +39 0584 962313
>> > fax: +39 0584 1660272
>> > mob: +39 339 8844549
>> >
>> > http://www.geo-solutions.it
>> > http://twitter.com/geosolutions_it
>> >
>> > -------------------------------------------------------
>>
>>
>>
>> _______________________________________________
>> Geoserver-devel mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/geoserver-devel
>>
>
>
_______________________________________________
Geoserver-devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/geoserver-devel
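
The rule inheritance quoted from the documentation in Patric's message (a layer rule overrides a workspace rule, which overrides a global rule, and an unspecified global permission means "allow") is small enough to model directly, which is a convenient way to check what a rule set grants before relying on it. The block below is an added example written for this page, not GeoServer's own code: the catalog is constructed sample data, the resolver only consults the mode being asked for, and GeoServer details such as catalog mode are deliberately left out (assumptions). Under the documented semantics it reproduces the 2.6.2 outcome of both test cases above and shows why removing the default "*.*.r" and "*.*.w" rules changes nothing: an absent global rule resolves to the same "allow" the defaults grant.

```python
"""
Model of GeoServer data-security rule resolution (layers.properties style).
Added example for this thread, NOT GeoServer's own code. It mirrors only
the inheritance the quoted documentation describes: layer rule, then
workspace rule, then global rule, then the default "allow".
Catalog mode and any other GeoServer behaviour are left out (assumption).
"""

ANY_ROLE = "*"


def parse_rules(text):
    """Parse lines such as 'topp.states.r=testrole,admin' into
    {(workspace, layer, mode): set_of_roles}. Blank lines and '#' comments
    are skipped; malformed rules raise ValueError instead of silently
    granting or denying anything."""
    rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"rule without '=': {line!r}")
        parts = key.strip().split(".")
        if len(parts) != 3 or parts[2] not in ("r", "w"):
            raise ValueError(f"malformed rule key: {key!r}")
        workspace, layer, mode = parts
        roles = {r.strip() for r in value.split(",") if r.strip()}
        if not roles:
            raise ValueError(f"rule without roles: {line!r}")
        rules[(workspace, layer, mode)] = roles
    return rules


def matching_rule(rules, workspace, layer, mode):
    """Return the most specific rule key that applies, or None when the
    request falls through to the documented default (allow)."""
    for key in ((workspace, layer, mode), (workspace, "*", mode), ("*", "*", mode)):
        if key in rules:
            return key
    return None


def allowed(rules, workspace, layer, mode, user_roles):
    """True if a principal holding user_roles may perform mode on
    workspace:layer. An empty user_roles models an anonymous request."""
    key = matching_rule(rules, workspace, layer, mode)
    if key is None:
        return True  # documentation: unspecified global permission => allow
    roles = rules[key]
    return ANY_ROLE in roles or bool(roles & set(user_roles))


def readable_layers(rules, catalog, user_roles):
    """Layers a principal would see in layer preview under these rules."""
    return [f"{ws}:{layer}" for ws, layer in catalog
            if allowed(rules, ws, layer, "r", user_roles)]


# Constructed sample catalog, loosely modelled on the GeoServer demo data.
CATALOG = [("topp", "states"), ("topp", "tasmania_roads"),
           ("tiger", "poi"), ("sf", "roads")]

# Test case 1 from the thread: only a workspace-wide rule remains.
CASE_1 = "topp.*.r=testrole"
# Test case 2: only a single-layer rule remains.
CASE_2 = "topp.states.r=testrole"
# Test case 2 with the default rules still present.
CASE_2_WITH_DEFAULTS = "*.*.r=*\n*.*.w=*\n" + CASE_2


if __name__ == "__main__":
    for name, text in (("case 1", CASE_1), ("case 2", CASE_2),
                       ("case 2 + defaults", CASE_2_WITH_DEFAULTS)):
        rules = parse_rules(text)
        print(name)
        print("  anonymous:", readable_layers(rules, CATALOG, set()))
        print("  testrole: ", readable_layers(rules, CATALOG, {"testrole"}))
```

Running it prints, for case 2, the same anonymous layer list with and without the default rules, which is the behaviour Patric and Torben observed on 2.6.2; for case 1 every topp layer disappears for anonymous, which is what 2.7-RC1 produced for both cases. The 404 the hidden topp layers return in the thread is consistent with GeoServer's default HIDE catalog mode, which this model does not represent.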