Thanks for that detail. I don’t yet grasp what the complexity is – I suspect
it doesn’t apply to my geoserver use-case but maybe you could illuminate that
for me?
I’m using global workspaces (but could consider changing that). However an end
user will always be referencing only one workspace in a request. By parsing
the request parameters the workspace can be known up front before any database
access.
So if I have a bunch of workspaces setup that all use the same datastore, my
assumption is that when a database connection is acquired from the datastore,
the relevant workspace can be known at that time, enabling the code to tell the
database connection to impersonate the user associated with the workspace.
The datastore can connect to the database under the ‘midtier/admin’ user
account. Then, as long as geoserver does not attempt to access a feature in
the workspace before pointing the connection to the impersonated user for that
workspace, the problem is solved.
If the workspace is known from the request parameters and a request never
references more than one workspace does that simplify my problem?
Thank You - Walter
From: andrea.a...@gmail.com [mailto:andrea.a...@gmail.com] On Behalf Of Andrea
Aime
Sent: Thursday, June 16, 2016 3:51 AM
To: Walter Stovall <walter.stov...@byers.com>
Cc: geoserver-devel@lists.sourceforge.net
Subject: Re: [Geoserver-devel] FW: Managing Oracle connections to different
schemas of the same database instance can't be done with the current geoserver
On Wed, Jun 15, 2016 at 6:57 PM, Walter Stovall
<walter.stov...@byers.com<mailto:walter.stov...@byers.com>> wrote:
Oh, that’s nice – thanks.
There’s hopefully just one last part of this problem I need to address (thank
you for all your help).
As mentioned my authenticated-user (the GSUser) is not in fact the name of the
user I want to impersonate. I need to figure out how to get the name of the
impersonated user into the environment.
The impersonated user is based on the geoserver workspace and remains constant
for the life of the workspace. My dream solution would be that I could store
the name of the impersonated user into the workspace itself and somehow
leverage code that gets the name/value into the environment when a request is
dispatched. Poking around, I see that the WorkspaceInfoImpl has
set/getMetadataMap(). If I could put my own name/value pair for the
impersonated user into the MetadataMap for the workspace and then the
MetadataMap were found to be part of the environment that would be the magic
answer.
Of course maybe it’s not that easy but does this trigger any suggestion you
might have? I know the impersonated user name when I create the workspace. I
just don’t know how to get that into the environment when a request against the
workspace is dispatched.
Do I need a dispatcher callback? If so can I make the callback installed by my
service code run before other services like WMS/WFS attempt accessing features
so this is all setup right?
Hmm... this is getting complicated enough that I believe you are going to need
some custom code regardless, in one or more points.
If you are using workspace specific services, you can get the current workspace
from the LocalWorkspace class, that is holding to a thread local. If you are
using global services instead I don't see an easy way out, as a request might
contain data from multiple workspaces.
A few ideas come to mind (mind, I cannot guarantee any of them is good):
1) Create a subclass of the OracleNGDataStoreFactory, register it in SPI (check
META-INF/services), and when createDataStoreInternal is called, attach a
connection listener that looks for LocalWorkspace and your custom map. This
code will reside in GeoServer
2) Create a FeatureTypeInitializer and register it in the GeoServer app
context, while it's meant to initialize a particular feature type, it has
access to the store too, and attach the listener there. Of course you'll have
to care about not attaching the same listener multiple times
3) Modify the code a bit deeper and create a new DataAccessInitializer
interface that would allow custom setup of stores, to be plugged in
ResourcePool like FeatureTypeInitializer is, and do the same as above
4) Add store init parameters like we discussed before, but make them OGC
Expression objects, or Strings that are supposed to be parsed as ECQL, and then
roll your own custom filter functions to extract the values you need from the
surrounding environment (e.g., LocalWorkspace)
I'd go for 3, but it's just me.
Cheers
Andrea
--
==
GeoServer Professional Services from the experts! Visit
http://goo.gl/it488V for more information.
==
Ing. Andrea Aime
@geowolf
Technical Lead
GeoSolutions S.A.S.
Via di Montramito 3/A
55054 Massarosa (LU)
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 339 8844549
http://www.geo-solutions.it
http://twitter.com/geosolutions_it
AVVERTENZE AI SENSI DEL D.Lgs. 196/2003
Le informazioni contenute in questo messaggio di posta elettronica e/o nel/i
file/s allegato/i sono da considerarsi strettamente riservate. Il loro utilizzo
è consentito esclusivamente al destinatario del messaggio, per le finalità
indicate nel messaggio stesso. Qualora riceviate questo messaggio senza esserne
il destinatario, Vi preghiamo cortesemente di darcene notizia via e-mail e di
procedere alla distruzione del messaggio stesso, cancellandolo dal Vostro
sistema. Conservare il messaggio stesso, divulgarlo anche in parte,
distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per finalità diverse,
costituisce comportamento contrario ai principi dettati dal D.Lgs. 196/2003.
The information in this message and/or attachments, is intended solely for the
attention and use of the named addressee(s) and may be confidential or
proprietary in nature or covered by the provisions of privacy act (Legislative
Decree June, 30 2003, no.196 - Italy's New Data Protection Code).Any use not in
accord with its purpose, any disclosure, reproduction, copying, distribution,
or either dissemination, either whole or partial, is strictly forbidden except
previous formal approval of the named addressee(s). If you are not the intended
recipient, please contact immediately the sender by telephone, fax or e-mail
and delete the information in this message that has been received in error. The
sender does not give any warranty or accept liability as the content, accuracy
or completeness of sent messages and accepts no responsibility for changes
made after they were sent or for other risks which arise as a result of e-mail
transmission, viruses, etc.
-------------------------------------------------------
------------------------------------------------------------------------------
What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
patterns at an interface-level. Reveals which users, apps, and protocols are
consuming the most bandwidth. Provides multi-vendor support for NetFlow,
J-Flow, sFlow and other flows. Make informed decisions using capacity planning
reports. http://pubads.g.doubleclick.net/gampad/clk?id=1444514421&iu=/41014381
_______________________________________________
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel
