REST user role service

The new security integration requires the development of a GeoServerRoleService that will fetch the roles of a user from GeoNode itself. This proposal is generic enough that implementors other than GeoNode could implement the same interface to provide the same information to GeoServer. GeoNode does not offer an API to extract such information, thus it will have to be developed.

However, implementing a GeoServerRoleService is not simply about returning the list of roles for a user; it requires implementing a larger set of methods, some optional, some mandatory. Here is a listing of significant methods that might require calls to GeoNode (based on the LDAP role service, which similarly has to make network calls to work):

| Method | Mandatory |
|---|---|
| getUserNamesForRole(roleName) | ? (implemented in LDAP, but I don’t see actual users of this method besides a utility method that nobody uses) |
| getRolesForUser(user) | Y |
| getRolesForGroup(group) | |
| getRoles() | Y (used by the UI) |
| getParentRole(role) | |
| getAdminRole() | Y |
| getGroupAdminRole() | Y |
| getRoleCount() | Y (does not seem to be used much, we can trivially implement it from getRoles()) |

REST API

From the above we could have the following REST API to talk to:

.../roles
Returns the full list of roles (no paging required, we assume it’s small). Example response: {{ {"roles":["r1","r2","r3"]} }}

.../adminrole
Returns the role of the administrator (yes, just one, it’s strange…): {{ {"adminRole":["root"]} }}

.../users/<user>/roles
Returns the list of roles for a particular user. Example response: {{ {"roles":["r1","r2"]} }}

Configurable API

The GeoServerRoleService talking to a remote service could have the following config parameters:
- Base URL for the remote service
- Configurable URLs for the various calls
- JSON paths to the properties that contain the list of roles, and the one admin role
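
The three calls and the configuration parameters above, as an added example in Python (not part of the proposal or of GeoServer's code). The configuration key names, the `RestRoleClient` class, the injected `fetch` callable and the `geonode.example` host are assumptions made for illustration; the response bodies are the ones shown on this page.

```python
import json
from urllib.parse import quote, urljoin

# Hypothetical configuration: base URL, per-call URL templates, JSON paths.
CONFIG = {"base_url": "https://geonode.example/api/",  # placeholder host
          "roles_url": "roles", "admin_url": "adminrole", "user_roles_url": "users/{user}/roles",
          "roles_path": "roles", "admin_path": "adminRole"}

def build_url(cfg, key, **params):
    if any(v in ("", ".", "..") for v in params.values()):
        raise ValueError("empty or dot-segment path parameter")
    # Encode "/" too, so a name like "../adminrole" stays one path segment.
    safe = {k: quote(v, safe="") for k, v in params.items()}
    return urljoin(cfg["base_url"], cfg[key].format(**safe))

def extract_roles(body, path):
    # Follow the dotted JSON path; fail closed unless it ends at a list of strings.
    node = json.loads(body)
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            raise ValueError(f"missing JSON path {path!r}")
        node = node[part]
    if not isinstance(node, list) or not all(isinstance(r, str) and r for r in node):
        raise ValueError("roles must be a JSON array of non-empty strings")
    return node

class RestRoleClient:
    def __init__(self, cfg, fetch):
        self.cfg, self.fetch = cfg, fetch  # fetch(url) returns the body text

    def _roles(self, url_key, path_key, **params):
        body = self.fetch(build_url(self.cfg, url_key, **params))
        return extract_roles(body, self.cfg[path_key])

    def get_roles(self):
        return self._roles("roles_url", "roles_path")

    def get_roles_for_user(self, user):
        return self._roles("user_roles_url", "roles_path", user=user)

    def get_admin_role(self):
        roles = self._roles("admin_url", "admin_path")
        if len(roles) != 1:  # the page expects just one admin role
            raise ValueError("expected exactly one admin role")
        return roles[0]

# Constructed responses, using the example bodies shown on the page.
SAMPLE = {"https://geonode.example/api/roles": '{"roles":["r1","r2","r3"]}',
          "https://geonode.example/api/adminrole": '{"adminRole":["root"]}',
          "https://geonode.example/api/users/alice/roles": '{"roles":["r1","r2"]}'}
```

`RestRoleClient(CONFIG, SAMPLE.__getitem__)` exercises the client offline; a malformed or unexpected reply raises instead of yielding an empty or partial role list.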

Code location

Where should we put this new class? I’m tempted to put it in authkey, it makes a nice pair with the authkey REST key mapper.

Securing API access

In terms of security, GeoNode will limit the ability to perform requests by IP address; it’s otherwise going to be open.