Emanuele Tajariol ( https://osgeo-org.atlassian.net/secure/ViewProfile.jspa?accountId=557058%3A5f715f5e-d477-4c0d-97bb-5b7644324d82 ) created an issue

GeoServer / Bug GEOS-10418: Bad request sent to GeoFence when matching for groups
https://osgeo-org.atlassian.net/browse/GEOS-10418?atlOrigin=eyJpIjoiZDIwZjQ4Y2MzY2RhNDAwNzg4ZjdlYWMxN2RlYzljYTYiLCJwIjoiaiJ9

Issue Type: Bug
Assignee: Unassigned
Components: GeoFence
Created: 14/Mar/22 7:02 PM
Priority: Medium
Reporter: Emanuele Tajariol

When the option “Use GeoServer roles to get authorizations” is used, the
AccessManager should send a request to GeoFence specifying the role and
requiring that no user should be present in the matching rules.

The method selecting role and user in the Rule is this one: 
https://github.com/geoserver/geoserver/blob/84557570531bda5d9ce03703bba379fb2a4b1cfa/src/extension/geofence/src/main/java/org/geoserver/geofence/GeofenceAccessManager.java#L569-L594

When the block

        if (config.isUseRolesToFilter() && config.getRoles().size() > 0) {

            String role = "UNKNOWN";
            for (GrantedAuthority authority : user.getAuthorities()) {
                if (config.getRoles().contains(authority.getAuthority())) {
                    role = authority.getAuthority();
                }
            }
            LOGGER.log(Level.FINE, "Setting role for filter: {0}", new Object[] {role});
            ruleFilter.setRole(role);
            // note: ruleFilter.setUser(...) is never called in this block, so the user filter keeps its default (ANY)
        }

is selected, the user in the rule should also be set:

       ruleFilter.setUser(RuleFilter.SpecialFilterType.DEFAULT);

otherwise the default value ANY will remain as a filter in the rule, and the 
GeoFence rule engine will match also rules related to other users.

In this log for instance:

DEBUG [services.RuleReaderServiceImpl] - Filter RuleFilter[user:ANY role:"UNKNOWN"+ inst:name+:default-gs ip:"xxx.xxx.xxx.xxx"+ serv:"WMS"+ req:"GETMAP"+ ws:"geonode"+ layer:"xxx_mapping_pipelineplanned"+] is matching the following Rules:
DEBUG [services.RuleReaderServiceImpl] -     Role:UNKNOWN
DEBUG [services.RuleReaderServiceImpl] -     Role:UNKNOWN ---> Rule[id:5518 pri:2972 user:admin ws:geonode l:xxx_mapping_pipelineplanned acc:ALLOW]
DEBUG [services.RuleReaderServiceImpl] -     Role:UNKNOWN ---> Rule[id:5519 pri:2973 user:admin srv:WMS ws:geonode l:xxx_mapping_pipelineplanned acc:ALLOW]
DEBUG [services.RuleReaderServiceImpl] - Filter RuleFilter[user:ANY role:"UNKNOWN"+ inst:name+:default-gs ip:"xxx.xxx.xxx.xxx"+ serv:"WMS"+ req:"GETMAP"+ ws:"geonode"+ layer:"xxx_mapping_pipelineplanned"+] on role UNKNOWN has access AccessInfoInternal[grant:ALLOW]
INFO [services.RuleReaderServiceImpl] - Returning AccessInfo[grant:ALLOW admin:false] for RuleFilter[user:ANY role:"UNKNOWN"+ inst:name+:default-gs ip:"xxx.xxx.xxx.xxx"+ serv:"WMS"+ req:"GETMAP"+ ws:"geonode"+ layer:"xxx_mapping_pipelineplanned"+]

we are requesting all the rules for role “UNKNOWN”. By looking for group
matching, we should not match rules explicitly related to given users. In fact
you can see that a Rule for user “admin” is matching, and it should not.


This message was sent by Atlassian Jira (v1001.0.0-SNAPSHOT#100197-sha1:81e20ed)
_______________________________________________
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel
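The following is an added example, written for this page and not code from GeoServer or GeoFence, that models why leaving the user filter at ANY over-matches. It assumes a simplified version of the GeoFence rule-filter semantics: a filter field set to ANY matches every rule, DEFAULT matches only rules that leave that field unset, and a name matches rules carrying that name or leaving the field unset; rules are evaluated by ascending priority and the first match wins, with DENY when nothing matches. The two ALLOW rules are modelled on ids 5518 and 5519 from the log above; the catch-all DENY rule, the configured role set and the requesting user's authorities are constructed for the example.

```python
"""Simplified model of GeoFence rule matching (added example, not GeoFence code).

Assumed semantics: ANY matches every rule on that field, DEFAULT matches
only rules with the field unset, a name matches rules with that name or
with the field unset; lowest priority first; no match means DENY.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple, Union


class Special(Enum):
    ANY = "ANY"          # match rules regardless of this field
    DEFAULT = "DEFAULT"  # match only rules that leave this field unset


FilterValue = Union[Special, str]


@dataclass(frozen=True)
class Rule:
    id: int
    priority: int
    access: str                       # "ALLOW" or "DENY"
    user: Optional[str] = None        # None means "not bound to a user"
    role: Optional[str] = None
    service: Optional[str] = None
    workspace: Optional[str] = None
    layer: Optional[str] = None


@dataclass
class RuleFilter:
    # Every field defaults to ANY, which is the behaviour the report describes
    user: FilterValue = Special.ANY
    role: FilterValue = Special.ANY
    service: FilterValue = Special.ANY
    workspace: FilterValue = Special.ANY
    layer: FilterValue = Special.ANY


FIELDS = ("user", "role", "service", "workspace", "layer")


def field_matches(filter_value: FilterValue, rule_value: Optional[str]) -> bool:
    """Assumed per-field semantics: ANY, DEFAULT, or a name (including unset)."""
    if filter_value is Special.ANY:
        return True
    if filter_value is Special.DEFAULT:
        return rule_value is None
    return rule_value is None or rule_value == filter_value


def matching_rules(rules: List[Rule], flt: RuleFilter) -> List[Rule]:
    """All rules matching every field of the filter, lowest priority first."""
    hits = [r for r in rules
            if all(field_matches(getattr(flt, f), getattr(r, f)) for f in FIELDS)]
    return sorted(hits, key=lambda r: r.priority)


def decide(rules: List[Rule], flt: RuleFilter) -> str:
    matched = matching_rules(rules, flt)
    return matched[0].access if matched else "DENY"


def build_role_filter(config_roles, authorities, set_user_default: bool) -> RuleFilter:
    """Mirror of the role-selection block from the report: pick the last configured
    role the user holds, else "UNKNOWN"; set_user_default toggles the missing line."""
    flt = RuleFilter(service="WMS", workspace="geonode",
                     layer="xxx_mapping_pipelineplanned")
    role = "UNKNOWN"
    for authority in authorities:
        if authority in config_roles:
            role = authority
    flt.role = role
    if set_user_default:
        flt.user = Special.DEFAULT  # the call the report says is missing
    return flt


# Constructed rule set: ids/priorities of the two ALLOW rules follow the log in
# the report; the catch-all DENY rule is invented for the example.
RULES = [
    Rule(id=5518, priority=2972, access="ALLOW", user="admin",
         workspace="geonode", layer="xxx_mapping_pipelineplanned"),
    Rule(id=5519, priority=2973, access="ALLOW", user="admin", service="WMS",
         workspace="geonode", layer="xxx_mapping_pipelineplanned"),
    Rule(id=9999, priority=9999, access="DENY"),
]


def demo(set_user_default: bool) -> Tuple[List[int], str]:
    """Returns (ids of matching rules, final decision) for a user holding no
    configured role (constructed authorities), with or without the fix."""
    flt = build_role_filter(config_roles={"ROLE_EDITOR"},
                            authorities=["ROLE_ANONYMOUS"],
                            set_user_default=set_user_default)
    return [r.id for r in matching_rules(RULES, flt)], decide(RULES, flt)


if __name__ == "__main__":
    print("user:ANY     ->", demo(False))   # admin's rules match, ALLOW
    print("user:DEFAULT ->", demo(True))    # only the catch-all matches, DENY
```

With the user filter left at ANY the two rules bound to user admin match and the request is allowed; with user set to DEFAULT only rules that are not bound to any user are considered, which is what group-based matching should do.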