Hi,

Here are my notes after the PMC meeting.


After talking in the PMC meeting, a full-admin should have two roles:
* ROLE_ADMINISTRATOR
* ADMIN

This is how the standard geoserver "admin" user is configured ("release"
data dir).

See the PMC meeting notes as well.  No action for a while because this is
"opening a can of worms."

I will put up a PR for the jwt-headers so it handles these multiple roles
better.

CF:
https://github.com/geoserver/geoserver/blob/main/data/release/security/rest.properties

https://github.com/geoserver/geoserver/blob/a634daa9f243c818e1e7ae8ea3504f803676aa19/src/main/src/main/java/org/geoserver/security/impl/GeoServerRole.java#L21

https://github.com/geoserver/geoserver/blob/6e9e25c0c7cdda9ada9f33f8255130d3afc76801/src/main/src/main/java/org/geoserver/security/impl/AbstractGeoServerSecurityService.java#L25

https://github.com/geoserver/geoserver/blob/fb441eefa631a2f66b31b62c6811e44517493b2c/src/main/src/main/java/org/geoserver/security/GeoServerSecurityManager.java#L2047

Thanks,
Dave

On Mon, May 6, 2024 at 5:23 PM David Blasby <david.bla...@geocat.net> wrote:

> Hi,
>
> I was doing some testing for the JWT Headers SSO module, and noticed a
> problem when accessing the REST API.
>
> I've tracked this down to the roles "ADMIN" vs role "ROLE_ADMINISTRATOR".
>
> I believe (could be wrong) that the WEB uses the role
> "ROLE_ADMINISTRATOR", but the REST API uses the role "ADMIN".
>
> This seems to be set up in:
> https://github.com/geoserver/geoserver/blob/main/data/release/security/rest.properties
>
>
> When I add "ADMIN" to my roles, the REST API allows me access.
>
> I am a bit confused on this - what is the difference between these roles
> and should admin users have both these roles ("ADMIN" and
> "ROLE_ADMINISTRATOR")?
>
> Thanks,
> Dave
>
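To make the mismatch described above concrete, here is an added example (not GeoServer code and not part of this thread): a small model of REST access rules in the rest.properties style, which is assumed here to be `<ant path>;<METHODS>=<ROLES>` with first matching rule deciding and deny-by-default, evaluated for a user holding only ROLE_ADMINISTRATOR versus one holding both roles.

```python
import re

# Constructed sample in the rest.properties style ("<ant path>;<METHODS>=<ROLES>").
# The format and the rule lines are assumptions for illustration; the real
# file's content is not reproduced here.
SAMPLE_REST_RULES = """
# REST rules: every method on every path requires the ADMIN role
/**;GET=ADMIN
/**;POST,DELETE,PUT=ADMIN
"""

# The two role names from the thread: the web UI checks one, the REST rules the other.
FULL_ADMIN_ROLES = frozenset({"ROLE_ADMINISTRATOR", "ADMIN"})


def parse_rules(text):
    """Parse rule lines into (pattern, methods, roles) tuples, skipping comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        lhs, roles = line.split("=", 1)
        pattern, methods = lhs.split(";", 1)
        rules.append((pattern,
                      {m.strip().upper() for m in methods.split(",")},
                      {r.strip() for r in roles.split(",")}))
    return rules


def ant_match(pattern, path):
    """Minimal Ant-style matcher: '**' crosses '/' boundaries, '*' does not."""
    regex = re.escape(pattern).replace(r"\*\*", ".*").replace(r"\*", "[^/]*")
    return re.fullmatch(regex, path) is not None


def allowed(rules, method, path, user_roles):
    """First matching rule decides (assumed); a request matching no rule is denied."""
    for pattern, methods, roles in rules:
        if method.upper() in methods and ant_match(pattern, path):
            return bool(roles & set(user_roles))
    return False


def missing_admin_roles(user_roles):
    """Which of the two admin roles a would-be full admin still lacks."""
    return set(FULL_ADMIN_ROLES - set(user_roles))


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_REST_RULES)
    for roles in ({"ROLE_ADMINISTRATOR"}, {"ROLE_ADMINISTRATOR", "ADMIN"}):
        ok = allowed(rules, "GET", "/rest/workspaces", roles)
        print(sorted(roles), "-> REST GET allowed:", ok, "missing:", missing_admin_roles(roles))
```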
_______________________________________________
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel