GeoTools / GeoServer PMC meeting - 2024-05-07

Attending:
- David Blasby
- Peter Smythe
- Jody Garnett
- Andrea Aime

Actions from prior meeting:
- [DONE] Jody: Make a PR for GSIP 224 <https://github.com/geoserver/geoserver/wiki/GSIP-224>
- [DONE] Peter: Make a similar proposal for GeoTools
- [DONE] Jody: Make a Proposal for geoserver-users transition to discourse

Agenda:
- GSIP-224 - Individual contributor clarification <https://github.com/geoserver/geoserver/wiki/GSIP-224>
- GSIP-223 - Community module graduation, amending generality rule <https://github.com/geoserver/geoserver/wiki/GSIP-223>
- GSIP-222 - Promote Raster Attribute Table module to extension <https://github.com/geoserver/geoserver/wiki/GSIP-222>
- GSIP-225 - Migrate geoserver-users from SourceForge to discourse <https://github.com/geoserver/geoserver/wiki/GSIP-225>
- https://github.com/geotools/geotools/wiki/Individual-contributor-clarification
- Security roles internals
- Record of meeting minutes

Actions:
- Jody: Make a ticket about GROUP_ADMIN not having permission to create a new user (GEOS-10938 <https://osgeo-org.atlassian.net/browse/GEOS-10938>)
- Jody: Make a ticket on clean up of admin roles and constants (GEOS-11389 <https://osgeo-org.atlassian.net/browse/GEOS-11389>)
- Jody: Open a ticket to refine Demo Page Javascript rewrite (GEOS-11390 <https://osgeo-org.atlassian.net/browse/GEOS-11390>)

GSIP-224 - Individual contributor clarification
https://github.com/geoserver/geoserver/wiki/GSIP-224

- Is this done? yes

GSIP-223 - Community module graduation, amending generality rule
https://github.com/geoserver/geoserver/wiki/GSIP-223

No PR, Jody made a PR? Can we merge …
- https://github.com/geoserver/geoserver/pull/7603 done
- Does this need backport? Probably not since we only publish from main …

GSIP-222 - Promote Raster Attribute Table module to extension
https://github.com/geoserver/geoserver/wiki/GSIP-222

What is the status?
- Proposal was not completed by the time the release window…
- Not sure if this is merged can we check? Yes …
- 2.25 and main!
- Updated Proposals <https://github.com/geoserver/geoserver/wiki/Proposals> page to indicate this is complete

GSIP-225 - Migrate geoserver-users from SourceForge to discourse
https://github.com/geoserver/geoserver/wiki/GSIP-225

- Proposal was made, and approved

What happens next:
- user list to discourse is a go, we will wait on SAC for the change
- Expected some kind of PR for the website to provide instructions
- Then notify users of the change
- Proposal has shutting down the SF list after 1 month, and migrate any additional messages over

See proposal for details …

Encouragement from mastodon: https://fosstodon.org/@geoserver/112367510772585467

GeoTools proposal for individual contributors
https://github.com/geotools/geotools/wiki/Individual-contributor-clarification

50% response rate …
- Torben is away so assume +0
- No objections
- Likely to pass on May 9th :D

Could probably safely start the PR 😀

Security roles internals

Email questions
- Hard to talk about due to naming “role_admin” “admin” “role_administrator”
- Sometimes objects, sometimes strings

ROLE_ADMINISTRATOR
- This is for the user interface, it unlocks the data admin console screens

ADMINISTRATOR
- This is the “root” kind of access, often used for the REST API
- Unlocks all the admin console for all the screens

GROUP_ADMIN
- Unlocks the security admin console screens

The rest.properties is parsed:
- The constants from GeoServerRole.java <https://github.com/geoserver/geoserver/blob/main/src/main/src/main/java/org/geoserver/security/impl/GeoServerRole.java> define the role objects

    GeoServerRole ADMIN_ROLE = new GeoServerRole("ROLE_ADMINISTRATOR");
    GeoServerRole GROUP_ADMIN_ROLE = new GeoServerRole("ROLE_GROUP_ADMIN");
    GeoServerRole AUTHENTICATED_ROLE = new GeoServerRole("ROLE_AUTHENTICATED");
    GeoServerRole ANY_ROLE = new GeoServerRole("*");
    GeoServerRole ANONYMOUS_ROLE = new GeoServerRole("ROLE_ANONYMOUS");

The https://github.com/geoserver/geoserver/blob/main/data/release/security/rest.properties file is parsed:

    /**;GET=ADMIN
    /**;POST,DELETE,PUT=ADMIN

Parsed by AbstractGeoServerSecurityService.java <https://github.com/geoserver/geoserver/blob/main/src/main/src/main/java/org/geoserver/security/impl/AbstractGeoServerSecurityService.java>:
- Has its own contents …

    String DEFAULT_NAME = "default";
    String DEFAULT_LOCAL_ADMIN_ROLE = "ADMIN";
    String DEFAULT_LOCAL_GROUP_ADMIN_ROLE = "GROUP_ADMIN";

XML Role Service allows you to nominate (for a role service):
- Allows you to grant the internal administrator role to a role defined externally (like LDAP)
- Allows you to grant the internal group administrator role to a role defined externally (like LDAP)
- Does not have a group admin role; makes sense since they are not using the internal screens to manage users…

Trying out on empty data directory:
- Defining a test role with workspace admin access worked as expected, data screens unlocked
- Experimenting showed that GROUP_ADMIN did not behave as expected; it unlocked the security screen - but we did not have permission to add new users.
- Action: Make a ticket about GROUP_ADMIN not having permission to create a new user https://osgeo-org.atlassian.net/browse/GEOS-10938

This shows an incomplete migration from GeoServer 2.1 to GeoServer 2.2:
- It would be difficult to clean up, as the constants have become intermixed with the defaults in the data directory …
- Andrea is trying with an empty data directory; to see what defaults are baked into the application:
  -> ADMIN, while ROLE_ADMIN is nowhere to be found
- Ideas for a cleanup:
  - Many places in the code use either one or the other role (some smart ones, both)
  - Centralize the check that verifies both in a prominent place
  - Deprecate one of the two constants, make sure every admin check goes for the new method checking both
  - Remove the old one from the default geoserver data directory
- Action: Make a ticket on clean up of admin roles and constants GEOS-11389 <https://osgeo-org.atlassian.net/browse/GEOS-11389>

Record of meeting minutes

- Sent to email list for later reference
- Also transparency as PSC.

Chit chat

Should we remove the Demo Requests page?
- Not sure how often it is used for training (its original purpose)
- Can it be rewritten in Javascript? Yes if we have a Javascript developer.

Action: Open a ticket to refine Demo Page Javascript rewrite GEOS-11390 <https://osgeo-org.atlassian.net/browse/GEOS-11390>
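
The cleanup idea recorded under "Security roles internals" (centralize the admin check so it verifies both names), as an added example that is not GeoServer code. The class AdminRoleCheck, its Rule record and the matching semantics are hypothetical; only the role strings and the rule line are taken from the minutes. Assumes Java 17 or later.

```java
import java.util.*;

/** Hypothetical helper (not a GeoServer class): one place that accepts either admin name. */
public class AdminRoleCheck {
    // The two names quoted in the minutes: the GeoServerRole constant and the local default.
    static final Set<String> ADMIN_NAMES = Set.of("ROLE_ADMINISTRATOR", "ADMIN");

    /** The single check callers would use instead of comparing against one constant. */
    static boolean isAdmin(Collection<String> roleNames) {
        return roleNames.stream().anyMatch(ADMIN_NAMES::contains);
    }

    /** One rule line of the form pattern;METHOD[,METHOD]=ROLE[,ROLE]. */
    record Rule(String pattern, Set<String> methods, Set<String> roles) {
        static Rule parse(String line) {
            int semi = line.indexOf(';');
            int eq = line.indexOf('=', semi + 1);
            if (semi < 0 || eq < 0) {
                throw new IllegalArgumentException("not a rule line: " + line);
            }
            return new Rule(line.substring(0, semi).trim(),
                    csv(line.substring(semi + 1, eq)), csv(line.substring(eq + 1)));
        }

        private static Set<String> csv(String text) {
            Set<String> out = new LinkedHashSet<>();
            for (String item : text.split(",")) {
                if (!item.isBlank()) out.add(item.trim().toUpperCase(Locale.ROOT));
            }
            return out;
        }

        /** Assumed semantics: a rule naming either admin role is met by a caller holding either. */
        boolean allows(String method, Collection<String> callerRoles) {
            if (!methods.contains(method.toUpperCase(Locale.ROOT))) return false;
            if (isAdmin(roles) && isAdmin(callerRoles)) return true;
            return callerRoles.stream().anyMatch(roles::contains);
        }
    }

    public static void main(String[] args) {
        Rule write = Rule.parse("/**;POST,DELETE,PUT=ADMIN"); // rule line quoted in the minutes
        // Constructed callers: one holds the constant's name, one only the group admin role.
        for (List<String> caller : List.of(List.of("ROLE_ADMINISTRATOR"), List.of("ROLE_GROUP_ADMIN"))) {
            System.out.println(caller + " PUT allowed: " + write.allows("PUT", caller));
        }
    }
}
```

With every admin decision routed through isAdmin, deprecating one of the two names later means changing ADMIN_NAMES in one place rather than each call site.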