Hi David,

I created a ticket GEOS-11389 <https://osgeo-org.atlassian.net/browse/GEOS-11389> to continue the discussion, but perhaps this should go on the "technical debt" wiki page. It is surprisingly complicated.

--
Jody Garnett

On May 7, 2024 at 11:11:56 AM, David Blasby via Geoserver-devel <geoserver-devel@lists.sourceforge.net> wrote:

> Hi,
>
> Here are my notes after the PMC meeting.
>
> After talking in the PMC meeting, a full-admin should have two roles;
> * ROLE_ADMINISTRATOR
> * ADMIN
>
> This is how the standard geoserver "admin" user is configured ("release"
> data dir).
>
> See the PMC meeting notes as well. No action for a while because this is
> "opening a can of worms."
>
> I will put a PR for the jwt-headers so it handles these multiple-roles
> better.
>
> CF:
>
> https://github.com/geoserver/geoserver/blob/main/data/release/security/rest.properties
>
> https://github.com/geoserver/geoserver/blob/a634daa9f243c818e1e7ae8ea3504f803676aa19/src/main/src/main/java/org/geoserver/security/impl/GeoServerRole.java#L21
>
> https://github.com/geoserver/geoserver/blob/6e9e25c0c7cdda9ada9f33f8255130d3afc76801/src/main/src/main/java/org/geoserver/security/impl/AbstractGeoServerSecurityService.java#L25
>
> https://github.com/geoserver/geoserver/blob/fb441eefa631a2f66b31b62c6811e44517493b2c/src/main/src/main/java/org/geoserver/security/GeoServerSecurityManager.java#L2047
>
> Thanks,
> Dave
>
> On Mon, May 6, 2024 at 5:23 PM David Blasby <david.bla...@geocat.net>
> wrote:
>
>> Hi,
>>
>> I was doing some testing for the JWT Headers SSO module, and noticed a
>> problem when accessing the REST API.
>>
>> I've tracked this down to the roles "ADMIN" vs role "ROLE_ADMINISTRATOR".
>>
>> I believe (could be wrong) that the WEB uses the role
>> "ROLE_ADMINISTRATOR", but the REST API uses the role "ADMIN".
>>
>> This seems to be setup in -
>> https://github.com/geoserver/geoserver/blob/main/data/release/security/rest.properties
>>
>> When I add "ADMIN" to my roles, the REST API allows me access.
>>
>> I am a bit confused on this - what is the difference between these roles
>> and should admin users have both these roles ("ADMIN" and
>> "ROLE_ADMINISTRATOR")?
>>
>> Thanks,
>> Dave
>>
> _______________________________________________
> Geoserver-devel mailing list
> Geoserver-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/geoserver-devel