Hi David,

I created a ticket GEOS-11389
<https://osgeo-org.atlassian.net/browse/GEOS-11389> to continue the
discussion, but perhaps this should go on the "technical debt" wiki page.
It is surprisingly complicated.
--
Jody Garnett

On May 7, 2024 at 11:11:56 AM, David Blasby via Geoserver-devel <
geoserver-devel@lists.sourceforge.net> wrote:

> Hi,
>
> Here are my notes after the PMC meeting.
>
> After talking in the PMC meeting, a full-admin should have two roles;
> * ROLE_ADMINISTRATOR
> * ADMIN
>
> This is how the standard geoserver "admin" user is configured ("release"
> data dir).
>
> See the PMC meeting notes as well.  No action for a while because this is
> "opening a can of worms."
>
> I will put a PR for the jwt-headers so it handles these multiple-roles
> better.
>
> CF:
>
> https://github.com/geoserver/geoserver/blob/main/data/release/security/rest.properties
>
> https://github.com/geoserver/geoserver/blob/a634daa9f243c818e1e7ae8ea3504f803676aa19/src/main/src/main/java/org/geoserver/security/impl/GeoServerRole.java#L21
>
> https://github.com/geoserver/geoserver/blob/6e9e25c0c7cdda9ada9f33f8255130d3afc76801/src/main/src/main/java/org/geoserver/security/impl/AbstractGeoServerSecurityService.java#L25
>
> https://github.com/geoserver/geoserver/blob/fb441eefa631a2f66b31b62c6811e44517493b2c/src/main/src/main/java/org/geoserver/security/GeoServerSecurityManager.java#L2047
>
> Thanks,
> Dave
>
> On Mon, May 6, 2024 at 5:23 PM David Blasby <david.bla...@geocat.net>
> wrote:
>
>> Hi,
>>
>> I was doing some testing for the JWT Headers SSO module, and noticed a
>> problem when accessing the REST API.
>>
>> I've tracked this down to the roles "ADMIN" vs role "ROLE_ADMINISTRATOR".
>>
>> I believe (could be wrong) that the WEB uses the role
>> "ROLE_ADMINISTRATOR", but the REST API uses the role "ADMIN".
>>
>> This seems to be set up in:
>> https://github.com/geoserver/geoserver/blob/main/data/release/security/rest.properties
>>
>> When I add "ADMIN" to my roles, the REST API allows me access.
>>
>> I am a bit confused on this - what is the difference between these roles
>> and should admin users have both these roles ("ADMIN" and
>> "ROLE_ADMINISTRATOR")?
>>
>> Thanks,
>> Dave
>>
> _______________________________________________
> Geoserver-devel mailing list
> Geoserver-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/geoserver-devel
>
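To make the role mismatch in the thread concrete, here is a small added example (not GeoServer's own code and not part of the thread) that models `rest.properties`-style rules of the form `<ant-path>;<METHOD>[,<METHOD>]=<ROLE>[,<ROLE>]` and evaluates them against a principal's roles. The sample rule file is constructed to mirror the shape of the linked `data/release/security/rest.properties`; the exact lines, the first-matching-rule-wins semantics and the deny-by-default fallback are assumptions of this model, and the web-side check is reduced to "does the principal hold `ROLE_ADMINISTRATOR`", as described in the thread. It shows why a principal carrying only `ROLE_ADMINISTRATOR` is refused by rules written against `ADMIN`, and why holding both roles, the PMC position above, satisfies both checks.

```python
"""Toy evaluator for GeoServer-style rest.properties access rules.

Added example; not GeoServer's implementation. It exists only to show
how the two admin role names discussed in the thread interact.
"""
import re
from dataclasses import dataclass

# Constructed sample in the shape of data/release/security/rest.properties.
# The precise contents of the real file are an assumption here.
SAMPLE_REST_PROPERTIES = """\
# REST API rules: <path>;<methods>=<roles>
/**;GET=ADMIN
/**;POST,DELETE,PUT=ADMIN
"""

WEB_ADMIN_ROLE = "ROLE_ADMINISTRATOR"   # role the web UI checks (per the thread)
REST_ADMIN_ROLE = "ADMIN"               # role named in rest.properties (per the thread)
PMC_FULL_ADMIN_ROLES = frozenset({WEB_ADMIN_ROLE, REST_ADMIN_ROLE})


@dataclass(frozen=True)
class Rule:
    path_pattern: str
    methods: frozenset
    roles: frozenset


def parse_rest_properties(text):
    """Parse '<ant-path>;<M1>,<M2>=<R1>,<R2>' lines; blanks and '#' comments are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        lhs, _, rhs = line.partition("=")
        path, _, methods = lhs.partition(";")
        rules.append(Rule(
            path.strip(),
            frozenset(m.strip().upper() for m in methods.split(",") if m.strip()),
            frozenset(r.strip() for r in rhs.split(",") if r.strip()),
        ))
    return rules


def _ant_to_regex(pattern):
    """Ant-style glob: '**' spans path segments, '*' stays within one segment."""
    out, i = "", 0
    while i < len(pattern):
        if pattern.startswith("**", i):
            out, i = out + ".*", i + 2
        elif pattern[i] == "*":
            out, i = out + "[^/]*", i + 1
        else:
            out, i = out + re.escape(pattern[i]), i + 1
    return re.compile("^" + out + "$")


def path_matches(pattern, path):
    return _ant_to_regex(pattern).match(path) is not None


def is_allowed(rules, principal_roles, method, path):
    """First rule matching method and path decides; no match means deny (model assumption)."""
    method = method.upper()
    for rule in rules:
        if method in rule.methods and path_matches(rule.path_pattern, path):
            return bool(rule.roles & set(principal_roles))
    return False


def access_summary(principal_roles, rest_text=SAMPLE_REST_PROPERTIES, path="/rest/workspaces"):
    """Outcome of the web admin check and two REST calls for a given role set."""
    rules = parse_rest_properties(rest_text)
    return {
        "web_admin": WEB_ADMIN_ROLE in principal_roles,
        "rest_get": is_allowed(rules, principal_roles, "GET", path),
        "rest_put": is_allowed(rules, principal_roles, "PUT", path),
    }


if __name__ == "__main__":
    for roles in ({WEB_ADMIN_ROLE}, {REST_ADMIN_ROLE}, PMC_FULL_ADMIN_ROLES):
        print(sorted(roles), access_summary(roles))
```

Running the block prints one line per role set: `ROLE_ADMINISTRATOR` alone passes the web check but fails every REST rule, `ADMIN` alone does the opposite, and only the two together pass everything, which is exactly the symptom David describes when adding `ADMIN` to his JWT-derived roles. When auditing an SSO or header-based role mapping, feed the roles it actually emits through a check like this rather than assuming one admin name covers both surfaces.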