Hello everybody, I think the benefits of leaving this possibility to the users might well overcome the dangers. I agree this is utterly dangerous, so it would be wise to leave that feature off by default, and have a config item to activate it on purpose, so the users and sysadmins shall be well aware of this feature and its implications.
There are some use-cases where it is really very handy that GeoServer creates the tables when needed, and in the same projects it might be well possible that the reversal would be equilly practical. If the user performing the REST calls to delete the FeatureType has the rights to admin the workspace, why not also delete the table? When someone is using the REST API he is supposed to know what he is doing, and that he is managing his own data. I have tried to do a POC with a secondary micro-service dedicated to this, but the ACL on the data level then becomes tricky to retrieve from geoserver. The pros that I see about putting an argument to delete the table when you delete the featuretype are: - it's messy to add a secondary service that must somehow "know" who the user is and what his permissions are - during the DELETE event you are at the right place to know if the user can perform such management operation on his dataset - it's exactly the reversal of the "create table if not exists" that is currently implemented the cons that I see as well: - indeed it is dangerous because it means data deletion Andrea Borghi On Thu, Feb 15, 2024 at 9:55 AM Andrea Aime < andrea.a...@geosolutionsgroup.com> wrote: > Hi all, > the typical GeoServer approach is not to be opinionated about things. > "Proudly letting users free since 2002" could be our slogan... want to be > strictly OGC compliant? We have a checkbox for you. > Want to do things in a more convenient way and the hell with standard > strictness? We also support that. > > Table creation is already allowed both by the importer (which also > imports the data), and by the GUI/REST API > <https://github.com/geoserver/geoserver/blob/0ab715486a958632e9e7d54ad5746a4858189f3b/src/restconfig/src/main/java/org/geoserver/rest/catalog/FeatureTypeController.java#L226> > for table creation > (WFS-T should then be used for data import): > > [image: image.png] > > [image: image.png] > > Having a delete would make things symmetric, and I agree that cascade > should be explicitly added for that > to happen. > > That said, I also hear the voice of those claiming "geoserver should not > be used to manage data". > For that, we should have a simple warning in the production section: > "GeoServer offers ability to create > and drop tables through UI and REST API, if this is not your intent, > please lock down the database > grants for the account used by GeoServer"... which is generally speaking > also good IT hygiene in general. > (don't give accounts more rights than necessary). > > Cheers > Andrea > > > On Thu, Feb 15, 2024 at 9:29 AM Rahkonen Jukka < > jukka.rahko...@maanmittauslaitos.fi> wrote: > >> Hi, >> >> >> >> I do not believe that it is generally possible to know if the table was >> created with REST API or by some other means. It is possible to check the >> owner of the table and if Geoserver is configured to use a special database >> account with well thought-out privileges it might be safe to allow to drop >> tables with REST. However, I believe that in most Geoserver installations >> the geoserver db user has all too wide privileges, at least if you ask from >> the DB admins. >> If we will have a configuration option "cascade=true" then it should be >> off by default, and somehow the geoserver admin who turns it on should be >> made aware of all the consequences. >> >> >> >> -Jukka Rahkonen- >> >> >> >> >> >> *Lähettäjä:* Roar Brænden <roar.brenden...@gmail.com> >> *Lähetetty:* keskiviikko 14. helmikuuta 2024 23.29 >> *Vastaanottaja:* geoserver-users@lists.sourceforge.net >> *Kopio:* Gabriel Roldan <gabriel.rol...@gmail.com>; Jody Garnett < >> jody.garn...@gmail.com>; Rahkonen Jukka < >> jukka.rahko...@maanmittauslaitos.fi> >> *Aihe:* Re: [Geoserver-users] Deleting database table through REST API >> >> >> >> Hi, >> >> >> >> I think it would be helpful to separate the use cases. The original >> question was about a database table that were created by the REST API when >> creating a layer. In such a situation it makes sense to delete the table >> when deleting the layer. Otherwise you could see a scenario were there are >> a lot of lost tables in the database. >> >> >> >> In other situations we have a layer that is wrapped on top of an existing >> table. In such cases it would be very disruptive to delete the database >> table when deleting the layer. >> >> >> >> I'm in favor of introducing an extra parameter for instance >> "cascade=true", if the user wants to delete the database table as well. In >> the last scenario it would also make sense to restrict the database user, >> that are configured in Geoserver, from making disruptive calls to the >> database. Like dropping a table. >> >> >> >> Regards, >> >> Roar Brænden >> >> >> >> >> >> 14. feb. 2024 kl. 17:42 skrev Rahkonen Jukka < >> jukka.rahko...@maanmittauslaitos.fi>: >> >> >> >> Hi, >> >> >> >> I was thinking about the same, but if user can do something with the user >> interface then why not with REST? Both are secured only by the >> username/password. However, I do not know if it is possible to drop >> database tables from the UI. I have seen some user requests about cascading >> deletes so that deleting a layer would also delete the data. I think that >> is not a good idea. >> >> >> >> -Jukka Rahkonen- >> >> >> >> *Lähettäjä:* Gabriel Roldan <gabriel.rol...@gmail.com> >> *Lähetetty:* keskiviikko 14. helmikuuta 2024 17.46 >> *Vastaanottaja:* Jody Garnett <jody.garn...@gmail.com> >> *Kopio:* geoserver-users@lists.sourceforge.net >> *Aihe:* Re: [Geoserver-users] Deleting database table through REST API >> >> >> >> Hi all, >> >> For the record, >> >> I'm utterly against deleting database tables through the geoserver REST >> API >> >> * It's absolutely dangerous >> >> * The REST API shall with GeoServer "resources", not infrastructure ones >> >> >> >> If I wanted to delete a table through *a* REST API, I'd better run two >> queries, one to delete the geoserver FeatureType/Layer, >> >> and another one to delete the database table, for which there are >> existing solutions, for example PostgREST https://postgrest.org >> >> (not sure if that one lets you drop tables) but you get the idea. >> >> >> >> Cheers, >> >> Gabe >> >> >> >> >> >> >> >> On Mon, 12 Feb 2024 at 16:25, Jody Garnett <jody.garn...@gmail.com> >> wrote: >> >> I am open to improvements and addition to the importer API (which offers >> some control as it is responsible for the automatic creation of tables; it >> has an opportunity to delete an existing table when replacing contents). >> >> >> >> See example >> https://docs.geoserver.org/latest/en/user/extensions/importer/rest_examples.html#replacing-postgis-table-using-the-contents-of-a-csv-file >> >> >> >> >> >> -- >> >> Jody Garnett >> >> >> >> >> >> On Feb 12, 2024 at 1:30:11 AM, Cécile Vuilleumier < >> cecile.vuilleum...@camptocamp.com> wrote: >> >> Hi all >> When creating a feature type in a database datastore with the REST API, >> GeoServer will create the corresponding table if it does not exist. >> We were wondering if similarly the deletion of a table was also possible >> when deleting the associated feature type and I found this discussion: >> https://sourceforge.net/p/geoserver/mailman/message/36221224/ >> Does anybody know if a proposal had been submitted? I couldn't find it on >> the GitHub wiki but I might have missed it. >> Many thanks, Cécile >> >> -- >> *camp**to**camp* >> >> *Cécile Vuilleumier* >> >> Geospatial developer >> www.camptocamp.com >> >> _______________________________________________ >> Geoserver-users mailing list >> >> Please make sure you read the following two resources before posting to >> this list: >> - Earning your support instead of buying it, but Ian Turton: >> http://www.ianturton.com/talks/foss4g.html#/ >> - The GeoServer user list posting guidelines: >> http://geoserver.org/comm/userlist-guidelines.html >> >> If you want to request a feature or an improvement, also see this: >> https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer >> >> >> Geoserver-users@lists.sourceforge.net >> https://lists.sourceforge.net/lists/listinfo/geoserver-users >> >> _______________________________________________ >> Geoserver-users mailing list >> >> Please make sure you read the following two resources before posting to >> this list: >> - Earning your support instead of buying it, but Ian Turton: >> http://www.ianturton.com/talks/foss4g.html#/ >> - The GeoServer user list posting guidelines: >> http://geoserver.org/comm/userlist-guidelines.html >> >> If you want to request a feature or an improvement, also see this: >> https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer >> >> >> Geoserver-users@lists.sourceforge.net >> https://lists.sourceforge.net/lists/listinfo/geoserver-users >> >> >> >> >> -- >> >> Gabriel Roldán >> >> _______________________________________________ >> Geoserver-users mailing list >> >> Please make sure you read the following two resources before posting to >> this list: >> - Earning your support instead of buying it, but Ian Turton: >> http://www.ianturton.com/talks/foss4g.html#/ >> - The GeoServer user list posting guidelines: >> http://geoserver.org/comm/userlist-guidelines.html >> >> If you want to request a feature or an improvement, also see this: >> https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer >> >> >> Geoserver-users@lists.sourceforge.net >> https://lists.sourceforge.net/lists/listinfo/geoserver-users >> >> >> _______________________________________________ >> Geoserver-users mailing list >> >> Please make sure you read the following two resources before posting to >> this list: >> - Earning your support instead of buying it, but Ian Turton: >> http://www.ianturton.com/talks/foss4g.html#/ >> - The GeoServer user list posting guidelines: >> http://geoserver.org/comm/userlist-guidelines.html >> >> If you want to request a feature or an improvement, also see this: >> https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer >> >> >> Geoserver-users@lists.sourceforge.net >> https://lists.sourceforge.net/lists/listinfo/geoserver-users >> > > > -- > > Regards, > > Andrea Aime > > == > GeoServer Professional Services from the experts! > > Visit http://bit.ly/gs-services-us for more information. > == > > Ing. Andrea Aime > @geowolf > Technical Lead > > GeoSolutions Group > phone: +39 0584 962313 > > fax: +39 0584 1660272 > > mob: +39 339 8844549 > > https://www.geosolutionsgroup.com/ > > http://twitter.com/geosolutions_it > > ------------------------------------------------------- > > Con riferimento alla normativa sul trattamento dei dati personali (Reg. UE > 2016/679 - Regolamento generale sulla protezione dei dati “GDPR”), si > precisa che ogni circostanza inerente alla presente email (il suo > contenuto, gli eventuali allegati, etc.) è un dato la cui conoscenza è > riservata al/i solo/i destinatario/i indicati dallo scrivente. Se il > messaggio Le è giunto per errore, è tenuta/o a cancellarlo, ogni altra > operazione è illecita. Le sarei comunque grato se potesse darmene notizia. > > This email is intended only for the person or entity to which it is > addressed and may contain information that is privileged, confidential or > otherwise protected from disclosure. We remind that - as provided by > European Regulation 2016/679 “GDPR” - copying, dissemination or use of this > e-mail or the information herein by anyone other than the intended > recipient is prohibited. If you have received this email by mistake, please > notify us immediately by telephone or e-mail > _______________________________________________ > Geoserver-users mailing list > > Please make sure you read the following two resources before posting to > this list: > - Earning your support instead of buying it, but Ian Turton: > http://www.ianturton.com/talks/foss4g.html#/ > - The GeoServer user list posting guidelines: > http://geoserver.org/comm/userlist-guidelines.html > > If you want to request a feature or an improvement, also see this: > https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer > > > Geoserver-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/geoserver-users >
_______________________________________________ Geoserver-users mailing list Please make sure you read the following two resources before posting to this list: - Earning your support instead of buying it, but Ian Turton: http://www.ianturton.com/talks/foss4g.html#/ - The GeoServer user list posting guidelines: http://geoserver.org/comm/userlist-guidelines.html If you want to request a feature or an improvement, also see this: https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer Geoserver-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/geoserver-users
