Re: [Geoserver-devel] "ADMIN" vs "ROLE_ADMINISTRATOR"

2024-05-08 Thread Jody Garnett
Hi David,

I created a ticket GEOS-11389 to continue the discussion, but perhaps this
should go on the "technical debt" wiki page.
It is surprisingly complicated.
--
Jody Garnett

On May 7, 2024 at 11:11:56 AM, David Blasby via Geoserver-devel <
geoserver-devel@lists.sourceforge.net> wrote:

> Hi,
>
> Here are my notes after the PMC meeting.
>
>
> After talking in the PMC meeting, a full-admin should have two roles:
> * ROLE_ADMINISTRATOR
> * ADMIN
>
> This is how the standard geoserver "admin" user is configured ("release"
> data dir).
>
> See the PMC meeting notes as well.  No action for a while because this is
> "opening a can of worms."
>
> I will put a PR for the jwt-headers so it handles these multiple-roles
> better.
>
> CF:
> https://github.com/geoserver/geoserver/blob/main/data/release/security/rest.properties
> https://github.com/geoserver/geoserver/blob/a634daa9f243c818e1e7ae8ea3504f803676aa19/src/main/src/main/java/org/geoserver/security/impl/GeoServerRole.java#L21
> https://github.com/geoserver/geoserver/blob/6e9e25c0c7cdda9ada9f33f8255130d3afc76801/src/main/src/main/java/org/geoserver/security/impl/AbstractGeoServerSecurityService.java#L25
> https://github.com/geoserver/geoserver/blob/fb441eefa631a2f66b31b62c6811e44517493b2c/src/main/src/main/java/org/geoserver/security/GeoServerSecurityManager.java#L2047
>
> Thanks,
> Dave
>
> On Mon, May 6, 2024 at 5:23 PM David Blasby wrote:
>
>> Hi,
>>
>> I was doing some testing for the JWT Headers SSO module, and noticed a
>> problem when accessing the REST API.
>>
>> I've tracked this down to the roles "ADMIN" vs role "ROLE_ADMINISTRATOR".
>>
>> I believe (could be wrong) that the WEB uses the role
>> "ROLE_ADMINISTRATOR", but the REST API uses the role "ADMIN".
>>
>> This seems to be set up in -
>> https://github.com/geoserver/geoserver/blob/main/data/release/security/rest.properties
>>
>>
>> When I add "ADMIN" to my roles, the REST API allows me access.
>>
>> I am a bit confused on this - what is the difference between these roles
>> and should admin users have both these roles ("ADMIN" and
>> "ROLE_ADMINISTRATOR")?
>>
>> Thanks,
>> Dave
>>
___
Geoserver-devel mailing list
Geoserver-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-devel


Re: [Geoserver-devel] "ADMIN" vs "ROLE_ADMINISTRATOR"

2024-05-07 Thread David Blasby via Geoserver-devel
Hi,

Here are my notes after the PMC meeting.


After talking in the PMC meeting, a full-admin should have two roles:
* ROLE_ADMINISTRATOR
* ADMIN

This is how the standard geoserver "admin" user is configured ("release"
data dir).

See the PMC meeting notes as well.  No action for a while because this is
"opening a can of worms."

I will put a PR for the jwt-headers so it handles these multiple-roles
better.

CF:
https://github.com/geoserver/geoserver/blob/main/data/release/security/rest.properties
https://github.com/geoserver/geoserver/blob/a634daa9f243c818e1e7ae8ea3504f803676aa19/src/main/src/main/java/org/geoserver/security/impl/GeoServerRole.java#L21
https://github.com/geoserver/geoserver/blob/6e9e25c0c7cdda9ada9f33f8255130d3afc76801/src/main/src/main/java/org/geoserver/security/impl/AbstractGeoServerSecurityService.java#L25
https://github.com/geoserver/geoserver/blob/fb441eefa631a2f66b31b62c6811e44517493b2c/src/main/src/main/java/org/geoserver/security/GeoServerSecurityManager.java#L2047

Thanks,
Dave

On Mon, May 6, 2024 at 5:23 PM David Blasby wrote:

> Hi,
>
> I was doing some testing for the JWT Headers SSO module, and noticed a
> problem when accessing the REST API.
>
> I've tracked this down to the roles "ADMIN" vs role "ROLE_ADMINISTRATOR".
>
> I believe (could be wrong) that the WEB uses the role
> "ROLE_ADMINISTRATOR", but the REST API uses the role "ADMIN".
>
> This seems to be set up in -
> https://github.com/geoserver/geoserver/blob/main/data/release/security/rest.properties
>
>
> When I add "ADMIN" to my roles, the REST API allows me access.
>
> I am a bit confused on this - what is the difference between these roles
> and should admin users have both these roles ("ADMIN" and
> "ROLE_ADMINISTRATOR")?
>
> Thanks,
> Dave
>
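A small model of the access decision described in this thread, added here as an example and not code from GeoServer or the jwt-headers module: it parses REST rules in the rest.properties style (the `path;METHOD[,METHOD]=ROLE[,ROLE]` syntax is assumed from the GeoServer docs and the sample lines are constructed), evaluates a principal's roles against them, and shows an SSO role mapping that grants both ROLE_ADMINISTRATOR and ADMIN as the PMC notes recommend. The claim name `geoserver-admin`, first-match evaluation and deny-by-default are assumptions.

```python
"""Model of the two-role admin check discussed in the thread (added example)."""
from fnmatch import fnmatch

# The two admin role names named in the thread.
ROLE_ADMINISTRATOR = "ROLE_ADMINISTRATOR"  # checked by the web UI
ADMIN = "ADMIN"                            # named in the REST rules

# Constructed sample in rest.properties style (syntax assumed from the GeoServer
# docs: path;METHOD[,METHOD]=ROLE[,ROLE]); not the project's actual file.
SAMPLE_REST_PROPERTIES = """\
/**;GET=ADMIN
/**;POST,DELETE,PUT=ADMIN
"""


def parse_rest_rules(text):
    """Return (path_pattern, methods, roles) tuples, skipping blanks and comments."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        lhs, roles = line.split("=", 1)
        path, methods = lhs.split(";", 1)
        rules.append((path,
                      {m.strip() for m in methods.split(",")},
                      {r.strip() for r in roles.split(",")}))
    return rules


def path_matches(pattern, path):
    """Ant-style match: a trailing /** covers the prefix and everything below it."""
    if pattern.endswith("/**"):
        return path.startswith(pattern[:-3])
    return fnmatch(path, pattern)


def rest_allows(rules, method, path, roles):
    """First matching rule decides; no matching rule means deny (assumed)."""
    for pattern, methods, allowed in rules:
        if method in methods and path_matches(pattern, path):
            return bool(allowed & set(roles))
    return False


def map_sso_roles(claims, admin_claim="geoserver-admin"):
    """Hypothetical SSO mapping: an admin claim yields BOTH GeoServer admin roles."""
    return {ROLE_ADMINISTRATOR, ADMIN} if admin_claim in claims else set()
```

With only ROLE_ADMINISTRATOR the REST rules above deny the request, which is the behaviour Dave observed; the mapping helper is the fix he proposes, giving a full admin both roles.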


Re: [Geoserver-devel] "ADMIN" vs "ROLE_ADMINISTRATOR"

2024-05-06 Thread Jody Garnett
Thinking that this may be by design?

Admin gets full access, … including by default the rest api.

Role Admin is used to unlock some of the data admin screens in the user
interface (and can be set on a workspace or layer level).

Admin is required for the more advanced user interface screens like global
settings.

It may be that some of the REST API endpoints could be configured to allow
Role Admin access?

--
Jody Garnett


On Mon, May 6, 2024 at 5:49 PM David Blasby via Geoserver-devel <
geoserver-devel@lists.sourceforge.net> wrote:

> Hi,
>
> I was doing some testing for the JWT Headers SSO module, and noticed a
> problem when accessing the REST API.
>
> I've tracked this down to the roles "ADMIN" vs role "ROLE_ADMINISTRATOR".
>
> I believe (could be wrong) that the WEB uses the role
> "ROLE_ADMINISTRATOR", but the REST API uses the role "ADMIN".
>
> This seems to be set up in -
> https://github.com/geoserver/geoserver/blob/main/data/release/security/rest.properties
>
>
> When I add "ADMIN" to my roles, the REST API allows me access.
>
> I am a bit confused on this - what is the difference between these roles
> and should admin users have both these roles ("ADMIN" and
> "ROLE_ADMINISTRATOR")?
>
> Thanks,
> Dave


[Geoserver-devel] "ADMIN" vs "ROLE_ADMINISTRATOR"

2024-05-06 Thread David Blasby via Geoserver-devel
Hi,

I was doing some testing for the JWT Headers SSO module, and noticed a
problem when accessing the REST API.

I've tracked this down to the roles "ADMIN" vs role "ROLE_ADMINISTRATOR".

I believe (could be wrong) that the WEB uses the role "ROLE_ADMINISTRATOR",
but the REST API uses the role "ADMIN".

This seems to be set up in -
https://github.com/geoserver/geoserver/blob/main/data/release/security/rest.properties


When I add "ADMIN" to my roles, the REST API allows me access.

I am a bit confused on this - what is the difference between these roles
and should admin users have both these roles ("ADMIN" and
"ROLE_ADMINISTRATOR")?

Thanks,
Dave