Advanced Security with GeoServer
DESCRIPTION
The presentation provides an introduction to GeoServer's own authentication and authorization subsystems. We'll cover the supported authentication protocols, from basic/digest authentication to CAS support, check the various identity providers, such as local config files, database tables and LDAP servers, and show how the various bits can be combined into a single comprehensive authentication tool, as well as provide examples of custom authentication plugins for GeoServer, integrating it into a home-grown security architecture. We'll then move on to authorization, describing the GeoServer pluggable authorization mechanism and comparing it with proxy-based solutions, and check the built-in service and data security system, reviewing its benefits and limitations. Finally we'll explore an advanced authorization tool called GeoFence, and see how it plugs into GeoServer to provide graphical configuration of complex authorization rules over data and OGC services, taking into account spatial filters, attribute filters, attribute hiding as well as cropping raster data to areas of interest. We'll also show how, using LDAP, both GeoFence and GeoServer can share a common user database, simplifying the administrators' job, and provide some real-world examples.
TRANSCRIPT
Advanced Security With GeoServer
Ing. Mauro Bartolomeoli, GeoSolutions
Ing. Emanuele Tajariol, GeoSolutions
Ing. Simone Giannecchini, GeoSolutions
Ing. Alessio Fabiani, GeoSolutions
FOSS4G 2014, Portland, 10th September 2014
GeoSolutions
Founded in Italy in late 2006
Expertise:
• Image Processing, GeoSpatial Data Fusion
• Java, Java Enterprise, C++, Python
• JPEG2000, JPIP, Advanced 2D visualization
Supporting/Developing FOSS4G projects: GeoServer, MapStore, GeoBatch, GeoNetwork
Clients: Public Agencies, Private Companies
http://www.geo-solutions.it
GeoServer Security Subsystem Overview
GeoServer security handles:
• Authentication (filtering and credential checks)
• Authorization (resource access managers)
Based on Spring Security.
Users / Groups / Roles:
• User/group services
• Role services
Authentication:
• Chains
• Filters
• Providers
Authorization:
• Auth on data: e.g. layers, workspaces
• Auth on services: e.g. WMS, WFS
• By role
Users / Groups / Roles Storage
User/Group service:
• Storage for users' and groups' details
• Storage for user credentials (e.g. passwords)
• Password encryption handling
• Read/Write or Read-only
• Default implementations: XML files, Database through JDBC
• Easy to implement and plug new services
• Used by many filters/providers as a source for authenticated users' details
• Missing: Read/Write LDAP User/Group service
Role service:
• Storage for roles
• Read/Write or Read-only
• Assigns roles to users and/or groups
• Default implementations: XML files, Database through JDBC, J2EE (from the Java Web Container), LDAP
• Easy to implement and plug new services
• One Active (Default) Role service
• Used by many filters/providers as a source for authenticated users' roles
Authentication
Filter Chains:
• Selected by «request url» pattern matching: Web UI, OGC Services, REST API, …
• Optionally also by HTTP method: GET, POST, …
• HTTP session handling configured per chain
• Each chain applies a sequence of configured Filters to the matching requests
• SSL-only flag
Filters:
• Gathering user credentials (and eventually invoking the authentication providers chain): Basic, Form, Anonymous (always the last)
• Preauthentication or self-contained verification (and eventually loading user details from a user/group and/or role service): HTTP Header, Digest, X.509, Remember Me, J2EE. An HTTP Header filter trusts the header value as-is, so it must only be reachable through a front-end proxy that sets the header itself and strips any copy sent by the client.
• Easy to implement and plug new filters
• Missing: authentication from environment variables (e.g. Shibboleth SSO)
Authentication Providers:
• Used when filters require further authentication of the gathered credentials (no preauthentication can be applied)
• Username/Password (using a user/group service)
• Database through JDBC (uses the credentials to connect to a database; very different from the JDBC user/group service)
• LDAP, with ActiveDirectory support
• Easy to implement and plug new providers
• Providers chain, to allow for different authentication mechanisms (e.g. intranet users from LDAP, internet users from a database)
Extensions:
• CAS (https://www.apereo.org/cas): example of SSO integration
Community modules:
• Authkey: simple UUID-to-user mapper
• Pluggable: possibility to define custom mappers (e.g. web services)
• URLMangler to add the authkey to OGC requests transparently (via GetCapabilities)
• The key is a bearer credential: whoever obtains a URL carrying it acts as the mapped user, so keys should travel only over HTTPS and be revoked like passwords
Real world use cases:
• Shibboleth SSO (using Headers or CGI environment variables)
• Mixing filters/providers: LDAP/AD for internal users, JDBC for external users
Future improvements:
• Clean up and fill holes
• Increase LDAP support (e.g. an LDAP User/Group Service for LDAP read/write support)
• Greater flexibility
• Improve the authkey community module (new web-service-based mappers) and promote it to extension
• New authentication filters (e.g. reading credentials from CGI environment variables)
Authorization
Simple default implementation:
• Permissions assigned only by user role(s)
• Data Access Authorization Rules: per Workspace or Single Layer; Access Mode: Read, Write, Admin
• Services Authorization Rules: per Service (WMS, WFS, …) and Method (GetMap, GetLegendGraphic, …)
Pluggable:
• ResourceAccessManager
• SecureCatalog
• Security Wrapped Catalog Objects (e.g. ReadOnlyDataStore)
ResourceAccessManager:
• Defines AccessLimits for the various Catalog resources (Workspace, Layer, Style, LayerGroup)
• Allows for fine grained limits: read filters, write filters, spatial filters
SecureCatalog:
• Wraps the original Catalog objects with secured implementations, aware of the limits defined by the ResourceAccessManager
• The secured wrappers take care of enforcing the authorization rules, transparently
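The default, role-based implementation described above reads its rules from GeoServer's layers.properties and services.properties files. The following Python model, added here as an example and not GeoServer's own code, evaluates rules written in that real syntax: per-layer, per-workspace and global wildcards for data, service/method keys for services, and the catalog mode that decides whether unauthorized layers are hidden. The sample rule files are constructed for the example; the deny fall-through for a layer file with no applicable rule is this model's conservative choice (GeoServer's shipped file always carries the global rules), and checking `service.method` before `service.*` is likewise an assumption of the model.

```python
"""Added example (not GeoServer's own code): a small model of GeoServer's
default, role-based data and service security, evaluating rules written in
the real layers.properties / services.properties syntax.

The file syntax and the 'most specific rule wins' precedence are GeoServer's;
the evaluation code and the sample files below are constructed here."""
from typing import Dict, List, Set, Tuple

Rules = Dict[str, Set[str]]

# Constructed sample of a layers.properties file. Keys are
# <workspace>.<layer>.<mode> with mode r (read) or w (write), or <workspace>.a
# (workspace admin); '*' stands for any workspace or any layer. Values are
# comma-separated role names, '*' meaning everybody. The catalog 'mode' line
# controls how unauthorized layers are treated (HIDE, MIXED, CHALLENGE).
LAYERS_PROPERTIES = """
mode=HIDE
*.*.r=*
*.*.w=NO_ONE
topp.*.r=ROLE_TOPP_READER
topp.states.r=*
topp.states.w=ROLE_EDITOR
topp.a=ROLE_TOPP_ADMIN
"""

# Constructed sample of a services.properties file: <service>.<method>=roles.
SERVICES_PROPERTIES = """
wfs.Transaction=ROLE_EDITOR
wms.*=*
"""


def parse_properties(text: str) -> Rules:
    """Parse 'key=role1,role2' lines into {key: {roles}}; '#' lines are comments."""
    rules: Rules = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        rules[key.strip()] = {r.strip() for r in value.split(",") if r.strip()}
    return rules


def _granted(allowed: Set[str], roles: Set[str]) -> bool:
    return "*" in allowed or bool(allowed & roles)


def layer_access(rules: Rules, roles: Set[str], workspace: str, layer: str, mode: str) -> bool:
    """Read ('r') / write ('w') access to workspace:layer for a set of roles.

    ROLE_ADMINISTRATOR always passes. Otherwise the most specific rule wins:
    layer rule, then workspace wildcard, then global wildcard. A file with no
    applicable rule at all is treated as deny here (the model's conservative
    choice; GeoServer's shipped layers.properties always carries the global rules).
    """
    if "ROLE_ADMINISTRATOR" in roles:
        return True
    for key in (f"{workspace}.{layer}.{mode}", f"{workspace}.*.{mode}", f"*.*.{mode}"):
        if key in rules:
            return _granted(rules[key], roles)
    return False


def workspace_admin(rules: Rules, roles: Set[str], workspace: str) -> bool:
    """Workspace-level admin access ('<workspace>.a=roles')."""
    if "ROLE_ADMINISTRATOR" in roles:
        return True
    return _granted(rules.get(f"{workspace}.a", set()), roles)


def service_access(rules: Rules, roles: Set[str], service: str, method: str) -> bool:
    """Service/method access. With no matching rule the service is open, which
    matches GeoServer's shipped services.properties (all rules commented out).
    Checking '<service>.<method>' before '<service>.*' is this model's assumption."""
    if "ROLE_ADMINISTRATOR" in roles:
        return True
    for key in (f"{service}.{method}", f"{service}.*"):
        if key in rules:
            return _granted(rules[key], roles)
    return True


def advertised_layers(rules: Rules, roles: Set[str],
                      layers: List[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """What a GetCapabilities response lists: in HIDE and MIXED mode unreadable
    layers are left out; in CHALLENGE mode they stay listed and access is
    challenged on actual use."""
    mode = next(iter(rules.get("mode", {"HIDE"})))
    if mode == "CHALLENGE":
        return list(layers)
    return [(ws, name) for ws, name in layers if layer_access(rules, roles, ws, name, "r")]


if __name__ == "__main__":
    layer_rules = parse_properties(LAYERS_PROPERTIES)
    service_rules = parse_properties(SERVICES_PROPERTIES)
    anon = {"ROLE_ANONYMOUS"}
    print(layer_access(layer_rules, anon, "topp", "states", "r"))          # True
    print(layer_access(layer_rules, anon, "topp", "roads", "r"))           # False
    print(layer_access(layer_rules, {"ROLE_EDITOR"}, "topp", "states", "w"))  # True
    print(service_access(service_rules, anon, "wfs", "Transaction"))       # False
    print(advertised_layers(layer_rules, anon,
                            [("topp", "states"), ("topp", "roads"), ("sf", "roads")]))
```

The point to check when reviewing such a file is the precedence: `topp.states.r=*` opens one layer to everybody even though `topp.*.r` closes the rest of the workspace, and the global `*.*.w=NO_ONE` only bites where no more specific write rule exists.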
Meet GeoFence
GeoFence: extended A&A for GeoServer
• Authentication: optional
• Authorization: integrated with the GeoServer authorization architecture; auth on data (e.g. layers, workspaces) and auth on services (e.g. WMS, WFS)
• Open Source: GPL, code on GitHub
• Based on GSIP 57: mixed Interceptor + Probe approach
• Extended authorization management for GeoServer: external rule-based system, GeoServer internal Probe, on-the-fly manipulation of incoming requests
• Role Based Access Control: users, groups
• Rule-based database, IPTables-like (ordered rules, first match wins)
• Fine grain authorization control: services, operations, workspaces, layers, attributes (alphanumeric and geospatial)
• External web application: REST interface, GUI
• Scalable: 1 GeoFence controls N GeoServer clusters
• Java Enterprise infrastructure: Spring/Spring-Remoting, Hibernate, Apache CXF
• Supported DBMS: PostgreSQL/PostGIS, Oracle Spatial, H2
• Performance ensured thanks to a fine-tunable cache
GeoServer Security Model
• The GeoFence Authentication Provider delegates credential checks to GeoFence
• The GeoFence Resource Access Manager asks the GeoFence authorization engine for permissions
Digging GeoFence
GeoFence Architecture
GeoFence Stack (again…): diagram slide
Modules and packages:
• GUI: core (GUI logic, implemented using GWT), webapp (produces the final web application .war file)
• GeoServer (GeoFence Probe): security, the GeoServer/GeoFence bridge; implements the ResourceAccessManager, forwarding the authorization requests to a remote GeoFence instance
• The GeoFence ResourceAccessManager (GeoFence Probe) is deployed in each GeoServer
• GeoServer instances in a cluster must share the same ClusterID (instance name); GeoFence uses the instance name to select the rules
• The Probe queries GeoFence on each request* with the proper info: instance name, user, request details
• GeoFence provides the Access Policy rules, and the Probe applies them to manipulate the request on the fly
• The GeoFence ResourceAccessManager (GeoFence Probe) uses a cache which minimizes the requests towards GeoFence
• The cache can be configured on different aspects: number of entries, expiration time
• The cache exposes REST operations (using GeoServer's own REST dispatcher) to invalidate the cache and to query the cache statistics
• A rule changed in GeoFence is not enforced by a GeoServer until its cached entry expires or the cache is invalidated, so invalidate after rule changes (or keep the expiration short) where prompt revocation matters
GeoFence Rule System
• Authorizations are expressed as a priority-based rule set
• Rule types are ALLOW/DENY/LIMIT
• The first matching rule is the one that determines the outcome of the auth request
• Incoming authorization requests are transformed into a rule filter
• Filtering can be performed on one or more of these fields:
  • Username
  • Group the provided user belongs to
  • Source GeoServer instance (we can control multiple GeoServer clusters)
  • OGC Service, e.g. WMS
  • OGC Service Operation, e.g. GetCapabilities
  • Workspace, e.g. it.geosolutions
  • Layer name, e.g. topp:states
GeoFence Rule System
Example: let's assume we have configured these rules, in priority order:
• User: u1, Service: WMS, Workspace: W1, ALLOW
• User: u1, DENY
These rules grant user u1 access to all the layers in workspace W1, and only for WMS requests. All other types of request from u1 will be DENIED.
GeoFence Rule System
• When an ALLOW rule is matched, the user will have access to the requested resource
• Finer grain control on single-layer rules: further restrictions may be defined, i.e. only a subset of the data contained in the layer is made queryable/visible to the requesting user:
  • Restrictions on the visible area
  • Restrictions on the queryable attributes
  • Restrictions on the available styles
GeoFence Rule System
Examples: limiting users' access to
• a subset of the attributes (R/W)
• a specific geographic area
• a subset of the available styles (or the default style can be forced on all requests)
• a specific view of the data via a CQL filter, for reading and for writing (delete, create, update)
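To make the rule semantics of the previous slides concrete (the u1/WMS/W1 example, and the per-layer limits on area and attributes), here is a Python model of a priority-ordered ALLOW/DENY/LIMIT rule set. It is an added example and not GeoFence's own code. Field matching over user, group, instance, service, request, workspace and layer and the "first match decides" behaviour follow the slides; two details are this model's assumptions rather than documented facts: rules are evaluated by ascending priority value (0 first), and LIMIT rules do not end evaluation but collect restrictions that are attached to the first subsequent ALLOW. The sample rules and requests are constructed.

```python
"""Added example, not GeoFence's own code: a model of GeoFence's
priority-ordered ALLOW/DENY/LIMIT rule set over the fields listed in the
deck (user, group, instance, service, request, workspace, layer).

Assumptions of this model: rules are evaluated by ascending priority value
(0 first); LIMIT rules do not end evaluation but collect restrictions that
are attached to the first subsequent ALLOW; a DENY, or no match at all,
yields DENY. Sample rules and requests are constructed for the example."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

BBox = Tuple[float, float, float, float]  # minx, miny, maxx, maxy
ANY = None  # an unset rule field matches any request value


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset
    instance: str
    service: str
    request: str
    workspace: Optional[str] = None
    layer: Optional[str] = None


@dataclass(frozen=True)
class Limits:
    """Restrictions a LIMIT rule adds to a later ALLOW (merged by intersection)."""
    area: Optional[BBox] = None
    attributes: Optional[frozenset] = None
    cql_read: Optional[str] = None


@dataclass(frozen=True)
class Rule:
    priority: int
    access: str  # "ALLOW", "DENY" or "LIMIT"
    user: Optional[str] = ANY
    group: Optional[str] = ANY
    instance: Optional[str] = ANY
    service: Optional[str] = ANY
    request: Optional[str] = ANY
    workspace: Optional[str] = ANY
    layer: Optional[str] = ANY
    limits: Optional[Limits] = None

    def matches(self, req: Request) -> bool:
        """Every set field must equal the request's value; unset fields match."""
        return all((
            self.user in (ANY, req.user),
            self.group is ANY or self.group in req.groups,
            self.instance in (ANY, req.instance),
            self.service in (ANY, req.service),
            self.request in (ANY, req.request),
            self.workspace in (ANY, req.workspace),
            self.layer in (ANY, req.layer),
        ))


@dataclass(frozen=True)
class Decision:
    access: str                 # final "ALLOW" or "DENY"
    rule: Optional[Rule]        # deciding rule; None when nothing matched
    limits: Limits = field(default_factory=Limits)


def _intersect_bbox(a: Optional[BBox], b: Optional[BBox]) -> Optional[BBox]:
    if a is None or b is None:
        return a if b is None else b
    box = (max(a[0], b[0]), max(a[1], b[1]), min(a[2], b[2]), min(a[3], b[3]))
    # Disjoint areas leave nothing visible.
    return box if box[0] < box[2] and box[1] < box[3] else (0.0, 0.0, 0.0, 0.0)


def _merge(a: Limits, b: Limits) -> Limits:
    """Intersect two sets of limits: smaller area, fewer attributes, ANDed CQL."""
    attrs = b.attributes if a.attributes is None else (
        a.attributes if b.attributes is None else a.attributes & b.attributes)
    cql = b.cql_read if a.cql_read is None else (
        a.cql_read if b.cql_read is None else f"({a.cql_read}) AND ({b.cql_read})")
    return Limits(_intersect_bbox(a.area, b.area), attrs, cql)


def evaluate(rules: List[Rule], req: Request) -> Decision:
    collected = Limits()
    for rule in sorted(rules, key=lambda r: r.priority):
        if not rule.matches(req):
            continue
        if rule.access == "LIMIT":
            collected = _merge(collected, rule.limits or Limits())
            continue
        if rule.access == "ALLOW":
            return Decision("ALLOW", rule, collected)
        return Decision("DENY", rule)          # DENY: collected limits are moot
    return Decision("DENY", None)              # no matching rule: default deny


# Constructed rule set: the deck's two-rule example for u1, plus a LIMIT for the
# "regional" group that restricts the states layer to an area and two attributes.
SAMPLE_RULES = [
    Rule(0, "LIMIT", group="regional", layer="states",
         limits=Limits(area=(-100.0, 30.0, -80.0, 45.0),
                       attributes=frozenset({"STATE_NAME", "PERSONS"}))),
    Rule(1, "ALLOW", user="u1", service="WMS", workspace="W1"),
    Rule(2, "DENY", user="u1"),
    Rule(3, "ALLOW", group="regional", service="WMS"),
]


def decide(user, groups, service, request, workspace=None, layer=None,
           instance="default-gs", rules=SAMPLE_RULES) -> Decision:
    return evaluate(rules, Request(user, frozenset(groups), instance,
                                   service, request, workspace, layer))


if __name__ == "__main__":
    print(decide("u1", [], "WMS", "GetMap", "W1", "states").access)      # ALLOW
    print(decide("u1", [], "WFS", "GetFeature", "W1", "states").access)  # DENY
    d = decide("u2", ["regional"], "WMS", "GetMap", "W1", "states")
    print(d.access, d.limits.area, sorted(d.limits.attributes))
```

Two behaviours worth noticing when writing real rule sets: a LIMIT that is never followed by a matching ALLOW grants nothing (the model falls through to the default DENY), and the position of a broad DENY decides whether more specific ALLOW rules below it are ever reached, which is why the REST API's control over rule priority matters.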
GeoFence REST Interface
• GeoFence provides a REST interface for administration: allows automation!
• It allows complete CRUD access to the various entities managed by GeoFence: users and groups, GeoServer instances, rules
• Since this interface creates, changes and deletes the rules GeoServer enforces, it must itself be reachable only by administrators
• The Find operation can optionally be paged; a Count operation is provided as well, to take advantage of the pagination capability
• Priority ordering of rules is fundamental: there are different ways to insert a new rule and set its position
https://github.com/geosolutions-it/geofence/wiki/REST-API
GeoFence REST Interface
• The REST interface also provides a batch mode: multiple CRUD commands can be issued at once, and the commands in the batch are processed in the same transaction (extremely important for automation!)
• Backup and restore operations are provided as part of the REST interface as well
• REST API documentation available at https://github.com/geosolutions-it/geofence/wiki/REST-API
GeoFence User Interface
Top categories: Users, Groups, Instances, Rules
(screenshots: the Users, Groups and Instances panels; the Rules list and the rule Details panel)
GeoFence and LDAP
• An LDAP server can be used as a repository for users and groups, by including the optional ldap module in the deployment
• LDAP can be configured through the datasource properties file
• When using LDAP, users and groups are not editable from the GeoFence interface (they are READ-ONLY)
• When LDAP is enabled, specific DAOs are used for users and groups instead of the default ones
• LDAP module documentation at https://github.com/geosolutions-it/geofence/wiki/LDAP-module
GeoFence and Existing Auth Proxies
(diagram: an External Auth Source supplies Users and Groups, the GeoFence DB holds the rules; both sit behind the GeoFence Persistence layer, with UserDAO/UserDAOLDAP, GroupDAO/GroupDAOLDAP and RuleDAO)
GeoFence Use Cases
SIAN
(architecture diagram: GeoFence, MapManager, GeoStore, GeoServer, MapStore, JMX Agents, GeoGraphic Building Block)
Astrium GetGeo
• Layers filtered (CQL filters) by user profile to constrain access to advanced functionality
• Possibility of spatial filters to allow regional access only
Destination
GeoFence Status
• Project released as Open Source
• Continuous build is in place
• Dev and Users mailing lists are in place
Latest improvements:
• IP based filter rules
• Catalog Mode support
• GeoServer community module for the probe
• Probe Wicket configuration page
Further improvements:
• Documentation
• Official releases
• UI refactor (based on the REST APIs)