Mastering Security with GeoServer and GeoFence

Ing. Mauro BartolomeoliIng. Emanuele Tajariol

Ing. Simone GiannecchiniGeoSolutions

GeoSolutions Founded in Italy in late 2006 Expertise

• Image Processing, GeoSpatial Data Fusion• Java, Java Enterprise, C++, Python• JPEG2000, JPIP, Advanced 2D visualization

Supporting/Developing FOSS4G projects GeoServer, MapStore GeoNetwork, GeoNode, Ckan

Clients Public Agencies Private Companies

http://www.geo-solutions.itFOSS4G 2016, Bonn

22nd - 26th August 2016

Overview GeoServer security handles

Authentication (filtering and credential checks) Authorization (resource access managers)

FOSS4G 2016, Bonn22nd - 26th August 2016

Authentication

FOSS4G 2016, Bonn22nd - 26th August 2016

The filter chains Different chains for different URL groups Each chain authenticates in a different way by

composigin different filters

FOSS4G 2016, Bonn22nd - 26th August 2016

UI chain, with form, HTTP session (creation allowed), and remember me services

OGC one, lighter, will use session if available, no creation

Different usage, different chain

FOSS4G 2016, Bonn22nd - 26th August 2016

Available auth filters Gathering user credentials (and eventually invoking

authentication providers chain) Basic Form Digest Anonymous (always the last)

Preauthentication (and eventually load user details from user/group and/or role service)

Session HTTP Header X.509 Remember Me J2EE

Easy to implement and plug new filters Missing: authenticate from environment variables (e.g. Shibboleth SSO)

FOSS4G 2016, Bonn22nd - 26th August 2016

Authentication providers Given credentials pulled from the filters, who

is the user?

Search in user/group database

Auth as aLDAP user

Auth as aDBMS user

XML DBMS tables

Authenticationproviders

User/Groupservice

Pluggable

FOSS4G 2016, Bonn22nd - 26th August 2016

Role providers Given the user, what are her roles in

GeoServer? Fundamental, authorization is role based

Extensible, new providers can be built

LDAP DBMS XMLDBMS tables

FOSS4G 2016, Bonn22nd - 26th August 2016

Extensions CAS (https://www.apereo.org/cas): Single Sign On

integration

Authkey: simple UUID to user mapper Simple key in the URL (must use HTTPS) Allows authentication unware clients to participate Pluggable: possibility to define custom mappers (e.g.

webservices) URLMangler to add authkey to OGC request transparently (via

GetCapabilities)

FOSS4G 2016, Bonn22nd - 26th August 2016

Authorization

FOSS4G 2016, Bonn22nd - 26th August 2016

Authorization Given the user and her roles Can the current «action» on the current «resource»

be allowed?

Action: Generic read/write Specific OGC service/method call

Resource Workspace Layer Layer Group Style

FOSS4G 2016, Bonn22nd - 26th August 2016

ResourceAccessManager Pluggable interface, multiple implementations Define AccessLimits for the various Catalog

Resources (Workspace, Layer, Style, LayerGroup) Can access the current request

(service/method/details) Allows for fine grained limits

Attributes visible Read filters (which features can be read) Write filters (which features can be written)

Filters: Alphanumeric Temporal Spatial

FOSS4G 2016, Bonn22nd - 26th August 2016

Implementations Default security subsystem

Simple per workspace/layer authentication

GeoFence External application (*) Full use of ResourceAccessManager abilities

Other custom implementations Integrate with existing in-house authorization

mechanism Quite popular in large enterprise setup

FOSS4G 2016, Bonn22nd - 26th August 2016

GeoFence

FOSS4G 2016, Bonn22nd - 26th August 2016

GeoFence Extended A&A for GeoServer Optional Authentication, Sophisticated

authorization Open Source, GPL

https://github.com/geoserver/geofence

FOSS4G 2016, Bonn22nd - 26th August 2016

Structure

FOSS4G 2016, Bonn22nd - 26th August 2016

Stand alone User interface

FOSS4G 2016, Bonn22nd - 26th August 2016

User management

FOSS4G 2016, Bonn22nd - 26th August 2016

GeoFence rules Authorizations are expressed as a

priority-based rule set: Type of Rules are ALLOW/DENY/LIMIT The first matching rule is the one that determines

the outcome of the auth request

FOSS4G 2016, Bonn22nd - 26th August 2016

GeoFence rules matching Rules are matched based on:

Username Group the provided user belongs to GeoServer Instance (single GeoFence multiple

GS clusters) OGC Service (e.g., WMS) OGC Service Operation (e.g., GetFeatureInfo) Workspace (E.g. it.geosolutions) Layer name (E.g. topp:states)

FOSS4G 2016, Bonn22nd - 26th August 2016

Example

Example Let’s assume we have configured these rules :

User:u1, Service:WMS, Workspace:W1, ALLOW User:u1, DENY

These rules will grant access for user u1 to all the layers in worspace W1 only for WMS requests

All other types of requests will be DENIED.

FOSS4G 2016, Bonn22nd - 26th August 2016

Restrictions (LIMIT rules) When an ALLOW rule is matched, the user will

have access to the requested resource: Restrictions on available area Restrictions on alphanumeric conditions

FOSS4G 2016, Bonn22nd - 26th August 2016

Restrictions (LIMIT rules) Restrictions on available attributes

FOSS4G 2016, Bonn22nd - 26th August 2016

Stand-alone GeoFence Geofence Probe

(ResourceAccessManager)calls stand-alone GeoFence REST services

A cache is setup to minimize network traffic

A cache can be configured on different aspects: number of entries, expiration time

The cache provides REST operations (using GeoServer’s own REST dispatcher) in order to

Invalidate the cache Query the cache statistics

FOSS4G 2016, Bonn22nd - 26th August 2016

GeoFence REST API REST interface for administration automation Complete CRUD access to the various entities

managed by GeoFence: Users and groups GeoServer instances Rules

Paging support Priority ordering in rules is fundamental: different ways

to insert and set a position for the new rules Batch mode, backup and restore available See details at:

https://github.com/geosolutions-it/geofence/wiki/REST-API

FOSS4G 2016, Bonn22nd - 26th August 2016

GeoFence direct integration

FOSS4G 2016, Bonn22nd - 26th August 2016

GeoFence integration Simple setups demand simple solution Have GeoFence run inside GeoServer Integration similar to GWC one, runs like a plugin

GeoServer GeoWebCache

GeoFence

Rules DB

FOSS4G 2016, Bonn22nd - 26th August 2016

Baby steps Born as a more future-proof alternative to improving

the internal security subsystem

Community module, available via nightly builds

Delivers a subset of the full functionality: access/deny/limit based on mix of roles/user/layer/workspace/service/request

Integrated UI

FOSS4G 2016, Bonn22nd - 26th August 2016

General Configuration

FOSS4G 2016, Bonn22nd - 26th August 2016

General Configuration (continued)

FOSS4G 2016, Bonn22nd - 26th August 2016

Creating rules

FOSS4G 2016, Bonn22nd - 26th August 2016

Rules list

FOSS4G 2016, Bonn22nd - 26th August 2016

Example 1

FOSS4G 2016, Bonn22nd - 26th August 2016

Example 1 – layer preview

FOSS4G 2016, Bonn22nd - 26th August 2016

Example 2

FOSS4G 2016, Bonn22nd - 26th August 2016

Example 2 – layer preview

FOSS4G 2016, Bonn22nd - 26th August 2016

TODO Allow to edit LIMIT rules

Force default style Limit attributes Filter contents

Control writes at the rule level

Better/Easier way to re-order rules between pages (drag and drop can be used on the same page)

Migrate old security system rules to GeoFence as possible

FOSS4G 2016, Bonn22nd - 26th August 2016

That’s all folks!

Questions?info@geo-solutions.it

FOSS4G 2016, Bonn22nd - 26th August 2016