Advanced Security With GeoServer

Ing. Mauro Bartolomeoli, GeoSolutions
Ing. Emanuele Tajariol, GeoSolutions
Ing. Simone Giannecchini, GeoSolutions
Ing. Alessio Fabiani, GeoSolutions

FOSS4G 2014, Portland, 10th September 2014

Upload: geosolutions

Post on 26-Jun-2015

DESCRIPTION

The presentation will provide an introduction to GeoServer's own authentication and authorization subsystems. We'll cover the supported authentication protocols, such as basic/digest authentication and CAS support, check through the various identity providers, such as local config files, database tables and LDAP servers, and show how it's possible to combine the various bits in a single comprehensive authentication tool, as well as providing examples of custom authentication plugins for GeoServer, integrating it in a home grown security architecture. We'll then move on to authorization, describing the GeoServer pluggable authorization mechanism and comparing it with proxy based solutions, and check the built-in service and data security system, reviewing its benefits and limitations. Finally we'll explore an advanced authentication tool called GeoFence, and see how it can plug into GeoServer to provide graphical configuration abilities for complex authorization rules over data and OGC services, taking into account spatial filters, attribute filters, attribute hiding as well as cropping raster data to areas of interest. Finally we'll show how, using LDAP, both GeoFence and GeoServer can use a common users database, simplifying the administrator's job, and provide some real world examples.

TRANSCRIPT

Page 1: Advanced Security With GeoServer

Advanced Security With GeoServer

Ing. Mauro Bartolomeoli, GeoSolutions
Ing. Emanuele Tajariol, GeoSolutions
Ing. Simone Giannecchini, GeoSolutions
Ing. Alessio Fabiani, GeoSolutions

FOSS4G 2014, Portland, 10th September 2014

Page 2: Advanced Security With GeoServer

GeoSolutions

Founded in Italy in late 2006

Expertise

• Image Processing, GeoSpatial Data Fusion

• Java, Java Enterprise, C++, Python

• JPEG2000, JPIP, Advanced 2D visualization

Supporting/Developing FOSS4G projects: GeoServer, MapStore, GeoBatch, GeoNetwork

Clients: Public Agencies, Private Companies

http://www.geo-solutions.it

Page 3: Advanced Security With GeoServer

GeoServer Security Subsystem Overview

Page 4: Advanced Security With GeoServer

GeoServer Security Subsystem Overview

GeoServer security handles:
• Authentication (filtering and credential checks)
• Authorization (resource access managers)

Page 5: Advanced Security With GeoServer

GeoServer Security Subsystem Overview

• Based on Spring Security
• Users / Groups / Roles
  • User/group services
  • Role services
• Authentication
  • Chains
  • Filters
  • Providers
• Authorization
  • Auth on data: e.g. layers, workspaces
  • Auth on services: e.g. WMS, WFS
  • By role

Page 6: Advanced Security With GeoServer

Users / Groups / Roles Storage

Page 7: Advanced Security With GeoServer

Users / Groups / Roles Storage

User/Group service
• Storage for users and groups details
• Storage for user credentials (e.g. passwords)
• Password encryption handling
• Read/Write or Read-only
• Default implementations
  • XML files
  • Database through JDBC
• Easy to implement and plug new services
• Used by many filters/providers as a source for authenticated users detail
• Missing: Read/Write LDAP User/Group service

Page 8: Advanced Security With GeoServer

Users / Groups / Roles Storage

Role service
• Storage for roles
• Read/Write or Read-only
• Assign roles to users and/or groups
• Default implementations
  • XML files
  • Database through JDBC
  • J2EE (from the Java Web Container)
  • LDAP
• Easy to implement and plug new services
• Active (Default) Role service
• Used by many filters/providers as a source for authenticated users roles

Page 9: Advanced Security With GeoServer

Authentication

Page 10: Advanced Security With GeoServer

Authentication

Filter Chains
• By «request url» pattern matching
  • Web UI
  • OGC Services
  • REST API
  • …
• By Method: GET, POST, …
• HTTP Session handling
• Each chain applies a sequence of configured Filters to matching requests
• Only SSL flag

Page 11: Advanced Security With GeoServer

Authentication

Filters
• Gathering user credentials (and eventually invoking authentication providers chain)
  • Basic
  • Form
  • Anonymous (always the last)
• Preauthentication (and eventually load user details from user/group and/or role service)
  • HTTP Header
  • Digest
  • X.509
  • Remember Me
  • J2EE
• Easy to implement and plug new filters
• Missing: authenticate from environment variables (e.g. Shibboleth SSO)

Page 12: Advanced Security With GeoServer

Authentication

Authentication Providers
• Used if filters require further authentication of gathered credentials (no preauthentication can be applied)
  • Username Password (using user/group service)
  • Database through JDBC (uses credentials to connect to a database, very different from the JDBC user/group service)
  • LDAP, with ActiveDirectory support
• Easy to implement and plug new providers
• Providers chain, to allow for different authentication mechanisms (e.g. intranet users from LDAP, internet users from db)

Page 13: Advanced Security With GeoServer

Authentication

Extensions
• CAS (https://www.apereo.org/cas): example of SSO integration

Community modules
• Authkey: simple UUID to user mapper
  • Pluggable: possibility to define custom mappers (e.g. webservices)
  • URLMangler to add authkey to OGC request transparently (via GetCapabilities)

Real World Use Cases
• Shibboleth SSO (using Headers or CGI environment variables)
• Mixing filters/providers: LDAP/AD for internal users, jdbc for external users

Page 14: Advanced Security With GeoServer

Authentication

Future improvements
• Clean up and filling holes
• Increase LDAP support (e.g. LDAP User/Group Service for LDAP read-write support)
• Greater flexibility
• Improve authkey community module (new webservice based mappers) and promote to extension
• New authentication filters (e.g. reading credentials from CGI environment variables)

Page 15: Advanced Security With GeoServer

Authorization

Page 16: Advanced Security With GeoServer

Authorization

• Simple default implementation
• Permissions assigned only by user role(s)
• Data Access Authorization Rules
  • Workspace
  • Single Layer
  • Access Mode: Read, Write, Admin
• Services Authorization Rules
  • Service (WMS, WFS, …)
  • Method (GetMap, GetLegendGraphic, …)
• Pluggable
  • ResourceAccessManager
  • SecureCatalog
  • Security Wrapped Catalog Objects (e.g. ReadOnlyDataStore)

Page 17: Advanced Security With GeoServer

Authorization

ResourceAccessManager
• Define AccessLimits for the various Catalog Resources (Workspace, Layer, Style, LayerGroup)
• Allows for fine grained limits
  • Read filters
  • Write filters
  • Spatial filters

SecureCatalog
• Wraps original Catalog objects with secured implementations, aware of ResourceAccessManager defined limits
• Secured wrappers take care of enforcing authorization rules, transparently

Page 18: Advanced Security With GeoServer

Meet GeoFence

Page 19: Advanced Security With GeoServer

GeoFence

Extended A&A for GeoServer
• Authentication
  • Optional
• Integrated with GeoServer authorization architecture
• Open Source
  • GPL
  • Code on GitHub
• Authorization
  • Auth on data: e.g. layers, workspaces
  • Auth on services: e.g. WMS, WFS

Page 20: Advanced Security With GeoServer

GeoFence

• Based on GSIP 57
• Mixed Interceptor + Probe approach
• Extended authorization management for GeoServer
• External Rule-Based System
• GeoServer Internal Probe
• On-the-fly manipulation of incoming requests
• Role Based Access Control
  • Users
  • Groups
• Rule-based database
  • IPTables-like

Page 21: Advanced Security With GeoServer

GeoFence

• Fine Grain Authorization Control
  • Services
  • Operations
  • Workspaces
  • Layers
  • Attributes (alphanumeric and geospatial)
• External Web Application
  • REST Interface
  • GUI
• Scalable
  • 1 GeoFence controls N GeoServer cluster

Page 22: Advanced Security With GeoServer

GeoFence

• Java Enterprise infrastructure
  • Spring/Spring-Remoting
  • Hibernate
  • Apache CXF
• Supports DBMS
  • PostgreSQL/PostGIS
  • Oracle spatial
  • H2
• Performance ensured thanks to a fine-tunable cache

Page 23: Advanced Security With GeoServer

GeoServer Security Model

Page 24: Advanced Security With GeoServer

GeoServer Security Model

The GeoFence Authentication provider delegates credential checks to GeoFence

The GeoFence Resource Access Manager asks the GeoFence authorization engine for permissions

Page 25: Advanced Security With GeoServer

GeoServer Security Model

Page 26: Advanced Security With GeoServer

Digging GeoFence

Page 27: Advanced Security With GeoServer

GeoFence Architecture

Geofence Stack (again…)

Page 28: Advanced Security With GeoServer

GeoFence Architecture

Modules and packages
• GUI
  • core: GUI logic, implemented using GWT
  • webapp: produces the final web application .war file
• GeoServer (GeoFence Probe)
  • security: the GeoServer/GeoFence bridge: implements the ResourceAccessManager, forwarding the authorization requests to a remote GeoFence instance

Page 29: Advanced Security With GeoServer

GeoFence Architecture

• The GeoFence ResourceAccessManager (GeoFence Probe) is deployed in each GeoServer
• GeoServer instances in a cluster must share the same ClusterID (instance name)
• GeoFence uses the instance name to select rules
• The Probe queries GeoFence on each request* with proper info
  • Instance name
  • User
  • Request Details
• GeoFence provides Access Policy rules to manipulate the request on the fly within the Probe

Page 30: Advanced Security With GeoServer

GeoFence Architecture

The GeoFence ResourceAccessManager (Geofence Probe) uses a cache which minimizes the requests toward GeoFence.

The cache can be configured on different aspects: number of entries, expiration time

The cache provides REST operations (using GeoServer's own REST dispatcher) in order to:
• Invalidate the cache
• Query the cache statistics

Page 31: Advanced Security With GeoServer

GeoFence Rule System

• Authorizations are expressed as a priority-based rule set
  • Types of rules are ALLOW/DENY/LIMIT
  • The first matching rule is the one that determines the outcome of the auth request
• Incoming authorization requests are transformed into a rule filter
• Filtering can be performed on one or more of these fields:
  • Username
  • Group the provided user belongs to

Page 32: Advanced Security With GeoServer

GeoFence Rule System

• Source GeoServer instance: we can control multiple GeoServer clusters
• OGC Service, e.g. WMS
• OGC Service Operation, e.g. GetCapabilities
• Workspace, e.g. it.geosolutions
• Layer name, e.g. topp:states

Page 33: Advanced Security With GeoServer

GeoFence Rule System

Example

Let's assume we have configured these rules:
• User: u1, Service: WMS, Workspace: W1, ALLOW
• User: u1, DENY

These rules will grant access for user u1 to all the layers in workspace W1 only for WMS requests.

All other types of request will be DENIED.

Page 34: Advanced Security With GeoServer

GeoFence Rule System

When an ALLOW rule is matched, the user will have access to the requested resource.

Finer Grain Control
• On single layer rules further restrictions may be defined, i.e. only a subset of the data contained in the layer could be made queryable/visible to the requesting user
  • Restrictions on visible Area
  • Restrictions on Queryable Attributes
  • Restrictions on Available Styles

Page 35: Advanced Security With GeoServer

GeoFence Rule System

Examples

Limiting users' access to:
• a subset of the attributes (R/W)
• a specific geographic area
• a subset of the available styles (or the default style can be forced on all requests)
• a specific view of the data via a CQL filter
  • For reading
  • For writing (delete, create, update)

Page 36: Advanced Security With GeoServer

GeoFence Rule System

Page 37: Advanced Security With GeoServer

GeoFence REST Interface

• GeoFence provides a REST interface for administration
  • Allows automation!
• It allows complete CRUD access to the various entities managed by GeoFence:
  • Users and groups
  • GeoServer instances
  • Rules
• The Find operation can be optionally paged
  • a Count operation is provided as well to take advantage of the pagination capability
• Priority ordering in rules is fundamental
  • there are different ways to insert and set a position for the new rules

https://github.com/geosolutions-it/geofence/wiki/REST-API

Page 38: Advanced Security With GeoServer

GeoFence REST Interface

• The REST interface also provides a batch mode
  • multiple CRUD commands can be issued at once
  • The commands in the batch are processed in the same transaction
  • Extremely important for automation!
• Backup and restore operations are provided as part of the REST interface as well
• REST API documentation available at https://github.com/geosolutions-it/geofence/wiki/REST-API

Page 39: Advanced Security With GeoServer

GeoFence User Interface

Top Categories: Users, Groups, Instances, Rules

Page 40: Advanced Security With GeoServer

GeoFence User Interface

[Screenshot panels: Users, Groups, Instances]

Page 41: Advanced Security With GeoServer

GeoFence User Interface

[Screenshot panels: Rules, Details]

Page 42: Advanced Security With GeoServer

GeoFence and LDAP

An LDAP server can be used as a repository for users and groups, by including the optional ldap module in the deployment

LDAP can be configured through the datasource properties file

When using LDAP, users and groups are not editable from the GeoFence interface (they are READ-ONLY)

LDAP module documentation at https://github.com/geosolutions-it/geofence/wiki/LDAP-module

Page 43: Advanced Security With GeoServer

When LDAP is enabled, specific DAOs are used for users and groups instead of the default ones

GeoFence and Existing Auth Proxies

[Diagram labels: External Auth Source, Users, Groups, GeoFence DB, GeoFence, Persistence, UserDAOLDAP, UserDAO, GroupDAOLDAP, GroupDAO, RuleDAO]

Page 44: Advanced Security With GeoServer

GeoFence Use Cases

SIAN

Page 45: Advanced Security With GeoServer

GeoFence Use Cases

[Diagram labels: GeoFence, MapManager, GeoStore, GeoServer, GeoFence, MapStore, JMX Agents, GeoGraphic Building Block]

Page 46: Advanced Security With GeoServer

GeoFence Use Cases

Astrium GetGeo

Page 47: Advanced Security With GeoServer

GeoFence Use Cases

Layers filtered (CQL filters) by user profile to constrain access to advanced functionality

Possibility of spatial filters to allow regional access only

Destination

Page 48: Advanced Security With GeoServer

GeoFence Status

• Project Released as Open Source
• Continuous Build is in place
• Dev and Users Mailing Lists are in place
• Latest Improvements
  • IP based filter rules
  • Catalog Mode support
  • GeoServer community module for the probe
  • Probe Wicket Configuration Page
• Further Improvements
  • Documentation
  • Official Releases
  • UI Refactor (based on REST APIs)

Page 49: Advanced Security With GeoServer

The End

Thanks for not sleeping (loudly)
