Advanced Security With GeoServer

Advanced Security With GeoServer
Ing. Mauro Bartolomeoli, GeoSolutions
Ing. Emanuele Tajariol, GeoSolutions
Ing. Simone Giannecchini, GeoSolutions
Ing. Alessio Fabiani, GeoSolutions
FOSS4G 2014, Portland
10th September 2014

GeoSolutions
 Founded in Italy in late 2006
 Expertise
• Image Processing, GeoSpatial Data Fusion
• Java, Java Enterprise, C++, Python
• JPEG2000, JPIP, Advanced 2D visualization
 Supporting/Developing FOSS4G projects
 GeoServer, MapStore
 GeoBatch, GeoNetwork
 Clients
 Public Agencies
 Private Companies
 http://www.geo-solutions.it
10th September 2014

GeoServer Security Subsystem Overview
10th September 2014

 GeoServer security handles
 Authentication (filtering and credential checks)
 Authorization (resource access managers)
10th September 2014

 Based on Spring Security
 Users / Groups / Roles
 User/group services
 Role services
 Authentication
 Chains
 Filters
 Providers
 Authorization
 Auth on data: e.g. layers, workspaces
 Auth on services: e.g. WMS, WFS
 By role
10th September 2014

Users / Groups / Roles Storage
10th September 2014

 User/Group service
 Storage for users and groups details
 Storage for user credentials (e.g. passwords)
 Password encryption handling
 Read/Write or Read-only
 Default implementations
 XML files
 Database through JDBC
 Easy to implement and plug new services
 Used by many filters/providers as a source for
authenticated users detail
 Missing: Read/Write LDAP User/Group service
10th September 2014

 Role service
 Storage for roles
 Read/Write or Read-only
 Assign roles to users and or groups
 Default implementations
 XML files
 Database through JDBC
 J2EE (from the Java Web Container)
 LDAP
 Easy to implement and plug new services
 Active (Default) Role service
 Used by many filters/providers as a source for
authenticated users roles
10th September 2014

Authentication
10th September 2014

Authentication
 Filter Chains
 By «request url» pattern matching
 Web UI
 OGC Services
 REST API
 …
 By Method: GET, POST, …
 HTTP Session handling
 Each chain applies a sequence of configured Filters to
matching requests
 Only SSL flag
10th September 2014

Authentication
 Filters
 Gathering user credentials (and eventually invoking
authentication providers chain)
 Basic
 Form
 Anonymous (always the last)
 Preauthentication (and eventually load user details from
user/group and/or role service)
 HTTP Header
 Digest
 X.509
 Remember Me
 J2EE
 Easy to implement and plug new filters
 Missing: authenticate from environment variables (e.g. Shibboleth SSO)
10th September 2014

Authentication
 Authentication Providers
 Used if filters require further authentication of
gathered credentials (no preauthentication can be
applied)
 Username Password (using user/group service)
 Database through JDBC (uses credentials to connect to a database,
very different from the JDBC user/group service)
 LDAP
 with ActiveDirectory support
 Easy to implement and plug new providers
 Providers chain, to allow for different authentication
mechanisms (e.g intranet users from LDAP, internet
users from db)
10th September 2014

Authentication
 Extensions
 CAS (https://www.apereo.org/cas): example of SSO
integration
 Community modules
 Authkey: simple UUID to user mapper
 Pluggable: possibility to define custom mappers (e.g. webservices)
 URLMangler to add authkey to OGC request transparently (via
GetCapabilities)
 Real World Use Cases
 Shibboleth SSO (using Headers or CGI environment
variables)
 Mixing filters/providers: LDAP/AD for internal users,
jdbc for external users
10th September 2014

Authentication
 Future improvements
 Clean up and filling holes
 Increase LDAP support (e.g. LDAP User/Group
Service for LDAP read-write support)
 Greater flexibility
 Improve authkey community module (new webservice
based mappers) and promote to extension
 New authentication filters (e.g. reading credentials
from CGI environment variables)
10th September 2014

Authorization
10th September 2014

Authorization
 Simple default implementation
 Permissions assigned only by user role(s)
 Data Access Authorization Rules
 Workspace
 Single Layer
 Access Mode: Read, Write, Admin
 Services Authorization Rules
 Service (WMS, WFS, …)
 Method (GetMap, GetLegendGraphic, …)
 Pluggable ResourceAccessManager
 SecureCatalog
 Security Wrapped Catalog Objects (e.g. ReadOnlyDataStore)
10th September 2014

Authorization
 ResourceAccessManager
 Define AccessLimits for the various Catalog Resources
(Workspace, Layer, Style, LayerGroup)
 Allows for fine grained limits
 Read filters
 Write filters
 Spatial filters
 SecureCatalog
 Wraps original Catalog objects with secured implementations,
aware of ResourceAccessManager defined limits
 Secured wrappers take care of enforcing authorization rules,
transparently
10th September 2014

Meet GeoFence
10th September 2014

GeoFence
 Extended A&A for GeoServer
 Authentication
 Optional
 Integrated with GeoServer authorization
architecture
 Open Source
 GPL
 Code on GitHub
 Authorization
 Auth on data: e.g. layers, workspaces
 Auth on services: e.g. WMS, WFS
10th September 2014

GeoFence
 Based on GSIP 57
 Mixed Interceptor + Probe approach
 Extended authorization management for GeoServer
 External Rule-Based System
 GeoServer Internal Probe
 On-the-fly manipulation of incoming requests
 Role Based Access Control
 Users
 Groups
 Rule-based database
 IPTables-like
10th September 2014

GeoFence
 Fine Grain Authorization Control
 Services
 Operations
 Workspaces
 Layers
 Attributes (alphanumeric and geospatial)
 External Web Application
 REST Interface
 GUI
 Scalable
 1 GeoFence controls N GeoServer cluster
10th September 2014

GeoFence
 Java Enterprise infrastructure
 Spring/Spring-Remoting
 Hibernate
 Apache CXF
 Supports DBMS
 PostgreSQL/PostGIS
 Oracle spatial
 H2
 Performance ensured thanks to
a fine-tunable cache
10th September 2014

GeoServer Security Model
10th September 2014

GeoServer Security Model
 The GeoFence Authentication provider delegates
credential checks to GeoFence
 The GeoFence Resource Access Manager asks for
permissions to the GeoFence authorization engine
10th September 2014

Digging GeoFence
10th September 2014

GeoFence Architecture
 Geofence Stack (again…)
10th September 2014

Modules and
packages
 GUI
 core: GUI logic, implemented using GWT
 webapp: produces the final web application .war file
 Geoserver (GeoFence Probe)
 security: the GeoServer/GeoFence bridge: implements
the ResourceAccessManager, forwarding the
authorization requests to a remote GeoFence
instance
10th September 2014

 The GeoFence ResourceAccessManager
(Geofence Probe) is deployed in each GeoServer
 GeoServer instances in a cluster must share the same
ClusterID (instance name)
 GeoFence uses the instance name to select rules
 The Probe queries GeoFence on each
request* with proper info
 Instance name
 User
 Request Details
 GeoFence provide Access Policy rules to
manipulate the request on the fly within
the Probe
10th September 2014

 The GeoFence ResourceAccessManager
(Geofence Probe) uses a cache which
minimizes the requests toward
GeoFence.
 The cache can be configured on
different aspects:
 number of entries,
 expiration time
 The cache provides REST operations
(using GeoServer’s own REST
dispatcher) in order to
 Invalidate the cache
 Query the cache statistics
10th September 2014

GeoFence Rule System
 Authorizations are expressed as a
priority-based rule set
 Type of Rules are ALLOW/DENY/LIMIT
 The first matching rule is the one that determines the
outcome of the auth request
 Incoming authorization requests are transformed
in a rule filter
 Filtering can be performed on one or more of
these fields:
 Username
 Group the provided user belongs to
10th September 2014

 Source geoserver instance
 We can control multiple GeoServer clusters
 OGC Service
 E.g. WMS
 OGC Service Operation
 E.g. GetCapabilities
 Workspace
 E.g. it.geosolutions
 Layer name
 E.g. topp:states
10th September 2014

Example
 Let’s assume we have configured these rules :
 User: u1, Service:WMS, Workspace=W1,ALLOW
 User: u1, DENY
 These rules will grant access for user u1 to
 all the layers in worspace W1
 only for WMS request
 All other types of request will be DENIED.
10th September 2014

 When an ALLOW rule is matched, the user will
have access to the requested resource.
 Finer Grain Control on single layer rules
 further restrictions may be defined
 i.e only a subset of the data contained in the
layer could be made queryeable/visibile to the
requesting user
  Restrictions on visible Area
  Restrictions on Queryable Attributes
  Restrictions on Available Styles
10th September 2014

 Examples
 Limiting users access to
 a subset of the attributes (R/W)
 a specific geographic area.
 a subset of the available styles (or the default style
can be forced on all requests)
 A specific view of the data via a CQL filter
 For reading
 For writing (delete, create, update)
10th September 2014

10th September 2014

GeoFence REST Interface
 GeoFence provides a REST interface for administration
 Allows automation!
 It allows a complete CRUD access to the various entities
managed by GeoFence:
 Users and groups
 GeoServer instances
 Rules
 The Find operation can be optionally paged
 a Count operation is provided as well to take
advantage of the pagination capability.
 Priority ordering in rules is fundamental
  there are different ways to insert and set a position
for the new rules.
 https://github.com/geosolutions-it/geofence/wiki/REST-API
10th September 2014

GeoFence REST Interface
 The REST interface also provides a batch mode
 multiple CRUD commands can be issued at once
 The commands in the batch are processed in the
same transaction
 Extremely important for automation!
 Backup and restore operations are provided as part of the
REST interface as well
 REST API documentation available at
https://github.com/geosolutions-it/geofence/wiki/REST-API
10th September 2014

GeoFence User Interface
 Top Categories
 Users
 Groups
 Instances
 Rules
10th September 2014

Users
10th September 2014
Groups
Instances

Rules
10th September 2014
Details
Details

GeoFence and LDAP
 An LDAP server can be used as a repository for user and
groups, including the optional ldap module in the deploy
 LDAP can be configured through the datasource
properties file
 When using LDAP users and groups are not editable from
the GeoFence interface (they are READ-ONLY)
 LDAP module documentation at
https://github.com/geosolutions-it/geofence/wiki/LDAP-module
10th September 2014

GeoFence and Existing Auth Proxies
External Auth Source
LDAP UserDAO LDAP GroupDAO UserDAO GroupDAO RuleDAO
Persistence
 When LDAP is enabled, specific DAOs are used for users
and groups instead of the default ones
10th September 2014
Users
Groups
GeoFence DB
GeoFence

GeoFence Use Cases
10th September 2014
SIAN

GeoFence Use Cases
MapManager
MapStore
GeoFence
GeoFence GeoStore GeoServer
JMX Agents
10th September 2014
GeoGraphic
Building Block

GeoFence Use Cases
10th September 2014
Astrium GetGeo

GeoFence Use Cases
 Layers filtered (CQL filters) by user profile to constrain
access to advanced functionality
 Possibility of spatial filters to allow regional access only
10th September 2014
Destination

GeoFence Status
 Project Released as Open Source
 Continuous Build is in place
 Dev and Users Mailing Lists are in place
 Latest Improvements
 IP based filter rules
 Catalog Mode support
 GeoServer community module for the probe
 Probe Wicket Configuration Page
 Further Improvements
10th September 2014
 Documentation
 Official Releases
 UI Refactor (based on REST APIs)

The End
Thanks for not sleeping
(loudly)
alessio.fabiani@geo-solutions.it
mauro.bartolomeoli@geo-solutions.it
10th September 2014

Advanced Security With GeoServer

More Related Content

What's hot

Similar to Advanced Security With GeoServer

More from GeoSolutions

Recently uploaded

Advanced Security With GeoServer