Slide 1

Slide 1 text

Nuno Oliveira Marco Volpini GeoSolutions Mastering Security with GeoServer and GeoFence

Slide 2

Slide 2 text

GeoSolutions Enterprise Support Services Deployment Subscription Professional Training Customized Solutions GeoNode • Offices in Italy & US, Global Clients/Team • 40+ collaborators, 30+ Engineers • Our products • Our Offer

Slide 3

Slide 3 text

Affiliations We strongly support Open Source, it Is in our core We actively participate in OGC working groups and get funded to advance new open standards We support standards critical to GEOINT

Slide 4

Slide 4 text

GeoServer security overview

Slide 5

Slide 5 text

Security system overview • GeoServer security system is based on Spring Security: Extensible and pluggable by design! • Can be configured via: • WEB administration interface • REST API, not all options are available • Allows us to secure data, services and administration!

Slide 6

Slide 6 text

Security system overview • GeoServer security offers both: • Authentication • Authorization • … and are supported by vanilla GeoServer! • GeoServer security terminology: • Users • Groups • Roles • Data Layers and Workspaces • Services Operations as well

Slide 7

Slide 7 text

Security system overview • GeoServer authentication: • Encryption is supported • Extensions offer others authentication mechanisms • GeoServer authorization is role based: • All security rules are defined against roles!

Slide 8

Slide 8 text

Users, groups and roles • How do they related to each other? • Users can exist on their own • Users can belong to one or more groups • Roles can exist on their own • Roles can be assigned to one or more users • Roles can be assigned to one or more groups • By default they are all stored inside GeoServer data directory!

Slide 9

Slide 9 text

Users, groups and roles • Extension points allow us to integrate with other providers: • User and group service • Roles services

Slide 10

Slide 10 text

Users, groups and roles

Slide 11

Slide 11 text

Users, groups and roles • Is not only about where users, groups and roles are stored • Integration between systems!: • Three levels of integrations

Slide 12

Slide 12 text

GeoServer authentication

Slide 13

Slide 13 text

Authentication mechanisms • Multiple authentication mechanisms may be active at the same time! What’s an authentication mechanism? • Let’s review the terminology: • Authentication provider • Authenticates using the provided data • Authentication filter • Retrieves the authentication information • Authentication chain • Defines what authentication filter is used for each endpoint

Slide 14

Slide 14 text

Authentication filters and providers

Slide 15

Slide 15 text

Authentication provider

Slide 16

Slide 16 text

Authentication filter

Slide 17

Slide 17 text

Authentication chain • Binds incoming request URL and authentication filters:

Slide 18

Slide 18 text

Authentication chain

Slide 19

Slide 19 text

Authentication chain

Slide 20

Slide 20 text

Authentication chain

Slide 21

Slide 21 text

GeoServer authorization

Slide 22

Slide 22 text

Authorization mechanisms • We can define authorization rules for: • Services and operations • Workspaces administration • Data (layers and layers groups) access • Remember authorization rules are defined with roles! • These are the Vanilla GeoServer capabilities! • GeoFence will extend these authorization capabilities!

Slide 23

Slide 23 text

Securing our services • The less generic rules is always applied first!

Slide 24

Slide 24 text

Securing our services

Slide 25

Slide 25 text

Securing our data • The less generic rules is always applied first!

Slide 26

Slide 26 text

Securing our data

Slide 27

Slide 27 text

Securing our data • Challenge: • Allows free access to metadata Data access will return HTTP 401 code • Mixed: • Hides the layers the user cannot read from the capabilities documents triggers authentication for any other attempt • Catalog modes: • Hide: • Hides layers that the user does not have read access to

Slide 28

Slide 28 text

Administration security rules • Similar to data rules, but we select the Admin access mode (only for workspaces!):

Slide 29

Slide 29 text

Advanced authorization with GeoFence

Slide 30

Slide 30 text

GeoFence overview • Advanced authorization engine for GeoServer: • Acts at the access manager level • Only one access manager per time! • Available either as: • A a independent service with its own powerful UI Can applies rules per GeoServer instance • Embedded in GeoServer • Rules can be stored either on h2 (default) or on PostGIS (additional configuration is needed)

Slide 31

Slide 31 text

GeoFence data rules • Rules prioritization definition is supported • Several parameters: • Username or role • IP address • Service and | or operation • Workspace, layer or layer group • Access to the data can be DENY, ALLOW or LIMIT

Slide 32

Slide 32 text

GeoFence data rules ● Rules are shown ordered by priority: ○ The lower the value, the higher the priority

Slide 33

Slide 33 text

GeoFence data rules ● Efficient caching of rules and users! ● Cache control from Admin UI

Slide 34

Slide 34 text

GeoFence data rules (ALLOW) • ALLOW access enables the configuration of additional constraints on a layer! • A specific layer must be selected! • Fine grained control over the styles:

Slide 35

Slide 35 text

GeoFence data rules (ALLOW) • CQL read and write filters • Spatial area filter • Control of attributes access: • None • Read • Write

Slide 36

Slide 36 text

GeoFence data rules (LIMIT) • Limits applies if a rule allowing access to the resource already exists! • Unlike ALLOW No need to select a layer! • Can be defined for Layer Groups and for an entire Workspaces. • LIMIT mode allow definition of: • Spatial Filter (CLIP or INTERSECT) • Catalog mode

Slide 37

Slide 37 text

GeoFence data rules (LIMIT) • Stand alone GeoFence allow us to draw the area:

Slide 38

Slide 38 text

GeoFence data rules (LIMIT)

Slide 39

Slide 39 text

GeoFence data rules (LIMIT) CLIP INTERSECTS

Slide 40

Slide 40 text

GeoFence administration rules • GeoFence Admin rule give access to UI configuration components • Admin Rules can be defined by Role and Username

Slide 41

Slide 41 text

Access manager extension point • For advanced use cases it’s relatively common to define a custom access manager: • Authorized based on a specific value of a feature • We need to retrieve the authorization rules from a third party service • This makes GeoServer authorization system integrable in complex enterprise architectures!

Slide 42

Slide 42 text

Advanced integrations highlights

Slide 43

Slide 43 text

Key authentication module • Allows for a very simple authentication protocol for simple OGC services clients • Various Key to User mappers: • properties file • user property • web service (key refresh) • Extension point to provide custom mapper!

Slide 44

Slide 44 text

Integration with OAuth2 (OpenID) • OpenId support is configurable as an authentication filter • The end points can be populated automatically if the discovery URL is available • We can retrieve the roles from the ID token claims!

Slide 45

Slide 45 text

Integration with Keycloak ● Copy paste the JSON Keycloak config on the GeoServer filter configuration • GeoServer Keycloak integration provides: • Keycloak Authentication Filter • Keycloak Role Service

Slide 46

Slide 46 text