Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Mastering Security with GeoServer and GeoFence (FOSS4G 2022 Edition)

Mastering Security with GeoServer and GeoFence (FOSS4G 2022 Edition)

The presentation will provide a comprehensive introduction to GeoServer's own authentication and authorization subsystems. 
The authentication part will cover the various supported authentication protocols (e.g. basic/digest authentication, CAS, OAuth2) and identity providers (such as local config files, database tables and LDAP servers). 
It will explain how to combine various authentication mechanisms in a single comprehensive authentication tool, as well as providing examples of custom authentication plugins for GeoServer, integrating it in a home-grown security architecture.
We’ll then move on to authorization, describing the GeoServer pluggable authorization mechanism, and comparing it with proxy based solution. We will explain the default service and data security system, reviewing its benefits and limitations.
Finally we’ll explore the advanced authorization provider, GeoFence. The different levels of integration with GeoServer will be presented, from the simple and seamless direct integration to the more sophisticated external setup. Finally we’ll explore GeoFence’s complex authorization rules using:

The current user and its roles.
The OGC services, workspace, layer, layer group.
CQL read and write filters.
Attribute selection.
Cropping raster and vector data to areas of interest.

Simone Giannecchini
PRO

August 31, 2022
Tweet

More Decks by Simone Giannecchini

Other Decks in Technology

Transcript

  1. Nuno Oliveira
    Marco Volpini
    GeoSolutions
    Mastering Security with
    GeoServer and GeoFence

    View Slide

  2. GeoSolutions
    Enterprise Support
    Services
    Deployment
    Subscription
    Professional
    Training
    Customized
    Solutions
    GeoNode
    • Offices in Italy & US, Global Clients/Team
    • 40+ collaborators, 30+ Engineers
    • Our products
    • Our Offer

    View Slide

  3. Affiliations
    We strongly support Open
    Source, it Is in our core
    We actively participate in
    OGC working groups and
    get funded to advance new
    open standards
    We support standards
    critical to GEOINT

    View Slide

  4. GeoServer security overview

    View Slide

  5. Security system overview
    • GeoServer security system is based on Spring
    Security:
    Extensible and pluggable by design!
    • Can be configured via:
    • WEB administration interface
    • REST API, not all options are available
    • Allows us to secure data, services and
    administration!

    View Slide

  6. Security system overview
    • GeoServer security offers both:
    • Authentication
    • Authorization
    • … and are supported by vanilla GeoServer!
    • GeoServer security terminology:
    • Users
    • Groups
    • Roles
    • Data Layers and Workspaces
    • Services Operations as well

    View Slide

  7. Security system overview
    • GeoServer authentication:
    • Encryption is supported
    • Extensions offer others authentication
    mechanisms
    • GeoServer authorization is role based:
    • All security rules are defined against roles!

    View Slide

  8. Users, groups and roles
    • How do they related to each other?
    • Users can exist on their own
    • Users can belong to one or more groups
    • Roles can exist on their own
    • Roles can be assigned to one or more users
    • Roles can be assigned to one or more groups
    • By default they are all stored inside GeoServer
    data directory!

    View Slide

  9. Users, groups and roles
    • Extension points allow us to integrate with other
    providers:
    • User and group service
    • Roles services

    View Slide

  10. Users, groups and roles

    View Slide

  11. Users, groups and roles
    • Is not only about
    where users, groups
    and roles are stored
    • Integration between
    systems!:
    • Three levels of
    integrations

    View Slide

  12. GeoServer authentication

    View Slide

  13. Authentication mechanisms
    • Multiple authentication mechanisms may be
    active at the same time!
    What’s an authentication mechanism?
    • Let’s review the terminology:
    • Authentication provider
    • Authenticates using the provided data
    • Authentication filter
    • Retrieves the authentication information
    • Authentication chain
    • Defines what authentication filter is used
    for each endpoint

    View Slide

  14. Authentication filters and providers

    View Slide

  15. Authentication provider

    View Slide

  16. Authentication filter

    View Slide

  17. Authentication chain
    • Binds incoming request URL and
    authentication filters:

    View Slide

  18. Authentication chain

    View Slide

  19. Authentication chain

    View Slide

  20. Authentication chain

    View Slide

  21. GeoServer authorization

    View Slide

  22. Authorization mechanisms
    • We can define authorization rules for:
    • Services and operations
    • Workspaces administration
    • Data (layers and layers groups) access
    • Remember authorization rules are defined with
    roles!
    • These are the Vanilla GeoServer capabilities!
    • GeoFence will extend these authorization capabilities!

    View Slide

  23. Securing our services
    • The less generic rules is always applied first!

    View Slide

  24. Securing our services

    View Slide

  25. Securing our data
    • The less generic rules is always applied first!

    View Slide

  26. Securing our data

    View Slide

  27. Securing our data
    • Challenge:
    • Allows free access to metadata Data access
    will return HTTP 401 code
    • Mixed:
    • Hides the layers the user cannot read from the
    capabilities documents triggers authentication
    for any other attempt
    • Catalog modes:
    • Hide:
    • Hides layers that the user does
    not have read access to

    View Slide

  28. Administration security rules
    • Similar to data rules, but we select the Admin
    access mode (only for workspaces!):

    View Slide

  29. Advanced authorization with
    GeoFence

    View Slide

  30. GeoFence overview
    • Advanced authorization engine for GeoServer:
    • Acts at the access manager level
    • Only one access manager per time!
    • Available either as:
    • A a independent service with its own powerful UI
    Can applies rules per GeoServer instance
    • Embedded in GeoServer
    • Rules can be stored either on h2 (default) or on
    PostGIS (additional configuration is needed)

    View Slide

  31. GeoFence data rules
    • Rules prioritization
    definition is supported
    • Several parameters:
    • Username or role
    • IP address
    • Service and | or
    operation
    • Workspace, layer or
    layer group
    • Access to the data can be
    DENY, ALLOW or LIMIT

    View Slide

  32. GeoFence data rules
    ● Rules are shown ordered by priority:
    ○ The lower the value, the higher the priority

    View Slide

  33. GeoFence data rules
    ● Efficient caching of rules and users!
    ● Cache control from Admin UI

    View Slide

  34. GeoFence data rules (ALLOW)
    • ALLOW access enables the configuration of
    additional constraints on a layer!
    • A specific layer must be selected!
    • Fine grained control over the styles:

    View Slide

  35. GeoFence data rules (ALLOW)
    • CQL read
    and write
    filters
    • Spatial area
    filter
    • Control of
    attributes
    access:
    • None
    • Read
    • Write

    View Slide

  36. GeoFence data rules (LIMIT)
    • Limits applies if a rule allowing access to the
    resource already exists!
    • Unlike ALLOW No need to select a layer!
    • Can be defined for Layer Groups and for an entire
    Workspaces.
    • LIMIT mode allow definition of:
    • Spatial Filter (CLIP or INTERSECT)
    • Catalog mode

    View Slide

  37. GeoFence data rules (LIMIT)
    • Stand alone GeoFence allow us to draw the
    area:

    View Slide

  38. GeoFence data rules (LIMIT)

    View Slide

  39. GeoFence data rules (LIMIT)
    CLIP
    INTERSECTS

    View Slide

  40. GeoFence administration rules
    • GeoFence Admin rule
    give access to UI
    configuration
    components
    • Admin Rules can be
    defined by Role and
    Username

    View Slide

  41. Access manager extension point
    • For advanced use cases it’s relatively common
    to define a custom access manager:
    • Authorized based on a specific value of a
    feature
    • We need to retrieve the authorization rules from
    a third party service
    • This makes GeoServer authorization system
    integrable in complex enterprise architectures!

    View Slide

  42. Advanced integrations highlights

    View Slide

  43. Key authentication module
    • Allows for a very simple
    authentication protocol for
    simple OGC services clients
    • Various Key to User mappers:
    • properties file
    • user property
    • web service (key refresh)
    • Extension point to provide
    custom mapper!

    View Slide

  44. Integration with OAuth2 (OpenID)
    • OpenId support is
    configurable as an
    authentication filter
    • The end points can be
    populated
    automatically if the
    discovery URL is
    available
    • We can retrieve the
    roles from the ID
    token claims!

    View Slide

  45. Integration with Keycloak
    ● Copy paste the
    JSON Keycloak
    config on the
    GeoServer filter
    configuration
    • GeoServer Keycloak
    integration provides:
    • Keycloak Authentication Filter
    • Keycloak Role Service

    View Slide

  46. View Slide