Mastering Security with GeoServer and GeoFence (FOSS4G 2022 Edition)

Transcript

1. Nuno Oliveira Marco Volpini GeoSolutions Mastering Security with GeoServer and

   GeoFence

2. GeoSolutions Enterprise Support Services Deployment Subscription Professional Training Customized Solutions

   GeoNode • Offices in Italy & US, Global Clients/Team • 40+ collaborators, 30+ Engineers • Our products • Our Offer

3. Affiliations We strongly support Open Source, it Is in our

   core We actively participate in OGC working groups and get funded to advance new open standards We support standards critical to GEOINT

4. GeoServer security overview

5. Security system overview • GeoServer security system is based on

   Spring Security: Extensible and pluggable by design! • Can be configured via: • WEB administration interface • REST API, not all options are available • Allows us to secure data, services and administration!

6. Security system overview • GeoServer security offers both: • Authentication

   • Authorization • … and are supported by vanilla GeoServer! • GeoServer security terminology: • Users • Groups • Roles • Data Layers and Workspaces • Services Operations as well

7. Security system overview • GeoServer authentication: • Encryption is supported

   • Extensions offer others authentication mechanisms • GeoServer authorization is role based: • All security rules are defined against roles!

8. Users, groups and roles • How do they related to

   each other? • Users can exist on their own • Users can belong to one or more groups • Roles can exist on their own • Roles can be assigned to one or more users • Roles can be assigned to one or more groups • By default they are all stored inside GeoServer data directory!

9. Users, groups and roles • Extension points allow us to

   integrate with other providers: • User and group service • Roles services

10. Users, groups and roles

11. Users, groups and roles • Is not only about where

    users, groups and roles are stored • Integration between systems!: • Three levels of integrations

12. GeoServer authentication

13. Authentication mechanisms • Multiple authentication mechanisms may be active at

    the same time! What’s an authentication mechanism? • Let’s review the terminology: • Authentication provider • Authenticates using the provided data • Authentication filter • Retrieves the authentication information • Authentication chain • Defines what authentication filter is used for each endpoint

14. Authentication filters and providers

15. Authentication provider

16. Authentication filter

17. Authentication chain • Binds incoming request URL and authentication filters:

18. Authentication chain

19. Authentication chain

20. Authentication chain

21. GeoServer authorization

22. Authorization mechanisms • We can define authorization rules for: •

    Services and operations • Workspaces administration • Data (layers and layers groups) access • Remember authorization rules are defined with roles! • These are the Vanilla GeoServer capabilities! • GeoFence will extend these authorization capabilities!

23. Securing our services • The less generic rules is always

    applied first!

24. Securing our services

25. Securing our data • The less generic rules is always

    applied first!

26. Securing our data

27. Securing our data • Challenge: • Allows free access to

    metadata Data access will return HTTP 401 code • Mixed: • Hides the layers the user cannot read from the capabilities documents triggers authentication for any other attempt • Catalog modes: • Hide: • Hides layers that the user does not have read access to

28. Administration security rules • Similar to data rules, but we

    select the Admin access mode (only for workspaces!):

29. Advanced authorization with GeoFence

30. GeoFence overview • Advanced authorization engine for GeoServer: • Acts

    at the access manager level • Only one access manager per time! • Available either as: • A a independent service with its own powerful UI Can applies rules per GeoServer instance • Embedded in GeoServer • Rules can be stored either on h2 (default) or on PostGIS (additional configuration is needed)

31. GeoFence data rules • Rules prioritization definition is supported •

    Several parameters: • Username or role • IP address • Service and | or operation • Workspace, layer or layer group • Access to the data can be DENY, ALLOW or LIMIT

32. GeoFence data rules • Rules are shown ordered by priority:

    ◦ The lower the value, the higher the priority

33. GeoFence data rules • Efficient caching of rules and users!

    • Cache control from Admin UI

34. GeoFence data rules (ALLOW) • ALLOW access enables the configuration

    of additional constraints on a layer! • A specific layer must be selected! • Fine grained control over the styles:

35. GeoFence data rules (ALLOW) • CQL read and write filters

    • Spatial area filter • Control of attributes access: • None • Read • Write

36. GeoFence data rules (LIMIT) • Limits applies if a rule

    allowing access to the resource already exists! • Unlike ALLOW No need to select a layer! • Can be defined for Layer Groups and for an entire Workspaces. • LIMIT mode allow definition of: • Spatial Filter (CLIP or INTERSECT) • Catalog mode

37. GeoFence data rules (LIMIT) • Stand alone GeoFence allow us

    to draw the area:

38. GeoFence data rules (LIMIT)

39. GeoFence data rules (LIMIT) CLIP INTERSECTS

40. GeoFence administration rules • GeoFence Admin rule give access to

    UI configuration components • Admin Rules can be defined by Role and Username

41. Access manager extension point • For advanced use cases it’s

    relatively common to define a custom access manager: • Authorized based on a specific value of a feature • We need to retrieve the authorization rules from a third party service • This makes GeoServer authorization system integrable in complex enterprise architectures!

42. Advanced integrations highlights

43. Key authentication module • Allows for a very simple authentication

    protocol for simple OGC services clients • Various Key to User mappers: • properties file • user property • web service (key refresh) • Extension point to provide custom mapper!

44. Integration with OAuth2 (OpenID) • OpenId support is configurable as

    an authentication filter • The end points can be populated automatically if the discovery URL is available • We can retrieve the roles from the ID token claims!

45. Integration with Keycloak • Copy paste the JSON Keycloak config

    on the GeoServer filter configuration • GeoServer Keycloak integration provides: • Keycloak Authentication Filter • Keycloak Role Service

46. The End Questions? [email protected] [email protected] [email protected]