Skip to content

Commit

Permalink
Set JDBC role service as primary in GS
Browse files Browse the repository at this point in the history
  • Loading branch information
index-git committed Dec 15, 2023
1 parent 29010af commit 52064bf
Show file tree
Hide file tree
Showing 5 changed files with 23 additions and 11 deletions.
3 changes: 2 additions & 1 deletion CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@
```
It was already required in v1.22.3.
- Set new environment variable [LAYMAN_ROLE_SERVICE_URI](doc/env-settings.md#LAYMAN_ROLE_SERVICE_URI)
- Stop using environment variable `LAYMAN_GS_ROLE_SERVICE`, it has no effect to Layman anymore. Role service called `layman_role_service` is used now.
### Migrations and checks
#### Schema migrations
- [#165](https://github.com/LayerManager/layman/issues/165) Add column `role_name` to table `rights` in prime DB schema. Add constraint that exactly one of columns `role_name` and `id_user` is not null.
Expand Down Expand Up @@ -853,7 +854,7 @@ There is a critical bug in this release, posting new layer breaks Layman: https:
- [#62](https://github.com/LayerManager/layman/issues/62) GeoServer [Proxy Base URL](https://docs.geoserver.org/2.21.x/en/user/configuration/globalsettings.html) is now automatically set on Layman's startup according to [LAYMAN_GS_PROXY_BASE_URL](https://github.com/LayerManager/layman/blob/v1.21.1/doc/env-settings.md#LAYMAN_GS_PROXY_BASE_URL). If you do not set the variable, value is calculated as [LAYMAN_CLIENT_PUBLIC_URL](doc/env-settings.md#LAYMAN_CLIENT_PUBLIC_URL)+[LAYMAN_GS_PATH](https://github.com/LayerManager/layman/blob/v1.21.1/doc/env-settings.md#LAYMAN_GS_PATH). If you set it to empty string, no change of Proxy Base URL will be done on GeoServer side.
- [#83](https://github.com/LayerManager/layman/issues/89) All layers are created as `GEOMETRY` type, so any other type can be added (for example polygons can be added to points).
- [#73](https://github.com/LayerManager/layman/issues/73) Layman users are automatically created on GeoServer (either at start up of Layman or when reserved) with separate role and workspace. Username is the same as in Layman, name of role is `"USER_"+username`, name of workspace is the same as username. Read and write permissions for workspace are set according to Layman's authorization (as of now read-everyone-write-everyone or read-everyone-write-owner).
- New environment variables [LAYMAN_GS_USER_GROUP_SERVICE](doc/env-settings.md#LAYMAN_GS_USER_GROUP_SERVICE) and [LAYMAN_GS_ROLE_SERVICE](doc/env-settings.md#LAYMAN_GS_ROLE_SERVICE) enable to control which user/group and role services are used at GeoServer. Not setting these variables means to use default services.
- New environment variables [LAYMAN_GS_USER_GROUP_SERVICE](doc/env-settings.md#LAYMAN_GS_USER_GROUP_SERVICE) and [LAYMAN_GS_ROLE_SERVICE](https://github.com/LayerManager/layman/blob/v1.22.0/doc/env-settings.md#LAYMAN_GS_ROLE_SERVICE) enable to control which user/group and role services are used at GeoServer. Not setting these variables means to use default services.
- [#69](https://github.com/LayerManager/layman/issues/69) Three separate identical settings files (`layman_settings_demo.py`, `layman_settings_dev.py`, `layman_settings_test.py`) were merged into one file `layman_settings.py`.
- If username used in REST API request path is not yet reserved, HTTP requests other than POST returns (e.g. GET) HTTP error 404 (Layman code 40). Previously in case of GET request, empty list was returned.
- List of GeoServer reserved workspace names was moved from `layman_settings.py` into source code (`src\layman\common\geoserver\__init__.py`)
Expand Down
3 changes: 0 additions & 3 deletions doc/env-settings.md
Original file line number Diff line number Diff line change
Expand Up @@ -176,9 +176,6 @@ Name of [GeoServer role](https://docs.geoserver.org/2.21.x/en/user/security/weba
### LAYMAN_GS_USER_GROUP_SERVICE
Name of [user/group service](https://docs.geoserver.org/2.21.x/en/user/security/usergrouprole/usergroupservices.html) used for managing users at GeoServer. If not set (default), the service named `default` is chosen. Usually it's [XML user/group service](https://docs.geoserver.org/2.21.x/en/user/security/usergrouprole/usergroupservices.html#xml-user-group-service).

### LAYMAN_GS_ROLE_SERVICE
Name of [role service](https://docs.geoserver.org/2.21.x/en/user/security/usergrouprole/roleservices.html) used for managing roles and user-role associations at GeoServer. If not set (default), the service named `default` is chosen. Usually it's [XML user/group service](https://docs.geoserver.org/2.21.x/en/user/security/usergrouprole/roleservices.html#xml-role-service).

### LAYMAN_GS_AUTHN_HTTP_HEADER_ATTRIBUTE
Secret value of [GeoServer HTTP authentication request header attribute](https://docs.geoserver.org/2.21.x/en/user/security/tutorials/httpheaderproxy/index.html) used for WFS proxy. Only combination of lowercase characters and numbers must be used for the value. If you change an existing value, you have to change it also in GeoServer GUI manually.

Expand Down
9 changes: 9 additions & 0 deletions src/geoserver/role_service.py
Original file line number Diff line number Diff line change
Expand Up @@ -6,6 +6,7 @@
from xml.sax.saxutils import escape

from requests_util import url_util
from . import authn

logger = logging.getLogger(__name__)
logging.basicConfig(stream=sys.stdout, level=logging.DEBUG)
Expand Down Expand Up @@ -50,3 +51,11 @@ def setup_jdbc_role_service(data_dir, service_url, role_service_name, db_schema)
file.write(rolesdml_content.format(
schema=db_schema,
))


def set_primary_role_service(data_dir, role_service_name):
security_xml = authn.get_security(data_dir)
element = security_xml.find('roleServiceName')
element.text = role_service_name
security_path = os.path.join(data_dir, 'security/config.xml')
security_xml.write(security_path)
14 changes: 8 additions & 6 deletions src/layman_settings.py
Original file line number Diff line number Diff line change
Expand Up @@ -105,9 +105,16 @@ class EnumWfsWmsStatus(Enum):
GEOSERVER_ADMIN_PASSWORD)
GEOSERVER_DATADIR = '/geoserver/data_dir'
GEOSERVER_INITIAL_DATADIR = '/geoserver/initial_data_dir'
LAYMAN_GS_ROLE_SERVICE = os.getenv('LAYMAN_GS_ROLE_SERVICE', '') or 'default'

LAYMAN_GS_ROLE_SERVICE = 'layman_role_service'
# Name of schema, where Layman maintains internal GS JDBC Role Service.
LAYMAN_INTERNAL_ROLE_SERVICE_SCHEMA = '_role_service'
LAYMAN_ROLE_SERVICE_URI = os.environ['LAYMAN_ROLE_SERVICE_URI']
LAYMAN_ROLE_SERVICE_SCHEMA = parse_qs(urlparse(LAYMAN_ROLE_SERVICE_URI).query)['schema'][0]

LAYMAN_GS_USER_GROUP_SERVICE = os.getenv('LAYMAN_GS_USER_GROUP_SERVICE', '') or 'default'


LAYMAN_GS_USER = os.environ['LAYMAN_GS_USER']
LAYMAN_GS_PASSWORD = os.environ['LAYMAN_GS_PASSWORD']
LAYMAN_GS_AUTH = (LAYMAN_GS_USER, LAYMAN_GS_PASSWORD)
Expand Down Expand Up @@ -224,11 +231,6 @@ class EnumWfsWmsStatus(Enum):
if RIGHTS_EVERYONE_ROLE not in GRANT_PUBLISH_IN_PUBLIC_WORKSPACE:
assert not GRANT_CREATE_PUBLIC_WORKSPACE.difference(GRANT_PUBLISH_IN_PUBLIC_WORKSPACE)

# Name of schema, where Layman maintains internal GS JDBC Role Service.
LAYMAN_INTERNAL_ROLE_SERVICE_SCHEMA = '_role_service'
LAYMAN_ROLE_SERVICE_URI = os.environ['LAYMAN_ROLE_SERVICE_URI']
LAYMAN_ROLE_SERVICE_SCHEMA = parse_qs(urlparse(LAYMAN_ROLE_SERVICE_URI).query)['schema'][0]

# UPLOAD_MAX_INACTIVITY_TIME = 10 # 10 seconds
UPLOAD_MAX_INACTIVITY_TIME = 5 * 60 # 5 minutes

Expand Down
5 changes: 4 additions & 1 deletion src/setup_geoserver.py
Original file line number Diff line number Diff line change
Expand Up @@ -78,9 +78,12 @@ def main():
ensure_jdbc_role_service_internal_schema()
role_service.setup_jdbc_role_service(settings.GEOSERVER_DATADIR,
settings.LAYMAN_ROLE_SERVICE_URI,
'layman_role_service',
settings.LAYMAN_GS_ROLE_SERVICE,
settings.LAYMAN_ROLE_SERVICE_SCHEMA,
)
role_service.set_primary_role_service(settings.GEOSERVER_DATADIR,
settings.LAYMAN_GS_ROLE_SERVICE,
)
epsg_properties.setup_epsg(settings.GEOSERVER_DATADIR,
set(settings.LAYMAN_OUTPUT_SRS_LIST))

Expand Down

0 comments on commit 52064bf

Please sign in to comment.