[GeoNode-devel] Securely using Geoserver rest api with no Geoserver admin credentials

Gonzalo Varela gonzalo.varela1981 at gmail.com
Tue Apr 26 11:43:01 PDT 2022


Hi, this is my first interaction with the Geonode developer mailing list.

I'd like to find a secure way for non-admin Geonode users to use Geoserver
REST API from external applications (python scripts, jupyter notebooks,
maybe mapstore or others).

Can you tell me if there is a security issue with my approach?

A little context:
I'm currently using geoserver-restconfig lib to allow external applications
to do the following:
- upload raster layers
- upload vector layers
- upload time-series layers
- edit layer style
- download layers

To do that I need to authenticate to geoserver with admin privileges.
Today I'm struggling with the requirement of allowing non-admin Geonode
users to do such things from external applications.

I've found Geonode is proxying some Geoserver REST functionalities using
either geoserver_proxy or geoserver_protected_proxy functions on
/geoserver/views.py
Some examples of these functionalities I mentioned are:
- Style editing from mapstore performs a request to
/gs/rest/workspaces/<workspace>/styles/<layer>?access_token=<token>
- WPS requests

I'm evaluating exposing the geoserver_protected_proxy function, and using it to
allow logged in Geonode users to:
- create a REST request using geoserver-restconfig lib
- send the request to Geonode's geoserver_protected_proxy view method
- have geoserver_protected_proxy redirect to Geoserver REST API
- verify action performed successfully (layer creation, style update and
others)

I believe this is the cleanest and most secure way to achieve this
functionality. If someone detects a flaw, a security issue or a better way to
produce a similar result, I'll be most grateful to hear you out.

Thanks in advance!
Gonzalo Varela
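
An added example, not part of the original message and not GeoNode's own code: one authorization check a proxy view in front of the GeoServer REST API could run before forwarding a non-admin user's request, using the /gs/rest/workspaces/<workspace>/... path shape quoted above. The function name, the policy table and the per-user workspace set are hypothetical, and the sample values are constructed.

```python
import posixpath
import re
from urllib.parse import unquote

# Hypothetical policy: REST resource kinds a non-admin may reach, and the
# HTTP methods allowed on each (style editing, raster and vector uploads).
ALLOWED_METHODS = {
    "styles": {"GET", "PUT"},
    "coveragestores": {"GET", "PUT", "POST"},
    "datastores": {"GET", "PUT", "POST"},
}

# Only workspace-scoped resources are eligible; global endpoints never match.
WORKSPACE_PATH = re.compile(
    r"/gs/rest/workspaces/(?P<ws>[A-Za-z0-9_-]+)/(?P<kind>[a-z]+)(?:/[^?#]+)?"
)


def may_forward(method, raw_path, user_workspaces):
    """Return True only if this REST call may be forwarded for this user.

    raw_path is the request path without the query string; user_workspaces
    is the set of workspace names the logged-in user may write to
    (assumed to come from the application's own permission model).
    """
    path = unquote(raw_path)
    # Anything still percent-encoded after one decode is double-encoded.
    if "%" in path or "\\" in path or "\x00" in path:
        return False
    # Require an already-normalised path: no '..', '.', '//' or trailing '/'.
    if posixpath.normpath(path) != path:
        return False
    match = WORKSPACE_PATH.fullmatch(path)
    if match is None:
        return False
    if match.group("ws") not in user_workspaces:
        return False
    return method.upper() in ALLOWED_METHODS.get(match.group("kind"), set())


if __name__ == "__main__":
    mine = {"geonode"}  # constructed sample workspace set
    print(may_forward("PUT", "/gs/rest/workspaces/geonode/styles/roads", mine))
    print(may_forward("PUT", "/gs/rest/workspaces/other/styles/roads", mine))
```

The check is deny-by-default: a path outside the workspace-scoped shape, a workspace the user does not own, or a method not listed for that resource kind is refused before anything is forwarded.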