[GeoNode-devel] Securely using Geoserver rest api with no Geoserver admin credentials

Alessio Fabiani alessio.fabiani at geosolutionsgroup.com
Tue Apr 26 13:10:33 PDT 2022


Hello Gonzalo,
your approach is not wrong per se, GeoNode uses some proxified requests to
GeoServer in order to do something similar. However, as a general rule,
using proxies should be avoided if possible, because typically they
introduce a lot of latency.
Within the GeoNode use case the proxified request is used only when it has
no clue about the user "access_token", but, instead, there's the need to
use the username and password. This is simply because GeoServer has no
knowledge at all about the GeoNode users and therefore it won't be possible
to login into GeoServer through a non-internal username and password.

Not sure which is your specific use case, but, in the case you are able to
obtain a valid "access_token" associated to the user session somehow, the
best approach would be to hit directly the GeoServer endpoints by passing
it as an Authorization Bearer header request parameter. Otherwise, your
approach is good.

I hope this helps somehow,
Alessio.


On Wed, Apr 27, 2022 at 7:38 AM Gonzalo Varela <gonzalo.varela1981 at gmail.com>
wrote:

> Hi, this is my first interaction with Geonode developer mailing list.
>
> I'd like to find a secure way for non-admin Geonode users to use Geoserver
> REST API from external applications (python scripts, jupyter notebooks,
> maybe mapstore or others).
>
> Can you tell me if there is a security issue with my approach?
>
> A little context:
> I'm currently using geoserver-restconfig lib to allow external
> applications do the following:
> - upload raster layers
> - upload vector layers
> - upload time-series layers
> - edit layer style
> - download layers
>
> To do that I need to authenticate to geoserver with admin privileges.
> Today I'm struggling with the requirement of allowing non-admin Geonode
> users to do such things from external applications.
>
> I've found Geonode is proxying some Geoserver REST functionalities using
> either geoserver_proxy or geoserver_protected_proxy functions on
> /geoserver/views.py
> Some examples of these functionalities I mentioned are:
> - Style editing from mapstore performs a request to
> /gs/rest/workspaces/<workspace>/styles/<layer>?access_token=<token>
> - WPS requests
>
> I'm evaluating to expose geoserver_protected_proxy function, and use it to
> allow logged in Geonode users to:
> - create a REST request using geoserver-restconfig lib
> - send the request to Geonode's geoserver_protected_proxy view method
> - have geoserver_protected_proxy redirect to Geoserver REST API
> - verify action performed successfully (layer creation, style update and
> others)
>
> I believe this is the most clean and secure way to achieve this
> functionality. If someone detects a flaw, security issue or a better way to
> produce a similar result I'll be most grateful to hear you out.
>
> Thanks in advance!
> Gonzalo Varela
> _______________________________________________
> geonode-devel mailing list
> geonode-devel at lists.osgeo.org
> https://lists.osgeo.org/mailman/listinfo/geonode-devel
>


-- 

Regards,

Alessio Fabiani


Ing. Alessio Fabiani

@alfa7691
Founder/Technical Lead


GeoSolutions Group
phone: +39 0584 962313

fax:     +39 0584 1660272

mob:   +39  333 8128928

https://www.geosolutionsgroup.com/

http://twitter.com/geosolutions_it
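As an added illustration of the two options contrasted in the thread (example code, not GeoNode's or GeoServer's own; the hostnames are placeholders), the following builds the proxied request with `?access_token=` and the direct request with an `Authorization: Bearer` header, and shows why the header form keeps the token out of access logs:

```python
"""Two ways a GeoNode user can reach the GeoServer REST API, as discussed
in the thread: via GeoNode's /gs/ proxy with ?access_token=<token>, or
directly against GeoServer with an Authorization: Bearer header.
Example code, not GeoNode code; hostnames below are assumed placeholders."""
import re
import urllib.request
from urllib.parse import parse_qs, urlencode, urlsplit

GEONODE = "https://geonode.example.org"              # assumed
GEOSERVER = "https://geoserver.example.org/geoserver"  # assumed


def proxied_style_request(workspace, style, access_token):
    """Request routed through GeoNode's proxy (path pattern from the thread).
    The token rides in the query string, so every hop that logs URLs sees it."""
    query = urlencode({"access_token": access_token})
    url = f"{GEONODE}/gs/rest/workspaces/{workspace}/styles/{style}?{query}"
    return urllib.request.Request(url, method="GET")


def direct_style_request(workspace, style, access_token):
    """Direct request to GeoServer with the token in the Authorization header,
    the approach Alessio recommends when a valid access_token is available."""
    url = f"{GEOSERVER}/rest/workspaces/{workspace}/styles/{style}"
    req = urllib.request.Request(url, method="GET")
    req.add_header("Authorization", f"Bearer {access_token}")
    req.add_header("Accept", "application/json")
    return req


def token_in_url(req):
    """True if an access_token would appear in web-server or proxy access logs."""
    return "access_token" in parse_qs(urlsplit(req.full_url).query)


def redact_access_token(log_line):
    """Mask access_token values before a proxied request line is written to a
    log; mitigation for the query-string form when it cannot be avoided."""
    return re.sub(r"(access_token=)[^&\s]+", r"\1[REDACTED]", log_line)


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    via_proxy = proxied_style_request("geonode", "roads", "tok123")
    direct = direct_style_request("geonode", "roads", "tok123")
    print("proxy form leaks token in URL:", token_in_url(via_proxy))
    print("header form leaks token in URL:", token_in_url(direct))
    print(redact_access_token("GET " + via_proxy.full_url + " HTTP/1.1"))
```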
