<div dir="ltr"><div>Hi, this is my first interaction with Geonode developer mailing list.</div><div><br></div><div>I'd
like to find a secure way for non-admin Geonode users to use Geoserver
REST API from external applications (python scripts, jupyter notebooks,
maybe mapstore or others).</div><div><br></div><div>Can you tell me if there is a security issue with my approach ?<br></div><div><br></div><div>A little context:</div><div><div>I'm currently using geoserver-restconfig lib to allow external applications do the following:</div><div>- upload raster layers</div><div>- upload vector layers</div><div>- upload time-series layers</div><div>- edit layer style</div><div>- download layers</div><div><br></div><div>To do that I need to authenticate to geoserver with admin privileges.<br></div><div>Today I'm struggling with the requirement of allowing non-admin Geonode users to do such things from external applications.</div></div><div><br></div><div>I've
found Geonode is proxying some Geoserver REST functionalities using
either geoserver_proxy or geoserver_protected_proxy functions on
/geoserver/views.py</div><div>Some examples of these functionalities I mentioned are:<br></div><div>- Style editing from mapstore performs a request to /gs/rest/workspaces/<workspace>/styles/<layer>?access_token=<token></div><div>- WPS requests<br></div><div><br></div><div>I'm evaluating to expose geoserver_protected_proxy function, and use it to <br></div><div>allow logged in Geonode users to:</div><div>- create a REST request using geserver-restconfig lib</div><div>- send the request to Genode's geoserver_protected_proxy view method</div><div>- have geoserver_protected_proxy redirect to Geoserver REST API</div><div>- verify action performed succesfully (layer creation, style update and others)<br></div><div><br></div><div>I
believe this is the most clean and secure way to achieve this
functionality, If someone detects a flaw, security issue or a better way
to procue a similar result I'll be most grateful to hear you out.</div><div><br></div><div>Thanks in advance !</div><font color="#888888"><div>Gonzalo Varela</div></font></div>