[GeoNode-users] Geonode & Geoserver - Secure WMS

Francesco Bartoli xbartolone at gmail.com
Tue Jan 30 13:08:46 PST 2018


Hi Olivier,

Even if it is not well documented so far, if your concern is security then a stronger password mechanism is certainly not enough; you should rather be able to control identities and their profiles with stronger authentication and authorization mechanisms and, moreover, implement a single sign-on system, which is more or less the intent of the OAuth2 server.
At the moment geonode relies on such an internal system and geoserver is federated to it for the above purposes. Also, without an OAuth2 server the API token-based mechanism for supporting authentication from external parties would be broken.
That said, even if I'm -1 on your implementation, because the approach with an LDAP setup would be more scalable and would continue to support everything already in place, with the possibility to implement your preferred password encryption at the LDAP server level, you can customize GeoNode starting from an upstream geonode-project https://github.com/GeoNode/geonode-project. LDAP would also be supported by GeoServer and GeoFence (for authorization), if I remember well. Alessio can correct me if I'm wrong.
I've never implemented such an integration for GeoNode, but you can have a look at Exchange, which is an upstream project from Boundless currently using LDAP https://github.com/boundlessgeo/exchange/blob/master/requirements.txt#L24.

Hope this helps to figure out the best approach for you.

Regards,
Francesco  
 
On 29 Jan 2018, at 02:59, Olivier Dalang <olivier.dalang at gmail.com> wrote:

> I was actually making a mistake using strongPBE for user passwords; I rather wanted to use digest (salted SHA-256 iterated 100000 times, and not reversible). This one is straightforward to implement in Django.
> 
> So the whole setup now seems to be working well, with Geonode users/groups completely supported by Geoserver. In my opinion, this is much less convoluted than the OAuth2 mechanism.
> 
> Francesco I'd still be very interested to hear about the LDAP setup with Geonode.
> 
> Kind regards,
> 
> Olivier
> 
> 
> 
> 
> On Fri, Jan 26, 2018 at 10:06 AM, Olivier Dalang <olivier.dalang at gmail.com> wrote:
> Hi Francesco,
> 
> Thank you for your message.
> 
> After a little bit of research (I'm not familiar with LDAP), it seems well documented and mature on Geoserver [1], but I'm a bit less sure about Geonode. Have you done that before?
> 
> In particular, I have those concerns: 
> - Would groups be supported? From this thread [2] in early 2017, it doesn't seem to be the case. I see in the django-auth-ldap documentation [3] that it's possible to mirror groups, but as Geonode has its own people_profile_groups table, I'm not sure it would work with Geonode out of the box.
> - I couldn't find out whether django-auth-ldap is bidirectional or not (will it still be possible to add/edit/delete users from the Django app?).
> 
> About the approach being too complex: the only tricky part in that setup is the encryption.
> I initially thought there would be reliable Python libraries to hash passwords using PBEWITHSHA256AND256BITAES-CBC, but it seems that algorithm is only popular in the Java world. Actually it may be easier/cleaner to go the other way around (add a Django-compatible password hasher to Geoserver).
> 
> Except for that, it's just using existing Postgres tables for authentication, which is very well supported by Geoserver, and not very different conceptually from using any other external authentication system (like LDAP), with the added benefit that there's only one integration to manage.
> 
> Kind regards,
> 
> Olivier
> 
> [1] http://docs.geoserver.org/latest/en/user/security/tutorials/ldap/index.html 
> [2] https://lists.osgeo.org/pipermail/geonode-users/2017-March/002837.html 
> [3] https://django-auth-ldap.readthedocs.io/en/latest/groups.html
> 
> 
> 
> On Thu, Jan 25, 2018 at 7:18 PM, Francesco Bartoli <xbartolone at gmail.com> wrote:
> Olivier,
> 
> IMHO this approach is just over-engineering to achieve your use case.
> I would use an external common LDAP for that scope which is cleaner from an architectural point of view.
> 
> Francesco
> 
> On 25 Jan 2018, at 04:34 +0100, Olivier Dalang <olivier.dalang at gmail.com> wrote:
>> Hi,
>> 
>> We have very similar requirements here.
>> 
>> I'm currently trying to set this up by sharing user tables between Geonode and Geoserver at database level rather than using OAuth2 calls.
>> 
>> It works like this :
>> 
>> 1/ Create a JDBC user/group service
>> 2/ Create an authkey authentication using "user properties" (this works by reading a "UUID" property for each user)
>> 3/ Change usersddl.xml to create updatable views instead of tables to "proxy" django's tables so that they can be used by geoserver. This must be done for user, user_props (to set the UUID to Django's tokens), and also for groups. Another approach is not to create the tables at all, but customize the queries (but it's more work in the end).
>> 4/ Create a Django PasswordHasher so that Django and Geoserver's hashes are compatible
>> 
>> This way, Geonode and Geoserver users are synced at the database level. It means that Geoserver users/groups can be used through HTTP basic authentication (when connecting from a desktop GIS client, for example) and also when using a key in the URL (to display map tiles from the browser, for example). As Django tokens expire, it's not too bad if someone gets hold of a token. And the nice thing is that if you use updatable views in Postgres, you can add/edit users/groups from within Geoserver or Geonode.
>> 
>> This whole idea seems to work well (at least during my early tests), except for step 4. I've been trying to set up Strong PBE Encryption for Django, but couldn't make it work (see this thread https://lists.osgeo.org/pipermail/geonode-users/2018-January/004059.html). Currently, I'm using plain-text passwords for my tests, but I'd definitely need to sort step 4 out for this to be usable safely in production.
>> 
>> I'm just in the middle of this, so I don't have a nice code example to share (besides what I shared in that other thread), but if this is of some interest to you, I'll be happy to do so in a few days...
>> 
>> Kind regards,
>> 
>> Olivier
>> 
>> 
>> 
>> 
>> 
>> 
>> On Tue, Jan 23, 2018 at 9:02 AM, Pascal Coulon <Pascal.Coulon at scisys.co.uk> wrote:
>> Brilliant – very useful – exactly what we are about to implement. If this works as explained we will feed back here.
>> 
>> Pascal Coulon
>> 
>> GIS Technical Architect - Enterprise Solutions & Defence
>> SCISYS UK Limited 
>> T: +44 (0)117 9165237 | F: +44 (0)1249 465237 | M:+44 (0) 7876397844
>> E: pascal.coulon at scisys.co.uk | http://www.scisys.co.uk
>> 
>> From: Francesco Bartoli [mailto:xbartolone at gmail.com]
>> Sent: 22 January 2018 20:59
>> To: Alessio Fabiani
>> Cc: Pascal Coulon; geonode-users at lists.osgeo.org
>> Subject: Re: [GeoNode-users] Geonode & Geoserver - Secure WMS
>> 
>> Never tried this https://github.com/GeoNode/geonode/pull/3415 but it should allow getting an access token from external applications.
>> 
>> @Pascal, it is worth a look and maybe a PR for geonode docs on how to use it.
>> 
>> Thanks
>> 
>> Francesco 
>> 
>> 
>> On 22 Jan 2018, at 19:02, Alessio Fabiani <alessio.fabiani at geo-solutions.it> wrote:
>> 
>> Hello Pascal,
>> 
>> currently, without further customizations, the only way to access resources from external clients is by putting the valid OAuth2 access_token generated by GeoNode into the OWS request URL parameters.
>> 
>> To retrieve this, you need to log into GeoNode, go to any layer's details, click on "Download Layer" and copy the "access_token" query parameter from any of the generated query strings.
>> 
>> There are plans to make it easier for users to retrieve the access_token from GeoNode in the future, but currently this is the only way to do it.
>> 
>> Regards,
>> 
>> Alessio Fabiani
>> 
>> ==
>> GeoServer Professional Services from the experts! Visit http://goo.gl/it488V for more information.
>> ==
>> 
>> Ing. Alessio Fabiani
>> 
>> @alfa7691
>> Founder/Technical Lead
>> 
>> 
>> GeoSolutions S.A.S.
>> Via di Montramito 3/A
>> 55054  Massarosa (LU)
>> Italy
>> phone: +39 0584 962313
>> fax:     +39 0584 1660272
>> mob:   +39 331 6233686
>> 
>> http://www.geo-solutions.it
>> http://twitter.com/geosolutions_it
>> 
>>  
>> 
>> 2018-01-22 18:50 GMT+01:00 Pascal Coulon <Pascal.Coulon at scisys.co.uk>:
>> 
>> Hello,
>> 
>> I have a use case where I need to securely access OGC services managed by GeoNode, Geoserver and GeoFence. Access is required outside the Geonode portal, from third-party applications: desktop, other spatial web portals, etc.
>> 
>> Geonode is used as the gateway to manage all datasets. On setting the permissions on a given dataset, the relevant permissions are pushed to GeoFence via its REST API. By default a ground data rule is set in GeoFence that prevents accessing / viewing all datasets, which means that datasets are only visible based on the permissions set in GeoNode.
>> 
>> The above part makes sense as long as one browses the data only in GeoNode. However, as soon as one wants to access the OGC endpoints (e.g. WMS, WFS) available on http://mydomain/geoserver/geonode/wms in, say, QGIS / ArcMap, you are no longer authenticated. I have already looked into basic authentication, but as far as I understand it, this approach requires recreating the Geonode user in GeoServer.
>> 
>> What are the options then for a desktop / third-party application's user to access the secure OGC endpoints managed through Geonode? Which Geoserver authentication filter should one use?
>> 
>> Hope this makes sense. Any thoughts or pointers would be greatly appreciated.
>> 
>> Cheers,
>> 
>> Pascal
>> 
>> 
>> SCISYS UK Limited. Registered in England and Wales No. 4373530.
>> 
>> Registered Office: Methuen Park, Chippenham, Wiltshire SN14 0GB, UK.
>> 
>>  
>> 
>> Before printing, please think about the environment.
>> 
>>  
>> 
>> 
>> _______________________________________________
>> geonode-users mailing list
>> geonode-users at lists.osgeo.org
>> https://lists.osgeo.org/mailman/listinfo/geonode-users
>> 
>>  
>> 
> 
> 
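Step 4 of Olivier's setup above (a Django password hasher whose output Geoserver's digest encoder accepts: salted SHA-256 iterated 100000 times) in working code, as an added example that is not part of the original thread nor of the GeoNode or GeoServer projects. It assumes that GeoServer's digest encoder follows the conventions of Jasypt's StrongPasswordEncryptor (16 random salt bytes hashed in front of the NFC-normalised UTF-8 password in the first round, every later round hashing only the previous digest, salt prepended to the digest, base64, "digest1:" prefix); the function and class names are ours, and GeoServerDigestHasher only mimics the method names of Django's BasePasswordHasher without importing Django, so the file runs stand-alone. Check it against a hash produced by a real GeoServer instance before relying on it.

```python
import base64
import hashlib
import hmac
import os
import unicodedata
from typing import Optional, Tuple

# Parameters assumed to match GeoServer's digest encoder (Jasypt StrongPasswordEncryptor).
PREFIX = "digest1:"
ITERATIONS = 100_000
SALT_BYTES = 16
HASH_BYTES = 32  # SHA-256 output size


def jasypt_digest(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted, iterated SHA-256 in the order assumed for Jasypt's StandardByteDigester:
    round 1 hashes salt || password (NFC-normalised UTF-8); every further round hashes
    only the previous digest, so the salt is not re-injected per round."""
    message = unicodedata.normalize("NFC", password).encode("utf-8")
    digest = hashlib.sha256(salt + message).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha256(digest).digest()
    return digest


def geoserver_encode(password: str, salt: Optional[bytes] = None) -> str:
    """Return the value GeoServer stores: 'digest1:' + base64(salt || digest)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    if len(salt) != SALT_BYTES:
        raise ValueError("salt must be exactly %d bytes" % SALT_BYTES)
    return PREFIX + base64.b64encode(salt + jasypt_digest(password, salt)).decode("ascii")


def decode_stored(stored: str) -> Optional[Tuple[bytes, bytes]]:
    """Split a stored value into (salt, digest); None if it is not a well-formed
    digest1 value (another GeoServer prefix, invalid base64, wrong length)."""
    if not stored.startswith(PREFIX):
        return None
    try:
        raw = base64.b64decode(stored[len(PREFIX):], validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) != SALT_BYTES + HASH_BYTES:
        return None
    return raw[:SALT_BYTES], raw[SALT_BYTES:]


def geoserver_verify(password: str, stored: str) -> bool:
    """Constant-time comparison; a malformed row yields False rather than an
    exception, so a corrupt entry in the shared table cannot crash the login path."""
    parts = decode_stored(stored)
    if parts is None:
        return False
    salt, expected = parts
    return hmac.compare_digest(jasypt_digest(password, salt), expected)


class GeoServerDigestHasher:
    """Hypothetical Django hasher. In a real project it would subclass
    django.contrib.auth.hashers.BasePasswordHasher and be listed first in
    PASSWORD_HASHERS; the method names below are the ones Django calls."""

    algorithm = "geoserver_digest"

    def salt(self) -> bytes:
        # Django's default salt() returns text; GeoServer expects 16 raw random bytes.
        return os.urandom(SALT_BYTES)

    def encode(self, password: str, salt: bytes) -> str:
        # Django's identify_hasher() dispatches on the text before the first '$',
        # so keep "<algorithm>$" on the Django side and let the updatable view
        # that proxies the table to GeoServer strip it.
        return "%s$%s" % (self.algorithm, geoserver_encode(password, salt))

    def verify(self, password: str, encoded: str) -> bool:
        algorithm, _, stored = encoded.partition("$")
        return algorithm == self.algorithm and geoserver_verify(password, stored)

    def must_update(self, encoded: str) -> bool:
        # Anything not already in this format (e.g. a leftover plain-text test value)
        # is re-hashed by Django on the user's next successful login.
        return not encoded.startswith(self.algorithm + "$" + PREFIX)

    def safe_summary(self, encoded: str) -> dict:
        stored = encoded.partition("$")[2]
        return {"algorithm": self.algorithm, "iterations": ITERATIONS,
                "hash": stored[len(PREFIX):len(PREFIX) + 8] + "..."}


if __name__ == "__main__":
    hasher = GeoServerDigestHasher()
    encoded = hasher.encode("correct horse battery staple", hasher.salt())
    print(encoded)
    print(hasher.verify("correct horse battery staple", encoded))
    print(hasher.verify("wrong password", encoded))
```

The Django column keeps the `geoserver_digest$` prefix because Django's `identify_hasher` dispatches on the text before the first `$`; the updatable view from step 3 is the place to strip it (and to add it back on writes from GeoServer), so each side sees the format it expects. Because `must_update` flags any row not in this format, the plain-text test passwords mentioned in the thread are replaced automatically after a successful login, but they should still never reach a production table in the first place.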
