[mapserver-dev] Enable/disable OWS layers by IP list

Daniel Morissette dmorissette at mapgears.com
Wed Feb 13 09:12:03 PST 2013


Thank you Steve for suggesting the support of subnet masks 
(a.b.c.d/mask), I was going to suggest the same thing.

I also would like to suggest supporting both a list of addresses from a 
file, or the ability to provide the values directly in the mapfile. In 
cases where there are only a couple of IPs to list, being able to 
specify them directly in the mapfile would be much more user-friendly.

e.g.

space-delimited list of addresses:

   "ows_allowed_ip_list" "123.45.67.89 11.22.33.44"

or ref to a file:

   "ows_allowed_ip_list" "file:/path/to/list_of_ips.txt"


I think that long term we'll want more powerful access control 
mechanisms, we have discussed this several times here, but that is a 
much bigger issue to tackle and I think the proposed mechanism can 
easily be deprecated without important side-effects the day that we 
would have something more powerful in place.

And finally, even if that is a simple and straightforward addition, I 
think that a short RFC to document it would be nice and I'd encourage 
you to produce one. RFCs are often the only reference for some features 
until they make it to the docs... there are even some features from a 
few releases ago for which the RFC is still the only/best docs available 
(unfortunately).


Daniel


On 13-02-13 10:18 AM, Tamas Szekeres wrote:
> Hi Steve,
>
> Thanks for the comments, using CIDR notation
> <http://en.wikipedia.org/wiki/CIDR_notation> to define ranges would be
> reasonable. This would allow defining subnets in a single row. I think
> it would work with both IPv4 and IPv6 addresses.
>
> Best regards,
>
> Tamas
>
>
>
> 2013/2/13 Stephen Woodbridge <woodbri at swoodbridge.com>:
>  > On 2/13/2013 8:45 AM, Tamas Szekeres wrote:
>  >>
>  >> Hi Devs,
>  >>
>  >> I got a requirement from Faunalia (http://www.faunalia.it) to
>  >> establish an option to Enable/disable OWS layers by IP list.
>  >> We need to add two new parameters to the WEB section of the mapfile,
>  >> and/or in the METADATA section of every single layer:
>  >>
>  >> 1. "ows_allowed_ip_list"
>  >> 2. "ows_denied_ip_list"
>  >>
>  >> Both should point to a file with a list of IP addresses.
>  >
>  >
>  > If you are pointing to a file then these should be
>  >
>  > ows_allowed_ip_file
>  > ows_denied_ip_file
>  >
>  > to avoid confusion. Using "list" implies that an item target should be
>  > a list of ip addrs and not a file.
>  >
>  > These should not allow parameter substitution as that would be a simple
>  > defeat of the mechanism.
>  >
>  > Do you plan to support address ranges like:
>  >
>  > 192.168.1.1-192.168.1.10
>  > 192.168.1.0/24
>  >
>  > Otherwise looks fine.
>  >
>  > -Steve W
>  >
>  >> The aim is to let the admin define a list of users, identified
>  >> through their IPs, to
>  >> allow or deny access to one or more specific WMS or WFS layers.
>  >>
>  >> I've prepared an implementation to this requirement which appears to
>  >> be a fairly simple addition to the code:
>  >>
>  >>
>  >> https://github.com/szekerest/mapserver/commit/4b7c203a1782cd56d01c34e1079a184c04e51207
>  >>
>  >> In my approach, if both the allowed list and the denied list contain
>  >> the current endpoint IP then the denied list will take precedence.
>  >> If allowed_ip_list or ows_denied_ip_list is not specified or the
>  >> specified files are not readable then the current behaviour will
>  >> continue to work.
>  >>
>  >> Issue has also been added for this addition:
>  >> https://github.com/mapserver/mapserver/issues/4588
>  >>
>  >>
>  >> Let me know about your opinion whether this change is reasonable.
>  >> Would that require an RFC to be added?
>  >>
>  >> Deadline of this addition is close, so I'd prefer to include this as
>  >> soon as possible.
>  >>
>  >>
>  >> Best regards,
>  >>
>  >> Tamas
>  >> _______________________________________________
>  >> mapserver-dev mailing list
>  >> mapserver-dev at lists.osgeo.org
>  >> http://lists.osgeo.org/mailman/listinfo/mapserver-dev


-- 
Daniel Morissette
http://www.mapgears.com/
Provider of Professional MapServer Support since 2000
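
Added example (not part of the original thread and not the code from the linked commit): a C version of the check discussed above, taking space-delimited lists of single addresses or CIDR entries, IPv4 or IPv6, with the denied list taking precedence over the allowed list. The function names are hypothetical, and the lists are assumed to be already loaded as strings, with NULL meaning the parameter is not specified.

```c
#include <arpa/inet.h>
#include <stdlib.h>
#include <string.h>

/* 1 if addr is inside entry: "a.b.c.d", "a.b.c.d/len", or the IPv6 forms. */
static int entry_matches(const char *entry, size_t len, const char *addr)
{
    char buf[64], *slash, *end;
    unsigned char net[16], ip[16];
    int family, bits, i;

    if (len == 0 || len >= sizeof buf) return 0;
    memcpy(buf, entry, len);
    buf[len] = '\0';
    if ((slash = strchr(buf, '/')) != NULL) *slash++ = '\0';
    family = strchr(buf, ':') ? AF_INET6 : AF_INET;
    bits = (family == AF_INET6) ? 128 : 32;
    /* A malformed entry or an address-family mismatch matches nothing. */
    if (inet_pton(family, buf, net) != 1 || inet_pton(family, addr, ip) != 1) return 0;
    if (slash) {
        long v = strtol(slash, &end, 10);
        if (end == slash || *end != '\0' || v < 0 || v > bits) return 0;
        bits = (int)v;
    }
    for (i = 0; i < bits / 8; i++)          /* whole bytes of the prefix */
        if (net[i] != ip[i]) return 0;
    return bits % 8 == 0 || ((net[i] ^ ip[i]) >> (8 - bits % 8)) == 0;
}

/* 1 if addr matches any entry of a whitespace-delimited list. */
static int list_matches(const char *list, const char *addr)
{
    while (*list) {
        size_t n;
        list += strspn(list, " \t\r\n");
        n = strcspn(list, " \t\r\n");
        if (entry_matches(list, n, addr)) return 1;
        list += n;
    }
    return 0;
}

/* Deny takes precedence; an unspecified (NULL) list imposes no restriction. */
int ows_ip_permitted(const char *allowed, const char *denied, const char *addr)
{
    if (denied && list_matches(denied, addr)) return 0;
    return allowed ? list_matches(allowed, addr) : 1;
}
```

An entry that fails to parse matches nothing here, so a typo in the denied list lets the address through; validating the lists when they are loaded catches that.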


