[mapserver-dev] Enable/disable OWS layers by IP list

Lime, Steve D (MNIT) Steve.Lime at state.mn.us
Wed Feb 13 19:48:35 PST 2013 

I think this needs an RFC... This isn't a trivial addition. For example, this mechanism needs to 
apply to stock CGI operations (mode=...) as well or someone could simply work around the OWS 
interfaces using their CGI equivalent.

Which gets me thinking about being able to limit those via a mapfile or shut that functionality
off altogether.

Steve

________________________________________
From: mapserver-dev-bounces at lists.osgeo.org [mapserver-dev-bounces at lists.osgeo.org] on behalf of Daniel Morissette [dmorissette at mapgears.com]
Sent: Wednesday, February 13, 2013 11:12 AM
To: mapserver-dev at lists.osgeo.org
Subject: Re: [mapserver-dev] Enable/disable OWS layers by IP list

Thank you Steve for suggesting the support of subnet masks
(a.b.c.d/mask), I was going to suggest the same thing.

I also would like to suggest supporting both a list of addresses from a
file, or the ability to provide the values directly in the mapfile. In
cases where there are only a couple of IPs to list, being able to
specify them directly in the mapfile would be much more user-friendly.

e.g.

space-delimited list of addresses:

   "ows_allowed_ip_list" "123.45.67.89 11.22.33.44"

or ref to a file:

   "ows_allowed_ip_list" "file:/path/to/list_of_ips.txt"


I think that long term we'll want more powerful access control
mechanisms, we have discussed this several times here, but that is a
much bigger issue to tackle and I think the proposed mechanism can
easily be deprecated without important side-effects the day that we
would have something more powerful in place.

And finally, even if that is a simple and straightforward addition, I
think that a short RFC to document it would be nice and I'd encourage
you to produce one. RFCs are often the only reference for some features
until they make it to the docs... there are even some features from a
few releases ago for which the RFC is still the only/best docs available
(unfortunately).


Daniel


On 13-02-13 10:18 AM, Tamas Szekeres wrote:
> Hi Steve,
>
> Thanks for the comments, using CIDR notation
> <http://en.wikipedia.org/wiki/CIDR_notation> to define ranges would be
> reasonable. This would allow to define subnets in a single row. I think
> it would work with both ipv4 and ipv6 addresses.
>
> Best regards,
>
> Tamas
>
>
>
> 2013/2/13 Stephen Woodbridge <woodbri at swoodbridge.com
> <mailto:woodbri at swoodbridge.com>>:
>  > On 2/13/2013 8:45 AM, Tamas Szekeres wrote:
>  >>
>  >> Hi Devs,
>  >>
>  >> I got a requirement from Faunalia (http://www.faunalia.it) to
>  >> establish option to Enable/disable OWS layers by IP list.
>  >> We need to add two new parameters to the WEB section of the mapfile,
>  >> and/or in the METADATA section of every single layer:
>  >>
>  >> 1. "ows_allowed_ip_list"
>  >> 2. "ows_denied_ip_list"
>  >>
>  >> Both should point to a file with a list of IP addresses.
>  >
>  >
>  > If you are pointing to a file then these should be
>  >
>  > ows_allowed_ip_file
>  > ows_denied_ip_file
>  >
>  > to avoid confusion. Using "list" implies that a item target should be
> a list
>  > of ip addrs and not a file.
>  >
>  > These should not allow parameter substitution as that would be a simple
>  > defeat of the mechanism.
>  >
>  > Do you plan to support address ranges like:
>  >
>  > 192.168.1.1-192.168.1.10
>  > 192.168.1.0/24 <http://192.168.1.0/24>
>  >
>  > Otherwise looks fine.
>  >
>  > -Steve W
>  >
>  >> The aim is to let the admin to define list of users, identified
>  >> through their IPs to
>  >> allow or deny access to one or more specific WMS or WFS layers.
>  >>
>  >> I've prepared an implementation to this requirement which appears to
>  >> be a fairly simple addition to the code:
>  >>
>  >>
> https://github.com/szekerest/mapserver/commit/4b7c203a1782cd56d01c34e1079a184c04e51207
>  >>
>  >> In my approach if both the allowed list and the denied list contains
>  >> the current endpoint IP then the denied list will take precedence.
>  >> If allowed_ip_list or ows_denied_ip_list is not specified or the
>  >> specified files are not readable then the current behaviour will
>  >> continue to work.
>  >>
>  >> Issue has also been added for this addition:
>  >> https://github.com/mapserver/mapserver/issues/4588
>  >>
>  >>
>  >> Let me know about your opinion whether this change is reasonable.
>  >> Would that require an RFC to be added?
>  >>
>  >> Deadline of this addition is close, so I'd prefer to include this as
>  >> soon as possible.
>  >>
>  >>
>  >> Best regards,
>  >>
>  >> Tamas
>  >> _______________________________________________
>  >> mapserver-dev mailing list
>  >> mapserver-dev at lists.osgeo.org <mailto:mapserver-dev at lists.osgeo.org>
>  >> http://lists.osgeo.org/mailman/listinfo/mapserver-dev
>  >>
>  >
>  > _______________________________________________
>  > mapserver-dev mailing list
>  > mapserver-dev at lists.osgeo.org <mailto:mapserver-dev at lists.osgeo.org>
>  > http://lists.osgeo.org/mailman/listinfo/mapserver-dev
>
>
>
> _______________________________________________
> mapserver-dev mailing list
> mapserver-dev at lists.osgeo.org
> http://lists.osgeo.org/mailman/listinfo/mapserver-dev
>


--
Daniel Morissette
http://www.mapgears.com/
Provider of Professional MapServer Support since 2000

_______________________________________________
mapserver-dev mailing list
mapserver-dev at lists.osgeo.org
http://lists.osgeo.org/mailman/listinfo/mapserver-dev

More information about the mapserver-dev mailing list