[Qgis-developer] QEP and PR for new Authentication Configuration System

Larry Shaffer larrys at dakotacarto.com
Tue Jan 20 20:08:09 PST 2015


Hi Régis,

On Mon, Jan 19, 2015 at 1:36 PM, Régis Haubourg <
regis.haubourg at eau-adour-garonne.fr> wrote:

> Hi Larry, very interesting QEP!
>
> I'm not an expert in authentication systems at all. Here, I would love to
> have QGIS be able to auto identify itself using Windows session user
> information.


Can you expound upon how this info is accessed, what exactly is used, and
how it would be used? Then, an authentication config and provider can
possibly be crafted.


> That's what we do with internal webapps with Firefox.  Please
> also consider use cases for system administrators who configure all QGIS
> profiles. How can we achieve that without having users take care of master
> keywords?
>

If you are configuring QGIS prior to users using the app, then all the auth
configs and assigning them to server connections can be automated with
pre-population scripts utilizing either a standard initial master password
or a randomly generated one for each user. Then, the user must 'reset'
(change) the auth database with a new password, which duplicates the auth
database and re-encrypts all configs with the new password (optionally
backing up the current db).

If the auth configs are to be added to an existing user's setup (one that
already has a master password and configs in ~/.qgis2/qgis-auth.db), then
the user must input their password during the process, or the admin needs
to know it, so a pre-population script can utilize it.

I have already crafted two pre-population scripts, one with user
interaction and one without, and have started on a script that exports
client SSL certs/keys out of Firefox and sets up auth configs in QGIS
(though QGIS doesn't have a certificate manager yet, so they are certs/key
files on disk). I will ask my employer about releasing these scripts.

Basically, the master password does cause difficulties with regard to
automating rollouts of profiles, etc. However, without it, there is really
no other form (that I could figure out) of protecting the auth configs'
sensitive data, given how completely open and accessible Qt, PyQGIS and the
available source code make everything.

The auth system is in its infancy though, so any opinions, improvements or
sharing of rollout strategies are greatly appreciated.

Regards,

Larry Shaffer
Dakota Cartography
Black Hills, South Dakota


> Cheers
> Régis
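
The rollout described in this message (an admin pre-populates configs under an initial master password, the user then resets it and every config is re-encrypted, with an optional backup), sketched as an added example that is not part of the original post and is not QGIS code. The table layout, the function names and the HMAC-based stand-in cipher are assumptions for illustration; the actual qgis-auth.db format is not shown on this page.

```python
import hashlib, hmac, os, shutil, sqlite3

def _keys(password, salt):
    # Stretch the master password into an encryption key and a MAC key.
    k = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=64)
    return k[:32], k[32:]

def _stream(key, nonce, n):
    # Stand-in keystream (HMAC-SHA256 in counter mode); use a vetted AEAD in real code.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(password, plaintext):
    salt, nonce = os.urandom(16), os.urandom(16)
    ek, mk = _keys(password, salt)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(ek, nonce, len(plaintext))))
    body = salt + nonce + ct
    return body + hmac.new(mk, body, hashlib.sha256).digest()

def unseal(password, blob):
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    ek, mk = _keys(password, salt)
    if not hmac.compare_digest(tag, hmac.new(mk, blob[:-32], hashlib.sha256).digest()):
        raise ValueError("wrong master password or corrupted config")
    return bytes(a ^ b for a, b in zip(ct, _stream(ek, nonce, len(ct))))

def prepopulate(db_path, initial_pw, configs):
    # Admin step: seal each config (id -> secret bytes) under the initial password.
    rows = [(cid, seal(initial_pw, secret)) for cid, secret in configs.items()]
    con = sqlite3.connect(db_path)
    with con:
        con.execute("CREATE TABLE configs (id TEXT PRIMARY KEY, sealed BLOB)")
        con.executemany("INSERT INTO configs VALUES (?, ?)", rows)
    con.close()

def rekey(db_path, old_pw, new_pw, backup=True):
    # User step: re-encrypt every config; a wrong old_pw raises before any config changes.
    if backup:
        shutil.copy2(db_path, db_path + ".bak")
    con = sqlite3.connect(db_path)
    try:
        rows = con.execute("SELECT id, sealed FROM configs").fetchall()
        fresh = [(seal(new_pw, unseal(old_pw, blob)), cid) for cid, blob in rows]
        with con:  # single transaction: all rows change or none do
            con.executemany("UPDATE configs SET sealed=? WHERE id=?", fresh)
        return len(rows)
    finally:
        con.close()
```

The `.bak` copy stays readable with the old password, so an initial password shared across users should be treated as exposed until those backups are removed.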