[Qgis-developer] New authentication system ready

Larry Shaffer larrys at dakotacarto.com
Sat Sep 26 11:04:49 PDT 2015


Hi Tim,

On Sat, Sep 26, 2015 at 2:33 AM, Tim Sutton <tim at kartoza.com> wrote:

> Hi Larry
>
>
> Great to see this new feature make its way into QGIS. One thing I am
> curious about is what happens when we want to publish a project in QGIS
> server. What is the standard workflow for that or similar situations (e.g.
> shared project stored on a network drive)?
>

For shared project scenarios, including the network drive setup, you can
edit the authentication configuration ID to something that is shared across
users. (Thanks to Nyall for pointing out that this, and the Handle Bad
Layers dialog, needed solved before feature freeze. [0])

Since the authcfg ID is embedded in the project file, each user just needs
to make an auth config that has their specific credentials for that
resource, then edit the ID (upon creation or config or after) to the same
ID in the project file. Then, when the resource loads, the same
configuration will be queried on everyone's QGIS, just with their
respective credentials for the authentication method used.

With the very last feature I added, for the Handle Bad Layers dialog, users
can Add/Edit/Remove auth configs within the dialog and have the data source
URI updated to match. So, in the scenario of a shared project, the user
could immediately add an appropriate new auth config (and see exactly what
shared authcfg ID should be used) upon project loading.

Also, see the discussion in the PR about other sharing scenarios, and how
the unimplemented Resource URL could help here [1].

Regarding the QGIS Server launch, I think a good fix would be to add
support for passing the master password as an environment variable to a
password file, like is done with Postgres and other setups. For example, an
env var like QGIS_AUTH_PASSWORD_PATH could be set to a filepath. In
QgsAuthManager::instance()->init() the variable could be read, password
loaded, then the variable unset in the env. This would also make a great
way to allow using Desktop without having to enter your master password
every session.

Similarly, the master password could be in an OS's keychain or keyring and
be auto-input in the background on launch if that user's OS key cache is
unlocked. See Matthias's suggestion for that [2].

Currently, the master password auto-set can be set via Python, or by way of
a custom C++ plugin, on launch setups using a call to
QgsAuthManager::instance()->setMasterPassword( "mypassword", true ).
However, I think many of the Python bindings should be blocked for the
initial release. So, setting an env variable to a password file path seems
like a good start, especially for QGIS Server.

Note: for Server, you can also use QGIS_AUTH_DB_DIR_PATH to set the path to
a qgis-auth.db dir on the server.

[0] https://github.com/qgis/QGIS/pull/2330#issuecomment-142252072
[1] https://github.com/qgis/QGIS/pull/2330#issuecomment-142673812
[2] https://github.com/qgis/QGIS/pull/1838#issuecomment-70845116
[3] https://github.com/qgis/QGIS/blob/master/src/core/auth/qgsauthmanager.h#L105-L110

Regards,

Larry Shaffer
Dakota Cartography
Black Hills, South Dakota


> Regards
>
> Tim
>
> On 25 Sep 2015, at 14:59, Larry Shaffer <larrys at dakotacarto.com> wrote:
>
> Hi devs,
>
> As you can see in the PR [0], I've fixed up some things, including adding
> the ability to edit an authentication ID, which will help with workflows
> where users need to share projects. I've also cleaned up the interface and
> moved most PKI-related dialogs out of the main Options view.
>
> I am working on another widget that can be used for the Handle Bad Layers
> and the Layers Properties dialogs. That should work for most issues
> occurring when sharing projects and when users open projects with missing
> authentication IDs. I've also added feedback in the selector widget when it
> tries to load a config ID that is missing.
>
> I should have those bits done today, then it's mostly work on finishing
> the unit test migration to C++.
>
> **However, I would like to merge this now, since it is in a very good
> state for doing so. Does anyone have objections with me merging this?**
>
>
> [0] https://github.com/qgis/QGIS/pull/2330
>
> Regards,
>
> Larry Shaffer
> Dakota Cartography
> Black Hills, South Dakota
>
>
> On Wed, Sep 23, 2015 at 4:38 AM, Luca Manganelli <luca76 at gmail.com> wrote:
>
>> On Tue, Sep 22, 2015 at 10:02 PM, Régis Haubourg
>> <regis.haubourg at eau-adour-garonne.fr> wrote:
>> > Wooooh. that's huge work Larry. Will need quite some time to inspect
>> all that
>> > and give some feedback. Any way , bravo!
>> > Régis
>>
>> +1. The documentation is a MASSIVE job. Compliments!
>> _______________________________________________
>> Qgis-developer mailing list
>> Qgis-developer at lists.osgeo.org
>> http://lists.osgeo.org/mailman/listinfo/qgis-developer
>>
>
> Tim Sutton
>
> Visit http://kartoza.com to find out about open source:
>
> * Desktop GIS programming services
> * Geospatial web development
> * GIS Training
> * Consulting Services
>
> Skype: timlinux Irc: timlinux on #qgis at freenode.net
> Tim is a member of the QGIS Project Steering Committee
>
> Kartoza is a merger between Linfiniti and Afrispatial
>
>
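
An added sketch of the password-file idea proposed in the message above (not code from QGIS or from the author): it reads the path from QGIS_AUTH_PASSWORD_PATH, unsets the variable, and accepts the file only if it is a regular, owner-only file. The helper name `loadMasterPasswordFromEnv` and the permission and ownership checks are assumptions, modeled on the rule PostgreSQL applies to its password file.

```cpp
// Added sketch, not QGIS source: loadMasterPasswordFromEnv() is hypothetical.
#include <cstdlib>
#include <cstring>
#include <string>
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

// Variable name as proposed in the message; it holds a path, never the secret.
static const char *const kPasswordPathVar = "QGIS_AUTH_PASSWORD_PATH";

// Fills `password` and returns true only if the file is safe to trust.
// The variable is removed from the environment in every case, so child
// processes started later do not inherit the path.
bool loadMasterPasswordFromEnv( std::string &password )
{
  password.clear();
  const char *raw = std::getenv( kPasswordPathVar );
  if ( !raw )
    return false;
  const std::string path( raw ); // copy first: unsetenv invalidates `raw`
  unsetenv( kPasswordPathVar );

  // O_NOFOLLOW refuses a symlink; fstat on the open descriptor avoids a
  // check-then-open race on the path.
  const int fd = open( path.c_str(), O_RDONLY | O_NOFOLLOW | O_CLOEXEC );
  if ( fd < 0 )
    return false;
  struct stat st;
  // Same rule PostgreSQL applies to its password file: a regular file with
  // no group/other permission bits; here it must also be owned by us.
  const bool safe = fstat( fd, &st ) == 0 && S_ISREG( st.st_mode )
                    && ( st.st_mode & ( S_IRWXG | S_IRWXO ) ) == 0
                    && st.st_uid == geteuid();
  char buf[512];
  const ssize_t n = safe ? read( fd, buf, sizeof buf ) : -1;
  close( fd );
  if ( n <= 0 )
    return false;
  password.assign( buf, static_cast<size_t>( n ) );
  std::memset( buf, 0, sizeof buf ); // best effort; a compiler may elide this
  password = password.substr( 0, password.find_first_of( "\r\n" ) );
  return !password.empty();
}
```

On success the caller would hand the string to the existing `setMasterPassword()` call mentioned in the message; a file readable by group or others is rejected rather than silently used.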