[Qgis-developer] Authentification use from Python

Larry Shaffer larrys at dakotacarto.com
Tue Jan 12 14:36:42 PST 2016


Hi Bernhard,

Please note that the Python support for direct access to the credentials
via the auth method config *may* be completely removed for security
reasons.

Ideally, the expansion of credentials within a given auth method config
would only be done within the core application and connection methods
(HTTP, etc.) would be offered through a Python API. In this way an authcfg
token can be passed in and the connection established without access to
credentials.

However, such support and an API are not currently available. It is simple
enough to add to QgsNetworkAccessManager for HTTP[S] connections, but not
so simple for other types of connections, e.g. database via a library or
client. Once completed this means a plugin would not be able to access the
credentials and pass them on to a different connection method, e.g. Python
HTTP lib, etc.

Once such an API is available (or even now, with some work), plugins could
be 'authorized' by the user for access to credentials using revocable
access tokens or signed/revokable certificates.

Until then, the continued Python access to the auth system credentials
means security is not good for the user. It should be considered for
deprecation or just complete removal in 2.14 release.

Regards,

Larry Shaffer
Dakota Cartography
Black Hills, South Dakota

QGIS Support/Development | Boundless
lshaffer at boundlessgeo.com

On Tue, Jan 12, 2016 at 8:14 AM, Bernhard Ströbl <bernhard.stroebl at jena.de>
wrote:

> Hi Luigi,
>
> many thanks! That was the key.
>
> I now have
> <code>
> am = QgsAuthManager.instance()
> myAuthMethodConfig = QgsAuthMethodConfig()
> am.loadAuthenticationConfig(mykey,myAuthMethodConfig,True)
> myAuthMethodConfig.configMap()
> </code>
>
> Bernhard
>
>
> Am 12.01.2016 um 15:58 schrieb Luigi Pirelli:
>
>> Hi Bernhard
>>
>> be inspired by Boundless qgis-geoserver-plugin
>>
>>
>> https://github.com/boundlessgeo/qgis-geoserver-plugin/blob/master/src/geoserverexplorer/gui/gsexploreritems.py#L502
>>
>> I hope it's enough
>>
>> cheers
>> Luigi Pirelli
>>
>>
>> **************************************************************************************************
>> * Boundless QGIS Support/Development: lpirelli AT boundlessgeo DOT com
>> * LinkedIn: https://www.linkedin.com/in/luigipirelli
>> * Stackexchange: http://gis.stackexchange.com/users/19667/luigi-pirelli
>> * GitHub: https://github.com/luipir
>> * Mastering QGIS:
>> https://www.packtpub.com/application-development/mastering-qgis
>>
>> **************************************************************************************************
>>
>>
>> On 12 January 2016 at 12:47, Bernhard Ströbl <bernhard.stroebl at jena.de>
>> wrote:
>>
>>> Hi all,
>>>
>>> my goal is that my users do not save their PostgreSQL passwords in clear
>>> text but that they use the new Authentification system to do so. For my
>>> plugins I would need access to the PostgreSQL username and password,
>>> though.
>>> Is this generally possible in spite of security considerations as
>>> mentioned
>>> in the QGEP? If yes, how would I do it?
>>>
>>> what I have so far is:
>>> <code>
>>> am = QgsAuthManager.instance()
>>> myAuthMethodConfig = am.availableAuthMethodConfigs()[mykey]
>>> myAuthMethodConfig.configMap() # returns an empty dict :-(
>>> </code>
>>>
>>> QGIS 2.12.2
>>>
>>> any help appreciated
>>>
>>> regards
>>>
>>> Bernhard
>>>
>>> [1]
>>>
>>> https://github.com/dakcarto/QGIS-Enhancement-Proposals/blob/auth-system/qep-14-authentication-system.rst
>>>
>>>
>>> __________ Information from ESET Mail Security, version of virus
>>> signature
>>> database 12855 (20160112) __________
>>>
>>> The message was checked by ESET Mail Security.
>>> http://www.eset.com
>>>
>>>
>>> _______________________________________________
>>> Qgis-developer mailing list
>>> Qgis-developer at lists.osgeo.org
>>> List info: http://lists.osgeo.org/mailman/listinfo/qgis-developer
>>> Unsubscribe: http://lists.osgeo.org/mailman/listinfo/qgis-developer
>>>
>>
>>
>> __________ Information from ESET Mail Security, version of virus
>> signature database 12856 (20160112) __________
>>
>> The message was checked by ESET Mail Security.
>> http://www.eset.com
>>
>>
>>
> --
> Bernhard Ströbl
> Anwendungsbetreuer GIS
>
> Kommunale Immobilien Jena
> Am Anger 26
> 07743 Jena
>
> Tel.: 03641 49- 5190
> E-Mail: bernhard.stroebl at jena.de
> Internet: www.kij.de
>
>
> Kommunale Immobilien Jena
> Eigenbetrieb der Stadt Jena
> Werkleiter: Karl-Hermann Kliewe
>
>
> __________ Information from ESET Mail Security, version of virus signature
> database 12856 (20160112) __________
>
>
> The message was checked by ESET Mail Security.
> http://www.eset.com
>
>
> _______________________________________________
> Qgis-developer mailing list
> Qgis-developer at lists.osgeo.org
> List info: http://lists.osgeo.org/mailman/listinfo/qgis-developer
> Unsubscribe: http://lists.osgeo.org/mailman/listinfo/qgis-developer
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.osgeo.org/pipermail/qgis-developer/attachments/20160112/00574ef8/attachment.html>


More information about the Qgis-developer mailing list