[Qgis-developer] Authentification use from Python

Bernhard Ströbl bernhard.stroebl at jena.de
Tue Jan 12 23:44:45 PST 2016 

Hi Larry,

thanks for pointing these things out, however I am not sure how to continue.

My situation is as follows: I have some 100 users that connect to our 
central PostgreSQL DB. Most of them have a personal DB account granting 
them write access to certain tables. Keeping their password in a secure 
place is essential and I thus adviced them to not store it with QGIS nor 
to share projects that contain layers loaded with their personal 
account. The Authentication system seems to solve both problems.

However I have about 30 plugins for inhouse use that ease data access. 
Some of these plugins directly query the database for reporting. 
Furthermore I provide the plugin DataDrivenInputMask, that directly 
queries the DB, too. I use QtSql for that.

Security reasons in respect to PostgreSQL connections: Any Python plugin 
can currently access stored credentials either in QtSettings or in any 
loaded PostGIS layer, so accessing them through the authentication 
system is neither better nor worse from a user's perspective (IMHO) 
compared to the current (10+ years old) situation. Not providing access 
will increaese security, of course. So until the mentioned api is in 
place I would opt for only deprecating the direct access, maybe have the 
user allow access for the plugin (only once and store his answer in the 
auth-DB).

If direct access to PostgreSQL credentials cannot be granted it would be 
good if the future api could return a QtSqlDatabase object (which, of 
course, contains the credentials accessible through 
QtSqlDatabase.userName() and QtSqlDatabase.password() methods).

best regards

Bernhard

Am 12.01.2016 um 23:36 schrieb Larry Shaffer:
> Hi Bernhard,
>
> Please note that the Python support for direct access to the credentials
> via the auth method config *may* be completely removed for security
> reasons.
>
> Ideally, the expansion of credentials within a given auth method config
> would only be done within the core application and connection methods
> (HTTP, etc.) would be offered through a Python API. In this way an
> authcfg token can be passed in and the connection established without
> access to credentials.
>
> However, such support and an API are not currently available. It is
> simple enough to add to QgsNetworkAccessManager for HTTP[S] connections,
> but not so simple for other types of connections, e.g. database via a
> library or client. Once completed this means a plugin would not be able
> to access the credentials and pass them on to a different connection
> method, e.g. Python HTTP lib, etc.
>
> Once such an API is available (or even now, with some work), plugins
> could be 'authorized' by the user for access to credentials using
> revocable access tokens or signed/revokable certificates.
>
> Until then, the continued Python access to the auth system credentials
> means security is not good for the user. It should be considered for
> deprecation or just complete removal in 2.14 release.
>
> Regards,
>
> Larry Shaffer
> Dakota Cartography
> Black Hills, South Dakota
>
> QGIS Support/Development | Boundless
> lshaffer at boundlessgeo.com <mailto:lshaffer at boundlessgeo.com>
>
> On Tue, Jan 12, 2016 at 8:14 AM, Bernhard Ströbl
> <bernhard.stroebl at jena.de <mailto:bernhard.stroebl at jena.de>> wrote:
>
>     Hi Luigi,
>
>     many thanks! That was the key.
>
>     I now have
>     <code>
>     am = QgsAuthManager.instance()
>     myAuthMethodConfig = QgsAuthMethodConfig()
>     am.loadAuthenticationConfig(mykey,myAuthMethodConfig,True)
>     myAuthMethodConfig.configMap()
>     </code>
>
>     Bernhard
>
>
>     Am 12.01.2016 um 15:58 schrieb Luigi Pirelli:
>
>         Hi Bernhard
>
>         be inspired by Boundless qgis-geoserver-plugin
>
>         https://github.com/boundlessgeo/qgis-geoserver-plugin/blob/master/src/geoserverexplorer/gui/gsexploreritems.py#L502
>
>         I hope it's enough
>
>         cheers
>         Luigi Pirelli
>
>         **************************************************************************************************
>         * Boundless QGIS Support/Development: lpirelli AT boundlessgeo
>         DOT com
>         * LinkedIn: https://www.linkedin.com/in/luigipirelli
>         * Stackexchange:
>         http://gis.stackexchange.com/users/19667/luigi-pirelli
>         * GitHub: https://github.com/luipir
>         * Mastering QGIS:
>         https://www.packtpub.com/application-development/mastering-qgis
>         **************************************************************************************************
>
>
>         On 12 January 2016 at 12:47, Bernhard Ströbl
>         <bernhard.stroebl at jena.de <mailto:bernhard.stroebl at jena.de>> wrote:
>
>             Hi all,
>
>             my goal is that my users do not save their PostgreSQL
>             passwords in clear
>             text but that they use the new Authentification system to do
>             so. For my
>             plugins I would need access to the PostgreSQL username and
>             password, though.
>             Is this generally possible in spite of security
>             considerations as mentioned
>             in the QGEP? If yes, how would I do it?
>
>             what I have so far is:
>             <code>
>             am = QgsAuthManager.instance()
>             myAuthMethodConfig = am.availableAuthMethodConfigs()[mykey]
>             myAuthMethodConfig.configMap() # returns an empty dict :-(
>             </code>
>
>             QGIS 2.12.2
>
>             any help appreciated
>
>             regards
>
>             Bernhard
>
>             [1]
>             https://github.com/dakcarto/QGIS-Enhancement-Proposals/blob/auth-system/qep-14-authentication-system.rst
>
>
>             __________ Information from ESET Mail Security, version of
>             virus signature
>             database 12855 (20160112) __________
>
>             The message was checked by ESET Mail Security.
>             http://www.eset.com
>
>
>             _______________________________________________
>             Qgis-developer mailing list
>             Qgis-developer at lists.osgeo.org
>             <mailto:Qgis-developer at lists.osgeo.org>
>             List info:
>             http://lists.osgeo.org/mailman/listinfo/qgis-developer
>             Unsubscribe:
>             http://lists.osgeo.org/mailman/listinfo/qgis-developer
>
>
>
>         __________ Information from ESET Mail Security, version of virus
>         signature database 12856 (20160112) __________
>
>         The message was checked by ESET Mail Security.
>         http://www.eset.com
>
>
>
>


__________ Information from ESET Mail Security, version of virus signature database 12860 (20160113) __________

The message was checked by ESET Mail Security.
http://www.eset.com

More information about the Qgis-developer mailing list