[QGIS-Developer] Using encrypted authentication credentials in QGIS Server

Larry Shaffer larrys at dakotacarto.com
Wed Jun 5 10:59:23 PDT 2019


Hi Tim,

On Mon, Jun 3, 2019 at 10:22 AM Tim Sutton <tim at kartoza.com> wrote:

> Hi All
>
> As explained by the subject line, I would like to reply a QGIS 3.x server
> based site where the project uses the QGIS authentication framework to
> store user names and password for the database connection in an encrypted
> manner.
>

See these env vars for setting up access to an authentication database from
within Server:
https://github.com/qgis/QGIS/blob/master/src/server/qgsserver.cpp#L234-L238

I have not tested this with recent QGIS versions, but maybe someone who has
worked with Server and the auth system may have (Alessandro?).

Most non-interactive auth method plugins should work, e.g. Basic, PKI, etc.
The OAuth2 auth plugin will not work if using a grant flow that requires
interaction; instead, use Resource Owner (the plugin doesn't support Client
Credentials grant flow).

Of course, this means the qgis-auth.db will need to be pre-populated using QGIS
Desktop prior to use by Server. You will probably want to create a new
profile, so that no other credentials are stored in the SQLite qgis-auth.db
file, or restart QGIS specifically to work on a specific qgis-auth.db file
(using option --authdbdirectory <dir>).


> I have used the authentication manager before on my desktop, but what do I
> need to do to set things up in a server environment?
>
> Also the list of supported services in
> ’Settings->Authentication->Installed Plugins’ does not currently include
> Oracle. Did anyone use the authentication manager against an Oracle
> database before?
>

I have investigated adding auth support to Oracle in the past, but did have
the chance to implement it. Generally, since it uses a
QgsDataSourceURI object for configurations, at least the Basic auth method
plugin's update function should be easy to adapt:
https://github.com/qgis/QGIS/blame/master/src/auth/basic/qgsauthbasicmethod.cpp#L87

This means probably adding a conditional branch based upon oracle provider,
similar to what was done for ogr/gdal:
https://github.com/qgis/QGIS/blame/master/src/auth/basic/qgsauthbasicmethod.cpp#L201-L202

Then, it is a matter of just integrating the auth updating during Oracle
connections (and its pool), and adding the auth widget into the Oracle
connection GUI. This would be similar to how Postgres provider was updated
to support the auth system.

Regards,

Larry Shaffer
Dakota Cartography
Black Hills, South Dakota


> Thanks!
>
> Regards
>
> Tim
>
> *Tim Sutton*
>
> *Co-founder:* Kartoza
> *Ex Project chair:* QGIS.org
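
Added example, not part of the original message and not QGIS code: a preflight check for the Server-side setup described in the reply above. It uses the two environment variables QGIS Server reads for the auth system, QGIS_AUTH_DB_DIR_PATH (directory holding qgis-auth.db) and QGIS_AUTH_PASSWORD_FILE (file holding the master password); the owner-only permission policy and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: preflight check before starting QGIS Server with an auth database.
# Assumed policy: auth files are private to the account that runs Server.

# True (0) when path $1 has no group/other permission bits set.
is_private() {
    [ -z "$(find "$1" -prune \( -perm -040 -o -perm -020 -o -perm -010 \
        -o -perm -004 -o -perm -002 -o -perm -001 \) -print)" ]
}

# Returns 0 if the environment is usable, 1 on a failed check, 2 if unset.
check_auth_env() {
    db_dir=${QGIS_AUTH_DB_DIR_PATH:-}
    pw_file=${QGIS_AUTH_PASSWORD_FILE:-}
    rc=0
    if [ -z "$db_dir" ] || [ -z "$pw_file" ]; then
        echo "set QGIS_AUTH_DB_DIR_PATH and QGIS_AUTH_PASSWORD_FILE" >&2
        return 2
    fi
    if [ ! -f "$db_dir/qgis-auth.db" ]; then
        echo "missing $db_dir/qgis-auth.db (create it with QGIS Desktop)" >&2
        rc=1
    elif ! is_private "$db_dir" || ! is_private "$db_dir/qgis-auth.db"; then
        echo "$db_dir or qgis-auth.db is accessible to group/other" >&2
        rc=1
    fi
    if [ ! -s "$pw_file" ]; then
        echo "master password file $pw_file is missing or empty" >&2
        rc=1
    elif ! is_private "$pw_file"; then
        echo "master password file $pw_file is accessible to group/other" >&2
        rc=1
    fi
    return "$rc"
}

# Typical use in a service wrapper (start command is deployment-specific):
#   check_auth_env || exit 1
```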