[QGIS-Developer] Using encrypted authentication credentials in QGIS Server

Tim Sutton tim at kartoza.com
Wed Jun 5 11:31:04 PDT 2019


Thanks so much for all the good info below Larry!

Tim Sutton 
Co-founder of Kartoza 
Ex-QGIS project chairman 

> On 5 Jun 2019, at 18:59, Larry Shaffer <larrys at dakotacarto.com> wrote:
> 
> Hi Tim,
> 
>> On Mon, Jun 3, 2019 at 10:22 AM Tim Sutton <tim at kartoza.com> wrote:
>> Hi All
>> 
>> As explained by the subject line, I would like to deploy a QGIS 3.x server based site where the project uses the QGIS authentication framework to store user names and password for the database connection in an encrypted manner.
> 
> See these env vars for setting up access to an authentication database from within Server:
> https://github.com/qgis/QGIS/blob/master/src/server/qgsserver.cpp#L234-L238
> 
> I have not tested this with recent QGIS versions, but maybe someone who has worked with Server and the auth system may have (Alessandro?).
> 
> Most non-interactive auth method plugins should work, e.g. Basic, PKI, etc. The OAuth2 auth plugin will not work if using a grant flow that requires interaction; instead, use Resource Owner (the plugin doesn't support Client Credentials grant flow).
> 
> Of course, this means the qgis-auth.db will need to be pre-populated using QGIS Desktop prior to use by Server. You will probably want to create a new profile, so that no other credentials are stored in the SQLite qgis-auth.db file, or restart QGIS specifically to work on a specific qgis-auth.db file (using option --authdbdirectory <dir>).
>  
>> I have used the authentication manager before on my desktop, but what do I need to do to set things up in a server environment?
>> 
>> Also the list of supported services in 'Settings->Authentication->Installed Plugins' does not currently include Oracle. Did anyone use the authentication manager against an Oracle database before?
> 
> I have investigated adding auth support to Oracle in the past, but did have the chance to implement it. Generally, since it uses a QgsDataSourceURI object for configurations, at least the Basic auth method plugin's update function should be easy to adapt:
> https://github.com/qgis/QGIS/blame/master/src/auth/basic/qgsauthbasicmethod.cpp#L87
> 
> This means probably adding a conditional branch based upon oracle provider, similar to what was done for ogr/gdal:
> https://github.com/qgis/QGIS/blame/master/src/auth/basic/qgsauthbasicmethod.cpp#L201-L202
> 
> Then, it is a matter of just integrating the auth updating during Oracle connections (and its pool), and adding the auth widget into the Oracle connection GUI. This would be similar to how Postgres provider was updated to support the auth system.
> 
> Regards,
> 
> Larry Shaffer
> Dakota Cartography
> Black Hills, South Dakota
>  
>> Thanks!
>> 
>> Regards
>> 
>> Tim
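
A preflight check for the Server setup discussed in this thread, added here as an example that is not part of the original messages or of QGIS itself. It assumes the environment variables behind the linked lines are `QGIS_AUTH_DB_DIR_PATH` (directory holding qgis-auth.db) and `QGIS_AUTH_PASSWORD_FILE` (file holding the master password); the function names are hypothetical.

```shell
#!/bin/sh
# Preflight check for the auth settings a QGIS Server process is started with.
# Assumed variable names (not spelled out in the thread):
#   QGIS_AUTH_DB_DIR_PATH    directory that holds qgis-auth.db
#   QGIS_AUTH_PASSWORD_FILE  file that holds the master password

# Print a file's permission bits in octal (GNU stat first, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeed only if the file has no group or other permission bits set.
owner_only() {
    case "$(file_mode "$1")" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Returns 0 when the setup looks sane; otherwise prints each problem to
# stderr and returns the number of problems found.
check_qgis_auth_env() {
    problems=0
    fail() { echo "auth preflight: $1" >&2; problems=$((problems + 1)); }

    db="${QGIS_AUTH_DB_DIR_PATH:-}/qgis-auth.db"
    pw="${QGIS_AUTH_PASSWORD_FILE:-}"

    if [ -z "${QGIS_AUTH_DB_DIR_PATH:-}" ]; then
        fail "QGIS_AUTH_DB_DIR_PATH is not set"
    elif [ ! -f "$db" ]; then
        fail "no qgis-auth.db in $QGIS_AUTH_DB_DIR_PATH"
    elif ! owner_only "$db"; then
        fail "$db is accessible to group/other"
    fi

    if [ -z "$pw" ]; then
        fail "QGIS_AUTH_PASSWORD_FILE is not set"
    elif [ ! -s "$pw" ]; then
        fail "password file $pw is missing or empty"
    elif ! owner_only "$pw"; then
        fail "$pw is accessible to group/other"
    fi

    return "$problems"
}
```

Source this from the service's start script and call `check_qgis_auth_env` before launching the server, so a world-readable master password file or credential database stops the start instead of going unnoticed.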