💡 [Feature] Protect GeoServer #333

Closed
fmigneault opened this issue Jun 1, 2023 · 0 comments · Fixed by #348
Labels: component/geoserver (Related to GeoServer or one of its underlying services), enhancement (New feature or request), project/DACCS (Related to DACCS project, https://github.com/orgs/DACCS-Climate), security (Issues or features related to security concerns)


@fmigneault
Collaborator

Description

Ensure GeoServer is accessed following Magpie/Twitcher authentication/authorization.

References

@fmigneault fmigneault added enhancement New feature or request security Issues or features related to security concerns project/DACCS Related to DACCS project (https://github.com/orgs/DACCS-Climate) component/geoserver Related to GeoServer or one of its underlying services labels Jun 1, 2023
@fmigneault fmigneault added this to To do in DACCS via automation Jun 1, 2023
DACCS automation moved this from To do to Done Nov 1, 2023
mishaschwartz added a commit that referenced this issue Nov 1, 2023
#348)

## Overview

Geoserver: protect web interface and ows routes behind magpie/twitcher
  
Updates Magpie version to
[3.35.0](https://github.com/Ouranosinc/Magpie/tree/3.35.0) in order to
take advantage of updated Geoserver Service.

The `geoserverwms` Magpie service is now deprecated. If a deployment is
currently using this service, it is highly recommended that the
permissions are transferred from the deprecated `geoserverwms` service
to the `geoserver` service.

The `/geoserver` endpoint is now protected by default. If a deployment
currently assumes open access to Geoserver and would like to keep the
same permissions after upgrading to this version, please update the
permissions for the `geoserver` service in Magpie to allow the
`anonymous` group access.

A `Magpie` service named `geoserver` with type `wfs` exists already and
must be manually deleted before the new `Magpie` service created here
can take effect.

The `optional-components/all-public-access` component provides full
access to the `geoserver` service for the `anonymous` group in Magpie.
Please note that this includes some permissions that will allow
anonymous users to perform destructive operations. Because of this,
please remember that enabling the
`optional-components/all-public-access` component is not recommended in
a production environment.

Introduces the `GEOSERVER_SKIP_AUTH` environment variable. If set to
`True`, then requests to the geoserver endpoint will not be authorized
through twitcher/magpie at all. This is not recommended at all. However,
it will slightly improve performance when accessing geoserver endpoints.

## Changes

**Non-breaking changes**

In order to provide public access to geoserver by default now, the
`all-public-access` optional component must be enabled.

**Breaking changes**

The current `wfs` Magpie service named `geoserver` must be deleted
before the change here can take effect.

## Related Issue / Discussion

- Resolves #333

## Additional Information
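
A static check for the two settings the commit message above warns about (`GEOSERVER_SKIP_AUTH` and `optional-components/all-public-access`), as an added example that is not part of the issue, the commit, or the project's own code. It assumes the deployment settings live in a shell-style env file; the `EXTRA_CONF_DIRS` variable in the constructed sample and the case-insensitive match on `True` are assumptions.

```shell
#!/bin/sh
# Added example: static audit of a deployment env file. The file is only read,
# never sourced, so auditing an untrusted config executes nothing from it.

# Print the last value assigned to variable $1 in file $2 (last assignment wins,
# as in shell). Skips commented lines; strips "export", quotes, trailing comments.
last_value() {
    sed -n "s/^[[:space:]]*\(export[[:space:]]\{1,\}\)\{0,1\}$1=//p" "$2" |
        tail -n 1 |
        sed -e 's/[[:space:]]*#.*$//' -e "s/^[\"']//" -e "s/[\"'][[:space:]]*\$//"
}

# Line-based heuristic: the component counts as enabled when its path appears
# on any line that does not start with '#'.
public_access_enabled() {
    grep -v '^[[:space:]]*#' "$1" | grep -q 'optional-components/all-public-access'
}

# Print one finding per risky setting; the return status is the finding count.
audit_geoserver_env() {
    file=$1
    findings=0
    # Assumption: the value is compared case-insensitively ("True", "true", ...).
    skip=$(last_value GEOSERVER_SKIP_AUTH "$file" | tr '[:upper:]' '[:lower:]')
    if [ "$skip" = "true" ]; then
        echo "HIGH: GEOSERVER_SKIP_AUTH=$skip, /geoserver requests bypass twitcher/magpie"
        findings=$((findings + 1))
    fi
    if public_access_enabled "$file"; then
        echo "HIGH: all-public-access enabled, anonymous group has full geoserver access"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ] && echo "OK: no GEOSERVER_SKIP_AUTH or all-public-access override found"
    return "$findings"
}

# Constructed sample config (variable name EXTRA_CONF_DIRS is an assumption).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# export GEOSERVER_SKIP_AUTH=False
export EXTRA_CONF_DIRS="
    ./components/geoserver
    ./optional-components/all-public-access
"
export GEOSERVER_SKIP_AUTH="True"   # set for a benchmark, never reverted
EOF
audit_geoserver_env "$sample" || echo "findings: $?"
rm -f "$sample"
```

A clean result only means neither override is set in the file; anonymous access granted through permissions on the `geoserver` service in Magpie has to be reviewed in Magpie itself.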