On Wed, Sep 28, 2022 at 6:33 PM Jody Garnett <jody.garn...@gmail.com> wrote:
> We did not, I believe I missed the discussion where the feature was
> proposed.

There was no discussion on the list, but PRs, comments on PRs, and tickets are notified to all developers (unless they made moves to filter out those mails, we have no control over that).

The PR in question is here, it received reviews from two different parties:
https://github.com/geoserver/geoserver/pull/6187

The PR has been open for 3 days, while I understand it's a short time to gather more reviews, it should have been enough for a "hey I'm interested in looking deeper in this one, can you hold up?" or "I believe this warrants a discussion".

While you did not add any such comment, I saw you comment once on the Jira ticket in the past: when there is a PR, please comment on GitHub instead. Jira notifies only the people directly involved in the ticket, GitHub notifies all of the devs in the "geoserver team" group. When you raise your hand for something important, best to do it so that it reaches all devs.

We can also argue whether this is a new feature or an improvement, as it extends an existing functionality to other areas (see below).

> I like to be careful when setting up any avenue for external control of
> geoserver security.

I agree we need to be careful. However, this "external" is a property file set by the administrator, not something user provided. The functionality itself has been available since 2016 and has so far been used to externalize location of data sources and credentials for them (as well as for blobstores and the like). The PR adds one more bit in what can be parameterized.

> I assume this is for controlling geoserver security via external
> environmental variables, say for docker image? While I could see it being
> useful to manage the credentials for one user (say admin or root).

Let's have a look at the environment parametrization
<https://docs.geoserver.org/stable/en/user/datadirectory/configtemplate.html>
first line:

> Environment parametrization allows to parameterize some of the settings in GeoServer’s catalog by means of a templating mechanism to tailor GeoServer’s settings to the environment in which is run.

The ability to parameterize user passwords fits into this theme (if we want to be picky, env parametrization has gone beyond just "catalog" years ago, encompassing bits of GWC for example).

> The docs modified during the PR are here on the password policy page
> <https://docs.geoserver.org/latest/en/user/security/passwd.html#parametrized-passwords>,
> however they contain example specific to the XML user/group service based
> on users.xml file. Can the approach be used for roles service also?

The original target was for XML files, and the first approach was to actually modify only that one. During implementation discussion I suggested implementing a wrapper around a UserDetailService instead (less conditional logic, more general, easier to understand). As a result, while completely untested, it might work for other user detail services as well.

Before documenting this as available, I suggest the interested parties do some testing and verify it's actually working, before adding documentation that might sway users the wrong way.

> Recommend:
> - move the example to the XML user/group service
> <https://docs.geoserver.org/latest/en/user/security/usergrouprole/usergroupservices.html#security-rolesystem-usergroupxml>
> if it is only applicable to this one approach?

The current position is a good match for what we know about the implementation, it definitely works on XML user services, might work on others but testing it was out of the ticket scope. Some other devs can test over LDAP, JDBC or their preferred alternative user source and add a documentation example accordingly.

> - link from Environment parametrization
> <https://docs.geoserver.org/stable/en/user/datadirectory/configtemplate.html>
> page you mentioned to the above heading as another example of Environment
> parametrization.

Based on the above, nope, but it can definitely link to passwd.rst

Cheers
Andrea

Ing. Andrea Aime
Technical Lead
GeoSolutions Group