Hi,
Thanks for your answer Nuno. Yes, your notes correlates with my tests. I share
your opinion about how Geofence should work. On DENY mode all layers and Layer
groups should not be listed. When ALLOWing something only that should be listed.
I tested again the LIMIT rule. Now I was able to get only limited area for
layer using postgis as a data store. Found this info
https://github.com/geoserver/geofence/wiki/Main-concepts how this LIMITing
works.
Action
The Action specifies the outcome of the rule, if matched (by the filter) and
selected (according to priority).
The two main actions are ALLOW and DENY. If one of these actions is
encountered, the outcome is straightforward.
There's also the LIMIT action. Limit ing rules add constraints to the final
outcome, if it's an ALLOWaction. Constraints can be area constraints or access
mode constraints.
In order to make it clearer, here is a skeleton of the rule selection mechanism:
1. Given a filter, read all matching rules;
2. Reading the rules in the proper priority order, check:
* if the action is limit, collect the constraints in this rule and go on
examining the next rules
* if the action is deny, the request is not authorized.
* if the action is allow, the request is authorized; the collected
constraints, if any, shall be merged and applied.
But with these helps I was not able to publish any raster image, I only get
blank image.
Regards
Ville Jussila
Lähettäjä: Nuno Oliveira [mailto:nuno.olive...@geo-solutions.it]
Lähetetty: 12. elokuuta 2016 2:13
Vastaanottaja: Jussila Ville <ville.juss...@hel.fi>;
geoserver-users@lists.sourceforge.net
Aihe: Re: [Geoserver-users] Geofence - LayerGroups
Hi,
Regarding layer groups doubts, GeoFence doesn't handle layers groups it will
only control access to the layers that are part of a layer group.
This means that layers groups regardless of any data rule defined in GeoFence
will always show up in the listed layers and capabilities documents.
However, GeoFence will control the access to the layers that are part of the
layer group. For example, if we have a layer group made of three layers
(layerA, layerB and layerC) and the current user only has read access to layers
B and C when the user try to visualize the group layer he will only
see data from layers B and C but no data from layer A. Does this correlate with
your tests ?
I cannot really tell if this is the intended behavior or is just a missing
feature. In my opinion if all the layers that are part of a certain layer group
are
not visible the layer group should not be listed and if at least one layer of
the layer group is visible the layer group should be listed. Maybe one of the
developers of GeoFence can join this discussion and provide a better feedback.
Regarding the area limit rule, the area limit restriction should work the same
way for rasters and vectors. When defining a area limit rule we are
saying that when an user matches that rule he will only be able to access the
defined area (a geometry filter will be applied). Sorry but I don't
understand what you mean by "Rule is successfully saved but without map
output.".
Choosing between the embedded version and stand alone version will depend on
your needs. As you say the stand alone version provide more
possibilities to configure the data rules (filter by IP, attributes access, etc
..). The embedded version will already be synchronized with the
GeoServer instance, although you may want to configure a backed database for
production environments or you will need to do it anyway
for cluster environments. Behind the scenes the code used is the same, the
embedded version UI just doens't give you all the possibilities
to configure data rules.
I hope this help.
Regards,
Nuno Oliveira
Le mercredi 10 août 2016 à 07:35 +0000, Jussila Ville a écrit :
Hi,
I’m running Geoserver 2.9.0 with embedded Jetty from Windows installer.
I have searched information about this topic and tested this by myself for a
while without any success. Is it possible to control LayerGroups with GeoFence?
I have tried both embedded and standalone versions without satisfying result,
layerGroups are still visible with client. Connection between Geoserver and
Geofence works fine. Notes below are from using Standalone version.
I have workspace “city” in Geoserver where I have built layers and layergroups.
Layergroups are pointed to that “city”-workspace. The Layergroups are built
with mode Single, Named tree and Container tree depending on its usage and some
of them are nested. I have found this kind of behavior when limiting access
with Geofence
Geofence: DENY everything on all workspace or DENY everything on “city”
workspace
- Only layergroups are visible but not accessible.
Geofence: ALLOW everything on all workspace or on “city” workspace for certain
role
- Layergroups and layers are visible and accessible for user with
certain role.
- Layergroups which are built with Single mode appears in correct
Container tree Layergroup and also at the end of the list layers for user with
certain role.
- User without certain role for “city” workspaces layergroups are
visible but not accessible.
Geofence: ALLOW one layer on “city” workspace for one user
- All layergroups are visible but not accessible
- One layer is visible and accessible
How does LIMIT parameter works for raster layers? Or for vector layers as well.
I tried to define an area to be published from one certain raster layer. I used
this Allowed Area parameter at Layer Limits
SRID=4326;MULTIPOLYGON (((24.94601815481079 60.133969115637946,
24.945974007763702 60.160895510936726, 25 60.160906522783534, 25
60.13398011556427, 24.94601815481079 60.133969115637946)))
Rule is successfully saved but without map output.
At the moment which version should be used, embedded or Standalone version? I
found more parameters from LIMIT on Standalone which I think prefers to our
purposes more.
Thanks for your answer
Best Regards
************************************************
Ville Jussila
Cadastral Surveyor
City of Helsinki / Real Estate Department
City Survey Division / GIS office
puh. +358 9 310 31825 tai +358 40 350 9770
ville.juss...@hel.fi<mailto:ville.juss...@hel.fi>,
www.hel.fi/kv<http://www.hel.fi/kv>
------------------------------------------------------------------------------
What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
patterns at an interface-level. Reveals which users, apps, and protocols are
consuming the most bandwidth. Provides multi-vendor support for NetFlow,
J-Flow, sFlow and other flows. Make informed decisions using capacity
planning reports. http://sdm.link/zohodev2dev
_______________________________________________
Geoserver-users mailing list
Geoserver-users@lists.sourceforge.net<mailto:Geoserver-users@lists.sourceforge.net>
https://lists.sourceforge.net/lists/listinfo/geoserver-users
--
==
GeoServer Professional Services from the experts!
Visit http://goo.gl/it488V for more information.
==
Nuno Miguel Carvalho Oliveira
@nmcoliveira
Software Engineer
GeoSolutions S.A.S.
Via di Montramito 3/A
55054 Massarosa (LU)
Italy
phone: +39 0584 962313
fax: +39 0584 1660272
mob: +39 333 8128928
http://www.geo-solutions.it
http://twitter.com/geosolutions_it
-------------------------------------------------------
AVVERTENZE AI SENSI DEL D.Lgs. 196/2003
Le informazioni contenute in questo messaggio di posta elettronica e/o nel/i
file/s allegato/i sono
da considerarsi strettamente riservate. Il loro utilizzo è consentito
esclusivamente al destinatario del messaggio, per le finalità indicate
nel messaggio stesso. Qualora riceviate questo messaggio senza esserne il
destinatario, Vi preghiamo cortesemente di darcene notizia via e
-mail e di procedere alla distruzione del messaggio stesso, cancellandolo dal
Vostro sistema. Conservare il messaggio stesso, divulgarlo
anche in parte, distribuirlo ad altri soggetti, copiarlo, od utilizzarlo per
finalità diverse, costituisce comportamento contrario ai
principi dettati dal D.Lgs. 196/2003.
The information in this message and/or attachments, is intended solely for the
attention and use of
the named addressee(s) and may be confidential or proprietary in nature or
covered by the provisions of privacy act (Legislative Decree
June, 30 2003, no.196 - Italy's New Data Protection Code).Any use not in accord
with its purpose, any disclosure, reproduction, copying,
distribution, or either dissemination, either whole or partial, is strictly
forbidden except previous formal approval of the named
addressee(s). If you are not the intended recipient, please contact immediately
the sender by telephone, fax or e-mail and delete the
information in this message that has been received in error. The sender does
not give any warranty or accept liability as the content,
accuracy or completeness of sent messages and accepts no responsibility for
changes made after they were sent or for other risks which
arise as a result of e-mail transmission, viruses, etc.
------------------------------------------------------------------------------
What NetFlow Analyzer can do for you? Monitors network bandwidth and traffic
patterns at an interface-level. Reveals which users, apps, and protocols are
consuming the most bandwidth. Provides multi-vendor support for NetFlow,
J-Flow, sFlow and other flows. Make informed decisions using capacity
planning reports. http://sdm.link/zohodev2dev
_______________________________________________
Geoserver-users mailing list
Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users
