Hi, I do not understand how geofence rules (embedded version server) evaluate the ROLE part of rules, nor how they compare it to the geoserver-defined roles.

The use case is this one: a user with no authentication should access everything except what is published in a given workspace 'NOVA'. An authenticated user 'nova' on geoserver should see and access all the catalog available anonymously, and also its layers published in the workspace 'NOVA:'. Admin should access everything.

I have created a user nova (with login nova and password). I have created a group NOVA_GROUP, in which the nova user is added. I have created a role NOVA_READER_ROLE, that I gave to the NOVA_GROUP. In the user settings GUI, selecting the nova user, I see that it correctly inherits the NOVA_READER_ROLE role from its group. Right, all is well for this part.

Now, I go into the geofence rule edit GUI, and here, after a first rule with priority 0 allowing everything to the role ADMIN, I add a rule with priority 1 allowing the workspace NOVA: to the NOVA_READER_ROLE role, and a lower rule with priority 2 denying the workspace NOVA: to * user * role. I have a lowest rule with priority 10 allowing everything to * user * role (mind you, my WFS global setting is in basic mode, so read-only).

When I define a WFS or WMS source in QGIS on my geoserver URL with no authentication, I see all the catalog, but not the NOVA: layers part. Good. But if I set basic auth for user nova with the correct password, I see the same stuff, but I should ALSO see the layers from NOVA:. For the user nova to be able to see its NOVA: layers as well, I have to define the rule with priority 1 for the user nova, and not for the NOVA_READER_ROLE role. I do not understand why. It should work with the role, as the role is given to the group in which the user is.

Do I set my rules properly? Is there a confusion or discrepancy between the user/group/role definitions in geoserver compared to the user/role of geofence (embedded GUI in geoserver)? The GitHub documentation for geofence says there is no role concept in geofence, but the embedded GUI allows using the roles of geoserver to define rules.

Are these considered the usergroup of geofence? It also says geoserver has no concept of user group, but I can define groups in geoserver, yet I have no access to them when I define a rule, only users and roles. I also see in the Geofence Admin Page embedded in the geoserver GUI the option 'Use geoserver roles to get authorizations', but I don't understand whether this is related, nor whether I have to complete the following box with mutually exclusive roles for authorization, and if I fill this, should I include there ALL the defined roles, even the Admin and ANONYMOUS_ROLE?

This is only a subset of our configuration: we have a few users having secured access to several workspaces, and different users needing the same rights, hence the groups and roles approach, trying to avoid duplicating rules for every user.

Sorry for the long post, but I did not know how to explain the problem properly without going into some detailed description of it. Hope this is clear enough. Thank you already for the help on this.

All the best,
Greg
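The rule set and the user/group/role setup from the post, modelled as a small first-match evaluator (an added example, not GeoFence's or GeoServer's own code). It assumes rules are checked in ascending priority order with the first match winning, that an unmatched request is denied, and it exposes a switch for whether roles inherited through groups count, so the expected outcome and the observed symptom can be compared side by side.

```python
# Hypothetical model of the rule set described in the post: first-match
# evaluation in ascending priority order, roles resolved through groups.
# Assumption: this is how the poster expects GeoFence to behave; it is not
# GeoFence's implementation.
from dataclasses import dataclass

ANY = "*"


@dataclass(frozen=True)
class Rule:
    priority: int
    user: str        # username or "*"
    role: str        # role name or "*"
    workspace: str   # workspace name or "*"
    access: str      # "ALLOW" or "DENY"


# Rules exactly as listed in the post (constructed from its description).
RULES = [
    Rule(0, ANY, "ADMIN", ANY, "ALLOW"),
    Rule(1, ANY, "NOVA_READER_ROLE", "NOVA", "ALLOW"),
    Rule(2, ANY, ANY, "NOVA", "DENY"),
    Rule(10, ANY, ANY, ANY, "ALLOW"),
]

# Constructed user/group/role data mirroring the post.
USER_ROLES = {"admin": {"ADMIN"}}            # roles assigned directly
USER_GROUPS = {"nova": {"NOVA_GROUP"}}       # group membership
GROUP_ROLES = {"NOVA_GROUP": {"NOVA_READER_ROLE"}}


def effective_roles(user, inherit_from_groups=True):
    """Direct roles plus, when enabled, roles inherited via group membership."""
    roles = set(USER_ROLES.get(user, set()))
    if inherit_from_groups:
        for group in USER_GROUPS.get(user, set()):
            roles |= GROUP_ROLES.get(group, set())
    return roles


def evaluate(user, workspace, inherit_from_groups=True):
    """Access of the first matching rule (lowest priority number); None = anonymous."""
    roles = effective_roles(user, inherit_from_groups) if user else set()
    for rule in sorted(RULES, key=lambda r: r.priority):
        if rule.user not in (ANY, user):
            continue
        if rule.role != ANY and rule.role not in roles:
            continue
        if rule.workspace not in (ANY, workspace):
            continue
        return rule.access
    return "DENY"  # nothing matched: deny by default (assumption)
```

With `inherit_from_groups=False` the model reproduces the symptom in the post (nova denied on NOVA), which points at the first thing to verify: whether the role set GeoFence sees for nova at request time includes roles inherited through the group, or only roles assigned to the user directly.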
_______________________________________________
Geoserver-users mailing list

Please make sure you read the following two resources before posting to this list:
- Earning your support instead of buying it, by Ian Turton: http://www.ianturton.com/talks/foss4g.html#/
- The GeoServer user list posting guidelines: http://geoserver.org/comm/userlist-guidelines.html

If you want to request a feature or an improvement, also see this: https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer

Geoserver-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/geoserver-users