Re: [Qgis-developer] QEP and PR for new Authentication Configuration System
Hi Régis,

On Wed, 21. Jan 2015 at 08:27:58 -0800, Régis Haubourg wrote:
> When you say it is covered already by Qt, what does that mean to achieve use
> cases like autocredentials for postgis layers or WMS layers for instance?
> We still need the current QEP or am I missing something? (I'm absolutely
> outside of my skill circle)

I only meant for HTTP(S) services. For databases that's probably also something lower level that needs to be and probably is already addressed in the clients (libpq, OCI etc). I didn't have to explore that yet.

Jürgen

--
Jürgen E. Fischer           norBIT GmbH             Tel. +49-4931-918175-31
Dipl.-Inf. (FH)             Rheinstraße 13          Fax. +49-4931-918175-50
Software Engineer           D-26506 Norden          http://www.norbit.de
QGIS release manager (PSC)  Germany                 IRC: jef on FreeNode
Re: [Qgis-developer] QEP and PR for new Authentication Configuration System
Hi Jürgen,

When you say it is covered already by Qt, what does that mean to achieve use cases like autocredentials for postgis layers or WMS layers for instance? We still need the current QEP or am I missing something? (I'm absolutely outside of my skill circle)

Cheers
Régis
Re: [Qgis-developer] QEP and PR for new Authentication Configuration System
Hi Régis,

On Wed, 21. Jan 2015 at 06:38:26 -0800, Régis Haubourg wrote:
> Larry_S wrote
> > Can you expound upon how this info is accessed, what exactly is used, and
> > how it would be used? Then, an authentication config and provider can
> > possibly be crafted.
>
> We use NTLM v2 here: http://davenport.sourceforge.net/ntlm.html

On Windows that should already work - Qt handles it internally (4.8 does, 4.7 didn't, but was patched in OSGeo4W to do it). I know that it is used to automate system proxy authentication. I don't know if it's also used for authentication with services, but IIRC that should also be covered.

Jürgen

--
Jürgen E. Fischer           norBIT GmbH             Tel. +49-4931-918175-31
Dipl.-Inf. (FH)             Rheinstraße 13          Fax. +49-4931-918175-50
Software Engineer           D-26506 Norden          http://www.norbit.de
QGIS release manager (PSC)  Germany                 IRC: jef on FreeNode
Re: [Qgis-developer] QEP and PR for new Authentication Configuration System
Larry_S wrote
> Can you expound upon how this info is accessed, what exactly is used, and
> how it would be used? Then, an authentication config and provider can
> possibly be crafted.

We use NTLM v2 here: http://davenport.sourceforge.net/ntlm.html

Régis
Re: [Qgis-developer] QEP and PR for new Authentication Configuration System
Thanks for the explanations Larry.

I hope to have technical info on what we use here for authentication soon.

Having the scripts, or some snippets, would help. We already use python / bash / powershell scripts to manage user profiles (deploy new settings, check settings, migrate profile content when moving resources).

One question: If pre-population scripts are using the final password, is there a way not to have the user reset their password? The idea is to have a totally user transparent process.

Cheers
Régis
Re: [Qgis-developer] QEP and PR for new Authentication Configuration System
Hi Régis,

On Mon, Jan 19, 2015 at 1:36 PM, Régis Haubourg <regis.haubo...@eau-adour-garonne.fr> wrote:

> Hi Larry, very interesting QEP!
>
> I'm not an expert of authentication systems at all. Here, I would love to
> have QGIS be able to auto identify itself using Windows session user
> information.

Can you expound upon how this info is accessed, what exactly is used, and how it would be used? Then, an authentication config and provider can possibly be crafted.

> That's what we do with internal webapps with Firefox. Please
> consider also use cases for system administrators that configure all qgis
> profiles. How can we achieve that without having users take care of master
> keywords?

If you are configuring QGIS prior to users using the app, then all the auth configs and assigning them to server connections can be automated with pre-population scripts utilizing either a standard initial master password or a randomly generated one for each user. Then, the user must 'reset' (change) the auth database with a new password, which duplicates the auth database and re-encrypts all configs with the new password (optionally backing up the current db).

If the auth configs are to be added to an existing user's setup (one that already has a master password and configs in ~/.qgis2/qgis-auth.db), then the user must input their password during the process, or the admin needs to know it, so a pre-population script can utilize it.

I have already crafted two pre-population scripts, one with user interaction and one without, and have started on a script that exports client SSL certs/keys out of Firefox and sets up auth configs in QGIS (though QGIS doesn't have a certificate manager yet, so they are certs/key files on disk). I will ask my employer about releasing these scripts.

Basically, the master password does cause difficulties with regards to automating rollouts of profiles, etc. However, without it, there is really no other form (that I could figure out) of protecting the auth configs' sensitive data, given how completely open and accessible Qt, PyQGIS and the available source code make everything.

The auth system is in its infancy though, so any opinions, improvements or sharing of rollout strategies is greatly appreciated.

Regards,

Larry Shaffer
Dakota Cartography
Black Hills, South Dakota

> Cheers
> Régis
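
Added example, not part of the original message or of the QGIS code base: a sketch of the rollout described in the message above, where an admin pre-populates the auth db under an initial master password and the user's reset re-encrypts every config under a new one. The table layout, the function names and the HMAC-SHA256 keystream standing in for a real cipher are assumptions made so that it runs on the Python standard library alone.

```python
import hashlib, hmac, os, shutil, sqlite3
from contextlib import closing

def derive_keys(password, salt):
    # Stretch the master password; first half encrypts, second half authenticates.
    k = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, dklen=64)
    return k[:32], k[32:]

def _xor_stream(enc_key, nonce, data):
    # Stand-in cipher (assumption): HMAC-SHA256 keystream, not the QGIS/QCA scheme.
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

def seal(keys, plaintext):
    nonce = os.urandom(16)
    ct = _xor_stream(keys[0], nonce, plaintext)
    return nonce + ct + hmac.new(keys[1], nonce + ct, hashlib.sha256).digest()

def unseal(keys, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(keys[1], nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong master password or corrupted config")
    return _xor_stream(keys[0], nonce, ct)

def prepopulate(path, password, configs):
    # Admin step: create the auth db (hypothetical schema) under an initial password.
    salt = os.urandom(16)
    keys = derive_keys(password, salt)
    with closing(sqlite3.connect(path)) as db, db:
        db.execute("CREATE TABLE meta (salt BLOB)")
        db.execute("CREATE TABLE configs (id TEXT PRIMARY KEY, secret BLOB)")
        db.execute("INSERT INTO meta VALUES (?)", (salt,))
        db.executemany("INSERT INTO configs VALUES (?, ?)",
                       [(cid, seal(keys, s.encode())) for cid, s in configs.items()])

def read_configs(path, password):
    with closing(sqlite3.connect(path)) as db:
        keys = derive_keys(password, db.execute("SELECT salt FROM meta").fetchone()[0])
        return {cid: unseal(keys, blob).decode()
                for cid, blob in db.execute("SELECT id, secret FROM configs")}

def reset_master_password(path, old, new, backup=True):
    # User step: decrypt with the old password, write a re-encrypted copy, swap it in.
    configs = read_configs(path, old)          # raises ValueError if `old` is wrong
    if backup:
        shutil.copy2(path, path + ".bak")      # the backup stays encrypted under `old`
    prepopulate(path + ".new", new, configs)
    os.replace(path + ".new", path)
```

After a reset, the `.bak` copy still opens with the initial password, so a rollout that uses one standard initial password for every user leaves each backup readable by anyone who knows it.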
Re: [Qgis-developer] QEP and PR for new Authentication Configuration System
Anyone have any ideas on who would be a good person to review this kind of code?

- Nathan

On Tue, Jan 20, 2015 at 5:07 AM, Larry Shaffer wrote:

> Hi,
>
> I have drafted a QEP [0] for the introduction of a new authentication
> configuration system that is protected with a master password, and its
> associated pull request [1], which includes a fully functional
> implementation with bindings, unit tests and test server (Tomcat/GeoServer).
>
> Direct link to QEP preview: [2].
>
> Please test if you have the available time. Note the new dependency on QCA
> (and its OpenSSL plugin), which will need built and installed first.
> Contact me if you need help with that, as I have built QCA 2.1.0 on all
> major platforms.
>
> Note: I am looking for another core developer willing to review the code
> in exchange for *payment*. Please contact me directly if you are interested.
>
> [0] https://github.com/qgis/QGIS-Enhancement-Proposals/pull/17
> [1] https://github.com/qgis/QGIS/pull/1838
> [2] https://github.com/dakcarto/QGIS-Enhancement-Proposals/blob/auth-system/qep-authentication-system.rst
>
> Regards,
>
> Larry Shaffer
> Dakota Cartography
> Black Hills, South Dakota
Re: [Qgis-developer] QEP and PR for new Authentication Configuration System
On 20/01/2015 12:31, Anita Graser wrote:
> On Tue, Jan 20, 2015 at 10:40 AM, Andreas Neumann wrote:
>> Sorry - I can't comment on a technical level.
>> But as a user I very much welcome such a safe password/connection storage
>
> +1 fully agree with Andreas.

same here
thanks

--
Paolo Cavallini - www.faunalia.eu
QGIS & PostGIS courses: http://www.faunalia.eu/training.html
Re: [Qgis-developer] QEP and PR for new Authentication Configuration System
On Tue, Jan 20, 2015 at 10:40 AM, Andreas Neumann wrote:
> Sorry - I can't comment on a technical level.
> But as a user I very much welcome such a safe password/connection storage

+1 fully agree with Andreas.

Best wishes,
Anita
Re: [Qgis-developer] QEP and PR for new Authentication Configuration System
Hi Larry,

Sorry - I can't comment on a technical level.

But as a user I very much welcome such a safe password/connection storage combined with a password manager. It bothered me a lot to see passwords when hovering a layer in the layer manager, and to see the plain text connection info in the .qgs file. I know, there are workarounds (e.g. .pgpass), but most users are not aware of it.

Thank you for already considering QGIS server to correctly deal with the authentication, where there is no user input.

Andreas

On 19.01.2015 20:07, Larry Shaffer wrote:

> Hi,
>
> I have drafted a QEP [0] for the introduction of a new authentication
> configuration system that is protected with a master password, and its
> associated pull request [1], which includes a fully functional
> implementation with bindings, unit tests and test server (Tomcat/GeoServer).
>
> Direct link to QEP preview: [2].
>
> Please test if you have the available time. Note the new dependency on QCA
> (and its OpenSSL plugin), which will need built and installed first.
> Contact me if you need help with that, as I have built QCA 2.1.0 on all
> major platforms.
>
> Note: I am looking for another core developer willing to review the code
> in exchange for *payment*. Please contact me directly if you are interested.
>
> [0] https://github.com/qgis/QGIS-Enhancement-Proposals/pull/17
> [1] https://github.com/qgis/QGIS/pull/1838
> [2] https://github.com/dakcarto/QGIS-Enhancement-Proposals/blob/auth-system/qep-authentication-system.rst
>
> Regards,
>
> Larry Shaffer
> Dakota Cartography
> Black Hills, South Dakota
Re: [Qgis-developer] QEP and PR for new Authentication Configuration System
Hi Larry, very interesting QEP!

I'm not an expert of authentication systems at all. Here, I would love to have QGIS be able to auto identify itself using Windows session user information. That's what we do with internal webapps with Firefox. Please consider also use cases for system administrators that configure all qgis profiles. How can we achieve that without having users take care of master keywords?

Cheers
Régis
[Qgis-developer] QEP and PR for new Authentication Configuration System
Hi,

I have drafted a QEP [0] for the introduction of a new authentication configuration system that is protected with a master password, and its associated pull request [1], which includes a fully functional implementation with bindings, unit tests and test server (Tomcat/GeoServer).

Direct link to QEP preview: [2].

Please test if you have the available time. Note the new dependency on QCA (and its OpenSSL plugin), which will need built and installed first. Contact me if you need help with that, as I have built QCA 2.1.0 on all major platforms.

Note: I am looking for another core developer willing to review the code in exchange for *payment*. Please contact me directly if you are interested.

[0] https://github.com/qgis/QGIS-Enhancement-Proposals/pull/17
[1] https://github.com/qgis/QGIS/pull/1838
[2] https://github.com/dakcarto/QGIS-Enhancement-Proposals/blob/auth-system/qep-authentication-system.rst

Regards,

Larry Shaffer
Dakota Cartography
Black Hills, South Dakota