[Qgis-user] Save projects to DB without creator's permissions

2020-05-29 Thread Cliff Patterson
What is the best approach to save QGIS projects to PostgreSQL
without saving the project-creator's credentials/permissions? If the DB
admin creates a project and saves it to the DB, anyone opening that project
will attain the admin's permissions on layers in that map.

To recreate:

1) Create a map containing PostGIS layers and save project to DB. All
layers should be editable by the admin. Admin is logged into DB with auth
config, not basic auth.
2) Create a new read-only user and new profile in QGIS and log in to DB.
3) Open the project and try to edit layers. Read-only user will be able to
see and edit all layers just like the DB Admin.

Is there a way to save projects to DB WITHOUT saving any user
creds/permissions?

Cliff

-- 

Cliff Patterson Ph.D.

*PSD* | Senior GIS Consultant
P: 519-690-2565 ext. 2616
www.psdrcs.com
London | 148 Fullarton St. 9th Floor
___
Qgis-user mailing list
Qgis-user@lists.osgeo.org
List info: https://lists.osgeo.org/mailman/listinfo/qgis-user
Unsubscribe: https://lists.osgeo.org/mailman/listinfo/qgis-user

Re: [Qgis-user] Save projects to DB without creator's permissions

2020-05-29 Thread Cliff Patterson
PS: I realize I can create maps with basic auth and not store the PW, which
prompts the user to enter their creds. But is there a better way now to
achieve the same result?

Cliff


Re: [Qgis-user] Save projects to DB without creator's permissions

2020-05-29 Thread chris hermansen
Cliff and list,

On Fri, May 29, 2020 at 10:29 AM Cliff Patterson 
wrote:

> What is the best approach to save QGIS projects to PostgreSQL
> without saving the project-creator's credentials/permissions? If the DB
> admin creates a project and saves it to the DB, anyone opening that project
> will attain the admin's permissions on layers in that map.
>

Sorry Cliff I don't have a solution, just some ideas presented below.  I
have to say that this sounds like a huge security hole to me; I would
expect that extra work would be required to allow others to read, and
especially write, someone else's data.


> To recreate:
>
> 1) Create a map containing PostGIS layers and save project to DB. All
> layers should be editable by the admin. Admin is logged into DB with auth
> config, not basic auth.
>

What are the access rights to the DB?  To the tables within the DB?

> 2) Create a new read-only user and new profile in QGIS and log in to DB.
>

A "read-only user"?  What is that? AFAIK the list of user restrictions in
PostgreSQL is NOSUPERUSER, NOCREATEDB, NOCREATEROLE, NOINHERIT, NOLOGIN,
NOREPLICATION, NOBYPASSRLS.  None of those mean "read-only".

"log in to DB" implies that you have granted at least CONNECT on the DB to
the new user.  That is, admin must have issued at least a GRANT CONNECT ON
DATABASE db TO "new user".

> 3) Open the project and try to edit layers. Read-only user will be able to
> see and edit all layers just like the DB Admin.
>

Leaving aside what a "read-only user" means, there are also the table
privileges.  Presumably admin could limit the "new user"'s ability to alter
tables in the database by ensuring that all change rights have been
revoked, e.g. REVOKE INSERT, UPDATE, DELETE, TRUNCATE ON TABLE foo, bar,
paz FROM "new user".

If some of the layers defined in the project are stored in the filesystem
rather than as PostGIS/PostgreSQL tables then I presume one would need to
change their accessibility as well.



-- 
Chris Hermansen · clhermansen "at" gmail "dot" com

C'est ma façon de parler.

Re: [Qgis-user] Save projects to DB without creator's permissions

2020-05-29 Thread Jorge Gustavo Rocha
Please use pg_services. No Auth is stored. Just the service name. 
-+-+-+-+-+-+-+-+-+-
Geomaster, Lda
Rua Afonso Palmeira, 31, 7 D
4715-278 Braga
NIF 510906109
Tm +351 910333888
Email jgr@geomaster.pt

Sent from my mobile. Please excuse the brevity, spelling and punctuation.

Re: [Qgis-user] Save projects to DB without creator's permissions

2020-05-29 Thread Cliff Patterson
Sorry for the confusion, by read-only I meant that the user only has the
ability to connect to the schema containing the layer and view it -- no
UPDATE, DELETE, etc. This is all set up in the DB and the "read-only" user
already has limited access to the layers. The problem is that if you forget
to uncheck "store password" in your connection parameters, or if you use
stored auth creds, and save a map to the DB, it saves with your
permissions. I agree, it is a security hole that could be fixed by simply
giving users the ability to strip the credentials on layers when saving to
the DB.

Cliff


Re: [Qgis-user] Save projects to DB without creator's permissions

2020-05-29 Thread Cliff Patterson
Interesting, Jorge. Thanks

Cliff


Re: [Qgis-user] Save projects to DB without creator's permissions

2020-05-29 Thread Alessandro Pasotti
Maybe all that you need is in the QGIS auth system:
https://docs.qgis.org/3.10/en/docs/user_manual/auth_system/auth_workflows.html#changing-authentication-config-id

The master password can be stored in the operating system wallet so that
the user will not need to type his password.

Regards



Re: [Qgis-user] Save projects to DB without creator's permissions

2020-06-01 Thread Cliff Patterson
That's exactly the problem with the auth system. If you connect to a DB
using the auth system and store a map in the DB (or anywhere for that
matter), the map contains your credentials/permissions for EVERY layer that
you added. So if you create a map while logged in as DB owner (i.e. full
perms for every layer), any user who opens it will have full permissions on
every layer in the map. The only workaround for this is to remember to use
basic auth and uncheck "store" beside password whenever creating a shared
project.

Any other less vulnerable workarounds would be very helpful, though I doubt
any exist.

Cliff


Re: [Qgis-user] Save projects to DB without creator's permissions

2020-06-01 Thread Alessandro Pasotti
On Mon, Jun 1, 2020 at 3:35 PM Cliff Patterson 
wrote:

> That's exactly the problem with the auth system. If you connect to a DB
> using the auth system and store a map in the DB (or anywhere for that
> matter), the map contains your credentials/permissions for EVERY layer that
> you added. So if you create a map while logged in as DB owner (i.e. full
> perms for every layer), any user who opens it will have full permissions on
> every layer in the map. The only workaround for this is to remember to use
> basic auth and uncheck "store" beside password whenever creating a shared
> project.
>
> Any other less vulnerable workarounds would be very helpful, though I
> doubt any exist.
>

Cliff, I probably misunderstood your issue.

What I was trying to say is that you can create a project with (say) one PG
layer that required your credentials (user "cliff")  to be created but you
want other users (user "alice") to be able to access the layer with her own
credentials.

You can create an authentication configuration and set its authid to some
easy to share value (you have 7 chars if I remember correctly), then you
will store your credentials in your authentication DB for that authid and
"alice" will store her credentials in her own authentication DB using the
same authid.

Note that "alice"'s credentials are different from "cliff"'s credentials, the
authentication DB is also different (unless they are using the same machine
and the same OS account and the same user profile), the only thing that is
equal is the authentication configuration id.

The thing is that you don't share the authentication DB, you share the
authid 7-digit code only and the other users will use their own
credentials.

Kind regards,



-- 
Alessandro Pasotti
QCooperative:  www.qcooperative.net
ItOpen:   www.itopen.it
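
An added example, not part of the thread and not QGIS code: a check over a project's XML that reports, for each PostGIS layer, whether the datasource string carries a stored password, only an authcfg id, or only a pg_service name. The sample project text, host, role and id values are constructed, and the datasource key names (user, password, authcfg, service) are assumed to follow the usual QGIS PostgreSQL URI layout.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, not taken from the thread: three PostGIS layers whose
# datasource strings use a stored password, an authcfg id and a pg_service name.
SAMPLE_QGS = """<qgis version="3.10.0">
  <projectlayers>
    <maplayer>
      <layername>parcels</layername>
      <provider encoding="UTF-8">postgres</provider>
      <datasource>dbname='gis' host=db.example.org port=5432 user='dbadmin' password='s3cret' key='id' table="public"."parcels" (geom)</datasource>
    </maplayer>
    <maplayer>
      <layername>roads</layername>
      <provider encoding="UTF-8">postgres</provider>
      <datasource>dbname='gis' host=db.example.org port=5432 authcfg=gisteam key='id' table="public"."roads" (geom)</datasource>
    </maplayer>
    <maplayer>
      <layername>rivers</layername>
      <provider encoding="UTF-8">postgres</provider>
      <datasource>service='gis_shared' key='id' table="public"."rivers" (geom)</datasource>
    </maplayer>
  </projectlayers>
</qgis>"""

# key=value pairs; a value is either single-quoted (backslash escapes allowed)
# or a run of non-space characters. Assumed layout of the PostgreSQL URI.
PARAM = re.compile(r"(\w+)=(?:'((?:[^'\\]|\\.)*)'|(\S+))")


def parse_uri(uri):
    """Split a datasource string into a dict of its key=value parameters."""
    params = {}
    for m in PARAM.finditer(uri):
        params[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return params


def classify(params):
    """Name how the layer authenticates, worst case first."""
    if params.get("password"):
        return "embedded-password"   # creator's secret travels with the project
    if "authcfg" in params:
        return "authcfg"             # only the id; resolved in the opener's auth DB
    if "service" in params:
        return "service"             # only the name; resolved in pg_service.conf
    if "user" in params:
        return "user-only"           # opener is prompted for the password
    return "no-credentials"


def audit_project(xml_text):
    """Return one finding per PostGIS layer; the password itself is never copied."""
    findings = []
    for layer in ET.fromstring(xml_text).iter("maplayer"):
        if (layer.findtext("provider") or "").strip() != "postgres":
            continue
        params = parse_uri(layer.findtext("datasource") or "")
        findings.append({
            "layer": layer.findtext("layername"),
            "kind": classify(params),
            "user": params.get("user"),
            "reference": params.get("authcfg") or params.get("service"),
        })
    return findings


def layers_leaking_credentials(xml_text):
    """Names of layers that must be re-pointed before the project is shared."""
    return [f["layer"] for f in audit_project(xml_text)
            if f["kind"] == "embedded-password"]


if __name__ == "__main__":
    for finding in audit_project(SAMPLE_QGS):
        print(finding)
    print("fix before sharing:", layers_leaking_credentials(SAMPLE_QGS))
```

For layers reported as authcfg or service, the project holds only a reference, so what a given opener can do depends on the credentials in their own authentication database or pg_service.conf and on the grants of that role.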

Re: [Qgis-user] Save projects to DB without creator's permissions

2020-06-01 Thread Karl Magnus Jönsson
Hi!
Alessandro, you were quicker! ☺

If I understand correctly, the actual credentials aren't stored in the project.
Just the auth config ID. If the user doesn't have this in his local
authentication database, or has it with other credentials (read), the project
will not open with admin credentials.

Karl-Magnus Jönsson


Re: [Qgis-user] Save projects to DB without creator's permissions

2020-06-01 Thread Cliff Patterson
Hi Karl and Alessandro,

This is helpful but DEFINITELY not intuitive. I will test this
configuration and report back.

Cheers,
Cliff


Re: [Qgis-user] Save projects to DB without creator's permissions

2020-06-01 Thread Cliff Patterson
Tested this solution and it works perfectly. When using the same ID in the
authentication settings, the projects saved to the DB do not retain the
creator's per-layer permissions.

Thanks for the help!

Cliff

On Mon, Jun 1, 2020 at 11:19 AM Cliff Patterson 
wrote:

> Hi Karl and Alessandro,
>
> This is helpful but DEFINITELY not intuitive. I will test this
> configuration and report back.
>
> Cheers,
> Cliff
>
> On Mon, Jun 1, 2020 at 9:51 AM Karl Magnus Jönsson <
> karl-magnus.jons...@kristianstad.se> wrote:
>
>> Hi!
>>
>> Alessandro, you where quicker! J
>>
>>
>>
>> If I understand correct, the actual credentials isn’t stored to the
>> project. Just the auth config ID. If the user doesn’t have this in his
>> local authentication database, or has it with other credentials(read) the
>> project will not open with admin credentials.
>>
>>
>>
>> *Karl-Magnus Jönsson*
>>
>>
>>
>> *Från:* Qgis-user  *För *Cliff
>> Patterson
>> *Skickat:* den 1 juni 2020 15:36
>> *Till:* Alessandro Pasotti 
>> *Kopia:* qgis-user 
>> *Ämne:* Re: [Qgis-user] Save projects to DB without creator's permissions
>>
>>
>>
>> That's exactly the problem with the auth system. If you connect to a DB
>> using the auth system and store a map in the DB (or anywhere for that
>> matter), the map contains your credentials/permissions for EVERY layer that
>> you added. So if you create a map while logged in as DB owner (i.e. full
>> perms for every layer), any user who opens it will have full permissions on
>> every layer in the map. The only workaround for this is to remember to use
>> basic auth and uncheck "store" beside password whenever creating a shared
>> project.
>>
>>
>>
>> Any other less vulnerable workarounds would be very helpful, though I
>> doubt any exist.
>>
>>
>>
>> Cliff
>>
>>
>>
>> On Fri, May 29, 2020 at 3:03 PM Alessandro Pasotti 
>> wrote:
>>
>> Maybe all that you need is in the QHIS auth system is
>> https://docs.qgis.org/3.10/en/docs/user_manual/auth_system/auth_workflows.html#changing-authentication-config-id
>>
>>
>>
>> The master password can be stored in the operating system wallet so that
>> the user will not need to type his password.
>>
>>
>>
>> Regards

-- 

Cliff Patterson Ph.D.

*PSD* | Senior GIS Consultant
P: 519-690-2565 ext. 2616
www.psdrcs.com
London | 148 Fullarton St. 9th Floor
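
As an added example (not part of the thread and not QGIS code), this script audits a project file for the behaviour confirmed above: layers that reference only an auth config ID versus layers that carry a stored password. The sample project, host, user name, password and the ID `a1b2c3d` are constructed, and the `<maplayer>`/`<datasource>` layout with `key=value` PostgreSQL parameters is an assumption about the project XML being checked.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample (not from the thread): a trimmed .qgs project with PostGIS layers.
SAMPLE_QGS = """<qgis projectname="shared-map">
  <projectlayers>
    <maplayer><layername>parcels</layername><provider>postgres</provider>
      <datasource>dbname='gis' host=db.example.org port=5432 authcfg=a1b2c3d key='id' table="public"."parcels" (geom)</datasource>
    </maplayer>
    <maplayer><layername>roads</layername><provider>postgres</provider>
      <datasource>dbname='gis' host=db.example.org port=5432 user='gisadmin' password='S3cret!' key='id' table="public"."roads" (geom)</datasource>
    </maplayer>
    <maplayer><layername>zones</layername><provider>postgres</provider>
      <datasource>dbname='gis' host=db.example.org port=5432 key='id' table="public"."zones" (geom)</datasource>
    </maplayer>
    <maplayer><layername>basemap</layername><provider>gdal</provider>
      <datasource>/data/basemap.tif</datasource>
    </maplayer>
  </projectlayers>
</qgis>"""

# key=value pairs of a PostgreSQL provider URI; values may be single-quoted.
_PAIR = re.compile(r"(\w+)=('(?:[^'\\]|\\.)*'|\S+)")

def parse_uri(uri):
    """Return the key/value parameters of a datasource URI, quotes stripped."""
    return {k: v[1:-1] if v.startswith("'") else v for k, v in _PAIR.findall(uri)}

def audit_project(xml_text):
    """Classify how each PostGIS layer in a project authenticates."""
    findings = []
    for layer in ET.fromstring(xml_text).iter("maplayer"):
        if layer.findtext("provider") != "postgres":
            continue  # only database layers are of interest here
        params = parse_uri(layer.findtext("datasource", default=""))
        if "password" in params:
            status = "embedded-password"  # the secret travels with the project
        elif "authcfg" in params:
            status = "authcfg"            # only the config ID is stored
        else:
            status = "prompt"             # no secret stored, the user is asked
        findings.append({"layer": layer.findtext("layername"), "status": status, "authcfg": params.get("authcfg")})
    return findings

def shared_authcfg_ids(findings):
    """Config IDs that each user's local authentication database must define."""
    return sorted({f["authcfg"] for f in findings if f["authcfg"]})
```

Any layer reported as `embedded-password` should be re-added through an auth config before the project is shared; the IDs returned by `shared_authcfg_ids` are the ones each user maps to their own credentials.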

Re: [Qgis-user] Save projects to DB without creator's permissions

2020-06-01 Thread Alessandro Pasotti
Glad to hear that it worked!

If you feel like the documentation should include an example, feel free to
add some more content to the
https://docs.qgis.org/testing/en/docs/user_manual/auth_system/auth_workflows.html

There is also a section on organizations that might be relevant for this
kind of information.
https://docs.qgis.org/testing/en/docs/user_manual/introduction/qgis_configuration.html#deploying-qgis-within-an-organization




Re: [Qgis-user] Save projects to DB without creator's permissions

2020-06-01 Thread Cliff Patterson
Awesome, thanks!
