Home Explore Help
Register Sign In
siwei
/
web-server
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Branch: master
Branches Tags
web-server
/
doc
/
en
/
user
/
source
/
community
/
acl
/
index.rst

index.rst 5.1 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130 
  1. GeoServer Access Control List authorization
    2. 

  2. ===========================================
    3. 

  3. 

  4. `GeoServer ACL <https://github.com/geoserver/geoserver-acl>`__ is an advanced authorization system for GeoServer.
    5. 

  5. 

  6. The source code for this plugin resides on the `geoserver-acl <https://github.com/geoserver/geoserver-acl/tree/main/src/plugin>`__ project code base,
    7. 

  7. where it's `tested <https://github.com/geoserver/geoserver-acl/actions/workflows/build-plugin.yaml>`__ against the stable, development, and maintenance
    8. 

  8. versions of GeoServer.
    9. 

  9. 

  10. This community module hence only runs a `Testcontainers <https://testcontainers.com/>`__ based integration test suite, using the
    11. 

  11. `geoservercloud/geoserver-acl <https://hub.docker.com/r/geoservercloud/geoserver-acl/tags>`__ Docker image for the dependency version defined in
    12. 

  12. this project's `pom.xml`.
    13. 

  13. 

  14. Installation
    15. 

  15. ------------
    16. 

  16. 

  17. The plugin `.zip` file is to be installed as usual, un-zipping it inside the GeoServer `WEB-INF/lib` folder.
    18. 

  18. 

  19. The GeoServer ACL service is distributed as a Docker image in dockerhub: `geoservercloud/geoserver-acl <https://hub.docker.com/r/geoservercloud/geoserver-acl/tags>`__
    20. 

  20. 

  21. For the plugin to work in GeoServer, you need a running GeoServer ACL service.
    22. 

  22. 

  23. Please check the accompanying `compose.yml <./compose.yml>`__ example docker composition for a complete set up.
    24. 

  24. 

  25. Plugin Configuration
    26. 

  26. --------------------
    27. 

  27. 

  28. The GeoServer ACL plugin requires GeoServer to be run with some System properties or environment variables to
    29. 

  29. set up the ACL API client target URL and credentials.
    30. 

  30. 

  31. System Properties
    32. 

  32. ~~~~~~~~~~~~~~~~~
    33. 

  33. 

  34. If you choose to use Java System properties, add the following ones to the GeoServer JVM parameters,
    35. 

  35. with the appropriate values:
    36. 

  36. 

  37. .. code-block:: shell
    38. 

  38. 

  39.    -Dgeoserver.acl.client.basePath=https://example.com/acl/api
    40. 

  40.    -Dgeoserver.acl.client.username=geoserver
    41. 

  41.    -Dgeoserver.acl.client.password=ch4ng3m3
    42. 

  42. 

  43. Disabling the plugin
    44. 

  44. ~~~~~~~~~~~~~~~~~~~~
    45. 

  45. 

  46. The `geoserver.acl.enabled` config property defaults to `true` so it's not required for the plugin to run.
    47. 

  47. In order to completely disable the plugin, set it to `false`:
    48. 

  48. 

  49. .. code-block:: shell
    50. 

  50. 

  51.    -Dgeoserver.acl.enabled=false
    52. 

  52. 

  53. Environment variables
    54. 

  54. ~~~~~~~~~~~~~~~~~~~~~
    55. 

  55. 

  56. In production environments it's usually more convenient to control configuration options through
    57. 

  57. environment variables, where sensitive values can be obtained from docker/kubernetes secrets.
    58. 

  58. 

  59. All the system properties mentioned above can be mapped to environment variables by changing their
    60. 

  60. names to upper case and replacing dots by underscores:
    61. 

  61. 

  62. For example:
    63. 

  63. 

  64. .. code-block:: shell
    65. 

  65. 

  66.    export GEOSERVER_ACL_ENABLED=false
    67. 

  67.    export GEOSERVER_ACL_CLIENT_BASEPATH=https://example.com/acl/api
    68. 

  68.    export GEOSERVER_ACL_CLIENT_USERNAME=geoserver
    69. 

  69.    export GEOSERVER_ACL_CLIENT_PASSWORD=ch4ng3m3
    70. 

  70. 

  71. And so on.
    72. 

  72. 

  73. Setting the plugin's authorization cache expiration time
    74. 

  74. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    75. 

  75. 

  76. The GeoServer ACL API plugin implements a local cache for authorization requests/responses, that has
    77. 

  77. a default `30` seconds expiration time.
    78. 

  78. 

  79. The cache "expiration time", or "time to live", can be changed through the `Dgeoserver.acl.client.cache.ttl`
    80. 

  80. configuration property, which accepts a `java.time.Duration` string. For example:
    81. 

  81. 

  82. .. code-block:: shell
    83. 

  83. 

  84.    -Dgeoserver.acl.client.cache.ttl=PT5S
    85. 

  85. 

  86. or
    87. 

  87. 

  88. .. code-block:: shell
    89. 

  89. 

  90.    export GEOSERVER_ACL_CLIENT_CACHE_TTL=PT5S
    91. 

  91. 

  92. will set the cache TTL to `5` seconds.
    93. 

  93. 

  94. Examples:
    95. 

  95. 

  96. .. code-block:: text
    97. 

  97. 

  98.    "PT20.345S" -- parses as "20.345 seconds"
    99. 

  99.    "PT15M"     -- parses as "15 minutes" (where a minute is 60 seconds)
    100. 

  100.    "PT10H"     -- parses as "10 hours" (where an hour is 3600 seconds)
    101. 

  101.    "P2D"       -- parses as "2 days" (where a day is 24 hours or 86400 seconds)
    102. 

  102.    "P2DT3H4M"  -- parses as "2 days, 3 hours and 4 minutes"
    103. 

  103. 

  104. This is **important** because the cache TTL will impact the latency for GeoServer to respond to data access
    105. 

  105. or workspace admin access rules modified or deleted directly through the ACL REST API that happen outside GeoServer.
    106. 

  106. 

  107. If you're implementing a workflow where you're managing ACL rules directly through the ACL service API,
    108. 

  108. you might want to set a shorter cache TTL.
    109. 

  109. 

  110. Alternatively, you can introduce a direct call to the GeoServer REST API to force clearing the cache using
    111. 

  111. the `/rest/reset` endpoint. For example:
    112. 

  112. 

  113. .. code-block:: shell
    114. 

  114. 

  115.    curl -u admin:geoserver -X POST "http://localhost:8080/geoserver/rest/reset"
    116. 

  116. 

  117. The web user interface can also be used to clear out the caches through the "Server Status" page, clicking
    118. 

  118. the `Resource Cache -> Clear` button.
    119. 

  119. 

  120. In either case, you'd see a message like the following in the GeoServer logs, provided the logging configuration
    121. 

  121. enables the info level for the `org.geoserver.acl.authorization.cache` topic:
    122. 

  122. 

  123. .. code-block:: text
    124. 

  124. 

  125.    INFO   [org.geoserver.acl.authorization.cache] - evicted 56 cached ACL authorizations
    126. 

  126. 

  127. .. note::
    128. 

  128.    The cache time to live is not a problem when the plugin runs in `GeoServer Cloud <https://github.com/geoserver/geoserver-cloud>`__,
    129. 

  129.    because the ACL Service integrates with the *GeoServer Cloud* event bus, and notifies all the running pods when a data access
    130. 

  130.    or admin access rule is changed, and the GeoServer microservices react immediately clearing out the authorization cache.
    131.