sqlsession.rst 3.9 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273
  1. .. _data_sqlsession:
  2. Custom SQL session start/stop scripts
  3. =====================================
  4. Starting with version 2.1.4 GeoServer support custom SQL scripts that can be run every time GeoServer
  5. grabs a connection from the connection pool, and every time the session is returned to the pool.
  6. These scripts can be parametrized with the expansion of environment variables, which can be in turn
  7. set into the OGC request parameters with the same mechanism as :ref:`sld_variable_substitution`.
  8. In addition to the parameters provided via the request the ``GSUSER`` variable is guaranteed to
  9. contain the current GeoServer user, or be null if no authentication is available. This is useful
  10. if the SQL sessions scripts are used to provide tight control over database access
  11. The SQL script can expand environment variables using the ``${variableName, defaultValue}`` syntax,
  12. for example the following alters the current database user to be the same as the GeoServer current user,
  13. or ``geoserver`` in case no user was authenticated
  14. .. code-block::
  15. SET SESSION AUTHORIZATION ${GSUSER,geoserver}
  16. Using SQL session scripts to control authorizations at the database level
  17. -------------------------------------------------------------------------
  18. GeoServer connects to a database via a connection pool, using the same rights as the user that
  19. is specified in the connection pool setup.
  20. In a setup that provides a variety of services and tables the connection pool user must have
  21. a rather large set of rights, such as table selection (WMS), table insert/update/delete (WFS-T) and
  22. even table creation (data upload via RESTConfig, WPS Import process and eventual new processes leveraging
  23. direct database connections).
  24. What a user can do can be controlled by means of the GeoServer security subsystem, but in high security
  25. setups this might not be considered enough, and a database level access control be preferred instead.
  26. In these setups normally the connection pool user has limited access, such as simple read only access,
  27. while specific users are allowed to perform more operations.
  28. When setting up such a solution remember the following guidelines:
  29. * The connection pool user must be able to access all table metadata regardless of whether it is able
  30. to actually perform a select on the tables (dictionary tables/describe functionality must be always accessible)
  31. * The connection pool must see each and every column of tables and views, in other words, the
  32. structure of the tables must not change as the current user changes
  33. * the database users and the GeoServer user must be kept in synch with some external tools, GeoServer
  34. provides no out of the box facilities
  35. * during the GeoServer startup the code will access the database to perform some sanity checks,
  36. in that moment there is no user authenticated in GeoServer so the code will run under whatever
  37. user was specified as the "default value" for the ``GSUSER`` variable.
  38. * The user that administers GeoServer (normally ``admin``, but it can be renamed, and other users
  39. given the administration roles too) must also be a database user, all administrative access on the
  40. GeoServer GUI will have that specific user controlling the session
  41. Typical use cases:
  42. * Give insert/update/delete rights only to users that must use WFS-T
  43. * Only allow the administrator to create new tables
  44. * Limit what rows of a table a user can see by using dynamic SQL views taking into account the
  45. current user to decide what rows to return
  46. To make a point in case, if we want the PostgreSQL session to run with the current GeoServer user
  47. credentials the following scripts will be used:
  48. .. figure:: images/postgresqlSession.png
  49. :align: center
  50. *Setting up session authorization for PostgreSQL*
  51. The first command makes the database session use either the current GeoServer user, or the ``geoserver``
  52. user if no authentication was available (anonymous user, or startup situation).
  53. The second command resets the session to the rights of the connection pool user.