Home Explore Help
Register Sign In
siwei
/
web-server
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Branch: master
Branches Tags
web-server
/
doc
/
en
/
user
/
source
/
security
/
usergrouprole
/
interaction.rst

interaction.rst 3.0 KB
Permalink History Raw

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455 
  1. .. _security_rolesystem_interaction:
    2. 

  2. 

  3. Interaction between user/group and role services
    4. 

  4. ================================================
    5. 

  5. 

  6. The following section describes the interaction between the :ref:`security_rolesystem_usergroupservices` and the :ref:`security_rolesystem_roleservices`.
    7. 

  7. 

  8. Calculating the roles of a user
    9. 

  9. -------------------------------
    10. 

  10. 

  11. The diagram below illustrates how a user/group service and a role service interact to calculate user roles.
    12. 

  12. 

  13. .. figure:: images/usergrouprole1.png
    14. 

  14.    :align: center
    15. 

  15. 

  16.    *User/group and role service interacting for role calculation*
    17. 

  17. 

  18. On fetching an enabled user from a user/group service, the roles(s) assigned to that user must be identified. The identification procedure is:
    19. 

  19. 

  20. #. Fetch all enabled groups for the user. If a group is disabled, it is discarded.
    21. 

  21. #. Fetch all roles associated with the user and add the roles to the result set.
    22. 

  22. #. For each enabled group the user is a member of, fetch all roles associated with the group and add the roles to the result set.
    23. 

  23. #. For each role in the result set, fetch all ancestor roles and add those roles to the result set.
    24. 

  24. #. Personalize each role in the result set as required.
    25. 

  25. #. If the result set contains the local admin role, add the role ``ROLE_ADMINISTRATOR``.
    26. 

  26. #. If the result set contains the local group admin role, add the role ``ROLE_GROUP_ADMIN``.
    27. 

  27. 

  28. .. note::
    29. 

  29. 

  30.    Role personalization looks for role parameters (key/value pairs) for each role and checks if the user properties (key/value pairs) contain an identical key. If any matches are found, the value of the role parameter is replaced by the value of the user property.
    31. 

  31. 

  32. 

  33. Authentication of user credentials
    34. 

  34. ----------------------------------
    35. 

  35. 

  36. A user/group service is primarily used during authentication. An authentication provider in the :ref:`security_auth_chain` may use a user/group service to authenticate user credentials. 
    37. 

  37. 

  38. .. figure:: images/usergrouprole2.png
    39. 

  39.    :align: center
    40. 

  40. 

  41.    *Using a a user/group service for authentication*
    42. 

  42. 

  43. GeoServer defaults
    44. 

  44. ------------------
    45. 

  45. 

  46. The following diagram illustrates the default user/group service, role service, and authentication provider in GeoServer:
    47. 

  47. 

  48. .. figure:: images/usergrouprole3.png
    49. 

  49.    :align: center
    50. 

  50. 

  51.    *Default GeoServer security configuration*
    52. 

  52. 

  53. Two authentication providers are configured—the *Root* provider and the *Username/password* provider. The *Root* provider authenticates for the GeoServer :ref:`security_root` and does not use a user/group service. The *Username/password* provider is the default provider and relays username and password credentials to a user/group service.
    54. 

  54. 

  55. A single user/group service, which persist the user database as XML, is present. The database contains a single user named ``admin`` and no groups. Similarly, the role service persists the role database as XML. By default, this contains a single role named ``ADMIN``, which is associated with the ``admin`` user. The ``ADMIN`` role is mapped to the ``ROLE_ADMINISTRATOR`` role and as a result, the ``admin`` user is associated with system administrator role during role calculation.
    56.