Startseite Erkunden Hilfe
Registrieren Anmelden
siwei
/
web-server
1
0
Fork 0
Dateien Issues 0 Pull-Requests 0 Wiki
Branch: master
Branches Tags
web-server
/
doc
/
en
/
user
/
source
/
services
/
wps
/
security.rst

security.rst 4.2 KB
Permalink Verlauf Originalformat

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172 
  1. .. _wps_security:
    2. 

  2. 

  3. WPS Security and input limits
    4. 

  4. =============================
    5. 

  5. 

  6. GeoServer service security is normally based on the generic :ref:`OGC security configuration <security_service>`, however, when it comes to WPS there is also a need to **restrict access to individual processes**, in the same way that data security restricts access to layers.
    7. 

  7. 

  8. WPS security allows access to be determined by process group or by single process. Each process and process group can be enabled/disabled, or subject to access control based on the user roles.
    9. 

  9. 

  10. .. figure:: images/security.png
    11. 

  11.    
    12. 

  12.    The WPS security page
    13. 

  13. 

  14. The WPS security configurations can be changed using the :ref:`web_admin` on the :guilabel:`WPS security` page under :guilabel:`Security`.
    15. 

  15. 

  16. .. figure:: images/security_link.png
    17. 

  17. 

  18.    Click to access the WPS security settings
    19. 

  19. 

  20. Setting access roles
    21. 

  21. --------------------
    22. 

  22. 

  23. The list of roles attached to each group or process will determine which users can access which processes. If the list is empty the group/process will be available to all users, unless it has been disabled, in which case it won't be available to anyone.
    24. 

  24. 

  25. The roles string must be a list of roles separated by semicolons. The role editor provides auto-completion and also allows quick copy and paste of role lists from one process definition to the other:
    26. 

  26. 

  27. .. figure:: images/security_roles.png
    28. 

  28. 

  29.    Role selector field with auto-complete
    30. 

  30. 

  31. Access modes
    32. 

  32. ------------
    33. 

  33. 

  34. The process access mode configuration specifies how GeoServer will advertise secured processes and behave when a secured process is accessed without the necessary privileges. The parameter can be one of three values:
    35. 

  35. 

  36. * **HIDE** (default): The processes not available to the current user will be hidden from the user (not listed in the capabilities documents). Direct access will result in GeoServer claiming the process does not exist.
    37. 

  37. * **CHALLENGE**: All processes will be shown in the capabilities documents, but an authentication request will be raised if a secured process is specifically requested by a user that does not have sufficient access rights
    38. 

  38. * **MIXED**: The secured processes will not be shown in the capabilities documents for users not having sufficient access rights, but an authentication request will still be raised if a secured process is requested. 
    39. 

  39. 

  40. Complex Inputs
    41. 

  41. --------------
    42. 

  42. 

  43. By default, Execute requests support loading complex inputs from references to local files and external servers. This behavior can be restricted in the **Complex Inputs** section. When the flag is checked, an Execute request with an input reference that is not an internal WCS/WFS/WPS request will result in a service exception reporting the error.
    44. 

  44. 

  45. Input limits
    46. 

  46. ------------
    47. 

  47. 

  48. The amount of resources used by a process is usually related directly to the inputs of the process itself. With this in mind, administrators can set three different type of limits on each process inputs:
    49. 

  49. 

  50. * The maximum size of complex inputs
    51. 

  51. * The range of acceptable values for numeric values
    52. 

  52. * The maximum multiplicity of repeatable inputs
    53. 

  53. 

  54.   .. note:: As an example of the last point, think of contour extraction, where the number of levels for the contours can drastically affect the execution time
    55. 

  55. 

  56. GeoServer allows the administrator to configure these limits, and fail requests that don't respect them.
    57. 

  57. 

  58. The maximum size can be given a global default on the :guilabel:`WPS security` page. It is also possible to define limits on a per-process basis by navigating to the process limits editor in the process list.
    59. 

  59. 

  60. .. note:: Processes having a ``*`` beside the link have a defined set of limits
    61. 

  61. 

  62. .. figure:: images/security_processselector.png
    63. 

  63. 

  64.    The process selector, with access constraints and links to the limits configuration
    65. 

  65. 

  66. The process limits editor shows all inputs for which a limit can be provided. An empty field means that limits are disabled for that input.
    67. 

  67. 

  68. .. figure:: images/security_processlimits.png
    69. 

  69. 

  70.    The process limit page, with input limits configured
    71. 

  71. 

  72. .. warning:: In order for the limits to be saved: click on :guilabel:`OK` on this :guilabel:`Process limits` page; and then click :guilabel:`OK` on the :guilabel:`Process selection` page; and finally :guilabel:`Save` on the :guilabel:`WPS security` page.
    73.