Skip to content
This repository has been archived by the owner on May 17, 2022. It is now read-only.

3liz/pyqgisservercontrib-lizmap-access-policy

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

16 Commits
pyqgisservercontrib/lizmapaccesspolicy
pyqgisservercontrib/lizmapaccesspolicy
 
 
tests
tests
 
 
.gitignore
.gitignore
 
 
.gitlab-ci.yml
.gitlab-ci.yml
 
 
LICENSE.txt
LICENSE.txt
 
 
MANIFEST.in
MANIFEST.in
 
 
Makefile
Makefile
 
 
README.md
README.md
 
 
requirements.tests
requirements.tests
 
 
requirements.txt
requirements.txt
 
 
setup.py
setup.py
 
 

Repository files navigation

Lizmap access policy filter plugin for py-qgis-wps

Middleware filter for managing access control policy for py-qgis-wps

Description

This extension allow to define access policy for WPS processe for Lizmap user and Lizmap groups

Access policies ared defined with two directives: 'deny' and 'allow'. Each entry define a list of ar defined as comma separated list of processes identifiers. Globbing style wildcards are allowed.

Order of evaluation is allow/deny, if one directive match, the other is not evaluated. If none match then full access is granted.

Example of access policy definition that allow only 'scripts' processing scripts for group operators:

   - deny: all
     allow: 'script:*'
     groups: operator

Forbidden processes will not show in GetCapabilities and DescribeProcess or Execute will return a 403 HTTP error.

Multiple rules can be configured, first all allow directives will be tested then all deny directive. That is, order is not significant when defining rules.

Policy configuration

Policy rules are configured using a YAML file. The path to this configuration file is given by the QGSRV_LIZMAP_POLICY environment variable or the policy variable in the server section of the py-qgis-server configuration.

Example of policy configuration:

# Hot reload policy configuration when file change - no
# need to restart server 
autoreload: yes

# Define access policies
policies:
    # Global policy, forbid access to all processes to everybody
    - deny: all

    # Policy for groups admin and operator
    - allow:  'scripts:*'
      groups: 
        - admin
        - operator

    # Allow 'scripts:private' only for users 'franck' and 'helen'
    - allow: 'scripts:private'
      users: franck, helen

    # Policy rule for group operator that apply only for map 'france_parts'
    - allow: 'pyqgiswps_test:testsimplevalue'
      groups: 
        - operator
      maps:  
        - 'france_parts

    # Policy 'pyqgiswps_test:*' for everyone but only for map 'france_parts'
    - allow: 'pyqgiswps_test:*'
      maps: 'france_parts'


# Include other policies
include_policies:
    - lizmapacls/*/*.yml

Policy directives

  • deny : a list of processes forbidden, globing style wildcards are allowed.
  • allow: a list of allowed processes, globing style wildcards are allowed.
  • users: a list of users for which the rule apply
  • groups: a list of groups for which the rule apply
  • maps: a liste of MAPS parameter for which the rule apply, globing wildcards are allowed.

About

Middleware filter for managing access control policy for https://github.com/3liz/py-qgis-wps

Topics

security extension python3 wps py-qgis-wps

Resources

Readme

License

MPL-2.0 license

Security policy

Security policy
Activity
Custom properties

Stars

0 stars

Watchers

5 watching

Forks

0 forks
Report repository

Releases

2 tags

Sponsor this project

Packages

No packages published

Languages