Authorization

GBD WebSuite authorization is role-based, with pluggable authorization providers. Each user in the system has a list of accociated roles. The access to specific objects is based on user’s roles.

Access rules

Some types of the objects in the configuration can have access configurations attached to them:

  • main application

  • server action

  • project

  • map

  • layer

Additionally, some actions define internal access blocks for specific commands.

An access block is a list of AccessRule objects. Each AccessRule contains

  • the type of the rule - “allow” or “deny”,

  • the role name this rule applies to

When the user requests an object, the server checks the access rules defined in this object against the list of the user’s roles. If any role has been found, the access is granted or denied, depending on the rule, otherwise the parent object is checked, until the root of the object hierarchy is reached, in which case the access is denied.

Roles

A role is just an identifier and can be freely choosen. There are a few predefined roles that have special meaning in GBD WebSuite:

guest

Not logged-in user

user

Any logged-in user

all

All users, logged-in and guests

admin

Administrator. Users that have this role are automatically granted access to all resources

Authorization strategies

Since access rules are inherited, the first thing you have to configure is the root access block. If your projects are mostly public (or when you don’t need any authorization at all), you can grant access to “all” in the topmost config

## in the main config:

"access": [
    {
        "type": "allow",
        "role": "all"
    }
]

Now, if you need to restrict access to some object, e.g. a project, you need two access rules: one to allow a specific role, and one to deny “all”

## in the project config:

"access": [
    {
        "type": "allow",
        "role": "member"
    },
    {
        "type": "deny",
        "role": "all"
    }
]

On the other side, if most of your projects require a login, it’s easier to start with a “deny all” rule

## in the main config:

"access": [
    {
        "type": "deny",
        "role": "all"
    }
]

and then explicitly allow access to specific objects

# in the project config:

"access": [
    {
        "type": "allow",
        "role": "member"
    }
]

Authorization providers

When the user logs in, their credentials are passed to all configured providers in turn. If some provider accepts the credentials, it is supposed to return a list of roles for this user.

file

The file provider uses a simple json file to store authorization data. The json is just an array of “user” objects

[
    {
        "login": "user login",
        "password": "sha512 encoded password",
        "name": "display name for the user",
        "roles": [ "role1", "role2", ...]
    },
    {
        ...
    }
}

The name and the location of the file is up to you, just specify its absolute path in the configuration. To generate the encoded password, use the auth passwd command.

ldap

The ldap provider can authorize users against an ActiveDirectory or an OpenLDAP server. You should configure at least an URL of the server and a set of rules to map LDAP filters to GWS role names. Here’s an example configuration using the test LDAP server provided by forumsys.com

{
    "type": "ldap",

    ## the URL format is  "ldap://host:port/baseDN?searchAttribute":

    "url": "ldap://ldap.forumsys.com:389/dc=example,dc=com?uid",

    ## credentials to bind to the server:

    "bindDN": "cn=read-only-admin,dc=example,dc=com",
    "bindPassword": "password",

    ## map filters to roles:

    "users": [

        ## LDAP user "newton" possesses the GWS role "moderator" and "member":

        {
            "matches": "(&(cn=newton))",
            "roles": ["moderator", "member"]
        },

        ## all members of the LDAP group "mathematicians" possess the GWS role "member":

        {
            "memberOf": "(&(ou=mathematicians))",
            "roles": ["member"]
        }
    ]
}