Emanuele Tajariol edited this page Jan 12, 2022 · 1 revision

Rule matching

This page explains how a user request toward GeoServer is evaluated in the GeoFence rule engine.

Request

When a user asks GeoServer for a resource, GeoServer will check if the user is authorized to operate on the resource.

GeoServer will then ask GeoFence for an authorization, passing a filter that specifies who made the request (e.g. the GeoServer instance, the username of the user requesting the resource, the calling IP address) and what the object of the request is (the service, e.g. WMS, WFS, ...; the workspace involved; the layer).

Rule evaluation

Such a filter will be matched against the rule fields.

  1. Given a filter, read all the matching rules;

  2. Loop on the found rules in the proper priority order, and check:

    1. if the action type is LIMIT, collect the constraints in this rule and go on examining the next rules;
    2. if the action type is DENY, the request is not authorized;
    3. if the action type is ALLOW, the request is authorized; the collected limit constraints, if any, shall be merged and applied.

Constraints merging

Constraints are merged in the most restrictive way:

  • resulting allowed area will be the intersection of all the allowed areas;

  • resulting allowed attributes will be the intersection of the allowed attributes in every LIMIT rule, with the least permissive access (this is not implemented), i.e.:

    Rule    Attr1  Attr2  Attr3  Attr4  Attr5  Attr6  Attr7  Attr8  Attr9
    Rule1   RW     RW     RW     RO     RO     RO     Deny   Deny   Deny
    Rule2   RW     RO     Deny   RW     RO     Deny   RW     RO     Deny
    Result  RW     RO     Deny   RO     RO     Deny   Deny   Deny   Deny

Merging groups

If a user belongs to more than one group, the step "rule evaluation" is repeated for each group the user belongs to.

For each group, the final authorizations (the outcome explained in the previous section) will be computed and collected.

At the end, the authorizations in each group will be merged in an additive way, so that the user will have all the privileges granted to each group the user belongs to.

It means that:

  • resulting allowed area will be the union of all the allowed areas;

  • resulting attribute access will be summed with the most permissive access in each authorization outcome:

    Rule    Attr1  Attr2  Attr3  Attr4  Attr5  Attr6  Attr7  Attr8  Attr9
    Rule1   RW     RW     RW     RO     RO     RO     Deny   Deny   Deny
    Rule2   RW     RO     Deny   RW     RO     Deny   RW     RO     Deny
    Result  RW     RW     RW     RW     RO     RO     RW     RO     Deny
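
The evaluation loop and both merge directions described on this page, as an added Python sketch (not GeoFence's own code). It models the attribute merge as the page describes it, although the page notes that part is not implemented. Assumptions: rules arrive already filtered and sorted by priority, areas are sets of made-up grid cell ids, `None` means "unrestricted", and a rule list that never reaches ALLOW is treated as not authorized.

```python
from functools import reduce

# Access levels from the page's tables, least to most permissive.
LEVEL = {"Deny": 0, "RO": 1, "RW": 2}
NAME = {rank: name for name, rank in LEVEL.items()}

def merge_attrs(a, b, pick):
    """pick=min gives the restrictive merge, pick=max the additive one.
    Assumption: both maps list the same attribute names."""
    return {k: NAME[pick(LEVEL[a[k]], LEVEL[b[k]])] for k in a}

def evaluate_group(rules):
    """rules: matching rules for one group, already in priority order.
    Returns None when not authorized, else the collected constraints."""
    area = attrs = None  # None = nothing collected yet (unrestricted)
    for rule in rules:
        if rule["action"] == "LIMIT":
            if rule.get("area") is not None:
                area = rule["area"] if area is None else area & rule["area"]
            if rule.get("attrs") is not None:
                attrs = (rule["attrs"] if attrs is None
                         else merge_attrs(attrs, rule["attrs"], min))
        elif rule["action"] == "DENY":
            return None
        elif rule["action"] == "ALLOW":
            return {"area": area, "attrs": attrs}
    return None  # assumption: no ALLOW reached means not authorized

def _add(a, b):
    # An unrestricted side (None) keeps the additive result unrestricted.
    area = None if None in (a["area"], b["area"]) else a["area"] | b["area"]
    attrs = (None if None in (a["attrs"], b["attrs"])
             else merge_attrs(a["attrs"], b["attrs"], max))
    return {"area": area, "attrs": attrs}

def merge_groups(outcomes):
    """Additive merge of per-group outcomes; denied groups add nothing."""
    grants = [o for o in outcomes if o is not None]
    return reduce(_add, grants) if grants else None

# Constructed sample: attribute rows copied from the page's tables.
ATTRS = [f"Attr{i}" for i in range(1, 10)]
ROW1 = dict(zip(ATTRS, "RW RW RW RO RO RO Deny Deny Deny".split()))
ROW2 = dict(zip(ATTRS, "RW RO Deny RW RO Deny RW RO Deny".split()))
GROUP_A = [{"action": "LIMIT", "area": {1, 2, 3}, "attrs": ROW1},
           {"action": "LIMIT", "area": {2, 3, 4}, "attrs": ROW2},
           {"action": "ALLOW"}]
GROUP_B = [{"action": "DENY"}, {"action": "ALLOW"}]
```

Because the group merge is additive, a DENY reached in one group does not revoke what another group grants: `merge_groups([evaluate_group(GROUP_A), evaluate_group(GROUP_B)])` returns group A's outcome unchanged.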