GeoNode / geonode

GeoNode is an open source platform that facilitates the creation, sharing, and collaborative use of geospatial data.
https://geonode.org/

Update documentation regarding how to secure datasets and default geofence rules #11973

Open vidlb opened 6 months ago

vidlb commented 6 months ago

Expected Behavior

A dataset should be visible by other users when shared with them using the "Share" tab in the main UI.

Actual Behavior

My layer is only visible for the user who uploaded it. Allowing view for the "registered members" group does not work, same thing if I create a rule to share with a specific user. Allowing "anonymous" to view also doesn't work.

Steps to Reproduce the Problem

  1. Set the first geofence rule by denying everything
  2. Upload a dataset
  3. Allow registered members to view
  4. Login with another user than the dataset owner and try to query data
  5. Dataset appears in the list, but the WMS doesn't work. Geoserver throws errors "could not find layer"

First I thought this was due to https://github.com/GeoNode/geonode/issues/11447 but the update to 4.2.2 couldn't fix this. @giohappy any guess ?

Specifications

vidlb commented 6 months ago

It seems the "0" rule in geofence where everything is denied is a problem. Is it still the recommended way ?

I just changed the role from "*" to "ROLE_ANONYMOUS" and it's now working as expected (only registered members are allowed to query the dataset). It may be enough for me since I want all my layers visible by logged in users, but it won't for complex group setups, and it's a problem if following the docs ends up in denied access on datasets.

Maybe something should be clarified in the docs, regarding geofence and how to properly set rules. Right now it isn't clear to me whether I should manually set rules using geoserver interface, and which role to use (registered, anonymous, etc.). Or if this should be done using geonode UI only.

kikislater commented 6 months ago

@vidlb Could you please explain where in geoserver do you change:

> I just changed the role from "*" to "ROLE_ANONYMOUS" and it's now working as expected

vidlb commented 6 months ago

@kikislater this is in Security / GeoFence data rule.
By default there is nothing there, but the docs stated that you need to add a first rule (0) applying to all (*) to deny requests, then rules for a specific dataset are automatically added when a dataset is uploaded or shared via geonode interface.
But this somehow isn't right since it will block every request even if you share the dataset with a group (only the dataset owner will be allowed).
Not sure if this is a geoserver or geonode issue...

kikislater commented 6 months ago

Ok so you mean under Setup of the GeoFence Server and Rules, the 2. Check the GeoFence default Rules from the docs: https://docs.geonode.org/en/master/advanced/components/index.html#setup-of-the-geofence-server-and-rules

You changed this rule to anonymous: geofence rule

Screenshots are out of date from this page and some commands are not updated, like in Troubleshooting and Advanced Features (api). So I wonder how reliable is ... and why in something replicable like docker the rule is not here

vidlb commented 6 months ago

Yes this is the one. For sure if no rule is created, every dataset is visible by anyone. In my case this was critical since our dataset cannot be public, for now.

I found out most people are using geonode as an open data platform, so this stuff about securing datasets may be outdated / less maintained indeed. It's also difficult if you need to share via WFS / WMS, since there are no login mechanism for geonode integrated into QGIS, and you cannot use geonode login credentials to authenticate web services (you must create geoserver users for this).

kikislater commented 6 months ago

I don't have this rule (even the one said in docs than modified one you mentioned) in docker and layers are not public ... there are several issues with groups and permissions, it's a bit annoying

> there are no login mechanism for geonode integrated into QGIS, and you cannot use geonode login credentials to authenticate web services (you must create geoserver users for this).

You can use geonode plugin to do that, but I agree it's not convenient.

vidlb commented 6 months ago

I know about the plugin; it's annoying because you cannot choose any parameter (in my case I want to query with TILED parameter and make use of GWC, but it's not possible, layers are added as plain WMS without tiling, so the tile cache isn't used)

vidlb commented 6 months ago

> I don't have this rule (even the one said in docs than modified one you mentioned) in docker and layers are not public

Are you sure about that ? They may not appear in geonode welcome page, but have you tried a direct WMS query, without token ? I don't see why this would work for you but not for me, which version is it ?

vidlb commented 6 months ago

Well I tried again after removing the rule and indeed, I got the "Could not find layer" message, so I don't know if something changed or is it just I was testing it wrong ?
Is it possible that my cookie / token was accessible while trying the query from a firefox private window ?

Now I don't understand how unauthenticated requests are blocked, if not by geofence. In any case, the docs need to be updated

kikislater commented 6 months ago

For my understanding, rules are per layer. For example: image

vidlb commented 5 months ago

What I mean is that the only "DENY" rules I see are for download or WFS, all other are "ACCEPT" for "ROLE_AUTHENTICATED".
So now that I removed the "DENY ALL" - 0 rule I don't understand what is keeping me from accessing a layer via WMS while being anonymous.
This was the purpose of this DENY ALL rule from the (outdated) docs.
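
The rule ordering discussed in this thread, as an added sketch that is not from any participant or from the GeoNode/GeoFence code: a simplified model that assumes GeoFence applies the first matching rule in priority order and denies when nothing matches. The layer name, priorities and the three rule sets are constructed; the `shadowed` helper is hypothetical and flags ALLOW rules hidden behind an earlier DENY.

```python
from dataclasses import dataclass

ANY = "*"

@dataclass(frozen=True)
class Rule:
    priority: int  # lower number is evaluated first
    role: str      # "*" matches any role
    layer: str     # "*" matches any layer
    service: str   # "*" matches any service
    access: str    # "ALLOW" or "DENY"

def _covers(pattern, value):
    return pattern == ANY or pattern == value

def evaluate(rules, roles, layer, service):
    """Access granted by the first matching rule in priority order."""
    for r in sorted(rules, key=lambda r: r.priority):
        role_ok = r.role == ANY or r.role in roles
        if role_ok and _covers(r.layer, layer) and _covers(r.service, service):
            return r.access
    return "DENY"  # assumption: no matching rule means no access

def shadowed(rules):
    """ALLOW rules that can never fire because an earlier DENY covers them."""
    ordered = sorted(rules, key=lambda r: r.priority)
    hidden = []
    for i, rule in enumerate(ordered):
        if rule.access == "ALLOW" and any(
            e.access == "DENY" and _covers(e.role, rule.role)
            and _covers(e.layer, rule.layer) and _covers(e.service, rule.service)
            for e in ordered[:i]
        ):
            hidden.append(rule)
    return hidden

# Constructed rule sets (layer name and priorities are made up).
LAYER_ALLOW = Rule(1, "ROLE_AUTHENTICATED", "geonode:roads", "WMS", "ALLOW")
AS_REPORTED = [Rule(0, ANY, ANY, ANY, "DENY"), LAYER_ALLOW]
WORKAROUND = [Rule(0, "ROLE_ANONYMOUS", ANY, ANY, "DENY"), LAYER_ALLOW]
NO_CATCH_ALL = [LAYER_ALLOW]

if __name__ == "__main__":
    member, anon = {"ROLE_AUTHENTICATED"}, {"ROLE_ANONYMOUS"}
    for name, rules in [("as reported", AS_REPORTED), ("workaround", WORKAROUND),
                        ("no catch-all", NO_CATCH_ALL)]:
        print(name, "member:", evaluate(rules, member, "geonode:roads", "WMS"),
              "anonymous:", evaluate(rules, anon, "geonode:roads", "WMS"),
              "shadowed:", [r.priority for r in shadowed(rules)])
```

Under these assumptions the model reproduces the three observations in the thread: the priority-0 `*` DENY hides the per-layer ALLOW, scoping it to `ROLE_ANONYMOUS` lets registered members through, and with no catch-all rule anonymous WMS requests are still denied.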