Layer groups not appearing in WMS GetCapabilities

classic Classic list List threaded Threaded
7 messages Options
Reply | Threaded
Open this post in threaded view
|

Layer groups not appearing in WMS GetCapabilities

Mikael Vaaltola
Hello everyone,

I'm having issues with GeoServer layer security and layer groups. I would like to have a global rule to prevent unauthenticated users access, and then manually designate layers, layer groups and workspaces that unauthenticated users can read. My problem is that layer groups are not returned in the GetCapabilities request for unauthenticated users despite giving read access.

I tested this with GS 2.15.0 on W10 using the Windows installer and default data. I created a "tasmania_group" layer group inside the topp workspace. The layer group mode is single and the layer group contains only the topp:tasmania_roads layer with the CRS and bounds properly set. I have the following rules in layers.properties:

*.*.r=ROLE_AUTHENTICATED,GROUP_ADMIN,ADMIN # prevent unauthenticated users from reading anything
*.*.w=GROUP_ADMIN,ADMIN
topp.*.*r=* # allow everyone to read the topp workspace
tasmania.r=* # allow everyone to read the global layer group tasmania that comes in default datadirectory
topp.tasmania_group.r=* # allow everyone to read the layer group I created
mode=HIDE # hide layers user does not have read access to

WMS GetCapabilities request returns all layers in topp workspace for unauthenticated users, and all layers for authenticated users. However, the layer groups are not included in the GetCapabilities response for unauthenticated users. Unauthenticated users can still do GetMap requests for tasmania and topp:tasmania_group layer groups without issues.

How could I get the layer groups to appear in GetCapabilities response for unauthenticated users? Using CHALLENGE mode is unfortunately not a suitable option for my use case. I have a feeling I'm missing something, but I couldn't find an answer in the documentation. Thank you in advance for any help and suggestions.

Best regards,
Mikael Vaaltola
Gispo Oy


_______________________________________________
Geoserver-users mailing list

Please make sure you read the following two resources before posting to this list:
- Earning your support instead of buying it, but Ian Turton: http://www.ianturton.com/talks/foss4g.html#/
- The GeoServer user list posting guidelines: http://geoserver.org/comm/userlist-guidelines.html

If you want to request a feature or an improvement, also see this: https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer


[hidden email]
https://lists.sourceforge.net/lists/listinfo/geoserver-users
Reply | Threaded
Open this post in threaded view
|

Re: Layer groups not appearing in WMS GetCapabilities

Humphries, Graham (StateGrowth)

You can get the layer groups from the REST service.

EG: https://<host>/geoserver/rest/workspaces/ssg/layergroups.json

 

Cheers,

Graham H

 

From: Mikael Vaaltola [mailto:[hidden email]]
Sent: Saturday, 30 March 2019 1:38 AM
To: [hidden email]
Subject: [Geoserver-users] Layer groups not appearing in WMS GetCapabilities

 

Hello everyone,

 

I'm having issues with GeoServer layer security and layer groups. I would like to have a global rule to prevent unauthenticated users access, and then manually designate layers, layer groups and workspaces that unauthenticated users can read. My problem is that layer groups are not returned in the GetCapabilities request for unauthenticated users despite giving read access.

 

I tested this with GS 2.15.0 on W10 using the Windows installer and default data. I created a "tasmania_group" layer group inside the topp workspace. The layer group mode is single and the layer group contains only the topp:tasmania_roads layer with the CRS and bounds properly set. I have the following rules in layers.properties:

 

*.*.r=ROLE_AUTHENTICATED,GROUP_ADMIN,ADMIN # prevent unauthenticated users from reading anything

*.*.w=GROUP_ADMIN,ADMIN

topp.*.*r=* # allow everyone to read the topp workspace

tasmania.r=* # allow everyone to read the global layer group tasmania that comes in default datadirectory

topp.tasmania_group.r=* # allow everyone to read the layer group I created

mode=HIDE # hide layers user does not have read access to

 

WMS GetCapabilities request returns all layers in topp workspace for unauthenticated users, and all layers for authenticated users. However, the layer groups are not included in the GetCapabilities response for unauthenticated users. Unauthenticated users can still do GetMap requests for tasmania and topp:tasmania_group layer groups without issues.

 

How could I get the layer groups to appear in GetCapabilities response for unauthenticated users? Using CHALLENGE mode is unfortunately not a suitable option for my use case. I have a feeling I'm missing something, but I couldn't find an answer in the documentation. Thank you in advance for any help and suggestions.

 

Best regards,

Mikael Vaaltola

Gispo Oy




CONFIDENTIALITY NOTICE AND DISCLAIMER
The information in this transmission may be confidential and/or protected by legal professional privilege, and is intended only for the person or persons to whom it is addressed. If you are not such a person, you are warned that any disclosure, copying or dissemination of the information is unauthorised. If you have received the transmission in error, please immediately contact this office by telephone, fax or email, to inform us of the error and to enable arrangements to be made for the destruction of the transmission, or its return at our cost. No liability is accepted for any unauthorised use of the information contained in this transmission.


_______________________________________________
Geoserver-users mailing list

Please make sure you read the following two resources before posting to this list:
- Earning your support instead of buying it, but Ian Turton: http://www.ianturton.com/talks/foss4g.html#/
- The GeoServer user list posting guidelines: http://geoserver.org/comm/userlist-guidelines.html

If you want to request a feature or an improvement, also see this: https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer


[hidden email]
https://lists.sourceforge.net/lists/listinfo/geoserver-users
Reply | Threaded
Open this post in threaded view
|

Re: Layer groups not appearing in WMS GetCapabilities

Mikael Vaaltola
Thank you Graham for your reply,

your advice is correct, the REST API does indeed show the layer groups for unauthenticated users. However, I would also like to have these layer groups included in the capabilities document, so WMS clients that don't use the REST service (e.g. QGIS) could see them. I'm wondering if hiding the layer groups from the capabilities document in this case is intended behaviour or possibly a bug. Any advice would be much appreciated!

Best regards,
Mikael

On Mon, 1 Apr 2019 at 00:27, Humphries, Graham (StateGrowth) <[hidden email]> wrote:

You can get the layer groups from the REST service.

EG: https://<host>/geoserver/rest/workspaces/ssg/layergroups.json

 

Cheers,

Graham H

 

From: Mikael Vaaltola [mailto:[hidden email]]
Sent: Saturday, 30 March 2019 1:38 AM
To: [hidden email]
Subject: [Geoserver-users] Layer groups not appearing in WMS GetCapabilities

 

Hello everyone,

 

I'm having issues with GeoServer layer security and layer groups. I would like to have a global rule to prevent unauthenticated users access, and then manually designate layers, layer groups and workspaces that unauthenticated users can read. My problem is that layer groups are not returned in the GetCapabilities request for unauthenticated users despite giving read access.

 

I tested this with GS 2.15.0 on W10 using the Windows installer and default data. I created a "tasmania_group" layer group inside the topp workspace. The layer group mode is single and the layer group contains only the topp:tasmania_roads layer with the CRS and bounds properly set. I have the following rules in layers.properties:

 

*.*.r=ROLE_AUTHENTICATED,GROUP_ADMIN,ADMIN # prevent unauthenticated users from reading anything

*.*.w=GROUP_ADMIN,ADMIN

topp.*.*r=* # allow everyone to read the topp workspace

tasmania.r=* # allow everyone to read the global layer group tasmania that comes in default datadirectory

topp.tasmania_group.r=* # allow everyone to read the layer group I created

mode=HIDE # hide layers user does not have read access to

 

WMS GetCapabilities request returns all layers in topp workspace for unauthenticated users, and all layers for authenticated users. However, the layer groups are not included in the GetCapabilities response for unauthenticated users. Unauthenticated users can still do GetMap requests for tasmania and topp:tasmania_group layer groups without issues.

 

How could I get the layer groups to appear in GetCapabilities response for unauthenticated users? Using CHALLENGE mode is unfortunately not a suitable option for my use case. I have a feeling I'm missing something, but I couldn't find an answer in the documentation. Thank you in advance for any help and suggestions.

 

Best regards,

Mikael Vaaltola

Gispo Oy




CONFIDENTIALITY NOTICE AND DISCLAIMER
The information in this transmission may be confidential and/or protected by legal professional privilege, and is intended only for the person or persons to whom it is addressed. If you are not such a person, you are warned that any disclosure, copying or dissemination of the information is unauthorised. If you have received the transmission in error, please immediately contact this office by telephone, fax or email, to inform us of the error and to enable arrangements to be made for the destruction of the transmission, or its return at our cost. No liability is accepted for any unauthorised use of the information contained in this transmission.


_______________________________________________
Geoserver-users mailing list

Please make sure you read the following two resources before posting to this list:
- Earning your support instead of buying it, but Ian Turton: http://www.ianturton.com/talks/foss4g.html#/
- The GeoServer user list posting guidelines: http://geoserver.org/comm/userlist-guidelines.html

If you want to request a feature or an improvement, also see this: https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer


[hidden email]
https://lists.sourceforge.net/lists/listinfo/geoserver-users
Reply | Threaded
Open this post in threaded view
|

Re: Layer groups not appearing in WMS GetCapabilities

Humphries, Graham (StateGrowth)

I think you would need to check the OGC standard. I would think there is no requirement to have layer groups in the capabilities document, so it is the intention not to include layer groups.

 

You could write your own I guess.

 

Cheers,

Graham

 

From: Mikael Vaaltola [mailto:[hidden email]]
Sent: Monday, 1 April 2019 11:23 PM
To: Humphries, Graham (StateGrowth) <[hidden email]>
Cc: [hidden email]
Subject: Re: [Geoserver-users] Layer groups not appearing in WMS GetCapabilities

 

Thank you Graham for your reply,

 

your advice is correct, the REST API does indeed show the layer groups for unauthenticated users. However, I would also like to have these layer groups included in the capabilities document, so WMS clients that don't use the REST service (e.g. QGIS) could see them. I'm wondering if hiding the layer groups from the capabilities document in this case is intended behaviour or possibly a bug. Any advice would be much appreciated!

 

Best regards,

Mikael

 

On Mon, 1 Apr 2019 at 00:27, Humphries, Graham (StateGrowth) <[hidden email]> wrote:

You can get the layer groups from the REST service.

EG: https://<host>/geoserver/rest/workspaces/ssg/layergroups.json

 

Cheers,

Graham H

 

From: Mikael Vaaltola [mailto:[hidden email]]
Sent: Saturday, 30 March 2019 1:38 AM
To: [hidden email]
Subject: [Geoserver-users] Layer groups not appearing in WMS GetCapabilities

 

Hello everyone,

 

I'm having issues with GeoServer layer security and layer groups. I would like to have a global rule to prevent unauthenticated users access, and then manually designate layers, layer groups and workspaces that unauthenticated users can read. My problem is that layer groups are not returned in the GetCapabilities request for unauthenticated users despite giving read access.

 

I tested this with GS 2.15.0 on W10 using the Windows installer and default data. I created a "tasmania_group" layer group inside the topp workspace. The layer group mode is single and the layer group contains only the topp:tasmania_roads layer with the CRS and bounds properly set. I have the following rules in layers.properties:

 

*.*.r=ROLE_AUTHENTICATED,GROUP_ADMIN,ADMIN # prevent unauthenticated users from reading anything

*.*.w=GROUP_ADMIN,ADMIN

topp.*.*r=* # allow everyone to read the topp workspace

tasmania.r=* # allow everyone to read the global layer group tasmania that comes in default datadirectory

topp.tasmania_group.r=* # allow everyone to read the layer group I created

mode=HIDE # hide layers user does not have read access to

 

WMS GetCapabilities request returns all layers in topp workspace for unauthenticated users, and all layers for authenticated users. However, the layer groups are not included in the GetCapabilities response for unauthenticated users. Unauthenticated users can still do GetMap requests for tasmania and topp:tasmania_group layer groups without issues.

 

How could I get the layer groups to appear in GetCapabilities response for unauthenticated users? Using CHALLENGE mode is unfortunately not a suitable option for my use case. I have a feeling I'm missing something, but I couldn't find an answer in the documentation. Thank you in advance for any help and suggestions.

 

Best regards,

Mikael Vaaltola

Gispo Oy

 



CONFIDENTIALITY NOTICE AND DISCLAIMER
The information in this transmission may be confidential and/or protected by legal professional privilege, and is intended only for the person or persons to whom it is addressed. If you are not such a person, you are warned that any disclosure, copying or dissemination of the information is unauthorised. If you have received the transmission in error, please immediately contact this office by telephone, fax or email, to inform us of the error and to enable arrangements to be made for the destruction of the transmission, or its return at our cost. No liability is accepted for any unauthorised use of the information contained in this transmission.




CONFIDENTIALITY NOTICE AND DISCLAIMER
The information in this transmission may be confidential and/or protected by legal professional privilege, and is intended only for the person or persons to whom it is addressed. If you are not such a person, you are warned that any disclosure, copying or dissemination of the information is unauthorised. If you have received the transmission in error, please immediately contact this office by telephone, fax or email, to inform us of the error and to enable arrangements to be made for the destruction of the transmission, or its return at our cost. No liability is accepted for any unauthorised use of the information contained in this transmission.


_______________________________________________
Geoserver-users mailing list

Please make sure you read the following two resources before posting to this list:
- Earning your support instead of buying it, but Ian Turton: http://www.ianturton.com/talks/foss4g.html#/
- The GeoServer user list posting guidelines: http://geoserver.org/comm/userlist-guidelines.html

If you want to request a feature or an improvement, also see this: https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer


[hidden email]
https://lists.sourceforge.net/lists/listinfo/geoserver-users
Reply | Threaded
Open this post in threaded view
|

Re: Layer groups not appearing in WMS GetCapabilities

Mikael Vaaltola
Hi,

as far as I know, the WMS standard does not say anything about layer groups, so not including them in the capabilities document could probably not be considered a bug in itself. But layer groups are included in the capabilities document by default (with *.*.r=*). By this logic, shouldn't they be also included in the case where:

*.*.r=ADMIN
<workspace>.<layergroup>.r=*

Not including the layer groups in this case is inconsistent with default behaviour. It also makes it impossible to publish public layer groups via WMS, without running server-side code to modify the capabilities document before returning it. I don't believe this is actually how it's meant to work, but of course I could be wrong. I would like to know if it would be unreasonable to create a new issue on the tracker for this, or what would be the best way to proceed?

Best regards,
Mikael Vaaltola

On Tue, 2 Apr 2019 at 01:24, Humphries, Graham (StateGrowth) <[hidden email]> wrote:

I think you would need to check the OGC standard. I would think there is no requirement to have layer groups in the capabilities document, so it is the intention not to include layer groups.

 

You could write your own I guess.

 

Cheers,

Graham

 

From: Mikael Vaaltola [mailto:[hidden email]]
Sent: Monday, 1 April 2019 11:23 PM
To: Humphries, Graham (StateGrowth) <[hidden email]>
Cc: [hidden email]
Subject: Re: [Geoserver-users] Layer groups not appearing in WMS GetCapabilities

 

Thank you Graham for your reply,

 

your advice is correct, the REST API does indeed show the layer groups for unauthenticated users. However, I would also like to have these layer groups included in the capabilities document, so WMS clients that don't use the REST service (e.g. QGIS) could see them. I'm wondering if hiding the layer groups from the capabilities document in this case is intended behaviour or possibly a bug. Any advice would be much appreciated!

 

Best regards,

Mikael

 

On Mon, 1 Apr 2019 at 00:27, Humphries, Graham (StateGrowth) <[hidden email]> wrote:

You can get the layer groups from the REST service.

EG: https://<host>/geoserver/rest/workspaces/ssg/layergroups.json

 

Cheers,

Graham H

 

From: Mikael Vaaltola [mailto:[hidden email]]
Sent: Saturday, 30 March 2019 1:38 AM
To: [hidden email]
Subject: [Geoserver-users] Layer groups not appearing in WMS GetCapabilities

 

Hello everyone,

 

I'm having issues with GeoServer layer security and layer groups. I would like to have a global rule to prevent unauthenticated users access, and then manually designate layers, layer groups and workspaces that unauthenticated users can read. My problem is that layer groups are not returned in the GetCapabilities request for unauthenticated users despite giving read access.

 

I tested this with GS 2.15.0 on W10 using the Windows installer and default data. I created a "tasmania_group" layer group inside the topp workspace. The layer group mode is single and the layer group contains only the topp:tasmania_roads layer with the CRS and bounds properly set. I have the following rules in layers.properties:

 

*.*.r=ROLE_AUTHENTICATED,GROUP_ADMIN,ADMIN # prevent unauthenticated users from reading anything

*.*.w=GROUP_ADMIN,ADMIN

topp.*.*r=* # allow everyone to read the topp workspace

tasmania.r=* # allow everyone to read the global layer group tasmania that comes in default datadirectory

topp.tasmania_group.r=* # allow everyone to read the layer group I created

mode=HIDE # hide layers user does not have read access to

 

WMS GetCapabilities request returns all layers in topp workspace for unauthenticated users, and all layers for authenticated users. However, the layer groups are not included in the GetCapabilities response for unauthenticated users. Unauthenticated users can still do GetMap requests for tasmania and topp:tasmania_group layer groups without issues.

 

How could I get the layer groups to appear in GetCapabilities response for unauthenticated users? Using CHALLENGE mode is unfortunately not a suitable option for my use case. I have a feeling I'm missing something, but I couldn't find an answer in the documentation. Thank you in advance for any help and suggestions.

 

Best regards,

Mikael Vaaltola

Gispo Oy

 



CONFIDENTIALITY NOTICE AND DISCLAIMER
The information in this transmission may be confidential and/or protected by legal professional privilege, and is intended only for the person or persons to whom it is addressed. If you are not such a person, you are warned that any disclosure, copying or dissemination of the information is unauthorised. If you have received the transmission in error, please immediately contact this office by telephone, fax or email, to inform us of the error and to enable arrangements to be made for the destruction of the transmission, or its return at our cost. No liability is accepted for any unauthorised use of the information contained in this transmission.




CONFIDENTIALITY NOTICE AND DISCLAIMER
The information in this transmission may be confidential and/or protected by legal professional privilege, and is intended only for the person or persons to whom it is addressed. If you are not such a person, you are warned that any disclosure, copying or dissemination of the information is unauthorised. If you have received the transmission in error, please immediately contact this office by telephone, fax or email, to inform us of the error and to enable arrangements to be made for the destruction of the transmission, or its return at our cost. No liability is accepted for any unauthorised use of the information contained in this transmission.


_______________________________________________
Geoserver-users mailing list

Please make sure you read the following two resources before posting to this list:
- Earning your support instead of buying it, but Ian Turton: http://www.ianturton.com/talks/foss4g.html#/
- The GeoServer user list posting guidelines: http://geoserver.org/comm/userlist-guidelines.html

If you want to request a feature or an improvement, also see this: https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer


[hidden email]
https://lists.sourceforge.net/lists/listinfo/geoserver-users
Reply | Threaded
Open this post in threaded view
|

Re: Layer groups not appearing in WMS GetCapabilities

Olyster
In reply to this post by Mikael Vaaltola
Hi,

I had the same problem. Turns out that one of the layer in the layers group
was causing the error.

We had this message in the log (verbose) :

"Error writing metadata; skipping layer: LAYERNAME"

Verify if you have this message in the log.

Try creating another group, add one layer and check if the group appears in
the GetCapabilities. Repeat for all layers you want in the group.

When you find layers that are causing the problem, recreate them manually
then add them to the group.

Hope this helps





--
Sent from: http://osgeo-org.1560.x6.nabble.com/GeoServer-User-f3786390.html


_______________________________________________
Geoserver-users mailing list

Please make sure you read the following two resources before posting to this list:
- Earning your support instead of buying it, but Ian Turton: http://www.ianturton.com/talks/foss4g.html#/
- The GeoServer user list posting guidelines: http://geoserver.org/comm/userlist-guidelines.html

If you want to request a feature or an improvement, also see this: https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer


[hidden email]
https://lists.sourceforge.net/lists/listinfo/geoserver-users
Reply | Threaded
Open this post in threaded view
|

Re: Layer groups not appearing in WMS GetCapabilities

Mikael Vaaltola
Hi,

thank you very much for the suggestion! Unfortunately I was not able to get the layer group working by deleting the layer group and layers and re-adding them. There also wasn't any errors in the log. On verbose logging, the log was full of DEBUG-messages: [geoserver.ows] - Could not find a layer group named web, but I'm not sure how useful this is.

Inspired by your experience, I tried creating a new workspace, new store, published a couple of layers, and created a layer group inside the workspace. I then gave everyone read access to the workspace, individual layers and layer group separately. This worked, and the new layer group showed up in the Capabilities document for unauthenticated users! However, I have not been able to replicate the results. I tried creating new layer groups following the same steps as closely as possible but they are not showing up. It remains a mystery to me why only this one layer group is shown in the capabilities document, but others are not.

-Mikael

On Thu, 4 Apr 2019 at 19:19, Olyster <[hidden email]> wrote:
Hi,

I had the same problem. Turns out that one of the layer in the layers group
was causing the error.

We had this message in the log (verbose) :

"Error writing metadata; skipping layer: LAYERNAME"

Verify if you have this message in the log.

Try creating another group, add one layer and check if the group appears in
the GetCapabilities. Repeat for all layers you want in the group.

When you find layers that are causing the problem, recreate them manually
then add them to the group.

Hope this helps





--
Sent from: http://osgeo-org.1560.x6.nabble.com/GeoServer-User-f3786390.html


_______________________________________________
Geoserver-users mailing list

Please make sure you read the following two resources before posting to this list:
- Earning your support instead of buying it, but Ian Turton: http://www.ianturton.com/talks/foss4g.html#/
- The GeoServer user list posting guidelines: http://geoserver.org/comm/userlist-guidelines.html

If you want to request a feature or an improvement, also see this: https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer


[hidden email]
https://lists.sourceforge.net/lists/listinfo/geoserver-users


_______________________________________________
Geoserver-users mailing list

Please make sure you read the following two resources before posting to this list:
- Earning your support instead of buying it, but Ian Turton: http://www.ianturton.com/talks/foss4g.html#/
- The GeoServer user list posting guidelines: http://geoserver.org/comm/userlist-guidelines.html

If you want to request a feature or an improvement, also see this: https://github.com/geoserver/geoserver/wiki/Successfully-requesting-and-integrating-new-features-and-improvements-in-GeoServer


[hidden email]
https://lists.sourceforge.net/lists/listinfo/geoserver-users