Authentication System: allow Database (initially Postgres) storage for authentication DB #248
Comments
Ah wow this would be a great improvement!
@rldhont @pblottiere @mhugent what do you think about this proposal?
Nice, would that also make it possible to implement LDAP or other forms of centralized Authentication Service (not part of this proposal, but maybe creating the abstract interface could already keep an eye on such)? Or am I missing a/the point again :-) ?
The primary goal is to have an abstract interface for auth DB storage (similar to the current QGS project storage implementation). For now I would focus on real DBs and Postgres in particular. I'm not sure if LDAP could fit in this design, but we should keep that possibility open and see if it's possible to abstract the interface up to a level that makes this possible.
It is a great idea! Is it linked to #278? Are you thinking of proposing it for the grant-2024?
Not really.
I wasn't going to, but now that you remind me of it, it seems a good idea.
Custom backends for storage of secrets make a lot of sense. It would be really useful to have the abstraction for storage of secrets defined in a way that it is possible to implement non-database backends - for example services like Bitwarden or LastPass. I would imagine that such implementations would run a third-party CLI to log in and fetch+decrypt secrets...
Thank you for your comment. I will consider the possibility to abstract the API in such a way that allows for remote non-DB backends, but keep in mind that the current implementation is already based on a DB (sqlite) and extending it to use other backends is easier than extending it to handle completely different backends.
Thank you for submitting your proposal to the 2024 QGIS Grant Programme. The 2-week discussion period starts today. At the end of the discussion, the proposal author has to provide a 3-line pitch of their proposal for the voter information material. (For an example from last year check qgis/PSC#58 (comment))
@rldhont @pblottiere @mhugent @pathmapper and anyone else that could be interested, looks like there is only partial funding from the grants for this QEP so I am trying to find the missing funds (I have already found ~50% of the funds). If you are interested in funding this effort please send me an email. Thank you!
Implementation of QEP Authentication System: allow Database storage for authentication DB qgis/QGIS-Enhancement-Proposals#248
The final report for this proposal has already been submitted. Can the issue be closed?
Just to say thank you for this evolution, which is really appreciated. I drop the documentation link to help understand the new capacities: https://docs.qgis.org/testing/en/docs/user_manual/auth_system/auth_overview.html#custom-authentication-databases
QGIS Enhancement: Server: allow Postgres storage for authentication DB
Date 2022/03/09
Author Alessandro Pasotti (@elpaso)
maintainer @elpaso
Version QGIS 3.28
Summary
The QGIS authentication database is currently using SQLITE to store encrypted credentials. This implementation doesn't work on a QGIS Server deployment on the cloud when multiple instances of the server are running in different containers or VMs (we have experienced this issue on Kubernetes but the problem is not limited to it).
The use case for a shared authentication DB is for a web application or an API to allow for R/W access to credentials from multiple server instances accessed by clients under a secured channel.
Proposed Solution
Abstract out the actual storage of the encrypted credentials allowing to optionally use a client/server DB as the authentication DB, Postgres being the primary target.
The main goal is to be able to use a client/server authentication DB in QGIS Server. The functionality will be enabled with a server setting and will not be exposed to QGIS Desktop; however, it is not excluded that it will be exposed to QGIS Desktop in the future if valid use cases are presented.
Affected Files
QgsAuthManager
Performance Implications
None
Backwards Compatibility
None, the default authentication DB will remain the current implementation (SQLITE).
Votes
(required)