Dataspaces in GeoServer
The platform's dataspace model is mapped onto Geoserver by assigning users to dataspace-specific roles in Keycloak. Data access and manipulation are then controlled through role-based permissions, so a user can only interact with the geospatial content of the dataspaces they have access to. Geoserver itself manages access to geospatial content using Roles, Users, Permissions and Groups.
How the Platform's Dataspace Concept maps to Geoserver
For each dataspace, the platform defines its own role. Permissions on geospatial data (Layers, Layergroups) are granted to that role by assigning the corresponding permissions to it in Geoserver.
- Layers: Layers are the finest level at which permissions can be granted to roles in Geoserver. On this level, Read and Write access can be specified individually for each layer. Layers belong to a workspace in Geoserver and inherit the workspace's permissions if no individual configuration is done on layer level; a rule on layer level overrides the workspace rule for that layer.
- Layergroups: From the security perspective, Layergroups are a special layer type. They are managed in the same way as layers.
- Permission: Permissions in Geoserver (per default, without plugins) come in three levels: Read, Write and Admin. Read and Write only grant access to existing Layers (reading and editing their data). Admin grants the right to manage the configuration of a workspace and its layers; it is assigned on workspace level.
- Groups: Geoserver allows working with Groups of users. These are not used for the CIVITAS/CORE Platform.
- Workspaces: Workspaces in Geoserver are the hierarchical level above many Geoserver entities such as Layers and Layergroups. They only structure the content. In CIVITAS/CORE we use them to group all entities of one dataspace. With this grouping, permissions and role assignments can be defined directly on workspace level and are inherited by the entities assigned to it.
Example for Keycloak and Geoserver
The following settings describe the dataspaces named "baumkataster" and "denkmalschutz" defined in Keycloak and Geoserver:
- Keycloak client "geo-data":
  - Roles for dataspace "baumkataster": baumkataster
  - Roles for dataspace "denkmalschutz": denkmalschutz
- Keycloak user "Max Mustermann" (max@mustermann.de):
  - User-Role-Assignments: baumkataster, denkmalschutz
- Geoserver roles: baumkataster, denkmalschutz
If Max requests resources from Geoserver and therefore logs into Geoserver (via Keycloak):
- Keycloak sends an access_token (user: max@mustermann.de, roles: [baumkataster, denkmalschutz])
- Geoserver creates the user max@mustermann.de (if not already existing)
- Geoserver creates the roles baumkataster and denkmalschutz (if not already existing)
- Manually in Geoserver, the permissions Read, Write and Admin are assigned to these roles
Mapping illustrated
This mapping is illustrated in the following image by using the same color for matching objects.
Setting up Dataspaces in Geoserver
After completing the initial platform setup (refer to the Admin Guide), Geoserver is automatically configured to synchronize roles from Keycloak, ensuring it recognizes all existing platform roles (for each dataspace).
During each user login, their assigned roles are also synced with Geoserver. The only remaining manual step is to assign the appropriate permissions to these synced roles at the workspace level. Once this is done, permissions are validated each time a user requests access to any content.
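To make the login flow of the Max Mustermann example and this final manual step concrete, here is an added Python model of how Geoserver's data-security rules (the layers.properties rule file) resolve a request against the roles synced from Keycloak. It is an illustration written for this page, not CIVITAS/CORE or Geoserver code. The rule file content, the decoded token payload, the layer names (standorte, baeume_public, objekte) and the "sonstiges" workspace are constructed; that the platform reads client roles from the "geo-data" client's resource_access claim is an assumption. It goes one step beyond the example above: it keeps Geoserver's default catch-all rules (*.*.r=* and *.*.w=*) in the file, because they stay in effect for every workspace that gets no dataspace rule.

```python
"""Model of GeoServer data-security rule resolution (layers.properties)
applied to the roles Keycloak syncs into GeoServer.

Added example for this page; it is neither CIVITAS/CORE nor GeoServer code.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed layers.properties. The first three lines are what GeoServer
# ships by default ("*" as role means everyone, anonymous included); the
# dataspace lines are the manual workspace-level assignments from the
# setup section; the baeume_public rule (hypothetical layer name) shows a
# layer-level rule overriding the workspace rule.
LAYERS_PROPERTIES = """\
mode=HIDE
*.*.r=*
*.*.w=*
baumkataster.*.r=baumkataster
baumkataster.*.w=baumkataster
baumkataster.*.a=baumkataster
baumkataster.baeume_public.r=*
denkmalschutz.*.r=denkmalschutz
denkmalschutz.*.w=denkmalschutz
denkmalschutz.*.a=denkmalschutz
"""

# Constructed, decoded payload of the access_token Keycloak issues to Max in
# the example above. Keycloak places client roles under
# resource_access.<client>.roles; that the platform reads them from the
# "geo-data" client is an assumption.
MAX_TOKEN = {
    "preferred_username": "max@mustermann.de",
    "resource_access": {"geo-data": {"roles": ["baumkataster", "denkmalschutz"]}},
}

ANYONE = "*"
SUPERUSER = "ROLE_ADMINISTRATOR"  # GeoServer's built-in admin role bypasses the rules


@dataclass(frozen=True)
class Rule:
    workspace: str        # workspace name or "*"
    layer: str            # layer name or "*"
    mode: str             # "r" read, "w" write, "a" admin
    roles: frozenset[str]

    def specificity(self) -> int:
        """GeoServer precedence: layer rule > workspace rule > global rule."""
        return int(self.workspace != "*") + int(self.layer != "*")


def parse_layers_properties(text: str) -> list[Rule]:
    """Parse '<workspace>.<layer>.<mode>=<role>[,<role>]*' lines."""
    rules: list[Rule] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("mode="):
            continue  # 'mode=HIDE|CHALLENGE|MIXED' is the catalog mode, not a rule
        key, sep, value = line.partition("=")
        parts = key.split(".")
        if not sep or len(parts) != 3 or parts[2] not in ("r", "w", "a"):
            raise ValueError(f"malformed rule: {line!r}")
        if parts[2] == "a" and parts[1] != "*":
            raise ValueError(f"admin rules are workspace-level only: {line!r}")
        roles = frozenset(r.strip() for r in value.split(",") if r.strip())
        rules.append(Rule(parts[0], parts[1], parts[2], roles))
    return rules


def roles_from_token(claims: dict, client: str = "geo-data") -> set[str]:
    """Roles GeoServer would sync for this login (assumed claim location)."""
    return set(claims.get("resource_access", {}).get(client, {}).get("roles", []))


def matching_rule(rules: list[Rule], workspace: str, layer: str, mode: str) -> Optional[Rule]:
    """Most specific rule for this mode that covers workspace/layer, if any."""
    candidates = [
        r for r in rules
        if r.mode == mode and r.workspace in ("*", workspace) and r.layer in ("*", layer)
    ]
    return max(candidates, key=Rule.specificity) if candidates else None


def is_allowed(rules: list[Rule], user_roles, workspace: str, layer: str, mode: str) -> bool:
    """Decide one request the way GeoServer's data security does."""
    user_roles = set(user_roles)
    if SUPERUSER in user_roles:
        return True
    rule = matching_rule(rules, workspace, layer, mode)
    if rule is None:
        return False  # nothing covers it (e.g. no admin rule for that workspace)
    return ANYONE in rule.roles or bool(rule.roles & user_roles)


if __name__ == "__main__":
    rules = parse_layers_properties(LAYERS_PROPERTIES)
    max_roles = roles_from_token(MAX_TOKEN)
    checks = [
        ("Max reads baumkataster:standorte", max_roles, "baumkataster", "standorte", "r"),
        ("Max administers denkmalschutz", max_roles, "denkmalschutz", "*", "a"),
        ("Erika (baumkataster only) reads denkmalschutz:objekte", {"baumkataster"}, "denkmalschutz", "objekte", "r"),
        ("anonymous reads baumkataster:standorte", set(), "baumkataster", "standorte", "r"),
        ("anonymous reads baumkataster:baeume_public", set(), "baumkataster", "baeume_public", "r"),
        ("anonymous reads sonstiges:x (workspace without dataspace rule)", set(), "sonstiges", "x", "r"),
    ]
    for label, roles, ws, layer, mode in checks:
        print(f"{label:65s} -> {is_allowed(rules, roles, ws, layer, mode)}")
```

The last case is the check worth doing after the manual step: a workspace that has not been given a dataspace rule is still covered by the default *.*.r=* and *.*.w=* rules, so it stays readable and writable by everyone until either every workspace carries a rule or the defaults are tightened. Data-security rules also only decide layer access; service security (e.g. whether WFS transactions are allowed at all) is configured separately in Geoserver.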
For further details on Geoserver administration, please consult the Admin Guide.