diff --git a/CHANGELOG.md b/CHANGELOG.md index b084eb5e9..28502c927 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -15,6 +15,7 @@ - [#165](https://github.com/LayerManager/layman/issues/165) Add column `role_name` to table `rights` in prime DB schema. Add constraint that exactly one of columns `role_name` and `id_user` is not null. - [#165](https://github.com/LayerManager/layman/issues/165) Create internal GeoServer [JDBC Role Service](https://docs.geoserver.org/2.21.x/en/user/security/usergrouprole/roleservices.html#jdbc-role-service) DB schema `_role_service`. #### Data migrations +- [#165](https://github.com/LayerManager/layman/issues/165) Delete technical roles and user-role relations in GeoServer `default` role service, which is now replaced by JDBC role service. ### Changes - [#165](https://github.com/LayerManager/layman/issues/165) POST Workspace [Layers](doc/rest.md#post-workspace-layers)/[Maps](doc/rest.md#post-workspace-maps) and PATCH Workspace [Layer](doc/rest.md#patch-workspace-layer)/[Map](doc/rest.md#patch-workspace-map) saves [role names](doc/models.md#role) mentioned in `access_rights.read` and `access_rights.write` parameters into DB. - [#165](https://github.com/LayerManager/layman/issues/165) Many endpoints respect role access rights: diff --git a/src/layman/upgrade/__init__.py b/src/layman/upgrade/__init__.py index aa2253819..6f9df0eac 100644 --- a/src/layman/upgrade/__init__.py +++ b/src/layman/upgrade/__init__.py @@ -71,6 +71,9 @@ upgrade_v1_22.remove_authn_txt_files, upgrade_v1_22.insert_map_layer_relations, ]), + ((1, 23, 0), [ + upgrade_v1_23.delete_user_roles, + ]), ], } diff --git a/src/layman/upgrade/upgrade_v1_23.py b/src/layman/upgrade/upgrade_v1_23.py index 06de9bb99..2655bba4e 100644 --- a/src/layman/upgrade/upgrade_v1_23.py +++ b/src/layman/upgrade/upgrade_v1_23.py @@ -1,8 +1,11 @@ +from urllib.parse import urljoin import logging +import requests -from geoserver import util as gs_util +from geoserver import util as gs_util, GS_REST, GS_REST_TIMEOUT from db import util as db_util from layman import settings +from layman.common.prime_db_schema import users logger = logging.getLogger(__name__) DB_SCHEMA = settings.LAYMAN_PRIME_SCHEMA @@ -124,3 +127,34 @@ def create_role_service_schema(): db_util.run_statement(create_user_roles_view) gs_util.reload(settings.LAYMAN_GS_AUTH) + + +def delete_user_roles(): + logger.info(f' Delete user roles from GeoServer') + + role_service = 'default' + gs_rest_roles = urljoin(GS_REST, f'security/roles/service/{role_service}/') + + for user in users.get_usernames(): + logger.info(f' Delete user {user}') + for role in [f'USER_{user}', settings.LAYMAN_GS_ROLE]: + r_url = urljoin(gs_rest_roles, f'role/{role}/user/{user}/') + response = requests.delete( + r_url, + headers=gs_util.headers_json, + auth=settings.LAYMAN_GS_AUTH, + timeout=GS_REST_TIMEOUT, + ) + association_not_exists = response.status_code == 404 + if not association_not_exists: + response.raise_for_status() + + response = requests.delete( + urljoin(gs_rest_roles, 'role/' + role), + headers=gs_util.headers_json, + auth=settings.LAYMAN_GS_AUTH, + timeout=GS_REST_TIMEOUT, + ) + role_not_exists = response.status_code == 404 + if not role_not_exists: + response.raise_for_status()