Releases: LayerManager/layman
v1.23.2
Upgrade requirements
- #1021 After upgrading and starting Layman, change the GeoServer configuration with the following steps:
- Log in to GeoServer Admin
- Click on Security > Authentication
- Find part "Authentication Filters" and click on "laymanHttpHeader"
- In part "Role source" choose "Role service" in left dropdown and "layman_role_service" in right dropdown.
- Click on Save button.
Changes
v1.23.1
Known issues
- #1021 WFS-T error "<layer> is read-only".
- Fixed in v1.23.2.
- #1022 Login not working in demo configuration with authentication
- Fixed in v1.23.2.
Changes
- #1016 Flower and Celery worker containers used to wait for all dependencies and also check role service, from now on it waits only for Layman API to be ready.
- #165 Roles in REST endpoint GET Roles result are in alphabetical order.
v1.23.0
Known issues
- #1016 Flower container did not start if LAYMAN_ROLE_SERVICE_URI points to host.docker.internal.
- Fixed in v1.23.1.
- #1021 WFS-T error "<layer> is read-only".
- Fixed in v1.23.2.
- #1022 Login not working in demo configuration with authentication
- Fixed in v1.23.2.
Upgrade requirements
- Change environment variable LAYMAN_CLIENT_VERSION:
LAYMAN_CLIENT_VERSION=v1.18.0
- Stop using environment variable LAYMAN_GS_ROLE_SERVICE, it has no effect on Layman anymore. Layman now uses the role service identified by the new environment variable LAYMAN_ROLE_SERVICE_URI. The service is called layman_role_service on GeoServer.
- Set new environment variable LAYMAN_ROLE_SERVICE_URI
- Stop using environment variable OAUTH2_INTROSPECTION_SUB_KEY, it has no effect on Layman anymore.
- If you are using Wagtail as OAuth2 provider:
- After running make upgrade-demo or make upgrade-demo-full, also run the script v1_23_change_oauth2_sub_username_to_user_id.py:
docker compose -f docker-compose.deps.demo.yml -f docker-compose.demo.yml run --rm --no-deps -u root -e LAYMAN_WAGTAIL_DB_URI=<URI_of_Wagtail_db> layman bash -c "cd src && python3 -B v1_23_change_oauth2_sub_username_to_user_id.py"
URI_of_Wagtail_db is the PostgreSQL connection URI to the Wagtail database, e.g. postgresql://user:[email protected]:5432/wagtail_db_name
- The script changes OAuth2 "sub" values in Layman prime DB schema from Wagtail usernames to Wagtail user IDs. See 940.
Migrations and checks
Schema migrations
- #165 Add column role_name to table rights in prime DB schema. Add constraint that exactly one of columns role_name and id_user is not null.
- #165 Create DB schema _role_service that can be used as role service.
- #165 Length of column name in table workspaces in prime DB schema is changed to 59 characters.
- Drop DB table right_types.
Data migrations
- #165 Delete technical roles and user-role relations in GeoServer default role service, which is now replaced by JDBC role service.
Changes
- #165 Prior to this version, Layman allowed usernames and the pseudo-role EVERYONE in access rights. From now on, Layman also accepts role names.
- #165 Roles (except for EVERYONE) are managed by role service.
- #165 New REST endpoint GET Roles with list of all roles registered in role service that can be used in access rights.
- This new endpoint was added to Test Client into tab "Others".
- #165 POST Workspace Layers/Maps and PATCH Workspace Layer/Map save role names mentioned in access_rights.read and access_rights.write parameters into prime DB schema.
- #165 Many requests respect roles in access rights:
- #165 POST Workspace Layers/Maps respects roles in GRANT_CREATE_PUBLIC_WORKSPACE and GRANT_PUBLISH_IN_PUBLIC_WORKSPACE
- #165 Many endpoints return previously associated role names in access_rights.read and access_rights.write keys:
- #165 Names of users and public workspaces are from now on restricted to a maximum length of 59 characters.
- 940 Use userId as OAuth2 "sub" instead of username. This is suitable for Wagtail.
- 940 Stop supporting Liferay as OAuth2 provider.
- 941 Wagtail database is now persistent when restarting Layman or Wagtail.
- All changes from v1.22.1, v1.22.2 and v1.22.3.
- #960 Handle WMS requests with HTTP error more efficiently in timgen.
- #962 Make values of layman_metadata.publication_status and status key(s) more consistent in responses of PATCH Workspace Layer/Map and GET Workspace Layer/Map.
- Timgen handles better some edge cases:
- If map's internal layer points to non-existent workspace, Timgen is faster and does not fail.
- If map's file was not obtained from Layman, Timgen fails quickly.
- Upgrade Python dependencies
- werkzeug 2.3.7 -> 3.0.7 (suggested by dependabot)
- urllib3 1.26.16 -> 1.26.18 (suggested by dependabot)
- pillow 10.0.0 -> 10.1.0 (suggested by dependabot)
- cacheout 0.14.1 -> 0.15.0
- flask 2.3.3 -> 3.0.0
- jsonschema 4.19.0 -> 4.20.0
- owslib 0.29.2 -> 0.29.3
- importlib-metadata 6.8.0 -> 7.0.0
- psycopg2-binary 2.9.7 -> 2.9.9
- redis 5.0.0 -> 5.0.1
- unidecode 1.3.6 -> 1.3.7
- platformdirs 3.10.0 -> 4.1.0
- pycodestyle 2.11.0 -> 2.11.1
- pytest 7.4.2 -> 7.4.3
- pytest-rerunfailures 12.0 -> 13.0
- pytest-timeout 2.1.0 -> 2.2.0
- Add development dependency plantuml/plantuml for rendering PlantUML diagrams.
v1.22.3
Known issues
- #1022 Login not working in demo configuration with authentication
- Fixed in v1.23.2.
Upgrade requirements
- Change environment variable LAYMAN_CLIENT_VERSION:
LAYMAN_CLIENT_VERSION=v1.17.2
Changes
- Improve logging in Layman Test Client related to Passport.js.
- 968 Enable to use not-so-secure SSL communication (UnsafeLegacyRenegotiation) in Layman Test Client. It can be activated by environment variable NODE_OPTIONS:
NODE_OPTIONS="--openssl-config=/code/unsafe_openssl.cnf"
v1.22.2
Known issues
- #1022 Login not working in demo configuration with authentication
- Fixed in v1.23.2.
Upgrade requirements
- Change environment variable LAYMAN_CLIENT_VERSION:
LAYMAN_CLIENT_VERSION=v1.17.1
Changes
v1.22.1
Known issues
- #956 Unable to login into GeoServer with https protocol
- Fixed in v1.22.2.
- #958 Request through LTC proxy returns URLs with http although request came to https
- Fixed in v1.22.2.
- #1022 Login not working in demo configuration with authentication
- Fixed in v1.23.2.
Changes
- #949 Fix reading map-layer relations from map composition that includes also other than WMS and Vector layers.
v1.22.0
Known issues
- #949 Reading map-layer relations fails for map composition that includes also other than WMS and Vector layers.
- Fixed in v1.22.1.
- #956 Unable to login into GeoServer with https protocol
- Fixed in v1.22.2.
- #958 Request through LTC proxy returns URLs with http although request came to https
- Fixed in v1.22.2.
- #1022 Login not working in demo configuration with authentication
- Fixed in v1.23.2.
Upgrade requirements
- Change environment variable LAYMAN_CLIENT_VERSION:
LAYMAN_CLIENT_VERSION=v1.17.0
- Stop using environment variable LAYMAN_GS_PROXY_BASE_URL, it has no effect on Layman anymore.
- GeoServer's Proxy Base URL is now automatically set by Layman on each start. Value is automatically derived from environment variables LAYMAN_CLIENT_PUBLIC_URL (protocol) and LAYMAN_PROXY_SERVER_NAME (domain and port). URL path is always /geoserver/.
- Stop using environment variable LAYMAN_GS_PATH, it has no effect on Layman anymore.
- GeoServer's URL path must be always /geoserver/ (that is true for GeoServer shipped with Layman).
Migrations and checks
Schema migrations
- #868 Create new table map_layer in prime DB schema.
Data migrations
- #887 Drop unique DB index on users table on sub column. Create unique DB index on users table on (sub, issuer_id) columns.
- #765 Fix issuer_id values in users table that were broken since v1.21.0.
- #765 Remove authn.txt files from workspace directories. The same information as in authn.txt files is saved in prime DB schema.
- #868 Fill table map_layer with relations between maps and internal layers (layers published on this Layman instance). Relations to external layers (layers of other servers) are not imported into the table.
Changes
- #868 Responses to many requests respect HTTP X-Forwarded headers of the request. Those requests are:
- GET Publications, Layers, Workspace Layers, Maps, and Workspace Maps
- GET, PATCH, and DELETE Workspace Layer
- GET, PATCH, and DELETE Workspace Map
- GET Workspace Map File
- POST and DELETE Workspace Layers
- POST and DELETE Workspace Maps
- requests to WMS and WFS endpoints
- #868 Responses to GET Workspace Layer Metadata Comparison and GET Workspace Map Metadata Comparison do not respect HTTP X-Forwarded headers of the request intentionally, in order to keep URLs in canonical form.
- #868 Relations between map and internal layers are updated in map_layer table when calling POST Workspace Maps, PATCH Workspace Map, DELETE Workspace Map, and DELETE Workspace Maps.
- #901 Endpoints POST and PATCH accept map compositions in version 3.x.x.
- #927 SLD styles are internally published to GeoServer with raw parameter set to True.
- #880 Use Docker Compose v2 (docker compose) in Makefile without compatibility flag and remove Makefile_docker-compose_v1 file. Docker containers are named according to Docker Compose v2 and may have different name after upgrade.
- #765 Stop saving OAuth2 claims in filesystem, use prime DB schema only.
- #893 It is possible to specify logging level by new environment variable LAYMAN_LOGLEVEL. Default level is INFO.
- Use psycopg2.pool.ThreadedConnectionPool to share DB connections.
- Add new test Python dependency:
- jsonpath-ng 1.6.0
- Upgrade Python dependencies
- certifi 2023.5.7 -> 2023.7.22 (suggested by dependabot)
- tornado 6.3.2 -> 6.3.3 (suggested by dependabot)
- flask 2.3.2 -> 2.3.3
- jsonschema 4.17.3 -> 4.19.0
- lxml 4.9.2 -> 4.9.3
- owslib 0.28.1 -> 0.29.2
- psycopg2-binary 2.9.5 -> 2.9.7
- redis 4.5.5 -> 5.0.0
- autopep8 2.0.1 -> 2.0.4
- flake8 6.0.0 -> 6.1.0
- pillow 9.3.0 -> 10.0.0
- pycodestyle 2.10.0 -> 2.11.0 (to be consistent with GitHub Actions)
- pytest 7.2.0 -> 7.4.2
- pytest-rerunfailures 10.3 -> 12.0
- watchdog 2.2.0 -> 3.0.0
v1.21.1
v1.21.0
Known issues
- #887 New user workspaces are created for already existing users.
- Fixed in v1.21.1.
- #1022 Login not working in demo configuration with authentication
- Fixed in v1.23.2.
Upgrade requirements
- Change environment variable LAYMAN_CLIENT_VERSION:
LAYMAN_CLIENT_VERSION=v1.16.0
- Rename environment variable OAUTH2_LIFERAY_SECRET to OAUTH2_CLIENT_SECRET.
- Rename all environment variables OAUTH2_LIFERAY_SECRET<n> to OAUTH2_CLIENT<n>_SECRET. For example, variable OAUTH2_LIFERAY_SECRET4 becomes OAUTH2_CLIENT4_SECRET.
- Rename all other OAUTH2_LIFERAY_<postfix> environment variables to OAUTH2_<postfix>. For example, variable OAUTH2_LIFERAY_AUTH_URL becomes OAUTH2_AUTH_URL.
- If you are using environment variable OAUTH2_CALLBACK_URL, change only its URL path from /client/authn/oauth2-liferay/callback to /client/authn/oauth2-provider/callback. Keep protocol, domain, and port unchanged.
- Stop using environment variable LAYMAN_AUTHN_OAUTH2_PROVIDERS, it has no effect on Layman anymore. There is exactly one OAuth2 provider Python module now, no need to set it.
- Stop using environment variable FLASK_ENV, it has no effect on Layman anymore.
- If you used environment variable FLASK_ENV with value development, add new environment variable FLASK_DEBUG:
FLASK_DEBUG=1
- Stop using environment variable CSW_RECORD_URL, it has no effect on Layman anymore. Value is derived from variable CSW_PROXY_URL.
- Stop using HTTP header AuthorizationIssUrl when authenticating by OAuth. The header has no effect on Layman anymore. There is exactly one OAuth2 provider now, no need to distinguish it. Now, the only distinguished HTTP header when authenticating by OAuth2 is the Authorization header.
- If you are running Layman with development settings (e.g. starting it with make start-dev):
- change values of environment variables:
OAUTH2_CLIENT_ID=VECGuQb00tWt8HZNkA4cxu6dnoQD5pF6Up3daAoK
OAUTH2_CLIENT_SECRET=aY14rwkEKasNqBEZX8OnhpRk8lpHAfT7oKTlf4LriEK8oMZxhnGKcnt4bZ72pceNEl83B6LtBvhKr3BqBLFA80Pd6Ugav2rkc8bk7TE4LkaoB2qcBQmjiOiEpizsgZGx
OAUTH2_AUTH_URL=http://localhost:8083/o/authorize
OAUTH2_TOKEN_URL=http://wagtail:8000/o/token/
OAUTH2_INTROSPECTION_URL=http://wagtail:8000/o/introspect/
OAUTH2_INTROSPECTION_SUB_KEY=username
OAUTH2_USER_PROFILE_URL=http://wagtail:8000/profile
- unset environment variable OAUTH2_SCOPE (previously OAUTH2_LIFERAY_SCOPE)
- after usual dev upgrade commands run also make wagtail-build
- If your upgrade command ends with message Error response from daemon: invalid IP address in add-host: "host-gateway", try to uninstall Docker Engine completely and install it again with Docker Compose plugin (see e.g. manual for Centos). Then run upgrade command again.
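The environment-variable renames and removals listed above can be applied mechanically to a settings file; the Python below is an added example, not code from Layman or its release notes, and covers only the rules stated in this list. The names migrate_env and rename_key and the sample values are assumptions for illustration, and the returned notes carry variable names only so that secret values are never echoed.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Variables the v1.21.0 notes list as having no effect anymore.
DROPPED = {"LAYMAN_AUTHN_OAUTH2_PROVIDERS", "FLASK_ENV", "CSW_RECORD_URL"}
OLD_PATH = "/client/authn/oauth2-liferay/callback"
NEW_PATH = "/client/authn/oauth2-provider/callback"
# Constructed sample settings; all values are placeholders.
SAMPLE = {
    "OAUTH2_LIFERAY_SECRET": "placeholder-a",
    "OAUTH2_LIFERAY_SECRET4": "placeholder-b",
    "OAUTH2_LIFERAY_AUTH_URL": "https://auth.example.test/o/authorize",
    "OAUTH2_CALLBACK_URL": "https://layman.example.test:8443" + OLD_PATH,
    "FLASK_ENV": "development",
    "LAYMAN_CLIENT_VERSION": "v1.16.0",
}


def rename_key(key):
    """Apply the OAUTH2_LIFERAY_* rename rules to one variable name."""
    m = re.fullmatch(r"OAUTH2_LIFERAY_SECRET(\d*)", key)
    if m:  # OAUTH2_LIFERAY_SECRET<n> -> OAUTH2_CLIENT<n>_SECRET
        return f"OAUTH2_CLIENT{m.group(1)}_SECRET"
    if key.startswith("OAUTH2_LIFERAY_"):  # every other postfix
        return "OAUTH2_" + key[len("OAUTH2_LIFERAY_"):]
    return key


def migrate_env(env):
    """Return (new_env, notes); notes name variables but never show values."""
    new_env, notes = {}, []
    for key, value in env.items():
        if key in DROPPED:
            notes.append(f"dropped {key}")
            if key == "FLASK_ENV" and value == "development":
                new_env.setdefault("FLASK_DEBUG", "1")
            continue
        new_key = rename_key(key)
        if new_key != key and new_key in env:  # old and new name both set
            raise ValueError(f"{key} collides with existing {new_key}")
        if new_key == "OAUTH2_CALLBACK_URL":
            parts = urlsplit(value)
            if parts.path == OLD_PATH:  # keep protocol, domain and port
                value = urlunsplit(parts._replace(path=NEW_PATH))
        if new_key != key:
            notes.append(f"renamed {key} -> {new_key}")
        new_env[new_key] = value
    return new_env, notes
```

A collision raises instead of silently choosing one value, because an old and a new secret set at the same time usually means the file was only partly migrated.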
Migrations and checks
Schema migrations
- #528 Add new data type enum_wfs_wms_status and create new string column wfs_wms_status in publications table in prime DB schema.
Data migrations
- #528 Fill column wfs_wms_status in publications table in prime DB schema. Set value AVAILABLE for each vector layer that is fully available in WFS and WMS and for each raster layer that is fully available in WMS. Set NOT_AVAILABLE for all other layers and null for all existing maps.
- #520 Set MetadataURL for each layer in WFS and WMS workspace in GeoServer.
Changes
- #769 New request GET Publications was added. It enables querying both layers and maps by single request.
- #769 New key publication_type was added to responses of requests GET Publications, GET Layers, GET Workspace Layers, GET Maps, and GET Workspace Maps. Possible values of the key are layer and map.
- #528 New key wfs_wms_status was added to layer items in responses of requests GET Layers, GET Workspace Layers, and GET Publications.
- #520 New element MetadataURL was added for each layer to GetCapabilities response of WFS 2.0.0 and WMS 1.3.0. The element contains URL of CSW metadata record of the layer.
- #800 Requests POST Workspace Layers and PATCH Workspace Layer support new parameter time_regex_format. Its value is later accessible in the new subkey wms.time.regex_format in responses of GET Workspace Layer and PATCH Workspace Layer requests.
- #764, #860 Layman accepts new types of QML styles:
- labels without symbology
- point clustering
- #857 Requests POST Workspace Layers and PATCH Workspace Layer accept host.docker.internal in external_table_uri parameter to reach localhost of host server.
- #847 Fix publishing external table layers with @ character or other dangerous characters in the username or in the password.
- #833 Make Timgen WMS requests more robust (handle WMS errors, delayed retry, add timestamp to each request).
- #877 Use Docker Compose v2 (docker compose) in Makefile. As of now, all containers are named in the same way as previously. Old Makefile using Docker Compose v1 (docker-compose) is archived as Makefile_docker-compose_v1. It will be removed in the next minor release.
- #815 Propagate LAYMAN_PROXY_SERVER_NAME value to GeoServer environment variable GEOSERVER_CSRF_WHITELIST.
- #765 Remove Liferay from dev stack, use Wagtail CRX + Django OAuth Toolkit as new OAuth2 provider (authorization server).
- Upgrade Python dependencies
- flask 2.2.2 -> 2.3.2
- redis 4.5.1 -> 4.5.4
- owslib 0.27.2 -> 0.28.1
- requests 2.28.1 -> 2.31.0
- Upgrade Node.js Timgen dependencies
- vite 3.2.5 -> 3.2.7
- Document that temporal part of timeseries datetime dimension extracted by time_regex parameter is cut off, so the smallest possible unit of datetime dimension is one day.
v1.20.1
Known issues
- #847 Publishing layers from an external table with @ in username or password fails
- Fixed in v1.21.0.