21.2. Fluxul de Autentificare a Utilizatorului

../../../_images/auth-user-usage.png

Fig. 21.19 Fluxul de lucru al utilizatorului generic

21.2.1. Autentificarea HTTP(S)

Una dintre cele mai comune conectări la resurse are loc prin prin HTTP(S), cum ar fi serverele de cartografiere web și plugin-urile cu metode de autentificare, care adesea lucrează cu aceste tipuri de conexiuni. Plugin-urile cu metode au acces la obiectul cerere HTTP și pot manipula atât cererea cât și antetele sale. Acest lucru permite mai multe forme de autentificare prin internet. Atunci când conectarea are loc prin HTTP(S) cu ajutorul metodei standard de autentificare nume de utilizator/ parolă, se va încerca autentificarea HTTP de bază a conexiunii.

../../../_images/auth-http-basic-wms.png

Fig. 21.20 Configurarea unei conexiuni WMS pentru HTTP BASIC

21.2.2. Autentificarea bazei de date

Connections to database resources are generally stored as key=value pairs, which will expose usernames and (optionally) passwords, if not using an authentication configuration. When configuring with the auth system, the key=value will be an abstracted representation of the credentials, e.g. authfg=81t21b9.

../../../_images/auth-db-ssl-pki.png

Fig. 21.21 Configurarea unei conexiuni Postgres SSL-with-PKI

21.2.3. Autentificarea PKI

When configuring PKI components within the authentication system, you have the option of importing components into the database or referencing component files stored on your filesystem. The latter may be useful if such components change frequently, or where the components will be replaced by a system administrator. In either instance you will need to store any passphrase needed to access private keys within the database.

../../../_images/auth-pki-config.png

Fig. 21.22 Fluxul de lucru pentru configurarea PKI

All PKI components can be managed in separate editors within the Certificate Manager, which can be accessed in the Authentication tab in QGIS Options dialog (Settings ► Options) by clicking the Manage Certificates button.

../../../_images/auth-open-Certificate-manager.png

Fig. 21.23 Deschiderea Managerului de Certificate

In the Certificate Manager, there are editors for Identities, Servers and Authorities. Each of these are contained in their own tabs, and are described below in the order they are encountered in the workflow chart above. The tab order is relative to frequently accessed editors once you are accustomed to the workflow.

Notă

Because all authentication system edits write immediately to the authentication database, there is no need to click the Options dialog OK button for any changes to be saved. This is unlike other settings in the Options dialog.

21.2.3.1. Autorități

You can manage available Certificate Authorities (CAs) from the Authorities tab in the Certificate manager from the Authentication tab of the QGIS Options dialog.

As referenced in the workflow chart above, the first step is to import or reference a file of CAs. This step is optional, and may be unnecessary if your PKI trust chain originates from root CAs already installed in your operating system (OS), such as a certificate from a commercial certificate vendor. If your authenticating root CA is not in the OS’s trusted root CAs, it will need to be imported or have its file system path referenced. (Contact your system administrator if unsure.)

../../../_images/auth-editor-authorities.png

Fig. 21.24 Editorul de autorități

By default, the root CAs from your OS are available; however, their trust settings are not inherited. You should review the certificate trust policy settings, especially if your OS root CAs have had their policies adjusted. Any certificate that is expired will be set to untrusted and will not be used in secure server connections, unless you specifically override its trust policy. To see the QGIS-discoverable trust chain for any certificate, select it and click the metadata Show information for certificate.

../../../_images/auth-authority-imported_cert-info-chain.png

Fig. 21.25 Dialogul nformațiilor despre Certificat

You can edit the Trust policy selectString for any selected certificate within the chain. Any change in trust policy to a selected certificate will not be saved to the database unless the fileSave Save certificate trust policy change to database button is clicked per selected certification. Closing the dialog will not apply the policy changes.

../../../_images/auth-authority-edit-trust_save-not-close.png

Fig. 21.26 Salvarea modificărilor aduse politicii de încredere

You can review the filtered CAs, both intermediate and root certificates, that will be trusted for secure connections or change the default trust policy by clicking the transformSettings Options button.

Atenționare

Schimbarea politicii de încredere implicită, poate genera probleme conexiunilor securizate.

../../../_images/auth-editor-authorities_utilities-menu.png

Fig. 21.27 Meniul opțiunilor pentru autorități

You can import CAs or save a file system path from a file that contains multiple CAs, or import individual CAs. The standard PEM format for files that contain multiple CA chain certifications has the root cert at the bottom of the file and all subsequently signed child certificates above, towards the beginning of the file.

The CA certificate import dialog will find all CA certificates within the file, regardless of order, and also offers the option to import certificates that are considered invalid (in case you want to override their trust policy). You can override the trust policy upon import, or do so later within the Authorities editor.

../../../_images/auth-authority-import.png

Fig. 21.28 Dialogul de importare a certificatelor

Notă

If you are pasting certificate information into the PEM text field, note that encrypted certificates are not supported.

21.2.3.2. Identități

You can manage available client identity bundles from the Identities tab in the Certificate manager from the Authentication tab of the QGIS Options dialog. An identity is what authenticates you against a PKI-enabled service and usually consists of a client certificate and private key, either as separate files or combined into a single „bundled” file. The bundle or private key is often passphrase-protected.

Once you have any Certificate Authorities (CAs) imported you can optionally import any identity bundles into the authentication database. If you do not wish to store the identities, you can reference their component file system paths within an individual authentication configuration.

../../../_images/auth-editor-identities.png

Fig. 21.29 Editorul de Identități

When importing an identity bundle, it can be passphrase-protected or unprotected, and can contain CA certificates forming a trust chain. Trust chain certifications will not be imported here; they can be added separately under the Authorities tab.

Upon import the bundle’s certificate and private key will be stored in the database, with the key’s storage encrypted using the QGIS master password. Subsequent usage of the stored bundle from the database will only require input of the master password.

Personal identity bundles consisting of PEM/DER (.pem/.der) and PKCS#12 (.p12/.pfx) components are supported. If a key or bundle is passphrase-protected, the password will be required to validate the component prior to import. Likewise, if the client certificate in the bundle is invalid (for example, its effective date has not yet started or has elapsed) the bundle can not be imported.

../../../_images/auth-identity-import_paths.png

Fig. 21.30 Import de identitate PEM/DER

../../../_images/auth-identity-import_bundle-valid.png

Fig. 21.31 Import de identitate PKCS#12

21.2.4. Gestionarea straturilor eronate

Occasionally, the authentication configuration ID that is saved with a project file is no longer valid, possibly because the current authentication database is different than when the project was last saved, or due to a credentials mismatch. In such cases the Handle bad layers dialog will be presented upon QGIS launch.

../../../_images/auth-handle-bad-layers.png

Fig. 21.32 Gestionarea straturilor eronate și a autentificării

If a data source is found to have an authentication configuration ID associated with it, you will be able to edit it. Doing so will automatically edit the data source string, much in the same way as opening the project file in a text editor and editing the string.

../../../_images/auth-handle-bad-layers-edit.png

Fig. 21.33 Editarea ID-ului de configurare a autentificării, în cazul straturilor eronate

21.2.5. Schimbarea ID-ului de configurare a autentificării

Occasionally, you will need to change the authentication configuration ID that is associated with accessing a resource. There are instances where this is useful:

  • Resource auth config ID is no longer valid: This can occur when you have switched auth databases add need to align a new configuration to the ID already associated with a resource.

  • Shared project files: If you intended to share projects between users, e.g. via a shared file server, you can predefine a 7-character (containing a-z and/or 0-9) that is associated with the resource. Then, individual users change the ID of an authentication configuration that is specific to their credentials of the resource. When the project is opened, the ID is found in the authentication database, but the credentials are different per user.

../../../_images/auth-change-config-id.png

Fig. 21.34 Schimbarea ID-ului de configurare pentru autentificarea stratului (câmp de text galben, deblocat)

Atenționare

Changing the auth config ID is considered an advanced operation and should only be done with full knowledge as to why it is necessary. This is why there is a lock button that needs clicked, to unlock the ID’s text field prior to editing the ID.

21.2.6. Suport pentru serverul QGIS

When using a project file, with layers that have authentication configurations, as a basis for a map in QGIS Server, there are a couple of additional setup steps necessary for QGIS to load the resources:

  • Baza de date pentru autentificare trebuie să fie disponibilă

  • Parola master a bazei de date pentru autentificare trebuie să fie disponibilă

When instantiating the authentication system, Server will create or use qgis-auth.db file in the active user profile, or the directory defined by the QGIS_AUTH_DB_DIR_PATH environment variable. It may be that the Server’s user has no HOME directory, in which case, use the environment variable to define a directory that the Server’s user has read/write permissions and is not located within the web-accessible directories.

To pass the master password to Server, write it to the first line of file at a path on the file system readable by the Server processes user and defined using the QGIS_AUTH_PASSWORD_FILE environment variable. Ensure to limit the file as only readable by the Server’s process user and to not store the file within web-accessible directories.

Notă

QGIS_AUTH_PASSWORD_FILE variable will be removed from the Server environment immediately after accessing.

21.2.7. Excepții de server SSL

../../../_images/auth-ssl-config.png

Fig. 21.35 Excepție de server SSL

You can manage SSL server configurations and exceptions from the Servers tab in the Authentication section of the QGIS Options dialog.

Sometimes, when connecting to an SSL server, there are errors with the SSL „handshake” or the server’s certificate. You can ignore those errors or create an SSL server configuration as an exception. This is similar to how web browsers allow you to override SSL errors, but with more granular control.

Atenționare

You should not create an SSL server configuration unless you have complete knowledge of the entire SSL setup between the server and client. Instead, report the issue to the server administrator.

Notă

Some PKI setups use a completely different CA trust chain to validate client identities than the chain used to validate the SSL server certificate. In such circumstances, any configuration created for the connecting server will not necessarily fix an issue with the validation of your client identity, and only your client identity’s issuer or server administrator can fix the issue.

You can pre-configure an SSL server configuration by clicking the signPlus button. Alternatively, you can add a configuration when an SSL error occurs during a connection and you are presented with an SSL Error dialog (where the error can be ignored temporarily or saved to the database and ignored):

../../../_images/auth-server-exception.png

Fig. 21.36 Adăugarea manuală a configurărilor

../../../_images/auth-server-error-add-exception.png

Fig. 21.37 Adăugarea configurărilor pe durata erorii SSL

O dată ce o configurație SSL este salvată în baza de date, aceasta poate fi editată sau ștearsă.

../../../_images/auth-editor-servers.png

Fig. 21.38 Configurațiile SSL existente

../../../_images/auth-server-edit.png

Fig. 21.39 Editarea unei configurații SSL existente

If you want to pre-configure an SSL configuration and the import dialog is not working for your server’s connection, you can manually trigger a connection via the Python Console by running the following code (replace https://bugreports.qt-project.org with the URL of your server):

from qgis.PyQt.QtNetwork import QNetworkRequest
from qgis.PyQt.QtCore import QUrl
from qgis.core import QgsNetworkAccessManager

req = QNetworkRequest(QUrl('https://bugreports.qt-project.org'))
reply = QgsNetworkAccessManager.instance().get(req)

This will open an SSL error dialog if any errors occur, where you can choose to save the configuration to the database.