You are here:GeoTux»Geo-Blogs»SDI»Accessing data from QGIS Server based on user roles

Statistics

Invitados: 101
Usuarios registrados: 3236
Usuarios en línea:
-
Registrados hoy:
-

Register

RSS

Blogs and News:
Recibe las actualizaciones en Geo-Noticias y Geo-Blogs

Get them by e-mail
Recibir Geo-Noticias y Geo-Blogs por e-mail

¿What is this about?

Latest Geo-Tweets

Tuesday, 07 May 2019 03:43

Accessing data from QGIS Server based on user roles

Written by  German Carrillo
Rate this item
(0 votes)

There is a frequent requirement for geographic web services from institutions dealing with sensitive information: They want their services to be exposed differently to interested parties, according to role permissions configured by the publisher. This post shows you a way to restrict access to your geographic web services in QGIS Server.

 

 

QGIS Server installation on Windows

To run QGIS Server on Windows you need to install a web server like Apache or NGINX. This post won't deal with this installation in depth, so if you know about web servers and their configuration, great! If you don't, but you still want to follow this post in your own computer, you have basically two options:

 

1. Download OSGeo4W for 64 bits and follow the instructions in the QGIS docs, or,

2. Download OSGeo4W for 32 bits (yeah, you read it well). The 32 bits OSGeo4W installer includes Apache, so for this demo you could use just that. Of course, in your production environment you should definitely use packages for 64 bits.

 

Keep in mind that this post is based on paths for the option 2. That means, if you choose the 64 bits installer, you should be careful with the paths that involve OSGeo4W directories.

If you go for the 32 bits package, once you download and execute OSGeo4W for 32 bits, choose 3 packages for installation: Apache 2, QGIS LTR and QGIS Server LTR. Once installed, reboot your system and run ApacheMonitor.exe placed in C:/OSGeo4W/apache/bin/ApacheMonitor.exe, which allows us to control the Apache server status from the task bar.

Apache Mnitor in the task bar.

(Try to ignore the "Activate Windows" message in the picture, it's just that I never use it :P)

 

Publishing a geographic web service

For a brief introduction on how QGIS Server works and what it is capable of, you could read these presentations: Introduction to QGIS Server and QGIS Server Workshop.

 

QGIS Server needs a QGS/QGZ project. For a quick demo you can download a project and its corresponding data from this link.

Download the folder and extract its contents in C:/ so that you can access C:/qgis\\projects\\catastro.qgz and C:/qgis\\projects\\datos_catastro_taller_qgis_server.gpkg files locally.

 

Now that the QGIS project and the data are placed in that specific folder (it is a folder chosen for this demo, you could actually use other paths in you server), you can go to the following URL in your web browser:

http://localhost/qgis-ltr/qgis_mapserv.fcgi.exe?MAP=C:\qgis\projects\catastro.qgz&SERVICE=WMS&VERSION=1.3.0&REQUEST=GetCapabilities

This is a WMS GetCapabilities request, so we expect a XML document as response. If you get something like this, then your QGIS Server is up and accepting requests!

 

Is it that easy? Really?

Yeap! Well, you should also know about a configuration file that tells Apache to execute QGIS Server each time someone calls

http://localhost/qgis-ltr/qgis_mapserv.fcgi.exe?

This file is in C:/OSGeo4W/httpd.d/httpd_qgis-ltr.conf

 

If you're interested in it, you can skim such file and see that there are also some environment variables that are set each time Apache starts. We will be replacing such file with more advanced configurations later in this post, so keep it in mind.

 

Where is the data?

You can use QGIS desktop as a client for the data QGIS Server is serving.

Open QGIS desktop, go to Layer --> Data Source Manager --> WMS/WMTS and add a new service with the URL

http://localhost/qgis-ltr/qgis_mapserv.fcgi.exe?MAP=C:\qgis\projects\catastro.qgz&

Choose a name for it, I'll just use wms_cadastre

Additionally, check the "Ignore axis orientation (WMS 1.3/WMTS)" option and click on the OK button.

In the next dialog, connect to the service, select both layers, choose PNG as output format and change the CRS to "WGS 84 / Pseudo-Mercator" (EPSG: 3857)

Click on the Add button to add the layers into QGIS. You should now see something like this:

 

But, who chose that symbology for the data?

The publisher sets layer symbology and other important configurations. You should configure your data and your project in QGIS (desktop) before publishing it through QGIS Server. This post won't cover that topic, but you can read more about it in the QGIS docs.

 

Enabling Python plugins for QGIS Server

To make QGIS Server load Python plugins we need to:

 

1. Configure a couple of environment variables in the Apache config file: PYTHONPATH and QGIS_PLUGINPATH.

For convenience, we have already set those variables for you in httpd_qgis-ltr_python.conf. Remove the current config file located in C:\OSGeo4W\\httpd.d\\, download the new one from here and place it in the C:\OSGeo4W\\httpd.d\\ folder. Now rename it to httpd_qgis-ltr.conf.

 

If you want, you could open the file and observe the values of PYTHONPATH and QGIS_PLUGINPATH.

 

Restart Apache right now using the ApacheMonitor icon in the task bar. If you have troubles restarting Apache, read the Troubleshooting section at the end of this post.

 

2. Put your QGIS Python plugin in the folder (C:\qgis\\plugins\\) that we just set in the Apache config file.

First, we'll load a "Hello Server" plugin that responds with a custom message any request where the SERVICE parameter is equal to "Hello" (it might be uppercase, lowercase, or any combination).

So, create the C:\qgis\\plugins\\ folder, download this ZIP file and extract its content in C:\qgis\\plugins\\.

Go to a web browser and visit the following URL:

http://localhost/qgis-ltr/qgis_mapserv.fcgi.exe?MAP=C:\qgis\projects\catastro.qgz&SERVICE=HELLO

If everything goes well, instead of a XML you should see this response:

 

Server plugin: Restricting access to a geographic web service

Now that Python plugins are enabled on the server, let's go one step further. QGIS Server allows us to restrict the access to layers, features, attributes and the edit permissions over all of them. Awesome!!!

 

Download the "Control Access" plugin ZIP file from here and extract its content in C:\qgis\\plugins\\

 

By default, the plugin doesn't restrict access over the data. We'll be tweaking the Python code a bit (just a matter of commenting/uncommenting code) to see the plugin in action.

 

Restrict access based on an extent (expression)

Open the file C:\qgis\\plugins\\access_control\\access_control.py, uncomment the line 9 and comment the line 10. We're telling QGIS Server to block any geometry from any layer that does not intersect the bounding box defined by coordinates -8245386.2, 525874.5 and -8245321.2, 525920.4.

After saving the file and restarting Apache (again, if you have troubles restarting it, go to the Troubleshooting section at the end of this post), if we access the service once more we should only see this (the extent in light purple is added just for illustration):