Project: QGIS

Version: 2.12.0

Feature: Encrypted password management

QGIS 2.12 introduces a new authentication system (see PR 2330, QEP 14). Here's what is included:

  • Master-password-encrypted authentication configurations stored in an SQLite database
  • Authentication method plugin architecture (like data providers)
  • Basic auth method plugin
  • Basic plugin integrated with PostGIS and OWS provider connections
  • Inline with current username/password setup (still fully functional)
  • SSL server connection configurations (save exceptions or custom configs for SSL connection errors)

PKI authentication related:

  • Import extra Certificate Authorities, intermediate cert issuers and personal identity bundles
  • Manage certificate components like in Firefox
  • Authentication method plugins for PEM and PKCS#12 bundles on disk, and for stored personal identities
  • Integrated with OWS provider connections (PostGIS and other databases will take a bit more work)

For shared project scenarios, including a network drive setup, you can edit the authentication configuration (authcfg) ID to something that is shared across users.

Since the authcfg ID is embedded in the project file, each user just needs to make an auth config that has their specific credentials for that resource, then edit the ID (upon creation of config or after) to the same ID in the project file. Then, when the resource loads, the same configuration will be queried on everyone's QGIS, just with their respective credentials for the authentication method used.

For the Handle Bad Layers dialog, users can Add/Edit/Remove auth configs within the dialog and have the data source URI updated to match. So, in the scenario of a shared project, the user could immediately add an appropriate new auth config (and see exactly what shared authcfg ID should be used) upon project loading.

Currently, the master password can be set automatically at launch, either via Python or a custom C++ plugin with a call to QgsAuthManager::instance()->setMasterPassword( "mypassword", true ), or by setting the QGIS_AUTH_PASSWORD_FILE environment variable to the path of a file containing the master password.

Note: for Server, you can also use QGIS_AUTH_DB_DIR_PATH to set the path to a qgis-auth.db directory and QGIS_AUTH_PASSWORD_FILE to set the path to a file with the master password on the server.
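Because QGIS_AUTH_PASSWORD_FILE points at a file holding the master password, a pre-launch check of the two paths is worth running under the account that starts QGIS Server. The following is an added example, not QGIS code: the function names and the owner-only, no-symlink policy are assumptions of this example, and it is POSIX-only.

```python
import os
import stat

DB_NAME = "qgis-auth.db"  # assumed to live directly inside QGIS_AUTH_DB_DIR_PATH


def _private(path, want_dir):
    """Findings for one path: must exist, be the right type, and be owner-only."""
    try:
        st = os.lstat(path)  # lstat: a symlink is reported, not followed
    except OSError as exc:
        return [f"{path}: cannot stat ({exc.strerror})"]
    if stat.S_ISLNK(st.st_mode):
        return [f"{path}: is a symlink"]
    ok_type = stat.S_ISDIR(st.st_mode) if want_dir else stat.S_ISREG(st.st_mode)
    if not ok_type:
        return [f"{path}: not a {'directory' if want_dir else 'regular file'}"]
    out = []
    if st.st_mode & 0o077:  # any group or other permission bit
        mode = stat.S_IMODE(st.st_mode)
        out.append(f"{path}: mode {mode:04o} grants group/other access")
    if st.st_uid != os.geteuid():
        out.append(f"{path}: owned by uid {st.st_uid}, not the current user")
    return out


def audit_auth_env(env):
    """Return findings for the server auth variables; an empty list means pass."""
    findings = []
    pw_file = env.get("QGIS_AUTH_PASSWORD_FILE")
    db_dir = env.get("QGIS_AUTH_DB_DIR_PATH")
    if not pw_file:
        findings.append("QGIS_AUTH_PASSWORD_FILE is not set")
    else:
        findings += _private(pw_file, want_dir=False)
    if not db_dir:
        findings.append("QGIS_AUTH_DB_DIR_PATH is not set")
    else:
        findings += _private(db_dir, want_dir=True)
        findings += _private(os.path.join(db_dir, DB_NAME), want_dir=False)
    return findings


if __name__ == "__main__":
    for line in audit_auth_env(os.environ) or ["auth files look private"]:
        print(line)
```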

PKI example docs: https://github.com/dakcarto/QGIS-Enhancement-Proposals/blob/auth-system/extras/auth-system/pkiuser.rst

This feature was developed by: Larry Shaffer

This feature was funded by: Boundless Spatial, Inc.