Enhancing Security in "Add Data from Path" Tool in ArcGIS Pro
Executive Summary:
This proposal advocates for the enhancement of the "Add Data from Path" tool in ArcGIS Pro to support API keys and other parameters in the header for added security and to introduce key-store support. These enhancements are critical to ensuring ArcGIS Pro remains a leader in GIS technology, meeting the evolving needs of a diverse and security-conscious user base. As a case study, the Open Source Software QGIS, which already provides this functionality, is examined to illustrate the benefits and feasibility of these enhancements.
Introduction:
ArcGIS Pro is recognized for its powerful capabilities and user-friendly interface. However, as the digital landscape evolves and the demand for robust security measures increases, there is a pressing need to enhance the "Add Data from Path" tool to support more secure data transactions and management. This proposal outlines the benefits and necessity of integrating such features into ArcGIS Pro, drawing insights from the QGIS implementation.
Current Challenges:
- Limited Security in Data Import: The current inability to pass API keys and other parameters in headers when adding data via URLs exposes users to potential security vulnerabilities.
- Lack of Key-Store Support: Without key-store support, users are missing out on a secure method to manage and access cryptographic keys, which is essential for protecting sensitive data.
Case Study: QGIS
- Functionality Overview: QGIS, an open-source GIS software, has successfully implemented the ability to pass API keys and other parameters in headers for secure data transactions. This functionality has been well-received by its user base and is considered a standard feature for modern GIS platforms.
- Security and User Experience: The implementation in QGIS demonstrates an improved security posture and user experience, providing a model for how ArcGIS Pro could similarly benefit from such enhancements.
Proposed Enhancements:
API Key and Header Parameter Support:
- Modify the "Add Data from Path" tool to allow for the secure transmission of API keys and other header parameters, drawing inspiration from the QGIS model.
- Ensure this enhancement aligns with the best practices for API security and data integrity.
Key-Store Support:
- Integrate key-store support to provide a robust method for managing cryptographic keys, further strengthening the security framework of ArcGIS Pro.
Justification:
- Enhanced Security: These enhancements will significantly improve the security of data transactions in ArcGIS Pro, protecting users against unauthorized access and potential data breaches.
- Competitive Edge: By mirroring the functionality present in QGIS, ArcGIS Pro will not only meet but exceed current industry standards, reinforcing its position as a market leader.
- User Trust and Compliance: By offering advanced security features, ArcGIS Pro will attract a broader user base, including industries that handle highly sensitive data, and ensure users comply with various regulatory requirements.
- Future-Proofing: As GIS technology evolves, the integration of secure, cloud-based services and APIs will become increasingly critical. These enhancements will ensure ArcGIS Pro remains relevant and powerful in a rapidly changing digital environment.
Conclusion:
The integration of API key support and key-store functionality into the "Add Data from Path" tool is not just an enhancement; it's a fundamental step toward ensuring that ArcGIS Pro continues to lead the way in secure, user-friendly GIS technology. By adopting these changes, Esri will provide its users with the tools they need to manage their data securely and efficiently, reinforcing its commitment to excellence and innovation.
We urge the Esri Product Development Team to consider this proposal as a priority for the upcoming development cycle. Incorporating insights from the QGIS case study, Esri can enhance its product's security features, thereby demonstrating its commitment to leading the industry in responsible and secure data management.
Thank you for considering this proposal. We look forward to your positive response and are happy to provide any further information or clarification as needed.
Example: QGIS Implementation
Just want to check if you got a chance to check this out. Please let us know if this doesn't work for you.
Please read "Custom request parameters" section in this help doc: https://pro.arcgis.com/en/pro-app/2.9/help/mapping/layer-properties/add-layers-to-a-map.htm#ESRI_SEC...
@TanuHoque
The current functionality does not support:
- Passing variables Authorization information properly into the headers for WMS and XYZ Tile urls.
- XYZ Tile Urls are not supported for passing request params as there is no option in the dropdown for XYZ Tile Urls.
- Allowing the end-user to update/edit the results after saving
- Keystore system. Note the QGIS example image above. The Authentication configuration can be saved securely and updated as required.
Let's start with WMS and XYZ Tiles
The typical approach for securely passing api keys in get and post requests is via the `Authorization` parameter. This key first followed by a string value of `bearer` or a custom string such as `Apikey` and then the `API_Key`. (Note: Passing keys securely via this method works in QGIS for WMS and XYZ)
curl "https://api.nearmap.com/tiles/v3/VERTICAL/{z}/{x}/{y}.jpg" \
-H "Content-Type: application/json" \
-H "Authorization: ApiKey YOUR_API_KEY_HERE" \
-o "tile.jpg"
Additionally, other params can be passed in the header such as `since` depending on the APIs supported functionality:
curl "https://api.nearmap.com/tiles/v3/VERTICAL/{z}/{x}/{y}.jpg" \
-H "Content-Type: application/json" \
-H "Authorization: ApiKey YOUR_API_KEY_HERE" \
-H "since: 2022-02-10" \
-o "tile.jpg"
Testing in QGIS:
- The method works as expected and even saves and lets me update the API key and additional arguments.
Testing in ArcGIS Pro:
1.) Custom request params are not supported fro ZYX tiles so i tried passing through XYZ into ArcGIS Server Web Service and WMS and no luck. So the method does not even currently exist in a way that ensures API keys are securely handled.
I fully understand it's possible to pass the api key directly in the path and the params for xyz tiles however this does not bode well for security.
example:
https://api.nearmap.com/tiles/v3/{tileResourceType}/{z}/{x}/{y}.{format}?apikey={YOUR_API_KEY}
Now for WMS.
Following the same method in QGIS i can reuse that same API key header information and then add additional key and value pairs for the request.
Using WMS OGC Web Service in ArcGIS Pro does not support passing the Authorization.
Additionally I am unable to pass the additional key and value pairs in the url.
In conclusion, the above should address the challenges and considerations involved in securely passing, editing, and storing authorization details for WMS and XYZ Tile URLs in ArcGIS Pro.