Pentaho Security Implementation



CompBoy
02-01-2006, 11:14 AM
Hi

I am evaluating Pentaho for our use. One of the questions I have not been able to get a feel for is the question of user access and security. I notice that the graphic in the "Create Pentaho Solutions" document indicates "Single Signon" functionality supplied by a third party J2EE function. Can you elaborate on this? Specifically, how do we limit/control user access?

adeshazor
02-01-2006, 12:29 PM
Our demo includes samples of how to integrate the Pentaho platform into a portal strategy/solution. The demo uses the features of JBoss Portal to handle user authentication. The demo also includes samples that use this user information and the secure filter component to limit the report parameter values available to a particular user. The URLs below will provide additional information.

Secure Filter Documentation
http://www.pentaho.org/index.php?option=com_remository&Itemid=275&func=select&id=1

Security Threads in Forums
http://www.pentaho.org/index.php?option=com_simpleboard&Itemid=275&func=view&id=564&catid=32
http://www.pentaho.org/index.php?option=com_simpleboard&Itemid=275&func=view&id=772&catid=3

Anthony

CompBoy
02-20-2006, 12:06 PM
Hi Anthony,

I am trying to come up with a way to limit what options are available to a given user, from the screen. As I understand the way Pentaho works now, a user logs in and sees all available icons in the pentaho-solutions directories. Then when he selects an icon that he does not have access to the data for, he simply does not receive the report. I find this distasteful. Is it possible to set up alternate solution directories, and pass the desired solution directory into Pentaho? This would allow me to set up different solution directories for each group of users, and direct them to those solutions assigned to that group of users.

Seeing as I am not familiar with JBoss Portal, is this something that could be handled at that end?

mbatchelor
02-25-2006, 07:45 PM
Within JBoss Portal, you can assign roles to your various portlets using preferences. Something like this fragment in the portlet.xml:

<portlet>
  <portlet-name>Sample-Secure-Portlet</portlet-name>
  <portlet-class>org.pentaho.ui.portlet.ActionPortlet</portlet-class>
  <!-- ... other stuff defined here for this portlet ... -->
  <portlet-preferences>
    <preference>
      <name>action</name>
      <value>samples/reports/SampleSecure.xaction</value>
    </preference>
    <preference>
      <name>role</name>
      <value>some_report_role,other_role</value>
      <read-only>true</read-only>
    </preference>
  </portlet-preferences>
</portlet>


Then, you can implement an interceptor (org.jboss.portal.server.invocation.Interceptor) that can be used to completely prevent even showing the portlet if the user has no access.

In the interceptor, you would get the preference using the PortletPreferenceSetPlugin (org.jboss.portal.portlet.plugins.preferences.PortletPreferenceSetPlugin),
and then check that the user is in the role with:

theHttpServletRequest.isUserInRole(roleFromPreference)

You can get the HttpServletRequest by calling:

HttpServletRequest req =
    (HttpServletRequest) invocation.getAttachment(PortletKey.DISPATCHED_REQUEST);

There should be samples available on the JBoss web site for doing this kind of thing.

I hope this helps,

Marc
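
Added example (not part of the post above, and not Pentaho or JBoss code): the role preference in the fragment holds a comma-separated list, so the check has to test each entry rather than pass the whole string to isUserInRole. The class name RolePreferenceCheck, the any-of-the-listed-roles rule and the deny-when-missing rule are assumptions; inside an interceptor the second argument would be the request's isUserInRole method.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.function.Predicate;

/** Hypothetical helper: evaluates a comma-separated "role" portlet preference. */
public final class RolePreferenceCheck {

    private RolePreferenceCheck() {}

    /**
     * @param rolePreference raw preference value, e.g. "some_report_role,other_role"
     * @param isUserInRole   role test; in a container pass req::isUserInRole
     * @return true only if the user holds at least one listed role (assumed rule)
     */
    public static boolean isAllowed(String rolePreference, Predicate<String> isUserInRole) {
        // Assumed policy: fail closed, so a portlet without a role preference
        // is hidden rather than shown to every user.
        if (rolePreference == null || isUserInRole == null) {
            return false;
        }
        for (String role : rolePreference.split(",")) {
            String trimmed = role.trim();
            // Skip empty entries produced by stray commas or whitespace.
            if (!trimmed.isEmpty() && isUserInRole.test(trimmed)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample data standing in for HttpServletRequest.isUserInRole.
        Set<String> userRoles = new HashSet<>(Arrays.asList("other_role"));
        Predicate<String> inRole = userRoles::contains;
        String pref = "some_report_role, other_role";

        System.out.println("listed role held:   " + isAllowed(pref, inRole));
        System.out.println("no listed role:     " + isAllowed("some_report_role", inRole));
        System.out.println("only empty entries: " + isAllowed(" , ", inRole));
        System.out.println("preference missing: " + isAllowed(null, inRole));
        // The unsplit string is not itself a role name, so testing it directly fails.
        System.out.println("unsplit string:     " + inRole.test(pref));
    }
}
```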

gskohner
03-24-2006, 11:02 AM
Thanks Marc,

You seem to have all the answers. Do you envision a wrapper for the functionality that you describe? For example, if the Solution Engine could run with the web user's credentials when a "run as web user" tag is set in the xaction?

I am sure that this would cause other problems, but it seems like we all want to go beyond "secure filters" to secure "solution execution".