[Mondrian] XMLA Security roles



Pedro Casals
02-28-2007, 05:40 AM
Hi!

I cannot make security roles work properly when making a query through XMLA (it works OK if the query is done through mondrianQuery tag).
In mondrian.xmla.impl.DefaultXmlaServlet.handleSoapBody I can see this code:
    // use context variable `role' as this request's XML/A role
    XmlaRequest xmlaReq = new DefaultXmlaRequest(xmlaReqElem,
        (String) context.get(CONTEXT_ROLE));

However, I do not see where this context is filled besides in handleSoapHeader. The handleSoapHeader function only puts these keys: CONTEXT_XMLA_SESSION_ID, CONTEXT_XMLA_SESSION_STATE.

One question more: If security is not implemented I would do it. I have read XMLA 1.1 spec and I could not see where to define the role in the SOAP message. Should it be defined as a restriction?

Thanks in advance for your answer

Pedro




Julian Hyde
02-28-2007, 06:21 AM
From: Pedro Casals

> I cannot make security roles work properly when making a query through
> XMLA (it works OK if the query is done through mondrianQuery tag).
> In mondrian.xmla.impl.DefaultXmlaServlet.handleSoapBody I can see this
> code:
>     // use context variable `role' as this request's XML/A role
>     XmlaRequest xmlaReq = new DefaultXmlaRequest(xmlaReqElem,
>         (String) context.get(CONTEXT_ROLE));
>
> However, I do not see where this context is filled besides in
> handleSoapHeader. The handleSoapHeader function only puts these keys:
> CONTEXT_XMLA_SESSION_ID, CONTEXT_XMLA_SESSION_STATE.


I think you're right. Whoever wrote DefaultXmlaServlet put in a hook to
use the suggested role if it is present... but it is up to the XMLA
client to set it as an attribute in the HTTP header.


> One question more: If security is not implemented I would do it. I have
> read XMLA 1.1 spec and I could not see where to define the role in the
> SOAP message. Should it be defined as a restriction?


The XMLA request should specify the user (probably as part of the HTTP
header, NOT part of the XML). I know Pentaho Spreadsheet Services does
this, for example.

The XmlaHandler should then resolve the user to a role (to be precise,
the user and the schema resolve to a role -- a user might run under
different roles in different schemas). We have discussed extending
XmlaHandler to use a plugin user-to-role resolver running off JNDI or
JAAS or extra information we might add extra fields to datasources.xml
to define authentication and access-control lists.

(I can't find that discussion right now... anyone??)

Julian

_______________________________________________
Mondrian mailing list
Mondrian (AT) pentaho (DOT) org
http://lists.pentaho.org/mailman/listinfo/mondrian
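
Added example, not part of the original thread and not Mondrian code: a sketch of the user-to-role resolution described in the reply above, where the authenticated user and the schema resolve to a role and a client-suggested role is accepted only if that user holds it in that schema. The class RoleResolver, its methods and the sample grants are hypothetical; only CONTEXT_ROLE comes from the thread.

```java
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/** Hypothetical resolver (not a Mondrian class): (schema, user) -> role. */
public class RoleResolver {
    // schema -> user -> roles that user may run under in that schema
    private final Map<String, Map<String, List<String>>> acl = new HashMap<>();

    public void grant(String schema, String user, String... roles) {
        acl.computeIfAbsent(schema, s -> new HashMap<>()).put(user, List.of(roles));
    }

    /**
     * user: the authenticated principal (for example the value of
     * HttpServletRequest.getRemoteUser()), not a name taken from the XML body.
     * suggestedRole: role named by the client, or null.
     * Returns the role to store under CONTEXT_ROLE; fails closed otherwise.
     */
    public String resolve(String schema, String user, String suggestedRole) {
        if (schema == null || user == null) {
            throw new SecurityException("unauthenticated request");
        }
        List<String> allowed =
            acl.getOrDefault(schema, Map.of()).getOrDefault(user, List.of());
        if (allowed.isEmpty()) {
            throw new SecurityException(user + " has no role in schema " + schema);
        }
        if (suggestedRole == null) {
            return allowed.get(0); // first granted role is the default
        }
        if (!allowed.contains(suggestedRole)) {
            throw new SecurityException(user + " may not use role " + suggestedRole);
        }
        return suggestedRole;
    }

    public static void main(String[] args) {
        RoleResolver r = new RoleResolver();
        // Constructed sample grants; schema, user and role names are made up.
        r.grant("FoodMart", "alice", "California manager", "No HR Cube");
        r.grant("Sales", "alice", "Analyst");
        System.out.println(r.resolve("FoodMart", "alice", null));
        System.out.println(r.resolve("Sales", "alice", null));
        try {
            r.resolve("Sales", "alice", "California manager"); // role held only in another schema
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```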

Pedro Casals
02-28-2007, 02:20 PM
Thanks Julian,

I'll write a callback to process the HTTP header (and go thru jpivot xmla client to see if I can put this header). The first question right now is: A callback should implement the XmlaRequestCallback interface. But where and how do I define the callback? Could you give me an example, please?

thanks in advance

Pedro


Julian Hyde
02-28-2007, 05:40 PM
Pedro,

There are no instructions! But I've found out a little by reading the
code.

There are 3 classes which implement the callback interface, all of them
in the test suite.

If you implement your own callback, you may find it useful to also write
new classes

* mondrian.xmla.DefaultRequestCallback (which does nothing for
  each method) and make your implementation derive from that. (This will
  help protect your code against future changes to this interface.)
* mondrian.xmla.DelegatingRequestCallback which implements each
  method by passing each request to a 'parent' callback object. This
  implements the 'decorator' pattern, and allows people to chain
  callbacks.

Put your callback into mondrian.xmla.impl package. Other people will use
it if it is useful!

To register a callback: it looks like callback class names are registered
in web.xml. I imagine that the class needs a special constructor, e.g. a
public constructor with no args. You should be able to figure all this
out by reading XmlaServlet.initCallbacks().

Hopefully you can deduce the rest. I'd be grateful if you could add
instructions on how to write and register a callback into the javadoc of
XmlaRequestCallback, so no one else has to ask this question.

Julian



John V. Sichi
02-28-2007, 05:40 PM
Note: I'm in the middle of reworking the XML/A tests to use
DiffRepository instead of file collections; should be done soon. So
Pedro, before updating the tests, you'll want to sync to the latest I'll
be checking in.

JVS


Haridasan T
03-01-2007, 09:50 AM
Greetings,
I would appreciate it if you could help me connect to an Oracle database from Mondrian.

Which XML files need to be changed?

Thanks

Hari Nair