Hitachi Vantara Pentaho Community Forums
Results 1 to 4 of 4

Thread: Strange behaviour and security issue with mondrian roles and pentaho ACLs

  1. #1

    Exclamation Strange behaviour and security issue with mondrian roles and pentaho ACLs

    To sum up, the problem is that, if a user has no pentaho ACL access to a schema file “.xml”, Mondrian doesn't make any checking of roles in the schema and the user can see everything, as if the roles didn't exist. If I give pentaho ACL access to the file, Mondrian do the checking and apply roles. Just the other way round.


    It is very strange, not expected, and a security problem.

    Do you know what I am doing wrong?

  2. #2

    Default

    Hi, again. Here are the details.

    I have two users: demo and prueba1, with their respective folders in pentaho-solutions. Each user has only pentaho ACLs access in his pentaho-solutions folder. In demo folder there is a schema, published with Schema Workbench, with an entry in datasources.xml. The schema works fine with Saiku and Jpivot.

    I want that only demo user have access to this schema.

    So, with New Analysis and Jpivot everything works fine. The schema .xml is in the demo folder, and when prueba1 user logs in, he doesn't have pentaho access ACLs to the xml file and he can't see the schema in New Analysis.

    I tried the same configuration with Saiku, but I discovered that Saiku doesn't work this way, like Jpivot. Even if a user does not have pentaho access ACLs to the xml file of the schema, he is able to see the schema and its cubes in Saiku. So all users see all schemas whatever pentaho ACLs they have.
    So I tried to set mondrian roles in the schema to grant access with Saiku. I created the role Demo (assigned to demo user). In the schema I gave grant access all to Demo role, and grant access none to Authenticated role, to which all users belong, even prueba1. So it is predictable that Saiku will show the schema to demo user and not to prueba1 user, because he belongs to Authenticated role, and it has grant access none.

    But it doesn't work! Prueba1 user can still see the schema.

    I have discovered that mondrian checks roles for demo user but do not check them for prueba1 user. I can see it in catalina out when I start Saiku with every user, with the message
    “Setting role to datasource:foodmart_es role: Demo, Authenticated”. When I do the same with prueba1 user, no message is generated, and the schema is shown in Saiku.

    And here is the trick! If I set pentaho ACLs access to the xml file of the schema to prueba1 user, everything woks. I can not see the schema with Saiku and prueba1 user, and a message “Setting role to datasource:foodmart_es role: ” appears in catalina.out. But the problem is that now in Jpivot the schema is shown for prueba1 user because he has pentaho ACLs access.

    To sum up, it seems that Saiku does not check mondrian roles if the user has no pentaho ACLs access to the schema xml file, and it could be a security problem.
    Am I doing anything wrong?

    I am using Pentaho BIServer 4.8.0 and I tried with Saiku 2.4 and 2.5

    I think it is an issue of Mondrian, not Saiku. I had a look to mondrian.log. When demo user starts Saiku nothing is in the logs, but when prueba1 user does, in the log appears a lot of messages:

    “Access level ALL granted to cube Ventas because of the grant to schema foodmart_es”

    even if the user has no grant access.

  3. #3
    Join Date
    Mar 2007
    Posts
    142

    Default

    Have you turned on the role mapper in the BI server config?

    ref: http://infocenter.pentaho.com/help/i..._mondrian.html
    Luc Boudreau
    aka. Luc le Magnifique
    aka. Monsieur Oui Oui

    Lead Engineer, Pentaho Corporation
    Web: http://devdonkey.blogspot.com
    Twitter: luclemagnifique
    IRC: Monsieur_Oui_Oui@freenode

  4. #4

    Default

    Hi Luc,

    I have set up One-To-One UserRoleMapper.

    If a user has no pentaho ACL access to a schema file “.xml”, Mondrian (or Saiku) doesn't make any checking of roles in the schema and the user can see everything, as if the roles didn't exist. If I give pentaho ACL access to the file, Mondrian (or Saiku) do the checking and apply roles. Just the other way round as expected.

    Fernando

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
Privacy Policy | Legal Notices | Safe Harbor Privacy Policy

Copyright © 2005 - 2019 Hitachi Vantara Corporation. All Rights Reserved.