Hitachi Vantara Pentaho Community Forums

Thread: metadataService security issue

  1. #1 (Join Date: Aug 2013, Posts: 7)

    metadataService security issue

    I am trying to use the pir.html web service to view Interactive Reports (IRs) Anonymously (without requiring Authentication). I am currently using three separate Pentaho environments (dev/QA/prod), and their security settings are exactly the same on all three servers; however, I am only able to successfully view IRs Anonymously on our test environment. By security settings, I am referring to the ObjectDefinitionSource property in the filterInvocationInterceptor bean in /pentaho-solutions/system/applicationContext-spring-security.xml, as well as the <data-access-view-roles> & <data-access-roles> properties in /system/data-access/settings.xml, and a few other settings that I don't think are relevant to this discussion.

    Now, the issue...

    Our solution uses a metadata datasource to (mostly) drive our Reports/Dashboards, which is configured with the proper Role restrictions such that Dashboards using the metadata model have no issues being viewed Anonymously; it's only when I attempt to generate reports using specifically the pir.html content-generator that I get errors (When I instead generate Interactive Reports via the /pentaho-solutions/system/reporting/reportviewer/ content-generator the reports actually display).

    It's got to be the /ws-run/metadataService web-service (/pentaho-solutions/common-ui/) that's causing this problem - actually, I know it's the metadataService call that's causing the issue because running it manually, and UNAUTHENTICATED, produces the following


    from DEV environment (where the issue resides):

    http://bidev01:8080/pentaho/content/...=1377275290614


    outputs:
    Code:
    <ns:listBusinessModelsResponse/>
    This output is not valid, because when I run the same URL but as an AUTHENTICATED user, I get:

    http://bidev01:8080/pentaho/content/...=1377275290614

    outputs:
    Code:
    <ns:listBusinessModelsResponse>
      <return type="org.pentaho.common.ui.metadata.model.impl.ModelInfo">
        <domainId>admin/resources/metadata/ALL_REQUESTS.xmi</domainId>
        <modelDescription>This is the data model for ALL_REQUESTS</modelDescription>
        <modelId>MODEL_1</modelId>
        <modelName>ALL_REQUESTS</modelName>
      </return>
      <return type="org.pentaho.common.ui.metadata.model.impl.ModelInfo">
        <domainId>steel-wheels/metadata.xmi</domainId>
        <modelDescription>This model contains information about Employees.</modelDescription>
        <modelId>BV_HUMAN_RESOURCES</modelId>
        <modelName>Human Resources</modelName>
      </return>
      ....
    </ns:listBusinessModelsResponse>
    On my QA server (where this problem does not reside) I am able to make this web service call either Anonymously or Authenticated and get the same (valid!) results. The ObjectDefinitionSource property in ApplicationContext-spring-security looks like this:

    Code:
    \A/content/iadhoc.*\Z=Anonymous,PentahoUsers,PentahoAdmins
    \A/content/ws-run/metadataservice.*\Z=Anonymous,PentahoUsers,PentahoAdmins
    \A/content/ws-run/metadataserviceda.*\Z=Anonymous,PentahoUsers,PentahoAdmins
    \A/content/ws-run/interactiveadhocservice.*\Z=Anonymous,PentahoUsers,PentahoAdmins
    \A/content/ws-run/usersettingservice.*\Z=Anonymous,PentahoUsers,PentahoAdmins
    \A/content/pentaho-interactive-reporting.*\Z=Anonymous,PentahoUsers,PentahoAdmins
    \A/viewaction?.*\Z=Anonymous,PentahoUsers,PentahoAdmins
    \A/content/viz-crossfilter/.*\Z=Anonymous,PentahoUsers,PentahoAdmins
    \A/content/viz-sunburst/.*\Z=Anonymous,PentahoUsers,PentahoAdmins
    \A/content/viz-funnel/.*\Z=Anonymous,PentahoUsers,PentahoAdmins
    \A/content/viz-calendar/.*\Z=Anonymous,PentahoUsers,PentahoAdmins
    \A/getresource.*\Z=Anonymous,PentahoUsers,PentahoAdmins
    \A/content/pentaho-cdf.*solution.public.*\Z=Anonymous,PentahoUsers,PentahoAdmins
    \A/pivot.*\Z=Anonymous,PentahoUsers,PentahoAdmins
    \A/content/pentaho-cdf.*.js.*\Z=Anonymous,PentahoUsers,PentahoAdmins
    \A/content/pentaho-cdf.*.resources.*\Z=Anonymous,PentahoUsers,PentahoAdmins
    \A/content/pentaho-cdf.*.resource.*\Z=Anonymous,PentahoUsers,PentahoAdmins
    \A/content/pentaho-cdf/storage.*.action.*\Z=Anonymous,PentahoUsers,PentahoAdmins
    \A/content/cda/doquery.*\Z=Anonymous,PentahoUsers,PentahoAdmins
    \A/content/dashboards.*\Z=Anonymous,PentahoUsers,PentahoAdmins
    \A/content/analyzer/viewer.*.solution.*.public.*.path.*\Z=Anonymous,PentahoUsers,PentahoAdmins
    \A/content/analyzer/viewer.*.solution=Public.*\Z=Anonymous,PentahoUsers,PentahoAdmins
    \A/content/analyzer/viewer.*solution.*Public.*\Z=Anonymous,PentahoUsers,PentahoAdmins
    \A/content/analyzer/editor.*command.*solution=public.*action.*\Z=Anonymous,PentahoUsers,PentahoAdmins
    \A/content/analyzer/editor.*command=open.*solution=Public.*path.*action.*\Z=Anonymous,PentahoUsers,PentahoAdmins
    \A/viewaction.*solution=public.*action.*background.*\Z=Anonymous,PentahoUsers,PentahoAdmins
    \A/content/dashboards/theme.*\Z=Anonymous,PentahoUsers,PentahoAdmins
    \A/content/dashboards/resource.*\Z=Anonymous,PentahoUsers,PentahoAdmins
    \A/openflashchart/open-flash-chart-full-embedded-font.swf.*\Z=Anonymous,PentahoUsers,PentahoAdmins
    \A/content/analyzer/webcontext.js.*\Z=Anonymous,PentahoUsers,PentahoAdmins
    \A/content/analyzer/styles.*\Z=Anonymous,PentahoUsers,PentahoAdmins
    \A/mantle/widgets.*\Z=Anonymous,PentahoUsers,PentahoAdmins
    \A/mantle/mantlestyle.*\Z=Anonymous,PentahoUsers,PentahoAdmins
    \A/content/analyzer/scripts.*\Z=Anonymous,PentahoUsers,PentahoAdmins
    \A/js/require.*.js.*\Z=Anonymous,PentahoUsers,PentahoAdmins
    \A/content/reporting.*\Z=Anonymous,PentahoUsers,PentahoAdmins
    \A/content/pentaho-geo/resources/baselayers/baselayers.js.*\Z=Anonymous,PentahoUsers,PentahoAdmins
    \A/content/pentaho-geo/resources/web.*\Z=Anonymous,PentahoUsers,PentahoAdmins
    \A/content/dashboards/script.*\Z=Anonymous,PentahoUsers,PentahoAdmins
    \A/content/common-ui.*\Z=Anonymous,PentahoUsers,PentahoAdmins
    \A/content/webcontext.js.*\Z=Anonymous,PentahoUsers,PentahoAdmins
    \A/content/dashboards.*.command.*\Z=Anonymous,PentahoUsers,PentahoAdmins
    \A/content/dashboards.*.solution.*.public.*\Z=Anonymous,PentahoUsers,PentahoAdmins
    \A/index.jsp.*\Z=Anonymous,PentahoUsers,PentahoAdmins
    \A/viewaction.*solution.Public.*\Z=Anonymous,PentahoUsers,PentahoAdmins
    \A/i18n.*.plugin.*.name.*\Z=Anonymous,PentahoUsers,PentahoAdmins
    \A/.*require-js-cfg.js\Z=Anonymous,PentahoUsers,PentahoAdmins
    \A/webcontext.js.*\Z=Anonymous,PentahoUsers,PentahoAdmins
    \A/content/common-ui/resources/web/cache/cache-service.js.*\Z=Anonymous,PentahoUsers,PentahoAdmins
    \A/cacheexpirationservice.*\Z=Anonymous,PentahoUsers,PentahoAdmins
    \A/js/theme.*\Z=Anonymous,PentahoUsers,PentahoAdmins
    \A/content/common-ui/resources/themes/.*\Z=Anonymous,PentahoUsers,PentahoAdmins
    \A/content/common-ui/resources/web/dojo/djconfig.js.*\Z=Anonymous,PentahoUsers,PentahoAdmins
    \A/content/pentaho-mobile/resources/.*\Z=Anonymous,PentahoUsers,PentahoAdmins
    \A/docs/.*\Z=Anonymous,PentahoUsers,PentahoAdmins
    \A/mantlelogin/.*\Z=Anonymous,PentahoUsers,PentahoAdmins
    \A/mantle/mantleloginservice/*\Z=Anonymous,PentahoUsers,PentahoAdmins
    \A/mantle/.*\Z=PentahoUsers,PentahoAdmins
    \A/welcome/.*\Z=Anonymous,PentahoUsers,PentahoAdmins
    \A/public/.*\Z=Anonymous,PentahoUsers,PentahoAdmins
    \A/login.*\Z=Anonymous,PentahoUsers,PentahoAdmins
    \A/ping/alive.gif.*\Z=Anonymous,PentahoUsers,PentahoAdmins
    \A/j_spring_security_check.*\Z=Anonymous,PentahoUsers,PentahoAdmins
    \A/getimage.*\Z=Anonymous,PentahoUsers,PentahoAdmins
    \A/getresource.*\Z=Anonymous,PentahoUsers,PentahoAdmins
    \A/admin/resources/metadata/.*\Z=Anonymous,PentahoUsers,PentahoAdmins
    \A/admin.*\Z=PentahoAdmins,Anonymous,PentahoUsers
    \A/auditreport.*\Z=PentahoAdmins
    \A/auditreportlist.*\Z=PentahoAdmins
    \A/versioncontrol.*\Z=PentahoAdmins
    \A/propertieseditor.*\Z=PentahoAdmins
    \A/propertiespanel.*\Z=PentahoAdmins
    \A/subscriptionadmin.*\Z=PentahoAdmins
    \A/resetrepository.*\Z=PentahoAdmins
    \A/viewaction.*solution.admin.*\Z=PentahoAdmins
    \A/scheduleradmin.*\Z=PentahoAdmins
    \A/publish.*\Z=PentahoAdmins,PentahoUsers
    \A/logout.*\Z=Anonymous,PentahoAdmins,PentahoUsers
    \A/solutionrepositoryservice.*component=delete.*solution=system.*\Z=Nobody
    \A/solutionrepositoryservice.*solution=system.*component=delete.*\Z=Nobody
    \A/admin.*\Z=PentahoAdmins,Anonymous,PentahoUsers
    ...
    \A/.*\Z=PentahoAdmins,PentahoUsers
    I've attached the output from pentaho.log to this post; anyone have any suggestions? Please, help me!


    TL;DR: metadataService web-service doesn't work UNAUTHENTICATED, and only when trying to view Interactive Reports using pir.html. Dashboards are viewable just fine.

  2. #2 (Join Date: Aug 2013, Posts: 7)

    Fixed!

    Fixed; had to add a few more lines to my filterInvocationInterceptor to grant access to some additional service calls:

    Code:
    \A/content/analyzer/editor.*\Z=PentahoUsers,PentahoAdmins
    \A/content/analyzer/.*\Z=Anonymous,PentahoUsers,PentahoAdmins
    \A/content/metadatamodelssvc?action=listmodels.*\Z=Anonymous,PentahoUsers,PentahoAdmins
    \A/xmla.*\Z=Anonymous,PentahoUsers,PentahoAdmins
    ...
    Coincidentally, this fixed another issue I had been having with trying to view Analyzer reports Anonymously.
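
As an added illustration (not code from this thread or from Pentaho), a small Python evaluator for the rule format posted in #1 and extended in #2. It assumes, as the mixed-case `metadataService` URL against the lowercase `metadataservice` rule suggests, that the interceptor lowercases the request URL including its query string and applies the first regex that matches, so a rule's position relative to the final `\A/.*\Z` catch-all decides what Anonymous can reach, and an unescaped `?` in a rule is a regex quantifier rather than the literal query separator.

```python
import re

# Constructed excerpt of the ObjectDefinitionSource posted in #1, in posted
# order. Assumption: the filterInvocationInterceptor lowercases the request
# (path plus query string) and applies the FIRST regex that matches, so the
# final catch-all decides every URL no earlier rule names.
RULES_BEFORE = r"""
\A/content/ws-run/metadataservice.*\Z=Anonymous,PentahoUsers,PentahoAdmins
\A/content/pentaho-interactive-reporting.*\Z=Anonymous,PentahoUsers,PentahoAdmins
\A/content/common-ui.*\Z=Anonymous,PentahoUsers,PentahoAdmins
\A/auditreport.*\Z=PentahoAdmins
\A/solutionrepositoryservice.*component=delete.*solution=system.*\Z=Nobody
\A/.*\Z=PentahoAdmins,PentahoUsers
"""

# The lines added in #2, kept exactly as posted (note the unescaped '?').
FIX_LINES = r"""
\A/content/analyzer/editor.*\Z=PentahoUsers,PentahoAdmins
\A/content/analyzer/.*\Z=Anonymous,PentahoUsers,PentahoAdmins
\A/content/metadatamodelssvc?action=listmodels.*\Z=Anonymous,PentahoUsers,PentahoAdmins
\A/xmla.*\Z=Anonymous,PentahoUsers,PentahoAdmins
"""

def parse_rules(text):
    """Turn 'regex=Role1,Role2' lines into (compiled regex, roles) pairs."""
    rules = []
    for line in text.strip().splitlines():
        pattern, roles = line.rsplit("=", 1)  # role lists never contain '='
        rules.append((re.compile(pattern), roles.split(",")))
    return rules

def first_match(rules, url):
    """Index and roles of the first rule matching the lowercased URL, or None."""
    url = url.lower()
    for i, (rx, roles) in enumerate(rules):
        if rx.fullmatch(url):
            return i, roles
    return None

def allowed(rules, url, role):
    """True if the first matching rule grants `role` (e.g. 'Anonymous')."""
    hit = first_match(rules, url)
    return hit is not None and role in hit[1]

def insert_above_catchall(base_text, extra_text):
    """Splice new rules in directly above the final catch-all line."""
    lines = base_text.strip().splitlines()
    return "\n".join(lines[:-1] + extra_text.strip().splitlines() + lines[-1:])
```

Running the posted `metadatamodelssvc?action=listmodels` line through it shows that line never matches that URL unless the `?` is written `\?`, so the request falls through to the catch-all. Listing every rule that grants Anonymous before and after a change is the check worth keeping when widening these patterns.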

  3. #3 (Join Date: Aug 2013, Posts: 7)

    I'm still testing this theory, but I believe the problem may have been that my database connections were defined through the application (enterprise-console) and not using JNDI definitions. Will keep this thread posted on my findings, lol.

    Anyone looking at this thread have any insight into whether or not this is a valid theory? Thanks.

Copyright © 2005 - 2019 Hitachi Vantara Corporation. All Rights Reserved.