Hitachi Vantara Pentaho Community Forums

Thread: LDAP configuration migration to Pentaho 5.0.1 CE

  1. #1
    Join Date
    Nov 2013
    Posts
    4

    LDAP configuration migration to Pentaho 5.0.1 CE

    Hi,

    I'm trying to migrate working Pentaho 4.8 LDAP configuration to Pentaho 5.0.1 CE.

    The results so far are proper authentication of users but ACLs settings seem to have a problem.

    Neither users nor admins can create anything (reports/analysis/schedules/folders/etc.).

    Datasource management and Tools menus are also invisible for admins.

    Recreating ACL lists (removing pentaho-solutions/system/jackrabbit/repository/ subfolders) doesn't help.

    Below some pieces of my configuration.

    repository.spring.properties (where myadmin, PentahoAdmins, all_users are LDAP based)

    Code:
    singleTenantAdminDefaultUserName=myadmin
    singleTenantAdminUserName=myadmin
    singleTenantAdminDefaultAuthorityName=PentahoAdmins
    singleTenantAdminAuthorityName=PentahoAdmins
    repositoryAdminUsername=myadmin
    singleTenantAuthenticatedAuthorityName=all_users
    singleTenantAnonymousAuthorityName=Anonymous
    superAdminAuthorityName=PentahoAdmins
    superAdminUserName=myadmin
    systemTenantAdminUserName=myadmin
    systemTenantAdminPassword=mypassword

    security.properties

    Code:
    provider=ldap

    applicationContext-security-ldap.properties, which is working on 4.8 (the only difference is adminRole and adminUser added in 5.0)

    Code:
    contextSource.providerUrl=ldap\://myldap\:389/o\=myorganization,o\=eu
    contextSource.userDn=uid\=ldapread,ou\=generic,o\=myusers,o\=myorganization,o\=eu
    contextSource.password=mypassword
    
    userSearch.searchBase=o\=myusers
    userSearch.searchFilter=(uid\={0})
    
    populator.convertToUpperCase=false
    populator.groupRoleAttribute=cn
    populator.groupSearchBase=ou\=mygroups
    populator.groupSearchFilter=(uniqueMember\={0})
    populator.rolePrefix=
    populator.searchSubtree=true
    
    allAuthoritiesSearch.roleAttribute=cn
    allAuthoritiesSearch.searchBase=ou\=mygroups
    allAuthoritiesSearch.searchFilter=(objectClass\=mygroup)
    
    allUsernamesSearch.usernameAttribute=uid
    allUsernamesSearch.searchBase=o\=myusers
    allUsernamesSearch.searchFilter=(memberOf\=cn\=all_users,ou\=mygroups,o\=myorganization,o\=eu)
    
    adminRole=cn\=PentahoAdmins,ou\=mygroups,o\=myorganization,o\=eu
    adminUser=uid\=myuser,o\=myusers

    data-access/settings.xml

    Code:
    ...
      <!-- roles with data access permissions -->
      <data-access-roles>PentahoAdmins</data-access-roles>
      <!-- users with data access permissions -->
      <!-- <data-access-users></data-access-users> -->
      <!-- roles with datasource view permissions -->
      <data-access-view-roles>all_users,PentahoAdmins</data-access-view-roles>
      <!-- users with datasource view permissions -->
      <!-- <data-access-view-users>suzy</data-access-view-users> -->
      <!-- default view acls for user or role -->
      <data-access-default-view-acls>31</data-access-default-view-acls>
      <data-access-staging-jndi>Hibernate</data-access-staging-jndi>
      <data-access-datasource-solution-storage>admin</data-access-datasource-solution-storage>
    ...

    defaultUser.spring.xml - commented out the content of the defaultUserRoleMappings tag, which contained mappings for suzy, pat, tiffany, etc.

    pentaho.xml - I was trying to add <acl-publisher>, <default-acls>, <acl-voter> and <acl-files> (working for me on Pentaho 4.8) but there was no difference if the config was with or without it.

    applicationContext-spring-security.xml - replaced Admin and Authenticated roles with LDAP based all_users and PentahoAdmins roles inside filterInvocationInterceptor and filterInvocationInterceptorForWS beans but left unchanged inside defaultRole bean.

    While trying to create a folder I get this exception:

    Code:
    org.pentaho.platform.api.repository2.unified.UnifiedRepositoryAccessDeniedException: access denied while creating folder with name "test"

    The strange thing I've noticed while debugging security is that when I log in with the LDAP administrator user account, AbstractSecurityInterceptor shows all the Granted Authorities except for the PentahoAdmins LDAP role, while DefaultLdapAuthoritiesPopulator finds all the LDAP roles.

    URL patterns added based on the content of applicationContext-spring-security.xml:

    Code:
    11:01:46,224 DEBUG [DefaultFilterInvocationDefinitionSource] Added URL pattern: \A/admin.*\Z; attributes: [PentahoAdmins]
    11:01:46,224 DEBUG [DefaultFilterInvocationDefinitionSource] Added URL pattern: \A/auditreport.*\Z; attributes: [PentahoAdmins]
    11:01:46,224 DEBUG [DefaultFilterInvocationDefinitionSource] Added URL pattern: \A/auditreportlist.*\Z; attributes: [PentahoAdmins]
    11:01:46,224 DEBUG [DefaultFilterInvocationDefinitionSource] Added URL pattern: \A/versioncontrol.*\Z; attributes: [PentahoAdmins]
    11:01:46,225 DEBUG [DefaultFilterInvocationDefinitionSource] Added URL pattern: \A/propertieseditor.*\Z; attributes: [PentahoAdmins]
    11:01:46,225 DEBUG [DefaultFilterInvocationDefinitionSource] Added URL pattern: \A/propertiespanel.*\Z; attributes: [PentahoAdmins]
    11:01:46,225 DEBUG [DefaultFilterInvocationDefinitionSource] Added URL pattern: \A/subscriptionadmin.*\Z; attributes: [PentahoAdmins]
    11:01:46,225 DEBUG [DefaultFilterInvocationDefinitionSource] Added URL pattern: \A/resetrepository.*\Z; attributes: [PentahoAdmins]
    11:01:46,225 DEBUG [DefaultFilterInvocationDefinitionSource] Added URL pattern: \A/viewaction.*solution.admin.*\Z; attributes: [PentahoAdmins]
    11:01:46,225 DEBUG [DefaultFilterInvocationDefinitionSource] Added URL pattern: \A/scheduleradmin.*\Z; attributes: [PentahoAdmins]
    11:01:46,225 DEBUG [DefaultFilterInvocationDefinitionSource] Added URL pattern: \A/publish.*\Z; attributes: [PentahoAdmins]
    11:01:46,153 DEBUG [DefaultFilterInvocationDefinitionSource] Added URL pattern: \A/webservices/unifiedrepository\?wsdl.*\Z; attributes: [Anonymous, all_users]
    11:01:46,153 DEBUG [DefaultFilterInvocationDefinitionSource] Added URL pattern: \A/webservices/userrolelistservice\?wsdl.*\Z; attributes: [Anonymous, all_users]
    11:01:46,154 DEBUG [DefaultFilterInvocationDefinitionSource] Added URL pattern: \A/webservices/userroleservice\?wsdl.*\Z; attributes: [Anonymous, all_users]
    11:01:46,154 DEBUG [DefaultFilterInvocationDefinitionSource] Added URL pattern: \A/webservices/authorizationpolicy\?wsdl.*\Z; attributes: [Anonymous, all_users]
    11:01:46,154 DEBUG [DefaultFilterInvocationDefinitionSource] Added URL pattern: \A/webservices/rolebindingdao\?wsdl.*\Z; attributes: [Anonymous, all_users]
    11:01:46,154 DEBUG [DefaultFilterInvocationDefinitionSource] Added URL pattern: \A/webservices/scheduler\?wsdl.*\Z; attributes: [Anonymous, all_users]
    11:01:46,154 DEBUG [DefaultFilterInvocationDefinitionSource] Added URL pattern: \A/webservices/repositorysync\?wsdl.*\Z; attributes: [Anonymous, all_users]
    11:01:46,154 DEBUG [DefaultFilterInvocationDefinitionSource] Added URL pattern: \A/webservices/datasourcemgmtservice\?wsdl.*\Z; attributes: [Anonymous, all_users]
    11:01:46,155 DEBUG [DefaultFilterInvocationDefinitionSource] Added URL pattern: \A/webservices/.*\Z; attributes: [all_users]
    11:01:46,155 DEBUG [DefaultFilterInvocationDefinitionSource] Added URL pattern: \A/api/.*require-js-cfg.js\Z; attributes: [Anonymous, all_users]
    11:01:46,155 DEBUG [DefaultFilterInvocationDefinitionSource] Added URL pattern: \A/api/.*\Z; attributes: [all_users]
    11:01:46,155 DEBUG [DefaultFilterInvocationDefinitionSource] Added URL pattern: \A/plugin/.*\Z; attributes: [all_users]

    Any idea of a possible solution? Am I missing something in my config?

    Best Regards,
    Marcin

  2. #2
    Join Date
    Nov 2013
    Posts
    4


    Quote Originally Posted by mpiatek View Post
    ...
    The strange thing I've noticed while debugging security is that when I log in with the LDAP administrator user account, AbstractSecurityInterceptor shows all the Granted Authorities except for the PentahoAdmins LDAP role, while DefaultLdapAuthoritiesPopulator finds all the LDAP roles.
    ...

    Further investigation shows that after InteractiveAuthenticationSuccessEvent the PentahoAdmins LDAP role on the list of Granted Authorities is replaced by the Administrator role (which is not coming from my LDAP).


    I've tried to modify the repository.spring.properties and applicationContext-spring-security.xml files and replace my LDAP groups with Administrator (despite the documentation, which says to put LDAP group names there) - and everything works fine!


    Is it intended behaviour? A documentation inconsistency or a bug?

  3. #3

    Not working correctly

    Hi,

    I'm trying to run the newest Pentaho 5 CE with LDAP authentication, but I'm not sure it's running OK.
    When you say "I've tried to modify repository.spring.properties and applicationContext-spring-security.xml ...", could you post the content of both files to help me? I'm very confused about LDAP groups with the Administrator role!

    Best regards
    Jordi


    Quote Originally Posted by mpiatek View Post
    Further investigation shows that after InteractiveAuthenticationSuccessEvent the PentahoAdmins LDAP role on the list of Granted Authorities is replaced by the Administrator role (which is not coming from my LDAP).


    I've tried to modify the repository.spring.properties and applicationContext-spring-security.xml files and replace my LDAP groups with Administrator (despite the documentation, which says to put LDAP group names there) - and everything works fine!


    Is it intended behaviour? A documentation inconsistency or a bug?

  4. #4
    Join Date
    Nov 2013
    Posts
    4


    Quote Originally Posted by jcarreras@biton.es View Post
    Hi,

    I'm trying to run the newest Pentaho 5 CE with LDAP authentication, but I'm not sure it's running OK.
    When you say "I've tried to modify repository.spring.properties and applicationContext-spring-security.xml ...", could you post the content of both files to help me? I'm very confused about LDAP groups with the Administrator role!

    Best regards
    Jordi

    Yes, it is confusing... I've just replaced every occurrence of the LDAP group used to identify Pentaho administrators (PentahoAdmins) with Administrator (a Pentaho built-in group?) in the files mentioned above.

    Hope this helps. It's working for me, but I'm still confused whether it is a bug or a documentation inconsistency.

    applicationContext-spring-security.xml - replaced roles: Admin with Administrator (NOT LDAP based!) and Authenticated with the LDAP based all_users

    Code:
    ...
      <bean id="filterInvocationInterceptor"
            class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
        <property name="authenticationManager">
          <ref local="authenticationManager" />
        </property>
        <property name="accessDecisionManager">
          <ref local="httpRequestAccessDecisionManager" />
        </property>
        <property name="objectDefinitionSource">
          <value>
            <!--
                Note - the "=Nobody" below is saying that resource URLs with those
                patterns not be available through a web call.
            -->
            <![CDATA[
    CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    \A/.*require-js-cfg.js\Z=Anonymous,all_users
    \A/js/require.js\Z=Anonymous,all_users
    \A/js/require-cfg.js\Z=Anonymous,all_users
    \A/content/data-access/resources/gwt/.*css\Z=Anonymous,all_users
    \A/webcontext.js.*\Z=Anonymous,all_users
    \A/content/common-ui/resources/web/cache/cache-service.js.*\Z=Anonymous,all_users
    \A/cacheexpirationservice.*\Z=Anonymous,all_users
    \A/js/theme.*\Z=Anonymous,all_users
    \A/content/common-ui/resources/themes/.*\Z=Anonymous,all_users
    \A/content/common-ui/resources/web/dojo/djconfig.js.*\Z=Anonymous,all_users
    \A/content/pentaho-mobile/resources/.*\Z=Anonymous,all_users
    \A/docs/.*\Z=Anonymous,all_users
    \A/mantlelogin/.*\Z=Anonymous,all_users
    \A/mantle/mantleloginservice/*\Z=Anonymous,all_users
    \A/mantle/.*\Z=all_users
    \A/welcome/.*\Z=Anonymous,all_users
    \A/public/.*\Z=Anonymous,all_users
    \A/login.*\Z=Anonymous,all_users
    \A/ping/alive.gif.*\Z=Anonymous,all_users
    \A/j_spring_security_check.*\Z=Anonymous,all_users
    \A/getimage.*\Z=Anonymous,all_users
    \A/getresource.*\Z=Anonymous,all_users
    \A/admin.*\Z=Administrator
    \A/auditreport.*\Z=Administrator
    \A/auditreportlist.*\Z=Administrator
    \A/versioncontrol.*\Z=Administrator
    \A/propertieseditor.*\Z=Administrator
    \A/propertiespanel.*\Z=Administrator
    \A/subscriptionadmin.*\Z=Administrator
    \A/resetrepository.*\Z=Administrator
    \A/viewaction.*solution.admin.*\Z=Administrator
    \A/scheduleradmin.*\Z=Administrator
    \A/publish.*\Z=Administrator
    \A/logout.*\Z=Anonymous
    \A/solutionrepositoryservice.*component=delete.*solution=system.*\Z=Nobody
    \A/solutionrepositoryservice.*solution=system.*component=delete.*\Z=Nobody
    .*system.*pentaho.xml.*=Nobody
    .*system.*applicationcontext.*.xml.*=Nobody
    .*system.*pentahoobjects.spring.xml.*=Nobody
    .*system.*pentahosystemconfig.xml.*=Nobody
    .*system.*adminplugins.xml.*=Nobody
    .*system.*plugin.properties.*=Nobody
    .*system.*sessionstartupactions.xml.*=Nobody
    .*system.*systemlisteners.xml.*=Nobody
    .*system.*hibernate.*=Nobody
    .*system.*birt/.*=Nobody
    .*system.*dialects/.*=Nobody
    .*system.*google/.*=Nobody
    .*system.*jasperreports/.*=Nobody
    .*system.*kettle/.*=Nobody
    .*system.*logs/.*=Nobody
    .*system.*mondrian/.*=Nobody
    .*system.*quartz/.*=Nobody
    .*system.*simple-jndi/.*=Nobody
    .*system.*smtp-email/.*=Nobody
    .*system.*ui/.*=Nobody
    .*system.*\.\./.*=Nobody
    \A/.*\Z=all_users
            ]]>
          </value>
        </property>
      </bean>
    
    
      <bean id="filterInvocationInterceptorForWS" class="org.springframework.security.intercept.web.FilterSecurityInterceptor">
        <property name="authenticationManager">
          <ref local="authenticationManager" />
        </property>
        <property name="accessDecisionManager">
          <ref local="httpRequestAccessDecisionManager" />
        </property>
        <!-- allow anyone to see the wsdl of various services -->
        <property name="objectDefinitionSource">
          <value>
            <![CDATA[CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    \A/webservices/unifiedrepository\?wsdl.*\Z=Anonymous,all_users
    \A/webservices/userrolelistservice\?wsdl.*\Z=Anonymous,all_users
    \A/webservices/userroleservice\?wsdl.*\Z=Anonymous,all_users
    \A/webservices/authorizationpolicy\?wsdl.*\Z=Anonymous,all_users
    \A/webservices/rolebindingdao\?wsdl.*\Z=Anonymous,all_users
    \A/webservices/scheduler\?wsdl.*\Z=Anonymous,all_users
    \A/webservices/repositorysync\?wsdl.*\Z=Anonymous,all_users
    \A/webservices/datasourcemgmtservice\?wsdl.*\Z=Anonymous,all_users
    \A/webservices/.*\Z=all_users
    \A/api/.*require-js-cfg.js\Z=Anonymous,all_users
    \A/api/.*\Z=all_users
    \A/plugin/.*\Z=all_users
          ]]>
          </value>
        </property>
      </bean>
    
    
      <bean id="defaultRole" class="java.lang.String">
        <constructor-arg value="Authenticated" />
      </bean>
    
    
      <bean id="anonymousRole" class="java.lang.String">
        <constructor-arg value="Anonymous" />
      </bean>
    
    
    ...

    repository.spring.properties

    Code:
    singleTenantAdminDefaultUserName=myadmin
    singleTenantAdminUserName=myadmin
    singleTenantAdminDefaultAuthorityName=Administrator
    singleTenantAdminAuthorityName=Administrator
    repositoryAdminUsername=myadmin
    singleTenantAuthenticatedAuthorityName=all_users
    singleTenantAnonymousAuthorityName=Anonymous
    superAdminAuthorityName=Administrator
    superAdminUserName=myadmin
    systemTenantAdminUserName=myadmin
    systemTenantAdminPassword=mypassword

    Also be aware that the content of applicationContext-security-ldap.properties is strictly related to your LDAP server configuration and should be tested with some LDAP client tool first.
    Last edited by mpiatek; 01-12-2014 at 07:57 AM.

  5. #5
    Join Date
    Mar 2013
    Posts
    22


    Can you post your full configuration? I'm trying to migrate just like you from 4.8 to 5.0.1, and when I configure all the LDAP parameters I just get Error 404 in Tomcat. I would appreciate it.

    Edit: I finished configuring like you did, but I just get this error when I launch the platform; checking logs right now...:
    [Attachment: pentaho error.jpg]
    Last edited by alucard1626; 02-04-2014 at 05:07 PM.

  6. #6
    Join Date
    Dec 2013
    Posts
    1


    Quote Originally Posted by alucard1626 View Post
    Can you post your full configuration? I'm trying to migrate just like you from 4.8 to 5.0.1, and when I configure all the LDAP parameters I just get Error 404 in Tomcat. I would appreciate it.

    Edit: I finished configuring like you did, but I just get this error when I launch the platform; checking logs right now...:

    I ran into that same error today when I modified the repositoryAdminUsername setting in repository.spring.properties. I had to set it back to the default pentahoRepoAdmin in order for the application to initialize.


    With regards to this thread, from what I can tell the Pentaho 'Administrator' role is mapped to ldap.adminRole in applicationContext-spring-security-ldap.xml (note: ldap.adminRole is specified in applicationContext-security-ldap.properties). So that could explain why everything started working once you replaced your LDAP PentahoAdmins role with Pentaho's Administrator role. I'm currently configuring LDAP myself and this part was very confusing; however, I'm not even sure if I am correct or not.
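    An added, stand-alone illustration (my own code, not code from the thread or from Pentaho) of what posts #2, #4 and #6 describe: the group named in ldap.adminRole is swapped for the built-in Administrator authority after login, so any URL pattern in filterInvocationInterceptor that still names the LDAP group can never be satisfied. The role swap in map_ldap_roles is an assumption taken from those posts, and the URL map excerpt is constructed from post #4; undefined_roles is the pre-deployment check that catches the mismatch.

```python
import re
from typing import List, Set, Tuple

# Constructed excerpt of the objectDefinitionSource text from post #4:
# the mapping that failed (admin URLs bound to the LDAP group name) ...
URL_MAP_LDAP_GROUP = r"""
CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
\A/mantlelogin/.*\Z=Anonymous,all_users
\A/mantle/.*\Z=all_users
\A/admin.*\Z=PentahoAdmins
\A/solutionrepositoryservice.*component=delete.*solution=system.*\Z=Nobody
\A/.*\Z=all_users
"""
# ... and the one that worked once the built-in role name was used instead.
URL_MAP_BUILTIN = URL_MAP_LDAP_GROUP.replace("=PentahoAdmins", "=Administrator")

Entry = Tuple[re.Pattern, Set[str]]


def parse_object_definition_source(text: str) -> List[Entry]:
    """Parse 'regex=role1,role2' lines in order; the first matching pattern wins."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON":
            continue
        pattern, _, roles = line.rpartition("=")  # role names never contain '='
        entries.append((re.compile(pattern), {r.strip() for r in roles.split(",")}))
    return entries


def map_ldap_roles(ldap_groups: Set[str], admin_role_dn: str) -> Set[str]:
    """Assumed model (from the thread, not Pentaho's own code) of the role mapping
    the posts observed: the group named by ldap.adminRole is replaced by the
    built-in 'Administrator' authority after InteractiveAuthenticationSuccessEvent."""
    admin_cn = admin_role_dn.split(",")[0].split("=", 1)[1]
    return {"Administrator" if g == admin_cn else g for g in ldap_groups}


def decide(url: str, granted: Set[str], entries: List[Entry]) -> str:
    """'granted' if the first matching pattern names any authority the user holds."""
    url = url.lower()  # CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
    for pattern, required in entries:
        if pattern.search(url):
            return "granted" if granted & required else "denied"
    return "denied"


def undefined_roles(entries: List[Entry], known_roles: Set[str]) -> Set[str]:
    """Config check: roles referenced by the URL map that no login can ever hold."""
    return {r for _, required in entries for r in required} - known_roles


if __name__ == "__main__":
    ldap_groups = {"PentahoAdmins", "all_users"}  # what the populator returned
    admin_dn = "cn=PentahoAdmins,ou=mygroups,o=myorganization,o=eu"  # adminRole
    granted = map_ldap_roles(ldap_groups, admin_dn)
    known = granted | {"Anonymous", "Nobody"}
    for name, text in (("ldap-group", URL_MAP_LDAP_GROUP), ("built-in", URL_MAP_BUILTIN)):
        entries = parse_object_definition_source(text)
        print(name, "/admin ->", decide("/admin", granted, entries),
              "| unreachable roles:", undefined_roles(entries, known))
```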

  7. #7
    Join Date
    Mar 2013
    Posts
    22


    Quote Originally Posted by DanLake View Post
    I ran into that same error today when I modified the repositoryAdminUsername setting in repository.spring.properties. I had to set it back to the default pentahoRepoAdmin in order for the application to initialize.


    With regards to this thread, from what I can tell the Pentaho 'Administrator' role is mapped to ldap.adminRole in applicationContext-spring-security-ldap.xml (note: ldap.adminRole is specified in applicationContext-security-ldap.properties). So that could explain why everything started working once you replaced your LDAP PentahoAdmins role with Pentaho's Administrator role. I'm currently configuring LDAP myself and this part was very confusing; however, I'm not even sure if I am correct or not.

    Well... yeah, that solved it, but now I get the HTTP 404 status from before... As you said, Pentaho "Administrator" seems to be mapped to the repository.

    EDIT: Checking logs, I found this error in my catalina logs:

    feb 10, 2014 9:11:24 AM org.apache.catalina.startup.ContextConfig validateSecurityRoles
    Información: ATENCIÓN: El nombre de papel de seguridad PENTAHO-ADMIN es usado en un <auth-constraint> sin haber sido definido en <security-role>
    feb 10, 2014 9:11:59 AM org.apache.catalina.core.StandardContext start
    Grave: Error listenerStart

    I don't really understand what I'm missing; can someone help me?
    Last edited by alucard1626; 02-10-2014 at 11:26 AM.

  8. #8
    Join Date
    Jan 2013
    Posts
    101


    Hi,

    I'm trying to implement LDAP for users to log in. I don't see the option described in the security_guide.pdf:

    From User Console Home menu, click Administration, then select Authentication from the left.

    I only see Users and Roles, Mail Server and Settings. What am I missing?

    Mike

  9. #9
    Join Date
    Mar 2013
    Posts
    22


    Quote Originally Posted by arcelio1023 View Post
    Hi,

    I'm trying to implement LDAP for users to log in. I don't see the option described in the security_guide.pdf:

    From User Console Home menu, click Administration, then select Authentication from the left.

    I only see Users and Roles, Mail Server and Settings. What am I missing?

    Mike

    Are you deploying Pentaho EE? Because the security guide is for the Enterprise version, not the Community version.

  10. #10
    Join Date
    Jan 2013
    Posts
    101


    I wish I had EE. I'm using Community. Do I have to use the manual method?

    Mike
