Hitachi Vantara Pentaho Community Forums
Results 1 to 5 of 5

Thread: Schema grant issue

  1. #1

    Default Schema grant issue

    Dear Forum Members

    I am trying to implement this security options in Mondrian schema and currently am facing issues to get around with it. I am using pentaho biserver 5.0.1 Community edition.

    1) Tried "Listing 6.3. Lookup-map role mapper configuration" as indicated in "Mondrian in Action" document, by editing pentahoObjects.spring.xml as below (un-commented this portion) and restarted the biserver.

    <bean id="Mondrian-UserRoleMapper"
    name="Mondrian-SampleLookupMap-UserRoleMapper"
    class="org.pentaho.platform.plugin.action.mondrian.mapper.MondrianLookupMapUserRoleListMapper"
    scope="singleton">
    <property name="lookupMap">
    <map>
    <entry key="ceo" value="M_CEO" />
    <entry key="cto" value="M_CTO" />
    <entry key="dev" value="M_DEV" />
    <entry key="Power User" value="Power User" />
    </map>
    </property>
    </bean>

    2) Created a user and role (both) named as ceo in Pentaho. Assigned the user ceo with the role ceo in Pentaho.

    3) Designed the Mondrian schema which is working fine when tested through JPivot view / Saiku analytics without adding grants. However when added the following code in Mondrian schema xml file

    <Role name="M_CEO">
    <SchemaGrant access="none">
    </SchemaGrant>
    </Role>


    and while testing through both the visualization tool (Jpivot / saiku), am getting the exception. Pasted below is the exception that I got when using Jpivot view

    --------------------------------------- Exception starts ----------------------------------------------

    10:26:02,242 ERROR [Logger] Error: Pentaho
    10:26:02,244 ERROR [Logger] misc-org.pentaho.platform.plugin.services.connections.mondrian.MDXConnection: MDXConnection.ERROR_0002 - Invalid connection properties: DataSource=Availability Report with Role; PoolNeeded=false; EnableXmla=true; Provider=mondrian; Catalog=mondrian:/Availability Report; Locale=en_US
    org.pentaho.platform.api.engine.PentahoAccessControlException: MondrianOneToOneUserRoleListMapper.ERROR_001_ - Access is denied because the roles of this user don't correspond to any present in the Mondrian schema requested.
    at org.pentaho.platform.plugin.action.mondrian.mapper.MondrianLookupMapUserRoleListMapper.mapRoles(MondrianLookupMapUserRoleListMapper.java:81)
    at org.pentaho.platform.plugin.action.mondrian.mapper.MondrianAbstractPlatformUserRoleMapper.mapConnectionRoles(MondrianAbstractPlatformUserRoleMapper.java:125)
    at org.pentaho.platform.plugin.services.connections.mondrian.MDXConnection.mapPlatformRolesToMondrianRolesHelper(MDXConnection.java:202)
    at org.pentaho.platform.plugin.services.connections.mondrian.MDXConnection.mapPlatformRolesToMondrianRoles(MDXConnection.java:191)
    at org.pentaho.platform.plugin.services.connections.mondrian.MDXConnection.init(MDXConnection.java:236)
    at org.pentaho.platform.plugin.services.connections.mondrian.MDXConnection.init(MDXConnection.java:145)
    at org.pentaho.platform.plugin.services.connections.mondrian.MDXConnection.setProperties(MDXConnection.java:105)
    at org.pentaho.platform.engine.services.connection.PentahoConnectionFactory.getConnection(PentahoConnectionFactory.java:129)
    at org.pentaho.platform.plugin.action.mondrian.MondrianModelComponent.getInitialQuery(MondrianModelComponent.java:120)
    at org.pentaho.platform.plugin.action.mondrian.MondrianModelComponent.getInitialQuery(MondrianModelComponent.java:265)
    at org.pentaho.jpivot.PivotViewComponent.executeAction(PivotViewComponent.java:472)
    at org.pentaho.platform.engine.services.solution.ComponentBase.execute(ComponentBase.java:465)
    at org.pentaho.platform.engine.services.runtime.RuntimeContext.executeComponent(RuntimeContext.java:1313)
    at org.pentaho.platform.engine.services.runtime.RuntimeContext.executeAction(RuntimeContext.java:1279)
    at org.pentaho.platform.engine.services.runtime.RuntimeContext.performActions(RuntimeContext.java:1176)
    at org.pentaho.platform.engine.services.runtime.RuntimeContext.executeLoop(RuntimeContext.java:1122)
    at org.pentaho.platform.engine.services.runtime.RuntimeContext.executeSequence(RuntimeContext.java:1004)
    at org.pentaho.platform.engine.services.runtime.RuntimeContext.executeSequence(RuntimeContext.java:910)
    at org.pentaho.platform.engine.services.solution.SolutionEngine.executeInternal(SolutionEngine.java:386)
    at org.pentaho.platform.engine.services.solution.SolutionEngine.execute(SolutionEngine.java:305)
    at org.pentaho.platform.engine.services.solution.SolutionEngine.execute(SolutionEngine.java:193)
    at org.pentaho.jpivot.AnalysisViewService.getNewAnalysisViewRuntime(AnalysisViewService.java:553)
    at org.pentaho.jpivot.Pivot_jsp._jspService(Pivot_jsp.java:471)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    at org.pentaho.platform.web.servlet.PluginDispatchServlet.service(PluginDispatchServlet.java:89)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.pentaho.platform.web.http.filters.PentahoWebContextFilter.doFilter(PentahoWebContextFilter.java:161)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.pentaho.platform.web.http.filters.PentahoRequestContextFilter.doFilter(PentahoRequestContextFilter.java:83)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:378)
    at org.springframework.security.intercept.web.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:109)
    at org.springframework.security.intercept.web.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
    at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
    at org.springframework.security.ui.ExceptionTranslationFilter.doFilterHttp(ExceptionTranslationFilter.java:101)
    at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
    at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
    at org.springframework.security.providers.anonymous.AnonymousProcessingFilter.doFilterHttp(AnonymousProcessingFilter.java:105)
    at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
    at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
    at org.springframework.security.ui.basicauth.BasicProcessingFilter.doFilterHttp(BasicProcessingFilter.java:174)
    at org.pentaho.platform.web.http.security.PentahoBasicProcessingFilter.doFilterHttp(PentahoBasicProcessingFilter.java:88)
    at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
    at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
    at org.springframework.security.context.HttpSessionContextIntegrationFilter.doFilterHttp(HttpSessionContextIntegrationFilter.java:235)
    at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
    at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
    at org.pentaho.platform.web.http.filters.HttpSessionPentahoSessionIntegrationFilter.doFilter(HttpSessionPentahoSessionIntegrationFilter.java:265)
    at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
    at org.springframework.security.wrapper.SecurityContextHolderAwareRequestFilter.doFilterHttp(SecurityContextHolderAwareRequestFilter.java:91)
    at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
    at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
    at org.springframework.security.util.FilterChainProxy.doFilter(FilterChainProxy.java:175)
    at org.springframework.security.util.FilterToBeanProxy.doFilter(FilterToBeanProxy.java:99)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.pentaho.platform.web.http.filters.SystemStatusFilter.doFilter(SystemStatusFilter.java:59)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.pentaho.platform.web.http.filters.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:112)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.pentaho.platform.web.http.filters.WebappRootForwardingFilter.doFilter(WebappRootForwardingFilter.java:66)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:470)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:861)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:606)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
    at java.lang.Thread.run(Unknown Source)
    10:26:02,260 ERROR [Logger] Error end:
    10:26:02,266 ERROR [Logger] misc-MondrianModelComponent: MondrianModel.ERROR_0001 - getInitialQuery(): Connection is not valid: {DataSource=Availability Report with Role, PoolNeeded=false, EnableXmla=true, Provider=mondrian, Catalog=mondrian:/Availability Report}
    10:26:02,267 ERROR [PivotViewComponent] ce40ef71-92d8-11e3-aa3b-00059a3c7800:COMPONENT:context-705053096-1392094562220:PivotView.ERROR_0010 - !PivotView.ERROR_0010_QUERY_GENERATION_FAILED!
    10:26:02,295 ERROR [SolutionEngine] ce40ef71-92d8-11e3-aa3b-00059a3c7800:SOLUTION-ENGINE:default.xjpivot: Action Sequence execution failed, see details below
    | Error Time: Tuesday, February 11, 2014 10:26:02 AM IST
    | Session ID: admin
    | Instance Id: ce40ef71-92d8-11e3-aa3b-00059a3c7800
    | Action Sequence:
    | Execution Stack:
    EXECUTING ACTION: Pivot View (PivotViewComponent)
    | Action Class: PivotViewComponent
    | Action Desc: Pivot View
    | Loop Index: 0
    Stack Tracerg.pentaho.platform.api.engine.ActionExecutionException: RuntimeContext.ERROR_0017 - Action failed to execute
    at org.pentaho.platform.engine.services.runtime.RuntimeContext.executeComponent(RuntimeContext.java:1341)
    at org.pentaho.platform.engine.services.runtime.RuntimeContext.executeAction(RuntimeContext.java:1279)
    at org.pentaho.platform.engine.services.runtime.RuntimeContext.performActions(RuntimeContext.java:1176)
    at org.pentaho.platform.engine.services.runtime.RuntimeContext.executeLoop(RuntimeContext.java:1122)
    at org.pentaho.platform.engine.services.runtime.RuntimeContext.executeSequence(RuntimeContext.java:1004)
    at org.pentaho.platform.engine.services.runtime.RuntimeContext.executeSequence(RuntimeContext.java:910)
    at org.pentaho.platform.engine.services.solution.SolutionEngine.executeInternal(SolutionEngine.java:386)
    at org.pentaho.platform.engine.services.solution.SolutionEngine.execute(SolutionEngine.java:305)
    at org.pentaho.platform.engine.services.solution.SolutionEngine.execute(SolutionEngine.java:193)
    at org.pentaho.jpivot.AnalysisViewService.getNewAnalysisViewRuntime(AnalysisViewService.java:553)
    at org.pentaho.jpivot.Pivot_jsp._jspService(Pivot_jsp.java:471)
    at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    at org.pentaho.platform.web.servlet.PluginDispatchServlet.service(PluginDispatchServlet.java:89)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.pentaho.platform.web.http.filters.PentahoWebContextFilter.doFilter(PentahoWebContextFilter.java:161)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.pentaho.platform.web.http.filters.PentahoRequestContextFilter.doFilter(PentahoRequestContextFilter.java:83)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:378)
    at org.springframework.security.intercept.web.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:109)
    at org.springframework.security.intercept.web.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
    at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
    at org.springframework.security.ui.ExceptionTranslationFilter.doFilterHttp(ExceptionTranslationFilter.java:101)
    at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
    at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
    at org.springframework.security.providers.anonymous.AnonymousProcessingFilter.doFilterHttp(AnonymousProcessingFilter.java:105)
    at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
    at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
    at org.springframework.security.ui.basicauth.BasicProcessingFilter.doFilterHttp(BasicProcessingFilter.java:174)
    at org.pentaho.platform.web.http.security.PentahoBasicProcessingFilter.doFilterHttp(PentahoBasicProcessingFilter.java:88)
    at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
    at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
    at org.springframework.security.context.HttpSessionContextIntegrationFilter.doFilterHttp(HttpSessionContextIntegrationFilter.java:235)
    at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
    at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
    at org.pentaho.platform.web.http.filters.HttpSessionPentahoSessionIntegrationFilter.doFilter(HttpSessionPentahoSessionIntegrationFilter.java:265)
    at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
    at org.springframework.security.wrapper.SecurityContextHolderAwareRequestFilter.doFilterHttp(SecurityContextHolderAwareRequestFilter.java:91)
    at org.springframework.security.ui.SpringSecurityFilter.doFilter(SpringSecurityFilter.java:53)
    at org.springframework.security.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:390)
    at org.springframework.security.util.FilterChainProxy.doFilter(FilterChainProxy.java:175)
    at org.springframework.security.util.FilterToBeanProxy.doFilter(FilterToBeanProxy.java:99)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.pentaho.platform.web.http.filters.SystemStatusFilter.doFilter(SystemStatusFilter.java:59)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.pentaho.platform.web.http.filters.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:112)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.pentaho.platform.web.http.filters.WebappRootForwardingFilter.doFilter(WebappRootForwardingFilter.java:66)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:233)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:470)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:293)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:861)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:606)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:489)
    at java.lang.Thread.run(Unknown Source)

    --------------------------------------- Exception Ends----------------------------------------------

    Please assist me in understanding the concept and resolve this issue.

  2. #2
    Join Date
    Jan 2013
    Posts
    796

    Default

    I could be misremembering, but if you're using roles in the platform then the default will be to deny access, unless the user is associated with a role that has been granted access. Have you tried defining a role with access to your schema?

  3. #3

    Default

    Hi mcampbell

    Thanks for your time. Can you please let me know how to check which roles are provided with grant access to the schema and which roles have been denied to access the schema.

    Quote Originally Posted by mcampbell View Post
    I could be misremembering, but if you're using roles in the platform then the default will be to deny access, unless the user is associated with a role that has been granted access. Have you tried defining a role with access to your schema?

  4. #4
    Join Date
    Jan 2013
    Posts
    796

    Default

    I would try adding a role in your schema which explicitly grants all access, and name it based on one of your mapped roles (e.g. "M_DEV"). Then see whether users in the dev group are able to get access.

  5. #5

    Default

    Thanks a lot, mcampbell. Your reply has contributed a lot. Summarizing the concept so that others might (hopefully) get benefit out of it. Please feedback if the understanding is incorrect. (Below use cases which I have provided is to cover grant working principle with respect to schema level - schema grant)

    1) If a schema has no grant specified, then it is open to all - plain vanilla case
    2) If a schema has grant specified with particular role, say "M_DEV" as access="all", then only the users tagged to the role "M_DEV" can see the schema / cube. Rest of the users, even though an admin cannot see that cube / schema
    3) If a schema has grant specified with particular role, say "M_DEV" as access="none" and no other roles been granted access="all", then no users (not only "M_DEV" but all roles) can see the cube / schema
    4) If a schema has grant specified with particular role, say "M_DEV" as access="all" and another role "M_CEO" as access="none", then only the users tagged to the role "M_DEV" can see the schema / cube. Rest of the users not only M_CEO, even though an admin cannot see that cube / schema. So the result is same as that of use case 2 as above.


    Quote Originally Posted by mcampbell View Post
    I would try adding a role in your schema which explicitly grants all access, and name it based on one of your mapped roles (e.g. "M_DEV"). Then see whether users in the dev group are able to get access.

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
Privacy Policy | Legal Notices | Safe Harbor Privacy Policy

Copyright © 2005 - 2019 Hitachi Vantara Corporation. All Rights Reserved.