Hitachi Vantara Pentaho Community Forums

Thread: Authentication problem?

  1. #1

    Authentication problem?

    Hi all,

    I have configured the acegi security to read usernames, passwords and authorities from our normal office authentication database. Which works fine for the normal solution repository, but it's giving me trouble when used with the Adhoc reporter.
    Whenever a user with authority "Power User" (self-defined) is logged in and wants to access the WAQR, he is greeted with some fancy exception message culminating in "xml has no properties" and the following exception appears in the server.log:

    2007-12-21 17:37:20,477 ERROR [STDERR] 2007/12/21 17:37:20:475 GMT [ERROR] [AdhocWebService] - Servlet.service() for servlet AdhocWebService threw exception <java.lang.NullPointerException>java.lang.NullPointerException
    at org.pentaho.ui.servlet.AdhocWebService.createSolutionRepositoryTree(AdhocWebService.java:1339)
    at org.pentaho.ui.servlet.AdhocWebService.getSolutionRepositoryTree(AdhocWebService.java:1358)
    at org.pentaho.ui.servlet.AdhocWebService.getSolutionRepositoryFolderContents(AdhocWebService.java:1254)
    at org.pentaho.ui.servlet.AdhocWebService.dispatch(AdhocWebService.java:257)
    at org.pentaho.ui.servlet.AdhocWebService.doGet(AdhocWebService.java:209)
    at org.pentaho.ui.servlet.AdhocWebService.doPost(AdhocWebService.java:272)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:264)
    at org.acegisecurity.intercept.web.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:107)
    at org.acegisecurity.intercept.web.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:72)
    at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274)
    at org.acegisecurity.ui.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:110)
    at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274)
    at org.acegisecurity.ui.switchuser.SwitchUserProcessingFilter.doFilter(SwitchUserProcessingFilter.java:335)
    at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274)
    at com.pentaho.security.SecurityStartupFilter.doFilter(SecurityStartupFilter.java:76)
    at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274)
    at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125)
    at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274)
    at org.acegisecurity.ui.rememberme.RememberMeProcessingFilter.doFilter(RememberMeProcessingFilter.java:142)
    at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274)
    at com.pentaho.security.RequestParameterAuthenticationFilter.doFilter(RequestParameterAuthenticationFilter.java:164)
    at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274)
    at org.acegisecurity.ui.basicauth.BasicProcessingFilter.doFilter(BasicProcessingFilter.java:178)
    at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274)
    at org.acegisecurity.ui.AbstractProcessingFilter.doFilter(AbstractProcessingFilter.java:217)
    at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274)
    at org.acegisecurity.ui.logout.LogoutFilter.doFilter(LogoutFilter.java:108)
    at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274)
    at com.pentaho.security.HttpSessionReuseDetectionFilter.doFilter(HttpSessionReuseDetectionFilter.java:130)
    at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274)
    at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:193)
    at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274)
    at org.acegisecurity.wrapper.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:81)
    at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:274)
    at org.acegisecurity.util.FilterChainProxy.doFilter(FilterChainProxy.java:148)
    at org.acegisecurity.util.FilterToBeanProxy.doFilter(FilterToBeanProxy.java:98)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.pentaho.core.system.SystemStatusFilter.doFilter(SystemStatusFilter.java:53)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.pentaho.ui.servlet.SetCharacterEncodingFilter.doFilter(SetCharacterEncodingFilter.java:112)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
    at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:179)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:433)
    at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:128)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:104)
    at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:241)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:580)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
    at java.lang.Thread.run(Thread.java:595)

    My user authentication is set up such that for each user exactly one authority is returned. So far I have been unable to figure out how to inject "Power User" into the values of authorities accepted for WAQR. Where do I need to go with this?

    regards
    Wolfgang
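Added example, not part of the original post: a short Python sketch that reads a trace like the one above and reports which security filters the request passed through and whether the exception was thrown before or after the URL-level `FilterSecurityInterceptor`. The helper names (`parse_frames`, `security_filters`, `failure_layer`) are hypothetical, and the embedded trace is a shortened excerpt of the frames posted above.

```python
import re

# Shortened excerpt of the posted trace (innermost frame first).
TRACE = """\
java.lang.NullPointerException
at org.pentaho.ui.servlet.AdhocWebService.createSolutionRepositoryTree(AdhocWebService.java:1339)
at org.pentaho.ui.servlet.AdhocWebService.doPost(AdhocWebService.java:272)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
at org.acegisecurity.util.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:264)
at org.acegisecurity.intercept.web.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:107)
at org.acegisecurity.intercept.web.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:72)
at org.acegisecurity.ui.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:110)
at org.acegisecurity.providers.anonymous.AnonymousProcessingFilter.doFilter(AnonymousProcessingFilter.java:125)
at org.acegisecurity.ui.basicauth.BasicProcessingFilter.doFilter(BasicProcessingFilter.java:178)
at org.acegisecurity.context.HttpSessionContextIntegrationFilter.doFilter(HttpSessionContextIntegrationFilter.java:193)
at org.acegisecurity.util.FilterChainProxy.doFilter(FilterChainProxy.java:148)
"""

# "at <fully.qualified.Class>.<method>(" ; inner classes contain '$'
FRAME = re.compile(r"^\s*at\s+([\w.$]+)\.(\w+)\(")

def parse_frames(trace):
    """Return (class, method) pairs, innermost frame first."""
    return [m.groups() for m in map(FRAME.match, trace.splitlines()) if m]

def security_filters(frames):
    """Security filters in the order the request passed through them."""
    seen = []
    for cls, method in reversed(frames):  # outermost frame first = request order
        name = cls.rsplit(".", 1)[-1]
        is_filter = method == "doFilter" and "security" in cls.lower()
        # FilterChainProxy frames are the dispatcher, not a filter of their own
        if is_filter and "FilterChainProxy" not in name and name not in seen:
            seen.append(name)
    return seen

def failure_layer(frames):
    """Say where the exception was thrown relative to the URL authorization check."""
    thrower = frames[0][0]
    if thrower.startswith("org.acegisecurity."):
        return "security-filter"
    passed = any(c.endswith("FilterSecurityInterceptor") for c, _ in frames[1:])
    return "application-after-authz" if passed else "application-before-authz"

if __name__ == "__main__":
    frames = parse_frames(TRACE)
    print(" -> ".join(security_filters(frames)))
    print(failure_layer(frames))
```

For this trace the result is `application-after-authz`: the request cleared the Acegi filter chain, and the `NullPointerException` came from `AdhocWebService` itself rather than from a login or URL rule.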

  2. #2
    Join Date
    Oct 2006
    Posts
    817

    Did you execute steps 5 and 6 from the Security Configuration Checklist? This is necessary since you're using a custom role (i.e. Power User).

  3. #3

    Thanks, is now working

    Good advice. I had executed all steps except for the restoration of the repository.
    I would remark, though, that this is not an ideal solution as it is implemented. If I wanted to add another role sometime down the line, I would lose all my special access rules. Depending on the solution(s) in use, this could be a major headache! It would be much better if there was another way to load an additional role into the authorization system.

    best regards
    Wolfgang Schulze-Zachau

  4. #4
    Join Date
    Oct 2006
    Posts
    817

    Your remarks are appreciated. However, let me add the following.

    If I wanted to add another role sometime down the line, I would lose all my special access rules.
    While "special access rules" are lost when you perform a "restoration of the repository" aka "re-applying the default ACL," a re-application is not necessarily required when adding a new role.

    A re-application is used only when you want to modify ACLs in large batches. For example, if you want to add a ROLE_FINANCE later, you can simply add that role to your authentication database. It would then show up in the Permissions interface for you to assign "special access rules."

  5. #5

    Fair call. Works fine for everything except for the adhoc reporting. And that was the original reason behind this thread.
    It appears that the only way to include new "custom" roles into the authorization model of the WAQR is by restoring the repository, unless I have misunderstood this (in which case somebody please explain it to me).
    I don't see this as a big problem, but I think it should be documented, so that users in general are made aware of the limitation BEFORE they define their own custom roles.
    Let's just face it: anybody wanting to use the Pentaho BI platform in a commercial environment will want to re-use the existing authentication/authorization solutions as much as possible. We are only 65 people here at my company and already the user administration is becoming a nightmare. And Acegi Security is splendid on that. Took me a day to figure out how it all works (I really think the Pentaho documentation could be a lot better on this), but now I got it going.
    Except the adhoc reporter simply didn't want to know. That's where my grump is.

  6. #6
    Join Date
    Oct 2006
    Posts
    817

    Thanks again for the feedback. It is appreciated. I'd like to capture exactly where you ran into problems. Can you elaborate on the following statements?

    the only way to include new "custom" roles into the authorization model of the WAQR is by restoring the repository
    As mentioned below, permissions in WAQR are defined using Pentaho Metadata Editor (PME). PME does a one-time fetch of usernames and roles for the user to use when defining permissions. If the username and role sets are altered, then a refresh will be necessary from within PME if you wish to use the new usernames and roles--but a complete re-application of default ACLs from the BI Server is not necessary.

    the user administration is becoming a nightmare
    No part of Pentaho does "user administration." There are UIs in the Pentaho suite which do access control list (ACL) administration. Is this what you mean? (Examples of ACL administration are the Permissions interface available from the Admin menu in the BI Server and additionally the Security property available from within the Pentaho Metadata Editor.)

    the Pentaho documentation could be a lot better
    Can you provide a link or title to the document(s) to which you are referring? In what ways can they be improved?

  7. #7

    Right, let's go through your questions one by one (although they are all interlinked, so there will be some overlap):

    permissions in WAQR are defined using Pentaho Metadata Editor (PME).
    There is no user guide or any other part of the documentation for the MetaEditor that explains this. The two PDF files that are shipped with it are totally out of date and only explain some of the basic concepts, but neither mentions anything about the security model and the permissions. In consequence our first couple of business models were set up completely without permissions, because we simply didn't know any better.
    Now, if somebody logs into the BI suite and then selects Go -> New Report, the WAQR loads, but if that person doesn't have ADMIN rights, all he ever gets is a "xml has no properties" error message. This all changes when the repository is restored. After that, anybody with a successful authentication can see all the business models.
    We haven't started applying individual roles to individual models, so I can't say yet how this works with roles applied. But these two behaviours are surprising. And I am sure that most normal users don't understand what "xml has no properties" means.
    the user administration is becoming a nightmare
    This wasn't aimed at Pentaho at all. We are an e-commerce company with quite a good number of legacy systems in place. At the moment we have at least 6 different user databases in use for various purposes and the IT team (my team) has to keep them up to date. As the business owner doesn't see much business value in unifying all of them into one, not much effort can be spent on doing so.
    All I wanted to express here, is that I took this opportunity (of being able to configure acegi-security) to avoid introducing another user database.
    Can you provide a link or title to the document(s) to which you are referring? In what ways can they be improved?
    Right, where do I start?
    MetaEditor: There is no user guide (or at least I haven't been able to find one). So if it wasn't for the fact that we actually hired an experienced BI developer (who seemed to know what he needed to do to get a business model going) I would have some bad scratch marks on my head by now.
    BTW, the spoon user guide is a good example of what a user guide should look like.
    There is very little direct information available WRT customization of the site. We were requested to make the BI site look like the rest of our intranet. Took a while to figure out where all the relevant templates etc. are, but we got there in the end. And, AFAICS there is no documentation on how to customize the templates in WAQR (and if there is, please point me there).
    Initially I wanted to deploy the platform manually. But I simply couldn't get it to work. I guess, there are just too many possible variations to put together a comprehensive user guide for that, but I can definitely say that the wiki pages, although they are a help, they are incomplete. Or maybe it's just me, being a newbie to pentaho and jboss.

    Don't get me wrong, I think the pentaho suite rocks. But it sure is a steep learning curve.
    And I do have a good number of open threads where I cannot get any answers from the community. As of 2 days ago, we have a support contract in place, so I'll try my luck with that.

  8. #8
    Join Date
    Nov 2006
    Posts
    135

    Regarding Adhoc template documentation

    AFAICS there is no documentation on how to customize the templates in WAQR (and if there is, please point me there).
    This wiki page:
    http://wiki.pentaho.org/display/Pent...ting+Templates

    has information on creating new templates, and customizing existing templates. The information is a bit sparse, and will get more elaboration in the future. But it should be sufficient for much of what you want to accomplish. If something is unclear, post back and I'll do my best to provide more detailed information.
