Hitachi Vantara Pentaho Community Forums

Thread: Problems with non admin users

  1. #1

    Problems with non admin users

    Hi all,

    I’ve installed Pentaho CE version 3.5.2 and followed the steps described in the following documents to achieve LDAP authentication:


    After applying the changes and logging in to Pentaho User Console (PUC) with a user with the “admin” role, everything works fine. Then I granted access (All permissions) to the “BI Developer Examples” folder to a role obtained from LDAP.

    On logging in to PUC with a user with the referred role (but without the Admin role), the user authenticated OK, but the “Browse” frame is still frozen at “Loading…”.

    On analyzing the logs (with increased verbosity like http://wiki.pentaho.com/display/Serv...e+LDAP+Logging and http://wiki.pentaho.com/display/Serv...curity+Logging) I found that the roles are loaded from LDAP. I attached some messages from the log that I think can tell something (the entire log is very large):

    ...
    09:26:55,825 DEBUG [SecurityHelper] principal from IPentahoSession: org.springframework.security.providers.UsernamePasswordAuthenticationToken@12362689: Principal: org.springframework.security.userdetails.ldap.LdapUserDetailsImpl@13c2797: Username: [PROTECTED]; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE__GU-COPLAN, ROLE__GS-EMAIL, ROLE_Authenticated, ROLE__GS-BC, ROLE__GS-LABG, ROLE__GS-REDEADM, ROLE__GS-AVA, ROLE__G-TECNICOS-ADM, ROLE__GS-CI; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.ui.WebAuthenticationDetails@fffdaa08: RemoteIpAddress: 2002:c887:1a24:0:0:0:c887:1a24; SessionId: 21896A6D47DC3FE0E3958572C5A1D988; Granted Authorities: ROLE__GU-COPLAN, ROLE__GS-EMAIL, ROLE_Authenticated, ROLE__GS-BC, ROLE__GS-LABG, ROLE__GS-REDEADM, ROLE__GS-AVA, ROLE__G-TECNICOS-ADM, ROLE__GS-CI

    09:26:55,825 DEBUG [SecurityHelper] principal class: org.springframework.security.providers.UsernamePasswordAuthenticationToken

    09:26:55,825 DEBUG [SecurityHelper] principal is an instance of Authentication

    09:26:55,825 DEBUG [GrantedAuthorityEffectiveAclsResolver] Locating AclEntry[]s (from set of 4) that apply to Authentication: org.springframework.security.providers.UsernamePasswordAuthenticationToken@12362689: Principal: org.springframework.security.userdetails.ldap.LdapUserDetailsImpl@13c2797: Username: [PROTECTED]; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE__GU-COPLAN, ROLE__GS-EMAIL, ROLE_Authenticated, ROLE__GS-BC, ROLE__GS-LABG, ROLE__GS-REDEADM, ROLE__GS-AVA, ROLE__G-TECNICOS-ADM, ROLE__GS-CI; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.ui.WebAuthenticationDetails@fffdaa08: RemoteIpAddress: 2002:c887:1a24:0:0:0:c887:1a24; SessionId: 21896A6D47DC3FE0E3958572C5A1D988; Granted Authorities: ROLE__GU-COPLAN, ROLE__GS-EMAIL, ROLE_Authenticated, ROLE__GS-BC, ROLE__GS-LABG, ROLE__GS-REDEADM, ROLE__GS-AVA, ROLE__G-TECNICOS-ADM, ROLE__GS-CI

    09:26:55,825 DEBUG [GrantedAuthorityEffectiveAclsResolver] Returning null AclEntry array as zero effective AclEntrys found

    09:26:55,828 DEBUG [HttpSessionContextIntegrationFilter] SecurityContextHolder now cleared, as request processing completed

    09:26:55,831 ERROR [[SolutionRepositoryService]] Servlet.service() for servlet SolutionRepositoryService threw exception
    java.lang.NullPointerException
    at org.pentaho.platform.repository.solution.SolutionRepositoryServiceImpl.getSolutionRepositoryDoc(SolutionRepositoryServiceImpl.java:477)
    at org.pentaho.platform.web.servlet.SolutionRepositoryService.dispatch(SolutionRepositoryService.java:152)
    ...



    ps1 - I’m using a role_prefix=”ROLE_”
    ps2 - in my previous installation (version 1.7) I had it all working.


    Thanks in advance for any help,

    Mauro

  2. #2

    Originally posted by mschramm:

        On logging in to PUC with a user with the referred role (but without the Admin role), the user authenticated OK, but the “Browse” frame is still frozen at “Loading…”.

    I'm getting the same thing with JDBC security also.
    That problem is solved if we assign the Authenticated role to each user in addition to your roles. I think it's the default role which Pentaho wants for authentication.
    You can try this if you don't have a problem with assigning that one more role.

  3. #3


    Arun,

    Thanks for your reply.

    I think I’ve already done your tip.

    See a piece of my applicationContext-spring-security-ldap.xml:

    Code:
    <bean id="populator1" class="org.springframework.security.ldap.populator.DefaultLdapAuthoritiesPopulator">
        <constructor-arg index="0">
            <ref local="contextSource"/>
        </constructor-arg>
        <constructor-arg index="1" value="${populator1.constructor-arg1}"/>
        <property name="groupRoleAttribute" value="${populator1.groupRoleAttribute}"/>
        <property name="groupSearchFilter" value="${populator1.groupSearchFilter}"/>
        <property name="rolePrefix" value="${populator1.rolePrefix}"/>
        <property name="defaultRole" value="${populator1.defaultRole}"/>
    </bean>

    See also the properties in applicationContext-security-ldap.properties:

    Code:
    populator1.constructor-arg1=**ommited**
    populator1.groupRoleAttribute=cn
    populator1.groupSearchFilter=member={0}
    populator1.rolePrefix=ROLE_
    populator1.defaultRole=ROLE_Authenticated

    If you look at the logging in my previous post, you will see that the user gets the role ROLE_Authenticated at logon time.

    Have I forgotten something?

    Regards,

    Mauro

  4. #4

    It works!

    Hi all,

    I found a solution (at least for me).

    Before seeing it, take a look at my “default-acls” configuration (in pentaho.xml):
    Code:
    <default-acls>
        <acl-entry role="ROLE__GU-PENTAHO-ADMIN" acl="FULL_CONTROL" />  <!-- this is our admin role -->
        <acl-entry role="ROLE__GU-SDS" acl="EXECUTE_SUBSCRIBE" />     <!-- this is our developer role -->
     </default-acls>
    Only administrators and developers have access to folders and solutions by default.

    The solution is to grant access to all other (authenticated) users to the repository’s root. I've done this by creating an override:
    Code:
    <overrides>
        <file path="/pentaho-solutions">
            <acl-entry role="ROLE_Authenticated" acl="EXECUTE" />
        </file>
    </overrides>

    This makes sense. The only problem is the different behavior from version 1.7 (that version doesn't need this override).

    Regards,

    Mauro
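
Added example, not part of the original posts or of Pentaho's code: a simplified Python model of the matching step that the `GrantedAuthorityEffectiveAclsResolver` log lines in this thread describe, run against the first post's granted authorities (shortened) and the `pentaho.xml` fragments from post #4. It assumes role names are compared exactly and that the override's entries add to the defaults at the repository root; the function names are hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# Constructed from the thread: the first post's DEBUG line (shortened) and
# the pentaho.xml fragments from post #4.
LOG_LINE = ("09:26:55,825 DEBUG [SecurityHelper] principal from IPentahoSession: "
            "...; AccountNonLocked: true; Granted Authorities: ROLE__GU-COPLAN, "
            "ROLE__GS-EMAIL, ROLE_Authenticated, ROLE__GS-BC; Password: [PROTECTED]; "
            "Authenticated: true")

DEFAULT_ACLS = """<default-acls>
  <acl-entry role="ROLE__GU-PENTAHO-ADMIN" acl="FULL_CONTROL" />
  <acl-entry role="ROLE__GU-SDS" acl="EXECUTE_SUBSCRIBE" />
</default-acls>"""

OVERRIDES = """<overrides>
  <file path="/pentaho-solutions">
    <acl-entry role="ROLE_Authenticated" acl="EXECUTE" />
  </file>
</overrides>"""


def granted_authorities(log_line):
    """Return the first 'Granted Authorities:' list in a Spring Security debug line."""
    m = re.search(r"Granted Authorities: ([^;]*)", log_line)
    if not m:
        return set()
    return {a.strip() for a in m.group(1).split(",") if a.strip()}


def acl_entries(xml_text, path=None):
    """Return (role, acl) pairs; with `path`, only entries under that <file>."""
    root = ET.fromstring(xml_text)
    xpath = ".//acl-entry" if path is None else f".//file[@path='{path}']/acl-entry"
    return [(e.get("role"), e.get("acl")) for e in root.findall(xpath)]


def effective_entries(entries, authorities):
    """Keep entries whose role is one of the principal's authorities.
    Assumption: role names are compared exactly, prefix included."""
    return [(r, a) for r, a in entries if r in authorities]
```

Because `populator1.defaultRole` gives `ROLE_Authenticated` to every LDAP user, the override grants EXECUTE on the repository root to anyone who can log in, so it is worth reviewing which folders take their permissions from the root after applying it.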

  5. #5

    Loading...

    Hello

    I am facing a similar issue for 3.6.0 CE

    I have configured JDBC security from the wiki page. I am able to log in correctly.

    When I log in using the Admin role I am able to view the reports without any problem.
    However, when I log in with a different role ... no folders are displayed and the tree is stuck at
    Loading...

    I have configured my ACL as (here system is my Admin role)
    Code:
    <default-acls>
        <acl-entry role="system" acl="FULL_CONTROL" />
        <acl-entry role="customeradmin" acl="EXECUTE" />
        <acl-entry role="locationadmin" acl="EXECUTE" />
        <acl-entry role="Authenticated" acl="EXECUTE" />
    </default-acls>

    I also tried overriding with FULL_CONTROL permission for my roles at the root folder as suggested in this thread
    Code:
    <overrides>
        <file path="/pentaho-solutions">
            <acl-entry role="customeradmin" acl="FULL_CONTROL" />
            <acl-entry role="locationadmin" acl="FULL_CONTROL" />
        </file>
    </overrides>

    But after logging in as a non-Admin user, in the logs I get the following
    Code:
    04:49:48,001 DEBUG [GrantedAuthorityEffectiveAclsResolver] Locating AclEntry[]s (from set of 1) that apply to Authentication: org.springframework.security.providers.UsernamePasswordAuthenticationToken@13da8b6b: Principal: org.springframework.security.userdetails.User@fe877a00: Username: akotian_gc_cus; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: customeradmin; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.ui.WebAuthenticationDetails@fffbcba8: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: E96B617EC16222715911A58D38907E5C; Granted Authorities: customeradmin
    log4j:ERROR Attempted to append to closed appender named [PENTAHOFILE].
    log4j:ERROR Attempted to append to closed appender named [PENTAHOFILE].
    04:49:48,003 DEBUG [GrantedAuthorityEffectiveAclsResolver] Returning null AclEntry array as zero effective AclEntrys found
    log4j:ERROR Attempted to append to closed appender named [PENTAHOFILE].
    log4j:ERROR Attempted to append to closed appender named [PENTAHOFILE].
    04:49:48,008 DEBUG [HttpSessionContextIntegrationFilter] SecurityContextHolder now cleared, as request processing completed
    log4j:ERROR Attempted to append to closed appender named [PENTAHOFILE].
    04:49:48,009 ERROR [[SolutionRepositoryService]] Servlet.service() for servlet SolutionRepositoryService threw exception
    java.lang.NullPointerException

    I reapplied the ACLs in the hibernate database from
    http://wiki.pentaho.com/display/Serv...ng+Default+ACL

    Now the table PRO_ACLS_LIST contains the new entries
    But table GRANTED_AUTHORITIES still contains old values..
    Are we supposed to drop this table also?

    Is the above error occurring because my user with role i.e. customeradmin does not have Authenticated as a role?

    If so how can I assign the role Authenticated to my user with role customeradmin?
    (When I log in to PAC I am not able to view the roles to assign role Authenticated
    to any user as seen in thread
    http://forums.pentaho.com/showthread...ed+Authorities)

    I tried assigning permissions to specific reports using share option from PUC.. but still when I log in with that user or role .. the tree is stuck at Loading..

    Can somebody please help.. I am stuck with this for some time now

    Thanks
    Ashley

  6. #6

    A temporary solution for me is to remove the role Authenticated
    for the different URLs in ApplicationContext-spring-security.xml
    and reapply the ACLs.

    But I am not sure if this would result in some other security issues..

    Regards
    Ashley
