Hitachi Vantara Pentaho Community Forums
Results 1 to 3 of 3

Thread: Dynamic role for Mondrian connection

  1. #1
    Join Date
    Feb 2008
    Posts
    23

    Default Dynamic role for Mondrian connection

    Hi,
    i'm tying to implement dynamic role rof mondrian, extending DelegatingRole and setting correponding instance to connection. My code is as follows:
    Code:
    package mondrian.olap;
    
    import java.util.Arrays;
    
    import mondrian.olap.RoleImpl.DelegatingHierarchyAccess;
    
    import org.pentaho.platform.engine.core.system.PentahoSessionHolder;
    import org.pentaho.platform.engine.core.system.PentahoSystem;
    import org.pentaho.platform.engine.security.SecurityHelper;
    import org.pentaho.platform.util.logging.Logger;
    import org.springframework.security.Authentication;
    import org.springframework.security.GrantedAuthority;
    
    public class ConnectionRole extends DelegatingRole {
    	  public ConnectionRole(Role role) {
              super(role);
              Logger.error(PentahoSystem.class, "Created Dynamic Mondrian Role : "+Arrays.toString(getPlatformRolesFromSession()));
      }
     
      public static class HierarchyAccessExample extends DelegatingHierarchyAccess{
            public HierarchyAccessExample(HierarchyAccess hierarchyAccess) {
                      super(hierarchyAccess);
                      Logger.error(PentahoSystem.class, "HierarchyAccessExample constructor");
            }
      }
     
      
      public Access getAccess(Schema schema) {
              Logger.error(PentahoSystem.class, "schemas override");
              return role.getAccess(schema);
      }
     
      public Access getAccess(Cube cube) {
              Logger.error(PentahoSystem.class, "cubes override");
              return role.getAccess(cube);
      }
      public Access getAccess(Dimension dimension) {
              Logger.error(PentahoSystem.class, "dimensions override");
              return role.getAccess(dimension);
      }
      public Access getAccess(Hierarchy hierarchy) {
              Logger.error(PentahoSystem.class, "hierarchies override");
              return role.getAccess(hierarchy);
      }
      
      public HierarchyAccess getAccessDetails(Hierarchy hierarchy) {
              Logger.error(PentahoSystem.class, "hierarchy access override");
              return new HierarchyAccessExample(role.getAccessDetails(hierarchy));
      }
      public Access getAccess(Member member) {
              Logger.error(PentahoSystem.class, "members override: "+member.getLevel().getUniqueName());
              Access access = role.getAccess(member);
              return getAccess(member, access);
      }
     
      // no one see's information that is in a department they do not have access too
      protected Access getAccess(Member member, Access access) {
        //final String storeNamelevel = "[Store].[Store Country].[Store State].[Store City].[Store Name]";
            final String departmentLevel = "[Department]";
            Logger.error(PentahoSystem.class, "members override: "+member.getLevel().getUniqueName());
           
        if (member.getLevel().getUniqueName().equals(departmentLevel)) {
          Object o = member.getPropertyValue("ldap_role");
          Boolean isAdmin = Arrays.binarySearch(getPlatformRolesFromSession(), "Admin") > 0 ? true : false;
          Boolean hasRole = Arrays.binarySearch(getPlatformRolesFromSession(), o) > 0;
          return (o != null && (hasRole || isAdmin)) ? access : Access.NONE;
        } else {
          return access;
        }
      }
     
      protected String[] getPlatformRolesFromSession() {
                // Get the Spring Security authentication object
                Authentication auth = SecurityHelper.getAuthentication(PentahoSessionHolder.getSession(), false);
                String[] rtn = null;
                // Get the authorities
                GrantedAuthority[] gAuths = auth.getAuthorities();
                if ((gAuths != null) && (gAuths.length > 0) ) {
                  // Copy role names out of the Authentication
                  rtn = new String[gAuths.length];
                  for (int i=0; i<gAuths.length; i++) {
                    rtn[i] = gAuths[i].getAuthority();
                  }
                  // Sort the returned list of roles
                  Arrays.sort(rtn);
                }
                return rtn;
              }
    }
    and in MDXConnection i have
    Code:
    ...
         if (nativeConnection == null) {
            logger.error(Messages.getErrorString(
                "MDXConnection.ERROR_0002_INVALID_CONNECTION", properties != null ? properties.toString() : "null")); //$NON-NLS-1$ //$NON-NLS-2$
          }
        } catch (Throwable t) {
          if (logger != null) {
            logger.error(Messages.getErrorString(
                "MDXConnection.ERROR_0002_INVALID_CONNECTION", properties != null ? properties.toString() : "null"), t); //$NON-NLS-1$ //$NON-NLS-2$
          } else {
            Logger.error(this.getClass().getName(), Messages.getErrorString(
                "MDXConnection.ERROR_0002_INVALID_CONNECTION", properties != null ? properties.toString() : "null"), t); //$NON-NLS-1$ //$NON-NLS-2$
          }
        }
        ConnectionRole crxRole = new ConnectionRole(nativeConnection.getRole());
        nativeConnection.setRole(crxRole);
    I tried to create new Analysis View and in debugger i found, that role method, controlling member access (getAccess(Member member, Access access)), is never called (but method controlling hierarchy access was called, so, role was set correctly).
    Why does this happen? As i understood, in such case member access controller has to be called for every member, in other case such construction is useless... could anybody please advice? I use 3.6.0 pentaho and 3.2.0 mondrian.

  2. #2

    Default

    Hi,

    can i get a sample implementation ?
    Regards,
    Atul Darne.

  3. #3
    Join Date
    Apr 2016
    Posts
    1

    Default

    For my case the problem was the initial role without any MemberGrant configuration.
    From Pentaho documentation:
    https://help.pentaho.com/Documentati.../Multi-Tenancy

    There are a couple of important considerations.

    • A member grant must exist. If there is no member grant on a hierarchy, Mondrian will not check to see if the user has access.
    • The member has to exist in the data. For example, the member could not be [Location].[State].[NoWhere] unless 'NoWhere' is a legitimate member. It is an option to have fake members in the dimension table with no facts and use that as the default.
    • If a dimension needs to be restricted, you must restrict it separately. Restricting a hierarchy does not restrict other hierarchies, so if there is not a measure or restricted member, Analyzer will show you all members of the dimension.




    Giorgio
    Last edited by gascani; 06-21-2016 at 09:42 AM.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
Privacy Policy | Legal Notices | Safe Harbor Privacy Policy

Copyright © 2005 - 2019 Hitachi Vantara Corporation. All Rights Reserved.