[Mondrian] RDBMS authorization
Matt Campbell
mkambol at gmail.com
Tue Jun 24 07:41:11 CDT 2008

That's right--it's the datasource definition I'm talking about. We have
lots of Catalogs specified in datasource.xml that vary only by the
username/password contained in the DataSourceInfo tag. I'm wondering if
there's a simpler way that we could bridge the gap between authorization
defined in Mondrian and authorization defined in the database.

With AS2K there was sort of a way to do this. If you used Integrated
Authentication for your datasource the logged-in user credentials would be
used for any ROLAP or drillthrough queries to the database. Integrated Auth
isn't really an option here, but it still might be useful to have some other
way to map Roles to database connection information.

On Mon, Jun 23, 2008 at 6:07 PM, Julian Hyde <jhyde at pentaho.com> wrote:
> I don't understand. Mondrian catalogs don't contain username & password -
> by design. A mondrian connect string brings together the URI of a catalog
> (i.e. metadata) with JDBC information (i.e. the location of the data).
>
> Are you perhaps referring to data sources defined in datasources.xml?
>
> Julian
>
> ------------------------------
> *From:* mondrian-bounces at pentaho.org [mailto:mondrian-bounces at pentaho.org]
> *On Behalf Of *Matt Campbell
> *Sent:* Monday, June 23, 2008 12:55 PM
> *To:* Mondrian developer mailing list
> *Subject:* [Mondrian] RDBMS authorization
>
>
> In our application we rely heavily on RDBMS authorization rules to govern
> row/column security. A single database may have many different roles, and a
> particular db user will be mapped to one of these roles. Because of this,
> we deploy several Mondrian catalogs per database instance, one for each
> role, with a different jdbc connection string for each.
>
> This feels sub-optimal to me, because the actual Mondrian schema is
> identical in all of these cases. We may have 20 different catalogs whose
> only difference is the username/password in the jdbc connection. I've been
> wondering lately if we could somehow associate the database connection with
> a particular Mondrian role, allowing us to collapse all of these catalogs
> down to a single one. Both the member and cell cache would need to be
> specific to each role.
>
> Any thoughts on whether this would be a reasonable enhancement?
>
>
> _______________________________________________
> Mondrian mailing list
> Mondrian at pentaho.org
> http://lists.pentaho.org/mailman/listinfo/mondrian
>
>