<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<STYLE type=text/css><!-- DIV {margin:0px;} --></STYLE>
<META content="MSHTML 6.00.6000.16414" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><SPAN class=445474309-21032007><FONT face=Verdana
color=#000080 size=2>Pedro,</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=445474309-21032007><FONT face=Verdana
color=#000080 size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=445474309-21032007><FONT face=Verdana
color=#000080 size=2>You should extend SchemaReader. It shouldn't be that
painful for existing code - implementations generally extend
DelegatingSchemaReader or RolapSchemaReader, so they wouldn't have to do any
extra work.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=445474309-21032007><FONT face=Verdana
color=#000080 size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=445474309-21032007><FONT face=Verdana
color=#000080 size=2>Note that if you grant access to a member of a hierarchy,
you implicitly see all of its ancestors. E.g. if you give access to San
Francsisco, you see California and USA. Unless, that is, you set top-level to
City or lower.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=445474309-21032007><FONT face=Verdana
color=#000080 size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=445474309-21032007><FONT face=Verdana
color=#000080 size=2>When you've done the code changes, send me a zip file and
I'll check them in. As part of your code change, please document the rules you
are implementing in schema.html, and add tests in
AccessControlTest.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=445474309-21032007><FONT face=Verdana
color=#000080 size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=445474309-21032007><FONT face=Verdana
color=#000080 size=2>Julian</FONT></SPAN></DIV><BR>
<BLOCKQUOTE
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000080 2px solid; MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> mondrian-bounces@pentaho.org
[mailto:mondrian-bounces@pentaho.org] <B>On Behalf Of </B>Pedro
Casals<BR><B>Sent:</B> Tuesday, March 20, 2007 12:20 PM<BR><B>To:</B> Mondrian
developer mailing list<BR><B>Subject:</B> Re: [Mondrian] XMLA
Security<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">I
agree, it's easier to manage things through SchemaReader. However, there are
some methods missing: I've seen schemaReader.getHierarchyLevels(hierarchy)
(for <FONT face=Verdana color=#000080 size=2>Hierarchy.getLevels()</FONT>) but
not getLevelDepth, getDimensions, etc.</DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"> </DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">How
would you feel if I added these methods to the SchemaReader interface? I kown
changing interfaces is hard for all those that have implemented
functionalities based on the interface, but extending the interface to a new
interface like SecuritySchemaReader would make thing quite confusing, wouldn't
it?</DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"> </DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">Tell
me the way you prefer</DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"> </DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">Pedro<BR><BR></DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">-----
Mensaje original ----<BR>De: Julian Hyde
<julianhyde@speakeasy.net><BR>Para: Mondrian developer mailing list
<mondrian@pentaho.org><BR>Enviado: sábado, 17 de marzo, 2007
1:08:03<BR>Asunto: RE: [Mondrian] XMLA Security<BR><BR>
<DIV dir=ltr align=left><FONT face=Verdana color=#000080
size=2></FONT> </DIV><BR>
<BLOCKQUOTE
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000080 2px solid; MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> mondrian-bounces@pentaho.org
[mailto:mondrian-bounces@pentaho.org] <B>On Behalf Of </B>Pedro
Casals<BR><B>Sent:</B> Friday, March 16, 2007 4:34 AM<BR><B>To:</B>
mondrian@pentaho.org<BR><B>Subject:</B> [Mondrian] XMLA
Security<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">
<DIV>Hello:</DIV>
<DIV> </DIV>
<DIV>I'm working on mondrian XMLA security and I have some doubts: The
scenario is that you have a role that restricts the access to the two
upper levels of an hierarchy (this hierarchy has four levels).</DIV>
<DIV> </DIV>
<DIV>1st. I belive that the XMLA client should not be aware that this
hierarchy has 4 levels. Do yo agree? This is the way JPivot is
working. <SPAN class=890340000-17032007><FONT face=Verdana
color=#000080 size=2> </FONT></SPAN></DIV>
<DIV><SPAN class=890340000-17032007></SPAN> </DIV></DIV></BLOCKQUOTE>
<DIV><SPAN class=890340000-17032007><FONT face=Verdana color=#000080
size=2>Seems reasonable. How can a restricted client tell that there are 4
levels right now? I'm guessing (a) the Hierarchy.getLevels() method and (b)
the Level.getDepth() method. We could add versions of those methods to
SchemaReader, and make jpivot/xmla call them.</FONT></SPAN></DIV>
<BLOCKQUOTE
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000080 2px solid; MARGIN-RIGHT: 0px">
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"><FONT
face=Verdana color=#000080 size=2></FONT> </DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">2nd.
Provided you agree with the previous point, what do you think would be the
best strategy?: On one hand, upon cube defition load we could arrange
the cube definition to match the role restriction. On the other hand, we
could go on all XMLA request and filter it.</DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">Doing
it with the first strategy, it looks like its easier to manage. However, I
see pooled cubes and I do not know if these pooled cubes are shared among
several XMLA clients. Should this be the case, we should have to go through
the second way.</DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">Doing
it the second strategy, we have to deal with all different XMLA requests,
which should take more work, but looks safe, since no one could workaround
security writing direct MDX.<SPAN class=890340000-17032007><FONT
face=Verdana color=#000080 size=2> </FONT></SPAN></DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"><SPAN
class=890340000-17032007></SPAN> </DIV></BLOCKQUOTE>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"><SPAN
class=890340000-17032007><FONT face=Verdana color=#000080 size=2>It's laudable
to create an entire metadata API which includes access-control. But it's a lot
of work. We took the simpler route, which is the SchemaReader
interface.</FONT></SPAN></DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"><SPAN
class=890340000-17032007><FONT face=Verdana color=#000080
size=2></FONT></SPAN> </DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"><SPAN
class=890340000-17032007><FONT face=Verdana color=#000080 size=2>So, the
client (XMLA or JPivot) is an 'insider'. It is allowed full access to the
catalog, but for things it is displaying to the user, it uses the SchemaReader
facade.</FONT></SPAN></DIV>
<BLOCKQUOTE
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000080 2px solid; MARGIN-RIGHT: 0px">
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"><SPAN
class=890340000-17032007></SPAN> </DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"><FONT
face=Verdana color=#000080 size=2></FONT> </DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">3rd.
Is there a way to restrict a measure to a role?<SPAN
class=890340000-17032007><FONT face=Verdana color=#000080
size=2> </FONT></SPAN></DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"><SPAN
class=890340000-17032007></SPAN> </DIV></BLOCKQUOTE>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"><SPAN
class=890340000-17032007><FONT face=Verdana color=#000080 size=2>You can
restrict access to any given set of members in a hierarchy. That includes the
Measures hierarchy.</FONT></SPAN></DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"><SPAN
class=890340000-17032007><FONT face=Verdana color=#000080
size=2></FONT></SPAN> </DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"><SPAN
class=890340000-17032007><FONT face=Verdana color=#000080 size=2>Take a look
at the AccessControlTest. That is the spec. Anything you need but which isn't
tested, please add and contribute. If anything doesn't work, contribute the
test and log a bug.</FONT></SPAN></DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"><SPAN
class=890340000-17032007><FONT face=Verdana color=#000080
size=2></FONT></SPAN> </DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"><SPAN
class=890340000-17032007><FONT face=Verdana color=#000080
size=2>Julian</FONT></SPAN></DIV>
<DIV>_______________________________________________<BR>Mondrian mailing
list<BR>Mondrian@pentaho.org<BR><A
href="http://lists.pentaho.org/mailman/listinfo/mondrian"
target=_blank>http://lists.pentaho.org/mailman/listinfo/mondrian</A></DIV></DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"><BR></DIV></DIV><BR>
<HR SIZE=1>
<BR><FONT face=Verdana size=-2>LLama Gratis a cualquier PC del
Mundo.<BR>Llamadas a fijos y móviles desde 1 céntimo por minuto.<BR><A
href="http://us.rd.yahoo.com/mail/es/tagline/messenger/*http://es.voice.yahoo.com/">http://es.voice.yahoo.com</A></FONT></BLOCKQUOTE></BODY></HTML>