<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<STYLE type=text/css><!-- DIV {margin:0px;} --></STYLE>
<META content="MSHTML 6.00.6000.16414" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><SPAN class=257062418-20042007><FONT color=#000080><FONT
face=Verdana size=2>I wrote a unit test and checked in your changes as change
9138:</FONT>
<P><A href="http://p4web.eigenbase.org/@md=d&c=6PU@//9138?ac=10"><U><FONT
color=#0000ff><FONT face=Verdana
size=2>http://p4web.eigenbase.org/@md=d&c=6PU@//9138?ac=10</FONT></U></FONT></A></P>
<P><FONT><FONT face=Verdana><FONT size=2><SPAN class=257062418-20042007>See
XmlaBasicTest.testMDLevelsAccessControlled. This only checks the behavior of
MDSCHEMA_LEVELS. Similar tests are needed for other XMLA metadata queries.
Please add more tests similar to that to match the behavior you
need.</SPAN></FONT></FONT></FONT></P>
<P><FONT><FONT face=Verdana><FONT size=2><SPAN
class=257062418-20042007>Julian</SPAN></FONT></FONT></FONT></P>
<P><FONT><FONT face=Verdana><FONT size=2><SPAN
class=257062418-20042007></SPAN></FONT></FONT></FONT> </P></FONT></SPAN></DIV><BR>
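<P>Added example, not part of the thread or of Mondrian's code: a toy Python model of the lookup problem in the quoted messages below, where a member name is resolved one part at a time through a parent the role cannot see. It contrasts that with resolving in a non-access-controlled reader and then applying the role to the result; the members 0101, 0102, 02 and 0201, the "custom" hierarchy grant and all function names are assumptions.</P>
<PRE>
```python
# Toy model, not Mondrian's API. Member names are tuples of name parts.
H, ALL = "Estructura Comercial", "Toda la Estructura"
# Constructed sample hierarchy; members below "01" and "02" are invented.
MEMBERS = [(H,), (H, ALL), (H, ALL, "01"), (H, ALL, "01", "0101"),
           (H, ALL, "01", "0102"), (H, ALL, "02"), (H, ALL, "02", "0201")]
# Assumed role: hierarchy visible member by member, only "01" granted.
GRANTS = {(H,): "custom", (H, ALL, "01"): "all"}

def can_access(grants, member):
    """Nearest grant on the member or an ancestor decides; default is deny."""
    for n in range(len(member), 0, -1):
        rule = grants.get(member[:n])
        if rule == "all":
            return True
        if rule is not None:
            # "custom" exposes only the element it is set on, "none" nothing.
            return rule == "custom" and n == len(member)
    return False

def children(parent, grants=None):
    """Children of parent; with grants given, only those the role may see."""
    kids = [m for m in MEMBERS if m[:-1] == parent]
    if grants is None:
        return kids
    return [m for m in kids if can_access(grants, m)]

def resolve(name, grants=None):
    """Resolve a name one part at a time, as described in the thread."""
    current = ()
    for part in name:
        current = current + (part,)
        if current not in children(current[:-1], grants):
            return None
    return current

def children_role_filtered_lookup(name, grants):
    """Lookup runs under the role: a hidden ancestor makes the name vanish."""
    parent = resolve(name, grants)
    return [] if parent is None else children(parent, grants)

def children_unrestricted_lookup(name, grants):
    """Lookup ignores the role; the role is then enforced on the result."""
    parent = resolve(name)
    if parent is None or not can_access(grants, parent):
        return []
    return children(parent, grants)
```
</PRE>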
<BLOCKQUOTE
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000080 2px solid; MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> Pedro Casals
[mailto:pcasalsfradera@yahoo.com] <BR><B>Sent:</B> Tuesday, April 17, 2007
10:33 AM<BR><B>To:</B> Julian Hyde<BR><B>Subject:</B> Re: [Mondrian] XMLA
Security<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">Julian:</DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"> </DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">You
told me to provide a unit test, but the unit test is already done! It's
the access control test, with the only difference that access is done
through XMLA and not with mondrian native access. I do not know how to define
the system so it does twice the access control test, one with the mondrian
native connection and the second with XMLA connection.</DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"> </DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">What
must I do now?</DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"> </DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">Yours,</DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"> </DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">Pedro<BR><BR></DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">-----
Original message ----<BR>From: Julian Hyde
&lt;julianhyde@speakeasy.net&gt;<BR>To: Pedro Casals
&lt;pcasalsfradera@yahoo.com&gt;<BR>Sent: Monday, April 9, 2007
10:31:09<BR>Subject: RE: [Mondrian] XMLA Security<BR><BR>
<DIV dir=ltr align=left><SPAN class=725253008-09042007><FONT face=Verdana
color=#000080 size=2>Pedro,</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=725253008-09042007><FONT face=Verdana
color=#000080 size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=725253008-09042007><FONT face=Verdana
color=#000080 size=2>Can you contribute a unit test? I will not check in this
code until you do so.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=725253008-09042007><FONT face=Verdana
color=#000080 size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=725253008-09042007><FONT face=Verdana
color=#000080 size=2>Julian</FONT></SPAN></DIV><BR>
<BLOCKQUOTE dir=ltr
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000080 2px solid; MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> mondrian-bounces@pentaho.org
[mailto:mondrian-bounces@pentaho.org] <B>On Behalf Of </B>Julian
Hyde<BR><B>Sent:</B> Wednesday, April 04, 2007 11:33 PM<BR><B>To:</B>
'Mondrian developer mailing list'<BR><B>Subject:</B> RE: [Mondrian] XMLA
Security<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV dir=ltr align=left><SPAN class=268052506-05042007><FONT face=Verdana
color=#000080 size=2>Can you also contribute a unit test, against the
foodmart schema? Code without a unit test is like a really cool Xmas present
with no batteries included! See mondrian.test.AccessControlTest and
mondrian.test.SchemaTest for some examples.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=268052506-05042007><FONT face=Verdana
color=#000080 size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=268052506-05042007><FONT face=Verdana
color=#000080 size=2>I don't agree that members should be the total of only
their <EM>visible </EM>children. For example, if Fred has access to only
[USA].[CA].[San Francisco] and [USA].[CA].[Oakland], I think the total for
[USA].[CA] should include all cities in California.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=268052506-05042007><FONT face=Verdana
color=#000080 size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=268052506-05042007><FONT face=Verdana
color=#000080 size=2>I don't deny that there are cases where you would only
want to see the total of the accessible cities. But in my opinion it
shouldn't be the default behavior. I think there is some way to write a
calculated member for that - I would be open to extending the language to
make that easier to achieve. Anyone know what MSAS does
here?</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=268052506-05042007><FONT face=Verdana
color=#000080 size=2></FONT></SPAN> </DIV>
<DIV dir=ltr align=left><SPAN class=268052506-05042007><FONT face=Verdana
color=#000080 size=2>Julian</FONT></SPAN></DIV><BR>
<BLOCKQUOTE
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000080 2px solid; MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B> mondrian-bounces@pentaho.org
[mailto:mondrian-bounces@pentaho.org] <B>On Behalf Of </B>Pedro
Casals<BR><B>Sent:</B> Wednesday, April 04, 2007 4:04 AM<BR><B>To:</B>
Mondrian developer mailing list<BR><B>Subject:</B> Re: [Mondrian] XMLA
Security<BR></FONT><BR></DIV>
<DIV></DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">Thanks
to your hint I realized that code changes were small. Since I have no
access to CVS, I post here the changed classes. All changes are marked
with this comment: //PCF : role</DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">Besides,
I attach a default callback implementation and the needed modification in
web.xml.<BR>I also attach the security role definition, that covers most
of the situations:</DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">-
Grant only some measures</DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">- Deny
a whole dimension. </DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">-
Deny part of a hierarchy, both in levels and members</DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"> </DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">Pending:</DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">JPivot
is not placing the role in the HTTP header. I will ask Andreas which is
his preferred approach, and my proposed solution.</DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"> </DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">Known
bug at this moment:</DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">-
Security role definition is order dependent, more than specified in doc.
For example: in my role definition, if the definition of <FONT
color=#000080 size=2>[Estructura Comercial] <FONT color=#000000 size=3>is
placed before Dimension definition, the latter is not taken into
account!</FONT></FONT></DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">-
Look at the attached file XMLA Security bug.xls. If a member of a level of a
hierarchy is denied, the member is computed for the totals of the
ancestors (which is wrong), but is not computed on its own level (which is
correct).</DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"> </DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">Pedro</DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"> </DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">-----
Original message ----<BR>From: Julian Hyde
&lt;julianhyde@speakeasy.net&gt;<BR>To: Mondrian developer mailing list
&lt;mondrian@pentaho.org&gt;<BR>Sent: Tuesday, April 3, 2007
18:53:55<BR>Subject: RE: [Mondrian] XMLA Security<BR><BR>
<DIV dir=ltr align=left><SPAN class=694145216-03042007><FONT face=Verdana
color=#000080 size=2></FONT></SPAN> </DIV><FONT face=Verdana
color=#000080 size=2></FONT><BR>
<BLOCKQUOTE
style="PADDING-LEFT: 5px; MARGIN-LEFT: 5px; BORDER-LEFT: #000080 2px solid; MARGIN-RIGHT: 0px">
<DIV class=OutlookMessageHeader lang=en-us dir=ltr
align=left><STRONG><FONT face=Tahoma size=2></FONT></STRONG><BR>The
problem with this security role is that when I try to retrieve all the
children from <FONT size=2><FONT color=#000080>[Estructura
Comercial].[Toda la Estructura].[01] </FONT><FONT color=#000000 size=3>I
get none, because the code tries to solve the name one part at
a time, but we do not have access to <FONT color=#000080
size=2>[Estructura Comercial].[Toda la
Estructura].</FONT></FONT></FONT></DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"><FONT
face=Verdana color=#000080 size=2></FONT> </DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif">Is
it that the role definition is wrong or should I adjust the code (which
is really complicated!!!!)<SPAN class=694145216-03042007><FONT
face=Verdana color=#000080 size=2> </FONT></SPAN></DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"><SPAN
class=694145216-03042007></SPAN> </DIV></DIV></BLOCKQUOTE>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"><SPAN
class=694145216-03042007><FONT face=Verdana color=#000080 size=2>The code
which looks up the member being granted should definitely do so in a
non-access-controlled context. By all means adjust the code (and be sure
to add a unit test for the bug). Maybe use the global schema
reader?</FONT></SPAN></DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"><SPAN
class=694145216-03042007><FONT face=Verdana color=#000080
size=2></FONT></SPAN> </DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"><SPAN
class=694145216-03042007><FONT face=Verdana color=#000080
size=2>Julian</FONT></SPAN></DIV>
<DIV>_______________________________________________<BR>Mondrian mailing
list<BR>Mondrian@pentaho.org<BR><A
href="http://lists.pentaho.org/mailman/listinfo/mondrian" target=_blank
rel=nofollow>http://lists.pentaho.org/mailman/listinfo/mondrian</A></DIV></DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"><BR></DIV></DIV><BR>
</BLOCKQUOTE></BLOCKQUOTE></DIV>
<DIV
style="FONT-SIZE: 12pt; FONT-FAMILY: times new roman, new york, times, serif"><BR></DIV></DIV><BR>
</BLOCKQUOTE></BODY></HTML>