[Mondrian] XMLA Security

Pedro Casals pcasalsfradera at yahoo.com
Tue Apr 3 07:33:19 EDT 2007


Julian,

After a closer analysis, I did not have to extend SchemaReader, and most of the issues are solved. However, I have one last problem that is difficult to solve. But, perhaps, the problem may be related to a wrong security definition.

This is the dimension:
<Dimension name="Estructura Comercial" foreignKey="LPCCLI" caption="Estructura Comercial">
  <Hierarchy hasAll="true" allMemberName="Toda la Estructura" primaryKey="MCCCLI" allMemberCaption="Toda la estructura">
    <Table name="Clientes" />
    <Level name="Zona venta" column="MCDELV" captionColumn="NOMDEL" uniqueMembers="true" caption="Todas las zonas"/>
    <Level name="Vendedor" column="MCVEN1" captionColumn="NOMVEN" uniqueMembers="true" caption="Todas los vendedores"/>
    <Level name="Cliente" column="MCCCLI" captionColumn="MCNOMB" uniqueMembers="true" caption="Todas los clientes"/>
  </Hierarchy>
</Dimension>

And this is the security role:
<Role name="V102">
  <SchemaGrant access="none">
    <CubeGrant cube="Ventas" access="all">
      <HierarchyGrant hierarchy="[Estructura Comercial]" access="custom"
                      topLevel="[Estructura Comercial].[Zona venta]"
                      bottomLevel="[Estructura Comercial].[Cliente]">
        <MemberGrant member="[Estructura Comercial].[Toda la Estructura].[01]" access="all"/>
      </HierarchyGrant>
    </CubeGrant>
  </SchemaGrant>
</Role>

The problem with this security role is that when I try to retrieve all the children from [Estructura Comercial].[Toda la Estructura].[01] I get none, because the code tries to solve the name one part at a time, but we do not have access to [Estructura Comercial].[Toda la Estructura].

Is it that the role definition is wrong or should I adjust the code (which is really complicated!!!!)?

After this issue is solved, I will mail the code changes, including a mondrian.xmla.impl.DefaultXmlaRequestCallback implementation (and its web.xml definition)

Pedro

----- Original message ----
From: Julian Hyde <julianhyde at speakeasy.net>
To: Mondrian developer mailing list <mondrian at pentaho.org>
Sent: Wednesday, March 21, 2007 10:48:15
Subject: RE: [Mondrian] XMLA Security


Pedro,
 
You should extend SchemaReader. It shouldn't be that painful for existing code - implementations generally extend DelegatingSchemaReader or RolapSchemaReader, so they wouldn't have to do any extra work.
 
Note that if you grant access to a member of a hierarchy, you implicitly see all of its ancestors. E.g. if you give access to San Francisco, you see California and USA. Unless, that is, you set top-level to City or lower.
 
When you've done the code changes, send me a zip file and I'll check them in. As part of your code change, please document the rules you are implementing in schema.html, and add tests in AccessControlTest.
 
Julian




From: mondrian-bounces at pentaho.org [mailto:mondrian-bounces at pentaho.org] On Behalf Of Pedro Casals
Sent: Tuesday, March 20, 2007 12:20 PM
To: Mondrian developer mailing list
Subject: Re: [Mondrian] XMLA Security


I agree, it's easier to manage things through SchemaReader. However, there are some methods missing: I've seen schemaReader.getHierarchyLevels(hierarchy) (for Hierarchy.getLevels()) but not getLevelDepth, getDimensions, etc.
 
How would you feel if I added these methods to the SchemaReader interface? I know changing interfaces is hard for all those that have implemented functionalities based on the interface, but extending the interface to a new interface like SecuritySchemaReader would make things quite confusing, wouldn't it?
 
Tell me the way you prefer
 
Pedro


----- Original message ----
From: Julian Hyde <julianhyde at speakeasy.net>
To: Mondrian developer mailing list <mondrian at pentaho.org>
Sent: Saturday, March 17, 2007 1:08:03
Subject: RE: [Mondrian] XMLA Security


 




From: mondrian-bounces at pentaho.org [mailto:mondrian-bounces at pentaho.org] On Behalf Of Pedro Casals
Sent: Friday, March 16, 2007 4:34 AM
To: mondrian at pentaho.org
Subject: [Mondrian] XMLA Security


Hello:
 
I'm working on mondrian XMLA security and I have some doubts: The scenario is that you have a role that restricts the access to the two upper levels of a hierarchy (this hierarchy has four levels).
 
1st. I believe that the XMLA client should not be aware that this hierarchy has 4 levels. Do you agree? This is the way JPivot is working.
 
Seems reasonable. How can a restricted client tell that there are 4 levels right now? I'm guessing (a) the Hierarchy.getLevels() method and (b) the Level.getDepth() method. We could add versions of those methods to SchemaReader, and make jpivot/xmla call them.
 
2nd. Provided you agree with the previous point, what do you think would be the best strategy?: On one hand, upon cube definition load we could arrange the cube definition to match the role restriction. On the other hand, we could go on all XMLA requests and filter them.
Doing it with the first strategy, it looks like it's easier to manage. However, I see pooled cubes and I do not know if these pooled cubes are shared among several XMLA clients. Should this be the case, we should have to go through the second way.
Doing it with the second strategy, we have to deal with all different XMLA requests, which should take more work, but looks safe, since no one could work around security writing direct MDX.
 
It's laudable to create an entire metadata API which includes access-control. But it's a lot of work. We took the simpler route, which is the SchemaReader interface.
 
So, the client (XMLA or JPivot) is an 'insider'. It is allowed full access to the catalog, but for things it is displaying to the user, it uses the SchemaReader facade.
 
 
3rd. Is there a way to restrict a measure to a role? 
 
You can restrict access to any given set of members in a hierarchy. That includes the Measures hierarchy.
 
Take a look at the AccessControlTest. That is the spec. Anything you need but which isn't tested, please add and contribute. If anything doesn't work, contribute the test and log a bug.
 
Julian
_______________________________________________
Mondrian mailing list
Mondrian at pentaho.org
http://lists.pentaho.org/mailman/listinfo/mondrian






-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.pentaho.org/pipermail/mondrian/attachments/20070403/ad1efa48/attachment.html 
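
A toy model of the failure described in the top message, as an added example that is not part of the thread and is not Mondrian code. The visibility rule (a grant covers the member, its descendants and its ancestors, clipped by topLevel/bottomLevel) is an assumption drawn from the messages above; the function names and the members below zone 01 are constructed.

```python
# Toy model of role V102 from this thread; not Mondrian code.
LEVELS = ["(All)", "Zona venta", "Vendedor", "Cliente"]

# Constructed sample members, keyed by their path below the hierarchy name.
MEMBERS = {
    ("Toda la Estructura",),
    ("Toda la Estructura", "01"),
    ("Toda la Estructura", "01", "V102"),
    ("Toda la Estructura", "01", "V102", "C0001"),
    ("Toda la Estructura", "02"),
    ("Toda la Estructura", "02", "V205"),
}

class Role:
    def __init__(self, top_level, bottom_level, grants):
        self.top = LEVELS.index(top_level)
        self.bottom = LEVELS.index(bottom_level)
        self.grants = grants  # member paths granted with access="all"

    def can_see(self, path):
        depth = len(path) - 1
        if not self.top <= depth <= self.bottom:
            return False  # outside topLevel..bottomLevel
        for g in self.grants:
            n = min(len(g), len(path))
            if g[:n] == path[:n]:
                return True  # the grant itself, a descendant, or an ancestor
        return False

def lookup_stepwise(role, path):
    """Resolve one name part at a time, checking access at every step."""
    for i in range(1, len(path) + 1):
        prefix = path[:i]
        if prefix not in MEMBERS or not role.can_see(prefix):
            return None  # fails at the all member when topLevel hides it
    return path

def lookup_target_only(role, path):
    """Resolve the whole path first, then check access on the target only."""
    return path if path in MEMBERS and role.can_see(path) else None

def children(role, path, lookup):
    parent = lookup(role, path)
    if parent is None:
        return []
    return sorted(m for m in MEMBERS if m[:-1] == parent and role.can_see(m))

V102 = Role("Zona venta", "Cliente", {("Toda la Estructura", "01")})
ZONE_01 = ("Toda la Estructura", "01")
```

In this model, stepwise resolution returns no children for zone 01 because the all member sits above topLevel, while checking access only on the resolved target returns the granted subtree and still hides zone 02.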

