[Mondrian] XMLA Security

Pedro Casals pcasalsfradera at yahoo.com
Wed Apr 4 07:03:55 EDT 2007


Thanks to your hint I realized that the code changes were small. Since I have no access to CVS, I post the changed classes here. All changes are marked with this comment: //PCF : role
Besides, I attach a default callback implementation and the needed modification in web.xml.
I also attach the security role definition, which covers most of the situations:
- Grant only some measures
- Deny a whole dimension.
- Deny part of a hierarchy, both in levels and members

Pending:
JPivot is not placing the role in the HTTP header. I will ask Andreas which is his preferred approach, and my proposed solution.

Known bugs at this moment:
- Security role definition is order-dependent, more than specified in the doc. For example: in my role definition, if the definition of [Estructura Comercial] is placed before the Dimension definition, the latter is not taken into account!
- Look at the attached file XMLA Security bug.xls. If a member of a level of a hierarchy is denied, the member is computed for the totals of the ancestors (which is wrong), but is not computed on its own level (which is correct).

Pedro

----- Original message ----
From: Julian Hyde <julianhyde at speakeasy.net>
To: Mondrian developer mailing list <mondrian at pentaho.org>
Sent: Tuesday, 3 April 2007 18:53:55
Subject: RE: [Mondrian] XMLA Security


 



The problem with this security role is that when I try to retrieve all the children from [Estructura Comercial].[Toda la Estructura].[01] I get none, because the code tries to solve the name one part at a time, but we do not have access to [Estructura Comercial].[Toda la Estructura].
 
Is it that the role definition is wrong or should I adjust the code (which is really complicated!!!!)?
 
The code which looks up the member being granted should definitely do so in a non-access-controlled context. By all means adjust the code (and be sure to add a unit test for the bug). Maybe use the global schema reader?
 
Julian
-------------- next part --------------
A non-text attachment was scrubbed...
Name: RolapSchemaReader.java
Type: application/octet-stream
Size: 20283 bytes
Desc: not available
Url : http://lists.pentaho.org/pipermail/mondrian/attachments/20070404/6a8564f8/attachment.obj 
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: Roles.txt
Url: http://lists.pentaho.org/pipermail/mondrian/attachments/20070404/6a8564f8/attachment.txt 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: RowsetDefinition.java
Type: application/octet-stream
Size: 253138 bytes
Desc: not available
Url : http://lists.pentaho.org/pipermail/mondrian/attachments/20070404/6a8564f8/attachment-0001.obj 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: web.xml
Type: text/xml
Size: 481 bytes
Desc: not available
Url : http://lists.pentaho.org/pipermail/mondrian/attachments/20070404/6a8564f8/attachment.xml 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: XmlaHandler.java
Type: application/octet-stream
Size: 79141 bytes
Desc: not available
Url : http://lists.pentaho.org/pipermail/mondrian/attachments/20070404/6a8564f8/attachment-0002.obj 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: XMLA Security Bug.xls
Type: application/vnd.ms-excel
Size: 22528 bytes
Desc: not available
Url : http://lists.pentaho.org/pipermail/mondrian/attachments/20070404/6a8564f8/attachment.xls 
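
The lookup problem discussed in this message, as an added example that is not part of the original post and is not Mondrian code: a simplified model in which a role grants only the [01] subtree, comparing name resolution that applies the role at every step with resolution done outside access control followed by a role check on the results. The class, its methods, the child member names and the role contents are all constructed assumptions (the attached Roles.txt is not shown on this page).

```java
import java.util.*;

// Added illustration, not Mondrian code; every name here is hypothetical.
public class MemberGrantLookup {
    // Constructed hierarchy: unique member name -> child name parts.
    static final Map<String, List<String>> CHILDREN = new HashMap<>();
    // Constructed role: only the [01] subtree is granted (default is deny).
    static final Set<String> GRANTED = new HashSet<>();
    static {
        String all = "[Estructura Comercial].[Toda la Estructura]";
        CHILDREN.put("[Estructura Comercial]", List.of("[Toda la Estructura]"));
        CHILDREN.put(all, List.of("[01]", "[02]"));
        CHILDREN.put(all + ".[01]", List.of("[0101]", "[0102]"));
        GRANTED.add(all + ".[01]");
    }

    // Unique name of the parent, or null for a top-level member.
    static String parent(String name) {
        int i = name.lastIndexOf("].[");
        return i < 0 ? null : name.substring(0, i + 1);
    }

    // A member is accessible when it or one of its ancestors is granted.
    static boolean canAccess(String name) {
        for (String n = name; n != null; n = parent(n))
            if (GRANTED.contains(n)) return true;
        return false;
    }

    // Resolves the name one part at a time, then lists accessible children.
    // checkEachStep=true applies the role to every intermediate member.
    static List<String> childrenOf(boolean checkEachStep, String... parts) {
        String current = null;
        for (String part : parts) {
            if (current != null && !CHILDREN.getOrDefault(current, List.of()).contains(part))
                return List.of(); // no such member
            current = (current == null) ? part : current + "." + part;
            if (checkEachStep && !canAccess(current)) return List.of(); // stops at a denied ancestor
        }
        List<String> visible = new ArrayList<>();
        for (String child : CHILDREN.getOrDefault(current, List.of()))
            if (canAccess(current + "." + child)) visible.add(child); // role enforced on results
        return visible;
    }

    public static void main(String[] args) {
        String[] name = {"[Estructura Comercial]", "[Toda la Estructura]", "[01]"};
        System.out.println("role applied at each step: " + childrenOf(true, name));
        System.out.println("resolved globally first:   " + childrenOf(false, name));
    }
}
```

In this model the per-step variant returns nothing because the walk stops at the ungranted ancestor, while the second variant still filters every returned child through the role, so members outside the grant stay hidden.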


More information about the Mondrian mailing list