[Mondrian] XMLA Security

Pedro Casals pcasalsfradera at yahoo.com
Wed Apr 4 07:03:55 EDT 2007

Thanks to your hint I realized that code changes were small. Since I have no access to CVS, I post here the changed classes. All changes are marked with this comment: //PCF : role
Besides, I attach a default callback implementation and the needed modification in web.xml.
I also attach the security role definition, that covers most of the situations:
- Grant only some measures
- Deny a hole dimension. 
- Deny part of an hierarchy, both in levels and members

JPivot is not placing the role in the HTTP header. I will ask to Andreas which is his preferred approach, and my proposed solution.

Known bug at this moment:
- Security role definition is order dependant, more than specified in doc. For example: in my role definition, if the definition of [Estructura Comercial] is placed before Dimension definition, the latter is not taken into account!
- look at XMLA Security bug.xls attached file. If a member of a level of an hierarchy is denied, the member is computed for the totals of the ancestors (wich is wrong), but is not computed on its own level (wich is correct).


----- Mensaje original ----
De: Julian Hyde <julianhyde at speakeasy.net>
Para: Mondrian developer mailing list <mondrian at pentaho.org>
Enviado: martes, 3 de abril, 2007 18:53:55
Asunto: RE: [Mondrian] XMLA Security


The problem with this security role is that when I try to retrieve all the children from [Estructura Comercial].[Toda la Estructura].[01] I get none, because the code navigates tries to solve the name one part at a time, but we do not have access to [Estructura Comercial].[Toda la Estructura].
Is it that the role definition is wrong or should I adjust the code (which is really complicated!!!!) 
The code which looks up the member being granted should definitely do so in a non-access-controlled context. By all means adjust the code (and be sure to add a unit test for the bug). Maybe use the global schema reader?
Mondrian mailing list
Mondrian at pentaho.org

LLama Gratis a cualquier PC del Mundo. 
Llamadas a fijos y móviles desde 1 céntimo por minuto. 
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.pentaho.org/pipermail/mondrian/attachments/20070404/6a8564f8/attachment.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: RolapSchemaReader.java
Type: application/octet-stream
Size: 20283 bytes
Desc: not available
Url : http://lists.pentaho.org/pipermail/mondrian/attachments/20070404/6a8564f8/attachment.obj 
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: Roles.txt
Url: http://lists.pentaho.org/pipermail/mondrian/attachments/20070404/6a8564f8/attachment.txt 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: RowsetDefinition.java
Type: application/octet-stream
Size: 253138 bytes
Desc: not available
Url : http://lists.pentaho.org/pipermail/mondrian/attachments/20070404/6a8564f8/attachment-0001.obj 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: web.xml
Type: text/xml
Size: 481 bytes
Desc: not available
Url : http://lists.pentaho.org/pipermail/mondrian/attachments/20070404/6a8564f8/attachment.xml 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: XmlaHandler.java
Type: application/octet-stream
Size: 79141 bytes
Desc: not available
Url : http://lists.pentaho.org/pipermail/mondrian/attachments/20070404/6a8564f8/attachment-0002.obj 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: XMLA Security Bug.xls
Type: application/vnd.ms-excel
Size: 22528 bytes
Desc: not available
Url : http://lists.pentaho.org/pipermail/mondrian/attachments/20070404/6a8564f8/attachment.xls 

More information about the Mondrian mailing list