[Mondrian] XMLA Security

Julian Hyde julianhyde at speakeasy.net
Fri Apr 20 14:28:35 EDT 2007


I wrote a unit test and checked in your changes as change 9138: 

http://p4web.eigenbase.org/@md=d&c=6PU@//9138?ac=10

See XmlaBasicTest.testMDLevelsAccessControlled. This only checks the
behavior of MDSCHEMA_LEVELS. Similar tests are needed for other XMLA
metadata queries. Please add more tests similar to that to match the
behavior you need.

Julian

 


  _____  

From: Pedro Casals [mailto:pcasalsfradera at yahoo.com] 
Sent: Tuesday, April 17, 2007 10:33 AM
To: Julian Hyde
Subject: Re: [Mondrian] XMLA Security


Julian:
 
You told me to provide a unit test, but the unit test is already done!
It's the access control test, with the only difference that access is
done through XMLA and not with mondrian native access. I do not know how
to define the system so it does twice the access control test, one with
the mondrian native connection and the second with XMLA connection.
 
What must I do now?
 
Yours,
 
Pedro


----- Original message ----
From: Julian Hyde <julianhyde at speakeasy.net>
To: Pedro Casals <pcasalsfradera at yahoo.com>
Sent: Monday, April 9, 2007 10:31:09
Subject: RE: [Mondrian] XMLA Security


Pedro,
 
Can you contribute a unit test? I will not check in this code until you
do so.
 
Julian


  _____  

From: mondrian-bounces at pentaho.org [mailto:mondrian-bounces at pentaho.org]
On Behalf Of Julian Hyde
Sent: Wednesday, April 04, 2007 11:33 PM
To: 'Mondrian developer mailing list'
Subject: RE: [Mondrian] XMLA Security


Can you also contribute a unit test, against the foodmart schema? Code
without a unit test is like a really cool Xmas present with no batteries
included! See mondrian.test.AccessControlTest and
mondrian.test.SchemaTest for some examples.
 
I don't agree that members should be the total of only their visible
children. For example, if Fred has access to only [USA].[CA].[San
Francisco] and [USA].[CA].[Oakland], I think the total for [USA].[CA]
should include all cities in California.
 
I don't deny that there are cases where you would only want to see the
total of the accessible cities. But in my opinion it shouldn't be the
default behavior. I think there is some way to write a calculated member
for that - I would be open to extending the language to make that easier
to achieve. Anyone know what MSAS does here?
 
Julian


  _____  

From: mondrian-bounces at pentaho.org [mailto:mondrian-bounces at pentaho.org]
On Behalf Of Pedro Casals
Sent: Wednesday, April 04, 2007 4:04 AM
To: Mondrian developer mailing list
Subject: Re: [Mondrian] XMLA Security


Thanks to your hint I realized that code changes were small. Since I
have no access to CVS, I post here the changed classes. All changes are
marked with this comment: //PCF : role
Besides, I attach a default callback implementation and the needed
modification in web.xml.
I also attach the security role definition, that covers most of the
situations:
- Grant only some measures
- Deny a whole dimension.
- Deny part of a hierarchy, both in levels and members
 
Pending:
JPivot is not placing the role in the HTTP header. I will ask Andreas
which is his preferred approach, and my proposed solution.
 
Known bug at this moment:
- Security role definition is order dependent, more than specified in
doc. For example: in my role definition, if the definition of
[Estructura Comercial] is placed before Dimension definition, the latter
is not taken into account!
- Look at XMLA Security bug.xls attached file. If a member of a level of
a hierarchy is denied, the member is computed for the totals of the
ancestors (which is wrong), but is not computed on its own level (which is
correct).
 
Pedro
 
----- Original message ----
From: Julian Hyde <julianhyde at speakeasy.net>
To: Mondrian developer mailing list <mondrian at pentaho.org>
Sent: Tuesday, April 3, 2007 18:53:55
Subject: RE: [Mondrian] XMLA Security


 




The problem with this security role is that when I try to retrieve all
the children from [Estructura Comercial].[Toda la Estructura].[01] I get
none, because the code navigates and tries to solve the name one part at a
time, but we do not have access to [Estructura Comercial].[Toda la
Estructura].
 
Is it that the role definition is wrong or should I adjust the code
(which is really complicated!!!!)?
 

The code which looks up the member being granted should definitely do so
in a non-access-controlled context. By all means adjust the code (and be
sure to add a unit test for the bug). Maybe use the global schema
reader?
 
Julian
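
The lookup problem discussed at the end of this thread, as an added example that is not part of the original messages and is not Mondrian's own code. It is a toy Java model that uses no Mondrian API; the class and helper names, the role, and the members [02], [0101] and [0102] are constructed. A grant target is resolved one name segment at a time, first through the role's restricted view and then in an unrestricted context.

```java
import java.util.*;
import java.util.function.Predicate;

// Toy model, not Mondrian's API: a "reader" is a visibility filter over unique names.
public class GrantLookupDemo {
    static final String DIM = "[Estructura Comercial]";
    // Constructed hierarchy: unique name of parent -> child segment names.
    static final Map<String, List<String>> TREE = Map.of(
        DIM, List.of("Toda la Estructura"),
        DIM + ".[Toda la Estructura]", List.of("01", "02"),
        DIM + ".[Toda la Estructura].[01]", List.of("0101", "0102"));

    // Children of a member, as seen through the given visibility filter.
    static List<String> children(String parent, Predicate<String> visible) {
        List<String> out = new ArrayList<>();
        for (String seg : TREE.getOrDefault(parent, List.of())) {
            String child = parent + ".[" + seg + "]";
            if (visible.test(child)) out.add(child);
        }
        return out;
    }

    // Resolve a member name one segment at a time; every step must be visible.
    static Optional<String> resolve(Predicate<String> visible, String... segments) {
        String current = DIM;
        for (String seg : segments) {
            String want = current + ".[" + seg + "]";
            if (!children(current, visible).contains(want)) return Optional.empty();
            current = want;
        }
        return Optional.of(current);
    }

    public static void main(String[] args) {
        // Hypothetical role: sees [01] and its descendants, but not the
        // member [Toda la Estructura] above it.
        Predicate<String> role = m -> m.startsWith(DIM + ".[Toda la Estructura].[01]");
        Predicate<String> unrestricted = m -> true;
        String[] name = {"Toda la Estructura", "01"};

        // Walking the path through the role's own view stops at the first
        // segment, so the granted member is never found.
        System.out.println("restricted lookup:   " + resolve(role, name));
        // Resolving in an unrestricted context finds the member; the role is
        // then applied to what is returned, not to the path that was walked.
        String member = resolve(unrestricted, name).orElseThrow();
        System.out.println("children under role: " + children(member, role));
    }
}
```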