[Mondrian] XMLA Security
Julian Hyde
julianhyde at speakeasy.net
Fri Apr 20 14:28:35 EDT 2007
I wrote a unit test and checked in your changes as change 9138:
<http://p4web.eigenbase.org/@md=d&c=6PU@//9138?ac=10>
http://p4web.eigenbase.org/@md=d&c=6PU@//9138?ac=10
See XmlaBasicTest.testMDLevelsAccessControlled. This only checks the
behavior of MDSCHEMA_LEVELS. Similar tests are needed for other XMLA
metadata queries. Please add more tests similar to that to match the
behavior you need.
Julian
_____
From: Pedro Casals [mailto:pcasalsfradera at yahoo.com]
Sent: Tuesday, April 17, 2007 10:33 AM
To: Julian Hyde
Subject: Re: [Mondrian] XMLA Security
Julian:
You told me to provide a unit test, but the unit test is already done!
It's the access control test, with the only difference that access is
done through XMLA and not with mondrian native access. I do not know how
to define the system so it does twice the access control test, one with
the mondrian native connection and the second with XMLA connection.
What must I do now?
Yours,.
Pedro
----- Mensaje original ----
De: Julian Hyde <julianhyde at speakeasy.net>
Para: Pedro Casals <pcasalsfradera at yahoo.com>
Enviado: lunes, 9 de abril, 2007 10:31:09
Asunto: RE: [Mondrian] XMLA Security
Pedro,
Can you contribute a unit test. I will not check in this code until you
do so.
Julian
_____
From: mondrian-bounces at pentaho.org [mailto:mondrian-bounces at pentaho.org]
On Behalf Of Julian Hyde
Sent: Wednesday, April 04, 2007 11:33 PM
To: 'Mondrian developer mailing list'
Subject: RE: [Mondrian] XMLA Security
Can you also contribute a unit test, against the foodmart schema? Code
without a unit test is like a really cool Xmas present with no batteries
included! See mondrian.test.AccessControlTest and
mondrian.test.SchemaTest for some examples.
I don't agree that members should be the total of only their visible
children. For example, if Fred has access to only [USA].[CA].[San
Francisco] and [USA].[CA].[Oakland], I think the total for [USA].[CA]
should include all cities in California.
I don't deny that there are cases where you would only want to see the
total of the accessible cities. But in my opinion it shouldn't be the
default behavior. I think there is some way to write a calculated member
for that - I would be open to extending the language to make that easier
to achieve. Anyone know what MSAS does here?
Julian
_____
From: mondrian-bounces at pentaho.org [mailto:mondrian-bounces at pentaho.org]
On Behalf Of Pedro Casals
Sent: Wednesday, April 04, 2007 4:04 AM
To: Mondrian developer mailing list
Subject: Re: [Mondrian] XMLA Security
Thanks to your hint I realized that code changes were small. Since I
have no access to CVS, I post here the changed classes. All changes are
marked with this comment: //PCF : role
Besides, I attach a default callback implementation and the needed
modification in web.xml.
I also attach the security role definition, that covers most of the
situations:
- Grant only some measures
- Deny a hole dimension.
- Deny part of an hierarchy, both in levels and members
Pending:
JPivot is not placing the role in the HTTP header. I will ask to Andreas
which is his preferred approach, and my proposed solution.
Known bug at this moment:
- Security role definition is order dependant, more than specified in
doc. For example: in my role definition, if the definition of
[Estructura Comercial] is placed before Dimension definition, the latter
is not taken into account!
- look at XMLA Security bug.xls attached file. If a member of a level of
an hierarchy is denied, the member is computed for the totals of the
ancestors (wich is wrong), but is not computed on its own level (wich is
correct).
Pedro
----- Mensaje original ----
De: Julian Hyde <julianhyde at speakeasy.net>
Para: Mondrian developer mailing list <mondrian at pentaho.org>
Enviado: martes, 3 de abril, 2007 18:53:55
Asunto: RE: [Mondrian] XMLA Security
The problem with this security role is that when I try to retrieve all
the children from [Estructura Comercial].[Toda la Estructura].[01] I get
none, because the code navigates tries to solve the name one part at a
time, but we do not have access to [Estructura Comercial].[Toda la
Estructura].
Is it that the role definition is wrong or should I adjust the code
(which is really complicated!!!!)
The code which looks up the member being granted should definitely do so
in a non-access-controlled context. By all means adjust the code (and be
sure to add a unit test for the bug). Maybe use the global schema
reader?
Julian
_______________________________________________
Mondrian mailing list
Mondrian at pentaho.org
http://lists.pentaho.org/mailman/listinfo/mondrian
_____
LLama Gratis a cualquier PC del Mundo.
Llamadas a fijos y móviles desde 1 céntimo por minuto.
http://es.voice.yahoo.com
<http://us.rd.yahoo.com/mail/es/tagline/messenger/*http://es.voice.yahoo
.com/>
_____
LLama Gratis a cualquier PC del Mundo.
Llamadas a fijos y móviles desde 1 céntimo por minuto.
http://es.voice.yahoo.com
<http://us.rd.yahoo.com/mail/es/tagline/messenger/*http://es.voice.yahoo
.com/>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.pentaho.org/pipermail/mondrian/attachments/20070420/046ab074/attachment.html
More information about the Mondrian
mailing list