[Mondrian] XMLA Security roles
John V. Sichi
jsichi at gmail.com
Wed Feb 28 16:33:23 EST 2007
Note: I'm in the middle of reworking the XML/A tests to use
DiffRepository instead of file collections; should be done soon. So
Pedro, before updating the tests, you'll want to sync to the latest I'll
be checking in.
JVS
Julian Hyde wrote:
> Pedro,
>
> There are no instructions! But I've found out a little by reading the code.
>
> There are 3 classes which implement the callback interface, all of them
> in the test suite.
>
> If you implement your own callback, you may find it useful to also write
> new classes
>
> * mondrian.xmla.DefaultRequestCallback (which does nothing for each
>   method) and make your implementation derive from that. (This will
>   help protect your code against future changes to this interface.)
> * mondrian.xmla.DelegatingRequestCallback which implements each
>   method by passing each request to a 'parent' callback object. This
>   implements the 'decorator' pattern, and allows people to chain
>   callbacks.
>
> Put your callback into mondrian.xmla.impl package. Other people will use
> it if it is useful!
>
> To register a callback. Looks like callback class names are registered
> in web.xml. I imagine that the class needs a special constructor e.g. a
> public constructor with no args. You should be able to figure all this
> out by reading XmlaServlet.initCallbacks().
>
> Hopefully you can deduce the rest. I'd be grateful if you could add
> instructions on how to write and register a callback into the javadoc of
> XmlaRequestCallback, so no one else has to ask this question.
>
> Julian
>
> ------------------------------------------------------------------------
> *From:* mondrian-bounces at pentaho.org
> [mailto:mondrian-bounces at pentaho.org] *On Behalf Of *Pedro Casals
> *Sent:* Wednesday, February 28, 2007 10:20 AM
> *To:* Mondrian developer mailing list
> *Subject:* Re: [Mondrian] XMLA Security roles
>
> Thanks Julian,
>
> I'll write a callback to process the http header (and go thru jpivot
> xmla client to see if I can put this header). The first question
> right now is: A callback should implement the XmlaRequestCallback
> interface. But where and how do I define the callback? Could you
> give me an example, please?
> thanks in advance
>
> Pedro
> ----- Original message ----
> From: Julian Hyde <julianhyde at speakeasy.net>
> To: Mondrian developer mailing list <mondrian at pentaho.org>
> Sent: Wednesday, February 28, 2007 11:17:31
> Subject: RE: [Mondrian] XMLA Security roles
>
>
>
> ------------------------------------------------------------------------
> *From:* Pedro Casals
>
> I cannot make security roles work properly when making a query
> through XMLA (it works OK if the query is done through
> mondrianQuery tag).
> In mondrian.xmla.impl.DefaultXmlaServlet.handleSoapBody I can
> see this code:
>     // use context variable `role' as this request's XML/A role
>     XmlaRequest xmlaReq = new DefaultXmlaRequest(xmlaReqElem,
>             (String) context.get(CONTEXT_ROLE));
> However, I do not see where this context is filled besides in
> handleSoapHeader. handleSoapHeader function only puts these keys:
> CONTEXT_XMLA_SESSION_ID, CONTEXT_XMLA_SESSION_STATE.
>
>
> I think you're right. Whoever wrote DefaultXmlaServlet put in a hook
> to use the suggested role if it is present... but it is up to the
> XMLA client to set it as an attribute in the HTTP header.
>
>
> One question more: If security is not implemented I would do
> it. I have read XMLA 1.1 spec and I could not see where to
> define the role in the SOAP message. Should it be defined as a
> restriction?
>
>
> The XMLA request should specify the user (probably as part of the
> HTTP header, NOT part of the XML). I know Pentaho Spreadsheet
> Services does this, for example.
>
> The XmlaHandler should then resolve the user to a role (to be
> precise, the user and the schema resolve to a role -- a user might
> run under different roles in different schemas). We have discussed
> extending XmlaHandler to use a plugin user-to-role resolver running
> off JNDI or JAAS or extra information we might add extra fields to
> datasources.xml to define authentication and access-control lists.
>
> (I can't find that discussion right now... anyone??)
>
> Julian
> _______________________________________________
> Mondrian mailing list
> Mondrian at pentaho.org
> http://lists.pentaho.org/mailman/listinfo/mondrian
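
The user-to-role resolution described in the thread (user plus schema resolve to a role), as an added example that is not code from Mondrian or from anyone in this thread. Every name below is hypothetical, including the CONTEXT_ROLE value and the X-Role header; the user is assumed to have been authenticated by the servlet container before this code runs.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

public class UserSchemaRoleResolver {
    // Hypothetical context key; stands in for the CONTEXT_ROLE constant quoted in the thread.
    static final String CONTEXT_ROLE = "role";

    // user -> (schema -> role); entries are granted explicitly by an administrator.
    private final Map<String, Map<String, String>> acl = new HashMap<>();

    void grant(String user, String schema, String role) {
        acl.computeIfAbsent(user, u -> new HashMap<>()).put(schema, role);
    }

    // Resolve (authenticated user, schema) to a role; unknown pairs fail closed
    // rather than falling back to an unrestricted connection.
    String resolve(String user, String schema) {
        if (user == null || schema == null) {
            throw new SecurityException("user and schema are both required");
        }
        String role = acl.getOrDefault(user, Collections.emptyMap()).get(schema);
        if (role == null) {
            throw new SecurityException("no role for " + user + " in schema " + schema);
        }
        return role;
    }

    // Fill the per-request context the way a header-processing callback would.
    // Headers sent by the client are passed in only to show they are not consulted.
    void fillContext(String user, String schema,
                     Map<String, String> clientHeaders, Map<String, Object> context) {
        context.put(CONTEXT_ROLE, resolve(user, schema));
    }

    public static void main(String[] args) {
        UserSchemaRoleResolver r = new UserSchemaRoleResolver();
        r.grant("pedro", "FoodMart", "California manager"); // constructed sample grants
        r.grant("pedro", "HR", "Read only");

        Map<String, Object> ctx = new HashMap<>();
        // Constructed request: the client names a role it was never granted.
        r.fillContext("pedro", "FoodMart", Map.of("X-Role", "Administrator"), ctx);
        System.out.println(ctx.get(CONTEXT_ROLE));
        try {
            r.resolve("pedro", "Sales"); // no grant exists for this schema
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

The role placed in the context comes only from the server-side grant table, so the same user gets different roles in different schemas and a request for an ungranted schema is rejected.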