[Mondrian] XMLA Security roles

John V. Sichi jsichi at gmail.com
Wed Feb 28 16:33:23 EST 2007

Note:  I'm in the middle of reworking the XML/A tests to use 
DiffRepository instead of file collections; should be done soon.  So 
Pedro, before updating the tests, you'll want to sync to the latest I'll 
be checking in.


Julian Hyde wrote:
> Pedro,
> There are no instructions! But I've found out a little by reading the code.
> There are 3 classes which implement the callback interface, all of them 
> in the test suite.
> If you implement your own callback, you may find it useful to also write 
> new classes:
>     * mondrian.xmla.DefaultRequestCallback (which does nothing for each
>       method) and make your implementation derive from that. (This will
>       help protect your code against future changes to this interface.)
>     * mondrian.xmla.DelegatingRequestCallback which implements each
>       method by passing each request to a 'parent' callback object. This
>       implements the 'decorator' pattern, and allows people to chain
>       callbacks.
> Put your callback into mondrian.xmla.impl package. Other people will use 
> it if it is useful!
> To register a callback. Looks like callback class names are registered 
> in web.xml.  I imagine that the class needs a special constructor e.g. a 
> public constructor with no args. You should be able to figure all this 
> out by reading XmlaServlet.initCallbacks().
> Hopefully you can deduce the rest. I'd be grateful if you could add 
> instructions on how to write and register a callback into the javadoc of 
> XmlaRequestCallback, so no one else has to ask this question.
> Julian
>     ------------------------------------------------------------------------
>     *From:* mondrian-bounces at pentaho.org
>     [mailto:mondrian-bounces at pentaho.org] *On Behalf Of *Pedro Casals
>     *Sent:* Wednesday, February 28, 2007 10:20 AM
>     *To:* Mondrian developer mailing list
>     *Subject:* Re: [Mondrian] XMLA Security roles
>     Thanks Julian,
>     I'll write a callback to process the http header (and go thru jpivot
>     xmla client to see if I can put this header). The first question
>     right now is: A callback should implement the XmlaRequestCallback
>     interface. But where and how do I define the callback? Could you
>     give me an example, please?
>     thanks in advance
>     Pedro
>     ----- Original message ----
>     From: Julian Hyde <julianhyde at speakeasy.net>
>     To: Mondrian developer mailing list <mondrian at pentaho.org>
>     Sent: Wednesday, February 28, 2007 11:17:31
>     Subject: RE: [Mondrian] XMLA Security roles
>         ------------------------------------------------------------------------
>         *From:* Pedro Casals
>         I cannot make security roles work properly when making a query
>         through XMLA (it works OK if the query is done through
>         mondrianQuery tag).
>         In mondrian.xmla.impl.DefaultXmlaServlet.handleSoapBody I can
>         see this code:
>             // use context variable `role' as this request's XML/A role
>             XmlaRequest xmlaReq = new DefaultXmlaRequest(xmlaReqElem,
>                                    (String) context.get(CONTEXT_ROLE));
>         However, I do not see where this context is filled besides in
>         handleSoapHeader. handleSoapHeader function only puts these keys:
>     I think you're right. Whoever wrote DefaultXmlaServlet put in a hook
>     to use the suggested role if it is present... but it is up to the
>     XMLA client to set it as an attribute in the HTTP header.
>         One question more: If security is not implemented I would do
>         it. I have read XMLA 1.1 spec and I could not see where to
>         define the role in the SOAP message. Should it be defined as a
>         restriction? 
>     The XMLA request should specify the user (probably as part of the
>     HTTP header, NOT part of the XML). I know Pentaho Spreadsheet
>     Services does this, for example.
>     The XmlaHandler should then resolve the user to a role (to be
>     precise, the user and the schema resolve to a role -- a user might
>     run under different roles in different schemas). We have discussed
>     extending XmlaHandler to use a plugin user-to-role resolver running
>     off JNDI or JAAS or extra information we might add extra fields to
>     datasources.xml to define authentication and access-control lists.
>     (I can't find that discussion right now... anyone??)
>     Julian
>     _______________________________________________
>     Mondrian mailing list
>     Mondrian at pentaho.org
>     http://lists.pentaho.org/mailman/listinfo/mondrian
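
Added example, not part of the original thread and not Mondrian code: a sketch of the user-and-schema-to-role resolution described in the quoted reply, where a role suggested by the client is honoured only if a server-side grant table allows it for that user in that schema. The class and method names and the sample users, schemas and roles are hypothetical and constructed for illustration.

```java
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Hypothetical resolver, not a Mondrian class: maps (user, schema) to roles.
public class RoleResolverExample {
    // Key: user + NUL + schema. Value: granted roles, first entry is the default.
    private final Map<String, List<String>> grants = new HashMap<>();

    private static String key(String user, String schema) {
        return user + "\0" + schema; // NUL keeps ("ab","c") distinct from ("a","bc")
    }

    public void grant(String user, String schema, String... roles) {
        grants.put(key(user, schema), List.of(roles));
    }

    // user must come from server-side authentication; suggestedRole is the
    // client's hint (for example a request header) and may be null.
    public String resolve(String user, String schema, String suggestedRole) {
        if (user == null || schema == null) {
            throw new SecurityException("unauthenticated or no schema");
        }
        List<String> allowed = grants.get(key(user, schema));
        if (allowed == null || allowed.isEmpty()) {
            throw new SecurityException("no role granted in schema " + schema);
        }
        if (suggestedRole == null) return allowed.get(0);
        if (!allowed.contains(suggestedRole)) {
            throw new SecurityException("role not granted: " + suggestedRole);
        }
        return suggestedRole;
    }

    public static void main(String[] args) {
        RoleResolverExample r = new RoleResolverExample();
        // Constructed sample grants: the same user holds different roles per schema.
        r.grant("alice", "Sales", "Analyst", "Manager");
        r.grant("alice", "HR", "ReadOnly");
        System.out.println(r.resolve("alice", "Sales", null));
        System.out.println(r.resolve("alice", "Sales", "Manager"));
        System.out.println(r.resolve("alice", "HR", null));
        try {
            r.resolve("alice", "HR", "Manager"); // granted in Sales only
        } catch (SecurityException e) {
            System.out.println("denied: " + e.getMessage());
        }
    }
}
```

The resolver fails closed: a user with no grant in the requested schema gets an exception, not a default role.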
