[Mondrian] Olap4J as JNDI datasource and passing Roles

Thomas Morgner mondrian at sherito.org
Tue Nov 10 15:12:36 EST 2009


setRoleName(..) was what I needed. I assume that
the rolename is just vendor-specific so for Mondrian
the same rules as for the "Role" connection property
apply (which is ok by my standards).

Ahh, I wished it would be as easy as unloading all the
responsibilities to the platform. But as the mondrian-
datasources should be usable within and without the platform,
I can't take that route.

So for now, I let the user feed in the role from parameters,
fields etc. If at some later point the platform sets the
role, and the users have no own preference, then simply
not having a role-field set will give them that default.

(But from the feedback I got, Mondrian's roles are not
necessarily the same as the platform roles. So forcing
my users to rely on the platform would get me killed in the
next community meeting.)


As connections are pooled: What happens to the queries/
connections when I change the role between two queries?


Julian Hyde wrote:
> OlapConnection has methods
> 
>   void setRoleName(String)
>   String getRoleName()
> 
> Obviously you can't pass in Mondrian Role objects, because they are
> Mondrian-specific.
> 
> Generally I'd expect you to get an olap4j connection from the pool, then
> call setRoleName on it. Or, better, get an olap4j connection by calling
> DataSource.getConnection(username, password) and rely on the server to set
> the right roles for that user.
> 
> This is going to sound like me saying 'that's not my job', but here goes.
> It's not olap4j's job to be dealing with mondrian-specific data structures.
> And because it is an engine not a server, it's not mondrian's job to be
> remembering user names, passwords, and lists of roles associated with a
> user. So, those responsibilities should fall on BISERVER.
> 
> Julian
> 
>> -----Original Message-----
>> From: mondrian-bounces at pentaho.org 
>> [mailto:mondrian-bounces at pentaho.org] On Behalf Of Thomas Morgner
>> Sent: Monday, November 09, 2009 6:49 AM
>> To: Mondrian mailing list
>> Subject: [Mondrian] Olap4J as JNDI datasource and passing Roles
>>
>> Hi,
>>
>> while working on the role-passing code for the classic
>> Mondrian connections, I realized that we have no way in
>> OLAP4J to pass in Mondrian roles.
>>
>> From what I heard from the community, Mondrian roles are
>> not necessarily the roles used in the security system of
>> (for instance) the Pentaho Platform. In fact, they seem
>> to be rather arbitrary, come from anywhere and can be anything.
>>
>> Mondrian connections require us to pass in the roles as
>> a list of strings in one of the connection properties.
>>
>> When in OLAP4J mode, Mondrian's connection properties are
>> configured via the JDBC-Connection-properties. But when
>> we store an OLAP4J Connection into JNDI, we are no longer
>> able to access these properties, as JNDI explicitly shields
>> us from that knowledge. Therefore, we are cut off from
>> properly configuring the security settings.
>>
>> Is there an alternative way to pass in Role-information to
>> OLAP4J Mondrian connections?
>>
>> Have fun,
>> said Thomas
> 
> 
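
The pattern discussed in this thread (take a pooled olap4j connection, then call setRoleName on it), written out as an added example that is not part of the original messages and not olap4j or Mondrian code. It assumes the pool's connections unwrap to OlapConnection and, since the thread leaves the pooling question open, that a role set on a pooled connection may still be in effect for the next borrower; `RoleScopedQuery` and `CellSetHandler` are hypothetical names.

```java
import java.sql.Connection;
import java.sql.SQLException;
import javax.sql.DataSource;
import org.olap4j.CellSet;
import org.olap4j.OlapConnection;
import org.olap4j.OlapStatement;

/** Hypothetical helper: scopes a role to exactly one query on a pooled connection. */
public final class RoleScopedQuery {

    /** Hypothetical callback; the CellSet is only valid while the connection is open. */
    public interface CellSetHandler<T> {
        T handle(CellSet cells) throws SQLException;
    }

    private final DataSource pool; // e.g. obtained by the caller through a JNDI lookup

    public RoleScopedQuery(DataSource pool) {
        this.pool = pool;
    }

    /**
     * Runs one MDX query under roleName and hands the result to the handler.
     * A null roleName means "no role field set": the connection's own role is kept.
     */
    public <T> T execute(String roleName, String mdx, CellSetHandler<T> handler)
            throws SQLException {
        try (Connection pooled = pool.getConnection()) {
            OlapConnection olap = pooled.unwrap(OlapConnection.class);
            String previous = olap.getRoleName(); // role the pool handed us
            try {
                if (roleName != null) {
                    olap.setRoleName(roleName);
                }
                try (OlapStatement stmt = olap.createStatement();
                     CellSet cells = stmt.executeOlapQuery(mdx)) {
                    return handler.handle(cells); // consume before the connection goes back
                }
            } finally {
                // Restore before the connection returns to the pool, so the role chosen
                // for this query cannot carry over to whoever borrows it next.
                olap.setRoleName(previous);
            }
        }
    }
}
```

Because the role is set and restored inside a single checkout, two queries with different roles never share role state, whatever the pool does between them.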



