[Mondrian] Dynamic roles

van der Werf, Guy guy.vanderwerf at wirecard.com
Wed Jul 6 04:16:12 EDT 2011


Hi Julian,

Thanks for confirming my direction. I definitely need a factory on this one. Furthermore, we’re an EE customer and my employer wants full support (we’re a bank) so I’m limited to playing with extensions of existing BI Suite EE functionality.

With only Provider and DataSource in datasources.xml->DataSourceInfo for a given catalog, and the schema caching set to true, I found an unrestricted user following a restricted user was still restricted.

I’m about to respond to Gretchen’s questions – perhaps you’ll see the error of my ways in that response :)

Guy

From: mondrian-bounces at pentaho.org [mailto:mondrian-bounces at pentaho.org] On Behalf Of Julian Hyde
Sent: Dienstag, 5. Juli 2011 19:32
To: 'Mondrian developer mailing list'
Subject: Re: [Mondrian] Dynamic roles

Guy,

You're on the right track using RoleImpl. However, I don't know the right way to configure BIServer to create the right RoleImpl objects on the fly; MondrianUserSessionUserRoleListMapper is a mapper but you need a factory, and I don't know whether there is such a thing in BIServer.

Maybe someone with more BIServer knowledge can chime in.

My recent work with Michele Rossi to refactor the XMLA server should help. We are exposing SPIs so that you can convert XMLA credentials into an authenticated olap4j connection that applies the appropriate role, so you should be able to slot into that framework. But (a) it's a work in progress on the main line, and (b) BIServer doesn't inherit it yet (it's just for raw XMLA requests to a standalone mondrian instance).

When you say "caching is stuffed", you mean that you need to create RoleImpl objects for each request? I just want to clarify that mondrian's cache is still valid for each RoleImpl, so performance should be OK unless it takes a lot of effort to create each RoleImpl.

Julian

________________________________
From: mondrian-bounces at pentaho.org [mailto:mondrian-bounces at pentaho.org] On Behalf Of van der Werf, Guy
Sent: Tuesday, July 05, 2011 7:47 AM
To: Mondrian developer mailing list
Subject: Re: [Mondrian] Dynamic roles
Hi Brian,
Thanks for that. If I wanted to just assign a different role *name* (as in ceo, dev etc) then this would be a possibility, but I’m creating a customized Mondrian role (class) which extends “RoleImpl”. I reference metadata in a DB based on user, schema and cube, and grant/revoke access to cubes, dims, hierarchies and members as required. Works, but caching is stuffed.
Guy

From: mondrian-bounces at pentaho.org [mailto:mondrian-bounces at pentaho.org] On Behalf Of Brian Hagan
Sent: Dienstag, 5. Juli 2011 15:57
To: Mondrian developer mailing list
Subject: Re: [Mondrian] Dynamic roles

Guy,

Instead of extending MDXConnection, you may want to consider using the MondrianUserSessionUserRoleListMapper (pentahoObjects.spring.xml) , which allows you to change the role of an authenticated user based upon a session variable. This technique does not require you to dynamically modify the schema. However, the role, which are you assigning to the user, must be defined in the schema. The trick is then getting the variable in the session.

Thanks,

Brian

From: mondrian-bounces at pentaho.org [mailto:mondrian-bounces at pentaho.org] On Behalf Of van der Werf, Guy
Sent: Tuesday, July 05, 2011 9:31 AM
To: Mondrian developer mailing list
Subject: [Mondrian] Dynamic roles

Hi all,

With reference to Jira BISERVER-4992, I would like ask a question regarding caching in Mondrian.

Using Pentaho 3.8, I’ve extended “MDXConnection” to allow setting a custom role (extends RoleImpl) that is configured depending on reference metadata held in an existing authorization data source. This works as planned, but caching is a problem, and I wondering if anyone could shed some light on possible caching strategies. I should add that I do not use a dynamic schema processor in this solution.

I have 1 solution so far. I switch schema cache off in the catalog, and set “UseSchemaPool=false” in “DataSourceInfo” in “datasources.xml”. To ensure the same cache behavior (i.e. effectively none) in schemas not in “datasources.xml”, I could set this in the connection properties too (but that’s not done yet). The result is: I have no useful caching and performance in dashboards is noticeably pathetic.

So… does anyone have experience in Mondrian caching when dynamically changing the role, but not the schema xml?

Thanks,
Guy

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.pentaho.org/pipermail/mondrian/attachments/20110706/2d1ad88d/attachment.html 


More information about the Mondrian mailing list