[Mondrian] Dynamic roles

van der Werf, Guy guy.vanderwerf at wirecard.com
Wed Jul 6 04:23:54 EDT 2011


… Sorry – it helps if one clicks “paste” instead of “send” :)
I completed my email below.
Thanks
Guy

From: mondrian-bounces at pentaho.org [mailto:mondrian-bounces at pentaho.org] On Behalf Of van der Werf, Guy
Sent: Mittwoch, 6. Juli 2011 10:01
To: Mondrian developer mailing list
Subject: Re: [Mondrian] Dynamic roles

Hi Gretchen,

Important lines are:
*************
public class WirecardMdxConnection extends MDXConnection
protected void init(PropertyList properties) {
super.init(properties);
this.session = PentahoSessionHolder.getSession();
Authentication auth = SecurityHelper.getAuthentication(this.session, false);
GrantedAuthority[] platformRoles = auth.getAuthorities();
Connection connection = this.getConnection();
Role wr = new WirecardRole(connection.getSchema(), this.datasourceService, this.session);
                                                connection.setRole(wr);
                                                setRole(wr);

public class WirecardRole extends RoleImpl {
                public WirecardRole(Schema schema, IDatasourceService datasourceService, IPentahoSession session) {
                                super();
                                Cube[] cubes = schema.getCubes();
                                                Dimension[] dimensions = cube.getDimensions();
                                                                Hierarchy[] hierarchies = dimension.getHierarchies();
                                                                                Level[] levels = hierarchy.getLevels();
*************
The last 4 lines above check each cube, dim, hierarchy and level-members for authorization based on (cached) metadata from a DB. I make appropriate calls to:
grant(<cube|dim|hierarchy|level-members>, Access.NONE) OR grant(<cube|dim|hierarchy|level-members>, Access.ALL)

Only the constructor is overridden. I do not clone existing roles, and mine are mutable. I’m happy with all business logic.
Only 1 statement gives me concern as to whether the implementation is correct: grant(hierarchy, Access.NONE, null, null, null); Confirm that too if you can please.

Your time on this is appreciated.
Thanks,
Guy

From: mondrian-bounces at pentaho.org [mailto:mondrian-bounces at pentaho.org] On Behalf Of Gretchen Moran
Sent: Dienstag, 5. Juli 2011 19:51
To: Mondrian developer mailing list
Subject: Re: [Mondrian] Dynamic roles

Hi Guy,

Can you give any details on exactly what functionality in the role you are changing/extending (method overrides specifically)? We have implemented several versions of dynamic roles (specifically generating the grants/denies) with no caching issues, but the implementation has many nuances we’ve learned over time. We have descended both RoleImpl and the DelegatingRole with success.

Gretchen Moran
From: mondrian-bounces at pentaho.org [mailto:mondrian-bounces at pentaho.org] On Behalf Of van der Werf, Guy
Sent: Tuesday, July 05, 2011 10:47 AM
To: Mondrian developer mailing list
Subject: Re: [Mondrian] Dynamic roles

Hi Brian,
Thanks for that. If I wanted to just assign a different role *name* (as in ceo, dev etc) then this would be a possibility, but I’m creating a customized Mondrian role (class) which extends “RoleImpl”. I reference metadata in a DB based on user, schema and cube, and grant/revoke access to cubes, dims, hierarchies and members as required. Works, but caching is stuffed.
Guy

From: mondrian-bounces at pentaho.org [mailto:mondrian-bounces at pentaho.org] On Behalf Of Brian Hagan
Sent: Dienstag, 5. Juli 2011 15:57
To: Mondrian developer mailing list
Subject: Re: [Mondrian] Dynamic roles

Guy,

Instead of extending MDXConnection, you may want to consider using the MondrianUserSessionUserRoleListMapper (pentahoObjects.spring.xml) , which allows you to change the role of an authenticated user based upon a session variable. This technique does not require you to dynamically modify the schema. However, the role, which are you assigning to the user, must be defined in the schema. The trick is then getting the variable in the session.

Thanks,

Brian

From: mondrian-bounces at pentaho.org [mailto:mondrian-bounces at pentaho.org] On Behalf Of van der Werf, Guy
Sent: Tuesday, July 05, 2011 9:31 AM
To: Mondrian developer mailing list
Subject: [Mondrian] Dynamic roles

Hi all,

With reference to Jira BISERVER-4992, I would like ask a question regarding caching in Mondrian.

Using Pentaho 3.8, I’ve extended “MDXConnection” to allow setting a custom role (extends RoleImpl) that is configured depending on reference metadata held in an existing authorization data source. This works as planned, but caching is a problem, and I wondering if anyone could shed some light on possible caching strategies. I should add that I do not use a dynamic schema processor in this solution.

I have 1 solution so far. I switch schema cache off in the catalog, and set “UseSchemaPool=false” in “DataSourceInfo” in “datasources.xml”. To ensure the same cache behavior (i.e. effectively none) in schemas not in “datasources.xml”, I could set this in the connection properties too (but that’s not done yet). The result is: I have no useful caching and performance in dashboards is noticeably pathetic.

So… does anyone have experience in Mondrian caching when dynamically changing the role, but not the schema xml?

Thanks,
Guy

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.pentaho.org/pipermail/mondrian/attachments/20110706/0b1792ee/attachment.html 


More information about the Mondrian mailing list