[Mondrian] Custom role injection

Julian Hyde jhyde at pentaho.com
Sun Jan 6 16:58:32 EST 2013

On Jan 6, 2013, at 6:13 AM, William Back <wback at pentaho.com> wrote:

> I note that you specify 'session.state' when making the connection.  Does that mean that if the 'state' is set in the session it will also be automatically picked up?  Just trying to determine the right place to set that value.

How you pass in session state is the weakest part of the design right now. One way (implemented already) is to pass variables as part of the JDBC connect string. If you have 'jdbc:mondrian: ...; session.Foo=abc; session.Bar=xyz' then the map will contain {("Foo" -> "abc"), ("Bar" -> "xyz")}.

But I'd rather that the container authenticates, and returns (a) whether authentication succeeded, (b) role name(s), (c) a set of parameters. I'll talk to the Pentaho server guys in the next few days and devise a way to change the role mapper to supply parameters. Longer term I'll change MondrianOlap4jDriver to use an authentication service, of which the Pentaho role mapper will be just one implementation.

> Of course, now I need to rewrite the latter ½ of chapter 8.  But it's much cleaner and easier to explain.

Yeah, sorry, I knew I was making work for you. By the way, you should include scripts in the book. I haven't implemented scripts yet but I soon will. Then the following will work:

  <Role name='StateManager'> 
    <Script language='JavaScript'> 
      function asXml(map) {
        var state = map.get("state");
        return  "<Role name='role_" + state + "'>\n"
                + " <SchemaGrant access='none'>\n"
                + "  <CubeGrant cube='Sales' access='all'>\n"
                + "   <HierarchyGrant hierarchy='[Store].[Stores]' access='custom' rollupPolicy='partial'>\n"
                + "    <MemberGrant member='[Store].[Stores].[USA]' access='none'/>\n"
                + (state != null
                   ? "    <MemberGrant member='[Store].[Stores].[USA].["
                   + state
                   + "]' access='all'/>\n"
                   : "")
                + "   </HierarchyGrant>\n"
                + "  </CubeGrant>\n"
                + " </SchemaGrant>\n"
                + "</Role>\n";
      }
    </Script>
  </Role>

PS I'm getting the urge to do a quick spike on http://jira.pentaho.com/browse/MONDRIAN-1356. It's part of my war against DynamicSchemaProcessors. Check with me on the status of that issue before you write on i18n.
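
Added example, not part of the original message and not Mondrian's own code: it builds the session map from 'session.X' connect-string properties as described above, then generates the same role XML only after checking the state value against an allow-list, denying the USA subtree otherwise. The names parseSessionParams, roleXmlFor, STATE_PATTERN and role_denied are hypothetical, the two-letter state format is an assumption, and the connect-string parsing is simplified (no quoted values).

```javascript
// Added illustration; all function and constant names here are hypothetical.

// Collect "session.X=value" properties from a connect string into a Map,
// e.g. "...; session.Foo=abc" yields Foo -> abc. Simplified: no quoting rules.
function parseSessionParams(connectString) {
  const params = new Map();
  const body = connectString.replace(/^jdbc:mondrian:/, "");
  for (const part of body.split(";")) {
    const eq = part.indexOf("=");
    if (eq < 0) continue;                       // not a key=value property
    const key = part.slice(0, eq).trim();
    if (!key.startsWith("session.")) continue;  // ordinary connect property
    params.set(key.slice("session.".length), part.slice(eq + 1).trim());
  }
  return params;
}

// Assumption: state codes are exactly two upper-case letters (CA, OR, WA).
const STATE_PATTERN = /^[A-Z]{2}$/;

// Same grants as the asXml sketch, but the value that ends up inside the
// XML attribute is used only if it matches the allow-list. A missing or
// malformed value produces a role with no access below [USA].
function roleXmlFor(map) {
  const raw = map.get("state");
  const state = typeof raw === "string" && STATE_PATTERN.test(raw) ? raw : null;
  const grant = state === null ? ""
    : "    <MemberGrant member='[Store].[Stores].[USA].[" + state + "]' access='all'/>\n";
  return "<Role name='role_" + (state === null ? "denied" : state) + "'>\n"
    + " <SchemaGrant access='none'>\n"
    + "  <CubeGrant cube='Sales' access='all'>\n"
    + "   <HierarchyGrant hierarchy='[Store].[Stores]' access='custom' rollupPolicy='partial'>\n"
    + "    <MemberGrant member='[Store].[Stores].[USA]' access='none'/>\n"
    + grant
    + "   </HierarchyGrant>\n"
    + "  </CubeGrant>\n"
    + " </SchemaGrant>\n"
    + "</Role>\n";
}

// Constructed sample connect string (not from the original message).
const SAMPLE = "jdbc:mondrian:Catalog=FoodMart.xml; session.state=CA";
console.log(roleXmlFor(parseSessionParams(SAMPLE)));
```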
