[Mondrian] Security issue with roles when using user-session role mapper

Dejan Gambin dejan.gambin at coin.hr
Tue Nov 12 07:45:18 EST 2013


Oh, I set defaultRole but it doesn't help. The default role is used only if the user's mondrian role is not set at all. In my case all of my users have a mondrian role set, but it is not defined in all of the schemas. I can of course define all the roles in all the schemas, but that doesn't make sense.

On 12 Nov 2013, at 13:39, Ricardo Fradinho wrote:

> Hi Dejan,
> I guess you are looking to set a default role at the schema level:
> <Schema name="my_schema" defaultRole="role_ABC">
> [...]
> 	<Role name="role_ABC">
> 	  <SchemaGrant access="none">
> 	  </SchemaGrant>
> 	</Role>
> 
> </Schema>
> BR,
> Ricardo Fradinho
> 
> On 12/11/2013 12:30 , Dejan Gambin wrote:
>> Hi,
>> 
>> I am using the user-session role mapper to map a session attribute taken from a database table to a mondrian role. The problem is (using Saiku): if the user's mondrian role is not defined in the schema, this user can see all the cubes in the schema, by default. I have made a test with the one2one role mapper and the behaviour is the opposite (and correct, I suppose): the user can't see any cube in the schema if his role is not defined in this schema.
>> 
>> I would just like to know if this is supposed to be so and whether I have to make some workarounds. I am thinking about defining the session variable as an array (now it is a string) and giving all the users an additional role, for example "none", and defining something like this in all of my schemas:
>> 
>> 	<Role name="none">
>> 	  <SchemaGrant access="none">
>> 	  </SchemaGrant>
>> 	</Role>
>> 
>> I think this is much simpler than defining all the roles in all schemas :-)
>> 
>> Btw, I am using mondrian from saiku 2.6, I think the version is 3.6
>> 
>> Thanks very much for any useful information
>> 
>> regards, dejan
>> 
>> 
> 
> _______________________________________________
> Mondrian mailing list
> Mondrian at pentaho.org
> http://lists.pentaho.org/mailman/listinfo/mondrian
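A check for the condition discussed in this thread, as an added example that is not part of the original messages or of Mondrian itself: it lists each (schema, user) pair where none of the user's roles has a `<Role>` definition, and the schemas that lack the deny-all "none" role from the proposed workaround. The schema contents, file names, user names and role lists are constructed, and the schemas are assumed to be plain XML without a namespace.

```python
import xml.etree.ElementTree as ET

# Constructed sample input: schema files and the role list each user's
# session attribute would carry. All names are hypothetical.
SCHEMAS = {
    "hr.xml": '<Schema name="hr" defaultRole="hr_default">'
              '<Role name="hr_default"><SchemaGrant access="none"/></Role>'
              '<Role name="hr_admin"><SchemaGrant access="all"/></Role>'
              '</Schema>',
    "sales.xml": '<Schema name="sales">'
                 '<Role name="analyst"><SchemaGrant access="all"/></Role>'
                 '<Role name="none"><SchemaGrant access="none"/></Role>'
                 '</Schema>',
}
USER_ROLES = {"ana": ["analyst", "none"], "ivo": ["analyst"], "mia": ["hr_admin"]}


def schema_roles(xml_text):
    """Map each <Role> name in a schema to its list of SchemaGrant access values."""
    root = ET.fromstring(xml_text)
    return {role.get("name"): [g.get("access") for g in role.findall("SchemaGrant")]
            for role in root.findall("Role")}


def unmapped_users(schemas, user_roles):
    """(schema, user) pairs where none of the user's roles is defined in the
    schema: the case reported in the thread as leaving every cube visible."""
    findings = []
    for fname in sorted(schemas):
        defined = schema_roles(schemas[fname])
        for user in sorted(user_roles):
            if not any(r in defined for r in user_roles[user]):
                findings.append((fname, user))
    return findings


def schemas_missing_deny_role(schemas, deny_role="none"):
    """Schemas where the deny-all role of the proposed workaround is absent
    or grants anything other than access="none"."""
    missing = []
    for fname in sorted(schemas):
        grants = schema_roles(schemas[fname]).get(deny_role)
        if not grants or any(a != "none" for a in grants):
            missing.append(fname)
    return missing


if __name__ == "__main__":
    for fname, user in unmapped_users(SCHEMAS, USER_ROLES):
        print(f"{fname}: no role of user {user!r} is defined here")
    print("deny role missing in:", schemas_missing_deny_role(SCHEMAS))
```

In the constructed data, `hr.xml` sets `defaultRole` yet is still flagged for users who carry a role it does not define, which is the situation the top message describes.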
