Versions Compared

Version Old Version 25 New Version 26
Changes made by

Former user

Former user

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

SecurityUtils is an important class because it shields client code from the complexity of the security implementation (e.g. voters, ACL holders, etc). Below is a class diagram along with the two clients that use SecurityUtils for authorization purposes.

Access Control Lists

In the Pentaho BI Platform, objects in the solution repository (e.g. files and directories) can be secured using access control lists AbstractBasicAclEntry Acegi.

Recipients

PentahoAclEntry . AclObjectIdentity Acegi.

ACL Holders

An IAclHolder AclEntry Acegi
Panel
titleSecurityUtils along with its major\ !SecurityUtils.png
aligncenter!\\ \{null
2http://en.wikipedia.org/wiki/Access_control_list] (ACLs). You can have any number of entries in an ACL--each specifying a different recipient. h3.
ACL Entries
An entry in an access control list consists of a recipient, permissions, a reference to the object to which the ACL entry applies, and optionally the parent of the object to which the ACL entry applies. The default ACL entry type in Pentaho is {{PentahoAclEntry}}. This class extends
[{{AbstractBasicAclEntry}}
3http://www.acegisecurity.org/multiproject/acegi-security/apidocs/org/acegisecurity/acl/basic/AbstractBasicAclEntry.html] ^Acegi^. h4. Recipients {{PentahoAclEntry}} stores a recipient as an {{Object}}. In practice, recipients can be of two types: a {{String}} containing a username or a [{{GrantedAuthority}}
4http://www.acegisecurity.org/multiproject/acegi-security/apidocs/org/acegisecurity/GrantedAuthority.html] containing a granted authority. h4.
Permissions
{{PentahoAclEntry}} stores permissions using [bit masks
bgColor#FFFFFF
5http://en.wikipedia.org/wiki/Bit_mask]. h4. Objects and Parents
{{PentahoAclEntry}} stores an object (and its parent) as a
[{{AclObjectIdentity}}
6http://www.acegisecurity.org/multiproject/acegi-security/apidocs/org/acegisecurity/acl/basic/AclObjectIdentity.html] ^Acegi^. h2. ACL Holders An {{IAclHolder}} does exactly what its name implies--it holds or contains an access control list. An ACL is implemented in the platform using a {{java.util.List}}. Inside this list are implementations of
Panel
bgColor#FFFFFF
[{{AclEntry}}
titleSecurityUtils along with its major \ !SecurityUtils.png
aligncenter!\ \ \ {null} h2. Access Control Lists In the Pentaho BI Platform, objects in the solution repository (e.g. files and directories) can be secured using [access control lists
http://www.acegisecurity.org/multiproject/acegi-security/apidocs/org/acegisecurity/acl/AclEntry.html] ^Acegi^{panel:titleIAclHolder Hierarchy

Panel


Image Modified


Panel

Solution Repository Objects

Once you have a container for an ACL, how is it associated with objects in the solution repository? That is where the interface IAclSolutionFile comes in. This interface extends IAclHolder and is implemented by com.pentaho.repository.dbbased.solution.RepositoryFile. RepositoryFile also implements AclObjectIdentity. So not only does a RepositoryFile store an ACL (since it implements IAclHolder), it also is a securable object (since it implements AclObjectIdentity).

Persistence

The Pentaho BI Platform uses Hibernate for reading and writing to the db-based repository. The PRO_FILES table contains solution repository objects while the PRO_ACLS_LIST table contains ACL entries associated with those objects. Below are (incomplete) listings of the columns of each of these tables.

PRO_FILES Table

FILE_ID

PARENT

FILENAME

FULLPATH

DATA

DIRECTORY

LASTMODIFIED

FILE_ID is the primary key. PARENT is a reference (by file id) to the object's parent. DIRECTORY is a boolean that is true if this object is a directory and false if this object is a file.

PRO_ACLS_LIST Table

ACL_ID

ACL_MASK

RECIPIENT

Technically, rows in this table represent ACL entries, not ACLs. An ACL for an object can be created by querying for all rows sharing the same ACL_ID. ACL_ID is a foreign key that references PRO_FILES.FILE_ID. ACL_MASK is the decimal representation of the bit mask that represents the permissions in this ACL entry. And RECIPIENT is the username or granted authority that is the recipient of this ACL entry.

Voters

For every domain object, there is exactly one access control list. Add to that a user that wants to perform some operation on that object and that adds up to three inputs: a recipient, an operation, and an ACL. But what makes the "access granted" or "access denied" decision given these three pieces of information? The answer to that question is an IAclVoter. An instance of IAclVoter contains an all-important hasAccess method. It takes the three aforementioned inputs and returns a boolean result: true meaning access granted and false meaning access denied. An ACL voter is a singleton; there is only one instance per Java virtual machine. It is specified in pentaho.xml.

One might ask: How many ways can a voter arrive at a decision? Assume that user sally has the following granted authorities: ROLE_DEV and ROLE_MGR. Also assume that the ACL for a particular object contains the following entries: (sally, read), (ROLE_DEV, readwrite). Both ACL entries are applicable to sally since the first specifies sally (and she is sally) and the second specifies ROLE_DEV (and she has been granted the ROLE_DEV authority). Should the voter grant or deny a request to write to the object associated with this ACL? This is where extensibility of the voting system comes in. The Pentaho BI Platform provides multiple implementations of IAclVoter that each make different decisions in this situation! As the user of the platform, you decide how access decisions are made through your choice of IAclVoter. For more information about IAclVoter implementations, see 12. IAclVoter Node.

Panel
bgColor#FFFFFF
titleIAclVoter Hierarchy

Panel





Granting Permissions (ACL Management)

...

Subscribe

==>

Subscribe

Execute

==>

Execute

Write

==>

Create Update Delete Subscribe Execute

Now that the "share" feature has been implemented, changes have been made to the Admin Permissions UI regarding what permissions are "exposed" and how they are set. The new Permissions UI has the following set of permissions:

Subscribe

==>

Subscribe

Execute

==>

Execute

Update

==>

Update

Create

==>

Create

Delete

==>

Delete

Manage

==>

Manage_ACL

All

==>

Create Update Delete Subscribe Execute Manage_ACL ... All

...