
The db-based solution repository (the default) is refreshed from the filesystem. In other words, solution repository objects are created as files on the filesystem and those objects are refreshed (published) into the db-based solution repository. In the filesystem, solution repository objects have no associated ACLs--at least as far as the platform is concerned. But once solution repository objects are published to the db-based repository, they do have associated ACLs. So how did the objects get their ACLs? The answer is an IAclPublisher. There is only one IAclPublisher instance per JVM and the type of that instance is specified in pentahoObjects.spring.xml.

Note that an IAclPublisher is only responsible for the initial publishing of ACLs. After the file system is initially published, the Admin > Permissions interface should be used to tweak permissions.


Configuring Default ACLs

The default Pentaho ACL Publisher (defined in pentahoObjects.spring.xml) requires a section in pentaho.xml to tell it what the default ACLs are. Here is a sample properties definition for the provided default ACL Publisher (org.pentaho.platform.engine.security.acls.AclPublisher).


<pentaho-system>
  <acl-publisher>
    <!-- These acls are used when publishing from the file system. Every folder    -->
    <!-- gets these ACLs. Authenticated is a "default" role that everyone          -->
    <!-- gets when they're authenticated (be sure to set up your bean xml properly -->
    <!-- for this to work).                                                        -->
    <default-acls>
      <acl-entry role="Admin" acl="ADMIN_ALL" />
      <acl-entry role="cto" acl="ADMIN_ALL" />
      <acl-entry role="dev" acl="EXECUTE_SUBSCRIBE" />
      <acl-entry role="Authenticated" acl="EXECUTE" />
    </default-acls>
    <!--
      These acls are overrides to specific files/folders.  The above default-acls will
      be applied and then these overrides.  This allows for specific access controls to
      be loaded when the repository is first populated.  Further changes to acls can be
      made in the platform GUI tool.  Uncomment these and change, add or delete to your heart's desire -->
    <!--
    <overrides>
      <file path="/pentaho-solutions/samples/bursting">
        <acl-entry role="Admin" acl="ADMIN_ALL" />
        <acl-entry role="cto" acl="SUBSCRIBE_ADMINISTRATION" />
        <acl-entry role="dev" acl="EXECUTE_SUBSCRIBE" />
        <acl-entry role="Authenticated" acl="NOTHING" />
      </file>
      <file path="/pentaho-solutions/samples/datasources/MDX_Datasource.xaction">
        <acl-entry role="Admin" acl="ADMIN_ALL" />
        <acl-entry role="cto" acl="ADMIN_ALL" />
        <acl-entry role="dev" acl="EXECUTE_SUBSCRIBE" />
        <acl-entry role="Authenticated" acl="EXECUTE" />
      </file>
    </overrides>
    -->

  </acl-publisher>
</pentaho-system>

| Node Name | Purpose | Required * | Values | Default |
|---|---|---|---|---|
| acl-publisher | Parent for related elements. | No | | |
| acl-publisher/default-acls | Parent for related elements. This node contains default ACLs that can be overridden in the overrides element. | No | | |
| acl-publisher/default-acls/acl-entry@role [2] | The role to which these ACLs apply. Exactly one of role and user is required. | Yes [1] | string | |
| acl-publisher/default-acls/acl-entry@user [2] | The username to which these ACLs apply. Exactly one of role and user is required. | Yes [1] | string | |
| acl-publisher/default-acls/acl-entry@acl [2] | The string representation of the ACL integers defined in PentahoAclEntry. | No | NOTHING, ADMINISTRATION, EXECUTE, EXECUTE_ADMINISTRATION, SUBSCRIBE, CREATE, UPDATE, DELETE, SUBSCRIBE_ADMINISTRATION, EXECUTE_SUBSCRIBE, ADMIN_ALL | -1 (this is the numerical equivalent of "none of the above") |
| acl-publisher/overrides | Parent for related elements. This node contains ACLs that override those ACLs specified in default-acls. | No | | |
| acl-publisher/overrides/file | Parent for related elements. | No | | |
| acl-publisher/overrides/file@path [2] | The solution-relative path to the action sequence whose ACLs will be overridden. | Yes | filesystem path | |
| acl-publisher/overrides/file/acl-entry@role [2] | The role to which these ACLs apply. Exactly one of role and user is required. | Yes [1] | string | |
| acl-publisher/overrides/file/acl-entry@user [2] | The username to which these ACLs apply. Exactly one of role and user is required. | Yes [1] | string | |
| acl-publisher/overrides/file/acl-entry@acl [2] | The string representation of the ACL integers defined in PentahoAclEntry. | No | NOTHING, ADMINISTRATION, EXECUTE, EXECUTE_ADMINISTRATION, SUBSCRIBE, CREATE, UPDATE, DELETE, SUBSCRIBE_ADMINISTRATION, EXECUTE_SUBSCRIBE, ADMIN_ALL | -1 (this is the numerical equivalent of "none of the above") |

[1] Either role or user is required. Specifying neither of them is invalid, as is specifying both of them.
[2] The @ notation is XPath-like notation and it simply denotes an XML attribute.
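
An added example, not part of the Pentaho documentation or code base: a Python check of an acl-publisher section against the rules in the table above (exactly one of role and user per acl-entry, acl drawn from the listed values, path present on each file element). The sample XML, the user names in it and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# ACL names from the Values column of the table above.
ALLOWED_ACLS = set(
    "NOTHING ADMINISTRATION EXECUTE EXECUTE_ADMINISTRATION SUBSCRIBE CREATE "
    "UPDATE DELETE SUBSCRIBE_ADMINISTRATION EXECUTE_SUBSCRIBE ADMIN_ALL".split()
)

# Constructed sample with deliberate mistakes; user names are made up.
SAMPLE = """<pentaho-system><acl-publisher>
  <default-acls>
    <acl-entry role="Admin" acl="ADMIN_ALL" />
    <acl-entry user="joe" acl="EXECUTE" />
    <acl-entry role="dev" user="suzy" acl="EXECUTE" />
    <acl-entry role="Authenticated" acl="EXECUTE_ALL" />
    <acl-entry role="cto" />
  </default-acls>
  <overrides><file><acl-entry acl="NOTHING" /></file></overrides>
</acl-publisher></pentaho-system>"""

def check_entry(entry, where):
    """Return findings for one acl-entry element."""
    findings = []
    if ("role" in entry.attrib) == ("user" in entry.attrib):  # both or neither
        findings.append(f"{where}: exactly one of role and user is required")
    acl = entry.get("acl")
    if acl is None:
        findings.append(f"{where}: no acl attribute, default -1 applies")
    elif acl not in ALLOWED_ACLS:
        findings.append(f"{where}: unknown acl value {acl!r}")
    return findings

def validate(xml_text):
    """Check every acl-entry and overrides/file element under acl-publisher."""
    root = ET.fromstring(xml_text)  # root is <pentaho-system>
    findings = []
    entries = root.findall("acl-publisher/default-acls/acl-entry")
    for i, entry in enumerate(entries, 1):
        findings += check_entry(entry, f"default-acls/acl-entry[{i}]")
    for f in root.findall("acl-publisher/overrides/file"):
        path = f.get("path")
        if not path:
            findings.append("overrides/file: path attribute is required")
        for i, entry in enumerate(f.findall("acl-entry"), 1):
            findings += check_entry(entry, f"overrides/file[{path}]/acl-entry[{i}]")
    return findings

if __name__ == "__main__":
    print("\n".join(validate(SAMPLE)))
```

Running such a check before the first publish matters because, as noted above, the publisher only sets the initial ACLs; a typo in a role or acl value is then carried into the db-based repository until someone corrects it under Admin > Permissions.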