Note: There have been recent changes to the Permissions Editor that are reflected in this document. See #ACL Management for updates.
Protecting Action Sequences
In a software system, you can secure elements of that system at different levels, depending on your needs. In a web application, you can secure specific URLs. Deeper in the application you might want to secure specific service method calls. And finally, you might want to secure particular instances of objects. This page talks about the last type of security. Users of the Pentaho platform might wish to have a very precise level of control over objects in their solution repository. The Pentaho BI Platform provides this control.
...
| Wiki Markup |
|---|
{poc} h1. Protecting Action Sequences In a software system, you can secure elements of that system at different levels, depending on your needs. In a web application, you can secure specific URLs. Deeper in the application you might want to secure specific service method calls. And finally, you might want to secure particular instances of objects. This page talks about the last type of security. Users of the Pentaho platform might wish to have a very precise level of control over objects in their solution repository. The Pentaho BI Platform provides this control. {quote} *Note:* This page describes key security classes in the Pentaho BI Platform. Unless otherwise noted, these classes can be found in {{org.pentaho.platform.engine.security}}. Class packages will be omitted in the discussion below. |
...
Security in the platform is based in part on the [Acegi Security System for Spring|http://www.acegisecurity.org]. Classes that are part of Acegi Security are marked |
...
SecurityHelper
...
with ^Acegi^. {quote} h2. SecurityHelper {{SecurityHelper}} is an important class because it shields client code from the complexity of the security implementation (e.g. voters, ACL holders, etc). Below is a class diagram along with the two clients that use {{SecurityHelper}} for authorization purposes. |
...
| Panel | ||||
|---|---|---|---|---|
| ||||
|
Access Control Lists
...
{panel:title=SecurityHelper along with its major clients|bgColor=#FFFFFF} !SecurityHelper.png|align=center! {panel} h2. Access Control Lists In the Pentaho BI Platform, objects in the solution repository (e.g. files and directories) can be secured using [access control |
...
lists|http://en.wikipedia.org/wiki/Access_control_list] (ACLs). You can have any number of entries in an ACL--each specifying a different recipient. h3. |
...
ACL Entries |
...
An entry in an access control list consists of a recipient, permissions, a reference to the object to which the ACL entry applies, and optionally the parent of the object to which the ACL entry applies. The default ACL entry type in Pentaho is {{PentahoAclEntry}}. This class extends |
...
Recipients
PentahoAclEntry stores a recipient as an Object. In practice, recipients can be of two types: a String containing a username or a GrantedAuthority containing a granted authority.
Permissions
PentahoAclEntry stores permissions using bit masks.
Objects and Parents
PentahoAclEntry stores an object (and its parent) as a AclObjectIdentity Acegi.
ACL Holders
An IAclHolder does exactly what its name implies--it holds or contains an access control list. An ACL is implemented in the platform using a java.util.List. Inside this list are implementations of AclEntry Acegi
| Panel | ||||
|---|---|---|---|---|
| ||||
|
Solution Repository Objects
Once you have a container for an ACL, how is it associated with objects in the solution repository? That is where the interface IAclSolutionFile comes in. This interface extends IAclHolder and is implemented by com.pentaho.repository.dbbased.solution.RepositoryFile. RepositoryFile also implements AclObjectIdentity. So not only does a RepositoryFile store an ACL (since it implements IAclHolder), it also is a securable object (since it implements AclObjectIdentity).
Persistence
The Pentaho BI Platform uses Hibernate for reading and writing to the db-based repository. The PRO_FILES table contains solution repository objects while the PRO_ACLS_LIST table contains ACL entries associated with those objects. Below are (incomplete) listings of the columns of each of these tables.
PRO_FILES Table
FILE_ID | PARENT | FILENAME | FULLPATH | DATA | DIRECTORY | LASTMODIFIED |
FILE_ID is the primary key. PARENT is a reference (by file id) to the object's parent. DIRECTORY is a boolean that is true if this object is a directory and false if this object is a file.
PRO_ACLS_LIST Table
ACL_ID | ACL_MASK | RECIPIENT |
Technically, rows in this table represent ACL entries, not ACLs. An ACL for an object can be created by querying for all rows sharing the same ACL_ID. ACL_ID is a foreign key that references PRO_FILES.FILE_ID. ACL_MASK is the decimal representation of the bit mask that represents the permissions in this ACL entry. And RECIPIENT is the username or granted authority that is the recipient of this ACL entry.
Voters
For every domain object, there is exactly one access control list. Add to that a user that wants to perform some operation on that object and that adds up to three inputs: a recipient, an operation, and an ACL. But what makes the "access granted" or "access denied" decision given these three pieces of information? The answer to that question is an IAclVoter. An instance of IAclVoter contains an all-important hasAccess method. It takes the three aforementioned inputs and returns a boolean result: true meaning access granted and false meaning access denied. An ACL voter is a singleton; there is only one instance per Java virtual machine.
One might ask: How many ways can a voter arrive at a decision? Assume that user sally has the following granted authorities: ROLE_DEV and ROLE_MGR. Also assume that the ACL for a particular object contains the following entries: (sally, read), (ROLE_DEV, readwrite). Both ACL entries are applicable to sally since the first specifies sally (and she is sally) and the second specifies ROLE_DEV (and she has been granted the ROLE_DEV authority). Should the voter grant or deny a request to write to the object associated with this ACL? This is where extensibility of the voting system comes in. The Pentaho BI Platform provides multiple implementations of IAclVoter that each make different decisions in this situation! As the user of the platform, you decide how access decisions are made through your choice of IAclVoter.
| Panel | ||||
|---|---|---|---|---|
| ||||
|
ACL Management
...
Permissions
The following permissions are available to be used in access control entries:
Permission | Meaning |
|---|---|
Schedule | Recipient is allowed to schedule a file. |
Execute | Recipient is allowed to execute a file. This is analogous to a traditional Read permission. |
Update | Recipient is allowed to overwrite a file with his/her changes. |
Create | Recipient is allowed to create files in a directory. |
Delete | Recipient is allowed to delete files or directories in a directory. |
Grant Permissions | Recipient is allowed to share a file with others. More generally, user is allowed to modify the ACL of a file. |
All | Recipient is allowed to do anything including any new permissions added in the future. |
| Panel | ||||
|---|---|---|---|---|
| ||||
|
In the sample page above, the tree on the left represents all of the solution repository objects in your solution repository. You can set permissions on any level in the solution repository object tree. Setting permissions on lower level objects in the tree overrides permission settings higher in the tree. Conversely, if you set a permission on a solution repository object that has children, and the children do not have specific permissions set, they inherit the permissions settings from their parent. So, for example, if you set Execute permissions for JoeUser on the analysis directory, then the query1.xaction object inherits that Execute permission; however, if you then set Create and Execute permission on the query1.xaction for JoeUser, these permissions are honored for that object, but other children of the analysis object would still only have their parent's (analysis directory) Execute permission.
Each solution repository object can have any number of permission-role or permission-user combinations set. The middle panel in the sample page above lists the access control list entries defined for the solution repository object selected in the tree. You can modify the permissions for the roles or users that are defined in the existing access control list entries:
- Next to the role or user you want a change to be applied, enable or disable the check box for the permission you want to grant or remove.
- Click Update... to submit the change.
- Click Reset to reverse changes that have not yet been submitted.
Follow the steps below to add a new access control list entry:
- Click Add under the access control list entry table. You see a new list appear on the right that lists all roles and users available to the system.
- Select the roles and/or users that you want to grant permissions to, and then select the permissions that you would like them to receive.
- Click Add at the bottom of the New Permission panel to add your newly defined access control list entries.
Note: If your organization has many users and/or you want to create ACL entries using roles only, you can increase performance by adjusting the settings contained in the
access-uinode inpentaho.xml file.
ACL Publishing
The db-based solution repository (the default) is refreshed from the filesystem. In other words, solution repository objects are created as files on the filesystem and those objects are refreshed (published) to the db-based solution repository. In the filesystem, solution repository objects have no associated ACLs--at least as far as the platform is concerned. But once solution repository objects are published to the db-based repository, they do have associated ACLs. So how did the objects get their ACLs? The answer is an IAclPublisher. There is only one IAclPublisher instance per JVM and the type of that instance is specified in pentahoObjects.spring.xml.
Note that an IAclPublisher is only responsible for the initial publishing of ACLs. After the file system is initially published, the Admin > Permissions interface should be used to tweak permissions.
...
Configuring Default ACLs
The default Pentaho ACL Publisher (defined in pentahoObjects.spring.xml) requires a section in pentaho.xml to tell it what the default ACLs are. Here is a sample properties definition for the provided default ACL Publisher (org.pentaho.platform.engine.security.acls.AclPublisher).
| Code Block | ||
|---|---|---|
| xml | xml | <pentaho-system> <acl-publisher> <!-- These acls are used when publishing from the file system. Every folder --> <!-- gets these ACLS. Authenticated is a "default" role that everyone --> <!-- gets when they're authenticated (be sure to setup your bean xml properly --> <!-- for this to work). --> <default-acls> <acl-entry role="Admin" acl="ADMIN_ALL" /> <acl-entry role="cto" acl="ADMIN_ALL" /> <acl-entry role="dev" acl="EXECUTE_SUBSCRIBE" /> <acl-entry role="Authenticated" acl="EXECUTE" /> </default-acls> <!-- These acls are overrides to specific file/folders. The above default-acls will be applied and then these overrides. This allows for specific access controls to be loaded when the repository if first populated. Futher changes to acls can be made in the platform GUI tool. Uncomment these and change add or delete to your hearts desire --> <!-- <overrides> <file path="/pentaho-solutions/samples/bursting"> <acl-entry role="Admin" acl="ADMIN_ALL" /> <acl-entry role="cto" acl="SUBSCRIBE_ADMINISTRATION" /> <acl-entry role="dev" acl="EXECUTE_SUBSCRIBE" /> <acl-entry role="Authenticated" acl="NOTHING" /> </file> <file path="/pentaho-solutions/samples/datasources/MDX_Datasource.xaction"> <acl-entry role="Admin" acl="ADMIN_ALL" /> <acl-entry role="cto" acl="ADMIN_ALL" /> <acl-entry role="dev" acl="EXECUTE_SUBSCRIBE" /> <acl-entry role="Authenticated" acl="EXECUTE" /> </file> </overrides> [{{AbstractBasicAclEntry}}|http://www.acegisecurity.org/multiproject/acegi-security/apidocs/org/acegisecurity/acl/basic/AbstractBasicAclEntry.html] ^Acegi^. h4. Recipients {{PentahoAclEntry}} stores a recipient as an {{Object}}. In practice, recipients can be of two types: a {{String}} containing a username or a [{{GrantedAuthority}}|http://www.acegisecurity.org/multiproject/acegi-security/apidocs/org/acegisecurity/GrantedAuthority.html] containing a granted authority. h4. Permissions {{PentahoAclEntry}} stores permissions using [bit masks|http://en.wikipedia.org/wiki/Bit_mask]. h4. Objects and Parents {{PentahoAclEntry}} stores an object (and its parent) as a [{{AclObjectIdentity}}|http://www.acegisecurity.org/multiproject/acegi-security/apidocs/org/acegisecurity/acl/basic/AclObjectIdentity.html] ^Acegi^. h2. ACL Holders An {{IAclHolder}} does exactly what its name implies--it holds or contains an access control list. An ACL is implemented in the platform using a {{java.util.List}}. Inside this list are implementations of [{{AclEntry}}|http://www.acegisecurity.org/multiproject/acegi-security/apidocs/org/acegisecurity/acl/AclEntry.html] ^Acegi^ {panel:title=IAclHolder Hierarchy|bgColor=#FFFFFF} !IAclHolder-hierarchy.png|align=center,width=900,height=900|thumbnail!\\ {panel} h2. Solution Repository Objects Once you have a container for an ACL, how is it associated with objects in the solution repository? That is where the interface {{IAclSolutionFile}} comes in. This interface extends {{IAclHolder}} and is implemented by {{com.pentaho.repository.dbbased.solution.RepositoryFile}}. {{RepositoryFile}} also implements {{AclObjectIdentity}}. So not only does a {{RepositoryFile}} store an ACL (since it implements {{IAclHolder}}), it also is a securable object (since it implements {{AclObjectIdentity}}). h3. Persistence The Pentaho BI Platform uses [Hibernate|http://www.hibernate.org] for reading and writing to the db-based repository. The {{PRO_FILES}} table contains solution repository objects while the {{PRO_ACLS_LIST}} table contains ACL entries associated with those objects. Below are (incomplete) listings of the columns of each of these tables. h4. {{PRO_FILES}} Table | FILE_ID | PARENT | FILENAME | FULLPATH | DATA | DIRECTORY | LASTMODIFIED | {{FILE_ID}} is the primary key. {{PARENT}} is a reference (by file id) to the object's parent. {{DIRECTORY}} is a boolean that is true if this object is a directory and false if this object is a file. h4. {{PRO_ACLS_LIST}} Table | ACL_ID | ACL_MASK | RECIPIENT | Technically, rows in this table represent ACL entries, not ACLs. An ACL for an object can be created by querying for all rows sharing the same {{ACL_ID}}. {{ACL_ID}} is a foreign key that references {{PRO_FILES.FILE_ID}}. {{ACL_MASK}} is the decimal representation of the bit mask that represents the permissions in this ACL entry. And {{RECIPIENT}} is the username or granted authority that is the recipient of this ACL entry. h2. Voters For every domain object, there is exactly one access control list. Add to that a user that wants to perform some operation on that object and that adds up to three inputs: a recipient, an operation, and an ACL. But what makes the "access granted" or "access denied" decision given these three pieces of information? The answer to that question is an {{IAclVoter}}. An instance of {{IAclVoter}} contains an all-important {{hasAccess}} method. It takes the three aforementioned inputs and returns a boolean result: {{true}} meaning access granted and {{false}} meaning access denied. An ACL voter is a singleton; there is only one instance per Java virtual machine. One might ask: How many ways can a voter arrive at a decision? Assume that user {{sally}} has the following granted authorities: {{ROLE_DEV}} and {{ROLE_MGR}}. Also assume that the ACL for a particular object contains the following entries: ({{sally}}, {{read}}), ({{ROLE_DEV}}, {{readwrite}}). Both ACL entries are applicable to {{sally}} since the first specifies {{sally}} (and she is {{sally}}) and the second specifies {{ROLE_DEV}} (and she has been granted the {{ROLE_DEV}} authority). Should the voter grant or deny a request to write to the object associated with this ACL? This is where extensibility of the voting system comes in. The Pentaho BI Platform provides multiple implementations of {{IAclVoter}} that each make different decisions in this situation\! As the user of the platform, you decide how access decisions are made through your choice of {{IAclVoter}}. {panel:title=IAclVoter Hierarchy|bgColor=#FFFFFF} !IAclVoter-hierarchy.png|align=center,width=900,height=900! {panel} h2. ACL Management There are multiple ways to make changes to ACLs. The first is called ACL Publishing and is a "batch-mode" method. Batch-mode means that ACLs are applied to the entire solution repository according to some rules. This is the method that the platform itself uses to apply the initial set of ACLs when the platform first starts up. The final two ways to make changes to ACLs allow you to change the ACL of a single folder or file using a graphical user interface. The following permissions are available to be used in access control entries: || Permission || Meaning || | Schedule | Recipient is allowed to schedule a file. | | Execute | Recipient is allowed to execute a file. This is analogous to a traditional Read permission. | | Update | Recipient is allowed to overwrite a file with his/her changes. | | Create | Recipient is allowed to create files in a directory. | | Delete | Recipient is allowed to delete files or directories in a directory. | | Grant Permissions | Recipient is allowed to share a file with others. More generally, user is allowed to modify the ACL of a file. | | All | Recipient is allowed to do anything including any new permissions added in the future. | h3. ACL Publishing (Batch Mode) The db-based solution repository (the default) is refreshed from the filesystem. In other words, solution repository objects are created as files on the filesystem and those objects are refreshed (published) to the db-based solution repository. In the filesystem, solution repository objects have no associated ACLs--at least as far as the platform is concerned. But once solution repository objects are published to the db-based repository, they do have associated ACLs. So how did the objects get their ACLs? The answer is an {{IAclPublisher}}. There is only one {{IAclPublisher}} instance per JVM and the type of that instance is specified in {{pentahoObjects.spring.xml}}. Note that an {{IAclPublisher}} is only responsible for the initial publishing of ACLs. After the file system is initially published, the Admin > Permissions interface should be used to tweak permissions. {anchor:configure_default_acls} h4. Configuring Default ACLs The default Pentaho ACL Publisher (defined in {{pentahoObjects.spring.xml}}) requires a section in {{pentaho.xml}} to tell it what the default ACLs are. Here is a sample properties definition for the provided default ACL Publisher ({{org.pentaho.platform.engine.security.acls.AclPublisher}}). {code:xml} <pentaho-system> <acl-publisher> <!-- These acls are used when publishing from the file system. Every folder --> <!-- gets these ACLS. Authenticated is a "default" role that everyone --> <!-- gets when they're authenticated (be sure to setup your bean xml properly --> <!-- for this to work). --> </acl-publisher> </pentaho-system> |
Node Name | Purpose | Required * | Values | Default |
|---|---|---|---|---|
| Parent for related elements. | No |
|
|
| Parent for related elements. This node contains default ACLs that can be overridden in the | No |
|
|
| The role to which these ACLs apply. Exactly one of | Yes 1 | string |
|
| The username to which these ACLs apply. Exactly one of | Yes 1 | string |
|
| The string representation of the ACL integers defined in | No | {{NOTHING | |
| Parent for related elements. This node contains ACLs that override those ACLs specified in | No |
|
|
| Parent for related elements. | No |
|
|
| The solution-relative path to the action sequence whose ACLs will be overriden. | Yes | filesystem path |
|
| The role to which these ACLs apply. Exactly one of | Yes 1 | string |
|
| The username to which these ACLs apply. Exactly one of | Yes 1 | string |
|
| The string representation of the ACL integers defined in | No | {{NOTHING | |
...
<default-acls>
<acl-entry role="Admin" acl="ADMIN_ALL" />
<acl-entry role="cto" acl="ADMIN_ALL" />
<acl-entry role="dev" acl="EXECUTE_SUBSCRIBE" />
<acl-entry role="Authenticated" acl="EXECUTE" />
</default-acls>
<!--
These acls are overrides to specific file/folders. The above default-acls will
be applied and then these overrides. This allows for specific access controls to
be loaded when the repository if first populated. Futher changes to acls can be
made in the platform GUI tool. Uncomment these and change add or delete to your hearts desire -->
<!--
<overrides>
<file path="/pentaho-solutions/samples/bursting">
<acl-entry role="Admin" acl="ADMIN_ALL" />
<acl-entry role="cto" acl="SUBSCRIBE_ADMINISTRATION" />
<acl-entry role="dev" acl="EXECUTE_SUBSCRIBE" />
<acl-entry role="Authenticated" acl="NOTHING" />
</file>
<file path="/pentaho-solutions/samples/datasources/MDX_Datasource.xaction">
<acl-entry role="Admin" acl="ADMIN_ALL" />
<acl-entry role="cto" acl="ADMIN_ALL" />
<acl-entry role="dev" acl="EXECUTE_SUBSCRIBE" />
<acl-entry role="Authenticated" acl="EXECUTE" />
</file>
</overrides>
-->
</acl-publisher>
</pentaho-system>
{code}
|| Node Name || Purpose || Required ^\*^ || Values || Default ||
| {{acl-publisher}} | Parent for related elements. | No | | |
| {{acl-publisher/default-acls}} | Parent for related elements. This node contains default ACLs that can be overridden in the {{overrides}} element. | No | | |
| {{acl-publisher/default-acls/acl-entry@role ^2{^}}} | The role to which these ACLs apply. *Exactly one of* {{{*}role{*}}} *and* {{{*}user{*}}} *is required.* | Yes ^1^ | _string_ | |
| {{acl-publisher/default-acls/acl-entry@user ^2{^}}} | The username to which these ACLs apply. *Exactly one of* {{{*}role{*}}} *and* {{{*}user{*}}} *is required.* | Yes ^1^ | _string_ | |
| {{acl-publisher/default-acls/acl-entry@acl ^2{^}}} | The string representation of the ACL integers defined in {{PentahoAclEntry}}. | No | {{NOTHING \\
ADMINISTRATION \\
EXECUTE \\
EXECUTE_ADMINISTRATION \\
SUBSCRIBE \\
CREATE \\
UPDATE \\
DELETE \\
SUBSCRIBE_ADMINISTRATION \\
EXECUTE_SUBSCRIBE \\
ADMIN_ALL}} | {{\-1}} \\ _this is the numerical equivalent of "none of the above"_ |
| {{acl-publisher/overrides}} | Parent for related elements. This node contains ACLs that override those ACLs specified in {{default-acls}}. | No | | |
| {{acl-publisher/overrides/file}} | Parent for related elements. | No | | |
| {{acl-publisher/overrides/file@path ^2{^}}} | The solution-relative path to the action sequence whose ACLs will be overriden. | Yes | _filesystem path_ | |
| {{acl-publisher/overrides/file/acl-entry@role ^2{^}}} | The role to which these ACLs apply. *Exactly one of* {{{*}role{*}}} *and* {{{*}user{*}}} *is required.* | Yes ^1^ | _string_ | |
| {{acl-publisher/overrides/file/acl-entry@user ^2{^}}} | The username to which these ACLs apply. *Exactly one of* {{{*}role{*}}} *and* {{{*}user{*}}} *is required.* | Yes ^1^ | _string_ | |
| {{acl-publisher/overrides/file/acl-entry@acl ^2{^}}} | The string representation of the ACL integers defined in {{PentahoAclEntry}}. | No | {{NOTHING \\
ADMINISTRATION \\
EXECUTE \\
EXECUTE_ADMINISTRATION \\
SUBSCRIBE \\
CREATE \\
UPDATE \\
DELETE \\
SUBSCRIBE_ADMINISTRATION \\
EXECUTE_SUBSCRIBE \\
ADMIN_ALL}} | {{\-1}} \\ _this is the numerical equivalent of "none of the above"_ |
^1^ Either {{role}} or {{user}} is required. Specifying neither of them is invalid, as is specifying both of them.
^2^ The {{@}} notation is XPath-like notation and it simply denotes an XML attribute.
Administrators can manage ACLs using a graphical interface available through the Admin menu. Once inside Admin, click *Permissions* to start the manager. To access the Permissions Editor, you must be logged in as an administrator to the platform. Also, ACLs are available only if you are using the RDBMS solution repository. This feature is not available for the file-based solution repository implementation.
h3. Permissions Editor via the Legacy Admin Menu
This graphical user interface {{http://host/pentaho/PropertiesEditor}} is accessible via the legacy Admin menu {{http://host/pentaho/Admin}}.
{panel:title=Permissions Editor|bgColor=#FFFFFF}
!acl_gui_02.png|align=center!
{panel}
In the sample page above, the tree on the left represents all of the solution repository objects in your solution repository. You can set permissions on any level in the solution repository object tree. Setting permissions on lower level objects in the tree overrides permission settings higher in the tree. Conversely, if you set a permission on a solution repository object that has children, and the children do not have specific permissions set, they inherit the permissions settings from their parent. So, for example, if you set Execute permissions for JoeUser on the analysis directory, then the query1.xaction object inherits that Execute permission; however, if you then set Create and Execute permission on the query1.xaction for JoeUser, these permissions are honored for that object, but other children of the analysis object would still only have their parent's (analysis directory) Execute permission.
Each solution repository object can have any number of permission-role or permission-user combinations set. The middle panel in the sample page above lists the access control list entries defined for the solution repository object selected in the tree. You can modify the permissions for the roles or users that are defined in the existing access control list entries:
# Next to the role or user you want a change to be applied, enable or disable the check box for the permission you want to grant or remove.
# Click *Update...* to submit the change.
# Click *Reset* to reverse changes that have *not yet* been submitted.
Follow the steps below to add a new access control list entry:
# Click *Add* under the access control list entry table. You see a new list appear on the right that lists all roles and users available to the system.
# Select the roles and/or users that you want to grant permissions to, and then select the permissions that you would like them to receive.
# Click *Add* at the bottom of the *New Permission* panel to add your newly defined access control list entries.
{quote}
*Note:* If your organization has many users and/or you want to create ACL entries using roles only, you can increase performance by adjusting the settings contained in the {{access-ui}} node in {{pentaho.xml file}}.
{quote}
h3. Pentaho User Console Share Dialog
{panel:title=Share Menu in Pentaho User Console|bgColor=#FFFFFF}
!share-menu.png|align=center!
{panel}
{panel:title=Share Dialog in Pentaho User Console|bgColor=#FFFFFF}
!share-dialog.png|align=center!
{panel} |