Protecting Action Sequences
In a software system, you can secure elements of that system at different levels, depending on your needs. In a web application, you can secure specific URLs. Deeper in the application you might want to secure specific service method calls. And finally, you might want to secure particular instances of objects. This page talks about the last type of security. Users of the Pentaho platform might wish to have a very precise level of control over objects in their solution repository. The Pentaho BI Platform provides this control.
Note: This page describes key security classes in the Pentaho BI Platform. Unless otherwise noted, these classes can be found in org.pentaho.platform.engine.security. Class packages will be omitted in the discussion below.
Security in the platform is based in part on the Acegi Security System for Spring. Classes that are part of Acegi Security are marked with Acegi.
SecurityHelper
SecurityHelper is an important class because it shields client code from the complexity of the security implementation (e.g. voters, ACL holders, etc.). Below is a class diagram along with the two clients that use SecurityHelper for authorization purposes.
Access Control Lists
In the Pentaho BI Platform, objects in the solution repository (e.g. files and directories) can be secured using access control lists (ACLs). You can have any number of entries in an ACL--each specifying a different recipient.
ACL Entries
An entry in an access control list consists of a recipient, permissions, a reference to the object to which the ACL entry applies, and optionally the parent of the object to which the ACL entry applies. The default ACL entry type in Pentaho is PentahoAclEntry. This class extends AbstractBasicAclEntry (Acegi).
Recipients
PentahoAclEntry stores a recipient as an Object. In practice, recipients can be of two types: a String containing a username or a GrantedAuthority containing a granted authority.
Permissions
PentahoAclEntry stores permissions using bit masks.
Objects and Parents
PentahoAclEntry stores an object (and its parent) as an AclObjectIdentity (Acegi).
ACL Holders
An IAclHolder does exactly what its name implies--it holds or contains an access control list. An ACL is implemented in the platform using a java.util.List. Inside this list are implementations of AclEntry (Acegi).
Solution Repository Objects
Once you have a container for an ACL, how is it associated with objects in the solution repository? That is where the interface IAclSolutionFile comes in. This interface extends IAclHolder and is implemented by com.pentaho.repository.dbbased.solution.RepositoryFile. RepositoryFile also implements AclObjectIdentity. So not only does a RepositoryFile store an ACL (since it implements IAclHolder), it is also a securable object (since it implements AclObjectIdentity).
Persistence
The Pentaho BI Platform uses Hibernate for reading and writing to the db-based repository. The PRO_FILES table contains solution repository objects while the PRO_ACLS_LIST table contains ACL entries associated with those objects. Below are (incomplete) listings of the columns of each of these tables.
PRO_FILES Table
FILE_ID | PARENT | FILENAME | FULLPATH | DATA | DIRECTORY | LASTMODIFIED |
---|---|---|---|---|---|---|
FILE_ID is the primary key. PARENT is a reference (by file id) to the object's parent. DIRECTORY is a boolean that is true if this object is a directory and false if this object is a file.
PRO_ACLS_LIST Table
ACL_ID | ACL_MASK | RECIPIENT |
---|---|---|
Technically, rows in this table represent ACL entries, not ACLs. An ACL for an object can be created by querying for all rows sharing the same ACL_ID. ACL_ID is a foreign key that references PRO_FILES.FILE_ID. ACL_MASK is the decimal representation of the bit mask that represents the permissions in this ACL entry. And RECIPIENT is the username or granted authority that is the recipient of this ACL entry.
Voters
For every domain object, there is exactly one access control list. Add to that a user that wants to perform some operation on that object and that adds up to three inputs: a recipient, an operation, and an ACL. But what makes the "access granted" or "access denied" decision given these three pieces of information? The answer to that question is an IAclVoter. An instance of IAclVoter contains an all-important hasAccess method. It takes the three aforementioned inputs and returns a boolean result: true meaning access granted and false meaning access denied. An ACL voter is a singleton; there is only one instance per Java virtual machine.
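The following is an added example (not Pentaho code) that models the pieces described above: an ACL rebuilt from the PRO_ACLS_LIST rows that share an ACL_ID, recipients that are either a username or a granted authority, permissions stored as a bit mask, and a voter-style hasAccess decision over those three inputs. The bit position of each permission, the "All" encoding, exact-string recipient matching, the union of matching entries and default deny are all assumptions, since the page names the permissions but not their numeric values or the voter's internal rules.

```python
from dataclasses import dataclass

# Assumed bit positions for the permissions listed on this page (the page
# gives the names only; the real PentahoAclEntry values may differ).
PERMISSIONS = {
    "Schedule": 1 << 0,
    "Execute": 1 << 1,
    "Update": 1 << 2,
    "Create": 1 << 3,
    "Delete": 1 << 4,
    "Grant Permissions": 1 << 5,
}
ALL = -1  # assumed encoding of "All": every bit set, so future permissions are covered too


@dataclass(frozen=True)
class Principal:
    username: str
    authorities: frozenset  # granted authority names, e.g. role names


def load_acl(rows, acl_id):
    """Rebuild one object's ACL from the PRO_ACLS_LIST rows sharing its ACL_ID."""
    return [(r["RECIPIENT"], r["ACL_MASK"]) for r in rows if r["ACL_ID"] == acl_id]


def recipient_matches(recipient, principal):
    # A recipient is a username or a granted authority (assumed: exact match).
    return recipient == principal.username or recipient in principal.authorities


def has_access(principal, operation, acl):
    """Voter decision: grant only if a matching entry carries the bit (default deny)."""
    bit = PERMISSIONS[operation]
    granted = 0
    for recipient, mask in acl:
        if recipient_matches(recipient, principal):
            granted |= mask  # assumed: permissions from all matching entries are combined
    return (granted & bit) == bit


# Constructed sample rows of PRO_ACLS_LIST (not real data); file 42 is the object of interest.
SAMPLE_ROWS = [
    {"ACL_ID": 42, "ACL_MASK": PERMISSIONS["Execute"] | PERMISSIONS["Schedule"], "RECIPIENT": "ROLE_USER"},
    {"ACL_ID": 42, "ACL_MASK": PERMISSIONS["Execute"] | PERMISSIONS["Update"], "RECIPIENT": "suzy"},
    {"ACL_ID": 42, "ACL_MASK": ALL, "RECIPIENT": "ROLE_ADMIN"},
    {"ACL_ID": 7, "ACL_MASK": ALL, "RECIPIENT": "suzy"},  # another file's entry: must not leak into 42
]


def demo():
    acl = load_acl(SAMPLE_ROWS, 42)
    suzy = Principal("suzy", frozenset({"ROLE_USER"}))
    joe = Principal("joe", frozenset({"ROLE_USER"}))
    admin = Principal("admin", frozenset({"ROLE_ADMIN"}))
    return {
        "suzy_update": has_access(suzy, "Update", acl),              # True: username entry
        "joe_update": has_access(joe, "Update", acl),                # False: ROLE_USER lacks Update
        "joe_schedule": has_access(joe, "Schedule", acl),            # True: via granted authority
        "admin_grant": has_access(admin, "Grant Permissions", acl),  # True: All covers every bit
        "suzy_delete": has_access(suzy, "Delete", acl),              # False: her All entry is on file 7
    }
```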
...
ACL Management
There are multiple ways to make changes to ACLs. The first is called ACL Publishing and is a "batch-mode" method. Batch-mode means that ACLs are applied to all files and folders in the solution repository according to some rules in a single operation. This is the method that the platform itself uses to apply the initial set of ACLs when the platform first starts up. The final two ways to make changes to ACLs allow you to change the ACL of a single folder or file using a graphical user interface.
...
Permission | Meaning |
---|---|
Schedule | Recipient is allowed to schedule a file. |
Execute | Recipient is allowed to execute a file. This is analogous to a traditional Read permission. |
Update | Recipient is allowed to overwrite a file with his/her changes. |
Create | Recipient is allowed to create files in a directory. |
Delete | Recipient is allowed to delete files or directories in a directory. |
Grant Permissions | Recipient is allowed to share a file with others. More generally, user is allowed to modify the ACL of a file. |
All | Recipient is allowed to do anything including any new permissions added in the future. |
ACL Publishing (Batch Mode)
The db-based solution repository (the default) is refreshed from the filesystem. In other words, solution repository objects are created as files on the filesystem and those objects are refreshed (published) to the db-based solution repository. In the filesystem, solution repository objects have no associated ACLs--at least as far as the platform is concerned. But once solution repository objects are published to the db-based repository, they do have associated ACLs. So how did the objects get their ACLs? The answer is an IAclPublisher. There is only one IAclPublisher instance per JVM and the type of that instance is specified in pentahoObjects.spring.xml.
...
Configuring Default ACLs
The default Pentaho ACL Publisher (defined in pentahoObjects.spring.xml) requires a section in pentaho.xml to tell it what the default ACLs are. Here is a sample properties definition for the provided default ACL Publisher (org.pentaho.platform.engine.security.acls.AclPublisher).
...
Administrators can manage ACLs using a graphical interface available through the Admin menu. Once inside Admin, click Permissions to start the manager. To access the Permissions Editor, you must be logged in as an administrator to the platform. Also, ACLs are available only if you are using the RDBMS solution repository. This feature is not available for the file-based solution repository implementation.
Permissions Editor via the Legacy Admin Menu
This graphical user interface is accessible via the legacy Admin menu at http://host:port/pentaho/Admin.
...
- Click Add under the access control list entry table. You see a new list appear on the right that lists all roles and users available to the system.
- Select the roles and/or users that you want to grant permissions to, and then select the permissions that you would like them to receive.
- Click Add at the bottom of the New Permission panel to add your newly defined access control list entries.
Note: If your organization has many users and/or you want to create ACL entries using roles only, you can increase performance by adjusting the settings contained in the access-ui node in the pentaho.xml file.
Share Tab on the Properties Dialog within Pentaho User Console
In the Pentaho User Console, use the Browse pane to locate a folder. If you want to manage the ACL of a folder, right-click the folder and click Properties. If you want to manage the ACL of a file, right-click the file in the Files pane and click Properties.
...