Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: Migration of unmigrated content due to installation of a new plugin

The security features of the Pentaho Professional BI Platform cannot be removed. However, they can be effectively removed by using the following steps. Essentially, the idea is to create a single user and role and give system-wide access to that user. The anonymous processing filter provides a nice way of guaranteeing that even unauthenticated users have a username and role.

  1. Define the anonymous role. Note that this is already defined by default. If you must change it, change it here. Note also that the username assigned by the anonymous processing filter is not relevant to Pentaho security code that runs later in the request. Only the anonymous role is relevant. In this example, the anonymous username is anonymousUser and the anonymous role is Anonymous. Note where the role Anonymous occurs in subsequent examples. Note finally that role names are case-sensitive.
    Code Block
    xml
    xml
    titleapplicationContext-acegi-security.xml
    
    <bean id="anonymousProcessingFilter" class="org.acegisecurity.providers.anonymous.AnonymousProcessingFilter">
      <!-- omitted -->
      <property name="userAttribute" value="anonymousUser,Anonymous" />
    </bean>
    
  2. Allow anonymous access to all web resources by editing the objectDefinitionSource on the FilterSecurityInterceptor to look like the example below. Assign ACLs using the user and role defined in the previous step
  3. Use PentahoAllowAnonymousAclVoter as your IAclVoter implementation. See 03. pentaho.xml for a description of how to configure this voter. When configuring this voter, you will define the anonymous user and role. That user and/or role should be used when assigning ACLs.
  4. Note: Why does Authenticated appear in XML below? Because some client tools (for example, Schema Workbench) require a username and password to publish to the server. If you supply a username and password, then you are no longer anonymous.

    Code Block
    xml
    xml
    titleapplicationContext-acegi-security.xml
    
    <bean id="filterInvocationInterceptor"
      class="org.acegisecurity.intercept.web.FilterSecurityInterceptor">
      <property name="authenticationManager">
        <ref local="authenticationManager" />
      </property>
      <property name="accessDecisionManager">
        <ref local="httpRequestAccessDecisionManager" />
      </property>
      <property name="objectDefinitionSource">
        <value>
          <![CDATA[
            CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON
            \A/.*\Z=Anonymous,Authenticated
          ]]>
        </value>
      </property>
    </bean>
    
  5. Use PentahoAllowAnonymousAclVoter as your IAclVoter implementation. You configure your IAclVoter implementation partially in pentahoObjects.spring.xml and partially in pentaho.xml. When configuring this voter, you will define the anonymous user and role. That user and/or role should be used when assigning ACLs.
    Code Block
    xml
    xml
    titlepentaho.xml
    
    <pentaho-system>
    
      <!-- omitted -->
    
      <anonymous-authentication>
        <anonymous-user>anonymous</anonymous-user>
        <anonymous-role>Anonymous</anonymous-role>
      </anonymous-authentication>
    
      <!-- 

...

  1. omitted -->
    
    </pentaho-system>
    
    Code Block
    xml
    xml
    titlepentahoObjects.spring.xml
    
    <beans>
    
      <!-- omitted -->
    
      <bean id="IAclVoter" class="org.pentaho.platform.engine.security.acls.voter.PentahoAllowAnonymousAclVoter" scope="singleton" />
    
      <!-- omitted -->
    
    </beans>
    
  2. Assign ACLs using the user and role defined in the previous step. Use these steps along with the settings below. Be sure to remove any active override entries.

    Note: Why does Authenticated appear in XML below? Because some client tools (for example, Schema Workbench) require a username and password to publish to the server. If you supply a username and password, then you are no longer anonymous.

    Code Block
    xml
    xml
    titlepentaho.xml
    
    <pentaho-system>
    
      <!-- omitted -->
    
      <acl-publisher>
        <default-acls>
          <acl-entry role="Anonymous" acl="ADMIN_ALL" />
          <acl-entry 

...

  1. role="Authenticated" acl="ADMIN_ALL" />
        </default-acls>
    
        <!-- remove any active overrides entries -->
      </acl-publisher>
    
      <!-- omitted 

...

  1. -->
    </pentaho-system>
    
  2. Finally, tell Pentaho the role that should be treated as the Pentaho administrator. In this case, it's the anonymous role mentioned earlier.
    Code Block
    xml
    xml
    titlepentaho.xml
    
    <pentaho-system>
    
      <

...

  1. !-- omitted -->
    
      <acl-voter>
        <admin-role>Anonymous</admin-role>
      </

...

  1. acl-voter>
    
      <!-- omitted -->
    
    </

...

  1. pentaho-system>