
Suppose you want to make one role an occupant of another role. For example, suppose there is a role called bireporting and you want every occupant of the ceo role to also be an occupant of the bireporting role. One way to accomplish this would be to manually add every occupant of ceo as an occupant of the bireporting role. Unfortunately, that solution does not reuse the existing role. Instead, you should be able to add the ceo role as an occupant of bireporting just as you would add a user as an occupant. Why would you need to do this? Because your Pentaho security configuration can then simply reference the bireporting role instead of a multitude of occupant roles.

The instructions below describe how to implement nested roles (or groups) by describing the nesting structure outside of the LDAP directory. Why would you want to describe the nesting (i.e. which role is an occupant of which other role) outside of the LDAP directory? Because repeatedly querying the directory to recursively find all parents of a given child role is potentially prohibitively expensive.

The two classes (NestedLdapAuthoritiesPopulator and ExtraRoles) introduced below are attached to this page and are also available in the trunk.

Describing the Nesting

Notice that the populator is no longer DefaultLdapAuthoritiesPopulator. Instead, we've defined NestedLdapAuthoritiesPopulator, which subclasses DefaultLdapAuthoritiesPopulator and adds a mapping of extra roles. In this map, the keys are child roles and the values are parent roles, so in the configuration below an occupant of ceo or cto is also treated as an occupant of bireporting.

applicationContext-acegi-security.xml
<bean id="populator" class="com.pentaho.security.ldap.NestedLdapAuthoritiesPopulator">
  <!-- omitted -->
  <property name="extraRolesMapping">
    <map>
      <entry key="ceo" value="bireporting" />
      <entry key="cto" value="bireporting" />
    </map>
  </property>
</bean>

All Authorities Search

If the roles that serve as "parents" to nested roles will not be returned by the all authorities search (for example because bireporting exists only in the mapping above and not as a group in the directory), you'll need to add them after the search using a transformer. The ExtraRoles transformer handles this.

applicationContext-pentaho-security.xml
<bean id="allAuthoritiesSearch" class="com.pentaho.security.ldap.search.GenericLdapSearch">
  <!-- omitted -->
  <constructor-arg index="2">
    <bean class="org.apache.commons.collections.functors.ChainedTransformer">
      <constructor-arg index="0">
        <list>
          <bean class="com.pentaho.security.ldap.transform.SearchResultToAttrValueList">
            <!-- omitted -->
          </bean>
          <bean class="com.pentaho.security.ldap.transform.ExtraRoles">
            <property name="extraRoles">
              <set>
                <value>bireporting</value>
              </set>
            </property>
          </bean>
          <bean class="com.pentaho.security.ldap.transform.StringToGrantedAuthority">
            <!-- omitted -->
          </bean>
        </list>
      </constructor-arg>
    </bean>
  </constructor-arg>
</bean>
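The nesting resolution that the two configurations above describe, written out as a stand-alone Python sketch (an added example, not Pentaho's NestedLdapAuthoritiesPopulator or ExtraRoles code): resolve_nested_roles walks the in-memory child-to-parent mapping instead of querying LDAP, and all_authorities appends the parent roles the directory search would not return. It generalises the page's one-parent-per-child map to several parents per child and multi-level nesting; the function and constant names are the example's own.

```python
from typing import Dict, Iterable, List, Mapping, Set

# Child role -> parent roles, mirroring extraRolesMapping above but generalised:
# a child may have several parents and parents may themselves be nested.
# Constructed sample data; the page's configuration maps one parent per child.
EXTRA_ROLES_MAPPING: Dict[str, Set[str]] = {
    "ceo": {"bireporting"},
    "cto": {"bireporting"},
}


def resolve_nested_roles(direct_roles: Iterable[str],
                         mapping: Mapping[str, Set[str]] = EXTRA_ROLES_MAPPING) -> Set[str]:
    """Return the user's direct roles plus every parent reachable through the mapping.

    The mapping lives in memory, so the walk costs no LDAP round trips. The visited
    set makes the walk terminate even if the mapping accidentally contains a cycle.
    """
    resolved: Set[str] = set()
    worklist: List[str] = list(direct_roles)
    while worklist:
        role = worklist.pop()
        if role in resolved:
            continue
        resolved.add(role)
        worklist.extend(mapping.get(role, set()))
    return resolved


def all_authorities(directory_roles: Iterable[str],
                    extra_roles: Iterable[str] = ("bireporting",)) -> List[str]:
    """Mirror the ExtraRoles transformer: append parent roles that exist only in the
    mapping (never as directory entries) so the list of all authorities is complete."""
    authorities = list(directory_roles)
    for role in sorted(extra_roles):
        if role not in authorities:
            authorities.append(role)
    return authorities


if __name__ == "__main__":
    # A user whose directory groups contain only "ceo" ends up with bireporting too.
    print(sorted(resolve_nested_roles({"ceo"})))      # ['bireporting', 'ceo']
    print(sorted(resolve_nested_roles({"staff"})))    # ['staff']
    # Roles listed by the all-authorities search, completed with the nested parent.
    print(all_authorities(["ceo", "cto", "staff"]))   # ['ceo', 'cto', 'staff', 'bireporting']
```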
