Opening Up Some Action Sequences for Anonymous Access

If you want to disable security for a particular action sequence, you'll need to (1) set the appropriate access control list (ACL) entries on the action sequence, (2) switch your IAclVoter implementation, and (3) adjust the authorization rules for the ViewAction servlet in applicationContext-spring-security.xml.

Assume that you have a folder named public in the solution named myorgfinance that you want to open up to unauthenticated (i.e. anonymous) users. In other words, you want to allow anonymous users to run any action sequence in the public folder of the myorgfinance solution.

  1. Log in to the Pentaho User Console as a Pentaho administrator.
  2. Navigate to the public folder in the myorgfinance solution.
  3. Right-click the public folder and click Properties.
  4. Click on the Share tab.
  5. Grant appropriate permissions (for example, Execute) to the role named Anonymous.
  6. Open pentahoObjects.spring.xml and change the IAclVoter implementation class to org.pentaho.platform.engine.security.acls.voter.PentahoAllowAnonymousAclVoter. Note that PentahoAllowAnonymousAclVoter does not by itself allow anonymous users to access anything; it simply creates an anonymous token for use in voting decisions. You still have to grant access to the Anonymous role (as you did in the steps above).
    1. If your file makes use of metadata, you will need to adjust the protections accordingly. As an alternative, you can disable metadata security completely by changing the class of the bean with id IMetadataDomainRepository to org.pentaho.platform.plugin.services.metadata.MetadataDomainRepository. This applies to all files!
  7. Open applicationContext-spring-security.xml, located in pentaho-solutions/system, and edit the filterInvocationInterceptor bean's objectDefinitionSource property.

    Warning: All characters between the \A and \Z must be lowercase in order for a match to occur.

    applicationContext-spring-security.xml
    ...
    \A/viewaction.*solution.myorgfinance.*path.public.*\Z=Anonymous,Authenticated
    ...
    \A/.*\Z=Authenticated
    
    1. Example to open up ALL PRPTs:
      applicationContext-spring-security.xml
      ...
      \A/js.browserlocale.js.*\Z=Anonymous,Authenticated
      \A/content/reporting.*\Z=Anonymous,Authenticated
      ...
      \A/.*\Z=Authenticated
      
  8. Restart the Pentaho BI Server.
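
The rule list from step 7 can be checked offline before the restart. The Python below is an added example, not part of the Pentaho documentation or code base; it assumes the interceptor lowercases the request URL before comparison (consistent with the warning in step 7) and that the first matching rule wins. The function names and sample URLs are constructed for illustration.

```python
import re

# Constructed sample: the rule lines shown in step 7, in the same order.
RULES_TEXT = r"""
\A/viewaction.*solution.myorgfinance.*path.public.*\Z=Anonymous,Authenticated
\A/.*\Z=Authenticated
"""

def parse_rules(text):
    """Return an ordered list of (pattern, roles) from 'regex=Role1,Role2' lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "...":
            continue
        pattern, _, roles = line.rpartition("=")
        rules.append((pattern, [r.strip() for r in roles.split(",")]))
    return rules

def roles_for(rules, url):
    """Roles granted for url (assumed: lowercase the URL, first match wins)."""
    candidate = url.lower()
    for pattern, roles in rules:
        if re.search(pattern, candidate):
            return roles
    return []  # no rule matched

def lint(rules):
    """Flag rules that can never match (uppercase) or never be reached (shadowed)."""
    findings = []
    catch_all_seen = False
    for pattern, _ in rules:
        # Only the text between \A and \Z has to be lowercase.
        body = pattern.replace(r"\A", "").replace(r"\Z", "")
        if body != body.lower():
            findings.append(("uppercase", pattern))
        if catch_all_seen:
            findings.append(("shadowed", pattern))
        if body == "/.*":
            catch_all_seen = True
    return findings

if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    print(roles_for(rules, "/ViewAction?solution=myorgfinance&path=public&action=report.xaction"))
    print(lint(rules))
```

A "shadowed" finding means the rule sits below the catch-all \A/.*\Z line and is never consulted, which is why that line stays last in both listings above.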

Known Issues

Anonymous access to PRPTs doesn't work in 3.5.2