Configuring Security with Pentaho Administration Console

Introduction

This guide helps you configure security in Pentaho Administration Console. The information here is based on the Jetty 6.1.2 and JettyPlus 6.1.2 releases, because Pentaho Administration Console uses an embedded Jetty server. Out of the box, Pentaho Administration Console uses a properties-file based login module, but you can plug in any of the login modules listed below or write your own.

Sample Login Modules

* org.mortbay.jetty.plus.jaas.spi.JDBCLoginModule
* org.mortbay.jetty.plus.jaas.spi.PropertyFileLoginModule
* org.mortbay.jetty.plus.jaas.spi.DataSourceLoginModule

We'll take a look at all of these, but first, a word about password handling in pentaho administration console, as it applies to all LoginModules.

Passwords/Credentials

Passwords can be stored in clear text, obfuscated (OBF:), checksummed (MD5:) or in Unix crypt form (CRYPT:). Use the class org.mortbay.jetty.security.Password to generate all of these forms; its output can be cut and pasted into property files or entered into database tables. Two caveats a practitioner should keep in mind: OBF is a reversible encoding, not a hash, so it only keeps a password out of casual view and anyone who can read the file can recover the clear text; and MD5 here is an unsalted digest of the password bytes, so identical passwords produce identical values and the digest is exposed to precomputed lookup. Whatever form you choose, restrict read access to login.conf and the properties file.

> java -cp lib/jetty-6.1.2.jar org.mortbay.jetty.security.Password
Usage - java org.mortbay.jetty.security.Password [<user>] <password>
> java -cp lib/jetty-6.1.2.jar;lib/jetty-util-6.1.9.jar org.mortbay.jetty.security.Password me you
you
OBF:20771x1b206z
MD5:639bae9ac6b3e1a84cebb7b403297b79
CRYPT:me/ks90E221EY

The optional <user> argument is needed for the CRYPT form. The ; classpath separator shown is for Windows; on Unix use : instead.

JDBCLoginModule

The JDBCLoginModule stores user passwords and roles in a database that are accessed via JDBC calls. You can configure the JDBC connection information, as well as the names of the table and columns storing the username and credential, and the name of the table and columns storing the roles.

Here is an example login module configuration file entry for it using an HSQLDB driver:

login.conf
JDBCLoginModule {
    org.mortbay.jetty.plus.jaas.spi.JDBCLoginModule required
    debug="true"
    dbUrl="jdbc:hsqldb:."
    dbUserName="sa"
    dbPassword="password"
    dbDriver="org.hsqldb.jdbcDriver"
    userTable="myusers"
    userField="myuser"
    credentialField="mypassword"
    userRoleTable="myuserroles"
    userRoleUserField="myuser"
    userRoleRoleField="myrole";
};

There is no particular schema required for the database tables storing the authentication and role information. The properties userTable, userField, credentialField, userRoleTable, userRoleUserField and userRoleRoleField configure the names of the tables and the columns within them; those names are spliced into the text of the following queries (so they must come from trusted configuration), while the user name is passed as a bound parameter:

database query
select <credentialField> from <userTable> where <userField> =?
select <userRoleRoleField> from <userRoleTable> where <userRoleUserField> =?

Credential and role information is lazily read from the database when a previously unauthenticated user requests authentication. Note that this information is only cached for the length of the authenticated session. When the user logs out or the session expires, the information is flushed from memory.
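The following is an added example, not code from the page or from the Jetty or Pentaho projects. It reproduces the two queries above in Python with sqlite3 standing in for HSQLDB (the constructed in-memory schema and the rows for the assumed users alice and bob are sample data), rejects table and column names that are not plain identifiers before splicing them into SQL, binds the user name as a parameter, and reads credential and roles at login time exactly as the lazy lookup described above does. Only clear-text and MD5 credentials are compared here; the other prefixed forms follow the same pattern.

```python
import hashlib
import hmac
import re
import sqlite3
from typing import List, Optional, Tuple

# Table and column names as given in the JDBCLoginModule entry of login.conf above.
LOGIN_CONF = {
    "userTable": "myusers",
    "userField": "myuser",
    "credentialField": "mypassword",
    "userRoleTable": "myuserroles",
    "userRoleUserField": "myuser",
    "userRoleRoleField": "myrole",
}

_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def build_queries(cfg: dict) -> Tuple[str, str]:
    """Format the two queries the module issues. Names come from configuration and are
    spliced in as identifiers after validation; the user name is always a bound '?'."""
    for key, value in cfg.items():
        if not _IDENT.match(value):
            raise ValueError(f"{key}={value!r} is not a plain SQL identifier")
    cred_q = f"select {cfg['credentialField']} from {cfg['userTable']} where {cfg['userField']} = ?"
    role_q = f"select {cfg['userRoleRoleField']} from {cfg['userRoleTable']} where {cfg['userRoleUserField']} = ?"
    return cred_q, role_q


def make_demo_db(cfg: dict) -> sqlite3.Connection:
    """Constructed sample schema and rows (assumed users, not from any real deployment)."""
    build_queries(cfg)  # validates the identifiers before they are used in DDL
    conn = sqlite3.connect(":memory:")
    conn.execute(f"create table {cfg['userTable']} "
                 f"({cfg['userField']} text primary key, {cfg['credentialField']} text)")
    conn.execute(f"create table {cfg['userRoleTable']} "
                 f"({cfg['userRoleUserField']} text, {cfg['userRoleRoleField']} text)")
    conn.executemany(f"insert into {cfg['userTable']} values (?, ?)", [
        ("alice", "MD5:" + hashlib.md5(b"s3cret").hexdigest()),  # checksummed credential
        ("bob", "plaintext"),                                     # clear-text credential
    ])
    conn.executemany(f"insert into {cfg['userRoleTable']} values (?, ?)", [
        ("alice", "admin"), ("alice", "user"), ("bob", "user"),
    ])
    return conn


def fetch_user(conn: sqlite3.Connection, cfg: dict, username: str) -> Optional[Tuple[str, List[str]]]:
    """Lazy read at authentication time: credential row first, then the role rows."""
    cred_q, role_q = build_queries(cfg)
    row = conn.execute(cred_q, (username,)).fetchone()
    if row is None:
        return None
    roles = [r[0] for r in conn.execute(role_q, (username,))]
    return row[0], roles


def credential_matches(stored: str, supplied: str) -> bool:
    """Compare against a clear-text or MD5: credential using a constant-time comparison."""
    if stored.startswith("MD5:"):
        digest = hashlib.md5(supplied.encode()).hexdigest()
        return hmac.compare_digest(stored[4:].lower().encode(), digest.encode())
    return hmac.compare_digest(stored.encode(), supplied.encode())


def login(conn: sqlite3.Connection, cfg: dict, username: str, password: str) -> Optional[List[str]]:
    """Return the user's roles on success, None for an unknown user or a wrong password."""
    found = fetch_user(conn, cfg, username)
    if found is None:
        return None
    stored, roles = found
    return roles if credential_matches(stored, password) else None


if __name__ == "__main__":
    db = make_demo_db(LOGIN_CONF)
    print(build_queries(LOGIN_CONF))
    print("alice:", login(db, LOGIN_CONF, "alice", "s3cret"))
    print("bob (wrong password):", login(db, LOGIN_CONF, "bob", "nope"))
```

Note that nothing is cached between calls: every login() runs both queries, which is the behaviour the text describes for a previously unauthenticated user.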

Be Careful

Pay extra attention to the semi-colon at the end of the last entry in login.conf. Without it, authentication fails. The JDBCLoginModule key in login.conf must be exactly the same as the value of console.security.login.module.name in console.properties. Also note that dbPassword is stored in clear text in login.conf, so restrict read access to that file. Here is a snippet of a correct console.properties in this case:

console.properties
# Security Authentication Section for Enterprise Console
console.security.enabled=true
console.security.roles.allowed=Admin,server-administrator,content-administrator
console.security.roles.delimiter=,
console.security.realm.name=Pentaho
console.security.login.module.name=JDBCLoginModule
console.security.auth.config.path=resource/config/login.conf
console.security.callback.handler=org.mortbay.jetty.plus.jaas.callback.DefaultCallbackHandler

Note that passwords can be stored in the database in plain text or encoded formats, using the org.mortbay.jetty.security.Password class.

DataSourceLoginModule

Similar to the JDBCLoginModule, but this LoginModule uses a DataSource to connect to the database instead of a JDBC driver. The DataSource is obtained by a JNDI lookup of java:comp/env/<dbJNDIName>, where dbJNDIName is the value given in the login module configuration.

Here is a sample login module configuration for it:

login.conf
ds {
   org.mortbay.jetty.plus.jaas.spi.DataSourceLoginModule required
   debug="true"
   dbJNDIName="ds"
   userTable="myusers"
   userField="myuser"
   credentialField="mypassword"
   userRoleTable="myuserroles"
   userRoleUserField="myuser"
   userRoleRoleField="myrole";
 };

PropertyFileLoginModule

With this login module implementation, the authentication and role information is read from a property file.

login.conf
props {
   org.mortbay.jetty.plus.jaas.spi.PropertyFileLoginModule required
   debug="true"
   file="/somewhere/somefile.props";
 };

The file parameter is the location of a properties file of the same format as Jetty's etc/realm.properties example file. The format is:

<username>: <password>[,<rolename> ...]

Here's an example:

login.properties
admin: OBF:1xmk1w261u9r1w1c1xmq,user,admin
superadmin: changeme,user,developer
master: MD5:164c88b302622e17050af52c89945d44,user
: CRYPT:adpexzg3FUZAk,admin

The contents of the file are fully read in and cached in memory the first time a user requests authentication. Later edits to the file are not picked up until the console is restarted.

Changing the admin password

Since Pentaho Administration Console is based on Jetty, the password can be changed according to Jetty's Securing Passwords instructions. The only caveat is that the jetty*.jar files mentioned in the instructions are found in the enterprise-console/lib folder. Replace xxx in the example below with the versions present in that folder, paste the chosen output line (OBF:, MD5: or CRYPT:) in place of the existing credential for admin in the properties file referenced by your login.conf, and restart the console so that the cached copy of the file is reloaded.

Example

java -cp enterprise-console/lib/jetty-xxx.jar:enterprise-console/lib/jetty-util-xxx.jar org.mortbay.jetty.security.Password admin password1

Changing the default security settings

The configuration for the security settings is stored in the security section of console.properties:

console.properties
# Pentaho Administration Console's Jetty Server Settings
console.start.port.number=8088
console.stop.port.number=8033

# SSL Section for Pentaho Administration Console
console.ssl.enabled=false
console.ssl.port.number=8143
keyAlias=jetty
keyPassword=changeit
keyStore=resource/config/keystore
keyStorePassword=changeit
trustStore=resource/config/keystore
trustStorePassword=changeit
wantClientAuth=false
needClientAuth=false

# Security Authentication Section for Pentaho Administration Console
console.security.enabled=true
console.security.roles.allowed=admin
console.security.roles.delimiter=,
console.security.realm.name=Pentaho
console.security.login.module.name=PropertiesFileLoginModule
console.security.auth.config.path=resource/config/login.conf

By default, security is enabled. To change the roles that are allowed to access the application, provide your list of roles in the console.security.roles.allowed property. By default the roles are comma separated, but you can change that by providing your own delimiter in the console.security.roles.delimiter property. The login module name is given in console.security.login.module.name; this is the name you gave your login module in the login.conf file. Finally, provide the location of your login.conf file in the console.security.auth.config.path property.

Note that in the defaults above SSL is disabled (console.ssl.enabled=false), so credentials for the console travel in clear text, and the key store and trust store passwords are the well-known default changeit. For anything beyond a local test, enable SSL and set your own key store, key and trust store passwords.

Writing Your Own

If you want to implement your own custom LoginModule, there are two classes to be familiar with:

AbstractLoginModule.java
package org.mortbay.jetty.plus.jaas.spi;

public abstract class AbstractLoginModule implements LoginModule
{
  ...
  public abstract UserInfo getUserInfo (String username) throws Exception;
}
UserInfo.java
package org.mortbay.jetty.plus.jaas.spi;

public class UserInfo
{

  public UserInfo (String userName, Credential credential, List roleNames)
  {
  ...
  }

  public String getUserName()
  {
  ...
  }

  public List getRoleNames ()
  {
  ...
  }

  public boolean checkCredential (Object suppliedCredential)
  {
  ...
  }
}

The org.mortbay.jetty.plus.jaas.spi.AbstractLoginModule implements all of the javax.security.auth.spi.LoginModule methods. All you need to do is implement the getUserInfo method to return an org.mortbay.jetty.plus.jaas.spi.UserInfo instance which encapsulates the username, credential and role names (note: as java.lang.Strings) for a user.

The AbstractLoginModule does not support any caching, so if you want to cache UserInfo (eg as does the org.mortbay.jetty.plus.jaas.spi.PropertyFileLoginModule) then you must provide this yourself.