Removing Security
- Former user (Deleted)
Owned by Former user (Deleted)
The security features of the Pentaho BI Platform cannot be removed. However, they can be effectively removed using the following steps. Essentially, the idea is to create a single user and role and give system-wide access to that user. The anonymous processing filter provides a nice way of guaranteeing that even unauthenticated users have a username and role.
- Define the anonymous role. Note that this is already defined by default. If you must change it, change it here. Note also that the username assigned by the anonymous processing filter is not relevant to Pentaho security code that runs later in the request. Only the anonymous role is relevant. In this example, the anonymous username is
anonymousUserand the anonymous role isAnonymous. Note where the roleAnonymousoccurs in subsequent examples. Note finally that role names are case-sensitive.applicationContext-spring-security.xml<bean id="anonymousProcessingFilter" class="org.springframework.security.providers.anonymous.AnonymousProcessingFilter"> <!-- omitted --> <property name="userAttribute" value="anonymousUser,Anonymous" /> </bean>
- Allow anonymous access to all web resources by editing the
objectDefinitionSourceon theFilterSecurityInterceptorto look like the example below.Note: Why does Authenticated appear in XML below? Because some client tools (for example, Pentaho Report Designer) require a username and password to publish to the server. If you supply a username and password, then you are no longer anonymous.
applicationContext-spring-security.xml<bean id="filterInvocationInterceptor" class="org.springframework.security.intercept.web.FilterSecurityInterceptor"> <property name="authenticationManager"> <ref local="authenticationManager" /> </property> <property name="accessDecisionManager"> <ref local="httpRequestAccessDecisionManager" /> </property> <property name="objectDefinitionSource"> <value> <![CDATA[ CONVERT_URL_TO_LOWERCASE_BEFORE_COMPARISON \A/.*\Z=Anonymous,Authenticated ]]> </value> </property> </bean> - Use
PentahoAllowAnonymousAclVoteras yourIAclVoterimplementation. You configure yourIAclVoterimplementation partially inpentahoObjects.spring.xmland partially inpentaho.xml. When configuring this voter, you will define the anonymous user and role. That user and/or role should be used when assigning ACLs.pentaho.xml<pentaho-system> <!-- omitted --> <anonymous-authentication> <anonymous-user>anonymousUser</anonymous-user> <anonymous-role>Anonymous</anonymous-role> </anonymous-authentication> <!-- omitted --> </pentaho-system>pentahoObjects.spring.xml<beans> <!-- omitted --> <bean id="IAclVoter" class="org.pentaho.platform.engine.security.acls.voter.PentahoAllowAnonymousAclVoter" scope="singleton" /> <!-- omitted --> </beans>
- Tell Pentaho the role that should be treated as the Pentaho administrator. In this case, it's the anonymous role mentioned earlier.
pentaho.xml
<pentaho-system> <!-- omitted --> <acl-voter> <admin-role>Anonymous</admin-role> </acl-voter> <!-- omitted --> </pentaho-system> - Switch to the file-based solution repository. (The default is the database-based solution repository, whose only feature difference is access control for solution files.) Replace the bean with id
ISolutionRepositorywith the bean below.<bean id="ISolutionRepository" class="org.pentaho.platform.repository.solution.filebased.FileBasedSolutionRepository" scope="session" />
- Switch to the security-unaware metadata domain repository. (The default is the security-aware metadata domain repository, whose only feature difference is access control for metadata objects.) Replace the bean with id
IMetadataDomainRepositorywith the bean below.<bean id="IMetadataDomainRepository" class="org.pentaho.platform.plugin.services.metadata.MetadataDomainRepository" scope="singleton"/>