Security and Authentication in Pentaho
Authorisation
Pentaho uses two types of authorisation: Web resource authorisation and domain object authorisation. Web resource authorisation is enabled by default, meaning that users must log in to access the Pentaho Web interface. Domain object authorisation is disabled by default, meaning that action sequences (xaction files) can be directly executed without permission. Pentaho have an extensive set of security documentation and HOWTOs.
User/Role security
There are three main ways to implement user/role security in Pentaho: memory, JDBC and LDAP. You can also remove security entirely.
Memory
A default installation of Pentaho CE 1.x uses in-memory security. This is sufficient for testing/evaluation, but for a production system you should use a relational database (JDBC) or directory (LDAP) back-end.
JDBC
This uses a relational database to manage authentication. It is the default for Pentaho EE.
LDAP
This uses a directory to manage authentication.
- Changing to the LDAP Security DAO (Pentaho wiki)
- LDAP Search Filter Syntax (Pentaho wiki)
- Retrieving Roles Using Multiple LDAP Search Filter (Pentaho wiki)
- Configure LDAP in the Enterprise Console (BizCubed Enterprise login required)
- Configuring LDAP in Enterprise Console (Pentaho Knowledge Base — Pentaho Enterprise login required)
Troubleshooting
Before modifying any security files, test your queries using a tool like Apache Directory Studio. Verifying with a third-party tool removes Pentaho as a possible source of problems and can save you a lot of time. You should also try enabling verbose LDAP logging. Be warned that this logs passwords in plain text, so don't leave it running on a production system.
Some more troubleshooting
This can be viewed at Pentaho LDAP
Action sequence security
Once you have defined user/role security, you can assign permissions to individual action sequences using access control lists (ACLs). You can also use security within the action sequence itself, based on the credentials of the logged-in user. Conversely, you can remove security from an action sequence for anonymous access. You can also use system actions to control data access.
For Mondrian security, there is already an access control tutorial on the Pentaho wiki. A role only has effect when it is associated with a connection. However, it is not clear how to implement the connect string. Actually, I found it is not hard. For each report (xaction) in which you would like Mondrian security to be implemented, just add role(principalName) to the output string.
Troubleshooting
You can use the security logs to track down errors. These are some errors we found during Pentaho 1.6 development. They may be fixed in later versions.
on 14/12/2009 at 13:29