Friday, August 8, 2014

Anonymous Access To Pentaho's BI content

NOTE: This article was originally written for a Pentaho 4.8 installation. URL patterns have changed in 5.0, but the concept remains the same.

What good is a report if no one can access it?

If you are using Pentaho Business Analytic Suite, at times you may want to create a report and allow anyone in the world to view it. Government agencies and non-profit organizations with no major proprietary data that requires security typically fall into this category.

By default, to access a report or other content, a user must have at least a valid PUC session, obtained either by logging in directly at http:...../pentaho/Login or through SSO. In other words, access requires authentication and authorization.

There are 4 levels of security that need to work together to give a user access to content.
1) Spring Security: protected URLs.
2) ACL Control: dictates which users and roles have access to which reports or directories in the repository.
3) Datasource access: more relevant for Mondrian reports.
4) Role mapper security: again, more relevant for Mondrian reports.

All 4 of the above need to be configured properly so that external users can access content anonymously.

Let's discuss how it can be achieved using this example...
http://localhost:8082/pentaho/content/analyzer/viewer?
command=open&
solution=steel-wheels&
path=/analysis&
action=Top%205%20Product%20Lines%20by%20Territory.xanalyzer

The first step is to configure Spring Security to allow the URL to be invoked without authentication.

Open ....../pentaho-solutions/system/applicationContext-spring-security.xml in an editor and add the following pattern to the filterInvocationInterceptor.

\A/content/analyzer/viewer.*.solution=steel-wheels.*\Z=Anonymous,Authenticated

You need to add additional URL patterns, because the page will request other resources such as .css or .js files.
\A/content/analyzer/ajax/.*\Z=Anonymous,Authenticated
\A/content/analyzer/images/.*\Z=Anonymous,Authenticated
...

From version to version, this list of additional URLs may change. The best way to work it out is to turn on Spring Security logging. As the URLs that require authentication are caught by the filter, you can monitor the log files and add them to applicationContext-spring-security.xml.
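The following is an added example, not code from the original post: a Python check of which request URLs a set of filterInvocationInterceptor patterns would open to the Anonymous role, useful for reviewing a pattern before deploying it. It assumes that the first matching rule wins, that each rule line is split on its last '=', that the URL is lower-cased before comparison, and that the list ends with a catch-all rule requiring authentication; the tighter pattern and the solution name steel-wheels-internal are hypothetical.

```python
import re

# First three rules are the ones from the article; the final catch-all
# rule is an assumption about how the rest of the list ends.
PAGE_RULES = r"""
\A/content/analyzer/viewer.*.solution=steel-wheels.*\Z=Anonymous,Authenticated
\A/content/analyzer/ajax/.*\Z=Anonymous,Authenticated
\A/content/analyzer/images/.*\Z=Anonymous,Authenticated
\A/.*\Z=Authenticated
"""

# Hypothetical tighter first rule: 'solution' must be a whole query parameter.
TIGHT_RULES = PAGE_RULES.replace(
    r"viewer.*.solution=steel-wheels.*\Z",
    r"viewer\?(.*&)?solution=steel-wheels(&.*)?\Z",
)

def parse_rules(text):
    """Split each 'regex=roles' line on the LAST '=': the regex may contain '='."""
    rules = []
    for line in text.strip().splitlines():
        pattern, roles = line.rsplit("=", 1)
        rules.append((re.compile(pattern), roles.split(",")))
    return rules

def roles_for(rules_text, url):
    """Return the roles of the first rule matching the lower-cased URL, or None."""
    for regex, roles in parse_rules(rules_text):
        if regex.search(url.lower()):
            return roles
    return None

def anonymous_allowed(rules_text, url):
    """True when the first matching rule lists the Anonymous role."""
    return "Anonymous" in (roles_for(rules_text, url) or [])

# Constructed sample requests (path plus query string, context path removed).
REPORT = ("/content/analyzer/viewer?command=open&solution=steel-wheels"
          "&path=/analysis&action=Top%205%20Product%20Lines%20by%20Territory.xanalyzer")
OTHER = "/content/analyzer/viewer?command=open&solution=steel-wheels-internal&path=/hr"
SAMPLES = [REPORT, OTHER, "/content/analyzer/ajax/init.js", "/Home"]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"page={anonymous_allowed(PAGE_RULES, url)!s:5} "
              f"tight={anonymous_allowed(TIGHT_RULES, url)!s:5} {url}")
```

The pattern as written in the article also matches any solution whose name merely starts with steel-wheels, so the URL rule alone does not limit anonymous requests to one solution. The repository ACL described in the next step is what decides access to each report.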

The next step is to allow the report to be executed by Anonymous users. Log in to PUC and browse for the report that needs to be viewed anonymously. Select the report and set its permissions so that the Anonymous role can invoke it.




We are almost done! If you try to invoke the URL specified above, it may work, depending on whether the Mondrian role mapper is enabled. If it is enabled, Mondrian tries to access the user's HTTP session in order to get the user's roles and map them to the roles specified in the Mondrian schema. Since this is anonymous access, there is no session, and you might get an exception stack trace in your browser. The final step here is to disable the role mapper.

WHAT IF??
What if the role mapper is needed? Alternatively, a filter can be implemented that creates a session for the anonymous user, WITH THE ANONYMOUS ROLE. Another suggestion is to play around with the MDX connection. I don't know how that would work, but if I find out, another blog will be posted.

Hope you find this posting helpful.


