Pentaho Analysis - Mondrian / MONDRIAN-1259

Mondrian security: access leaks from one user to another

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: None
    • Component/s: None
    • Labels: None
    • QA Validation Status:
      Not Yet Validated

      Description

      In versions starting with the patch for MONDRIAN-1241 on Sept. 19, we see issues where access leaks from one request to another.

         1) We run query A with role X which has access to member m1
         2) We run query B with role Y which has access to member m2
         3) Query B is run with access to m1 rather than m2

      We have not tested updates to trunk for the last week or so (because of this and other issues).

      https://github.com/pentaho/mondrian/commit/cff0b3da7b72c3f5cf5070ad5b03c5c8d12d09ad
      Attachments:
      • FoodMart.xml (34 kB, Li Deng)
      • screenshot-1.jpg (83 kB)
      • screenshot-2.jpg (52 kB)

        Activity

        Julian Hyde added a comment -
        Customer believes this was introduced by a change on 2012/9/19.
        Luc Boudreau added a comment -
        I need more details on this case. I've created the following test and it passes. I need to know what MDX was used and what the role definitions were. This could also be caused by some caching done by the customer's custom implementation of Role.

        public void testMondrian1259() throws Exception {
            final TestContext testContext = TestContext.instance().create(
                null, null, null, null, null,
                "<Role name=\"Role1\">\n"
                + " <SchemaGrant access=\"none\">\n"
                + " <CubeGrant cube=\"Sales\" access=\"all\">\n"
                + " <HierarchyGrant hierarchy=\"[Store]\" access=\"custom\" rollupPolicy=\"partial\">\n"
                + " <MemberGrant member=\"[Store].[USA].[CA]\" access=\"all\"/>\n"
                + " </HierarchyGrant>\n"
                + " </CubeGrant>\n"
                + " </SchemaGrant>\n"
                + "</Role>"
                + "<Role name=\"Role2\">\n"
                + " <SchemaGrant access=\"none\">\n"
                + " <CubeGrant cube=\"Sales\" access=\"all\">\n"
                + " <HierarchyGrant hierarchy=\"[Store]\" access=\"custom\" rollupPolicy=\"partial\">\n"
                + " <MemberGrant member=\"[Store].[USA].[OR]\" access=\"all\"/>\n"
                + " </HierarchyGrant>\n"
                + " </CubeGrant>\n"
                + " </SchemaGrant>\n"
                + "</Role>");
            testContext.withRole("Role1").assertQueryReturns(
                "select {[Store].Members} on columns from [Sales]",
                "Axis #0:\n"
                + "{}\n"
                + "Axis #1:\n"
                + "{[Store].[All Stores]}\n"
                + "{[Store].[USA]}\n"
                + "{[Store].[USA].[CA]}\n"
                + "{[Store].[USA].[CA].[Alameda]}\n"
                + "{[Store].[USA].[CA].[Alameda].[HQ]}\n"
                + "{[Store].[USA].[CA].[Beverly Hills]}\n"
                + "{[Store].[USA].[CA].[Beverly Hills].[Store 6]}\n"
                + "{[Store].[USA].[CA].[Los Angeles]}\n"
                + "{[Store].[USA].[CA].[Los Angeles].[Store 7]}\n"
                + "{[Store].[USA].[CA].[San Diego]}\n"
                + "{[Store].[USA].[CA].[San Diego].[Store 24]}\n"
                + "{[Store].[USA].[CA].[San Francisco]}\n"
                + "{[Store].[USA].[CA].[San Francisco].[Store 14]}\n"
                + "Row #0: 74,748\n"
                + "Row #0: 74,748\n"
                + "Row #0: 74,748\n"
                + "Row #0: \n"
                + "Row #0: \n"
                + "Row #0: 21,333\n"
                + "Row #0: 21,333\n"
                + "Row #0: 25,663\n"
                + "Row #0: 25,663\n"
                + "Row #0: 25,635\n"
                + "Row #0: 25,635\n"
                + "Row #0: 2,117\n"
                + "Row #0: 2,117\n");
            testContext.withRole("Role2").assertQueryReturns(
                "select {[Store].Members} on columns from [Sales]",
                "Axis #0:\n"
                + "{}\n"
                + "Axis #1:\n"
                + "{[Store].[All Stores]}\n"
                + "{[Store].[USA]}\n"
                + "{[Store].[USA].[OR]}\n"
                + "{[Store].[USA].[OR].[Portland]}\n"
                + "{[Store].[USA].[OR].[Portland].[Store 11]}\n"
                + "{[Store].[USA].[OR].[Salem]}\n"
                + "{[Store].[USA].[OR].[Salem].[Store 13]}\n"
                + "Row #0: 74,748\n"
                + "Row #0: 74,748\n"
                + "Row #0: 67,659\n"
                + "Row #0: 26,079\n"
                + "Row #0: 26,079\n"
                + "Row #0: 41,580\n"
                + "Row #0: 41,580\n");
        }
        Luc Boudreau added a comment - edited
        Fixed in
        https://github.com/pentaho/mondrian/commit/e6e05c0ec3ef7126c23ccc04b0aa4b1663c30195
        https://github.com/pentaho/mondrian/commit/9813ac322387083c6250e840e0d89c090194de5e

        To reproduce, add the following roles to Foodmart:

        ---------------------------------
        <Role name="Role1">
          <SchemaGrant access="none">
            <CubeGrant cube="Sales" access="all">
              <HierarchyGrant hierarchy="[Store]" access="custom" rollupPolicy="partial">
                <MemberGrant member="[Store].[USA].[CA]" access="all"/>
              </HierarchyGrant>
            </CubeGrant>
          </SchemaGrant>
        </Role>
        <Role name="Role2">
          <SchemaGrant access="none">
            <CubeGrant cube="Sales" access="all">
              <HierarchyGrant hierarchy="[Store]" access="custom" rollupPolicy="partial">
                <MemberGrant member="[Store].[USA].[OR]" access="all"/>
              </HierarchyGrant>
            </CubeGrant>
          </SchemaGrant>
        </Role>
        ---------------------------------

        Now run the following query as both Role1 and Role2:

        ---------------------------------
        select non empty {[Store].Members} on columns from [Sales]
        ---------------------------------

        If the issue is fixed, when running as Role1, you get the children of California and as Role2 you get the children of Oregon.
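To make the failure mode in the description and in the reproduction steps above concrete, here is an added Python sketch (not Mondrian's code, and not the actual defect fixed in the linked commits): a result cache keyed by the MDX text alone hands Role1's member list to Role2, while keying the cache by role as well keeps the two results apart. The role names, grants and query are taken from the comment above; the hierarchy slice and the engine classes are constructed for illustration.

```python
# Added illustration for MONDRIAN-1259, not Mondrian's code: a result cache
# keyed only by MDX text hands Role1's member list to Role2.
from dataclasses import dataclass

# Constructed slice of the FoodMart [Store] hierarchy; the issue's roles grant
# [Store].[USA].[CA] to Role1 and [Store].[USA].[OR] to Role2.
STORE_MEMBERS = [
    "[Store].[USA].[CA].[Alameda]",
    "[Store].[USA].[CA].[Beverly Hills]",
    "[Store].[USA].[OR].[Portland]",
    "[Store].[USA].[OR].[Salem]",
]
QUERY = "select non empty {[Store].Members} on columns from [Sales]"

@dataclass(frozen=True)
class Role:
    name: str
    member_grant: str  # the single MemberGrant from the issue's role XML

    def can_see(self, member: str) -> bool:
        return member.startswith(self.member_grant)

class LeakyEngine:
    """Bug pattern: the filtered member list is cached per query string only,
    so whoever runs the query first decides what later roles receive."""
    def __init__(self):
        self._cache = {}

    def run(self, mdx: str, role: Role) -> list:
        if mdx not in self._cache:
            self._cache[mdx] = [m for m in STORE_MEMBERS if role.can_see(m)]
        return self._cache[mdx]

class FixedEngine(LeakyEngine):
    """Mitigation: the role is part of the cache key, so a cached result can
    never cross a role boundary."""
    def run(self, mdx: str, role: Role) -> list:
        key = (role.name, mdx)
        if key not in self._cache:
            self._cache[key] = [m for m in STORE_MEMBERS if role.can_see(m)]
        return self._cache[key]

def leaked_members(engine: LeakyEngine) -> list:
    """Regression check from the issue's steps: run the query as Role1, then
    as Role2, and return every member Role2 got that its own grant does not
    cover. An empty list means the roles are isolated."""
    role1 = Role("Role1", "[Store].[USA].[CA]")
    role2 = Role("Role2", "[Store].[USA].[OR]")
    engine.run(QUERY, role1)
    return [m for m in engine.run(QUERY, role2) if not role2.can_see(m)]
```

The same check works as a smoke test against a real server: run the query as each role in sequence and compare the returned members with that role's grant, since a non-empty difference is exactly the symptom reported here.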
        Li Deng added a comment -
        Testing completed. Testing steps:
        1. Add two roles to FoodMart.xml (file attached).
        2. Log in as joe and run the query above in MDX. Verify that only the children of CA display. See attached screenshot.
        3. Modify the schema so that the Admin MemberGrant = 'OR' (since only Admin can run the MDX).
        4. Publish the schema.
        5. Log in as joe and run the query above in MDX. Verify that only the children of OR display. See attached screenshot.

          People

          • Assignee: Li Deng
          • Reporter: Sarah Gerweck
          • Votes: 0
          • Watchers: 1