Pentaho Analysis - Mondrian
MONDRIAN-691

RolapSchemaReader is not enforcing access control on two APIs

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 3.1.5 GA
    • Component/s: None
    • Labels:
      None

      Description

      There are two methods in RolapSchemaReader where the APIs are not enforcing access control.

      They are:
      RolapSchemaReader::getCubeDimensions
      RolapSchemaReader::getDimensionHierarchies

          Activity

          Julian Hyde added a comment -
          Fixed in change 13555.
          Mat Lowery added a comment -
          Is there any way to validate this?
          Rob Fellows added a comment -
          Benny, can you validate this? If not, can you provide instructions on how to validate it?
          Mat Lowery added a comment - - edited
          From Benny:

          Here are the QA steps to verify:

          1. Add a new role to Mondrian schema that restricts access to a dimension by not allowing the user to access that dimension - http://mondrian.pentaho.org/documentation/schema.php#Access_control
          2. Enable the Mondrian one to one platform role mapper in the Pentaho Spring configuration file
          3. Create a new platform role with the same name as the Mondrian role created in step 1.
          4. Associate the platform role to a user and log in as that user
          5. Verify that in Analyzer - the field list does not include the dimension which has no access

          BTW, I helped Golda a few weeks ago with a similar JIRA where she was verifying that certain members were not visible. This JIRA verifies that whole hierarchy levels are not visible.
          Mat Lowery added a comment -
          Validating
          Mat Lowery added a comment -
          Validated by publishing FoodMart.xml with default Role elements removed and in place a single Role element:

            <Role name="dev">
              <SchemaGrant access="all">
                <CubeGrant cube="Sales" access="all">
                  <HierarchyGrant hierarchy="[Store]" access="none" />
                </CubeGrant>
              </SchemaGrant>
            </Role>

          Enabled MondrianOneToOneUserRoleListMapper in pentahoObjects.spring.xml.

          Was correctly able to see Store dim with joe and suzy. Was correctly not able to see Store dim with pat and tiffany.
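
As an added example (not part of the original comments and not Mondrian's own code), the Python below derives from the schema XML the field list that QA step 5 should observe for a role. The cube, its dimensions and the `full` role are constructed stand-ins for FoodMart.xml; only the `dev` role comes from the comment above, and the grant resolution is a simplified, assumed reading of Mondrian's access-control rules.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for FoodMart.xml. Only the "dev" Role is from the page;
# the cube, its dimensions and the "full" role are made up for this example.
SCHEMA = """
<Schema name="FoodMart">
  <Cube name="Sales">
    <Dimension name="Store"><Hierarchy hasAll="true"/></Dimension>
    <Dimension name="Time">
      <Hierarchy hasAll="false"/>
      <Hierarchy name="Weekly" hasAll="true"/>
    </Dimension>
  </Cube>
  <Role name="dev">
    <SchemaGrant access="all">
      <CubeGrant cube="Sales" access="all">
        <HierarchyGrant hierarchy="[Store]" access="none" />
      </CubeGrant>
    </SchemaGrant>
  </Role>
  <Role name="full"><SchemaGrant access="all"/></Role>
</Schema>
"""

def expected_field_list(schema_xml, role_name, cube_name):
    """Map each dimension the role should see to its visible hierarchies."""
    root = ET.fromstring(schema_xml)
    cube = root.find(f"Cube[@name='{cube_name}']")
    role = root.find(f"Role[@name='{role_name}']")
    if cube is None or role is None:
        raise LookupError("unknown cube or role")
    # Assumed resolution order: HierarchyGrant over CubeGrant over SchemaGrant;
    # a role with no grant at all sees nothing.
    access, per_hierarchy = "none", {}
    for sg in role.findall("SchemaGrant"):
        access = sg.get("access", "none")
        for cg in sg.findall(f"CubeGrant[@cube='{cube_name}']"):
            access = cg.get("access", access)
            for hg in cg.findall("HierarchyGrant"):
                per_hierarchy[hg.get("hierarchy")] = hg.get("access")
    visible = {}
    for dim in cube.findall("Dimension"):
        for hier in dim.findall("Hierarchy"):
            # An unnamed hierarchy takes its dimension's name: [Store].
            suffix = f".{hier.get('name')}" if hier.get("name") else ""
            unique = f"[{dim.get('name')}{suffix}]"
            if per_hierarchy.get(unique, access) != "none":
                visible.setdefault(dim.get("name"), []).append(unique)
    return visible

if __name__ == "__main__":
    for role in ("dev", "full"):
        print(role, expected_field_list(SCHEMA, role, "Sales"))
```

Comparing this expected list with what Analyzer shows for a user in the same role makes step 5 a repeatable check rather than a visual one.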
          Mat Lowery added a comment -
          Validated in biserver-ee-3.6 nightly May 24

            People

            • Assignee:
              Mat Lowery
              Reporter:
              Benny Chow
            • Votes:
              0
              Watchers:
              0
