Security Issues
The following tips provide help with adjusting log file output, examining logs for signs of configuration errors, and possible issues and related solutions during LDAP configuration:
- Increase Security Log Levels in the Pentaho Server
- Log Output Security Analysis
- LDAP Roles Issues with Admin and Authenticated
- With LDAP Authentication, the PDI Repository Explorer is Empty
- LDAP Incorrectly Authenticates User IDs That Do Not Match Letter Case
See Pentaho Troubleshooting articles for additional topics.
Increase Security Log Levels in the Pentaho Server
The security logging facilities of the Pentaho Server are set to ERROR by default, which may not supply enough details for troubleshooting and testing.
The following procedure explains how to set up verbose logging which increases the level of detail in the Pentaho Server logs for security-related messages.
- Stop the Pentaho Server with the following script:
sh /usr/local/pentaho/server/pentaho-server/stop-pentaho.sh
- Open the /pentaho/server/pentaho-server/tomcat/webapps/pentaho/WEB-INF/classes/log4j.xml file with a text editor.
- Use XML comments (<!-- -->) to disable all of the Threshold parameters in all of the appender elements.
- Change the priority value in the <root> section to one of the following logging levels: WARN, ERROR, FATAL, or DEBUG (depending on which level you prefer):
<root>
  <priority value="DEBUG" />
  <appender-ref ref="PENTAHOCONSOLE"/>
  <appender-ref ref="PENTAHOFILE"/>
</root>
- Add the following log statements directly above the root element:
<!-- all Spring Security classes will be set to DEBUG -->
<category name="org.springframework.security">
  <priority value="DEBUG" />
</category>
<!-- all Pentaho security-related classes will be set to DEBUG -->
<category name="org.pentaho.platform.engine.security">
  <priority value="DEBUG" />
</category>
<category name="org.pentaho.platform.plugin.services.security">
  <priority value="DEBUG" />
</category>
- Save and close the file, then edit the Spring Security configuration file that corresponds with your security back end in the /pentaho/server/pentaho-server/pentaho-solutions/system/ directory. The file will be one of the following options:
applicationContext-spring-security-memory.xml
applicationContext-spring-security-jdbc.xml
applicationContext-spring-security-ldap.xml
- Find the daoAuthenticationProvider bean definition, then add the following property anywhere inside of it (before the </bean> tag):
<property name="hideUserNotFoundExceptions" value="false" />
- Save the file and close the text editor.
- Start the Pentaho Server with the following script:
sh /usr/local/pentaho/server/pentaho-server/start-pentaho.sh
For this example, Pentaho Server security logging is now globally set to DEBUG, which provides verbose logging for debugging security configuration problems. All Pentaho Server messages will be collected in the /pentaho/server/pentaho-server/logs/pentaho.log file.
When you are finished configuring and testing the Pentaho Server, you should decrease verbose logging down to a less detailed level, such as ERROR, to prevent pentaho.log from growing too large.
Enable Extra LDAP Security Logging
If you need more LDAP-related security details in pentaho.log, or if you are specifically having difficulty with LDAP authentication configuration, perform the following steps to set up verbose logging.
These instructions are for testing and pre-production only. User names and passwords will be displayed in the log file in plain text.
- Stop the Pentaho Server.
- Go to the /pentaho/server/pentaho-server/pentaho-solutions/system directory and open the applicationContext-spring-security-ldap.xml file with a text editor.
- Locate the bean declaration for DefaultLdapAuthenticationProvider and replace the constructor-arg bean with the following new bean:
Old Bean:
<constructor-arg>
  <ref bean="authenticator" />
</constructor-arg>
New Bean:
<constructor-arg>
  <ref bean="ldapAuthenticatorProxy" />
</constructor-arg>
- In the same directory, locate and open the pentaho-spring-beans.xml file.
- Add the following import line to the list of files:
<import resource="applicationContext-logging.xml" />
- Save and close the file.
- Locate the /pentaho-server/tomcat/webapps/pentaho/WEB-INF/classes directory and open the log4j.xml file with a text editor.
- Add this category to the log4j.xml file.
<category name="org.springframework.security.providers">
  <priority value="DEBUG"/>
</category>
- Save and close the file, then start the Pentaho Server.
You will now have verbose LDAP-specific log messages in pentaho.log, which include login credentials for every user that tries to log on.
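Both procedures above are hand edits of log4j.xml, so it is easy to leave a Threshold param uncommented or a category missing. The following Python script is an added check written for this page (it is not a Pentaho tool): it parses a log4j.xml in the layout shown above and reports Threshold params that are still active, the root priority, which of the three security categories are not at DEBUG, and whether the org.springframework.security.providers category from the LDAP procedure is at DEBUG, since that is the setting that writes credentials to pentaho.log in plain text. The sample XML is constructed for the example and is not a copy of the file the Pentaho Server ships.

```python
import xml.etree.ElementTree as ET

# Constructed sample log4j.xml, modelled on the fragments in the procedures
# above; it is not a copy of the Pentaho Server's shipped file.
SAMPLE_LOG4J = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE log4j:configuration SYSTEM "log4j.dtd">
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="PENTAHOCONSOLE" class="org.apache.log4j.ConsoleAppender">
    <param name="Threshold" value="ERROR"/>
  </appender>
  <appender name="PENTAHOFILE" class="org.apache.log4j.RollingFileAppender">
    <!-- <param name="Threshold" value="ERROR"/> -->
  </appender>
  <category name="org.springframework.security">
    <priority value="DEBUG"/>
  </category>
  <category name="org.springframework.security.providers">
    <priority value="DEBUG"/>
  </category>
  <root>
    <priority value="DEBUG"/>
    <appender-ref ref="PENTAHOCONSOLE"/>
    <appender-ref ref="PENTAHOFILE"/>
  </root>
</log4j:configuration>
"""

# Categories the first procedure sets to DEBUG.
REQUIRED_DEBUG_CATEGORIES = (
    "org.springframework.security",
    "org.pentaho.platform.engine.security",
    "org.pentaho.platform.plugin.services.security",
)
# Category from the LDAP procedure: at DEBUG, pentaho.log carries plaintext credentials.
CREDENTIAL_LOGGING_CATEGORY = "org.springframework.security.providers"


def audit_log4j(xml_text):
    """Return the root priority and a list of findings for a log4j.xml document."""
    # The parser drops XML comments, so a commented-out Threshold is not reported.
    root = ET.fromstring(xml_text)
    findings = []

    for appender in root.findall("appender"):
        for param in appender.findall("param"):
            if param.get("name") == "Threshold":
                findings.append(
                    f"appender {appender.get('name')} still has "
                    f"Threshold={param.get('value')}; messages below that level are filtered"
                )

    priorities = {}
    for category in root.findall("category"):
        prio = category.find("priority")
        priorities[category.get("name")] = prio.get("value") if prio is not None else None

    for name in REQUIRED_DEBUG_CATEGORIES:
        if priorities.get(name) != "DEBUG":
            findings.append(f"category {name} is not at DEBUG (found {priorities.get(name)})")

    if priorities.get(CREDENTIAL_LOGGING_CATEGORY) == "DEBUG":
        findings.append(
            f"category {CREDENTIAL_LOGGING_CATEGORY} is at DEBUG: user names and passwords "
            "will be written to pentaho.log in plain text; testing and pre-production only"
        )

    root_priority = None
    root_el = root.find("root")
    if root_el is not None and root_el.find("priority") is not None:
        root_priority = root_el.find("priority").get("value")

    return {"root_priority": root_priority, "findings": findings}


if __name__ == "__main__":
    result = audit_log4j(SAMPLE_LOG4J)
    print("root priority:", result["root_priority"])
    for finding in result["findings"]:
        print("-", finding)
```

Run it against the real file with `audit_log4j(open(path).read())` before starting the server; an empty findings list plus a DEBUG root priority means the first procedure was applied completely, and the plaintext-credential finding is the reminder to revert the LDAP category before production.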
Log Output Security Analysis
The following examples help to determine the location of security configuration issues in the pentaho.log:
- When you request a page that is protected, but you are not yet logged on, you should see an exception in the log which looks like the following text:
DEBUG [ExceptionTranslationFilter] Access is denied (user is anonymous); redirecting to authentication entry point org.springframework.security.AccessDeniedException: Access is denied
- When the user name and/or password does not match what is stored in the back end, you should see a log message like the following text:
WARN [LoggerListener] Authentication event AuthenticationFailureBadCredentialsEvent: suzy; details: org.springframework.security.ui.WebAuthenticationDetails@fffd148a: RemoteIpAddress: 127.0.0.1; SessionId: 976C95033136070E0200D6DA26CB0277; exception: Bad credentials
- When the user name and password match, you should see a log message that looks like the following example:
WARN [LoggerListener] Authentication event InteractiveAuthenticationSuccessEvent: suzy; details: org.springframework.security.ui.WebAuthenticationDetails@fffd148a: RemoteIpAddress: 127.0.0.1; SessionId: 976C95033136070E0200D6DA26CB0277
DEBUG [HttpSessionContextIntegrationFilter] SecurityContext stored to HttpSession: 'org.springframework.security.context.SecurityContextImpl@2b86afeb: Authentication: org.springframework.security.providers.UsernamePasswordAuthenticationToken@2b86afeb: Username: org.springframework.security.userdetails.ldap.LdapUserDetailsImpl@d7f51e; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.ui.WebAuthenticationDetails@fffd148a: RemoteIpAddress: 127.0.0.1; SessionId: 976C95033136070E0200D6DA26CB0277; Granted Authorities: ROLE_CTO, ROLE_IS, ROLE_AUTHENTICATED'
After the InteractiveAuthenticationSuccessEvent, one of the filters will show the roles fetched for the authenticated user. Compare these roles to the page-role mapping found in the filterInvocationInterceptor bean in applicationContext-spring-security.xml.
If you are troubleshooting LDAP problems, look for log output similar to the following text:
DEBUG [DirMgrBindAuthenticator] (LoggingInterceptor) Return value: LdapUserInfo: org.springframework.security.providers.ldap.LdapUserInfo@1f31c64[dn=uid=suzy,ou=users,ou=system,attributes={mail=mail: suzy.pentaho@pentaho.org, uid=uid: suzy, userpassword=userpassword: [B@e17c9c, businesscategory=businesscategory: cn=cto,ou=roles,ou=system, cn=is,ou=roles,ou=system, objectclass=objectClass: organizationalPerson, person, groupOfUniqueNames, inetOrgPerson, top, uniquemember=uniquemember: cn=cto, ou=roles, cn = is , ou = roles, sn=sn: Pentaho, cn=cn: suzy}]
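Reading these messages by eye works for one login; for a busy pentaho.log it helps to extract them. The following Python script is an added example (not part of the Pentaho documentation) that applies the message patterns above to a few constructed log lines: it pulls the LoggerListener authentication events apart into event type, user, remote address and session, attaches the Granted Authorities from the SecurityContext line that follows a success, and counts bad-credential failures per user and source address so repeated failures stand out. The failure threshold is an assumed tuning value for the example.

```python
import re
from collections import Counter

# Constructed sample lines modelled on the pentaho.log excerpts above; not a real log.
SAMPLE_LOG = """\
DEBUG [ExceptionTranslationFilter] Access is denied (user is anonymous); redirecting to authentication entry point org.springframework.security.AccessDeniedException: Access is denied
WARN [LoggerListener] Authentication event AuthenticationFailureBadCredentialsEvent: suzy; details: org.springframework.security.ui.WebAuthenticationDetails@fffd148a: RemoteIpAddress: 127.0.0.1; SessionId: 976C95033136070E0200D6DA26CB0277; exception: Bad credentials
WARN [LoggerListener] Authentication event AuthenticationFailureBadCredentialsEvent: suzy; details: org.springframework.security.ui.WebAuthenticationDetails@fffd148a: RemoteIpAddress: 127.0.0.1; SessionId: 976C95033136070E0200D6DA26CB0277; exception: Bad credentials
WARN [LoggerListener] Authentication event AuthenticationFailureBadCredentialsEvent: suzy; details: org.springframework.security.ui.WebAuthenticationDetails@fffd148a: RemoteIpAddress: 127.0.0.1; SessionId: 976C95033136070E0200D6DA26CB0277; exception: Bad credentials
WARN [LoggerListener] Authentication event InteractiveAuthenticationSuccessEvent: suzy; details: org.springframework.security.ui.WebAuthenticationDetails@fffd148a: RemoteIpAddress: 127.0.0.1; SessionId: 976C95033136070E0200D6DA26CB0277
DEBUG [HttpSessionContextIntegrationFilter] SecurityContext stored to HttpSession: 'org.springframework.security.context.SecurityContextImpl@2b86afeb: Authentication: org.springframework.security.providers.UsernamePasswordAuthenticationToken@2b86afeb: Username: org.springframework.security.userdetails.ldap.LdapUserDetailsImpl@d7f51e; Password: [PROTECTED]; Authenticated: true; Details: org.springframework.security.ui.WebAuthenticationDetails@fffd148a: RemoteIpAddress: 127.0.0.1; SessionId: 976C95033136070E0200D6DA26CB0277; Granted Authorities: ROLE_CTO, ROLE_IS, ROLE_AUTHENTICATED'
"""

# Fields of a LoggerListener event line: event class, user, remote address, session.
EVENT_RE = re.compile(
    r"Authentication event (?P<event>\w+): (?P<user>[^;]+); details: "
    r".*?RemoteIpAddress: (?P<ip>[^;]+); SessionId: (?P<session>[0-9A-Fa-f]+)"
)
# Authorities listed on the SecurityContext line that follows a successful login.
ROLES_RE = re.compile(r"Granted Authorities: (?P<roles>[^']*)'")


def parse_events(log_text):
    """Extract authentication events as dicts (event, user, ip, session, roles)."""
    events = []
    for line in log_text.splitlines():
        match = EVENT_RE.search(line)
        if match:
            events.append({**match.groupdict(), "roles": None})
            continue
        roles = ROLES_RE.search(line)
        if roles and events and events[-1]["event"] == "InteractiveAuthenticationSuccessEvent":
            # The SecurityContext line carries the authorities granted to the
            # user whose success event was logged immediately before it.
            events[-1]["roles"] = [r.strip() for r in roles.group("roles").split(",")]
    return events


def summarize(events, failure_threshold=3):
    """Count bad-credential failures per (user, ip), record the roles granted on
    success, and flag (user, ip) pairs at or above failure_threshold (assumed value)."""
    failures = Counter()
    successes = {}
    for event in events:
        key = (event["user"], event["ip"])
        if event["event"] == "AuthenticationFailureBadCredentialsEvent":
            failures[key] += 1
        elif event["event"] == "InteractiveAuthenticationSuccessEvent":
            successes[key] = event["roles"]
    flagged = [key for key, count in failures.items() if count >= failure_threshold]
    return {"failures": dict(failures), "successes": successes, "flagged": flagged}


if __name__ == "__main__":
    summary = summarize(parse_events(SAMPLE_LOG))
    for (user, ip), count in summary["failures"].items():
        print(f"{user} from {ip}: {count} bad-credential failures")
    for (user, ip), roles in summary["successes"].items():
        print(f"{user} from {ip} logged in with roles {roles}")
    print("flagged:", summary["flagged"])
```

The roles printed for a successful login are the ones to compare against the filterInvocationInterceptor mapping; a user who can log in but lands on an empty or forbidden page usually shows the problem right here, in the Granted Authorities list.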
LDAP Roles Issues with Admin and Authenticated
You must not use Admin and Authenticated roles in your LDAP. Instead, you must configure your system to use pentahoAdmins and pentahoUsers or other easily identifiable role names.
Open /pentaho-solutions/system/applicationContext-spring-security.xml in a text editor. At the bottom of this file, you will find a number of entries that look like:
\A/docs/.*\Z=Anonymous,Authenticated
These are entries for URL security. Each entry is a regular expression that is matched against the path in the browser's URL, followed by the roles a user must hold to gain access. For this example, both Anonymous and Authenticated gain access.
We replace Authenticated with pentahoUsers by entering \A/docs/.*\Z=Anonymous,pentahoUsers. For all entries that show Authenticated, replace it with pentahoUsers or your chosen name. Replace Admin with pentahoAdmins or your chosen name.
For the change from Authenticated to pentahoUsers, replace all occurrences. For Admin to pentahoAdmins you need to be a little more careful, because there are some entries that look like this: \A/admin.*\Z=pentahoAdmins. Here the word admin also appears in the path pattern on the left of the =, and only the role name on the right should change.
Edit the /pentaho-solutions/system/repository.spring.xml file and make the following changes.
From:
<bean id="singleTenantAuthenticatedAuthorityName" class="java.lang.String">
  <constructor-arg value="Authenticated" />
</bean>
To:
<bean id="singleTenantAuthenticatedAuthorityName" class="java.lang.String">
  <constructor-arg value="pentahoUsers" />
</bean>
From:
<bean id="singleTenantAdminAuthorityName" class="java.lang.String">
  <constructor-arg value="Admin" />
</bean>
To:
<bean id="singleTenantAdminAuthorityName" class="java.lang.String">
  <constructor-arg value="pentahoAdmins" />
</bean>
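The rename of the URL security entries is where a careless search-and-replace does damage. The following Python helper is an added example (not from the Pentaho documentation) that performs the rename on pattern=roles entries by touching only the role list after the =, so a path pattern such as \A/admin.*\Z is left intact, and then evaluates a path against the renamed entries in file order, which is a convenient way to compare the Granted Authorities seen in pentaho.log with the page-role mapping. The sample entries are constructed; first-match-wins ordering and treating a path with no matching entry as unprotected are assumptions of the example, not statements about how the Pentaho Server interprets the file.

```python
import re

# Role renames the page recommends; change the right-hand names to your chosen ones.
ROLE_RENAMES = {"Authenticated": "pentahoUsers", "Admin": "pentahoAdmins"}

# Constructed sample of URL security entries in the pattern=role,role form.
SAMPLE_RULES = "\n".join([
    r"\A/docs/.*\Z=Anonymous,Authenticated",
    r"\A/admin.*\Z=Admin",
    r"\A/.*\Z=Authenticated",
]) + "\n"


def rename_roles(rules_text, renames=ROLE_RENAMES):
    """Rename role names on the right-hand side of each pattern=roles entry.

    Only the comma-separated role list after the last '=' is rewritten, so the
    regular expression on the left (for example one containing /admin) is unchanged.
    Lines without an '=' are copied through untouched.
    """
    out = []
    for line in rules_text.splitlines():
        if "=" not in line:
            out.append(line)
            continue
        pattern, roles = line.rsplit("=", 1)
        new_roles = [renames.get(role.strip(), role.strip()) for role in roles.split(",")]
        out.append(f"{pattern}={','.join(new_roles)}")
    return "\n".join(out) + ("\n" if rules_text.endswith("\n") else "")


def parse_rules(rules_text):
    """Parse entries into (compiled pattern, set of role names) in file order."""
    rules = []
    for line in rules_text.splitlines():
        line = line.strip()
        if not line or "=" not in line:
            continue
        pattern, roles = line.rsplit("=", 1)
        rules.append((re.compile(pattern), {role.strip() for role in roles.split(",")}))
    return rules


def allowed(path, granted_roles, rules):
    """Decide access for a path using the first entry whose pattern matches.

    Assumptions of this example: the first matching entry decides, and a path
    that no entry matches is not protected by this map.
    """
    for pattern, roles in rules:
        if pattern.search(path):
            return bool(roles & set(granted_roles))
    return True


if __name__ == "__main__":
    renamed = rename_roles(SAMPLE_RULES)
    print(renamed)
    rules = parse_rules(renamed)
    print("/admin/users with pentahoAdmins:", allowed("/admin/users", ["pentahoAdmins"], rules))
    print("/admin/users with pentahoUsers:", allowed("/admin/users", ["pentahoUsers"], rules))
```

The third assertion-worthy case is the old name: once the entries are renamed, a user whose directory still grants Admin is refused on \A/admin.*\Z, which is exactly the symptom to expect when the LDAP side and the XML side of the rename are out of step.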
With LDAP Authentication, the PDI Repository Explorer is Empty
If you log on to a solution repository from the PDI client before you switch authentication to LDAP, then the repository IDs and security structures will be broken. You will not see an error message, but the solution repository explorer will be empty and you will not be able to create new folders or save PDI content.
To fix the problem, you will have to delete the security settings established with the previously used authentication method, which will force the Pentaho Server to regenerate them for LDAP.
Following this procedure will destroy any previously defined Pentaho Repository users, roles, and access controls. You should back up the files that you delete in these instructions.
- Stop the Pentaho Server.
- Delete the security and default directories from the following directory: /pentaho-solutions/system/jackrabbit/repository/workspaces/.
- Start the Pentaho Server.
You should now have a proper LDAP-based Pentaho Repository that can store content and create new directories.
LDAP Incorrectly Authenticates User IDs That Do Not Match Letter Case
Some LDAP implementations are case-insensitive, most notably Microsoft Active Directory. When using one of these LDAP distributions as a Pentaho Server authentication back end, you might run into an issue where a valid user name with invalid letter cases will improperly validate. For instance, if Bill is the valid user ID, and someone types in bILL at the User Console login screen, that name will authenticate, but it might have improper access to parts of the Pentaho Server.
Perform the following steps to force case-sensitivity for user names and fix this potential security risk:
- Stop the Pentaho Server.
- Edit the /pentaho/server/pentaho-server/pentaho-solutions/system/applicationContext-spring-security-ldap.xml file.
- Find <bean class="org.pentaho.platform.plugin.services.security.userrole.ldap.DefaultLdapAuthenticationProvider">, and below the last </constructor-arg> element inside it, add the <property> definition shown in the following example:
<property name="userDetailsContextMapper">
  <ref bean="ldapContextMapper" />
</property>
- After the </bean> tag for daoAuthenticationProvider, add the following bean definition, changing the ldapUsernameAttribute from samAccountName to the value that matches your environment:
<bean id="ldapContextMapper" class="org.pentaho.platform.engine.security.UseridAttributeLdapContextMapper">
  <property name="ldapUsernameAttribute" value="samAccountName" />
</bean>
- Start the Pentaho Server.
The Pentaho Server will now force case sensitivity in LDAP user names.
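To make the risk concrete, the following Python illustration is an added example (not Pentaho's code, and not a copy of what UseridAttributeLdapContextMapper does internally) of a case-insensitive directory lookup beside a lookup that insists on an exact, case-preserving match with the directory's samAccountName value. The toy directory and folder ACL are constructed for the example; the attribute name samAccountName is the one the page uses.

```python
# Constructed toy directory in the style of a case-insensitive back end such as
# Active Directory: lookups ignore case, but the stored user ID keeps its case.
DIRECTORY = {
    "bill": {"samAccountName": "Bill", "memberOf": ["pentahoUsers"]},
    "suzy": {"samAccountName": "suzy", "memberOf": ["pentahoUsers", "pentahoAdmins"]},
}

# Constructed repository ACL keyed by the exact user ID that was recorded when
# each home folder was created.
FOLDER_ACL = {"/home/Bill": {"Bill"}, "/home/suzy": {"suzy"}}


def directory_lookup(user_id):
    """Case-insensitive search, the behaviour the page describes for Active Directory."""
    return DIRECTORY.get(user_id.lower())


def principal_without_mapper(user_id):
    """Without the mapper, the ID as typed becomes the principal whenever the
    directory finds an entry, so 'bILL' authenticates as 'bILL' although the
    directory stores 'Bill'."""
    return user_id if directory_lookup(user_id) is not None else None


def principal_with_exact_match(user_id, attribute="samAccountName"):
    """Accept the login only when the typed ID is identical, including letter
    case, to the directory attribute; the principal is then the stored value."""
    entry = directory_lookup(user_id)
    if entry is None or entry.get(attribute) != user_id:
        return None
    return entry[attribute]


def can_access(principal, folder):
    """ACL check keyed on the exact principal string."""
    return principal in FOLDER_ACL.get(folder, set())


if __name__ == "__main__":
    for typed in ("Bill", "bILL"):
        loose = principal_without_mapper(typed)
        strict = principal_with_exact_match(typed)
        print(f"typed {typed!r}: loose principal {loose!r} -> /home/Bill access "
              f"{can_access(loose, '/home/Bill')}; strict principal {strict!r}")
```

The loose path is the failure mode on the page: bILL logs in, but the principal string no longer matches the ACL entries written for Bill, so the user ends up with access that differs from what was intended. The strict path refuses the mismatched spelling outright, which is what forcing case sensitivity means in practice.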