Pentaho Server security
Pentaho Security is the easiest way to configure security quickly. Pentaho Security works well if you do not have a security provider or if you have a user community with fewer than 100 users.
The User Console enables you to define security by users and roles. The Pentaho Server controls which users and roles can access web resources through the User Console or resources in the Pentaho Repository.
Restrict or share files and folders
Procedure
Log in to the User Console using the administrator role.
From the Browse Files page, choose the folder you want to set permissions on from the Folders pane.
If you want to set permissions on a specific file within that folder, click to highlight the file in the center Files pane.
Click Properties in the Actions pane on the right.
The Properties window appears.
On the Share tab, highlight the Role that you want to set permissions for, then clear the check box next to Inherits folder permissions.
The Permissions for [Role] field becomes accessible.
Select the permissions for that role using the check boxes and click OK.
Pass authentication credentials in URL parameters
By default, the Pentaho Server does not accept authentication credentials passed as URL parameters. To enable this, modify the security properties file on the Pentaho Server. Here is how to configure the Pentaho Server to accept credentials in a URL.
Procedure
Go to the pentaho-server/pentaho-solutions/system directory and open the security.properties file.
Set the requestParameterAuthenticationEnabled property to true like this:
requestParameterAuthenticationEnabled=true
Save and close the file.
Stop and restart the Pentaho Server.
Test the configuration by passing a username and password as URL parameters to one of the already-installed sample reports, like this:
http://localhost:8080/pentaho/api/repos/%3Apublic%3ASteel%20Wheels%3ACountry%20Performance%20%28heat%20grid%29.xanalyzer/editor?userid=admin&password=password
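Credentials passed this way are part of the request line, so they are written to web server and proxy access logs. The following added example (not from the Pentaho documentation) scans access-log lines for the userid and password parameters used in the test URL above and masks the password value before the line is reported. The common log format and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names taken from the test URL on this page.
CREDENTIAL_PARAMS = ("userid", "password")
# Request line of a common/combined-format access log entry.
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

def redact_target(target):
    """Return (target with password values masked, credential params seen)."""
    parts = urlsplit(target)
    seen, query = [], []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in CREDENTIAL_PARAMS:
            seen.append(name.lower())
        if name.lower() == "password":
            value = "REDACTED"
        query.append((name, value))
    return urlunsplit(parts._replace(query=urlencode(query))), seen

def scan_access_log(lines):
    """Return (line number, redacted line, params) for each request that
    carried credentials in its query string."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        redacted, seen = redact_target(match.group("target"))
        if seen:
            start, end = match.span("target")
            hits.append((number, line[:start] + redacted + line[end:], seen))
    return hits

# Constructed sample log lines (addresses, paths and credentials are made up).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /pentaho/Home HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2024:10:00:05 +0000] "GET /pentaho/api/repos/'
    '%3Apublic%3Asample.xanalyzer/editor?userid=suzy&password=example-pass HTTP/1.1" 200 2048',
    '192.0.2.12 - - [01/Jan/2024:10:00:09 +0000] "GET /pentaho/Home?locale=en HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for number, line, seen in scan_access_log(SAMPLE_LOG):
        print(f"line {number}: credentials in URL ({', '.join(seen)}): {line}")
```

The user ID is left readable so the affected account can be identified and its password rotated.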
Remove security
You can remove security by enabling anonymous access or by modifying data source management.
Enable anonymous access
You can bypass the built-in security on the Pentaho Server by giving all permissions to anonymous users. An "anonymousUser" is any user, either existing or newly created, that you specify as an all-permissions, no-login user, and to whom you grant the Anonymous role.
All of the files you will be using are located in the /pentaho/server/pentaho-server/pentaho-solutions/system directory. Before you begin, stop the Pentaho Server.
Modify application security
Procedure
Open the applicationContext-spring-security.xml file with any text editor.
Make sure that a default anonymous role is defined. Match your bean definition and property value to the code shown in the following example:
<bean id="anonymousProcessingFilter" class="org.springframework.security.web.authentication.AnonymousAuthenticationFilter">
  <constructor-arg value="foobar" />
  <constructor-arg value="anonymousUser" />
  <constructor-arg>
    <list>
      <bean class="org.springframework.security.core.authority.SimpleGrantedAuthority">
        <constructor-arg value="Anonymous" />
      </bean>
    </list>
  </constructor-arg>
</bean>
Note: These next steps permit PDI client tools to publish to the Pentaho Server without having to supply a user name and password.
Find these two beans in the same file from the previous step:
filterInvocationInterceptor
filterInvocationInterceptorForWS
Locate the securityMetadataSource property inside the beans and match the contents to the code shown in the following example:
<bean id="filterInvocationInterceptor" class="org.springframework.security.web.access.intercept.FilterSecurityInterceptor">
  <property name="authenticationManager" ref="authenticationManager" />
  <property name="accessDecisionManager" ref="httpRequestAccessDecisionManager" />
  <property name="securityMetadataSource">
    <sec:filter-security-metadata-source request-matcher="ciRegex" use-expressions="false">
      <!-- all patterns have Anonymous role access -->
      <sec:intercept-url pattern="\A/.*\Z" access="Anonymous,Authenticated" />
    </sec:filter-security-metadata-source>
  </property>
</bean>
Save and close the applicationContext-spring-security.xml file.
Modify Pentaho configuration
Procedure
Open the pentaho.xml file with the text editor.
Find the anonymous-authentication lines of the pentaho-system section, and define the anonymous user and role as shown in the following code example:
<pentaho-system>
  <!-- omitted -->
  <anonymous-authentication>
    <anonymous-user>anonymousUser</anonymous-user>
    <anonymous-role>Anonymous</anonymous-role>
  </anonymous-authentication>
  <!-- omitted -->
</pentaho-system>
Save and close the pentaho.xml file.
Modify repository properties
Procedure
Open the repository-spring.properties file with the text editor.
Find the singleTenantAdminAuthorityName and replace the value with Anonymous.
Find the singleTenantAdminUserName and replace the value with the name <your anonymous user>.
Save and close the repository-spring.properties file.
Map the appropriate role
Procedure
Find all references to the bean id="Mondrian-UserRoleMapper" and make sure that the only mapper uncommented (active) is the one shown in the following code example:
<bean id="Mondrian-UserRoleMapper" name="Mondrian-SampleUserSession-UserRoleMapper" class="org.pentaho.platform.plugin.action.mondrian.mapper.MondrianUserSessionUserRoleListMapper" scope="singleton">
  <property name="sessionProperty" value="MondrianUserRoles" />
</bean>
If you have made any changes to pentahoObjects.spring.xml, save and close the file.
Remove security from data source management
Perform the following steps to completely remove security from the Pentaho Server:
Procedure
If you need to, stop the Pentaho Server.
Open the /pentaho/server/pentaho-server/pentaho-solutions/system/data-access/settings.xml file with a text editor.
Find the <data-access-roles>Administrator</data-access-roles> line in the file and change the following text: Administrator to Anonymous
Find the <data-access-view-roles>Authenticated,Administrator</data-access-view-roles> line in the file and change the following text: Authenticated,Administrator to Anonymous
Find the <data-access-view-users>suzy</data-access-view-users> line and change the following text: suzy to anonymousUser
Find the <data-access-datasource-solution-storage>admin</data-access-datasource-solution-storage> line and change the following text: admin to anonymousUser
Save and close the file.
Restart the Pentaho Server.
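For reviewing whether a server has been left in the state these procedures produce, the following added example (not Pentaho's own code) checks configuration text for the property values, data-access roles and catch-all intercept-url rule shown on this page. The sample inputs, the settings root element, the public-page pattern and the probe path are constructed assumptions, and Python's re module stands in for the Java regex engine behind the ciRegex matcher.

```python
import re
import xml.etree.ElementTree as ET

PROBE = "/constructed/probe/path"  # arbitrary path; only a catch-all rule matches it

def audit_properties(text):
    """Flag the two property values this page sets (security.properties,
    repository-spring.properties). Minimal key=value parsing, no continuations."""
    props = dict(
        (k.strip(), v.strip())
        for k, _, v in (ln.partition("=") for ln in text.splitlines())
        if k.strip() and not k.lstrip().startswith(("#", "!"))
    )
    findings = []
    if props.get("requestParameterAuthenticationEnabled", "").lower() == "true":
        findings.append("requestParameterAuthenticationEnabled=true")
    if props.get("singleTenantAdminAuthorityName") == "Anonymous":
        findings.append("singleTenantAdminAuthorityName=Anonymous")
    return findings

def audit_xml(xml_text):
    """Flag Anonymous in data-access role elements and in catch-all intercept-url rules."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        tag = el.tag.rsplit("}", 1)[-1]  # drop any XML namespace
        if tag in ("data-access-roles", "data-access-view-roles"):
            if "Anonymous" in [r.strip() for r in (el.text or "").split(",")]:
                findings.append(f"{tag} includes Anonymous")
        elif tag == "intercept-url":
            roles = [r.strip() for r in el.get("access", "").split(",")]
            # ciRegex: case-insensitive regex patterns (Python re as an approximation)
            if "Anonymous" in roles and re.fullmatch(el.get("pattern", ""), PROBE, re.I):
                findings.append(f"intercept-url {el.get('pattern')} grants Anonymous to every path")
    return findings

# Constructed sample inputs mirroring the settings shown on this page.
SAMPLE_PROPS = "requestParameterAuthenticationEnabled=true\nsingleTenantAdminAuthorityName=Anonymous\n"
SAMPLE_SETTINGS = "<settings><data-access-roles>Anonymous</data-access-roles></settings>"
SAMPLE_SPRING = (
    '<beans xmlns="http://www.springframework.org/schema/beans" '
    'xmlns:sec="http://www.springframework.org/schema/security">'
    '<sec:intercept-url pattern="\\A/.*\\Z" access="Anonymous,Authenticated" />'
    '<sec:intercept-url pattern="\\A/public-page\\Z" access="Anonymous,Authenticated" />'
    "</beans>"
)

if __name__ == "__main__":
    for finding in audit_properties(SAMPLE_PROPS) + audit_xml(SAMPLE_SETTINGS) + audit_xml(SAMPLE_SPRING):
        print("FINDING:", finding)
```

The intercept-url check reports only rules that match an arbitrary path, so a rule that opens a single page to the Anonymous role is not flagged.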