Pentaho metadata provides a Security Information property that allows you to define table or column level security that the Pentaho BI Server can make use of. Before you can use this property, you need to tell the Pentaho Metadata Editor about your Pentaho BI Server, so that the program can retrieve the list of Users, Roles and Access Control Lists needed.
Setting Up the Security Service
The security information used in the business model needs to be retrieved from a Pentaho BI Server, so make sure you have the following information available before you attempt to configure security:
- The base URL to the Pentaho BI Server, as well as the name of the service to execute security information retrieval. In the demo server, the base URL is http://localhost:8080/pentaho, and the default name for the service is ServiceAction. Ask your server administrator if changes were made to this service.
- An admin set of credentials for the server.
Security Service Settings
- From the main menu, select the Security Service option from the Tools menu.
- The Security Service dialog displays.
- On the Service tab, enter the Service URL for your server. This is a URL combining the base URL and the service name. The demo server's Service URL is http://localhost:8080/pentaho/ServiceAction.
- Next, select the level of detailed security information you want: All, Users or Roles. If you have hundreds of users in your system, you probably only want to return the roles, and use roles for security information properties. The access control lists are returned with all three options.
- In the username field, provide an admin level username to authenticate with the server.
- And last, enter the password for the user specified above.
You can click the Test button to be sure the settings are correct, and your server is accessible. You should see a message similar to the following:
You will at times want to work on your model, and may not have access to your Pentaho BI Server. You can save your security information in a file, and the Pentaho Metadata Editor will be just as happy to retrieve your settings from that file instead of making a trip to the server every time you open this domain.
- Follow the steps above to configure your security settings.
- Click the Test button to show the security information from the server.
- Copy all of the XML between the <content></content> tags, including the content tags themselves.
- Paste the XML into your favorite text editor, and save the file as metadata_security.xml, in a location of your choosing.
- Switch to the File tab in the Security Service dialog.
- Browse to the file that you just saved.
- Click OK when you are done.
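The copy-and-save steps above can also be scripted. The following is an added example, not part of the original page or Pentaho's own code: it extracts the <content> element from a saved copy of the Test output, checks that it is well-formed, and writes metadata_security.xml readable only by its owner. The outer envelope and the element names inside <content> are assumptions in a constructed sample, and the function names are hypothetical.

```python
import os
import re
import xml.etree.ElementTree as ET

# Constructed sample of Test-button output. The <response> envelope and the
# element names inside <content> are assumptions, not taken from the page.
SAMPLE_RESPONSE = """<response>
  <status>ok</status>
  <content>
    <users><user>joe</user><user>suzy</user></users>
    <roles><role>Admin</role><role>ceo</role></roles>
    <acls><acl><name>Execute</name><mask>1</mask></acl></acls>
  </content>
</response>"""


def extract_content(response_text):
    """Return the <content>...</content> element, tags included, as text."""
    matches = re.findall(r"<content>.*?</content>", response_text, flags=re.DOTALL)
    if len(matches) != 1:
        raise ValueError(f"expected one <content> element, found {len(matches)}")
    snippet = matches[0]
    # Parsing catches a truncated or mangled copy (raises ET.ParseError).
    # The snippet starts at <content>, so it cannot carry a DOCTYPE or entities.
    root = ET.fromstring(snippet)
    if len(root) == 0:
        raise ValueError("<content> element has no child elements")
    return snippet


def save_security_file(response_text, path="metadata_security.xml"):
    """Write the extracted element to path, created owner read/write only."""
    snippet = extract_content(response_text)
    # The file lists users, roles and ACLs, so keep group/other access off.
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC
    fd = os.open(path, flags, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(snippet)
    return path
```

The 0o600 mode applies only when the file is newly created on a POSIX system; an existing file keeps its current permissions.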
Modifying Security Constraints
To add security constraints to a specific business table or column, first bring up the properties dialog, and then click the add property button:
Select the Security Information property and click OK.
With the security property available, now add the individual role or user permissions to the business model, table, or column. These permissions will then be enforced within Pentaho's BI Platform after publishing the new metadata model.
Configuring the Pentaho BI Server
(This section is obsolete, as of 3.7 or earlier. SecurityAwareCwmSchemaFactory was deprecated according to Javadoc. Does anybody know the new config required?)
By default, the Pentaho BI Server's Metadata configuration is not security aware. To enable security aware metadata on the Pentaho BI Server, modify the pentaho-solutions/system/pentaho.xml:
replace this line:
- Note that permissions must be explicitly defined in metadata when using the SecurityAwareCwmSchemaFactory. Existing metadata model files that do not specify security constraints will not appear until configured correctly.