Hitachi Vantara Pentaho Community Wiki
Child pages
  • How to register a new action based security (ABS) permission from a plugin


To add a new action-based security permission, create an implementation of IAuthorizationAction:

Code Block
package org.pentaho.platform.api.engine;

/**
 *
 * Represents a Logical Role name used by some IAuthorizationPolicy implementations. Also known as Action-Based
 * Security
 *
 * User: nbaker Date: 3/19/13
 */
public interface IAuthorizationAction {
  /**
   * Get the name of the action
   *
   * @return action name
   */
  String getName();

  /**
   * Get the localized display name of action for a specific locale. If null is passed then default locale will be used
   *
   * @param locale
   * @return localized name
   */
  String getLocalizedDisplayName(String locale);
}

This is an example of an EXECUTE permission implementation. The interface allows a localized display name, which this implementation fetches from a local messages.properties.

Code Block
package org.pentaho.platform.plugin.kettle.security.policy.rolebased.actions;

import java.util.ResourceBundle;

import org.pentaho.platform.plugin.kettle.messages.Messages;
import org.pentaho.platform.security.policy.rolebased.actions.AbstractAuthorizationAction;

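public class RepositoryExecuteAction extends AbstractAuthorizationAction {
  // Action name; this is the string later passed to IAuthorizationPolicy.isAllowed()
  public static final String NAME = "org.pentaho.repository.execute";
  ResourceBundle resourceBundle;

  @Override
  public String getName() {
    return NAME;
  }

  // The display name is looked up by NAME in the plugin's messages;
  // the localeString argument is not used by this implementation.
  @Override
  public String getLocalizedDisplayName(String localeString) {
    return Messages.getInstance().getString(NAME);
  }

}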


The last step is to add this new permission to plugin.spring.xml. For the registration to work properly, make sure the ApplicationContextPentahoSystemRegisterer bean class is present in plugin.spring.xml.

Code Block
  <bean class="org.pentaho.platform.engine.core.system.objfac.spring.ApplicationContextPentahoSystemRegisterer" scope="singleton"/>

  <bean class="org.pentaho.platform.plugin.kettle.security.policy.rolebased.actions.RepositoryExecuteAction">
    <pen:publish as-type="INTERFACES">
      <pen:attributes>
        <pen:attr key="priority" value="70"/>
      </pen:attributes>
    </pen:publish>
  </bean>

The new permission is now available in the platform.

To enforce this newly registered permission, invoke the isAllowed method on IAuthorizationPolicy:

Code Block: Enforcing new permission
IAuthorizationPolicy authorizationPolicy = PentahoSystem.get(IAuthorizationPolicy.class, PentahoSessionHolder.getSession());

if(!authorizationPolicy.isAllowed(RepositoryExecuteAction.NAME)) {
  throw new IllegalStateException(org.pentaho.platform.plugin.kettle.messages.Messages.getInstance().getErrorString(
      "PdiAction.ERROR_0010_NO_PERMISSION_TO_EXECUTE")); //$NON-NLS-1$
}
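
The following is an added example, not code from this page or from the Pentaho project: a hypothetical ActionGuard helper that wraps the isAllowed check above so every call site fails closed when the policy or session is missing, and logs denials. The class and package names are made up; it assumes PentahoSystem.get can return null and uses IPentahoSession.getName() in addition to the calls shown above.

```java
package org.example.plugin.security; // hypothetical package for this added example

import java.util.logging.Logger;

import org.pentaho.platform.api.engine.IAuthorizationPolicy;
import org.pentaho.platform.api.engine.IPentahoSession;
import org.pentaho.platform.engine.core.system.PentahoSessionHolder;
import org.pentaho.platform.engine.core.system.PentahoSystem;

/** Hypothetical helper (not part of Pentaho): one fail-closed entry point for ABS checks. */
public final class ActionGuard {
  private static final Logger LOG = Logger.getLogger(ActionGuard.class.getName());

  private ActionGuard() { }

  /** Looks up the policy for the current session and enforces the action. */
  public static void require(String actionName) {
    IPentahoSession session = PentahoSessionHolder.getSession();
    IAuthorizationPolicy policy = PentahoSystem.get(IAuthorizationPolicy.class, session);
    require(policy, session == null ? null : session.getName(), actionName);
  }

  /** Policy passed in explicitly so the check can be unit tested with a stub policy. */
  static void require(IAuthorizationPolicy policy, String user, String actionName) {
    if (actionName == null || actionName.isEmpty()) {
      throw new IllegalArgumentException("actionName is required");
    }
    // Fail closed: no session user or no policy is a denial, not an implicit allow.
    if (user == null || policy == null) {
      LOG.warning("ABS check for '" + actionName + "' denied: no session user or no policy");
      throw new SecurityException("Not authorized: " + actionName);
    }
    if (!policy.isAllowed(actionName)) {
      // Record the denial for audit; the caller sees only the action name.
      LOG.warning("ABS denied action '" + actionName + "' for user '" + sanitize(user) + "'");
      throw new SecurityException("Not authorized: " + actionName);
    }
  }

  /** Replaces CR/LF so a crafted user name cannot forge extra log lines. */
  private static String sanitize(String s) {
    return s.replaceAll("[\\r\\n]", "_");
  }
}
```

A call site then reduces to `ActionGuard.require(RepositoryExecuteAction.NAME);` placed before the protected operation.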