Hi - thanks!

Regarding my first question - I tried as follows:

#properties:
acl.adminRole=ROLE_KYLIN_ADMINS

#LDAP:
[image: inline image 1]

Debug output:

[http-bio-7070-exec-5]:[2015-12-14 12:57:14,757][DEBUG][org.springframework.security.ldap.SpringSecurityLdapTemplate.searchForSingleAttributeValues(SpringSecurityLdapTemplate.java:152)] - Using filter: (member=uid=kylinadmin,ou=users,dc=example,dc=net)
[http-bio-7070-exec-5]:[2015-12-14 12:57:14,757][DEBUG][org.springframework.security.ldap.SpringSecurityLdapTemplate.searchForSingleAttributeValues(SpringSecurityLdapTemplate.java:152)] - Using filter: (member=uid=kylinadmin,ou=users,dc=example,dc=net)
[http-bio-7070-exec-5]:[2015-12-14 12:57:14,763][DEBUG][org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator.getGroupMembershipRoles(DefaultLdapAuthoritiesPopulator.java:219)] - Roles from search: [KYLIN_ADMINS]
[http-bio-7070-exec-5]:[2015-12-14 12:57:14,763][DEBUG][org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator.getGroupMembershipRoles(DefaultLdapAuthoritiesPopulator.java:219)] - Roles from search: [KYLIN_ADMINS]
[http-bio-7070-exec-5]:[2015-12-14 12:57:14,763][DEBUG][org.springframework.security.ldap.userdetails.LdapUserDetailsMapper.mapUserFromContext(LdapUserDetailsMapper.java:51)] - Mapping user details from context with DN: uid=kylinadmin,ou=users,dc=example,dc=net
[http-bio-7070-exec-5]:[2015-12-14 12:57:14,763][DEBUG][org.springframework.security.ldap.userdetails.LdapUserDetailsMapper.mapUserFromContext(LdapUserDetailsMapper.java:51)] - Mapping user details from context with DN: uid=kylinadmin,ou=users,dc=example,dc=net

Still I do not have admin rights (particularly, I cannot see the Admin tab in the
UI).

2) What I meant is that cube ACLs do not work for me either.
I'm calling the REST API with a SQL query as a user that isn't in any ACL,
so doesn't even have read rights.
The user is authenticated using LDAP, isn't a member of any group, and the default
ACL role isn't set at all, but the call does not fail: the user can read data from
the cube via the REST API.
I assume this is wrong and that by default no one should be allowed to read the
data unless they are a member of a group that has at least the CUBE_READ privilege,
right?


Marek
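To make the two questions above concrete, here is an added example (not Kylin's code and not from anyone in this thread) that walks the pasted debug output and the kylin.properties fragment through the role mapping, and then applies the default-deny cube check Marek expects. It assumes Spring Security's DefaultLdapAuthoritiesPopulator defaults (group names from the member search get the "ROLE_" prefix and are upper-cased), and the permission ladder READ < OPERATION < MANAGEMENT < ADMINISTRATION is an illustrative assumption, not Kylin's actual permission model. The log lines, the properties text and the cube ACL are constructed samples.

```python
import re

# Assumed DefaultLdapAuthoritiesPopulator defaults: "ROLE_" prefix, upper-case.
ROLE_PREFIX = "ROLE_"
CONVERT_TO_UPPER = True

# Constructed sample: the debug lines from the thread, one entry per line.
SAMPLE_LOG = """\
[http-bio-7070-exec-5]:[2015-12-14 12:57:14,757][DEBUG][org.springframework.security.ldap.SpringSecurityLdapTemplate.searchForSingleAttributeValues(SpringSecurityLdapTemplate.java:152)] - Using filter: (member=uid=kylinadmin,ou=users,dc=example,dc=net)
[http-bio-7070-exec-5]:[2015-12-14 12:57:14,763][DEBUG][org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator.getGroupMembershipRoles(DefaultLdapAuthoritiesPopulator.java:219)] - Roles from search: [KYLIN_ADMINS]
[http-bio-7070-exec-5]:[2015-12-14 12:57:14,763][DEBUG][org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator.getGroupMembershipRoles(DefaultLdapAuthoritiesPopulator.java:219)] - Roles from search: [KYLIN_ADMINS]
[http-bio-7070-exec-5]:[2015-12-14 12:57:14,763][DEBUG][org.springframework.security.ldap.userdetails.LdapUserDetailsMapper.mapUserFromContext(LdapUserDetailsMapper.java:51)] - Mapping user details from context with DN: uid=kylinadmin,ou=users,dc=example,dc=net
"""

# Constructed sample kylin.properties fragment, as described in the thread.
SAMPLE_PROPERTIES = """\
# ACL roles (constructed sample)
acl.adminRole=ROLE_KYLIN_ADMINS
acl.defaultRole=ROLE_ANALYST,ROLE_MODELER
"""

_ROLES_RE = re.compile(r"Roles from search: \[([^\]]*)\]")


def groups_from_log(log_text):
    """Collect the raw group names reported in 'Roles from search' lines (deduplicated)."""
    groups = []
    for match in _ROLES_RE.finditer(log_text):
        for name in match.group(1).split(","):
            name = name.strip()
            if name and name not in groups:
                groups.append(name)
    return groups


def to_authority(group):
    """Apply the assumed populator defaults: upper-case the group, prepend ROLE_."""
    name = group.upper() if CONVERT_TO_UPPER else group
    return ROLE_PREFIX + name


def parse_properties(text):
    """Minimal key=value parser for a kylin.properties-style fragment."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def effective_authorities(log_text, props):
    """Authorities a logged-in user ends up with: mapped LDAP groups plus acl.defaultRole."""
    auths = [to_authority(g) for g in groups_from_log(log_text)]
    for role in props.get("acl.defaultRole", "").split(","):
        role = role.strip()
        if role and role not in auths:
            auths.append(role)
    return auths


def is_admin(authorities, props):
    """True only if acl.adminRole is set and is among the user's authorities."""
    admin_role = props.get("acl.adminRole", "").strip()
    return bool(admin_role) and admin_role in authorities


# Illustrative permission ladder (assumption, not Kylin's model).
PERMISSION_RANK = {"READ": 1, "OPERATION": 2, "MANAGEMENT": 3, "ADMINISTRATION": 4}


def can_query_cube(authorities, cube_acl, props, required="READ"):
    """Default-deny check: admin role passes; otherwise some authority in the
    cube ACL must hold at least the required permission. No grant, no access."""
    if is_admin(authorities, props):
        return True
    needed = PERMISSION_RANK[required]
    for principal, perm in cube_acl.items():
        if principal in authorities and PERMISSION_RANK.get(perm, 0) >= needed:
            return True
    return False


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    auths = effective_authorities(SAMPLE_LOG, props)
    print("authorities:", auths, "admin:", is_admin(auths, props))
    acl = {"ROLE_ANALYST": "READ"}  # constructed cube ACL
    print("modeler only can query:", can_query_cube(["ROLE_MODELER"], acl, props))
    print("no groups, no default role:", can_query_cube([], acl, {}))
```

The last two checks in the usage block are the situation from question 2: a user with no matching grant and no default role is denied, which is the behaviour Marek expects rather than what he observes.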





2015-12-13 13:41 GMT+01:00 ShaoFeng Shi <[email protected]>:
>
> For question 1) map an LDAP group to the admin role in Kylin
>
> In conf/kylin.properties there are two properties:
> acl.adminRole=
> acl.defaultRole=
>
> "acl.adminRole" is mapped to the LDAP group which you want to grant the
> admin role in Kylin. For example, in LDAP you create a group called
> "KYLIN_ADMINS", then here you should set the property value to
> "ROLE_KYLIN_ADMINS". Then when a user from this group logs in to Kylin, he will
> have the admin authority (can see the "Admin" tab and do all actions)
>
> "acl.defaultRole" is the default roles that you want to grant to all
> authenticated users; in our case, we set this property to
> "ROLE_ANALYST,ROLE_MODELER", which means every logged-in user has the analyst and
> modeler roles.
>
> Besides this, you can grant permissions at cube level; please find the
> "Access" tab when expanding a cube.
>
> For question 2), I didn't get your point; a sample case would be helpful.
>
> 2015-12-12 22:03 GMT+08:00 Marek Wiewiorka <[email protected]>:
>>
>> I would be extremely grateful!!!
>> In the first place, if you could please write a few hints on how to
>> configure cube ACLs + admin role mapping with LDAP.
>>
>> Many thanks in advance!
>> Marek
>>
>> 2015-12-12 12:28 GMT+01:00 Shaofeng Shi <[email protected]>:
>>>
>>> I planned to write a doc on this, but it seems it needs to be prioritized now.
>>>
>>> Marek Wiewiorka <[email protected]> wrote:
>>>
>>>
>>> Hi All - I managed to get LDAP authentication working but I'm unable to
>>> set up proper authorization.
>>>
>>> Has anybody got it working properly - role mapping, privileges
>>> on cubes with LDAP?
>>>
>>> I will summarize briefly what I wasn't able to do:
>>> 1) map an LDAP group to the admin role in Kylin
>>> 2) Despite granting the 'cube query' privilege to only one group,
>>> everyone who is properly authenticated can query the data, which is
>>> obviously wrong.
>>>
>>> Any help more than welcome!
>>>
>>> Marek
>>>
>>>
>>
>>
>
>
>
> --
> Best regards,
>
> Shaofeng Shi
>
