Ok - I found the root cause for point 1 - it was just a typo. But I still do not understand how to proceed with ACLs.
Thanks and I'm sorry for the confusion. BTW the part with prefixing entries with "ROLE_" is tricky and I do not think it's documented anywhere.

Regards,
Marek

2015-12-14 14:07 GMT+01:00 Marek Wiewiorka <[email protected]>:

> Hi - thanks!
>
> Regarding my first question - I tried as follows:
>
> #properties:
> acl.adminRole=ROLE_KYLIN_ADMINS
>
> #LDAP:
> [image: inline image 1]
>
> Debug output:
>
> [http-bio-7070-exec-5]:[2015-12-14 12:57:14,757][DEBUG][org.springframework.security.ldap.SpringSecurityLdapTemplate.searchForSingleAttributeValues(SpringSecurityLdapTemplate.java:152)] - Using filter: (member=uid=kylinadmin,ou=users,dc=example,dc=net)
> [http-bio-7070-exec-5]:[2015-12-14 12:57:14,757][DEBUG][org.springframework.security.ldap.SpringSecurityLdapTemplate.searchForSingleAttributeValues(SpringSecurityLdapTemplate.java:152)] - Using filter: (member=uid=kylinadmin,ou=users,dc=example,dc=net)
> [http-bio-7070-exec-5]:[2015-12-14 12:57:14,763][DEBUG][org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator.getGroupMembershipRoles(DefaultLdapAuthoritiesPopulator.java:219)] - Roles from search: [KYLIN_ADMINS]
> [http-bio-7070-exec-5]:[2015-12-14 12:57:14,763][DEBUG][org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator.getGroupMembershipRoles(DefaultLdapAuthoritiesPopulator.java:219)] - Roles from search: [KYLIN_ADMINS]
> [http-bio-7070-exec-5]:[2015-12-14 12:57:14,763][DEBUG][org.springframework.security.ldap.userdetails.LdapUserDetailsMapper.mapUserFromContext(LdapUserDetailsMapper.java:51)] - Mapping user details from context with DN: uid=kylinadmin,ou=users,dc=example,dc=net
> [http-bio-7070-exec-5]:[2015-12-14 12:57:14,763][DEBUG][org.springframework.security.ldap.userdetails.LdapUserDetailsMapper.mapUserFromContext(LdapUserDetailsMapper.java:51)] - Mapping user details from context with DN: uid=kylinadmin,ou=users,dc=example,dc=net
>
> Still I do not have admin rights (particularly I cannot see the admin tab in the UI).
>
> 2) What I meant is that cube ACLs do not work for me as well.
> I'm calling the REST API with a SQL query with a user that isn't in any ACL - so does not have even read right.
> User is authenticated using LDAP, isn't a member of any group, default acl role isn't set at all, but the call does not fail - user can read data from the cube via REST API.
> I assume it's wrong and by default no one should be allowed to read the data unless they are a member of a group that has at least CUBE_READ privilege, right?
>
> Marek
>
> 2015-12-13 13:41 GMT+01:00 ShaoFeng Shi <[email protected]>:
>
> > For question 1) map a LDAP group to admin role in Kylin
> >
> > In conf/kylin.properties there are two properties:
> > acl.adminRole=
> > acl.defaultRole=
> >
> > "acl.adminRole" is mapped to the LDAP group which you want to grant the admin role in Kylin. For example, in LDAP you create a group called "KYLIN_ADMINS", then here you should set the property value to "ROLE_KYLIN_ADMINS". Then when a user from this group logs in to Kylin, he will have the admin authority (can see the "Admin" tab and do all actions).
> >
> > "acl.defaultRole" is the default roles that you want to grant to all authenticated users; in our case, we set this property to "ROLE_ANALYST,ROLE_MODELER", which means every login user has analyst and modeler role.
> >
> > Beside this, you can grant the permissions at cube level, please find the "Access" tab when expanding a cube.
> >
> > For question 2), I didn't get your point, a sample case should be helpful.
> >
> > 2015-12-12 22:03 GMT+08:00 Marek Wiewiorka <[email protected]>:
> >>
> >> I would be extremely grateful!!!
> >> In the first place if you could please write a few hints on how to configure cube ACLs + admin role mapping with LDAP.
> >>
> >> Many thanks in advance!
> >> Marek
> >>
> >> 2015-12-12 12:28 GMT+01:00 Shaofeng Shi <[email protected]>:
> >>>
> >>> I planned to write a doc on this, but it seems it needs to be prioritized now.
> >>>
> >>> Marek Wiewiorka <[email protected]> wrote:
> >>>
> >>> Hi All - I managed to get LDAP authentication working but I'm unable to set up proper authorization.
> >>>
> >>> Has anybody of you got it working properly - role mapping, privileges on cubes with LDAP?
> >>>
> >>> I will summarize briefly what I wasn't able to do:
> >>> 1) map a LDAP group to admin role in Kylin
> >>> 2) Despite granting only one group 'cube query' privilege on a cube, everyone who is properly authenticated can query the data, which is obviously wrong.
> >>>
> >>> Any help more than welcome!
> >>>
> >>> Marek
> >>>
> >>
> >
> > --
> > Best regards,
> >
> > Shaofeng Shi
>
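The "ROLE_" prefix that tripped Marek up comes from the LDAP authorities populator, not from the directory: the debug line "Roles from search: [KYLIN_ADMINS]" shows the raw group name, and the granted authority is that name with the prefix added. The Python below is an added illustration written for this thread; it is not code from Kylin, Spring Security, or any participant. It assumes the Spring Security DefaultLdapAuthoritiesPopulator defaults (prefix "ROLE_", upper-casing on), takes from ShaoFeng's advice that acl.adminRole must match the prefixed authority string, and models the default-deny cube policy Marek expects (no read unless an ACL entry grants at least CUBE_READ) rather than Kylin's actual implementation. The property snippet and ACL table are constructed sample input.

```python
"""Model of LDAP group -> granted authority mapping and a default-deny cube
check, as an added example for the Kylin LDAP/ACL thread above.
Not Kylin's or Spring Security's own code."""

# Assumed defaults of Spring Security's DefaultLdapAuthoritiesPopulator:
# each group cn is upper-cased and prefixed before it becomes an authority.
ROLE_PREFIX = "ROLE_"
CONVERT_TO_UPPER_CASE = True

# Constructed sample of the relevant conf/kylin.properties lines.
SAMPLE_PROPERTIES = """
# ACL settings (constructed sample)
acl.adminRole=ROLE_KYLIN_ADMINS
acl.defaultRole=ROLE_ANALYST,ROLE_MODELER
"""


def parse_properties(text):
    """Minimal key=value parser: skips blank lines and '#' comments,
    strips whitespace around keys and values."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        props[key.strip()] = value.strip()
    return props


def build_authorities(roles_from_search, default_roles=()):
    """Mimic the populator step seen in the debug log: 'KYLIN_ADMINS' from
    the group search becomes 'ROLE_KYLIN_ADMINS'.  Entries from
    acl.defaultRole are added verbatim (they are already prefixed in the
    property, per ShaoFeng's example)."""
    authorities = set()
    for role in roles_from_search:
        if CONVERT_TO_UPPER_CASE:
            role = role.upper()
        authorities.add(ROLE_PREFIX + role)
    for role in default_roles:
        role = role.strip()
        if role:
            authorities.add(role)
    return authorities


def is_admin(authorities, admin_role_property):
    """acl.adminRole is compared against the granted authority string, so
    it has to carry the same ROLE_ prefix the populator added (assumption
    based on the thread's advice)."""
    return admin_role_property in authorities


def check_admin_role_config(admin_role_property, ldap_group_cn):
    """Diagnose why an admin mapping does not take effect: prefix missing,
    wrong case, stray whitespace (the 'just a typo' case), or no relation
    to the group at all."""
    expected = ROLE_PREFIX + ldap_group_cn.upper()
    if admin_role_property == expected:
        return "ok"
    if admin_role_property.strip() == expected:
        return "whitespace"
    if admin_role_property.upper() == expected:
        return "case"
    if not admin_role_property.startswith(ROLE_PREFIX):
        return "missing-prefix"
    return "mismatch"


def can_query_cube(authorities, cube_acl, admin_role_property,
                   required="CUBE_READ"):
    """Default-deny policy as Marek describes it (a model, not Kylin's
    code): admins may do anything; everyone else needs an explicit ACL
    entry for one of their authorities that contains the required
    privilege.  cube_acl maps authority -> set of privilege names."""
    if is_admin(authorities, admin_role_property):
        return True
    return any(required in cube_acl.get(auth, set()) for auth in authorities)


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    admin_role = props["acl.adminRole"]
    defaults = props["acl.defaultRole"].split(",")
    # The user from the debug output: member of KYLIN_ADMINS only.
    auths = build_authorities(["KYLIN_ADMINS"], defaults)
    print(sorted(auths), is_admin(auths, admin_role))
    print(check_admin_role_config("KYLIN_ADMINS", "KYLIN_ADMINS"))
```

Running the module prints the authorities the admin user ends up with and confirms that a property value written without the prefix ("KYLIN_ADMINS") would never match, which is the failure mode the thread circles around.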
