Hi Marek,

If you're familiar with the Spring Security framework, the "ROLE_" prefix is added by it when converting the user groups to role authorities. You can check http://fmanea.blogspot.com/2015/04/spring-security-role-prefix.html, or search Google for more discussions. It is a little tricky; we should have a specific document on this. And we welcome contributions from the community; if you'd like to do a summary from a Kylin end user's perspective, that would be very nice. I believe you know more about LDAP setup and configurations than me :)

Regarding the problem you described, we will double check. In the meantime you can report a JIRA at https://issues.apache.org/jira/browse/KYLIN and we will follow up on it there.

Thanks!

2015-12-14 21:25 GMT+08:00 Marek Wiewiorka <[email protected]>:

> Ok - I found the root cause for point 1 - it was just a typo.
> But I still do not understand how to proceed with ACLs.
>
> Thanks and I'm sorry for the confusion.
> BTW the part with prefixing entries with "ROLE_" is tricky and I do not think it's documented anywhere.
>
> Regards,
> Marek
>
> 2015-12-14 14:07 GMT+01:00 Marek Wiewiorka <[email protected]>:
>
>> Hi - thanks!
>>
>> Regarding my first question - I tried as follows:
>>
>> #properties:
>> acl.adminRole=ROLE_KYLIN_ADMINS
>>
>> #LDAP:
>> [image: Inline image 1]
>>
>> Debug output:
>>
>> [http-bio-7070-exec-5]:[2015-12-14 12:57:14,757][DEBUG][org.springframework.security.ldap.SpringSecurityLdapTemplate.searchForSingleAttributeValues(SpringSecurityLdapTemplate.java:152)] - Using filter: (member=uid=kylinadmin,ou=users,dc=example,dc=net)
>> [http-bio-7070-exec-5]:[2015-12-14 12:57:14,757][DEBUG][org.springframework.security.ldap.SpringSecurityLdapTemplate.searchForSingleAttributeValues(SpringSecurityLdapTemplate.java:152)] - Using filter: (member=uid=kylinadmin,ou=users,dc=example,dc=net)
>> [http-bio-7070-exec-5]:[2015-12-14 12:57:14,763][DEBUG][org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator.getGroupMembershipRoles(DefaultLdapAuthoritiesPopulator.java:219)] - Roles from search: [KYLIN_ADMINS]
>> [http-bio-7070-exec-5]:[2015-12-14 12:57:14,763][DEBUG][org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator.getGroupMembershipRoles(DefaultLdapAuthoritiesPopulator.java:219)] - Roles from search: [KYLIN_ADMINS]
>> [http-bio-7070-exec-5]:[2015-12-14 12:57:14,763][DEBUG][org.springframework.security.ldap.userdetails.LdapUserDetailsMapper.mapUserFromContext(LdapUserDetailsMapper.java:51)] - Mapping user details from context with DN: uid=kylinadmin,ou=users,dc=example,dc=net
>> [http-bio-7070-exec-5]:[2015-12-14 12:57:14,763][DEBUG][org.springframework.security.ldap.userdetails.LdapUserDetailsMapper.mapUserFromContext(LdapUserDetailsMapper.java:51)] - Mapping user details from context with DN: uid=kylinadmin,ou=users,dc=example,dc=net
>>
>> Still I do not have admin rights (particularly, I cannot see the admin tab in the UI).
>>
>> 2) What I meant is that cube ACLs do not work for me as well.
>> I'm calling the REST API with a SQL query with a user that isn't in any ACL - so does not have even read right.
>> The user is authenticated using LDAP, isn't a member of any group, the default ACL role isn't set at all, but the call does not fail - the user can read data from the cube via the REST API.
>> I assume it's wrong and by default no one should be allowed to read the data unless they are a member of a group that has at least the CUBE_READ privilege, right?
>>
>> Marek
>>
>> 2015-12-13 13:41 GMT+01:00 ShaoFeng Shi <[email protected]>:
>> >
>> > For question 1) map an LDAP group to the admin role in Kylin
>> >
>> > In conf/kylin.properties there are two properties:
>> > acl.adminRole=
>> > acl.defaultRole=
>> >
>> > "acl.adminRole" is mapped to the LDAP group to which you want to grant the admin role in Kylin. For example, in LDAP you create a group called "KYLIN_ADMINS", then here you should set the property value to "ROLE_KYLIN_ADMINS". Then when a user from this group logs in to Kylin, he will have the admin authority (can see the "Admin" tab and do all actions).
>> >
>> > "acl.defaultRole" is the default roles that you want to grant to all authenticated users. In our case, we set this property to "ROLE_ANALYST,ROLE_MODELER", which means every login user has the analyst and modeler roles.
>> >
>> > Besides this, you can grant the permissions at cube level; please find the "Access" tab when expanding a cube.
>> >
>> > For question 2), I didn't get your point; a sample case would be helpful.
>> >
>> > 2015-12-12 22:03 GMT+08:00 Marek Wiewiorka <[email protected]>:
>> >>
>> >> I would be extremely grateful!!!
>> >> In the first place, if you could please write a few hints on how to configure cube ACLs + admin role mapping with LDAP.
>> >>
>> >> Many thanks in advance!
>> >> Marek
>> >>
>> >> 2015-12-12 12:28 GMT+01:00 Shaofeng Shi <[email protected]>:
>> >>>
>> >>> I planned to write a doc on this, but it seems it needs to be prioritized now.
>> >>>
>> >>> Marek Wiewiorka <[email protected]> wrote:
>> >>>
>> >>> Hi All - I managed to get LDAP authentication working but I'm unable to set up proper authorization.
>> >>>
>> >>> Has any of you got it working properly - role mapping, privileges on cubes with LDAP?
>> >>>
>> >>> I will summarize briefly what I wasn't able to do:
>> >>> 1) map an LDAP group to the admin role in Kylin
>> >>> 2) Despite granting only one group the 'cube query' privilege on a cube, everyone who is properly authenticated can query the data, which is obviously wrong.
>> >>>
>> >>> Any help more than welcome!
>> >>>
>> >>> Marek
>> >
>> > --
>> > Best regards,
>> >
>> > Shaofeng Shi
>

--
Best regards,

Shaofeng Shi
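
The group-to-role mapping discussed in this thread, as an added example (not part of the original messages, and not Kylin or Spring Security code): a Python check that models the default conversion of an LDAP group name into an authority ("ROLE_" prefix, upper-cased name) and reports why `acl.adminRole` does or does not match. The function names and the sample properties excerpt are constructed for illustration; exact, case-sensitive comparison of role strings and the merging of `acl.defaultRole` into every login are assumptions based on the description above.

```python
# Added example: models the mapping described in this thread; not Kylin or
# Spring Security source code. Sample values below are constructed.
ROLE_PREFIX = "ROLE_"  # Spring Security's default rolePrefix for LDAP groups

SAMPLE_PROPERTIES = """\
# conf/kylin.properties (constructed excerpt)
acl.adminRole=ROLE_KYLIN_ADMINS
acl.defaultRole=ROLE_ANALYST,ROLE_MODELER
"""


def parse_properties(text):
    """Minimal key=value parser; skips blank lines and # comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def group_to_authority(group):
    """LDAP group name -> authority: prefix added, name upper-cased."""
    return ROLE_PREFIX + group.upper()


def effective_authorities(props, ldap_groups):
    """Group-derived authorities plus the roles every login receives."""
    defaults = {r.strip() for r in props.get("acl.defaultRole", "").split(",")}
    return {group_to_authority(g) for g in ldap_groups} | (defaults - {""})


def diagnose_admin_role(props, ldap_groups):
    """Explain why acl.adminRole does or does not match the user's groups."""
    admin = props.get("acl.adminRole", "").strip()
    granted = {group_to_authority(g) for g in ldap_groups}
    if not admin:
        return "acl.adminRole not set"
    if admin in granted:
        return "ok"
    if group_to_authority(admin) in granted:
        return "missing ROLE_ prefix"
    if admin.upper() in granted:
        return "case mismatch"
    return "no matching LDAP group"


if __name__ == "__main__":
    cfg = parse_properties(SAMPLE_PROPERTIES)
    print(diagnose_admin_role(cfg, ["KYLIN_ADMINS"]))  # group from the debug log
    print(sorted(effective_authorities(cfg, ["KYLIN_ADMINS"])))
```

Feed it the group names from the "Roles from search" debug line to see which authorities a login ends up with.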
