Sure, I can do that :)! Just could you please try to double-check the second problem, because maybe I do not get something and I wouldn't like to confuse anyone. Once I know how to set up security e2e with ACLs correctly, I will draft the Kylin security manual :)
Thanks again!
Marek

2015-12-14 15:58 GMT+01:00 ShaoFeng Shi <[email protected]>:

> Hi Marek,
>
> If you're familiar with the Spring Security framework, the "ROLE_" prefix is added by that when converting the user groups to role authorities. You can check http://fmanea.blogspot.com/2015/04/spring-security-role-prefix.html, or search Google for more discussions. It is a little tricky, we should have a specific document on this. And we welcome contribution from the community, if you'd like to do a summary from a Kylin end user's perspective, that would be very nice. I believe you know more about LDAP setup and configurations than me :)
>
> Regarding the problem you described, we will double-check. In the meanwhile you can report a JIRA at https://issues.apache.org/jira/browse/KYLIN and we will follow it up there. Thanks!
>
> 2015-12-14 21:25 GMT+08:00 Marek Wiewiorka <[email protected]>:
>
>> Ok - I found the root cause for point 1 - it was just a typo.
>> But I still do not understand how to proceed with ACLs.
>>
>> Thanks and I'm sorry for the confusion.
>> BTW the part with prefixing entries with "ROLE_" is tricky and I do not think it's documented anywhere.
>>
>> Regards,
>> Marek
>>
>> 2015-12-14 14:07 GMT+01:00 Marek Wiewiorka <[email protected]>:
>>
>>> Hi - thanks!
>>>
>>> Regarding my first question - I tried as follows:
>>>
>>> #properties:
>>> acl.adminRole=ROLE_KYLIN_ADMINS
>>>
>>> #LDAP:
>>> [image: Inline image 1]
>>>
>>> Debug output:
>>>
>>> [http-bio-7070-exec-5]:[2015-12-14 12:57:14,757][DEBUG][org.springframework.security.ldap.SpringSecurityLdapTemplate.searchForSingleAttributeValues(SpringSecurityLdapTemplate.java:152)] - Using filter: (member=uid=kylinadmin,ou=users,dc=example,dc=net)
>>> [http-bio-7070-exec-5]:[2015-12-14 12:57:14,757][DEBUG][org.springframework.security.ldap.SpringSecurityLdapTemplate.searchForSingleAttributeValues(SpringSecurityLdapTemplate.java:152)] - Using filter: (member=uid=kylinadmin,ou=users,dc=example,dc=net)
>>> [http-bio-7070-exec-5]:[2015-12-14 12:57:14,763][DEBUG][org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator.getGroupMembershipRoles(DefaultLdapAuthoritiesPopulator.java:219)] - Roles from search: [KYLIN_ADMINS]
>>> [http-bio-7070-exec-5]:[2015-12-14 12:57:14,763][DEBUG][org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator.getGroupMembershipRoles(DefaultLdapAuthoritiesPopulator.java:219)] - Roles from search: [KYLIN_ADMINS]
>>> [http-bio-7070-exec-5]:[2015-12-14 12:57:14,763][DEBUG][org.springframework.security.ldap.userdetails.LdapUserDetailsMapper.mapUserFromContext(LdapUserDetailsMapper.java:51)] - Mapping user details from context with DN: uid=kylinadmin,ou=users,dc=example,dc=net
>>> [http-bio-7070-exec-5]:[2015-12-14 12:57:14,763][DEBUG][org.springframework.security.ldap.userdetails.LdapUserDetailsMapper.mapUserFromContext(LdapUserDetailsMapper.java:51)] - Mapping user details from context with DN: uid=kylinadmin,ou=users,dc=example,dc=net
>>>
>>> Still I do not have admin rights (particularly I cannot see the admin tab in the UI).
>>>
>>> 2) What I meant is that cube ACLs do not work for me as well.
>>> I'm calling the REST API with a SQL query with a user that isn't in any ACL - so does not even have read rights.
>>> The user is authenticated using LDAP, isn't a member of any group, the default acl role isn't set at all, but the call does not fail - the user can read data from the cube via the REST API.
>>> I assume it's wrong and by default no one should be allowed to read the data unless they are a member of a group that has at least the CUBE_READ privilege, right?
>>>
>>> Marek
>>>
>>> 2015-12-13 13:41 GMT+01:00 ShaoFeng Shi <[email protected]>:
>>> >
>>> > For question 1) map a LDAP group to admin role in Kylin
>>> >
>>> > In conf/kylin.properties there are two properties:
>>> > acl.adminRole=
>>> > acl.defaultRole=
>>> >
>>> > "acl.adminRole" is mapped to the LDAP group which you want to grant the admin role in Kylin. For example, in LDAP you create a group called "KYLIN_ADMINS", then here you should set the property value to "ROLE_KYLIN_ADMINS". Then when a user from this group logs in to Kylin, he will have the admin authority (can see the "Admin" tab and do all actions).
>>> >
>>> > "acl.defaultRole" is the default roles that you want to grant to all authenticated users; in our case, we set this property to "ROLE_ANALYST,ROLE_MODELER", which means every login user has the analyst and modeler roles.
>>> >
>>> > Besides this, you can grant the permissions at cube level; please find the "Access" tab when expanding a cube.
>>> >
>>> > For question 2), I didn't get your point, a sample case should be helpful.
>>> >
>>> > 2015-12-12 22:03 GMT+08:00 Marek Wiewiorka <[email protected]>:
>>> >>
>>> >> I would be extremely grateful!!!
>>> >> In the first place, if you could please write a few hints on how to configure cube ACLs + admin role mapping with LDAP.
>>> >>
>>> >> Many thanks in advance!
>>> >> Marek
>>> >>
>>> >> 2015-12-12 12:28 GMT+01:00 Shaofeng Shi <[email protected]>:
>>> >>>
>>> >>> I planned to write a doc on this, but it seems it needs to be prioritized now.
>>> >>>
>>> >>> Marek Wiewiorka <[email protected]> wrote:
>>> >>>
>>> >>> Hi All - I managed to get LDAP authentication working but I'm unable to set up proper authorization.
>>> >>>
>>> >>> Has anybody of you got it working properly - role mapping, privileges on cubes with LDAP?
>>> >>>
>>> >>> I will summarize briefly what I wasn't able to do:
>>> >>> 1) map a LDAP group to the admin role in Kylin
>>> >>> 2) Despite granting only one group the 'cube query' privilege on a cube, everyone who is properly authenticated can query the data, which is obviously wrong.
>>> >>>
>>> >>> Any help more than welcome!
>>> >>>
>>> >>> Marek
>>> >>
>>> >
>>> > --
>>> > Best regards,
>>> >
>>> > Shaofeng Shi
>>>
>>
>
> --
> Best regards,
>
> Shaofeng Shi
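As an added example (not code from the thread or from Kylin itself), a small Python check that applies the Spring Security "ROLE_" prefix rule ShaoFeng describes to the group names in a DefaultLdapAuthoritiesPopulator debug line and compares the result with acl.adminRole and acl.defaultRole, which is how a mistyped role value of the kind Marek hit shows up before anyone logs in. The properties text and log line are constructed samples; the prefix and upper-casing follow the populator's default settings.

```python
import re

# Constructed sample of conf/kylin.properties; the admin role is deliberately
# mistyped (missing trailing S) to show what the check reports.
KYLIN_PROPERTIES = """
# ACL role mapping (constructed sample)
acl.adminRole=ROLE_KYLIN_ADMIN
acl.defaultRole=ROLE_ANALYST,ROLE_MODELER
"""

# Constructed debug line in the shape quoted in the thread: the populator
# logs the raw LDAP group names before any prefix is applied.
DEBUG_LOG = """
[http-bio-7070-exec-5]:[2015-12-14 12:57:14,763][DEBUG][org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator.getGroupMembershipRoles(DefaultLdapAuthoritiesPopulator.java:219)] - Roles from search: [KYLIN_ADMINS]
"""

ROLE_PREFIX = "ROLE_"  # Spring Security's default authority prefix


def parse_acl_roles(properties: str) -> dict:
    """Return the comma-separated values of acl.adminRole / acl.defaultRole."""
    roles = {}
    for line in properties.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip() in ("acl.adminRole", "acl.defaultRole"):
            roles[key.strip()] = [v.strip() for v in value.split(",") if v.strip()]
    return roles


def groups_from_log(log: str) -> set:
    """Collect LDAP group names from 'Roles from search: [...]' lines."""
    groups = set()
    for m in re.finditer(r"Roles from search: \[([^\]]*)\]", log):
        groups.update(g.strip() for g in m.group(1).split(",") if g.strip())
    return groups


def spring_authority(group: str) -> str:
    """Authority the default populator derives from a group: ROLE_ + upper-case name."""
    return ROLE_PREFIX + group.upper()


def check_admin_mapping(properties: str, log: str) -> dict:
    """Report whether acl.adminRole matches an authority the LDAP search yields, and flag unprefixed values."""
    roles = parse_acl_roles(properties)
    authorities = {spring_authority(g) for g in groups_from_log(log)}
    admin_roles = roles.get("acl.adminRole", [])
    all_roles = admin_roles + roles.get("acl.defaultRole", [])
    return {
        "authorities": sorted(authorities),
        "admin_granted": any(r in authorities for r in admin_roles),
        "unprefixed": [r for r in all_roles if not r.startswith(ROLE_PREFIX)],
    }
```

With the constructed sample the report says the admin role is not granted, because ROLE_KYLIN_ADMIN never matches the derived authority ROLE_KYLIN_ADMINS; correcting the property makes the check pass.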
