Hi - I opened a jira for that: https://issues.apache.org/jira/browse/KYLIN-1234
Thanks!
Marek

2015-12-14 16:03 GMT+01:00 Marek Wiewiorka <[email protected]>:

> Sure I can do that :) !
> Just could you please try to double check the second problem because
> maybe I do not get something and I wouldn't like to confuse anyone.
> Once I know how to set up security e2e with ACLs correctly I will draft
> the Kylin security manual :)
>
> Thanks again!
> Marek
>
> 2015-12-14 15:58 GMT+01:00 ShaoFeng Shi <[email protected]>:
>
>> Hi Marek,
>>
>> If you're familiar with the Spring Security framework, the "ROLE_" prefix is
>> added by that when converting the user groups to role authorities. You can
>> check http://fmanea.blogspot.com/2015/04/spring-security-role-prefix.html,
>> or search Google for more discussions. It is a little tricky, we should
>> have a specific document on this. And we welcome contribution from the
>> community, if you'd like to do a summary from a Kylin end user's
>> perspective, that would be very nice. I believe you know more about LDAP
>> setup and configurations than me :)
>>
>> Regarding the problem you described, we will double check. In the
>> meanwhile you can report a JIRA at
>> https://issues.apache.org/jira/browse/KYLIN and we will follow it up
>> there. Thanks!
>>
>> 2015-12-14 21:25 GMT+08:00 Marek Wiewiorka <[email protected]>:
>>
>>> Ok - I found the root cause for point 1 - it was just a typo.
>>> But I still do not understand how to proceed with ACLs.
>>>
>>> Thanks and I'm sorry for the confusion.
>>> BTW the part with prefixing entries with "ROLE_" is tricky and I do not
>>> think it's documented anywhere.
>>>
>>> Regards,
>>> Marek
>>>
>>> 2015-12-14 14:07 GMT+01:00 Marek Wiewiorka <[email protected]>:
>>>
>>>> Hi - thanks!
>>>>
>>>> Regarding my first question - I tried as follows:
>>>>
>>>> #properties:
>>>> acl.adminRole=ROLE_KYLIN_ADMINS
>>>>
>>>> #LDAP:
>>>> [image: Inline image 1]
>>>>
>>>> Debug output:
>>>>
>>>> [http-bio-7070-exec-5]:[2015-12-14 12:57:14,757][DEBUG][org.springframework.security.ldap.SpringSecurityLdapTemplate.searchForSingleAttributeValues(SpringSecurityLdapTemplate.java:152)] - Using filter: (member=uid=kylinadmin,ou=users,dc=example,dc=net)
>>>> [http-bio-7070-exec-5]:[2015-12-14 12:57:14,757][DEBUG][org.springframework.security.ldap.SpringSecurityLdapTemplate.searchForSingleAttributeValues(SpringSecurityLdapTemplate.java:152)] - Using filter: (member=uid=kylinadmin,ou=users,dc=example,dc=net)
>>>> [http-bio-7070-exec-5]:[2015-12-14 12:57:14,763][DEBUG][org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator.getGroupMembershipRoles(DefaultLdapAuthoritiesPopulator.java:219)] - Roles from search: [KYLIN_ADMINS]
>>>> [http-bio-7070-exec-5]:[2015-12-14 12:57:14,763][DEBUG][org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator.getGroupMembershipRoles(DefaultLdapAuthoritiesPopulator.java:219)] - Roles from search: [KYLIN_ADMINS]
>>>> [http-bio-7070-exec-5]:[2015-12-14 12:57:14,763][DEBUG][org.springframework.security.ldap.userdetails.LdapUserDetailsMapper.mapUserFromContext(LdapUserDetailsMapper.java:51)] - Mapping user details from context with DN: uid=kylinadmin,ou=users,dc=example,dc=net
>>>> [http-bio-7070-exec-5]:[2015-12-14 12:57:14,763][DEBUG][org.springframework.security.ldap.userdetails.LdapUserDetailsMapper.mapUserFromContext(LdapUserDetailsMapper.java:51)] - Mapping user details from context with DN: uid=kylinadmin,ou=users,dc=example,dc=net
>>>>
>>>> still I do not have admin rights (particularly I cannot see the admin tab in
>>>> the UI)
>>>>
>>>> 2) What I meant is that cube ACLs do not work for me as well.
>>>> I'm calling the REST API with a SQL query with a user that isn't in any ACL
>>>> - so it does not even have read rights.
>>>> The user is authenticated using LDAP, isn't a member of any group, the default
>>>> acl role isn't set at all, but the call does not fail - the user can read data
>>>> from the cube via the REST API.
>>>> I assume it's wrong and by default no one should be allowed to read the
>>>> data unless they are a member of a group that has at least CUBE_READ privilege,
>>>> right?
>>>>
>>>> Marek
>>>>
>>>> 2015-12-13 13:41 GMT+01:00 ShaoFeng Shi <[email protected]>:
>>>> >
>>>> > For question 1) map a LDAP group to admin role in Kylin
>>>> >
>>>> > In conf/kylin.properties there are two properties:
>>>> > acl.adminRole=
>>>> > acl.defaultRole=
>>>> >
>>>> > "acl.adminRole" is mapped to the LDAP group which you want to grant
>>>> > the admin role in Kylin. For example, in LDAP you create a group called
>>>> > "KYLIN_ADMINS", then here you should set the property value to
>>>> > "ROLE_KYLIN_ADMINS". Then when a user from this group logs in to Kylin, he will
>>>> > have the admin authority (can see the "Admin" tab and do all actions)
>>>> >
>>>> > "acl.defaultRole" is the default roles that you want to grant to all
>>>> > authenticated users; In our case, we set this property to
>>>> > "ROLE_ANALYST,ROLE_MODELER", which means every login user has the analyst and
>>>> > modeler role.
>>>> >
>>>> > Besides this, you can grant the permissions at cube level, please find
>>>> > the "Access" tab when expanding a cube.
>>>> >
>>>> > For question 2), I didn't get your point, a sample case should be
>>>> > helpful.
>>>> >
>>>> > 2015-12-12 22:03 GMT+08:00 Marek Wiewiorka <[email protected]>:
>>>> >>
>>>> >> I would be extremely grateful!!!
>>>> >> In the first place if you could please write a few hints on how to
>>>> >> configure cube ACLs + admin role mapping with LDAP.
>>>> >>
>>>> >> Many thanks in advance!
>>>> >> Marek
>>>> >>
>>>> >> 2015-12-12 12:28 GMT+01:00 Shaofeng Shi <[email protected]>:
>>>> >>>
>>>> >>> I planned to write a doc on this, but it seems it needs to be prioritized
>>>> >>> now.
>>>> >>>
>>>> >>> Marek Wiewiorka <[email protected]> wrote:
>>>> >>>
>>>> >>> Hi All - I managed to get LDAP authentication working but I'm
>>>> >>> unable to set up proper authorization.
>>>> >>>
>>>> >>> Has anybody of you got it working properly - role mapping,
>>>> >>> privileges on cubes with LDAP?
>>>> >>>
>>>> >>> I will summarize briefly what I wasn't able to do:
>>>> >>> 1) map a LDAP group to admin role in Kylin
>>>> >>> 2) Despite granting only one group 'cube query' privilege on a cube,
>>>> >>> everyone who is properly authenticated can query the data, which is
>>>> >>> obviously wrong.
>>>> >>>
>>>> >>> Any help more than welcome!
>>>> >>>
>>>> >>> Marek
>>>> >
>>>> > --
>>>> > Best regards,
>>>> >
>>>> > Shaofeng Shi
>>
>> --
>> Best regards,
>>
>> Shaofeng Shi
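The "ROLE_" prefix problem from point 1 can be spotted from the debug log alone. The following is an added diagnostic, not Kylin or Spring Security code: it reproduces the authority naming convention of Spring Security's DefaultLdapAuthoritiesPopulator (assumed left at its defaults, rolePrefix "ROLE_" and convertToUpperCase true, as in the thread), reads the raw group values from the "Roles from search" line (which Spring logs before prefixing) and reports why a given acl.adminRole value does or does not match. The log line and the candidate property values are constructed from the thread.

```python
import re

# Spring Security DefaultLdapAuthoritiesPopulator defaults (assumed unchanged in Kylin's setup).
ROLE_PREFIX = "ROLE_"
CONVERT_TO_UPPER = True

# Constructed sample: the 'Roles from search' debug line as shown in the thread.
SAMPLE_LOG = (
    "[http-bio-7070-exec-5]:[2015-12-14 12:57:14,763][DEBUG]"
    "[org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator"
    ".getGroupMembershipRoles(DefaultLdapAuthoritiesPopulator.java:219)]"
    " - Roles from search: [KYLIN_ADMINS]\n"
)

_ROLES_RE = re.compile(r"Roles from search: \[([^\]]*)\]")

def roles_from_log(log_text):
    """Distinct raw group values from 'Roles from search: [...]' lines (logged before prefixing)."""
    found = []
    for match in _ROLES_RE.finditer(log_text):
        for raw in match.group(1).split(","):
            raw = raw.strip()
            if raw and raw not in found:
                found.append(raw)
    return found

def to_authority(group_value, prefix=ROLE_PREFIX, upper=CONVERT_TO_UPPER):
    """Authority name Spring builds from a raw group value: optional upper-casing, then the prefix."""
    value = group_value.upper() if upper else group_value
    return prefix + value

def check_admin_mapping(acl_admin_role, group_values):
    """Compare a kylin.properties acl.adminRole value with the authorities derived from LDAP groups.
    Returns (status, derived_authorities); status is 'ok', 'missing-prefix', 'case-mismatch' or 'no-match'."""
    derived = sorted(to_authority(g) for g in group_values)
    if acl_admin_role in derived:
        return "ok", derived
    if not acl_admin_role.startswith(ROLE_PREFIX) and to_authority(acl_admin_role) in derived:
        return "missing-prefix", derived
    if acl_admin_role.upper() in derived:
        return "case-mismatch", derived
    return "no-match", derived

if __name__ == "__main__":
    groups = roles_from_log(SAMPLE_LOG)
    # Candidate property values: the correct one, a missing prefix, wrong case, and a typo.
    for candidate in ("ROLE_KYLIN_ADMINS", "KYLIN_ADMINS", "ROLE_Kylin_Admins", "ROLE_KYLIN_ADMIN"):
        print(candidate, "->", check_admin_mapping(candidate, groups)[0])
```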
