I added a comment there, please check. Thanks for the feedback!

2015-12-15 21:54 GMT+08:00 Marek Wiewiorka <[email protected]>:

> Hi - I opened a jira for that:
> https://issues.apache.org/jira/browse/KYLIN-1234
>
> Thanks!
> Marek
>
> 2015-12-14 16:03 GMT+01:00 Marek Wiewiorka <[email protected]>:
>
>> Sure I can do that :) !
>> Just could you please try to double check the second problem because
>> maybe I do not get something and I wouldn't like to confuse anyone.
>> Once I know how to set up security e2e with ACLs correctly I will draft
>> the Kylin security manual :)
>>
>> Thanks again!
>> Marek
>>
>> 2015-12-14 15:58 GMT+01:00 ShaoFeng Shi <[email protected]>:
>>
>>> Hi Marek,
>>>
>>> If you're familiar with the Spring Security framework, the "ROLE_" prefix is
>>> added by that when converting the user groups to role authorities. You can
>>> check http://fmanea.blogspot.com/2015/04/spring-security-role-prefix.html, or
>>> search Google for more discussions. It is a little tricky; we should have a
>>> specific document on this. And we welcome contribution from the community;
>>> if you'd like to do a summary from a Kylin end user's perspective, that
>>> would be very nice. I believe you know more about LDAP setup and
>>> configurations than me :)
>>>
>>> Regarding the problem you described, we will double check. In the
>>> meanwhile you can report a JIRA at
>>> https://issues.apache.org/jira/browse/KYLIN and we will follow it up
>>> there. Thanks!
>>>
>>> 2015-12-14 21:25 GMT+08:00 Marek Wiewiorka <[email protected]>:
>>>
>>>> Ok - I found the root cause for point 1 - it was just a typo.
>>>> But I still do not understand how to proceed with ACLs.
>>>>
>>>> Thanks and I'm sorry for the confusion.
>>>> BTW the part with prefixing entries with "ROLE_" is tricky and I do not
>>>> think it's documented anywhere.
>>>>
>>>> Regards,
>>>> Marek
>>>>
>>>> 2015-12-14 14:07 GMT+01:00 Marek Wiewiorka <[email protected]>:
>>>>
>>>>> Hi - thanks!
>>>>>
>>>>> Regarding my first question - I tried as follows:
>>>>>
>>>>> #properties:
>>>>> acl.adminRole=ROLE_KYLIN_ADMINS
>>>>>
>>>>> #LDAP:
>>>>> [image: Inline image 1]
>>>>>
>>>>> Debug output:
>>>>>
>>>>> [http-bio-7070-exec-5]:[2015-12-14 12:57:14,757][DEBUG][org.springframework.security.ldap.SpringSecurityLdapTemplate.searchForSingleAttributeValues(SpringSecurityLdapTemplate.java:152)] - Using filter: (member=uid=kylinadmin,ou=users,dc=example,dc=net)
>>>>> [http-bio-7070-exec-5]:[2015-12-14 12:57:14,757][DEBUG][org.springframework.security.ldap.SpringSecurityLdapTemplate.searchForSingleAttributeValues(SpringSecurityLdapTemplate.java:152)] - Using filter: (member=uid=kylinadmin,ou=users,dc=example,dc=net)
>>>>> [http-bio-7070-exec-5]:[2015-12-14 12:57:14,763][DEBUG][org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator.getGroupMembershipRoles(DefaultLdapAuthoritiesPopulator.java:219)] - Roles from search: [KYLIN_ADMINS]
>>>>> [http-bio-7070-exec-5]:[2015-12-14 12:57:14,763][DEBUG][org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator.getGroupMembershipRoles(DefaultLdapAuthoritiesPopulator.java:219)] - Roles from search: [KYLIN_ADMINS]
>>>>> [http-bio-7070-exec-5]:[2015-12-14 12:57:14,763][DEBUG][org.springframework.security.ldap.userdetails.LdapUserDetailsMapper.mapUserFromContext(LdapUserDetailsMapper.java:51)] - Mapping user details from context with DN: uid=kylinadmin,ou=users,dc=example,dc=net
>>>>> [http-bio-7070-exec-5]:[2015-12-14 12:57:14,763][DEBUG][org.springframework.security.ldap.userdetails.LdapUserDetailsMapper.mapUserFromContext(LdapUserDetailsMapper.java:51)] - Mapping user details from context with DN: uid=kylinadmin,ou=users,dc=example,dc=net
>>>>>
>>>>> Still I do not have admin rights (particularly I cannot see the admin tab
>>>>> in the UI).
>>>>>
>>>>> 2) What I meant is that cube ACLs do not work for me as well.
>>>>> I'm calling the REST API with a SQL query with a user that isn't in any
>>>>> ACL - so does not have even read right.
>>>>> The user is authenticated using LDAP, isn't a member of any group, the default
>>>>> acl role isn't set at all, but the call does not fail - the user can read data
>>>>> from the cube via the REST API.
>>>>> I assume it's wrong and by default no one should be allowed to read
>>>>> the data unless they are a member of a group that has at least CUBE_READ
>>>>> privilege, right?
>>>>>
>>>>> Marek
>>>>>
>>>>> 2015-12-13 13:41 GMT+01:00 ShaoFeng Shi <[email protected]>:
>>>>> >
>>>>> > For question 1) map an LDAP group to the admin role in Kylin
>>>>> >
>>>>> > In conf/kylin.properties there are two properties:
>>>>> > acl.adminRole=
>>>>> > acl.defaultRole=
>>>>> >
>>>>> > "acl.adminRole" is mapped to the LDAP group which you want to grant
>>>>> > the admin role in Kylin. For example, in LDAP you create a group called
>>>>> > "KYLIN_ADMINS", then here you should set the property value to
>>>>> > "ROLE_KYLIN_ADMINS". Then when a user from this group logs in to Kylin, he
>>>>> > will have the admin authority (can see the "Admin" tab and do all actions).
>>>>> >
>>>>> > "acl.defaultRole" is the default roles that you want to grant to all
>>>>> > authenticated users; in our case, we set this property to
>>>>> > "ROLE_ANALYST,ROLE_MODELER", which means every login user has the analyst and
>>>>> > modeler roles.
>>>>> >
>>>>> > Besides this, you can grant the permissions at cube level; please
>>>>> > find the "Access" tab when expanding a cube.
>>>>> >
>>>>> > For question 2), I didn't get your point; a sample case should be
>>>>> > helpful.
>>>>> >
>>>>> > 2015-12-12 22:03 GMT+08:00 Marek Wiewiorka <[email protected]>:
>>>>> >>
>>>>> >> I would be extremely grateful!!!
>>>>> >> In the first place if you could please write a few hints on how to
>>>>> >> configure cube ACLs + admin role mapping with LDAP.
>>>>> >>
>>>>> >> Many thanks in advance!
>>>>> >> Marek
>>>>> >>
>>>>> >> 2015-12-12 12:28 GMT+01:00 Shaofeng Shi <[email protected]>:
>>>>> >>>
>>>>> >>> I planned to write a doc on this, but it seems it needs to be prioritized
>>>>> >>> now.
>>>>> >>>
>>>>> >>> Marek Wiewiorka <[email protected]> wrote:
>>>>> >>>
>>>>> >>> Hi All - I managed to get LDAP authentication working but I'm
>>>>> >>> unable to set up proper authorization.
>>>>> >>>
>>>>> >>> Has anybody of you got it working properly - role mapping,
>>>>> >>> privileges on cubes with LDAP?
>>>>> >>>
>>>>> >>> I will summarize briefly what I wasn't able to do:
>>>>> >>> 1) map an LDAP group to the admin role in Kylin
>>>>> >>> 2) Despite granting only one group 'cube query' privilege on a cube,
>>>>> >>> everyone who is properly authenticated can query the data, which is
>>>>> >>> obviously wrong.
>>>>> >>>
>>>>> >>> Any help more than welcome!
>>>>> >>>
>>>>> >>> Marek
>>>>> >
>>>>> > --
>>>>> > Best regards,
>>>>> >
>>>>> > Shaofeng Shi
>>>
>>> --
>>> Best regards,
>>>
>>> Shaofeng Shi

--
Best regards,

Shaofeng Shi
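The two mechanisms the thread turns on, the "ROLE_" prefix that Spring Security prepends to LDAP group names before `acl.adminRole` is compared against them, and the deny-by-default cube ACL check that Marek expects for `CUBE_READ`, can be modelled in a few lines. The following is an added illustration, not Kylin's or Spring Security's own code: the group-to-authority step mirrors the documented defaults of `DefaultLdapAuthoritiesPopulator` (prefix `ROLE_`, upper-casing on), while the cube ACL table, the permission names other than `CUBE_READ`, and the `sales_cube` name are constructed for the example.

```python
"""Added example modelling Kylin's LDAP role mapping and a deny-by-default
cube ACL check as discussed in the thread. Not Kylin's own code."""
from typing import Dict, Iterable, List, Set

ROLE_PREFIX = "ROLE_"     # Spring Security's default role prefix
CUBE_READ = "CUBE_READ"   # the minimum cube permission named in the thread

# Constructed sample data: permission ranks and a cube ACL (cube -> {authority: permission}).
# Permission names other than CUBE_READ and the cube name are assumptions for this example.
PERMISSION_RANK: Dict[str, int] = {"CUBE_READ": 1, "CUBE_OPERATION": 2, "CUBE_ADMIN": 3}
SAMPLE_CUBE_ACL: Dict[str, Dict[str, str]] = {
    "sales_cube": {"ROLE_KYLIN_ADMINS": "CUBE_ADMIN", "ROLE_ANALYST": "CUBE_READ"},
}


def group_to_authority(group_cn: str) -> str:
    """Mimic DefaultLdapAuthoritiesPopulator's defaults: upper-case the LDAP
    group name and prepend ROLE_, so LDAP group KYLIN_ADMINS -> ROLE_KYLIN_ADMINS."""
    return ROLE_PREFIX + group_cn.upper()


def parse_role_list(value: str) -> List[str]:
    """Parse a comma-separated property such as acl.defaultRole=ROLE_ANALYST,ROLE_MODELER."""
    return [r.strip() for r in value.split(",") if r.strip()]


def authorities_for(ldap_groups: Iterable[str], default_role_prop: str) -> Set[str]:
    """Authorities a logged-in user ends up with: ROLE_-prefixed LDAP groups
    plus whatever acl.defaultRole grants to every authenticated user."""
    auths = {group_to_authority(g) for g in ldap_groups}
    auths.update(parse_role_list(default_role_prop))
    return auths


def is_admin(authorities: Set[str], admin_role_prop: str) -> bool:
    """acl.adminRole is compared against the already-prefixed authority,
    which is why the property value itself must start with ROLE_."""
    return admin_role_prop in authorities


def admin_role_misconfigured(authorities: Set[str], admin_role_prop: str) -> bool:
    """Diagnostic: True when acl.adminRole would match a user's group only
    once ROLE_ is prepended, i.e. the prefix was left off the property."""
    if admin_role_prop.startswith(ROLE_PREFIX):
        return False
    return (ROLE_PREFIX + admin_role_prop) in authorities


def can_read_cube(authorities: Set[str], cube: str,
                  cube_acl: Dict[str, Dict[str, str]] = SAMPLE_CUBE_ACL) -> bool:
    """Deny-by-default check: the caller needs CUBE_READ or higher granted to
    at least one of their authorities on this cube; no grant means no data."""
    grants = cube_acl.get(cube, {})
    needed = PERMISSION_RANK[CUBE_READ]
    return any(PERMISSION_RANK.get(grants.get(a, ""), 0) >= needed for a in authorities)


if __name__ == "__main__":
    # Member of LDAP group KYLIN_ADMINS, acl.adminRole set without the prefix: not admin.
    auths = authorities_for(["KYLIN_ADMINS"], "")
    print(sorted(auths), is_admin(auths, "KYLIN_ADMINS"), admin_role_misconfigured(auths, "KYLIN_ADMINS"))
    # Same user with acl.adminRole=ROLE_KYLIN_ADMINS: admin.
    print(is_admin(auths, "ROLE_KYLIN_ADMINS"))
    # Authenticated user in no group with no acl.defaultRole: denied on the cube.
    print(can_read_cube(authorities_for([], ""), "sales_cube"))
```

Running the script prints the prefixed authority set, `False`/`True` for the diagnostic, `True` for the corrected property, and `False` for the group-less user, which is the outcome Marek describes as the expected one for his second case.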
