Setting up users in opentaps analytics
From Opentaps Wiki
Setting up users in Pentaho
Security in the platform is based in part on the Acegi Security System for Spring [1].
There are various security scenarios: memory (the default configuration), JDBC, and LDAP.
Memory security
You can configure users simply by creating them in configuration files. There are two files that you need to change:
pentaho.war/WEB-INF/applicationContext-acegi-security-memory.xml is used to set up usernames and passwords. To add a new user in the groups "ceo, Admin, User, Authenticated" to Pentaho, go to the following section:
<bean id="userMap" class="java.lang.String">
<constructor-arg type="java.lang.String">
<!-- case matters -->
<value>
<![CDATA[
analytics=opentaps,ceo,Admin,User,Authenticated
]]>
</value>
</constructor-arg>
</bean>
Change that section to look like the following, adding one username=password,group,... line for the new user:
<bean id="userMap" class="java.lang.String">
<constructor-arg type="java.lang.String">
<!-- case matters -->
<value>
<![CDATA[
analytics=opentaps,ceo,Admin,User,Authenticated
newAdminUser=password,ceo,Admin,User,Authenticated
]]>
</value>
</constructor-arg>
</bean>
pentaho.war/WEB-INF/applicationContext-pentaho-security-memory.xml is used to set up groups. To add a new group called myNewGroup to Pentaho, go to the following section:
<bean id="inMemoryUserRoleListService"
class="com.pentaho.security.memory.InMemoryUserRoleListService">
<property name="userRoleListEnhancedUserMap">
<ref local="userRoleListEnhancedUserMapFactoryBean" />
</property>
<property name="userDetailsService" ref="userDetailsService" />
<property name="allAuthorities">
<list>
<bean class="org.acegisecurity.GrantedAuthorityImpl">
<constructor-arg value="Authenticated" />
</bean>
Just below this section, add the following:
<bean class="org.acegisecurity.GrantedAuthorityImpl">
<constructor-arg value="myNewGroup" />
</bean>
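An audit check for the userMap format above, added here as an example and not part of the original page or of Pentaho: it parses the username=password,group,... lines and flags weak passwords and privileged accounts whose password sits in clear text in the WAR. The function names, the WEAK_PASSWORDS deny-list and the PRIVILEGED_ROLES set are assumptions for illustration; the sample XML is constructed from the snippet above.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the userMap bean after the edit shown above.
SAMPLE = """<beans>
<bean id="userMap" class="java.lang.String">
<constructor-arg type="java.lang.String">
<value>
<![CDATA[
analytics=opentaps,ceo,Admin,User,Authenticated
newAdminUser=password,ceo,Admin,User,Authenticated
]]>
</value>
</constructor-arg>
</bean>
</beans>"""

# Hypothetical policy for this example: adjust both sets to your own rules.
WEAK_PASSWORDS = {"password", "opentaps", "admin", "changeme"}
PRIVILEGED_ROLES = {"Admin", "ceo"}


def parse_user_map(xml_text):
    """Return {username: (password, [roles])} from the userMap bean."""
    root = ET.fromstring(xml_text)
    for bean in root.iter():
        # Compare the local tag name so a namespaced file also works.
        if bean.tag.rsplit("}", 1)[-1] == "bean" and bean.get("id") == "userMap":
            break
    else:
        raise ValueError("no bean with id='userMap'")
    users = {}
    for line in "".join(bean.itertext()).splitlines():
        name, sep, rest = line.strip().partition("=")
        if not sep:
            continue  # blank line or text that is not a user entry
        password, *roles = [p.strip() for p in rest.split(",")]
        users[name.strip()] = (password, roles)
    return users


def audit(users):
    """Return sorted (username, finding) pairs for risky entries."""
    findings = []
    for name, (password, roles) in users.items():
        if password.lower() in WEAK_PASSWORDS or password.lower() == name.lower():
            findings.append((name, "weak-password"))
        if PRIVILEGED_ROLES.intersection(roles):
            findings.append((name, "privileged-cleartext"))
    return sorted(findings)
```

Run audit(parse_user_map(...)) against the deployed applicationContext-acegi-security-memory.xml; both entries in the sample are reported twice, once for the password and once for the privileged groups.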
JDBC security
By default, the Pentaho distribution comes with the "in-memory" security data access object (DAO) enabled.
To switch to the "jdbc" security data access object, edit the web.xml of the pentaho.war application and look for the following section:
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/applicationContext-acegi-security.xml /WEB-INF/applicationContext-common-authorization.xml /WEB-INF/applicationContext-acegi-security-memory.xml /WEB-INF/applicationContext-pentaho-security-memory.xml</param-value>
</context-param>
Change that section to look like:
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/applicationContext-acegi-security.xml /WEB-INF/applicationContext-common-authorization.xml /WEB-INF/applicationContext-acegi-security-jdbc.xml /WEB-INF/applicationContext-pentaho-security-jdbc.xml</param-value>
</context-param>
There are two files involved:
- /WEB-INF/applicationContext-acegi-security-jdbc.xml is the file where the dataSource and the query to find all the users are defined.
- /WEB-INF/applicationContext-pentaho-security-jdbc.xml is the file where the query to find all the groups is defined.
Configuring the Users Database
For Pentaho 1.6, which is used for the current version of opentaps analytics, there are no screens to add or update users; this has to be done manually in the database. For Pentaho 1.7, there is a new application called the Pentaho Administration Console. It has to be installed separately and can be used to manage users.
The database for storing user access information is defined in /WEB-INF/applicationContext-acegi-security-jdbc.xml:
<bean id="dataSource" class="org.springframework.jdbc.datasource.DriverManagerDataSource">
<property name="driverClassName" value="org.hsqldb.jdbcDriver" />
<property name="url" value="jdbc:hsqldb:hsql://localhost:9002/userdb" />
<property name="username" value="sa" />
<property name="password" value="" />
</bean>
Change these settings (driver, URL, username and password) to match the database where you want to keep your users.
By default, user information is stored in the tables granted_authorities and users. The queries used to find the users are:
SELECT username, authority FROM granted_authorities WHERE username = ?
SELECT username, password, enabled FROM users WHERE username = ?
This can also be configured differently. See the default schema for more information.
LDAP security
By default, the Pentaho distribution comes with the "in-memory" security data access object (DAO) enabled.
To switch to the "ldap" security data access object, edit the web.xml of the pentaho.war application and look for the following section:
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/applicationContext-acegi-security.xml /WEB-INF/applicationContext-common-authorization.xml /WEB-INF/applicationContext-acegi-security-memory.xml /WEB-INF/applicationContext-pentaho-security-memory.xml</param-value>
</context-param>
Change that section to look like:
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/applicationContext-acegi-security.xml /WEB-INF/applicationContext-common-authorization.xml /WEB-INF/applicationContext-acegi-security-ldap.xml /WEB-INF/applicationContext-pentaho-security-ldap.xml</param-value>
</context-param>
There are two files involved:
- /WEB-INF/applicationContext-acegi-security-ldap.xml is the file where the access to the LDAP server and the query to find all the users are defined.
- /WEB-INF/applicationContext-pentaho-security-ldap.xml is the file where the query to find all the groups is defined.
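A consistency check for the web.xml edit described in the JDBC and LDAP sections, added here as an example and not part of the original page or of Pentaho: it reads contextConfigLocation and confirms that the acegi and pentaho security files name the same backend, which catches an edit where only one of the two entries was switched. The function names are assumptions for illustration and the sample web.xml is constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the acegi entry was switched to jdbc but the pentaho
# entry was left on memory, i.e. a half-finished edit.
WEB_XML = """<web-app>
<context-param>
<param-name>contextConfigLocation</param-name>
<param-value>/WEB-INF/applicationContext-acegi-security.xml /WEB-INF/applicationContext-common-authorization.xml /WEB-INF/applicationContext-acegi-security-jdbc.xml /WEB-INF/applicationContext-pentaho-security-memory.xml</param-value>
</context-param>
</web-app>"""

# Matches only the backend-specific files, not applicationContext-acegi-security.xml.
DAO_FILE = re.compile(
    r"applicationContext-(acegi|pentaho)-security-(memory|jdbc|ldap)\.xml$")


def configured_backends(web_xml_text):
    """Map 'acegi' and 'pentaho' to the set of backends listed for each."""
    root = ET.fromstring(web_xml_text)
    found = {"acegi": set(), "pentaho": set()}
    for param in root.iter():
        if param.tag.rsplit("}", 1)[-1] != "context-param":
            continue
        fields = {c.tag.rsplit("}", 1)[-1]: (c.text or "") for c in param}
        if fields.get("param-name", "").strip() != "contextConfigLocation":
            continue
        for path in re.split(r"[,;\s]+", fields.get("param-value", "")):
            match = DAO_FILE.search(path)
            if match:
                found[match.group(1)].add(match.group(2))
    return found


def check(web_xml_text):
    """Return (backend, problems); backend is None when the pair is inconsistent."""
    found = configured_backends(web_xml_text)
    problems = []
    for layer in ("acegi", "pentaho"):
        if len(found[layer]) != 1:
            problems.append(
                f"{layer}: expected one DAO file, got {sorted(found[layer])}")
    if problems:
        return None, problems
    (acegi,), (pentaho,) = found["acegi"], found["pentaho"]
    if acegi != pentaho:
        return None, [f"mismatch: acegi={acegi}, pentaho={pentaho}"]
    return acegi, []
```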

