Security issues

Tune security logging and troubleshoot authentication issues.

Increase security log levels in the Pentaho Server

The security logging facilities of the Pentaho Server are set to ERROR by default. This level might not provide enough detail for troubleshooting.

Use this procedure to enable verbose security logging.

  1. Stop the Pentaho Server.

    sh /usr/local/pentaho/server/pentaho-server/stop-pentaho.sh
  2. Open /pentaho/server/pentaho-server/tomcat/webapps/pentaho/WEB-INF/classes/log4j2.xml.

  3. Change or add the ThresholdFilter value in the <Console> or <RollingFile> sections. log4j2 accepts TRACE, DEBUG, INFO, WARN, ERROR, and FATAL; use DEBUG for troubleshooting. The filter discards events below its level, so the DEBUG loggers added in the next step write nothing while the appender filter stays at ERROR.

    <Console name="PENTAHOCONSOLE">
      <ThresholdFilter level="ERROR"/>
      <PatternLayout>
        <Pattern>%d{ABSOLUTE} %-5p [%c{1}] %m%n</Pattern>
      </PatternLayout>
    </Console>
  4. Add the following Logger elements inside <Loggers>, directly above the <Root> element:

    <!-- all Spring Security classes will be set to DEBUG -->
    <Logger name="org.springframework.security" level="DEBUG"/>
    
    <!-- all Pentaho security-related classes will be set to DEBUG -->
    <Logger name="org.pentaho.platform.engine.security" level="DEBUG"/>
    <Logger name="org.pentaho.platform.plugin.services.security" level="DEBUG"/>
  5. Save the file.

  6. Edit the Spring Security configuration file for your security provider in /pentaho/server/pentaho-server/pentaho-solutions/system/.

    • applicationContext-spring-security-memory.xml

    • applicationContext-spring-security-jdbc.xml

    • applicationContext-spring-security-ldap.xml

  7. Find the daoAuthenticationProvider bean definition.

  8. Add this property anywhere inside the bean, before </bean>. Spring Security normally reports an unknown user name as the same generic bad-credentials failure as a wrong password; setting this to false lets the log show which one occurred:

    <property name="hideUserNotFoundExceptions" value="false" />
  9. Save the file.

  10. Start the Pentaho Server.

    sh /usr/local/pentaho/server/pentaho-server/start-pentaho.sh

Verbose security messages are written to /pentaho/server/pentaho-server/logs/pentaho.log. When you finish testing, restore the ERROR levels and remove the hideUserNotFoundExceptions property: DEBUG output from the security filters grows the log quickly, and a server that reports unknown users differently from wrong passwords helps an attacker enumerate valid accounts.
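As an added check, not part of the Pentaho documentation or code base, the following Python script reports settings from this procedure that are still in their troubleshooting state: appender ThresholdFilters or the three security loggers at DEBUG or TRACE in log4j2.xml, and hideUserNotFoundExceptions set to false on the daoAuthenticationProvider bean. It parses the same two files the steps edit. The XML embedded in it is a constructed sample; on a server, pass the real file paths on the command line.

```python
"""Find security-logging settings left over from troubleshooting a Pentaho Server.

Added example, not part of the Pentaho documentation or code base. After the procedure
above, log4j2.xml has security loggers at DEBUG and daoAuthenticationProvider has
hideUserNotFoundExceptions=false; both should be reverted when testing is done. The XML
below is constructed for the example.
"""
import sys
import xml.etree.ElementTree as ET

SECURITY_LOGGERS = {
    "org.springframework.security",
    "org.pentaho.platform.engine.security",
    "org.pentaho.platform.plugin.services.security",
}
VERBOSE = {"DEBUG", "TRACE", "ALL"}

SAMPLE_LOG4J2 = """\
<Configuration status="WARN">
  <Appenders>
    <Console name="PENTAHOCONSOLE">
      <ThresholdFilter level="DEBUG"/>
      <PatternLayout><Pattern>%d{ABSOLUTE} %-5p [%c{1}] %m%n</Pattern></PatternLayout>
    </Console>
  </Appenders>
  <Loggers>
    <Logger name="org.springframework.security" level="DEBUG"/>
    <Logger name="org.pentaho.platform.engine.security" level="DEBUG"/>
    <Logger name="org.hibernate" level="ERROR"/>
    <Root level="ERROR"><AppenderRef ref="PENTAHOCONSOLE"/></Root>
  </Loggers>
</Configuration>
"""

# Constructed sample; Spring bean files declare a default namespace, which the parser keeps.
SAMPLE_SPRING = """\
<beans xmlns="http://www.springframework.org/schema/beans">
  <bean id="daoAuthenticationProvider"
        class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
    <property name="userDetailsService" ref="userDetailsService"/>
    <property name="hideUserNotFoundExceptions" value="false"/>
  </bean>
</beans>
"""


def _local(tag):
    """Strip an XML namespace: '{uri}bean' -> 'bean'."""
    return tag.rsplit("}", 1)[-1]


def audit_log4j2(xml_text):
    """Return findings for appender filters or security loggers still at a verbose level."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        tag = _local(elem.tag).lower()          # log4j2 element names are case-insensitive
        level = (elem.get("level") or "").upper()
        if tag == "thresholdfilter" and level in VERBOSE:
            findings.append(f"ThresholdFilter level={level}; default is ERROR")
        elif tag == "logger" and elem.get("name") in SECURITY_LOGGERS and level in VERBOSE:
            findings.append(f"Logger {elem.get('name')} level={level}; remove it or raise the level")
    return findings


def audit_spring_security(xml_text):
    """Return a finding if daoAuthenticationProvider still has hideUserNotFoundExceptions=false."""
    findings = []
    for bean in ET.fromstring(xml_text).iter():
        if _local(bean.tag) != "bean" or bean.get("id") != "daoAuthenticationProvider":
            continue
        for prop in bean:
            if _local(prop.tag) != "property" or prop.get("name") != "hideUserNotFoundExceptions":
                continue
            value = prop.get("value")           # attribute form, as in the procedure above
            if value is None:                   # or a nested <value> element
                child = next((c for c in prop if _local(c.tag) == "value"), None)
                value = child.text if child is not None else ""
            if (value or "").strip().lower() == "false":
                findings.append("daoAuthenticationProvider: hideUserNotFoundExceptions=false; "
                                "remove the property to restore the default (true)")
    return findings


def audit_files(log4j2_path, spring_path):
    """Audit the two files edited in the procedure; returns the combined findings."""
    with open(log4j2_path, encoding="utf-8") as f:
        findings = audit_log4j2(f.read())
    with open(spring_path, encoding="utf-8") as f:
        findings += audit_spring_security(f.read())
    return findings


if __name__ == "__main__":
    if len(sys.argv) == 3:
        results = audit_files(sys.argv[1], sys.argv[2])
    else:
        results = audit_log4j2(SAMPLE_LOG4J2) + audit_spring_security(SAMPLE_SPRING)
    for finding in results:
        print("REVERT:", finding)
    sys.exit(1 if results else 0)
```

Run it with the log4j2.xml path and the applicationContext-spring-security-*.xml path for your provider; a non-zero exit means something is still in troubleshooting state, which makes it easy to wire into a post-change check.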

Enable extra LDAP security logging

Use this procedure when you need more LDAP details in pentaho.log.

  1. Stop the Pentaho Server.

  2. Open applicationContext-spring-security-ldap.xml from /pentaho/server/pentaho-server/pentaho-solutions/system.

  3. Locate the bean declaration for DefaultLdapAuthenticationProvider.

  4. Replace the constructor-arg bean.

    Old bean:

    New bean:

  5. Open pentaho-spring-beans.xml in the same directory.

  6. Add this import line:

  7. Save the file.

  8. Open log4j2.xml from /pentaho-server/tomcat/webapps/pentaho/WEB-INF/classes.

  9. Add this logger:

  10. Save the file.

  11. Start the Pentaho Server.

Log output security analysis

Use these examples to locate security configuration issues in pentaho.log.

  • When you request a protected page while not signed in:

  • When the user name or password does not match what is stored in the back end:

  • When authentication succeeds:

After InteractiveAuthenticationSuccessEvent, the filters show the roles fetched for the user. Compare these roles to the page-role mapping in the filterInvocationInterceptor bean in applicationContext-spring-security.xml.
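The following Python script is an added example, not part of the Pentaho documentation or code base, of triaging pentaho.log once the DEBUG loggers above are active. It reads lines in the PatternLayout shown in log4j2.xml (%d{ABSOLUTE} %-5p [%c{1}] %m%n), classifies them by the Spring Security class names they contain, pulls the granted roles recorded at login so you can compare them with the filterInvocationInterceptor mapping, and raises findings for two patterns worth knowing about: UsernameNotFoundException appearing in the log (hideUserNotFoundExceptions is still false) and a burst of bad-credential failures. The class names are Spring Security's; the surrounding message text, the Granted Authorities=[...] format and every line in SAMPLE_LOG are constructed for this example, not captured from a server.

```python
"""Triage authentication events in pentaho.log.

Added example, not part of the Pentaho documentation or code base. Lines follow the
PatternLayout %d{ABSOLUTE} %-5p [%c{1}] %m%n. Classification keys on Spring Security class
names; the message text, the 'Granted Authorities=[...]' format and SAMPLE_LOG are constructed.
"""
import re
import sys
from collections import Counter
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\d{2}:\d{2}:\d{2},\d{3}) (\w+)\s+\[([^\]]+)\] (.*)$")
ROLES_RE = re.compile(r"Granted Authorities=\[([^\]]*)\]")

# Class-name marker -> event category; the first marker found in a message wins.
CATEGORIES = (
    ("UsernameNotFoundException", "unknown_user"),
    ("BadCredentialsException", "bad_password"),
    ("AccessDeniedException", "access_denied"),
    ("InteractiveAuthenticationSuccessEvent", "login_ok"),
    ("AuthenticationCredentialsNotFoundException", "not_signed_in"),
)

SAMPLE_LOG = """\
14:02:11,532 DEBUG [ExceptionTranslationFilter] Authentication exception; redirecting to entry point: org.springframework.security.authentication.AuthenticationCredentialsNotFoundException
14:02:15,004 DEBUG [ProviderManager] Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
14:02:15,021 DEBUG [UsernamePasswordAuthenticationFilter] Authentication request failed: org.springframework.security.core.userdetails.UsernameNotFoundException: bob
14:02:16,310 DEBUG [UsernamePasswordAuthenticationFilter] Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials
14:02:17,118 DEBUG [UsernamePasswordAuthenticationFilter] Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials
14:02:17,905 DEBUG [UsernamePasswordAuthenticationFilter] Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials
14:02:18,640 DEBUG [UsernamePasswordAuthenticationFilter] Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials
14:02:19,377 DEBUG [UsernamePasswordAuthenticationFilter] Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials
14:03:02,771 DEBUG [UsernamePasswordAuthenticationFilter] Authentication success: Principal=alice, Granted Authorities=[Authenticated, pentahoUsers]
14:03:02,775 DEBUG [DefaultAuthenticationEventPublisher] Publishing org.springframework.security.authentication.event.InteractiveAuthenticationSuccessEvent
14:03:05,210 DEBUG [ExceptionTranslationFilter] Access is denied; delegating to AccessDeniedHandler: org.springframework.security.access.AccessDeniedException
"""


def parse(log_text):
    """Yield (time, level, logger, message); lines not matching the layout (stack traces) are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.strptime(m.group(1), "%H:%M:%S,%f"), m.group(2), m.group(3), m.group(4)


def classify(message):
    """Map a message to an event category, or None if it carries no known marker."""
    for marker, category in CATEGORIES:
        if marker in message:
            return category
    return None


def bad_password_burst(times, threshold=5, window=timedelta(seconds=60)):
    """Largest number of failures inside one sliding window, or 0 if it never reaches threshold."""
    times = sorted(times)
    start, best = 0, 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best if best >= threshold else 0


def triage(log_text):
    """Return (event counts, granted-role lists seen at login, findings)."""
    counts, granted, failures, findings = Counter(), [], [], []
    for t, _level, _logger, msg in parse(log_text):
        category = classify(msg)
        if category:
            counts[category] += 1
        if category == "bad_password":
            failures.append(t)
        m = ROLES_RE.search(msg)
        if m:
            granted.append([r.strip() for r in m.group(1).split(",") if r.strip()])
    if counts["unknown_user"]:
        findings.append("UsernameNotFoundException is logged: hideUserNotFoundExceptions is still false, "
                        "so unknown users are distinguishable from wrong passwords (account enumeration)")
    burst = bad_password_burst(failures)
    if burst:
        findings.append(f"{burst} bad-credential failures inside 60 seconds: possible password guessing")
    if counts["access_denied"] and granted:
        findings.append(f"AccessDeniedException after a login that granted {granted[-1]}: compare these "
                        "roles with the filterInvocationInterceptor page-role mapping")
    return counts, granted, findings


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as f:
            text = f.read()
    else:
        text = SAMPLE_LOG
    counts, granted, findings = triage(text)
    print("events:", dict(counts))
    print("roles granted at login:", granted)
    for finding in findings:
        print("FINDING:", finding)
```

Point it at /pentaho/server/pentaho-server/logs/pentaho.log after reproducing the problem; the burst threshold and window are parameters of bad_password_burst, so tune them to your login volume before treating the finding as an alert.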

If you are troubleshooting LDAP, look for output like this:

LDAP roles issues with Admin and Authenticated

When you use LDAP, do not name roles Admin or Authenticated. Use pentahoAdmins and pentahoUsers, or other distinct names, and change every place the old names appear:

  1. Open /pentaho-solutions/system/applicationContext-spring-security.xml.

  2. At the bottom, find URL security entries like:

  3. Replace Authenticated with pentahoUsers (or your chosen name).

    Example:

    \A/docs/.*\Z=Anonymous,pentahoUsers

  4. Replace Admin with pentahoAdmins (or your chosen name).

  5. Edit /pentaho-solutions/system/repository.spring.xml.

  6. Change the authenticated role name.

    From:

    To:

  7. Change the admin role name.

    From:

    To:
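Steps 2 to 4 amount to rewriting the role list on each URL-security entry. The following Python script is an added example, not part of the Pentaho documentation or code base, that does this for the entries held by the filterInvocationInterceptor bean (one per line, a URL regex anchored with \A and \Z, then =, then a comma-separated role list). It matches Admin and Authenticated only as whole role tokens, so a role such as Administrator in the constructed sample is left alone where a plain text replace would mangle it, and it compiles each URL pattern so a typo fails here rather than at server start. The entries in SAMPLE_ENTRIES are constructed for this example; repository.spring.xml (steps 5 to 7) is not covered.

```python
r"""Rename reserved role names in Pentaho URL-security entries.

Added example, not part of the Pentaho documentation or code base. Each entry has the form
<url regex anchored with \A and \Z>=<role>,<role>. Roles are renamed as whole tokens only;
every URL pattern is compiled to catch a bad regex early. SAMPLE_ENTRIES is constructed.
"""
import re

RENAMES = {"Admin": "pentahoAdmins", "Authenticated": "pentahoUsers"}

SAMPLE_ENTRIES = r"""
\A/docs/.*\Z=Anonymous,Authenticated
\A/pentaho/admin.*\Z=Admin
\A/pentaho/administrator.*\Z=Administrator
\A/api/.*\Z=Authenticated,Admin
""".strip()


def split_entry(line):
    """Return (url_pattern, [roles]) for one entry; the role list follows the last '='."""
    pattern, sep, roles = line.strip().rpartition("=")
    if not sep:
        raise ValueError(f"entry has no '=': {line!r}")
    re.compile(pattern)  # raises re.error if the URL pattern is not a valid regex
    return pattern, [r.strip() for r in roles.split(",") if r.strip()]


def rename_roles(entries_text, renames=RENAMES):
    """Rewrite every entry, replacing whole role tokens listed in renames."""
    out = []
    for line in entries_text.splitlines():
        if not line.strip():
            continue
        pattern, roles = split_entry(line)
        out.append(f"{pattern}={','.join(renames.get(r, r) for r in roles)}")
    return "\n".join(out)


def leftover_reserved(entries_text, reserved=frozenset(RENAMES)):
    """Return the reserved role names that still appear as whole tokens in any entry."""
    found = set()
    for line in entries_text.splitlines():
        if line.strip():
            found.update(set(split_entry(line)[1]) & reserved)
    return found


if __name__ == "__main__":
    renamed = rename_roles(SAMPLE_ENTRIES)
    print(renamed)
    print("leftover reserved roles:", leftover_reserved(renamed) or "none")
```

Paste the entries from the bottom of applicationContext-spring-security.xml in place of SAMPLE_ENTRIES, or feed them from a file; run leftover_reserved on the result before saving so no entry still grants access by the old names.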

With LDAP authentication, the PDI Repository Explorer is empty

This can happen when you log on to a solution repository from the PDI client, then later switch authentication to LDAP. Repository IDs and security structures can become inconsistent.

To fix it, delete the security settings created by the previous authentication method; the server regenerates them for LDAP at the next start. Back up the jackrabbit repository directory before you delete anything from it.

  1. Stop the Pentaho Server.

  2. Delete the security and default directories from:

    /pentaho-solutions/system/jackrabbit/repository/workspaces/

  3. Start the Pentaho Server.

LDAP incorrectly authenticates user IDs that do not match letter case

Some LDAP directories match user IDs without regard to letter case; Microsoft Active Directory is the common example.

This lets a user who enters bILL authenticate as the directory account Bill, and the case mismatch can result in incorrect access being granted.

  1. Stop the Pentaho Server.

  2. Edit /pentaho/server/pentaho-server/pentaho-solutions/system/applicationContext-spring-security-ldap.xml.

  3. Find this bean:

    <bean class="org.pentaho.platform.plugin.services.security.userrole.ldap.DefaultLdapAuthenticationProvider">

  4. Below the last </constructor-arg> in that bean, add:

  5. After the </bean> tag for daoAuthenticationProvider, add this bean. Set ldapUsernameAttribute to match your environment:

  6. Start the Pentaho Server.

Connection timeout issues when using CAS

CAS session timeouts can prevent users from signing in and can block data reloads until they refresh the page.

Configure the Pentaho session timeout to exceed the CAS session timeout.

  1. Stop the Pentaho Server.

  2. Open pentaho-server/tomcat/webapps/pentaho/WEB-INF/web.xml.

  3. Find session-config.

  4. Increase session-timeout (default is 120 minutes).

  5. Locate the Pentaho Web Context Filter.

  6. Add this init-param:

  7. Save the file.

  8. Open pentaho-server/pentaho-solutions/system/applicationContext-spring-security-cas.xml.

  9. Locate the httpSessionPentahoSessionContextIntegrationFilter bean.

  10. Set ssoEnabled from true to false.

  11. Save the file.

  12. Restart the Pentaho Server.

When the session expires, users see a timeout dialog. Closing the dialog triggers CAS reauthentication.

Cannot change Administrator password in PUC

When you add an administrator account in the Pentaho User Console (PUC), you have:

  • the default admin password

  • a password for the additional administrator account

When you change the password for the additional administrator account, you might see an error. The Administrator password field expects the password of the administrator who is currently signed in, not the password of the account being changed.

Change PUC Password dialog box

Snowflake logging errors

You might see this warning while connecting to Snowflake:

WARNING: Connect strings must start with jdbc:snowflake://

Pentaho 9.5 upgraded the Snowflake JDBC driver to 3.13.29 to address security concerns.

To resolve the warning, download Snowflake JDBC driver 3.13.30 from:

https://repo1.maven.org/maven2/net/snowflake/snowflake-jdbc/3.13.30/snowflake-jdbc-3.13.30.jar

Verify the download against the .sha1 checksum published next to the JAR on Maven Central, then replace the existing Snowflake JDBC JAR in:

pentaho-server/tomcat/webapps/pentaho/WEB-INF/lib/
