Pentaho Server security
Pentaho Security is a quick way to configure security. It works well without a security provider. It also works well for communities under 100 users.
The Pentaho User Console (PUC) lets you define security by users and roles. The Pentaho Server controls which users and roles can access web resources and repository content.
Hiding user folders in PUC and PDI
One way you can centralize and secure content created by users is to hide individual users' Home folders in the Pentaho User Console (PUC) or in the PDI client. For example, if your organization implements multi-tenancy, you may want to prevent individual users from viewing their Home folders for security reasons.
You can configure your server to hide the Home folders by default for both PUC and PDI. When you create new users in your system, their Home folders will be hidden. If a user needs to create, edit, or save content, you can provide the Write permission in a folder that is visible to that user. Those users can then view the folder and access the content. You can add the Write permission in PUC and in the PDI client.
These tasks assume you are a Pentaho Administrator.
Perform the following steps to edit the system.properties file so that when you create new users, their Home folders will be hidden by default.
Stop the Pentaho Server.
See the Install Pentaho Data Integration and Analytics document for instructions on starting and stopping the Pentaho Server.
Navigate to /Pentaho/server/pentaho-server/pentaho-solutions/system and open system.properties in a text editor.
Locate the hideUserHomeFolderOnCreate property. By default, this property is set to false.
Change the setting to true: hideUserHomeFolderOnCreate=true
Save and close system.properties.
Start the Pentaho Server.
See the Install Pentaho Data Integration and Analytics document for instructions on starting and stopping the Pentaho Server.
Now when you add a new user in either PUC or the PDI client, that user's Home folder is hidden by default.
Next steps:
To override this setting for a specific user, see Override the hidden Home folder for a user.
To stop hiding Home folders by default when you create new users, see Stop hiding the Home folder for new users.
If a user with a hidden Home folder needs to create, edit, or save content, grant Write permission using PUC or the PDI client.
Override the hidden Home folder for a user
Follow these steps to override the hidden Home folder for a specific user.
Log in to PUC with your Pentaho Administrator credentials.
Go to Browse Files.
Select the user’s Home folder.
In the Properties dialog box, clear Hidden.
The user's Home folder is now visible.
Stop hiding the Home folder for new users
Follow these steps to stop creating users with their Home folders hidden by default.
Stop the Pentaho Server.
Navigate to /Pentaho/server/pentaho-server/pentaho-solutions/system and open system.properties in a text editor.
Locate the hideUserHomeFolderOnCreate property.
Change the setting to false: hideUserHomeFolderOnCreate=false
Save and close system.properties.
Start the Pentaho Server.
When you add a new user in either PUC or the PDI client, that user's Home folder is now visible.
See the Install Pentaho Data Integration and Analytics document for instructions on starting and stopping the Pentaho Server.
Assign the Write permission to a user folder in PUC
In PUC you can assign Write permission in a public folder to a user whose Home folder is hidden. When this permission is granted, the user can save and edit content they create using PUC.
Log in to PUC with your Pentaho Administrator credentials.
Select the Public folder, and then select or create the folder you want the user to access.
Assign Write permission:
Click Properties > Share and clear Inherits folder permissions.
Click Add and select the user.
Select Write for the user.
Click OK to save your changes.
The user can now save content in the assigned folder.
Assign the Write permission to a user folder in the PDI client
In the PDI client you can assign the Write permission in a public folder to a user whose Home folder is hidden. When this permission is granted, the user can save and edit content they create using the PDI client.
Start the PDI client.
See the Pentaho Data Integration document for instructions on starting the PDI client.
Connect to a Pentaho Repository with your Pentaho Administrator credentials.
Open the Repository Explorer: Tools > Repository > Explore.
On the Browse tab, select the Public folder, and then select or create the folder you want the user to access.
Select the folder and grant Write permission:
On the Access Control panel, clear Inherit access control from parent.
Click the Plus sign to add a user.
Select the user and move them to Selected. Click OK.
Select the user in User/Role and select Write.
Click Apply, then click OK.
Close the Repository Explorer.
The user can now save content in the assigned folder.
Restrict or share files and folders
Access to files or folders can be refined using the Pentaho User Console. Each file or folder can either use the default permissions or you can tailor them for specific users and roles.
Prior to performing this task, determine whether you will use the default Pentaho roles or create custom users and roles. You must also have successfully set up your security back end.
Log in to the User Console using the administrator role.
From Browse Files, choose the folder you want to set permissions on from the Folders pane.
If you want to set permissions on a specific file in that folder, highlight the file in the Files pane.
Click Properties in the Actions pane.
The Properties window appears.
On the Share tab, select the Role that you want to set permissions for. Then clear Inherits folder permissions.
Permissions for [Role] becomes available.
Select permissions for that role, then click OK.
The permissions are set for that file or folder and are associated with the selected role.
For additional security in multi-tenancy organizations, you can hide individual users' Home folders. See Hiding user folders in PUC and PDI.
Pass authentication credentials in URL parameters
This section is currently a placeholder. Add the approved guidance for passing credentials in URL parameters.
Remove Pentaho Server security
You can remove Pentaho Server security by enabling anonymous access or by modifying data source management.
Enable anonymous access
You can bypass built-in security on the Pentaho Server by giving all permissions to anonymous users. An "anonymousUser" is any user, either existing or newly created, that you specify as an all-permissions, no-login user, and to whom you grant the Anonymous role.
This procedure grants full Pentaho Server access to the Anonymous role. It also removes the login requirement.
All of the files you will be using are located in /pentaho/server/pentaho-server/pentaho-solutions/system. Before you begin, stop the Pentaho Server.
Modify application security
Perform the following steps to modify application security:
Open applicationContext-spring-security.xml in a text editor.
Make sure a default anonymous role is defined. Match your bean definition and property value to the following example:
Note: These next steps permit PDI client tools to publish to the Pentaho Server without a user name and password.
Find these two beans in the same file:
filterInvocationInterceptor
filterInvocationInterceptorForWS
Locate the securityMetadataSource property in the beans and match the contents to the following example:
Save and close applicationContext-spring-security.xml.
Modify Pentaho configuration
Perform the following steps to modify the Pentaho configuration:
Open pentaho.xml in a text editor.
Find the anonymous-authentication section under pentaho-system, and define the anonymous user and role as shown in the following example:
Save and close pentaho.xml.
Modify repository properties
Perform the following steps to modify the repository properties:
Open repository-spring.properties in a text editor.
Find singleTenantAdminAuthorityName and replace the value with Anonymous.
Find singleTenantAdminUserName and replace the value with your anonymous user name.
Save and close the file.
Map the appropriate role
Perform the following steps to map roles:
Find all references to the bean id="Mondrian-UserRoleMapper". Make sure the only active mapper is the one shown in the following example:
If you changed pentahoObjects.spring.xml, save and close the file.
You have now worked around Pentaho Server security. If you use the relational metadata database model, refer to Remove Security from Metadata Domain Repository for the next steps.
Remove security from data source management
This procedure changes your data source management so that an anonymous user can access it. These steps are necessary to completely remove security from the Pentaho Server, but they do not remove all security on their own. To remove all security, also enable anonymous access as described above.
Perform the following steps to completely remove security from the Pentaho Server:
Stop the Pentaho Server (if needed).
Open /pentaho/server/pentaho-server/pentaho-solutions/system/data-access/settings.xml in a text editor.
Find <data-access-roles>Administrator</data-access-roles> and change Administrator to Anonymous.
Find <data-access-view-roles>Authenticated,Administrator</data-access-view-roles> and change Authenticated,Administrator to Anonymous.
Find <data-access-view-users>suzy</data-access-view-users> and change suzy to anonymousUser.
Find <data-access-datasource-solution-storage>admin</data-access-datasource-solution-storage> and change admin to anonymousUser.
Save and close the file.
Restart the Pentaho Server.
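A read-only configuration check for the settings changed in the procedures on this page (hideUserHomeFolderOnCreate, singleTenantAdminAuthorityName, and the data-access roles), useful for confirming that a server has not been left with anonymous access enabled. This is an added example, not Pentaho code; the function names and sample file contents are constructed, and the <settings> root element is an assumption.

```python
import xml.etree.ElementTree as ET
# Element names in data-access/settings.xml that the page edits.
DATA_ACCESS_TAGS = ("data-access-roles", "data-access-view-roles",
                    "data-access-view-users",
                    "data-access-datasource-solution-storage")
ANON = {"anonymous", "anonymoususer"}  # role and user names used on the page

def parse_properties(text):
    """Parse key=value lines of a .properties file, skipping comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def audit(system_props, repo_props, settings_xml):
    """Return findings for the settings this page changes."""
    findings = []
    if parse_properties(system_props).get(
            "hideUserHomeFolderOnCreate", "false").lower() != "true":
        # Informational: only a concern where Home folders should be hidden.
        findings.append("system.properties: new Home folders are visible")
    authority = parse_properties(repo_props).get(
        "singleTenantAdminAuthorityName", "")
    if authority.lower() in ANON:
        findings.append("repository-spring.properties: admin authority is " + authority)
    root = ET.fromstring(settings_xml)
    for tag in DATA_ACCESS_TAGS:
        for el in root.iter(tag):
            names = {n.strip().lower() for n in (el.text or "").split(",")}
            if names & ANON:
                findings.append(f"settings.xml: <{tag}> allows anonymous access")
    return findings

# Constructed sample inputs; the <settings> root element is an assumption.
SAMPLE_SYSTEM = "hideUserHomeFolderOnCreate=true\n"
SAMPLE_REPO = ("singleTenantAdminAuthorityName=Anonymous\n"
               "singleTenantAdminUserName=anonymousUser\n")
SAMPLE_SETTINGS = """<settings>
  <data-access-roles>Anonymous</data-access-roles>
  <data-access-view-roles>Authenticated,Administrator</data-access-view-roles>
  <data-access-view-users>suzy</data-access-view-users>
  <data-access-datasource-solution-storage>anonymousUser</data-access-datasource-solution-storage>
</settings>"""
if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_SYSTEM, SAMPLE_REPO, SAMPLE_SETTINGS)))
```

An empty result means none of the checked settings grant anonymous access and new Home folders are hidden by default.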

