PentahoAdministrationConsole Manual


Page 1: PentahoAdministrationConsole Manual

.01 Introduction

Note: The content on this page is not complete. The community is actively encouraged to add to, edit, and improve this document.

The Pentaho Administration Console provides you with a central location from which to administer your Pentaho deployments. The console aggregates and simplifies many common administrative tasks such as managing users and roles, scheduling jobs, and managing services. The Administration Console changes how you interact with your Pentaho deployments by automating some of the tasks that you now perform manually.

The Pentaho Administration Console offers limited functionality compared to the feature-rich, subscription-only, Pentaho Enterprise Console. The Pentaho Enterprise Console provides additional functionality that allows you to monitor performance, remotely monitor activity on a Carte server instance (for Pentaho Data Integration), verify connections, test configuration settings, configure security, and much more. For more information about the Pentaho Enterprise Console, contact us.

Overview of Console Components

Below is a short description of each page in the Pentaho Administration Console:

Home

From your console home page (shown above), you can access important information about your Pentaho deployment. For example, status indicators appear in the tool bar when there is a critical error, a process that is currently running, or a warning you must research.

Console tool bar

The console tool bar provides you with icons that help you determine the status of your server, console-related errors, console set up, and more. The table below contains a brief description of each icon in the tool bar, from left to right:

Icon: Description
Server online/Server offline: Indicates whether the server is online or offline
Console setup: Opens the console configuration setup page
Refresh console: Refreshes console-related data
Documentation help: Opens this document

Administration

From the Administration page you can manage users and roles, define data sources, manage admin services, and manage public (subscription) and private (regular) schedules.

.02 Installing and Configuring the Pentaho Administration Console

Important: The content on this page is not complete. The community is actively encouraged to add to, edit, and improve this document. Installation and configuration instructions are documented for Release Candidate 2.0.0.

Overview

This section provides you with information and instructions for installing and configuring your Pentaho Administration Console. The following topics are covered here:

* System Requirements
* Opening the Installation Zip File
* Securing the Console
* Enabling SSL in Pentaho Administration Console
* Starting the Pentaho Administration Console
* Stopping the Pentaho Administration Console
* Configuring the Pentaho Administration Console
* Establishing a Trusted Proxy

System Requirements

The Pentaho Administration Console requires Java SE runtime version 1.5 or later. The console has been tested with the Sun HotSpot Client VM. The default memory system parameters of the JVM (such as those parameters specifying maximum heap size) are adequate for running the console. Specifically, Pentaho recommends that you have at least 100 MB of free physical memory.

Opening the Installation Zip File

The biserver-ce-3.5.2.stable.zip (.tar or .gz) file contains all the libraries and script files necessary to run the console. The file is available on Sourceforge. To install the console, unzip this file into an empty directory.

Securing the Console

Before you start the Pentaho Administration Services Console, you must make sure that it is running on a secure server. The console runs as a Web server on the device on which it is started. Please follow the "Configuring Security in Pentaho Administration Console" document to ensure that you have configured security for the console correctly.

Running the Console Locally

By default the Pentaho Administration Console starts up on port 8099. In most instances servers run with a firewall and this port is blocked from external devices unless explicitly configured. Running the console locally provides the highest degree of security. Pentaho strongly recommends that you have a firewall installed on the server running the console.

You can have the console run on an alternate port by editing the console.properties file located at ...\pentaho-open-admin-console\resource\config

Enabling SSL in Pentaho Administration Console

By default the Pentaho Administration Console has SSL disabled. You can enable SSL in Pentaho Administration Console by following a few very easy steps.

Starting the Pentaho Administration Console

Follow the instructions below to start the Pentaho Administration Console in the operating system of your choice.

If you are using this operating system, then follow these instructions:

Windows

1. Open the command window.
2. Go to the install directory. This directory contains the file, console.bat.
3. Type startup.bat and press ENTER.

Once the console is running, the following line appears in the command window: Administration console is now started. Console can be accessed using http://<host-name>:8099 or http://<IP Address>:8099

Linux

1. Open the command window.
2. Go to the install directory. This directory contains the file, console.bat.
3. Type ./startup.sh and press ENTER. (You might need to run chmod +x console.sh before running.)

Once the console is running, the following line appears in the command window: Administration console is now started. Console can be accessed using http://<host-name>:8099 or http://<IP Address>:8099

Mac OS X

1. Open a command window.
2. Go to the install directory. This directory contains the file, console.bat.
3. Type java -jar lib/startup.jar and press RETURN.

Once the console is running, the following line appears in the command window: Administration console is now started. Console can be accessed using http://<host-name>:8099 or http://<IP Address>:8099

Note: The message Address already in use: JVM_Bind as the console starts indicates that another program is using the port required by the Pentaho Administration Console (8099). This port is currently not configurable.

Note 2: The username / password combination for a fresh installation is 'admin' / 'password'. The login details are stored in 'pentaho_dir/administration-console/resource/config/login.properties'. See Configuring Security for more information.

Stopping the Pentaho Administration Console

To stop the server:

1. Open a command window.
2. Go to the install directory that contains the file, stop.bat (or .sh).
3. Type stop.bat and the console will be stopped.

Configuring the Pentaho Administration Console

Before you use the Pentaho Administration Console to administer a BI Server installation you must edit the default entries in the console.xml file (located at ...\pentaho-open-admin-console\resource\config) so that the console can locate the necessary BI platform files.

Setting: Description
<platform-username>: Enter the name of the administrative user.
<biServer-status-check-period>: Enter the time period in which the Pentaho Administration Console will ping the PCI to check if the server is running.
<homepage-timeout>: Enter length of time the Pentaho Administration Console will wait for home page content from the server before displaying static HTML content.
<solution-path>: Paste the path to the solutions directory of the BI Server you want to administer.
<war-path>: Paste the path to the Web application directory of the BI Server you want to administer into the Pentaho Web-App Path text box.

Establishing a Trusted Proxy

In instances where the BI Server and the Pentaho Administration Console are running on separate devices, you must edit the web.xml file to establish a trusted proxy between the PCI and the console. Go to x:\\pentaho-demo\name_of_app_server\webapps\pentaho\WEB-INF, where x corresponds to the drive on which the PCI is installed. In the web.xml file, replace the IP address (localhost) of the device running the Pentaho Administration Console:

.03 Managing Users and Roles

The Pentaho Pre-Configured Installation (PCI) includes sample data and a group of fictitious users. If you are new to Pentaho, you can use the Administration Console to manage real users (and roles) in the BI Platform without having to configure an LDAP-compliant directory such as MSAD (Microsoft Active Directory) while you are performing a proof of concept.

Note: You must have administrative privileges (Admin) to manage users and roles.

Adding Users

Follow the instructions below to add users to the BI Platform:

1. In the Administration Console go to Administration > Users & Roles.
2. Click the Users icon if you are not in Users mode.
3. Click the plus sign (+) next to Users.
4. In the Details pane, enter the User Name, Password, Password Confirmation, and Description.
5. Click OK. The new user's name appears in the list of users.

 

Editing User Information

Follow the instructions below to edit user information:

1. In the Administration Console go to Administration > Users & Roles.
2. Select the user whose information you want to edit.
3. In the Details pane, edit the user details as needed.
4. Click Update.

Deleting Users

Follow the instructions below to delete users and roles from the BI Platform:

1. In the Administration Console go to Administration > Users & Roles.
2. Select the user or users you want to delete from the Users list.
3. Click the minus sign (-) next to Users to delete the users you selected. A confirm message appears.
4. Click OK to refresh the user list.

Finding Users

The User List Filter allows you to find specific users in the list of current users. To find a user, enter the first few letters of the user's name in the text box. A list of names matching your entry appears.

Managing Roles

Adding Roles

Follow the instructions below to add roles to the BI Platform:

1. In the Administration Console go to Administration > Users & Roles.
2. Click the Roles icon if you are not in Roles mode.
3. Click the plus sign (+) next to Roles.
4. In the new window, type a new Role Name and Description.
5. Click OK. The new role appears in the list of roles.

 

Editing Roles

Follow the instructions below to edit roles:

1. In the Administration Console go to Administration > Users & Roles.
2. Select the role you want to edit.
3. In the right pane, edit the details as needed.
4. Click Update.

Deleting Roles

Follow the instructions below to delete roles from the BI Platform:

1. In the Administration Console go to Administration > Users & Roles.
2. Select the role or roles you want to delete from the Roles list.
3. Click the minus sign (-) next to Roles to delete the roles you selected. A confirm message appears.
4. Click OK to refresh the roles list.

Finding Roles

The Role List Filter allows you to find specific roles in the list of current roles. To find a role, enter the first few letters of the role name in the text box. A list of role names matching your entry appears.

.04 Configuring Data Sources

Defining a data source

The Pre-configured Installation (PCI) includes sample data and reports; however, if you are evaluating Pentaho you will want to use and display your own data in the BI Platform. Defining a data source requires the JDBC class name for the database driver, the data source URL (server name, port number, database name) and the user ID and password needed to connect to the database. Contact your database administrator to get the specific details about your database.

Follow the instructions below to configure a "General" data source:

1. In the Administration Console go to Administration > Data Sources.
2. Click General to display basic configuration options.
3. Click + (add) if you cannot find your data source in the list.
4. In the left panel, type an easy-to-remember Connection Name.
5. Type or select the Driver Class from the list. The database driver name you select depends on the type of database you are accessing. For example, org.hsqldb.jdbcDriver is a sample driver name for a HypersonicSQL database.
6. Type the User Name and Password required to access your database.
7. Type or select the URL from the list. This is the URL of your database. For example, jdbc:hsqldb:hsql://localhost/sampledata. JDBC establishes a connection to a SQL-based database and sends and processes SQL statements.
8. Click Test. A success message appears if the connection is established.
9. Click OK to save your entries.

Advanced Configuration

Follow the instructions below to complete an advanced configuration:

1. In the Administration Console go to Administration > Data Sources.
2. Click Advanced to display advanced configuration options.
3. Enter the maximum number of active instances (Max Active Conn) that can be allocated from this pool at the same time.
4. Enter the maximum number of connections that can sit idle (# Idle Conn) in this pool at the same time.
5. Enter a Validation Query. This SQL query can be used by the pool to validate connections before they are returned to the application. If specified, this query must be an SQL SELECT statement that returns at least one row.
6. Enter the maximum number of milliseconds that the pool will "wait" (when there are no available connections) for a connection to be returned before throwing an exception.
7. Click Test. A success message appears if the connection is established.
8. Click OK to save your entries.

Editing and Deleting Data Source Configurations

You can edit or delete a data source configuration when necessary.

Editing a Data Source Configuration

To edit a data source configuration:

1. Select the data source name from the list under Data Sources.
2. Make the appropriate changes in the right pane.
3. Click Test to test the connection.
4. Click Update to save your changes.

To delete a data source configuration:

1. Select the data source name from the list under Data Sources.
2. Click the minus sign (-) to delete the configuration. A confirmation message appears.
3. Click Update to save your changes.

See also:

* http://wiki.pentaho.com/display/ServerDoc1x/Managing+Data+Sources+in+the+Pentaho+BI+Platform
* http://wiki.pentaho.org/display/Reporting/Creating+a+Data+Source+for+Tomcat
* http://wiki.pentaho.org/display/Reporting/4.+Data+Sources

.05 Using Administration Services

Administration Services allow you to manage schedules and refresh the Pentaho BI Server settings.

The table below contains a short description of each administrative service:

Service: Description
Update RDBMS-based Solution Repository: Updates mirrored RDBMS-based Solution repository when Solution files are manually added to or edited on the master Solution repository on the local file system.
Delete Files: Removes files created in the content repository located in /pentaho-solution/system/content that are over 180 days old. To change the number of days, edit the solution file clean_repository.xaction located in /pentaho-solution/admin
Schedule Files Deletion: Schedules the daily removal of files created in the content repository located in /pentaho-solution/system/content that are over 180 days old. To change the number of days, edit the solution file clean_repository.xaction located in /pentaho-solution/admin. To change the recurrence, edit the solution file schedule-clean.xaction located in /pentaho-solution/admin
Restore RDBMS Solution Repository: Deletes all the Solution files and their permissions from the RDBMS-based Solution repository. Copies all the Solution files with default permissions from the master Solution repository on the local file system.
Refresh Global Variables: Updates global variables by re-executing registered solution files.
Refresh Metadata Models: Refreshes the Metadata cache when models are added, edited or deleted in the Solution repository.

.06 Using the Scheduler

The Scheduler allows you to create, update, delete, run, suspend, and resume one or more schedules (private and public*) in the BI Platform. In addition, you can suspend and resume the Scheduler itself. In the context of the BI platform, a schedule is a time (or group of times) associated with an action sequence (or group of action sequences). (If you are unfamiliar with action sequences, see Understanding Action Sequences in the Wiki.) In many instances, the output of an action sequence associated with a public schedule is a report; for example, a sales report to which a manager or salesperson can subscribe. As the administrator, the schedule (or schedules) you designate determines when the Scheduler allows the action sequence to run. Regular schedules are ad hoc, non-subscription schedules, which are associated with one action sequence only.

*Note: Public Schedules were formerly called "subscription schedules"; private schedules were formerly called "regular schedules." To see an example of a regular schedule in the BI Platform, go to the Burst Using Action Sequence Document.

In addition to associating a time (or group of times in the case of a repeating schedule) with an action sequence (or group of action sequences), the public schedule is also associated with a user's My Workspace. When an action sequence runs on its defined schedule, the output of the action sequence (typically a report) is archived in the My Workspace of the user(s) who have subscribed to that action sequence. This allows the subscribers to view the output of the action sequence (the report) at any time following its execution. (For more information about subscriptions and My Workspace see User Subscriptions.)

Why not allow BI Platform users to create schedules whenever they want? Allowing that much flexibility may, among other things, overload servers. In most instances, you know when it is most sensible to schedule an action sequence to run; for example, after all stores upload their sales figures. In other instances, sales data may not change for a week or month, so reporting hourly would not make sense. You, or a solution developer, can define as many schedules as needed for a specific action sequence. Users are allowed to choose from schedules that make sense to them and you can schedule the run to occur at a time of minimal load.

Entering Schedules in the Schedule Creator Dialog Box

Enter schedules associated with your action sequences in the Schedule Creator dialog box. The Schedule Creator makes it easy for you to enter schedules without having to learn the arcane syntax of Cron expressions; however, it provides you with the option to enter Cron expressions if that is your preference.

Follow the instructions below to use the Schedule Creator:

1. In the main page of the Pentaho Open Admin Console, click Administration.
2. Click the Scheduler tab.
3. In the Scheduler, click the first icon on the left to open the Scheduler Creator dialog box.
4. Under Schedule, enter a Name for the schedule, for example, Monthly Sales.
5. Enter a Group associated with the schedule, for example, Sales Schedules.
6. Enter a short Description of the schedule, for example, "Schedule runs on the first of each month, schedule runs on Monday of each week."
7. Select a Recurrence Type. You can schedule the action sequence to run once at a particular date and time only, or have it recur in seconds, minutes, hours, daily, weekly, monthly, yearly, or recur based on a Cron string. The options in the Recurrence Editor change depending on the type of recurrence you select.
8. Click OK.

Note: You can use the Schedule Creator to enter a Cron expression manually by selecting Cron from the Recurrence Type list. See CRON Expressions in Detail to learn more about Cron expressions.

Adding the Action Sequences

After you add your schedules, you must associate them with action sequences. Follow the instructions below to enter the paths to the action sequences:

1. Under Scheduled Action, enter the path to each action sequence separated by commas.
2. Click OK.

Examining the List of Schedules

As you create new schedules, the schedules appear in a list box. By examining the list, you can identify the Name and Group associated with each schedule. You can also determine the status (State) of each schedule and read a brief description of the schedule. In addition, you can determine when the schedule was first run (Fire Time - Last/Next) and when it will run again. The controls on the top corners of the Scheduler page allow you to perform tasks such as:

Control Name: Function
Create Schedule: Allows you to create a new schedule
Edit Schedule: Allows you to edit the details of a schedule
Delete Schedule: Allows you to delete a specified schedule; however, if the schedule is currently executing in a scheduler thread it continues to execute but no new instances are run
Suspend Schedule: Allows you to pause a specified schedule. Once the job is paused the only way to start it again is with a Resume
Resume selected Schedule(s): Allows you to resume a previously suspended schedule. Once the schedule is resumed the Scheduler applies misfire rules if needed
Run Now: Allows you to run a schedule immediately
Suspend Scheduler: Allows you to pause the scheduler in the event of an error, for example
Resume Scheduler: Allows you to resume running the scheduler after correcting an error, for example
Refresh: Allows you to refresh the list of schedules
Filter by: Allows you to search for a specific schedule by group name

.07 Glossary

Glossary of Terms

Attribute

A property or field of an object in the directory.

Authority, role, or group

In the BI Server, these three terms are synonymous. A role is a string that is associated with a user. A role is said to be granted to a user. A user is said to belong to or be a member of a role. The same role can be granted to multiple users and users can be granted zero or more roles. The BI Server uses roles to make authorization decisions.

BI Server

The BI Server consists of the Pentaho BI Platform and the libraries that deliver end user BI capabilities. The server runs inside a J2EE-compliant Application Server such as Apache, JBOSS AS, IBM WebSphere, WebLogic, and Oracle AS. The BI Server referred to in this document is your customized PCI. See also, Pre-Configured Installation (PCI).

End user capabilities

In the Pentaho Open BI Suite, end user capabilities include reporting, analysis, workflow, dashboards, and data mining.

LDAP User DN (Distinguished Name)

Used with LDAP authentication, this name consists of one or more strings identifying the user's assigned attributes in the LDAP Backend server and a user password.

Manager

A user with read access to relevant objects in the directory. If you're familiar with the JDBC API, a manager is analogous to a user name given along with a URL and password in a DriverManager.getConnection (url, user, password) call.

Pentaho BI Platform

The BI Platform is the core architecture and foundation of the Pentaho Open BI Suite. The BI Platform is composed of the libraries and compiled code that provide execution framework and services associated with logging, auditing, security, scheduling, ETL, Web Services, attribute repository, and rules engine. See also, BI Server.

Pentaho Design Studio

The Pentaho Design Studio is a desktop Eclipse-based design environment that allows solutions, reports, queries, business rules, dashboards, and workflows to be viewed and edited graphically. The Pentaho Design Studio is a Java application that is installed on the system administrator's desktop.

Pentaho Open BI Suite

A process-centric, solution-oriented platform that includes BI components, which enable companies to develop complete solutions to BI-related issues.

Pre-Configured Installation (PCI)

The PCI is a ready-to-use pre-configured sample deployment that can be customized quickly and easily. The PCI deployment includes the following components: JBoss Application Server, JBoss Portal V2.0, sample JSPs that demonstrate platform component usage, sample data, sample reports and BI processes, users and roles used in samples. The PCI can be modified to work with MySQL, Postgres or Oracle for the RDBMS repository.

Provider URL

A URL usually specifying protocol (such as ldap:// or ldaps://), host name, port, and root DN. If you are familiar with the JDBC API, a provider URL is analogous to a URL given along with a user name and password in a DriverManager.getConnection (url, user, password) call.

Root DN

The distinguished name of an object to which all search bases are relative.

Search base

An LDAP directory is hierarchical. Objects in the directory can have children and those children can have children, and so on. To search for relevant sub trees in the directory, a search base is necessary. The base indicates the DN of an object from which to start searching. Search bases are relative to the root DN. Stated differently: A search base is appended to the root DN to form a search base DN.

Search filter

A search filter is an expression that adheres to the rules specified in RFC 2254. It is always enclosed in parentheses.

Server repositories

The BI Server includes three embedded repositories that store the data necessary to define, execute, and audit a solution. These include: a solution repository, a runtime repository, and an audit repository. The solution repository contains the metadata that defines solutions. The runtime repository contains items of work managed by the workflow engine. The audit repository contains tracking and auditing information.

Solution Engine

The BI Server contains the engines and components for reporting, analysis, business rules, email, desktop notifications, and workflow. These components are integrated together so that they can be used to solve a BI-related problem. In a solution, the behavior, inter-operation, and user interaction of each subsystem is defined by a collection of solution definition documents. These documents are XML-based and contain the definitions of business processes, definitions that execute as part of processes on-demand, or called by Web services. These activities include definitions for data sources, queries, report templates, delivery and notification rules, business rules, dashboards, analytic views.

Configuring Security with Pentaho Administration Console

Introduction

This guide will help you configure security in your Pentaho Administration Console. The information provided here is based on the Jetty 6.12 and JettyPlus 6.12 release, as the Pentaho Administration Console uses an embedded Jetty server. Out of the box, the Pentaho Administration Console uses a properties-based login module, but you can plug in any of the login modules below or write your own.

Sample Login Modules

* org.mortbay.jetty.plus.jaas.spi.JDBCLoginModule
* org.mortbay.jetty.plus.jaas.spi.PropertyFileLoginModule
* org.mortbay.jetty.plus.jaas.spi.DataSourceLoginModule

We'll take a look at all of these, but first, a word about password handling in pentaho administration console, as it applies to all LoginModules.

Passwords/Credentials

Passwords can be stored in clear text, obfuscated or checksummed. The class org.mortbay.util.Password should be used to generate all varieties of passwords, the output from which can be cut and pasted into property files or entered into database tables.

    > java -cp lib/jetty.jar org.mortbay.jetty.security.Password
    Usage - java org.mortbay.util.Password [<user>] <password>
    > java -cp lib/jetty.jar org.mortbay.jetty.security.Password me you
    you
    OBF:20771x1b206z
    MD5:639bae9ac6b3e1a84cebb7b403297b79
    CRYPT:me/ks90E221EY
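The three stored forms printed above differ only by prefix, which makes a credential file straightforward to audit. The following is an added example, not part of the original manual or of Jetty: it assumes a `user: credential[,role ...]` line layout for login.properties (the manual does not show the file), runs on constructed sample lines, and checks each entry against the fresh-install default password named earlier in this manual.

```python
import hashlib
import re

# Assumed line layout (not shown in the manual): user: credential[,role ...]
LINE = re.compile(r"^\s*([^:=\s#!][^:=\s]*)\s*[:=]\s*(.+?)\s*$")
WEAK = ("password",)  # fresh-install default named in this manual


def deobfuscate(value):
    """Invert the OBF: encoding. It is an encoding, not encryption."""
    body = value[4:] if value.startswith("OBF:") else value
    if len(body) % 4:
        raise ValueError("OBF body must be a multiple of 4 base-36 digits")
    out = bytearray()
    for i in range(0, len(body), 4):
        # Each group of 4 base-36 digits packs two sums derived from a byte pair.
        i1, i2 = divmod(int(body[i:i + 4], 36), 256)
        out.append(((i1 + i2 - 254) // 2) & 0xFF)
    return out.decode("utf-8", errors="replace")


def classify(credential, weak=WEAK):
    """Return (storage, findings) for one stored credential."""
    findings = []
    if credential.startswith("OBF:"):
        storage = "obfuscated"
        findings.append("reversible encoding, treat as clear text")
        if deobfuscate(credential) in weak:
            findings.append("known default password")
    elif credential.startswith("MD5:"):
        storage = "md5"
        findings.append("unsalted MD5 digest")
        digest = credential[4:].lower()
        if any(hashlib.md5(w.encode()).hexdigest() == digest for w in weak):
            findings.append("known default password")
    elif credential.startswith("CRYPT:"):
        storage = "crypt"
        findings.append("legacy Unix crypt hash")
    else:
        storage = "cleartext"
        findings.append("readable by anyone who can read the file")
        if credential in weak:
            findings.append("known default password")
    return storage, findings


def audit(text, weak=WEAK):
    """Map each user in a properties-style credential file to its findings."""
    report = {}
    for raw in text.splitlines():
        match = LINE.match(raw)
        if not match:
            continue  # blank line or comment
        user, rest = match.groups()
        report[user] = classify(rest.split(",")[0].strip(), weak)
    return report


# Constructed sample entries; the OBF and CRYPT values are the ones printed above.
SAMPLE = "\n".join([
    "# constructed sample, not a real deployment",
    "admin: password,Admin",
    "joe: OBF:20771x1b206z,Admin",
    "suzy: MD5:" + hashlib.md5(b"password").hexdigest() + ",Admin",
    "pat: CRYPT:me/ks90E221EY,Admin",
])

if __name__ == "__main__":
    for user, (storage, findings) in audit(SAMPLE).items():
        print("%-6s %-10s %s" % (user, storage, "; ".join(findings)))
```

Only the file's permissions protect clear-text and OBF: entries, so the audit reports both the same way.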

JDBCLoginModule

The JDBCLoginModule stores user passwords and roles in a database that are accessed via JDBC calls. You can configure the JDBC connectioninformation, as well as the names of the table and columns storing the username and credential, and the name of the table and columns storingthe roles.

Here is an example login module configuration file entry for it using an HSQLDB driver:

login.conf

JDBCLoginModule {
  org.mortbay.jetty.plus.jaas.spi.JDBCLoginModule required
  debug="true"
  dbUrl="jdbc:hsqldb:."
  dbUserName="sa"
  dbPassword="password"
  dbDriver="org.hsqldb.jdbcDriver"
  userTable="myusers"
  userField="myuser"
  credentialField="mypassword"
  userRoleTable="myuserroles"
  userRoleUserField="myuser"
  userRoleRoleField="myrole";
};


There is no particular schema required for the database tables storing the authentication and role information. The properties userTable, userField, credentialField, userRoleTable, userRoleUserField, userRoleRoleField configure the names of the tables and the columns within them that are used to format the following queries:

database query

select <credentialField> from <userTable> where <userField>=?
select <userRoleRoleField> from <userRoleTable> where <userRoleUserField>=?

Credential and role information is lazily read from the database when a previously unauthenticated user requests authentication. Note that this information is only cached for the length of the authenticated session. When the user logs out or the session expires, the information is flushed from memory.

Be Careful
Pay extra attention to the semicolon at the end of the last entry in login.conf. Without it you will get an authentication error. The JDBCLoginModule key in login.conf needs to be exactly the same as the value in console.properties. Here is a snippet of a correct console.properties for this case:

console.properties

# Security Authentication Section for Enterprise Console
console.security.enabled=true
console.security.roles.allowed=Admin,server-administrator,content-administrator
console.security.roles.delimiter=,
console.security.realm.name=Pentaho
console.security.login.module.name=JDBCLoginModule
console.security.auth.config.path=resource/config/login.conf
console.security.callback.handler=org.mortbay.jetty.plus.jaas.callback.DefaultCallbackHandler

Note that passwords can be stored in the database in plain text or encoded formats, using the org.mortbay.jetty.security.Password class.

DataSourceLoginModule

Similar to the JDBCLoginModule, but this LoginModule uses a DataSource to connect to the database instead of a JDBC driver. The DataSource is obtained by doing a JNDI lookup on java:comp/env/$dbJNDIName

Here is a sample login module configuration for it:

login.conf

ds {
  org.mortbay.jetty.plus.jaas.spi.DataSourceLoginModule required
  debug="true"
  dbJNDIName="ds"
  userTable="myusers"
  userField="myuser"
  credentialField="mypassword"
  userRoleTable="myuserroles"
  userRoleUserField="myuser"
  userRoleRoleField="myrole";
};

PropertyFileLoginModule

With this login module implementation, the authentication and role information is read from a property file.


login.conf

props {
  org.mortbay.jetty.plus.jaas.spi.PropertyFileLoginModule required
  debug="true"
  file="/somewhere/somefile.props";
};

The file parameter is the location of a properties file of the same format as the etc/realm.properties example file. The format is:

<username>: <password>[,<rolename> ...]

Here's an example:

login.properties

admin: OBF:1xmk1w261u9r1w1c1xmq,user,admin
superadmin: changeme,user,developer
master: MD5:164c88b302622e17050af52c89945d44,
user: CRYPT:adpexzg3FUZAk,admin

The contents of the file are fully read in and cached in memory the first time a user requests authentication.
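The realm file format above can be checked mechanically. This added example (not part of the original manual or of Jetty) parses a file in that format and reports, per account, how the password is stored and whether the account holds a role listed in console.security.roles.allowed; the function names and the sample entries are constructed for illustration.

```python
# Credential prefixes shown in the manual's login.properties example.
SCHEMES = {"OBF:": "obfuscated", "MD5:": "checksum", "CRYPT:": "crypt"}
# Cleartext is readable as is; OBF is a reversible encoding, not a hash.
RECOVERABLE = {"cleartext", "obfuscated"}

def storage_scheme(credential):
    for prefix, name in SCHEMES.items():
        if credential.startswith(prefix):
            return name
    return "cleartext"

def audit_realm(text, allowed_roles):
    """One record per '<username>: <password>[,<rolename> ...]' line."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        user, _, rest = line.partition(":")
        fields = [f.strip() for f in rest.split(",")]
        roles = [r for r in fields[1:] if r]
        records.append({
            "user": user.strip(),
            "scheme": storage_scheme(fields[0]),
            "roles": roles,
            "console_access": bool(set(roles) & set(allowed_roles)),
        })
    return records

def high_risk(records):
    """Accounts that can log in to the console with a recoverable password."""
    return [r["user"] for r in records
            if r["console_access"] and r["scheme"] in RECOVERABLE]

# Constructed sample in the same layout as the manual's example file.
SAMPLE_REALM = """\
# user: credential,roles
alice: OBF:1abc1def1ghi,user,admin
bob: examplepass,user,developer
carol: MD5:00000000000000000000000000000000,admin
dave: CRYPT:xxPLACEHOLDER,
"""

if __name__ == "__main__":
    recs = audit_realm(SAMPLE_REALM, allowed_roles=["admin"])
    for r in recs:
        print(r["user"], r["scheme"], r["roles"], r["console_access"])
    print("high risk:", high_risk(recs))
```

Role names are compared exactly, so pass the same spelling that appears in console.security.roles.allowed.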

Changing the admin password

Since Pentaho Administration Console is based on Jetty, the password can be changed according to Jetty's instructions (Securing Passwords). The only caveat is that the jetty*.jar files mentioned in the instructions are found in the enterprise-console/lib folder.

Example

java -cp enterprise-console/lib/jetty-xxx.jar:enterprise-console/lib/jetty-util-xxx.jar org.mortbay.jetty.security.Password adminpassword1

Changing the default security settings

The configuration for the security setting is stored in the security section of console.properties


console.properties

# Pentaho Administration Console's Jetty Server Settings
console.start.port.number=8088
console.stop.port.number=8033

# SSL Section for Pentaho Administration Console
console.ssl.enabled=false
console.ssl.port.number=8143
keyAlias=jetty
keyPassword=changeit
keyStore=resource/config/keystore
keyStorePassword=changeit
trustStore=resource/config/keystore
trustStorePassword=changeit
wantClientAuth=false
needClientAuth=false

# Security Authentication Section for Pentaho Administration Console
console.security.enabled=true
console.security.roles.allowed=admin
console.security.roles.delimiter=,
console.security.realm.name=Pentaho
console.security.login.module.name=PropertiesFileLoginModule
console.security.auth.config.path=resource/config/login.conf

By default, security is enabled. To change which roles are allowed to access the application, provide your list of roles in the console.security.roles.allowed property. By default the roles are comma separated, but you can change that by providing your own delimiter in the console.security.roles.delimiter property. The login module name must be provided in the console.security.login.module.name property; this is the name you have given to your login module in the login.conf file. Finally, you have to provide the location of your login.conf file in the console.security.auth.config.path property.
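Both the "Be Careful" note earlier and the paragraph above depend on login.conf and console.properties agreeing with each other. The following added example (not part of the original manual or of the console itself) checks the two rules the manual states: every login.conf entry has its terminating semicolons, and console.security.login.module.name exactly matches an entry name. The function names and sample inputs are constructed for illustration.

```python
import re

# Matches one login.conf entry:  Name { ...options... } ;
ENTRY_RE = re.compile(r'(\w+)\s*\{(.*?)\}\s*(;?)', re.S)

def parse_login_conf(text):
    """Return {entry name: [syntax problems]} for each entry in login.conf."""
    entries = {}
    for name, body, closing in ENTRY_RE.findall(text):
        problems = []
        if not body.rstrip().endswith(';'):
            problems.append("last option is not terminated by ';'")
        if closing != ';':
            problems.append("entry is not closed with '};'")
        entries[name] = problems
    return entries

def parse_properties(text):
    """Minimal key=value reader for console.properties (comments skipped)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith('#') and '=' in line:
            key, value = line.split('=', 1)
            props[key.strip()] = value.strip()
    return props

def check_console_config(login_conf, console_props):
    """Cross-check the two files; an empty list means no problem found."""
    entries = parse_login_conf(login_conf)
    wanted = parse_properties(console_props).get(
        "console.security.login.module.name", "")
    findings = [f"{n}: {p}" for n, probs in entries.items() for p in probs]
    if wanted not in entries:  # comparison is exact, including case
        findings.append(f"login module name {wanted!r} not found in "
                        f"login.conf (entries: {sorted(entries)})")
    return findings

# Constructed sample: ';' missing after the last option, name differs in case.
SAMPLE_LOGIN_CONF = '''JDBCLoginModule {
  org.mortbay.jetty.plus.jaas.spi.JDBCLoginModule required
  userTable="myusers"
  userRoleRoleField="myrole"
};'''
SAMPLE_CONSOLE_PROPS = "console.security.login.module.name=jdbcLoginModule\n"

if __name__ == "__main__":
    for finding in check_console_config(SAMPLE_LOGIN_CONF, SAMPLE_CONSOLE_PROPS):
        print(finding)
```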

Writing Your Own

If you want to implement your own custom LoginModule, there are two classes to be familiar with:

AbstractLoginModule.java

package org.mortbay.jetty.plus.jaas.spi;

public abstract class AbstractLoginModule implements LoginModule
{
  ...
  public abstract UserInfo getUserInfo (String username) throws Exception;
}


UserInfo.java

package org.mortbay.jetty.plus.jaas.spi;

public class UserInfo
{
  public UserInfo (String userName, Credential credential, List roleNames) { ... }

  public String getUserName() { ... }

  public List getRoleNames () { ... }

  public boolean checkCredential (Object suppliedCredential) { ... }
}

The org.mortbay.jetty.plus.jaas.spi.AbstractLoginModule implements all of the javax.security.auth.spi.LoginModule methods. All you need to do is implement the getUserInfo method to return an org.mortbay.jetty.plus.jaas.UserInfo instance which encapsulates the username, password and role names (note: as java.lang.String values) for a user.

The AbstractLoginModule does not support any caching, so if you want to cache UserInfo (e.g. as does the org.mortbay.jetty.plus.jaas.spi.PropertyFileLoginModule) then you must provide this yourself.