View Only

 Restricting access to .../pentaho/kettle/status

  • User Created
  •   facts
charles verlinden's profile image
charles verlinden posted 11-26-2023 09:32

Hi Everyone

First post so be gentle (although i was an avid reader of the old forums, alas long gone)

Looking to restrict access the the kettle status page, user and role permissions don't seem to have any effect on its accessibility and in our application we don't want standard users stepping out of their lane.  

While Java is not in my skillset, changing options in config files certainly is

Thanks for reading

Stephen Donovan's profile image
Stephen Donovan

I thought you can edit the /pentaho-solutions/system/kettle/slave-server-config.xml to restrict access to the /status directive, as well as, anything else.  Note, because you are blocking the API call, there is no message, just an error that something went wrong (as if the URL did not exist).  The page will still work for those with Execute rights.

See Attached.

But after testing and going back to the page, it seems to let me in.  Might be a caching issue.  But it is a direction that might lead to a solution.  

Stephen Donovan's profile image
Stephen Donovan

NOTE: if you have not, you can also add the status page to the Tools menu by editing tomcat/webapps/pentaho/mantle/xul/mantle.xul and uncommmenting the entry.

charles verlinden's profile image
charles verlinden

Hi Stephen

Thank you for your suggestions

unfortunately like you the page was still accessible.  Flushed caches and restarted server, same.

Interestingly the default configuration lacked a binding for /status (which your sample did) and also /transStatus 
I added both, no change

I then changed require to a nonexistent role which I expected would block everyone, even admin, or force an error
Again no change which suggests the page rendering code is not checking slave-server-config.xml

Do you happen to know where the kettle endpoints are executed/rendered?  I suspect it is somewhere in tomcat but trying to save a night of coffee and head scratching! 

Could it be a slave server configuration issue?  Running V9. with a file repository 

Stephen Donovan's profile image
Stephen Donovan

I believe that I may have mislead you.  As I dug in, the UNAUTHORIZED message is from line 78 of RoleBoundCarteServlet.  Which is 'com.pentaho.pdi'. [aka Enterprise Edition].

78: resp.sendError( HttpServletResponse.SC_UNAUTHORIZED, BaseMessages.getString( CLASS, "RoleBoundCarteServlet.Response.Unauthorized" ) );

The CE code which it extends, does not contain any such role checks.  This would also explain why your slave-server-config.xml did not contain these values.  

Sorry, I should have clued in earlier that role-based access and multi-tenancy would lean into EE and not a CE function. 

Closing the loop; using your test of "execute2" it does indeed restrict admin as well.

charles verlinden's profile image
charles verlinden

Thanks for the clarification Stephen.  I was looking at that repo earlier and trying to unravel where the permissions are read from, in one sense it's reassuring to learn I couldn't find it because it isn't there.  But that doesn't solve my problem...

Is there less granular control available in CE that would achieve the same result, assuming the fewer options in the CE slave-server-config.xml still have some functionality?

As a workaround I'm thinking of either blocking those endpoints globally from tomcat or commenting out most of the status page on the kettle side.  Those workarounds could be disabled if necessary for troubleshooting, but having an independent dev server would make that need infrequent.  Neither option is very appealing but unfortunately EE is not an option at this time.

Asking a HV person how to work around CE limitations is probably pushing my luck, but as we say here in Oz, if you don't ask you don't get!

Stephen Donovan's profile image
Stephen Donovan

"Asking a HV person how to work around CE limitations is probably pushing my luck" #facts

You may indeed be able to work with tomcat restrictions to limit access to those URL endpoints.  Not my skillset.  There may be options in the authentication filter chain in Spring.   I will have to defer to the community at large for samples and workarounds.

charles verlinden's profile image
charles verlinden

Found a solution, posting here for the benefit of others who may find it useful.  Note we're using V9. so other versions may work slightly differently

In pentaho-server/pentaho-solutions/system/applicationContext-spring-security.xml

<bean id="filterInvocationInterceptor" class="">
    <property name="authenticationManager" ref="authenticationManager" />
    <property name="accessDecisionManager" ref="httpRequestAccessDecisionManager" />

    <!-- allow anyone to see the wsdl of various services -->
        Note - the "Nobody" below is saying that resource URLs with those
        patterns not be available through a web call.
    <property name="securityMetadataSource">
      <!-- -->
      <sec:filter-security-metadata-source request-matcher="ciRegex" use-expressions="false">
        <sec:intercept-url pattern="\A/kettle/status" access="Administrator" />  
        <sec:intercept-url pattern="\A/osgi/cxf/hadoop-cluster/runTests.*\Z" access="Authenticated" />

Added the following as the first rule as rules are matched sequentially.  If a more permissive rule was above then the new rule would never be applied

<sec:intercept-url pattern="\A/kettle/status" access="Administrator" />
Works with other patterns (using case insensitive regex) and Pentaho roles.  In our application most users' home is a dashboard so /Home is not required
<sec:intercept-url pattern="\A/Home" access="Administrator,Management" />
Methods can also be restricted. 
Welcome others' comments on the above, just because it works doesn't mean i haven't missed something or couldn't have done it better/easier
I'll share a rabbit hole i went down. to save others the trouble...  Note the below DOES NOT WORK!
Added the following to pentaho-server/tomcat/webapps/pentaho/WEB-INF/web.xml
    <display-name>Test Kettle Status Constraint</display-name>
      <web-resource-name>Kettle Status</web-resource-name>
While the above blocked the status page it did so for all roles.  Tried multiple Pentaho role names with and without the Spring default ROLE_ prefix
If you know what i missed, please share!