jjmontesl / cubesviewer

Explore and visualize analytical datasets
http://www.cubesviewer.com

Customize Cube Access Based on User #65

Closed nih93 closed 8 years ago

nih93 commented 8 years ago

First of all - thank you for this wonderful piece of software! I have gotten it up and running - everything works great.

I was wondering if there is an easy way to allow a logged-on user access to only a part of the cube. Is this customization done on the cubes side, or the Django side? Any help/advice would be appreciated.

devvmh commented 8 years ago

@nih93 I don't think there's a great mechanism, either built into cubesviewer or cubes, that allows access to only part of a cube.

In my dev environment, there are two servers running: cubes's slicer server on port 5000, and cubesviewer's django server on port 8000. The cubesviewer server accesses cubes from the cubes server on port 5000, and that "slicer server" doesn't have any concept of user authentication - it allows all access by default.

That means that anyone who has access to either cubes or cubesviewer has access to all of the dimensions and aggregates available via either cubesviewer, or even the slicer server directly if they were determined.

Depending on your environment, you could implement a few half-solutions, but none will be really secure. If you're concerned about your data because of privacy or laws or something, you would need to implement something much better.

I think the only solution would be to run multiple servers. Each slicer server would have a different model.json file defining different dimensions and attributes that can be accessed. Each cubesviewer server would point to one slicer server, and have a unique set of users that can/can't log in to that server.

In my deployment of cubesviewer, I run my slicer and cubesviewer servers behind a firewall, and then use nginx to proxy requests through to cubesviewer. If you did something like this, then the slicer server won't be accessible, and you could even have your different servers accessible at, say:

http://data.mydomain.com/data/cubesviewer/
http://data.mydomain.com/secretdata/cubesviewer/
http://data.mydomain.com/topsecretdata/cubesviewer/
http://data.mydomain.com/supertopsecretdata/cubesviewer/

Cubesviewer is effective at blocking access. The annoying problem is that you have to manage users and permissions for 4 servers now. There are other solutions for that... but it gets more and more complicated.
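
The per-server `model.json` files suggested in the comment above can be derived from one master model with a default-deny allowlist, so a cube, dimension or measure added later does not appear on a lower tier by accident. This is an added example, not part of the original comment and not cubesviewer or Cubes code; the sample model, the `DATA_TIER` allowlist and the `restrict_model` helper are hypothetical, and it assumes cube dimensions are listed by name and measures as objects with a `name` key.

```python
import copy

# Constructed sample in the Cubes logical-model layout (not from the thread).
FULL_MODEL = {
    "dimensions": [{"name": "date"}, {"name": "region"}, {"name": "customer"}],
    "cubes": [
        {"name": "sales",
         "dimensions": ["date", "region", "customer"],
         "measures": [{"name": "amount"}, {"name": "margin"}],
         "aggregates": [
             {"name": "amount_sum", "function": "sum", "measure": "amount"},
             {"name": "margin_sum", "function": "sum", "measure": "margin"},
             {"name": "record_count", "function": "count"}]},
        {"name": "payroll", "dimensions": ["date"],
         "measures": [{"name": "salary"}]},
    ],
}

# Hypothetical allowlist for one tier: cube name -> permitted dimensions/measures.
DATA_TIER = {"sales": {"dimensions": {"date", "region"}, "measures": {"amount"}}}


def restrict_model(model, allow):
    """Copy `model`, keeping only allow-listed cubes, dimensions and measures."""
    out = copy.deepcopy(model)
    out["cubes"], used_dims = [], set()
    for cube in model.get("cubes", []):
        rule = allow.get(cube["name"])
        if rule is None:
            continue  # default deny: unlisted cubes never reach this tier
        kept = copy.deepcopy(cube)
        kept["dimensions"] = [d for d in cube.get("dimensions", [])
                              if d in rule["dimensions"]]
        kept["measures"] = [m for m in cube.get("measures", [])
                            if m["name"] in rule["measures"]]
        if "aggregates" in cube:
            # Keep an aggregate only if its measure is allowed, or it is a
            # plain count with no measure behind it.
            kept["aggregates"] = [
                a for a in cube["aggregates"]
                if a.get("measure") in rule["measures"]
                or (a.get("function") == "count" and "measure" not in a)]
        used_dims.update(kept["dimensions"])
        out["cubes"].append(kept)
    # Drop dimension definitions that no remaining cube refers to.
    out["dimensions"] = [d for d in model.get("dimensions", [])
                         if d["name"] in used_dims]
    return out
```

Writing each result out with `json.dump` gives one model file per slicer server. Other top-level keys of the master model are copied unchanged, so review them for references to hidden tables or columns before deploying a tier.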

jjmontesl commented 8 years ago

@Stiivi was working on implementing some authorization/authentication mechanisms for Cubes, but I'm not sure how fine-grained it is.

For now, @devvmh's is a good answer: use different cubes or servers with different models.

I'm closing this as it won't be fixed in the foreseeable future, as it's now more critical to fix and refactor other areas.