
01 Introduction
Note: The content on this page is not complete. The community is actively encouraged to add to, edit, and improve this document.

The Pentaho Administration Console provides you with a central location from which to administer your Pentaho deployments. The console aggregates and simplifies many common administrative tasks such as managing users and roles, scheduling jobs, and managing services. The Administration Console changes how you interact with your Pentaho deployments by automating some of the tasks that you now perform manually.

The Pentaho Administration Console offers limited functionality compared to the feature-rich, subscription-only, Pentaho Enterprise Console. The Pentaho Enterprise Console provides additional functionality that allows you to monitor performance, remotely monitor activity on a Carte server instance (for Pentaho Data Integration), verify connections, test configuration settings, configure security, and much more. For more information about the Pentaho Enterprise Console, contact us.

Overview of Console Components


Below is a short description of each page in the Pentaho Administration Console:

Home
From your console home page (shown above), you can access important information about your Pentaho deployment. For example, status indicators appear in the tool bar when there is a critical error, a process that is currently running, or a warning you must research.

Console tool bar


The console tool bar provides you with icons that help you determine the status of your server, console-related errors, console set up, and more. The table below contains a brief description of each icon in the tool bar, from left to right:

|| Icon || Description ||
| Server online/Server offline | Indicates whether the server is online or offline |
| Console setup | Opens the console configuration setup page |
| Refresh console | Refreshes console-related data |
| Documentation help | Opens this document |

Administration
From the Administration page you can manage users and roles, define data sources, manage admin services, and manage public (subscription) and private (regular) schedules.

.02 Installing and Configuring the Pentaho Administration Console


Important: The content on this page is not complete. The community is actively encouraged to add to, edit, and improve this document. Installation and configuration instructions are documented for Release Candidate 2.0.0.

Overview
This section provides you with information and instructions for installing and configuring your Pentaho Administration Console. The following topics are covered here:

* System Requirements
* Opening the Installation Zip File
* Securing the Console
* Enabling SSL in Pentaho Administration Console
* Starting the Pentaho Administration Console
* Stopping the Pentaho Administration Console
* Configuring the Pentaho Administration Console
* Establishing a Trusted Proxy

System Requirements
The Pentaho Administration Console requires Java SE runtime version 1.5 or later. The console has been tested with the Sun HotSpot Client VM. The default memory system parameters of the JVM (such as those parameters specifying maximum heap size) are adequate for running the console. Specifically, Pentaho recommends that you have at least 100 MB of free physical memory.

Opening the Installation Zip File


The biserver-ce-3.5.2.stable.zip (.tar or .gz) file contains all the libraries and script files necessary to run the console. The file is available on Sourceforge. To install the console, unzip this file into an empty directory.

Securing the Console


Before you start the Pentaho Administration Services Console, you must make sure that it is running on a secure server. The console runs as a Web server on the device on which it is started. Please follow the "Configuring Security in Pentaho Administration Console" document to ensure that you have configured security for the console correctly.

Running the Console Locally


By default the Pentaho Administration Console starts up on port 8099. In most instances servers run with a firewall and this port is blocked from external devices unless explicitly configured. Running the console locally provides the highest degree of security. Pentaho strongly recommends that you have a firewall installed on the server running the console. You can have the console run on an alternate port by editing the console.properties file located at ...\pentaho-open-admin-console\resource\config.

Enabling SSL in Pentaho Administration Console


By default the Pentaho Administration Console has SSL disabled. You can enable SSL in the Pentaho Administration Console by following a few easy steps.

Starting the Pentaho Administration Console


Follow the instructions below to start the Pentaho Administration Console in the operating system of your choice.

Windows
1. Open the command window.
2. Go to the install directory. This directory contains the file, console.bat.
3. Type startup.bat and press ENTER.

Linux
1. Open the command window.
2. Go to the install directory. This directory contains the file, console.bat.
3. Type ./startup.sh and press ENTER. (You might need to run chmod +x console.sh before running.)

Mac OS X
1. Open a command window.
2. Go to the install directory. This directory contains the file, console.bat.
3. Type java -jar lib/startup.jar and press RETURN.

On each operating system, once the console is running, the following line appears in the command window:

    Administration console is now started. Console can be accessed using http://<host-name>:8099 or http://<IP Address>:8099

Note: The message "Address already in use: JVM_Bind", shown as the console starts, indicates that another program is using the port required by the Pentaho Administration Console (8099). This port is currently not configurable.

Note 2: The username / password combination for a fresh installation is 'admin' / 'password'. The login details are stored in 'pentaho_dir/administration-console/resource/config/login.properties'. See Configuring Security for more information.

Stopping the Pentaho Administration Console


To stop the server:
1. Open a command window.
2. Go to the install directory that contains the file, stop.bat (or .sh).
3. Type stop.bat and the console will be stopped.

Configuring the Pentaho Administration Console


Before you use the Pentaho Administration Console to administer a BI Server installation you must edit the default entries in the console.xml file (located at ...\pentaho-open-admin-console\resource\config) so that the console can locate the necessary BI platform files.

|| Setting || Description ||
| <platform-username> | Enter the name of the administrative user. |
| <biServer-status-check-period> | Enter the time period in which the Pentaho Administration Console will ping the PCI to check if the server is running. |
| <homepage-timeout> | Enter the length of time the Pentaho Administration Console will wait for home page content from the server before displaying static HTML content. |
| <solution-path> | Paste the path to the solutions directory of the BI Server you want to administer. |
| <war-path> | Paste the path to the Web application directory of the BI Server you want to administer into the Pentaho Web-App Path text box. |

Establishing a Trusted Proxy


In instances where the BI Server and the Pentaho Administration Console are running on separate devices, you must edit the web.xml file to establish a trusted proxy between the PCI and the console. Go to x:\\pentaho-demo\name_of_app_server\webapps\pentaho\WEB-INF, where x corresponds to the drive on which the PCI is installed. In the web.xml file, replace the IP address (localhost) of the device running the Pentaho Administration Console:

.03 Managing Users and Roles



Managing Users and Roles


The Pentaho Pre-Configured Installation (PCI) includes sample data and a group of fictitious users. If you are new to Pentaho, you can use the Administration Console to manage real users (and roles) in the BI Platform without having to configure an LDAP-compliant directory such as MSAD (Microsoft Active Directory) while you are performing a proof of concept.

Note: You must have administrative privileges (Admin) to manage users and roles.

Adding Users
Follow the instructions below to add users to the BI Platform:
1. In the Administration Console go to Administration > Users & Roles.
2. Click the Users icon if you are not in Users mode.
3. Click the plus sign (+) next to Users.
4. In the Details pane, enter the User Name, Password, Password Confirmation, and Description.
5. Click OK. The new user's name appears in the list of users.

Editing User Information


Follow the instructions below to edit user information:
1. In the Administration Console go to Administration > Users & Roles.
2. Select the user whose information you want to edit.
3. In the Details pane, edit the user details as needed.
4. Click Update.

Deleting Users
Follow the instructions below to delete users and roles from the BI Platform:
1. In the Administration Console go to
2. Select the user or users you want to delete from the Users list.
3. Click the minus sign (-) next to Users to delete the users you selected. A confirm message appears.
4. Click OK to refresh the user list.

Finding Users
The User List Filter allows you to find specific users in the list of current users. To find a user, enter the first few letters of the user's name in the text box. A list of names matching your entry appears.

Managing Roles
Adding Roles
Follow the instructions below to add roles to the BI Platform:
1. In the Administration Console go to Administration > Users & Roles.
2. Click the Roles icon if you are not in Roles mode.
3. Click the plus sign (+) next to Roles.
4. In the new window, type a new Role Name and Description.
5. Click OK. The new role appears in the list of roles.

Editing Roles
Follow the instructions below to edit roles:
1. In the Administration Console go to Administration > Users & Roles.
2. Select the role you want to edit.
3. In the right pane, edit the details as needed.
4. Click Update.

Deleting Roles
Follow the instructions below to delete roles from the BI Platform:
1. In the Administration Console go to Administration > Users & Roles.
2. Select the role or roles you want to delete from the Roles list.
3. Click the minus sign (-) next to Roles to delete the roles you selected. A confirm message appears.
4. Click OK to refresh the roles list.

Finding Roles
The Role List Filter allows you to find specific roles in the list of current roles. To find a role, enter the first few letters of the role name in the text box. A list of role names matching your entry appears.

.04 Configuring Data Sources



Defining a data source


The Pre-configured Installation (PCI) includes sample data and reports; however, if you are evaluating Pentaho you will want to use and display your own data in the BI Platform. Defining a data source requires the JDBC class name for the database driver, the data source URL (server name, port number, database name), and the user ID and password needed to connect to the database. Contact your database administrator to get the specific details about your database.

Follow the instructions below to configure a "General" data source:

1. In the Administration Console go to Administration > Data Sources.
2. Click General to display basic configuration options.
3. Click + (add) if you cannot find your data source in the list.
4. In the left panel, type an easy-to-remember Connection Name.
5. Type or select the Driver Class from the list. The database driver name you select depends on the type of database you are accessing. For example, org.hsqldb.jdbcDriver is a sample driver name for a HypersonicSQL database.
6. Type the User Name and Password required to access your database.
7. Type or select the URL from the list. This is the URL of your database. For example, jdbc:hsqldb:hsql://localhost/sampledata. JDBC establishes a connection to a SQL-based database and sends and processes SQL statements.
8. Click Test. A success message appears if the connection is established.
9. Click OK to save your entries.

Advanced Configuration
Follow the instructions below to complete an advanced configuration:
1. In the Administration Console go to Administration > Data Sources.
2. Click Advanced to display advanced configuration options.
3. Enter the maximum number of active instances (Max Active Conn) that can be allocated from this pool at the same time.
4. Enter the maximum number of connections that can sit idle (# Idle Conn) in this pool at the same time.
5. Enter a Validation Query. This is an SQL query that the pool can use to validate connections before they are returned to the application. If specified, this query must be an SQL SELECT statement that returns at least one row.
6. Enter the maximum number of milliseconds that the pool will "wait" (when there are no available connections) for a connection to be returned before throwing an exception.
7. Click Test. A success message appears if the connection is established.
8. Click OK to save your entries.

Editing and Deleting Data Source Configurations


You can edit or delete a data source configuration when necessary.

Editing a Data Source Configuration


To edit a data source configuration:
1. Select the data source name from the list under Data Sources.
2. Make the appropriate changes in the right pane.
3. Click Test to test the connection.
4. Click Update to save your changes.

To delete a data source configuration:
1. Select the data source name from the list under Data Sources.
2. Click the minus sign (-) to delete the configuration. A confirmation message appears.
3. Click Update to save your changes.

See also:
http://wiki.pentaho.com/display/ServerDoc1x/Managing+Data+Sources+in+the+Pentaho+BI+Platform
http://wiki.pentaho.org/display/Reporting/Creating+a+Data+Source+for+Tomcat
http://wiki.pentaho.org/display/Reporting/4.+Data+Sources

.05 Using Administration Services



Administration Services
Administration Services allow you to manage schedules and refresh the Pentaho BI Server settings.

The table below contains a short description of each administrative service:

|| Service || Description ||
| Update RDBMS-based Solution Repository | Updates mirrored RDBMS-based Solution repository when Solution files are manually added to or edited on the master Solution repository on the local file system. |
| Delete Files | Removes files created in the content repository located in /pentaho-solution/system/content that are over 180 days old. To change the number of days, edit the solution file clean_repository.xaction located in /pentaho-solution/admin. |
| Schedule Files Deletion | Schedules the daily removal of files created in the content repository located in /pentaho-solution/system/content that are over 180 days old. To change the number of days, edit the solution file clean_repository.xaction located in /pentaho-solution/admin. To change the recurrence, edit the solution file schedule-clean.xaction located in /pentaho-solution/admin. |
| Restore RDBMS Solution Repository | Deletes all the Solution files and their permissions from the RDBMS-based Solution repository. Copies all the Solutions files with default permissions from the master Solution repository on local file system. |
| Refresh Global Variables | Updates global variables by re-executing registered solution files. |
| Refresh Metadata Models | Refreshes the Metadata cache when models are added, edited or deleted in the Solution repository. |

.06 Using the Scheduler



Using the Scheduler


The Scheduler allows you to create, update, delete, run, suspend, and resume one or more schedules (private and public*) in the BI Platform. In addition, you can suspend and resume the Scheduler itself. In the context of the BI platform, a schedule is a time (or group of times) associated with an action sequence (or group of action sequences). (If you are unfamiliar with action sequences, see Understanding Action Sequences in the Wiki.)

In many instances, the output of an action sequence associated with a public schedule is a report; for example, a sales report to which a manager or salesperson can subscribe. As the administrator, the schedule (or schedules) you designate determines when the Scheduler allows the action sequence to run. Regular schedules are ad hoc, non-subscription schedules, which are associated with one action sequence only.

*Note: Public schedules were formerly called "subscription schedules"; private schedules were formerly called "regular schedules."

To see an example of a regular schedule in the BI Platform, go to the Burst Using Action Sequence Document.

In addition to associating a time (or group of times in the case of a repeating schedule) with an action sequence (or group of action sequences), the public schedule is also associated with a user's My Workspace. When an action sequence runs on its defined schedule, the output of the action sequence (typically a report) is archived in the My Workspace of the user(s) who have subscribed to that action sequence. This allows the subscribers to view the output of the action sequence (the report) at any time following its execution. (For more information about subscriptions and My Workspace see User Subscriptions.)

Why not allow BI Platform users to create schedules whenever they want? Allowing that much flexibility may, among other things, overload servers. In most instances, you know when it is most sensible to schedule an action sequence to run; for example, after all stores upload their sales figures. In other instances, sales data may not change for a week or month, so reporting hourly would not make sense. You, or a solution developer, can define as many schedules as needed for a specific action sequence. Users are allowed to choose from schedules that make sense to them and you can schedule the run to occur at a time of minimal load.

Entering Schedules in the Schedule Creator Dialog Box


Enter schedules associated with your action sequences in the Schedule Creator dialog box. The Schedule Creator makes it easy for you to enter schedules without having to learn the arcane syntax of Cron expressions; however, it provides you with the option to enter Cron expressions if that is your preference.

Follow the instructions below to use the Schedule Creator:
1. In the main page of the Pentaho Open Admin Console, click Administration.
2. Click the Scheduler tab.
3. In the Scheduler, click the first icon on the left to open the Scheduler Creator dialog box.
4. Under Schedule, enter a Name for the schedule, for example, Monthly Sales.
5. Enter a Group associated with the schedule, for example, Sales Schedules.
6. Enter a short Description of the schedule, for example, "Schedule runs on the first of each month, schedule runs on Monday of each week."
7. Select a Recurrence Type. You can schedule the action sequence to run once at a particular date and time only, or have it recur in seconds, minutes, hours, daily, weekly, monthly, yearly, or recur based on a Cron string. The options in the Recurrence Editor change depending on the type of recurrence you select.
8. Click OK.

Note: You can use the Schedule Creator to enter a Cron expression manually by selecting Cron from the Recurrence Type list. See CRON Expressions in Detail to learn more about Cron expressions.

Adding the Action Sequences


After you add your schedules, you must associate them with action sequences. Follow the instructions below to enter the paths to the action sequences:
1. Under Scheduled Action, enter the path to each action sequence separated by commas.
2. Click OK.

Examining the List of Schedules


As you create new schedules, the schedules appear in a list box. By examining the list, you can identify the Name and Group associated with each schedule. You can also determine the status (State) of each schedule and read a brief description of the schedule. In addition, you can determine when the schedule was first run (Fire Time - Last/Next) and when it will run again. The controls on the top corners of the Scheduler page allow you to perform tasks such as:

|| Control Name || Function ||
| Create Schedule | Allows you to create a new schedule |
| Edit Schedule | Allows you to edit the details of a schedule |
| Delete Schedule | Allows you to delete a specified schedule; however, if the schedule is currently executing in a scheduler thread it continues to execute but no new instances are run |
| Suspend Schedule | Allows you to pause a specified schedule. Once the job is paused the only way to start it again is with a Resume |
| Resume selected Schedule(s) | Allows you to resume a previously suspended schedule. Once the schedule is resumed the Scheduler applies misfire rules if needed |
| Run Now | Allows you to run a schedule immediately |
| Suspend Scheduler | Allows you to pause the scheduler in the event of an error, for example |
| Resume Scheduler | Allows you to resume running the scheduler after correcting an error, for example |
| Refresh | Allows you to refresh the list of schedules |
| Filter by | Allows you to search for a specific schedule by group name |

.07 Glossary

Glossary of Terms
Attribute
A property or field of an object in the directory.

Authority, role, or group


In the BI Server, these three terms are synonymous. A role is a string that is associated with a user. A role is said to be granted to a user. A user is said to belong to or be a member of a role. The same role can be granted to multiple users and users can be granted zero or more roles. The BI Server uses roles to make authorization decisions.

BI Server
The BI Server consists of the Pentaho BI Platform and the libraries that deliver end user BI capabilities. The server runs inside a J2EE-compliant Application Server such as Apache, JBOSS AS, IBM WebSphere, WebLogic, and Oracle AS. The BI Server referred to in this document is your customized PCI. See also, Pre-Configured Installation (PCI).

End user capabilities


In the Pentaho Open BI Suite, end user capabilities include reporting, analysis, workflow, dashboards, and data mining.

LDAP User DN (Distinguished Name)


Used with LDAP authentication, this name consists of one or more strings identifying the user's assigned attributes in the LDAP Backend server and a user password.

Manager
A user with read access to relevant objects in the directory. If you're familiar with the JDBC API, a manager is analogous to a user name given along with a URL and password in a DriverManager.getConnection (url, user, password) call.

Pentaho BI Platform
The BI Platform is the core architecture and foundation of the Pentaho Open BI Suite. The BI Platform is composed of the libraries and compiled code that provide execution framework and services associated with logging, auditing, security, scheduling, ETL, Web Services, attribute repository, and rules engine. See also, BI Server.

Pentaho Design Studio


The Pentaho Design Studio is a desktop Eclipse-based design environment that allows solutions, reports, queries, business rules, dashboards, and workflows to be viewed and edited graphically. The Pentaho Design Studio is a Java application that is installed on the system administrator's desktop.

Pentaho Open BI Suite


A process-centric, solution-oriented platform that includes BI components, which enable companies to develop complete solutions to BI-related issues.

Pre-Configured Installation (PCI)


The PCI is a ready-to-use pre-configured sample deployment that can be customized quickly and easily. The PCI deployment includes the following components: JBoss Application Server, JBoss Portal V2.0, sample JSPs that demonstrate platform component usage, sample data, sample reports and BI processes, users and roles used in samples. The PCI can be modified to work with MySQL, Postgres or Oracle for the RDBMS repository.

Provider URL
A URL usually specifying protocol (such as ldap:// or ldaps://), host name, port, and root DN. If you are familiar with the JDBC API, a provider URL is analogous to a URL given along with a user name and password in a DriverManager.getConnection (url, user, password) call.

Root DN
The distinguished name of an object to which all search bases are relative.

Search base
An LDAP directory is hierarchical. Objects in the directory can have children and those children can have children, and so on. To search for relevant sub trees in the directory, a search base is necessary. The base indicates the DN of an object from which to start searching. Search bases are relative to the root DN. Stated differently: A search base is appended to the root DN to form a search base DN.

Search filter
A search filter is an expression that adheres to the rules specified in RFC 2254. It is always enclosed in parentheses.

Server repositories
The BI Server includes three embedded repositories that store the data necessary to define, execute, and audit a solution. These include: a solution Repository, a runtime repository, and an Audit Repository. The solution repository contains the metadata that defines solutions. The runtime repository contains items of work managed by the workflow engine. The audit repository contains tracking and auditing information.

Solution Engine
The BI Server contains the engines and components for reporting, analysis, business rules, email, desktop notifications, and workflow. These components are integrated together so that they can be used to solve a BI-related problem. In a solution, the behavior, inter-operation, and user interaction of each subsystem is defined by a collection of solution definition documents. These documents are XML-based and contain the definitions of business processes, definitions that execute as part of processes on-demand, or called by Web services. These activities include definitions for data sources, queries, report templates, delivery and notification rules, business rules, dashboards, analytic views.

Configuring Security with Pentaho Administration Console


Introduction
This guide will help you configure security in your Pentaho Administration Console. The information provided here is based on the Jetty 6.12 and JettyPlus 6.12 releases, as the Pentaho Administration Console uses an embedded Jetty server. Out of the box, the Pentaho Administration Console uses a properties-based login module, but you can plug in any of the login modules below or write your own.

Sample Login Modules


* org.mortbay.jetty.plus.jaas.spi.JDBCLoginModule
* org.mortbay.jetty.plus.jaas.spi.PropertyFileLoginModule
* org.mortbay.jetty.plus.jaas.spi.DataSourceLoginModule

We'll take a look at all of these, but first, a word about password handling in the Pentaho Administration Console, as it applies to all LoginModules.

Passwords/Credentials
Passwords can be stored in clear text, obfuscated or checksummed. The class org.mortbay.util.Password should be used to generate all varieties of passwords, the output from which can be cut and pasted into property files or entered into database tables.

    > java -cp lib/jetty.jar org.mortbay.jetty.security.Password
    Usage - java org.mortbay.util.Password [<user>] <password>
    > java -cp lib/jetty.jar org.mortbay.jetty.security.Password me you
    you
    OBF:20771x1b206z
    MD5:639bae9ac6b3e1a84cebb7b403297b79
    CRYPT:me/ks90E221EY

JDBCLoginModule
The JDBCLoginModule stores user passwords and roles in a database that is accessed via JDBC calls. You can configure the JDBC connection information, as well as the names of the table and columns storing the username and credential, and the name of the table and columns storing the roles. Here is an example login module configuration file entry for it using an HSQLDB driver:

login.conf

    JDBCLoginModule {
        org.mortbay.jetty.plus.jaas.spi.JDBCLoginModule required
        debug="true"
        dbUrl="jdbc:hsqldb:."
        dbUserName="sa"
        dbPassword="password"
        dbDriver="org.hsqldb.jdbcDriver"
        userTable="myusers"
        userField="myuser"
        credentialField="mypassword"
        userRoleTable="myuserroles"
        userRoleUserField="myuser"
        userRoleRoleField="myrole";
    };

There is no particular schema required for the database tables storing the authentication and role information. The properties userTable, userField, credentialField, userRoleTable, userRoleUserField, userRoleRoleField configure the names of the tables and the columns within them that are used to format the following queries:

database query

    select <credentialField> from <userTable> where <userField> =?
    select <userRoleRoleField> from <userRoleTable> where <userRoleUserField> =?

Credential and role information is lazily read from the database when a previously unauthenticated user requests authentication. Note that this information is only cached for the length of the authenticated session. When the user logs out or the session expires, the information is flushed from memory.

Be careful: Pay extra attention to the semicolon at the end of the last entry in login.conf. Without it you will get an authentication error. The JDBCLoginModule key in login.conf needs to be exactly the same as the value in console.properties. Here is a snippet of a correct console.properties in this case:

console.properties

    # Security Authentication Section for Enterprise Console
    console.security.enabled=true
    console.security.roles.allowed=Admin,server-administrator,content-administrator
    console.security.roles.delimiter=,
    console.security.realm.name=Pentaho
    console.security.login.module.name=JDBCLoginModule
    console.security.auth.config.path=resource/config/login.conf
    console.security.callback.handler=org.mortbay.jetty.plus.jaas.callback.DefaultCallbackHandler

Note that passwords can be stored in the database in plain text or encoded formats, using the org.mortbay.jetty.security.Password class.

DataSourceLoginModule
Similar to the JDBCLoginModule, but this LoginModule uses a DataSource to connect to the database instead of a JDBC driver. The DataSource is obtained by doing a JNDI lookup on java:comp/env/$dnJNDIName. Here is a sample login module configuration for it:

login.conf

    ds {
        org.mortbay.jetty.plus.jaas.spi.DataSourceLoginModule required
        debug="true"
        dbJNDIName="ds"
        userTable="myusers"
        userField="myuser"
        credentialField="mypassword"
        userRoleTable="myuserroles"
        userRoleUserField="myuser"
        userRoleRoleField="myrole";
    };

PropertyFileLoginModule
With this login module implementation, the authentication and role information is read from a property file.

login.conf

    props {
        org.mortbay.jetty.plus.jaas.spi.PropertyFileLoginModule required
        debug="true"
        file="/somewhere/somefile.props";
    };

The file parameter is the location of a properties file of the same format as the etc/realm.properties example file. The format is:

    <username>: <password>[,<rolename> ...]

Here's an example:

login.properties

    admin: OBF:1xmk1w261u9r1w1c1xmq,user,admin
    superadmin: changeme,user,developer
    master: MD5:164c88b302622e17050af52c89945d44,user
    : CRYPT:adpexzg3FUZAk,admin

The contents of the file are fully read in and cached in memory the first time a user requests authentication.
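An audit of a file in this format, written here as an added example and not taken from Pentaho or Jetty: it parses each entry and reports which credential scheme it uses, flagging plain-text and OBF values (OBF is a reversible encoding, not a hash) and entries with no username. The function names and labels are made up for this sketch.

```python
# Constructed sample in the format above; the last line has no username,
# as in the page's own example.
SAMPLE = """\
admin: OBF:1xmk1w261u9r1w1c1xmq,user,admin
superadmin: changeme,user,developer
master: MD5:164c88b302622e17050af52c89945d44,user
: CRYPT:adpexzg3FUZAk,admin
"""

# Credential prefix -> (scheme label, recoverable from the file alone?)
SCHEMES = {
    "OBF:": ("obfuscated", True),     # reversible encoding, not a hash
    "MD5:": ("md5-digest", False),
    "CRYPT:": ("unix-crypt", False),
}

def parse_entry(line):
    """Split '<username>: <password>[,<rolename> ...]' into its three parts."""
    user, sep, rest = line.partition(":")
    if not sep:
        raise ValueError(f"no ':' separator in {line!r}")
    fields = [f.strip() for f in rest.split(",")]
    return user.strip(), fields[0], [r for r in fields[1:] if r]

def audit(text):
    """Return (line_no, user, scheme, roles, issues) for every entry."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line[0] in "#!":   # blank line or properties comment
            continue
        user, cred, roles = parse_entry(line)
        scheme, recoverable = next(
            (v for p, v in SCHEMES.items() if cred.startswith(p)),
            ("plain-text", True))         # no known prefix: stored as typed
        issues = []
        if not user:
            issues.append("empty username")
        if recoverable:
            issues.append(f"{scheme} password can be recovered from the file")
        if not roles:
            issues.append("no roles assigned")
        findings.append((n, user, scheme, roles, issues))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```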

Changing the admin password


Since the Pentaho Administration Console is based on Jetty, the password can be changed according to Jetty's Securing Passwords instructions. The only caveat is that the jetty*.jar files mentioned in the instructions are found in the enterprise-console/lib folder.

Example

    java -cp enterprise-console/lib/jetty-xxx.jar:enterprise-console/lib/jetty-util-xxx.jar org.mortbay.jetty.security.Password admin password1

Changing the default security settings


The security settings are stored in the security section of console.properties:

console.properties

    # Pentaho Administration Console's Jetty Server Settings
    console.start.port.number=8088
    console.stop.port.number=8033

    # SSL Section for Pentaho Administration Console
    console.ssl.enabled=false
    console.ssl.port.number=8143
    keyAlias=jetty
    keyPassword=changeit
    keyStore=resource/config/keystore
    keyStorePassword=changeit
    trustStore=resource/config/keystore
    trustStorePassword=changeit
    wantClientAuth=false
    needClientAuth=false

    # Security Authentication Section for Pentaho Administration Console
    console.security.enabled=true
    console.security.roles.allowed=admin
    console.security.roles.delimiter=,
    console.security.realm.name=Pentaho
    console.security.login.module.name=PropertiesFileLoginModule
    console.security.auth.config.path=resource/config/login.conf

Security is enabled by default. To change which roles are allowed to access the application, list them in the console.security.roles.allowed property. Roles are comma-separated by default; to use a different delimiter, set it in the console.security.roles.delimiter property. The console.security.login.module.name property must contain the login module name, that is, the name you gave your login module in the login.conf file. Finally, provide the location of your login.conf file in the console.security.auth.config.path property.
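The two rules stated on this page (the last entry in login.conf must end with a semicolon, and the login module name in console.properties must match the login.conf name exactly) can be checked before the console is restarted. This is an added example, not Pentaho or Jetty code; the sample file contents and function names are constructed for illustration.

```python
import re

# Constructed inputs modelled on the samples above. This login.conf omits the
# ';' after the last option, and the properties file gets the name's case wrong.
LOGIN_CONF = '''
JDBCLoginModule {
  org.mortbay.jetty.plus.jaas.spi.JDBCLoginModule required
  userTable="myusers"
  userRoleRoleField="myrole"
};
'''
CONSOLE_PROPERTIES = '''
console.security.enabled=true
console.security.login.module.name=JdbcLoginModule
console.security.auth.config.path=resource/config/login.conf
'''

# One login.conf entry: a name followed by a '{ ... }' body.
ENTRY = re.compile(r'(\w+)\s*\{(.*?)\}', re.S)

def load_properties(text):
    """Parse key=value lines, skipping blanks and '#'/'!' comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and line[0] not in '#!' and '=' in line:
            key, _, value = line.partition('=')
            props[key.strip()] = value.strip()
    return props

def login_entries(text):
    """Map each entry name in login.conf to the text inside its braces."""
    return {m.group(1): m.group(2).strip() for m in ENTRY.finditer(text)}

def check(login_conf, console_properties):
    """Return a list of problems; an empty list means the two files agree."""
    problems = []
    entries = login_entries(login_conf)
    for name, body in entries.items():
        if not body.endswith(';'):
            problems.append(f"{name}: last entry is not terminated by ';'")
    wanted = load_properties(console_properties).get(
        'console.security.login.module.name')
    if wanted is None:
        problems.append("console.security.login.module.name is not set")
    elif wanted not in entries:  # exact match, as the page requires
        problems.append(f"login module '{wanted}' is not defined in login.conf")
    return problems

if __name__ == '__main__':
    print('\n'.join(check(LOGIN_CONF, CONSOLE_PROPERTIES)))
```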

Writing Your Own


If you want to implement your own custom LoginModule, there are two classes to be familiar with:

AbstractLoginModule.java

    package org.mortbay.jetty.plus.jaas.spi;

    public abstract class AbstractLoginModule implements LoginModule {
        ...
        public abstract UserInfo getUserInfo (String username) throws Exception;
    }

UserInfo.java

    package org.mortbay.jetty.plus.jaas.spi;

    public class UserInfo {
        public UserInfo (String userName, Credential credential, List roleNames) { ... }
        public String getUserName() { ... }
        public List getRoleNames () { ... }
        public boolean checkCredential (Object suppliedCredential) { ... }
    }

The org.mortbay.jetty.plus.jaas.spi.AbstractLoginModule implements all of the javax.security.auth.spi.LoginModule methods. All you need to do is implement the getUserInfo method to return an org.mortbay.jetty.plus.jaas.spi.UserInfo instance, which encapsulates the username, password and role names (note: as java.lang.Strings) for a user. The AbstractLoginModule does not support any caching, so if you want to cache UserInfo (as the org.mortbay.jetty.plus.jaas.spi.PropertyFileLoginModule does, for example) then you must provide this yourself.
