Securing access to msmdpump.dll

14 posts, 1 answers
  1. Gary
    62 posts
    Member since:
    Sep 2013

    Posted 05 Aug 2014

    In the basic usage example, the transport read url is set to msmdpump.dll.

    I am investigating how to secure access to msmdpump.dll from the client, and I think that the only way is to introduce a server-side (Web Api) service as an intermediary between msmdpump.dll and the client application. Is that correct?

    Assuming it is, could you provide some guidance on how to implement Web Api to do this? 

    Thanks!
    Gary
  2. Answer
    Nikolay Rusev
    Admin
    2285 posts

    Posted 07 Aug 2014

    Hello Gary,

    We are not sure what you mean here: "I am investigating how to secure access to msmdpump.dll from the client".

    However, you can use ADOMD to feed the PivotGrid with data. This way the request to the msmdpump.dll is made on the server, while the client requests a sort of proxy to it. The following code-library demonstrates how to implement this: bind-to-adomd-client.

    Regards,
    Nikolay Rusev
    Telerik
     
    Join us on our journey to create the world's most complete HTML 5 UI Framework - download Kendo UI now!
     
  4. Gary
    62 posts
    Member since:
    Sep 2013

    Posted 07 Aug 2014 in reply to Nikolay Rusev

    Just what I was looking for. Thanks!
  5. Chris
    21 posts
    Member since:
    Jul 2004

    Posted 27 Aug 2014

    The approach in the PivotGridBindingAdomd.zip sample does indeed allow us to prevent direct connection restriction from the client to SSAS... BUT there is an effective pass through of the raw SSAS statement from client to web backend/Controller to SSAS (and so could be spoofed etc. to create fake commands executed against the server), so the threat surface area of exposure of SSAS is widened.

    Does this effectively mean that the ajax version of pivotgrid is a tighter, more secure option (as I am guessing the SSAS commands for ajax are generated server side) than the kendo version, for this dynamic stuff where commands would seem to be formed on the client?

    Unless you can suggest some sort of gatekeeper layer at the server?

    Please note personally everything about kendo pivotgrid appeals to me, just wanting to explore security issues / possibilities,
    Thanks,
    Chris
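
One shape the server-side gatekeeper asked about above could take, as an added example that is not part of the original thread or the Telerik sample: it inspects the XMLA body the browser posted before the proxy forwards it to SSAS. The class and method names, the `SalesCatalog` value and the property allow-list are assumptions chosen for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Xml;
using System.Xml.Linq;

public static class XmlaGatekeeper
{
    static readonly XNamespace Xa = "urn:schemas-microsoft-com:xml-analysis";
    // Assumed policy values; replace with the catalogs this application serves.
    static readonly HashSet<string> AllowedCatalogs =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "SalesCatalog" };
    // The client may set only these; Roles and EffectiveUserName are decided server-side.
    static readonly HashSet<string> AllowedProperties =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "Catalog", "Format", "Content", "AxisFormat" };

    public static bool IsAllowed(string body, out string reason)
    {
        XDocument doc;
        try
        {
            // Prohibit DTDs and external resolution so the gatekeeper itself is not an XXE target.
            var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Prohibit, XmlResolver = null };
            using (var reader = XmlReader.Create(new StringReader(body), settings))
                doc = XDocument.Load(reader);
        }
        catch (XmlException) { reason = "malformed XML or DTD present"; return false; }
        var calls = doc.Descendants()
            .Where(e => e.Name == Xa + "Execute" || e.Name == Xa + "Discover").ToList();
        if (calls.Count != 1) { reason = "expected exactly one Discover or Execute"; return false; }
        var call = calls[0];
        foreach (var prop in call.Descendants(Xa + "PropertyList").Elements())
        {
            var name = prop.Name.LocalName;
            if (!AllowedProperties.Contains(name)) { reason = "property not allowed: " + name; return false; }
            if (name == "Catalog" && !AllowedCatalogs.Contains(prop.Value.Trim())) { reason = "catalog not allowed"; return false; }
        }
        if (call.Name.LocalName == "Execute")
        {
            // Accept only <Command><Statement>SELECT ...</Statement></Command>; DDL and processing commands are other child elements.
            var parts = call.Elements(Xa + "Command").Elements().ToList();
            if (parts.Count != 1 || parts[0].Name != Xa + "Statement" || parts[0].HasElements ||
                !parts[0].Value.TrimStart().StartsWith("SELECT", StringComparison.OrdinalIgnoreCase))
            { reason = "only a single MDX SELECT statement is allowed"; return false; }
        }
        reason = null; return true;
    }
}
```

The `SELECT` prefix test is a coarse filter, not an MDX parser, so the permissions granted to the account or role used for the SSAS connection remain the actual limit on what a forwarded statement can read.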

  6. Georgi Krustev
    Admin
    3707 posts

    Posted 29 Aug 2014

    Hello Chris,

    In general, the PivotGrid bound to an OLAP service will perform Ajax requests using the XMLA protocol, nothing more. In other words, the pivotgrid generates an XMLA request and sends it to the OLAP service. If it returns any result then the widget will render them.

    That being said, it should be sufficient to secure the access to the OLAP service by requesting authentication information. Here is a thorough MSDN help document on the same subject.

    Regards,
    Georgi Krustev
    Telerik
     
     
  7. Rajan
    14 posts
    Member since:
    Aug 2012

    Posted 27 Aug 2015 in reply to Georgi Krustev

    I am evaluating Kendo UI pivotgrid. We need to communicate to SSAS cube using msmdpump.dll site on IIS. We need to specify userid and password. We have configured only Basic authentication and Impersonation on the web site.

    Where do we specify userid/password in the configuration?

    transport.read does not seem to have userid and password attributes?

    I am trying with the following set up...but it does not connect to the cube.

        dataSource: {
            type: "xmla",
            columns: ...,
            rows: ...,
            measures: ...,
            transport: {
                connection: {
                    catalog: ...,
                    cube: ...
                },
                read: {
                    url: "http://.../msmdpump.dll",
                    dataType: "text",
                    contentType: "text/xml",
                    type: "POST",
                    userid: ...,
                    password: ...
                }
            },
            schema: {
                type: "xmla"
            }
        }

  8. Rajan
    14 posts
    Member since:
    Aug 2012

    Posted 27 Aug 2015 in reply to Rajan

    A skeleton of the test file is attached here. The issue is discussed above. Connecting to OLAP cube in our intranet using msmdpump.dll site does not work.
  9. Rajan
    14 posts
    Member since:
    Aug 2012

    Posted 27 Aug 2015 in reply to Rajan

    Using the following I can largely resolve the issue. 

          $.support.cors = true;

    Still IE8 complains about web page accessing data not under its control.

    I can try ajax function as an argument of transport.read.  Is there a declarative way to handle the settings better?

     

     

  10. Georgi Krustev
    Admin
    3707 posts

    Posted 31 Aug 2015

    Hello Rajan,

    I would suggest you review the "Access the cube securely" help topic. It discusses the available options to use the cube securely.

    With regards to the older browsers that do not support CORS, I would suggest you use a proxy for communication. Thus you will be able to request the cube more securely too.

    Regards,
    Georgi Krustev
    Telerik
     
     
  11. Rajan
    14 posts
    Member since:
    Aug 2012

    Posted 01 Sep 2015 in reply to Georgi Krustev

    We will look into the options. CORS situation makes life a little harder. 
  12. rwb
    19 posts
    Member since:
    Aug 2015

    Posted 02 Feb

    Brilliant bit of code there Georgi. Just saved my bacon. Many thanks.
  13. rwb
    19 posts
    Member since:
    Aug 2015

    Posted 03 Feb

    OK, two steps forward and one step back.

    It seems that you can't specify a username in an ADOMD connection string, and you can only log in to SSAS using a Windows account. Therefore I had to set the app pool on the web server to use my domain account.

    Even so, I'm getting a lot of errors: The <CubeName> cube either does not exist or has not been processed. Which I think is symptomatic of a permissions or connection issue between the web server and SSAS.

    Any ideas or suggestions for fixes?

  14. Georgi Krustev
    Admin
    3707 posts

    Posted 05 Feb

    Hi rwb,

    In general, access authorization is a tricky task when it comes to databases, cubes, IIS. What I would suggest is to request the exposed service directly using a simple Ajax request. This, as a test case, will help you to tweak the configuration until it is the proper one, and the service finally communicates correctly with Ajax requests.

    I am afraid that we would not be able to assist you with this particular task, as it falls out of the scope of the entitled support service.

    Regards,
    Georgi Krustev
    Telerik
     
     
  15. rwb
    19 posts
    Member since:
    Aug 2015

    Posted 27 Apr

    Finally got a workable approach.

    While the username, password, effectiveusername fields in the ADOMD connection string either are ignored or don't work, crucially, the Roles field does.

    Therefore, with IIS set to run as a domain user that is an administrator in SSAS, we can set up roles in SSAS and, by specifying the role name in the connection string (the web server code first matches a user to the correct role), ensure that dimension security is enforced.
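
A sketch of the role-matching step described in the last post, as an added example that is not rwb's code or part of the Telerik sample: the role is looked up on the server from the authenticated user and the request fails when no role is mapped, because a connection opened by the administrator identity without `Roles` would not be restricted by dimension security. The user names, role names and the `CubeConnection` class are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Data.Common;

public static class CubeConnection
{
    // Assumed mapping from the authenticated user to an SSAS role defined on the cube database.
    // It lives on the server; nothing sent by the browser selects the role.
    static readonly Dictionary<string, string> RoleByUser =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { @"CORP\alice", "SalesEurope" },
            { @"CORP\bob",   "SalesAmericas" },
        };

    public static string BuildFor(string authenticatedUser, string server, string catalog)
    {
        string role;
        // Fail closed: an unmapped user gets no connection string at all,
        // rather than one without Roles that runs with the app pool's full rights.
        if (authenticatedUser == null || !RoleByUser.TryGetValue(authenticatedUser, out role))
            throw new UnauthorizedAccessException("no SSAS role mapped for this user");

        // The builder quotes values, so a stray ';' in a configured value
        // cannot append extra connection string properties.
        var builder = new DbConnectionStringBuilder();
        builder["Data Source"] = server;
        builder["Catalog"] = catalog;
        builder["Roles"] = role;
        return builder.ConnectionString;
    }
}
```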
