This is a migrated thread and some comments may be shown as answers.

Securing access to msmdpump.dll

17 Answers 968 Views
PivotGrid
This is a migrated thread and some comments may be shown as answers.
Gary
Top achievements
Rank 1
Gary asked on 05 Aug 2014, 09:43 PM
In the basic usage example, the transport read url is set to msmdpump.dll.

I am investigating how to secure access to msdmpump.dll from the client, and I think that the only way is to introduce a server-side (Web Api) service as an intermediary between msmdpump.dll and the client application. Is that correct?

Assuming it is, could you provide some guidance on how to implement Web Api to do this? 

Thanks!
Gary

17 Answers, 1 is accepted

Sort by
0
Accepted
Nikolay Rusev
Telerik team
answered on 07 Aug 2014, 08:19 AM
Hello Gary,

We are not sure what you mean here `I am investigating how to secure access to msdmpump.dll from the client`.

However you can use ADOMD to feed the PivotGrid with data. This way the request to the msmdpump.dll is made on server, while the client requests sort of proxy to it. The following code-library demonstrates how to implement this: bind-to-adomd-client.

Regards,
Nikolay Rusev
Telerik
 
Join us on our journey to create the world's most complete HTML 5 UI Framework - download Kendo UI now!
 
0
Gary
Top achievements
Rank 1
answered on 07 Aug 2014, 04:06 PM
Just what I was looking for. Thanks!
0
Chris
Top achievements
Rank 1
answered on 27 Aug 2014, 08:57 PM
The approach in the PivotGridBindingAdomd.zip sample does indeed allow us to prevent direct connection restriction from the client to SSAS...   BUT there is an effective pass through of the raw SSAS statement from client to web backend/Controller to SSAS  (and so could be spoofed etc to create fake commands executed against the server), so the threat surface area of exposure of SSAS is widened.

Does this effectively mean that the ajax version of pivotgrid is a tighter more secure option (as i am guessing the SSAS commands for ajax are generated server side) than the kendo version, for this dynamic stuff where commands would seem to be formed on the client.

Unless you can suggest some sort of gatekeeper layer at the server?

Please note personally everything about kendo pivotgrid appeals to me, just wanting to explore security issues / possibilities,
Thanks,
Chris

0
Georgi Krustev
Telerik team
answered on 29 Aug 2014, 07:55 AM
Hello Chris,

In general, the PivotGrid bound to OLAP service will perform Ajax requests using the XMLA protocol, nothing more. In other words, the pivotgrid generates a XMLA request and sends it to the OLAP service. If it returns any result then the widget will render them.

That being said, it should be sufficient to secure the access to the OLAP service requesting an authentication information. Here is a thorough MSDN help document on the same subject.

Regards,
Georgi Krustev
Telerik
 
Join us on our journey to create the world's most complete HTML 5 UI Framework - download Kendo UI now!
 
0
Rajan
Top achievements
Rank 1
answered on 27 Aug 2015, 03:02 PM

I am evaluating Kendo UI pivotgrid. We need to communicate to SSAS cube using msmdpump.dll site on IIS. We need to specify userid and password. We have configured only Basic authentication and Impersonation on the web site.

Where do we specify userid/password in the configuration?

transport.read does not seem to have userid and password attributes?

I am trying with the following set up...but it does not connect to the cube.

               dataSource: {
                    type: "xmla",
                    columns: ...,
                    rows: ...,
                    measures: ...,
                    transport: {
                        connection: {
                            catalog:  ....,
                            cube:... ,
                      
                        },
                        read: {
                            url: "http://.../msmdpump.dll",
                            dataType: "text",
                            contentType: "text/xml",
                            type: "POST",
                            userid: ...,
                            password: ..."
                        } 
                    },
                    schema: {
                        type: "xmla"
                    }

    }

0
Rajan
Top achievements
Rank 1
answered on 27 Aug 2015, 06:25 PM
A skeleton of the test file is attached here.  The issue is discussed above.  Connecting to OLAP cube in our intranet using mdmdpump.dll site does not work.
0
Rajan
Top achievements
Rank 1
answered on 27 Aug 2015, 11:23 PM

Using the following I can largely resolve the issue. 

      $.support.cors = true;

 â€‹Still IE8 complains about web page accessing data not under its control.

I can try ajax function as an argument of transport.read.  Is there a declarative way to handle the settings better?

 

 

0
Georgi Krustev
Telerik team
answered on 31 Aug 2015, 10:37 AM
Hello Rajan,

I would suggest you review the "Access the cube securely" help topic: It discusses the available options to use cube securely.

With regards to the older browsers that does not support CORS, I would suggest you use proxy for communication. Thus you will be able to request the cube more securely too.

Regards,
Georgi Krustev
Telerik
 
Join us on our journey to create the world's most complete HTML 5 UI Framework - download Kendo UI now!
 
0
Rajan
Top achievements
Rank 1
answered on 01 Sep 2015, 02:35 PM
We will look into the options. CORS situation makes life a little harder. 
0
rwb
Top achievements
Rank 2
answered on 02 Feb 2016, 09:58 AM
Brilliant bit of code there Georgi. Just saved my bacon. Many thanks.
0
rwb
Top achievements
Rank 2
answered on 03 Feb 2016, 08:46 AM

OK, two steps forward and one step back.

 It seems that you can't specify a username in an ADOMD connection string, and you can only log in to SSAS using a Windows account. Therefore I had to set the app pool on the web server to use my domain account.

Even so, I'm getting a lot of errors: The <CubeName> cube either does not exist or has not been processed. Which I think is symptomatic of a permissions or connection issue between the web server and SSAS.

 Any ideas or suggestions for fixes?

0
Georgi Krustev
Telerik team
answered on 05 Feb 2016, 10:23 AM
Hi rwb,

In general, access authorization is a tricky task when it comes to data bases, cubes, IIS. What I would suggest you is to request the exposed service directly using a simple Ajax request: This, as test case, will help you to tweak the configuration until it is the proper one, and the service finally communicates correctly with Ajax requests.

I am afraid that we would not be able to assist you with this particular task, as it falls out of the scope of the entitled support service.

Regards,
Georgi Krustev
Telerik
 
Join us on our journey to create the world's most complete HTML 5 UI Framework - download Kendo UI now!
 
0
rwb
Top achievements
Rank 2
answered on 27 Apr 2016, 09:11 AM

Finally got a workable approach.

While the username, password, effectiveusername fields in the ADOMD connection string either are ignored or don't work, crucially, the Roles field does.

Therefore, with IIS set to run as a domain user that is an administrator in SSAS, we can set up roles in SSAS and by specifying the role name in the connection string (the web server code first matches a user to a the correct role) ensure that dimension security is enforced.

0
Rajshree
Top achievements
Rank 1
answered on 14 Dec 2017, 03:47 PM
the solution file is not working.here is the error i found.
0
Rajshree
Top achievements
Rank 1
answered on 14 Dec 2017, 03:50 PM

https://www.telerik.com/support/code-library/bind-to-adomd-client#R99kE6f570qtGLc3wEYrvg

project solution link.

forgot to add earlier.

error attached

0
Rajshree
Top achievements
Rank 1
answered on 15 Dec 2017, 03:23 AM

so, i use similar code from the project below.

how can i pass parameter before i load the grid. for instance, i want to show only specific client data from the cube. i have client id available on html/cshtml view. how can i pass it to below and display only that specific client related data only. i dont want to show all clients data but only one client that is associated with user logged in.

https://www.telerik.com/support/code-library/bind-to-adomd-client

public ActionResult Read([PivotDataSourceRequest] PivotDataSourceRequest request)

        {

}

<script>
  $(document).ready(function () {
      var pivotgrid = $("#pivotgrid").kendoPivotGrid({
          height: 500,
          filterable: true,
          dataSource: {
              type: "xmla",
              columns: [{ name: "[Incident].[Status]" }],
              rows: [{ name: "[Clients].[Client Name]" }],
              measures: ["[Measures].[Incident Count]"],
              transport: {
                  connection: {
                      catalog: "NextGenToolIncidentCube",
                      cube: "IncidentAnalyticalCube"
                  },
                  read: {
                      url: "@Url.Action("Read")",
                      dataType: "text",
                      contentType: "text/xml",
                      type: "POST"
                  },
                  discover: {
                      url: "@Url.Action("Discover")",
                      dataType: "text",
                      contentType: "text/xml",
                      type: "POST"
                  }
              },
              schema: {
                  type: "xmla"
              },
              error: function (e) {
                  alert("error: " + kendo.stringify(e.errors[0]));
              }
          }
      }).data("kendoPivotGrid");
 
      $("#configurator").kendoPivotConfigurator({
          dataSource: pivotgrid.dataSource
      });
  });
      </script>

 

 

0
Alex Hajigeorgieva
Telerik team
answered on 18 Dec 2017, 11:59 AM
Hello, Rajshree,

The described scenario to show only specific data to the user sounds like the data should be filtered.

You may pass the filter configuration as shown in the how-to article at:

https://docs.telerik.com/kendo-ui/controls/data-management/pivotgrid/how-to/filtering/filter-dimension

Let me know what you think and if you need more information, please do not hesitate to get back to me.

Regards,
Alex Hajigeorgieva
Progress Telerik
Try our brand new, jQuery-free Angular components built from ground-up which deliver the business app essential building blocks - a grid component, data visualization (charts) and form elements.
Tags
PivotGrid
Asked by
Gary
Top achievements
Rank 1
Answers by
Nikolay Rusev
Telerik team
Gary
Top achievements
Rank 1
Chris
Top achievements
Rank 1
Georgi Krustev
Telerik team
Rajan
Top achievements
Rank 1
rwb
Top achievements
Rank 2
Rajshree
Top achievements
Rank 1
Alex Hajigeorgieva
Telerik team
Share this question
or