Securing access to msmdpump.dll

Hello Gary,

We are not sure what you mean here `I am investigating how to secure access to msdmpump.dll from the client`.

However you can use ADOMD to feed the PivotGrid with data. This way the request to the msmdpump.dll is made on server, while the client requests sort of proxy to it. The following code-library demonstrates how to implement this: bind-to-adomd-client.

Regards,
Nikolay Rusev
Telerik

Just what I was looking for. Thanks!

The approach in the PivotGridBindingAdomd.zip sample does indeed allow us to prevent direct connection restriction from the client to SSAS...   BUT there is an effective pass through of the raw SSAS statement from client to web backend/Controller to SSAS  (and so could be spoofed etc to create fake commands executed against the server), so the threat surface area of exposure of SSAS is widened.

Does this effectively mean that the ajax version of pivotgrid is a tighter more secure option (as i am guessing the SSAS commands for ajax are generated server side) than the kendo version, for this dynamic stuff where commands would seem to be formed on the client.

Unless you can suggest some sort of gatekeeper layer at the server?

Please note personally everything about kendo pivotgrid appeals to me, just wanting to explore security issues / possibilities,
Thanks,
Chris

Hello Chris,

In general, the PivotGrid bound to OLAP service will perform Ajax requests using the XMLA protocol, nothing more. In other words, the pivotgrid generates a XMLA request and sends it to the OLAP service. If it returns any result then the widget will render them.

That being said, it should be sufficient to secure the access to the OLAP service requesting an authentication information. Here is a thorough MSDN help document on the same subject.

Regards,
Georgi Krustev
Telerik

I am evaluating Kendo UI pivotgrid. We need to communicate to SSAS cube using msmdpump.dll site on IIS. We need to specify userid and password. We have configured only Basic authentication and Impersonation on the web site.

Where do we specify userid/password in the configuration?

transport.read does not seem to have userid and password attributes?

I am trying with the following set up...but it does not connect to the cube.

               dataSource: {
                    type: "xmla",
                    columns: ...,
                    rows: ...,
                    measures: ...,
                    transport: {
                        connection: {
                            catalog:  ....,
                            cube:... ,
                      
                        },
                        read: {
                            url: "http://.../msmdpump.dll",
                            dataType: "text",
                            contentType: "text/xml",
                            type: "POST",
                            userid: ...,
                            password: ..."
                        } 
                    },
                    schema: {
                        type: "xmla"
                    }

    }

A skeleton of the test file is attached here.  The issue is discussed above.  Connecting to OLAP cube in our intranet using mdmdpump.dll site does not work.

Using the following I can largely resolve the issue. 

      $.support.cors = true;

 ​Still IE8 complains about web page accessing data not under its control.

I can try ajax function as an argument of transport.read.  Is there a declarative way to handle the settings better?

 

 

Hello Rajan,

I would suggest you review the "Access the cube securely" help topic:

• http://docs.telerik.com/kendo-ui/web/pivotgrid/olap-cube-setup#access-the-cube-securely

It discusses the available options to use cube securely.

With regards to the older browsers that does not support CORS, I would suggest you use proxy for communication. Thus you will be able to request the cube more securely too.

Regards,
Georgi Krustev
Telerik

We will look into the options. CORS situation makes life a little harder. 

Brilliant bit of code there Georgi. Just saved my bacon. Many thanks.

OK, two steps forward and one step back.

 It seems that you can't specify a username in an ADOMD connection string, and you can only log in to SSAS using a Windows account. Therefore I had to set the app pool on the web server to use my domain account.

Even so, I'm getting a lot of errors: The <CubeName> cube either does not exist or has not been processed. Which I think is symptomatic of a permissions or connection issue between the web server and SSAS.

 Any ideas or suggestions for fixes?

Hi rwb,

In general, access authorization is a tricky task when it comes to data bases, cubes, IIS. What I would suggest you is to request the exposed service directly using a simple Ajax request:

• http://dojo.telerik.com/@ggkrustev/IjOQu

This, as test case, will help you to tweak the configuration until it is the proper one, and the service finally communicates correctly with Ajax requests.

I am afraid that we would not be able to assist you with this particular task, as it falls out of the scope of the entitled support service.

Regards,
Georgi Krustev
Telerik

Finally got a workable approach.

While the username, password, effectiveusername fields in the ADOMD connection string either are ignored or don't work, crucially, the Roles field does.

Therefore, with IIS set to run as a domain user that is an administrator in SSAS, we can set up roles in SSAS and by specifying the role name in the connection string (the web server code first matches a user to a the correct role) ensure that dimension security is enforced.

the solution file is not working.here is the error i found.

https://www.telerik.com/support/code-library/bind-to-adomd-client#R99kE6f570qtGLc3wEYrvg

project solution link.

forgot to add earlier.

error attached

so, i use similar code from the project below.

how can i pass parameter before i load the grid. for instance, i want to show only specific client data from the cube. i have client id available on html/cshtml view. how can i pass it to below and display only that specific client related data only. i dont want to show all clients data but only one client that is associated with user logged in.

https://www.telerik.com/support/code-library/bind-to-adomd-client

public ActionResult Read([PivotDataSourceRequest] PivotDataSourceRequest request)

        {

}

 

 

Hello, Rajshree,

The described scenario to show only specific data to the user sounds like the data should be filtered.

You may pass the filter configuration as shown in the how-to article at:

https://docs.telerik.com/kendo-ui/controls/data-management/pivotgrid/how-to/filtering/filter-dimension

Let me know what you think and if you need more information, please do not hesitate to get back to me.

Regards,
Alex Hajigeorgieva
Progress Telerik