Restricting users' access when using the Accelerator
Even though I went through the documentation for Accelerator and authentication, I’m probably not able to fully understand the authentication concept when Accelerator for SSAS is used…
Our application is working in this way:
- Windows authentication on web site that hosts the Flexmonster pivot. Our custom authorization which says which users can access the web
- Flexmonster accelerator running on the web server
- Web server is able to connect to SSAS using windows credentials – in flexmonster.config. I’m not supplying any credentials right now
The ideal case would be if we could use the end user authentication for accessing the SSAS. But I do not expect it is possible because of the double hop issue – the web server can be on a different machine than the SSAS. So I expect that Accelerator is using the account under which the service is running when no credentials are specified, is that right?
Also I expect that anybody who has access to the web server where accelerator is running can read the data from the accelerator unless it is restricted on firewall level.
Assume that we e.g. have 100 users in the domain, 20 with access to the SSAS using Windows authentication (the same 20 users have access to the web page), but all can access the Accelerator’s endpoint via HTTP. How can we manage that only the 20 authenticated users can access the cube? It does not necessarily have to be based on Windows authentication, we can implement user/password authentication on the web site, but still I don’t know how to restrict the access on the Accelerator side. The only thing I would like to avoid is that we have to manually set allowed users in the firewall, because it would be another place where we have to keep and synchronize users.
In documentation at http://www.flexmonster.com/doc/configuring-usernamepassword-protection/ there is “In general, Accelerator will use these credentials if client-side report does not contain own credentials”. How can I pass my own credentials in the report?
BTW, the main purpose of using Accelerator is that we want to avoid setting up the data pump on SSAS server.
Thanks in advance for any explanation or hints.
Thank you for the detailed explanation.
Since the user authorization for Accelerator only works through IIS and data pump, we want to recommend another approach.
Accelerator can be integrated into your website backend as a separate ASP.NET controller. In this case, the Accelerator endpoint will be on the same host as the website (i.e. http://example.com/api/FlexmonsterProxy/). It will give you full control over the endpoint access management. For instance, if the end user has an open session he will be redirected to the Accelerator URL. Otherwise, he will be redirected to the authentication page.
We are ready to provide you with the Flexmonster Accelerator DLL file and with the examples of how to implement a separate controller. It will allow managing the security the way you want and also avoid setting up the data pump on SSAS server.
Please let us know if it works for you.
Thanks for your answer. Building a proxy in my MVC/WebAPI that just redirects authenticated requests to the Accelerator endpoint, which will be available only locally, was one of my ideas. If you have an integration of the endpoint into ASP.NET, it would be great if you could provide me the DLL, otherwise I think I will manage to write my own solution…
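The gate-and-forward idea discussed in the posts above, sketched as an added example (not part of the thread and not Flexmonster's controller): an ASP.NET Web API 2 controller that lets only authorized users reach an Accelerator assumed to listen on loopback only. The controller name, the `CubeReaders` role, the use of port 50005 as the upstream and the POST-only route are assumptions.

```csharp
using System;
using System.Net;
using System.Net.Http;
using System.Threading.Tasks;
using System.Web.Http;

// Added example, not Flexmonster's controller. "CubeReaders" is a hypothetical
// role holding the users who are allowed to query the cube.
[Authorize(Roles = "CubeReaders")] // anonymous or non-member callers get 401
[RoutePrefix("api/FlexmonsterProxy")]
public class AcceleratorGateController : ApiController
{
    // Fixed loopback upstream (assumed port); never derived from client input,
    // so the proxy cannot be pointed at other internal hosts.
    private static readonly Uri Upstream = new Uri("http://localhost:50005/");

    // One shared client: HttpClient is safe for concurrent SendAsync calls.
    private static readonly HttpClient Client = new HttpClient();

    [HttpPost, Route("{*path}")]
    public async Task<HttpResponseMessage> Forward(string path = "")
    {
        // Resolve against the fixed base and refuse anything that escapes it
        // (absolute or scheme-relative values smuggled into the path).
        var target = new Uri(Upstream, path ?? "");
        if (!Upstream.IsBaseOf(target))
            return Request.CreateResponse(HttpStatusCode.BadRequest);

        var outbound = new HttpRequestMessage(HttpMethod.Post, target)
        {
            Content = new StreamContent(await Request.Content.ReadAsStreamAsync())
        };
        // Copy only the content type; cookies and Authorization stay at the gate.
        if (Request.Content.Headers.ContentType != null)
            outbound.Content.Headers.ContentType = Request.Content.Headers.ContentType;

        var response = await Client.SendAsync(outbound);
        // Hop-by-hop header; the web server sets its own framing for the reply.
        response.Headers.TransferEncodingChunked = null;
        return response;
    }
}
```

The gate only helps if the Accelerator port itself is unreachable from other machines; otherwise the 80 unauthorized users can still bypass the controller and talk to it directly.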
Thank you for the answer, glad to hear that WebAPI solution can help.
As promised, we have prepared MVC/WebAPI sample.
Also, connection string can be modified in the
Please let me know if you have any additional questions.
This is absolutely amazing, thanks a lot! I think this way – a DLL that can be referenced directly from the ASP.NET project and used without Accelerator installation – should be the preferred way to distribute the Accelerator. It makes our lives much easier – no checking if prerequisites are installed, no running of Accelerator installers, easy update to the newest version, no firewall settings, no service dependencies etc.
Thanks a lot once again!
I have just found one issue, which probably also exists when I use Accelerator as a service…
When I open the Connect -> To OLAP dialog, it sends a request to my API endpoint which contains SOAP body. There are two issues – there is no defined default action for /api/endpoint/ , I have tried to set default to Handshake, but still it does not expect SOAP content and fails on some NullReferenceException.
But even when I have accelerator running and I fill http://localhost:50005 to the Proxy URL, it does not load list of Catalogs/Cubes, the HTTP response just returns a message that accelerator is running.
It’s low priority, ideal case would be if we could change just the cube – catalog and Proxy URL should be hardcoded. For now we can do our custom function for that…
Thank you for writing. Currently, our Toolbar supports only OLAP connection via XMLA protocol. This step by step connection is supported by such API calls as getXMLACubes. There are no such API calls for Accelerator. We may consider adding these API calls in our future minor releases. Please let us know how important this would be for your project.
Thanks for the reply. Adding API calls would be nice, however it’s just a medium priority for now and adding support for Accelerator in the dialog is a low priority – we can write custom dialog for that.
I have found one issue that causes us occasional errors – FlexmonsterProxyController is not thread safe. You have there static dictionaries like cachedAllMembers which can be accessed from multiple threads (multiple controllers – one per each request) and you are using regular Dictionary without locking. It can be quite easily fixed by changing it to ConcurrentDictionary…
If you want, I can rewrite it for you, if you send me the source code of FlexmonsterProxyController. Right now I have just the decompiled version. I can fix it there, because I will have to fix it anyway before our go-live, but the merge to your version would be more complicated for you from the decompiled version.
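The thread-safety fix proposed in the post above, as an added example (not part of the thread; the source of FlexmonsterProxyController is not on this page). Only the name `cachedAllMembers` comes from the post; the key and value types, `MemberCache` and `LoadMembers` are hypothetical stand-ins.

```csharp
using System;
using System.Collections.Concurrent;
using System.Threading;
using System.Threading.Tasks;

public static class MemberCache
{
    // Before (the pattern the post describes): a static Dictionary shared by
    // every request thread. Concurrent writes can corrupt its internal state
    // and surface as sporadic exceptions under load.
    // private static readonly Dictionary<string, string[]> cachedAllMembers = ...;

    // After: ConcurrentDictionary makes the map itself safe; wrapping values
    // in Lazy ensures the expensive load runs once per key even when many
    // requests miss the cache at the same moment.
    private static readonly ConcurrentDictionary<string, Lazy<string[]>> cachedAllMembers =
        new ConcurrentDictionary<string, Lazy<string[]>>();

    public static int Loads; // counts real loads, for the demo in Main

    public static string[] GetAllMembers(string hierarchy)
    {
        return cachedAllMembers.GetOrAdd(
            hierarchy,
            key => new Lazy<string[]>(
                () => LoadMembers(key),
                LazyThreadSafetyMode.ExecutionAndPublication)).Value;
    }

    // Hypothetical stand-in for the query that fetches members from the cube.
    private static string[] LoadMembers(string hierarchy)
    {
        Interlocked.Increment(ref Loads);
        Thread.Sleep(20); // simulate a slow backend call
        return new[] { hierarchy + ".A", hierarchy + ".B" };
    }
}

public static class Program
{
    public static void Main()
    {
        // 200 simulated concurrent requests over 4 distinct keys.
        Parallel.For(0, 200, i => MemberCache.GetAllMembers("[Dim" + (i % 4) + "]"));
        Console.WriteLine("loads = " + MemberCache.Loads);
    }
}
```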
We would like to thank you for pointing out this issue about FlexmonsterProxyController. It’s a really good idea, and we will implement it quickly. But it will take some time to run all necessary tests. We will send you the updated version right after we finish testing.
Ok, thank you.