@shashanthk
Last active July 12, 2024 06:18
Pentaho server auth without exposing username and password via Nginx
upstream pentaho-server {
    server <PENTAHO_SERVER_IP>:<PENTAHO_PORT>;
}

server {
    ## default listen port
    listen 80;
    ## domain name
    server_name pentaho.example.com;

    access_log /var/log/nginx/pentaho-access.log;
    error_log /var/log/nginx/pentaho-error.log;

    ##
    ## MAKE SURE TO ADD NECESSARY SECURITY HEADERS HERE
    ##

    location / {
        ## keep a copy of the original query string; /validate needs it again
        set $temp_args $args;
        ## requests carrying a partkey are redirected internally to /validate
        if ($arg_partkey != "") {
            rewrite ^ /validate$uri last;
        }
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        ## add required additional headers per your requirements
        proxy_pass http://pentaho-server;
    }

    location /validate {
        ## reachable only through the internal rewrite above, never from a client
        internal;
        set $token "";
        if ($arg_partkey != "") {
            set $token $arg_partkey;
            ## append the real Pentaho credentials to the original query string;
            ## $args now carries them, so keep $args out of any log_format
            set $args "${temp_args}&userid=<PENTAHO_USERNAME>&password=<PENTAHO_PASSWORD>";
        }
        ## strip the /validate prefix and stay in this location
        rewrite ^/validate(?<realurl>/.*)$ $realurl break;
        ## the request is proxied only if the /auth subrequest answers 2xx
        auth_request /auth;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://pentaho-server;
    }

    location /auth {
        internal;
        ## an auth_request subrequest must not forward the client's request body
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        ## the validation service receives the partkey in the "token" header
        proxy_set_header token $token;
        proxy_pass http://<SERVER_IP>:<PORT>/service/that/validates/pentaho-token;
    }
}
@shashanthk (Author)
The above configuration adds one layer of security to avoid exposing the username and password in a Pentaho report link. Below is an example:

https://pentaho.example.com/some/path/to/report/sample.prpt?userid=admin&password=test123

The above URL contains user credentials in plain text. If we do not want to expose them to the public, the Nginx config is one ugly hack we can follow.

We need to write 2 REST APIs, using any programming language or framework, that do the following:

  1. Generate an API key whenever the client requests one. Depending on how you build it, return it to the client. You can follow your own method here.
  2. Validate the generated API key. When the client tries to validate the key it received, the API should validate it and return 200 OK, else a 401 Unauthorized error message. This API should be known to Nginx only.

When we open Pentaho links, the links should be in the below format:

https://pentaho.example.com/some/path/to/report/sample.prpt?partkey=some-random-token-generated
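The two endpoints described in the comment, as an added example written for this page in Python's standard library (not the gist author's code): a `/token` route that issues a random partkey, and the `/service/that/validates/pentaho-token` route that Nginx's `auth_request` calls with the partkey in the `token` header, answering 200 or 401. The header name and validation path follow the config; the `/token` path, the in-memory store, the 300-second lifetime and port 8081 are assumptions, and how the issuing route is itself protected is left to the application, as the comment says.

```python
"""Token issuer and validator for the Nginx auth_request flow in the gist.
Store, 300 s lifetime, /token path and port 8081 are assumptions."""
import hashlib
import secrets
import time
from http.server import BaseHTTPRequestHandler, HTTPServer

TOKEN_TTL_SECONDS = 300     # assumed lifetime of a partkey
_tokens = {}                # sha256(partkey) -> expiry time (single-process store)


def _digest(token):
    # Keep only a digest so the table itself never holds usable partkeys.
    return hashlib.sha256(token.encode()).hexdigest()


def issue_token(now=None):
    """Create a random partkey, record its expiry and hand it to the caller."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    _tokens[_digest(token)] = now + TOKEN_TTL_SECONDS
    return token


def validate_token(token, now=None):
    """True for a known, unexpired partkey; False for empty, unknown or stale."""
    now = time.time() if now is None else now
    if not token:
        return False
    expiry = _tokens.get(_digest(token))
    return expiry is not None and now <= expiry


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        path = self.path.split("?", 1)[0]
        if path == "/token":                                   # client-facing
            body, status = issue_token().encode(), 200
        elif path == "/service/that/validates/pentaho-token":  # Nginx only
            ok = validate_token(self.headers.get("token", ""))
            body, status = b"", (200 if ok else 401)
        else:
            body, status = b"", 404
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Bind to loopback: only the local Nginx should reach the validation route.
    HTTPServer(("127.0.0.1", 8081), Handler).serve_forever()
```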
