How to secure MS SSAS 2005 for HTTP remote access via Internet?


Question

We are building a hosted application that uses MS SQL Server Analysis Services 2005 for some of the reporting, specifically OLAP cube browsing. Since it is designed to be used by very large global organizations, security is important.

It seems that Microsoft's preferred client tool for browsing OLAP cubes is Excel 2007 and the whole infrastructure is geared around Windows Integrated Authentication. We, however, are trying to build an internet-facing web application and do not want to create Windows Accounts for every user.

It also seems that there are not many nice AJAXy web-based OLAP cube browsing tools (fast, drag-and-drop for dimensions, support for actions, cross-browser etc.) As an aside, we're currently using Dundas OLAP Grid but have also considered RadarCube and other more expensive commercial solutions and are still thinking of taking on CellSetGrid and developing it further - if you know of any other cheap/open solutions please let me know!

We are therefore planning on providing two modes of access to the cube data:

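  1. Through our own web application, using one of these 3rd party web-based OLAP browsing tools.
  2. Direct access from Excel over HTTPS via the msmdpump.dll data pump, for when the web version is too slow/clunky or the user needs more powerful analysis.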

For the web app access, the connection to the SSAS data source happens from the web server so we can happily pass a CustomData item on the Connection String which indicates which user is connecting. Since we potentially have too many combinations of rights to create individual SSAS roles for, we have implemented dynamic dimension security that uses a "Cube Users" dimension in conjunction with the CustomData item from the connection string and limits the Allowed Set of various other dimension members accordingly (via other Many-to-Many dimension relationships with Measure Groups that contain the 'rights mapping').

See Mosha on Dimension Security: http://www.sqljunkies.com/WebLog/mosha/archive/2004/12/16/5605.aspx

This all seems to work fine so far.

For the 'direct connection' from Excel, we set up the data pump for HTTP access (see the MS Technet article) but have enabled anonymous access, relying again on the Connection String to control access since we don't have Windows accounts. However, in this case, the connection string is controlled by the user (we push a .odc file from the web app, but a curious user could view & change it), so we cannot rely on users to be good and keep the CustomData=grunt@corp.org from changing to CustomData=superuser@corp.org. As it turns out, this also causes the same problem with Roles, since these are also specified on the connection string if you are not using Windows Integrated Authentication.

The question therefore boils down to this: is there a way of getting basic authentication in IIS working without Windows accounts in such a way that it can be used with the SSAS data pump to let SSAS know which user is connecting so that dynamic dimension security can be used successfully?

(This is my first q on StackOverflow and probably the most complicated question I've ever asked: let me know where I haven't explained myself very well and I'll attempt to clarify)

Recommended answer

Basic authentication will work with local user accounts (non-domain) and even support passthrough authentication if the local accounts exist on different machines; however, you should force SSL, as basic authentication sends passwords in plaintext.

You can use non-Windows accounts with basic authentication in IIS with an add-on such as http://www.codeplex.com/CustomBasicAuth, but SSAS will still need to know who that user is and as far as I know SSAS uses only Windows authentication.
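
The CustomData tampering raised in the question, set against the answer's point that the HTTP layer can authenticate the caller, as an added example that is not part of the original thread. It assumes a hypothetical gateway in front of msmdpump.dll that knows the authenticated user and can see the properties the client supplied; the function names, host name and catalog name are made up for illustration.

```python
# Added example, not code from the thread. Function names, the host name and
# the catalog name are hypothetical; the e-mail addresses are the post's own.
import re

_PAIR = re.compile(r'\s*([^=;]+?)\s*=\s*(?:"((?:[^"]|"")*)"|([^;]*))\s*(?:;|$)')

def quote_value(value):
    """Quote a value so ';', '=' or '"' inside it cannot start a new property."""
    if re.search(r'[;="\s]', value):
        return '"' + value.replace('"', '""') + '"'
    return value

def build_conn_str(data_source, catalog, session_user):
    """Web-app side: CustomData is taken from the authenticated session only."""
    props = [("Provider", "MSOLAP"), ("Data Source", data_source),
             ("Initial Catalog", catalog), ("CustomData", session_user)]
    return ";".join(f"{k}={quote_value(v)}" for k, v in props)

def parse_conn_str(conn_str):
    """Return (lowercased key, value) pairs in order, keeping duplicates."""
    conn_str, pairs, pos = conn_str.strip(), [], 0
    while pos < len(conn_str):
        m = _PAIR.match(conn_str, pos)
        if m is None:
            raise ValueError(f"malformed connection string at offset {pos}")
        quoted, bare = m.group(2), m.group(3)
        value = quoted.replace('""', '"') if quoted is not None else bare.strip()
        pairs.append((m.group(1).lower(), value))
        pos = m.end()
    return pairs

def binding_violations(conn_str, authenticated_user):
    """List the ways a client-supplied string disagrees with the HTTP-layer identity."""
    problems, seen = [], {}
    for key, value in parse_conn_str(conn_str):
        if key in seen:
            problems.append(f"duplicate property: {key}")
        seen[key] = value
    if seen.get("customdata", "").lower() != authenticated_user.lower():
        problems.append("CustomData does not match authenticated user")
    if "roles" in seen:
        problems.append("client-supplied Roles property")
    return problems

if __name__ == "__main__":
    issued = build_conn_str("https://olap.example.com/olap/msmdpump.dll",
                            "Sales", "grunt@corp.org")
    edited = issued.replace("grunt@corp.org", "superuser@corp.org")  # constructed tampering
    for s in (issued, edited, issued + ";Roles=Administrators"):
        print(binding_violations(s, "grunt@corp.org"), "<-", s)
```

The quoting in `build_conn_str` also matters on the web-app path: a user identifier containing `;` or `=` stays inside the CustomData value instead of becoming a separate property.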
