Thanks for the info Jorge, I will look into invariants, good pointer. My API forces the rows to be a max of 500. If the user specifies more than 500 docs, then we modify the rows param to be 500.
On Tue, Oct 7, 2014 at 3:31 PM, Jorge Luis Betancourt Gonzalez <jlbetanco...@uci.cu> wrote:

> I see you’re defining a default value for “rows”; this could be overridden
> on the request, and requesting a lot of documents from Solr can stress out
> your server/cluster, of course if the client in question has that many
> documents. If this is a fixed value and the clients can’t request more
> documents, then I’ll consider moving this into the invariants section,
> ensuring that no matter what, this value can’t be changed by the request.
>
> Some time ago I had a similar use case: we wanted to expose Solr to the
> clients and eventually we faced problems where some clients requested “all
> of his documents” in one request, stressing out our cluster. In the end we
> wrote a custom SearchComponent to set max values (instead of a fixed value
> specified on invariants) for the rows and start parameters (actually this
> component does a little more, as we add some limitations to each type of
> client, defining some constraints such as how many documents, i.e. data
> points, can be requested, etc.).
>
> Hope it helps,
>
> On Oct 7, 2014, at 11:37 AM, Nitin Agarwal <2nitinagar...@gmail.com> wrote:
>
> > Hi, I have a question around SOLR query, I am trying to restrict access
> > to SOLR data.
> >
> > We are running SOLR 4.7.1, and wish to expose the query capabilities to
> > our customers for the data that belongs to them. Specifically "/select",
> > with default configuration, is the only Request Handler that customers
> > can access.
> >
> > <requestHandler name="/select" class="solr.SearchHandler">
> >   <lst name="defaults">
> >     <str name="echoParams">explicit</str>
> >     <int name="rows">10</int>
> >     <str name="df">text</str>
> >   </lst>
> > </requestHandler>
> >
> > The custom API that fronts SOLR will inject an appropriate restriction
> > into the "q" param, e.g. q=customerNumber:123, or append to the "q"
> > param, q=<customer query> AND customerNumber:123, before sending the
> > request to the "/select" handler.
> >
> > This works fine, however,
> >
> > I want to know if there is a way a customer can override these
> > restrictions?
> >
> > If so, what can I do to prevent that?
> >
> > So far I have come across facet.mincount as one potential concern,
> > whereby a customer can see data that they should not, e.g.
> >
> > /select?q=<customer query> AND customerNumber:123&facet=true&facet.field=customerName&rows=0&*facet.mincount=0*
> >
> > will return those customer names as well that do not belong to
> > customerNumber 123.
> >
> > Are there any other gotchas that I should know?
> >
> > Thanks for your time and help,
> >
> > Nitin
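A parameter-scrubbing layer for the fronting API discussed above, as an added example that is not code from the thread or from Solr. Instead of appending the restriction to q as the thread does, it puts the tenant clause in a separate fq filter, which Solr intersects with the main query regardless of what the customer typed in q; it also clamps rows to the 500 cap Nitin mentions and floors facet.mincount at 1 to close the leak he found. The start cap, the allowed-parameter set and the numeric-id check are assumptions made for this example.

```python
"""Scrub client parameters before forwarding a request to Solr's /select.
Added example, not the thread's code: the tenant clause goes into its own fq
filter instead of q, rows is clamped to the thread's 500 cap and facet.mincount
is floored at 1 to close the facet leak described there."""
from urllib.parse import urlencode

MAX_ROWS = 500            # cap stated in the thread
MAX_START = 10_000        # assumption: refuse unbounded deep paging as well
TENANT_FIELD = "customerNumber"
# Parameters a customer may set (assumed whitelist); everything else is dropped.
ALLOWED = {"q", "fq", "rows", "start", "sort", "fl",
           "facet", "facet.field", "facet.limit", "facet.mincount"}

def _to_int(value, default):
    """Parse an int from a request parameter, falling back to default on junk."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return default

def restrict_params(customer_number, client_params):
    """Return the parameter dict that may be sent to Solr for this tenant."""
    if not str(customer_number).isdigit():   # ids are numeric in the thread's example
        raise ValueError("customer number must be numeric")
    params = {k: v for k, v in client_params.items() if k in ALLOWED}
    params.setdefault("q", "*:*")
    # Keep the client's own filters (they can only narrow), then add the tenant filter.
    fq = params.get("fq", [])
    fq = [fq] if isinstance(fq, str) else list(fq)
    fq.append(f"{TENANT_FIELD}:{customer_number}")
    params["fq"] = fq
    params["rows"] = min(max(_to_int(params.get("rows"), 10), 0), MAX_ROWS)
    params["start"] = min(max(_to_int(params.get("start"), 0), 0), MAX_START)
    if "facet" in params:
        # facet.mincount=0 lists field values with zero matching docs, which is
        # how other customers' names leaked in the thread; force at least 1.
        params["facet.mincount"] = max(_to_int(params.get("facet.mincount"), 1), 1)
    return params

def to_query_string(params):
    """Encode the scrubbed parameters for /select (doseq expands the fq list)."""
    return urlencode(params, doseq=True)

if __name__ == "__main__":
    client = {"q": "widget", "rows": "5000", "facet": "true",
              "facet.field": "customerName", "facet.mincount": "0", "shards": "x"}
    print(to_query_string(restrict_params(123, client)))
```

Server-side invariants in solrconfig.xml remain the backstop: this layer only makes sure the API itself never forwards a request that needs them.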