I've been working for a while with Apache ManifoldCF and Enterprise Search in Solr ( with Document level security) . Basically you can add a couple of extra fields , for example :
allow_token : containing all the tokens that can view the document deny_token : containing all the tokens that are denied to view the document Apache ManifoldCF provides an integration that add an additional layer, and is able to combine different data sources permission schemes. The Authority Service endpoint will take in input the user name and return all the allow_token values and deny_token. At this point you can append the related filter queries to your queries and be sure that the user will only see what is supposed to see. It's basically an extension of the strategy you were proposing, role based. Of course keep protected your endpoints and avoid users to put custom fq, or all your document security model would be useless :) Cheers On 9 November 2015 at 21:52, Scott Stults <sstu...@opensourceconnections.com > wrote: > Susheel, > > This is perfectly fine for simple use-cases and has the benefit that the > filterCache will help things stay nice and speedy. Apache ManifoldCF goes a > bit further and ties back to your authentication and authorization > mechanism: > > > http://manifoldcf.apache.org/release/trunk/en_US/concepts.html#ManifoldCF+security+model > > > k/r, > Scott > > On Thu, Nov 5, 2015 at 2:26 PM, Susheel Kumar <susheel2...@gmail.com> > wrote: > > > Hi, > > > > I have seen couple of use cases / need where we want to restrict result > of > > search based on role of a user. For e.g. > > > > - if user role is admin, any document from the search result will be > > returned > > - if user role is manager, only documents intended for managers will be > > returned > > - if user role is worker, only documents intended for workers will be > > returned > > > > Typical practise is to tag the documents with the roles (using a > > multi-valued field) during indexing and then during search append filter > > query to restrict result based on roles. > > > > Wondering if there is any other better way out there and if this common > > requirement should be added as a Solr feature/plugin. > > > > The current security plugins are more towards making Solr apis/resources > > secure not towards securing/controlling data during search. > > > > > https://cwiki.apache.org/confluence/display/solr/Authentication+and+Authorization+Plugins > > > > > > Please share your thoughts. > > > > Thanks, > > Susheel > > > > > > -- > Scott Stults | Founder & Solutions Architect | OpenSource Connections, LLC > | 434.409.2780 > http://www.opensourceconnections.com > -- -------------------------- Benedetti Alessandro Visiting card : http://about.me/alessandro_benedetti "Tyger, tyger burning bright In the forests of the night, What immortal hand or eye Could frame thy fearful symmetry?" William Blake - Songs of Experience -1794 England
