Depending on requirements, another option for simple security is to
store the security info in the index and utilize a join.  This really
only works when you have a single shard since joins aren't
distributed.

# the documents, with permissions
id:doc1, perms:public,...
id:doc2, perms:group1 group2 joe, ...
id:doc3, perms:group3, ...

# documents modeling users and what groups they belong to
id:joe, groups:joe public  group3
id:mark, groups:mark public group1 group2

And then if joe does a query, you add a filter query like the following:
fq={!join from=groups to=perms v=id:joe}

The user documents can either be in the same collection, or in a
separate "core" as long as it's co-located in the same JVM (core
container), and you can do a cross-core join.

-Yonik
http://heliosearch.org - solve Solr GC pauses with off-heap filters
and fieldcache


On Tue, Mar 25, 2014 at 3:06 PM, Philip Durbin
<philip_dur...@harvard.edu> wrote:
> I'm new to Solr and I'm looking for a document level security filter
> solution. Anonymous users searching my application should be able to
> find public data. Logged in users should be able to find public data
> and private data they have access to.
>
> Earlier today I wrote about shards as a possible solution. I got a
> great reply from Shalin Shekhar Mangar of LucidWorks explaining how to
> achieve something technical but I'd like to back up a minute and
> consider other solutions.
>
> For one thing, I'm concerned about the potential misuse of shards.
> Judging from this wiki page, shards seem to be used primarily for
> scalability rather than security (access control): "When an index
> becomes too large to fit on a single system..." -
> https://cwiki.apache.org/confluence/display/solr/Distributed+Search+with+Index+Sharding
>
> For consistency with a longer writeup of mine on this topic[1], I'm
> going to refer to the sharding solution as Option 4. Here's the full
> list of options I'm aware of for document level security filtering:
>
> 1. Manifold CF (Connector Framework)
>
> http://manifoldcf.apache.org
>
> 2. ACL PostFilter (ACLs in each document)
>
> Specifically, I mean this wonderful writeup by Erik Hatcher from
> LucidWorks: http://java.dzone.com/articles/custom-security-filtering-solr
>
> 3. Pass a (often long) list of IDs in query
>
> Representative question:
> http://lucene.472066.n3.nabble.com/Solr-large-boolean-filter-td4070747.html
>
> 4. Sharding (public shard, private shards per user)
>
> My post from earlier today:
> http://lucene.472066.n3.nabble.com/creating-shards-on-the-fly-in-a-single-Solr-instance-quot-shards-quot-query-parameter-td4126909.html
>
> I'm happy to hear opinions on any of these solutions or others I
> haven't even considered!
>
> Thanks!
>
> Phil
>
> 1. My longer writeup of this topic:
> https://trello.com/c/5z5PpR4r/50-design-solr-document-level-security-filter-solution
>
> --
> Philip Durbin
> Software Developer for http://thedata.org
> http://www.iq.harvard.edu/people/philip-durbin
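
Added example, not part of the original thread: a small Python model of the join filter from the reply at the top of this message, showing which documents each user's group values unlock and how the filter parameters can be built from a session user id. The parameter name `userq`, the helper names and the escaped character set are assumptions of this example; it uses Solr's local-params parameter dereferencing (`v=$userq`) in place of the inline `v=id:joe`.

```python
import re
from urllib.parse import urlencode

# Constructed sample index, using the field layout from the reply above.
DOCS = [
    {"id": "doc1", "perms": ["public"]},
    {"id": "doc2", "perms": ["group1", "group2", "joe"]},
    {"id": "doc3", "perms": ["group3"]},
]
USERS = [
    {"id": "joe", "groups": ["joe", "public", "group3"]},
    {"id": "mark", "groups": ["mark", "public", "group1", "group2"]},
]

# Characters with meaning in the Lucene query syntax, plus whitespace
# (assumed set for this example).
_SPECIAL = re.compile(r'([\\+\-!():^\[\]"{}~*?|&;/\s])')


def escape_term(value):
    """Backslash-escape query syntax so a user id stays a single term."""
    return _SPECIAL.sub(r"\\\1", value)


def acl_params(user_query, user_id):
    """Build request parameters; user_id must come from the authenticated
    session, never from a client-supplied request parameter."""
    return {
        "q": user_query,
        # v=$userq dereferences a separate parameter (hypothetical name),
        # keeping the id out of the {!join ...} local-params string.
        "fq": "{!join from=groups to=perms v=$userq}",
        "userq": "id:" + escape_term(user_id),
    }


def visible_ids(user_id):
    """In-memory model of the join: collect 'groups' values from matching
    user documents, then keep documents whose 'perms' share a value."""
    tokens = {g for u in USERS if u["id"] == user_id for g in u["groups"]}
    return [d["id"] for d in DOCS if tokens & set(d["perms"])]


if __name__ == "__main__":
    for uid in ("joe", "mark", "nobody"):
        print(uid, visible_ids(uid), urlencode(acl_params("*:*", uid)))
```

In this model a user id with no user document matches nothing, so the filter fails closed; anonymous access to public data would need its own user document carrying `public`.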
