Details

    • Type: New Feature
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 1.4
    • Fix Version/s: None
    • Labels:
      None

      Description

      Attached to this issue is a patch that includes a framework for enabling document level security in Solr as a search component. I did this as a Master's thesis project at Findwise in Stockholm and Findwise has now decided to contribute it back to the community. The component was developed in spring 2009 and has been in use at a customer since autumn the same year.

      There is a simple demo application up at http://demo.findwise.se:8880/SolrSecurity/ which also explains more about the component and how to set it up.

      1. SOLR-1834-with-LCF.patch
        51 kB
        Karl Wright
      2. html.rar
        38 kB
        Anders Rask
      3. SOLR-1834.patch
        42 kB
        Anders Rask

        Issue Links

          Activity

          Hoss Man added a comment -

          Anders: I only had a few moments to skim your patch, but it seems like a very cool feature, thank you (and Findwise) for contributing this.

          One thing I noticed was that there didn't seem to be a lot of documentation (javadoc or otherwise) ... I see that the demo application you cited seems to have some good overview documentation on how all the pieces fit together, and what configuration should look like – if your intention is that this documentation can also be used by Solr, would you mind attaching it to the Jira issue (as HTML, or in javadoc comments on the java files themselves) with the "Grant ... Apache License ..." box checked off so there's a clear audit log that the documentation can be reproduced within Solr?

          Anders Rask added a comment -

          HTML page describing the component and how to use it

          Anders Rask added a comment -

          Thank you for looking at the patch.

          I'm aware that the component lacks javadoc and this will need to be corrected in the future. But for now I took the information from the demo site and put it in the html.rar file attached.

          Andreas Hubold added a comment -

          The SecurityComponent from the patch wraps the parsed query in a FilteredQuery.
          Would it make sense to add the filter to ResponseBuilder#getFilters instead to utilize Solr's filterCache?

          Anders Rask added a comment -

          Hi Andreas,

          Sorry for my late reply.

          I haven't looked into the difference between using the ResponseBuilder#getFilters and using filters in a normal query. Are there any functional differences between the two ways other than that one of them utilizes Solr's filterCache and the other doesn't?

          Karl Wright added a comment -

          Hi Anders,
          I spent an hour or so refreshing my memory as to SOLR-1834 this morning.
          It appears to me that SOLR-1834 delegates specific knowledge of all document access tokens to SOLR-1834 repository plugins, and similarly delegates knowledge of user access tokens to security provider plugins. The only thing that 1834 does not delegate is the repository-type attribute. Thus, anything that plays along with 1834 must include this attribute.

          It seems possible to develop SOLR-1834 repository and security provider plugins that would work explicitly with LCF - which basically take the code currently in ticket SOLR-1895 and just apply the appropriate class structure. The only other necessary change would have to be to be sure documents from LCF were indexed with the repository-type attribute, and that is already easily done by adding an appropriate argument using the configuration UI. This would yield an LCF "repository" and a corresponding LCF "security provider".

          Is this something you would like to pursue? The advantage I see is that folks who want late binding for some kinds of documents can get that in conjunction with LCF, using this setup, although configuration would be more complex. I could readily contribute this, but it's not clear how exactly to contribute a patch to a patch...
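
The following is an added illustration, not code from the SOLR-1834 patch or from any commenter. It models the delegation described above (security providers supply user access tokens, dispatched per repository type) and emits one deterministic, escaped filter string of the kind that could be passed to Solr as a filter query and so be cached, which is the point of the filterCache question earlier in the thread. The field names `repository_type` and `allow_token`, both functions and the sample providers are hypothetical.

```python
import re

# Hypothetical field names: the page does not give the patch's schema.
REPO_TYPE_FIELD = "repository_type"
ACL_FIELD = "allow_token"

# Characters that carry meaning in the Lucene/Solr query syntax.
_SPECIAL = re.compile(r'([+\-!(){}\[\]^"~*?:\\/&|\s])')


def escape_term(value):
    """Backslash-escape a token so it is parsed as one literal term."""
    return _SPECIAL.sub(r"\\\1", value)


def build_security_filter(user, providers):
    """Build one filter string from per-repository security providers.

    `providers` maps a repository type to a callable returning the set of
    access tokens that user holds in that repository (constructed model).
    """
    clauses = []
    for repo_type in sorted(providers):
        tokens = sorted(providers[repo_type](user))
        if not tokens:
            continue  # no tokens here: this repository's documents stay hidden
        terms = " OR ".join(f"{ACL_FIELD}:{escape_term(t)}" for t in tokens)
        clauses.append(
            f"({REPO_TYPE_FIELD}:{escape_term(repo_type)} AND ({terms}))"
        )
    # Fail closed: a user with no tokens anywhere gets a filter matching nothing.
    return " OR ".join(clauses) if clauses else "-*:*"


# Constructed sample data standing in for two security provider plugins.
SAMPLE_PROVIDERS = {
    "fileshare": lambda user: {"alice": {"staff"}}.get(user, set()),
    "wiki": lambda user: {"alice": {"hr team", "eng"}}.get(user, set()),
}

if __name__ == "__main__":
    for name in ("alice", "mallory"):
        print(name, "->", build_security_filter(name, SAMPLE_PROVIDERS))
```

Sorting the repository types and tokens means the same user always produces the same string, so a cache keyed on the filter is hit on repeat queries; escaping keeps a token that contains query syntax from widening the filter.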

          Karl Wright added a comment -

          I've attached what I think to be the correct code to structure the LCF security support as two plugins into this framework. The first is a security provider, the second is a model. In order to use this with LCF, you still need to set up a schema consistent with SOLR-1895, and you would also need the schema addition that this framework provides.

          The SOLR-1834-with-LCF.patch file is an SVN diff against Solr trunk. I needed to make a number of changes to build.xml to get it to work in the current trunk environment. Also, I needed to comment out the @override commands for some reason - but still, everything looked good.

          Ravish Bhagdev added a comment -

          Are there any plans for adding this or other document level or other search security solutions into Solr? This requirement is quite critical for most enterprise search apps I would have thought? Has this been discussed in detail elsewhere?

          Sumit Sen added a comment -

          I have added SOLR-1834 patch code under contrib\security folder in Solr 3.4 distribution including build.xml. I am trying to build (ant dist) and apparently it keeps on running with no error. Is there anything I am missing? I am new to adding Solr patch stuff. Thanks.


            People

            • Assignee:
              Unassigned
              Reporter:
              Anders Rask
            • Votes:
              3
              Watchers:
              16

              Dates

              • Created:
                Updated: