jackrabbit-oak-issues mailing list archives

From "Vikas Saurabh (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (OAK-8167) With uneven distribution of ACL restriction across facet labels statistical facet count become too inaccurate
Date Fri, 05 Apr 2019 14:06:00 GMT

    [ https://issues.apache.org/jira/browse/OAK-8167?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16810862#comment-16810862 ]

Vikas Saurabh commented on OAK-8167:
------------------------------------

[~anchela], while I agree it can leak (not right away - but that's a bad argument) information
such that one can get an estimate of the number of items in the repository. But do note that by
default we do "secure" facet evaluation - for obvious reasons that's unscalable and useful
for any kind of practical facet implementation. Maybe we should document this as a warning
that "statistical" facet evaluation can potentially leak information about the number of items
for a given query. How worrisome that leakage is, though, is beyond my abilities to assess.

> With uneven distribution of ACL restriction across facet labels statistical facet count become too inaccurate
> -------------------------------------------------------------------------------------------------------------
>
>                 Key: OAK-8167
>                 URL: https://issues.apache.org/jira/browse/OAK-8167
>             Project: Jackrabbit Oak
>          Issue Type: Bug
>          Components: lucene, query
>    Affects Versions: 1.6.16
>            Reporter: Kelvin Xu
>            Priority: Major
>              Labels: vulnerability
>
> With the statistical mode, facet count is updated proportionally to the percentage of
> accessible samples, which works for secured contents scattered across different facets. For
> the edge case where the whole facet (results) is not accessible, the count still shows a number
> after the sampling percent is applied. Even if the number is small, the user experience is misleading/inaccurate
> as nothing would return when the facet is clicked (applied as a query condition).
> For example, an ACLs/CUGs-guarded "private" folder, in which all the assets are tagged
> with the same facet value. A non-authorized user may still see this facet with a count but gets
> nothing when clicking on the facet.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
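The two facet modes the issue contrasts, as an added Python model that is not Oak's code: "secure" evaluation checks access on every hit, while "statistical" evaluation counts labels over the unfiltered hits and scales each count by the readable fraction of a random sample. The result set, labels and paths below are constructed; with a "private" label whose hits are all unreadable, the scaled count stays non-zero (the misleading count the reporter describes) and also reveals roughly how many private items exist (the leakage the comment mentions).

```python
import random
from collections import Counter

# Constructed index hits: (path, facet_label, readable_by_current_user).
# 90 readable items under one label, 10 unreadable items under another.
RESULTS = (
    [(f"/content/public/{i}", "public", True) for i in range(90)]
    + [(f"/content/private/{i}", "private", False) for i in range(10)]
)


def secure_facets(results):
    """Exact counts: every hit is access-checked, so an unreadable label never appears."""
    return Counter(label for _, label, readable in results if readable)


def statistical_facets(results, sample_size, seed=0):
    """Estimated counts: count labels over ALL hits (no access check), then scale every
    label by the fraction of a random sample that is readable. A label whose hits are all
    unreadable is still scaled, not dropped, so it keeps a non-zero count."""
    raw = Counter(label for _, label, _ in results)
    rng = random.Random(seed)
    sample = rng.sample(results, min(sample_size, len(results)))
    accessible_fraction = sum(1 for _, _, readable in sample if readable) / len(sample)
    return {label: int(round(count * accessible_fraction)) for label, count in raw.items()}


def facets_with_zero_hits(results, estimated):
    """Labels the estimate reports with a count > 0 that return nothing once applied as a
    query condition: the clickable-but-empty facets from the issue."""
    exact = secure_facets(results)
    return sorted(label for label, n in estimated.items() if n > 0 and exact[label] == 0)


if __name__ == "__main__":
    print("secure     :", dict(secure_facets(RESULTS)))
    est = statistical_facets(RESULTS, sample_size=20)
    print("statistical:", est)
    print("empty facets shown with a count:", facets_with_zero_hits(RESULTS, est))
```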
