lucene-solr-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ryan McKinley <ryan...@gmail.com>
Subject Re: Document level security in Apache Solr
Date Fri, 02 Apr 2010 23:35:47 GMT
Hi Anders-

see comments below...

>
> Two weeks ago I created a JIRA issue (
> https://issues.apache.org/jira/browse/SOLR-1834) involving document level
> security in Apache Solr and submitted a patch containing a search component
> that can be seen as a starting point for making Solr handle document level
> security. I believe that document security is an essential part of an
> enterprise search engine and I hope that this contribution can start a
> discussion about how this should be handled in Solr (possibly in conjunction
> with the Lucene Connector Framework).
>

Thanks for posting the code -- a quick pass it looks good.  I agree
some cordination with Lucene Connectors will make sense.

On the patch, it looks good, but to get into the the dist, it will
probably need some sort of tests.  I'm not sure how that would work
with windows authentication (I don't' know much about it, but it has
been on my long term TODO list for a while!)  Perhaps we could have
tests that would run on systems that have somethign to test agains,
but not fail when running on linux (or something)


> As this contribution shows I would like to help to develop the security
> capabilities of Solr together with the community because I believe that it
> will improve Solr’s appeal to large enterprises. Moreover I think that most
> of us believe that a transparent security system will in the end give rise
> to the best security.
>

agree  -- the more people to poke holes, the better


> I hope some of you can take the time to look at the patch, try it out and
> think about:
>
> 1)      1. Should this be a contrib module in Solr? (And if so, what needs
> to be done to contribute it?)
>

I think a contrib module makes sense.  For things to move forward, a
committer needs to step up to the plate.  I would love to, but don't
have much time soon.  To make it easier for people to feel comfortable
with it, tests and doc help lots.


> 2)      2. Should document level security be a core feature in Solr? (And if
> so, what is the best way to integrate it into Solr?)

I'm not quite sure what you mean by 'core' -- I think it makes sense
to live as a contrib for a while and see how things develop.


>
> 3)      3. How can this integrate with connectors like the Lucene Connector
> Framework? I.e. how do you create a uniform way to talk about Access Control
> Lists (http://en.wikipedia.org/wiki/Access_control_list).
>

good question!  That would be really powerful.


>
>
> P.s (for the nerdy)
>
> I have some ideas about putting the security deeper into Solr, perhaps by
> creating a secure SolrIndexReader and a secure SolrIndexSearcher that are
> fed user credentials from a search component. What do you think about this?
>

What are you thinking here?  To me, it seems like the index would need
to contain all data and a SearchComponet would take user credentials
and augment the query (group:[a b c] or whatever)

The advantage of keeping the same IndexSearch across all users is that
it can share a cache where appropriate.


> As I understand it, currently it’s possible to declare your own
> SolrIndexReader but not your own SolrIndexSearcher.
>

not sure on this...


ryan

Mime
View raw message