lucene-solr-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Erick Erickson <erickerick...@gmail.com>
Subject Re: Matching all terms in a multiValued field
Date Fri, 01 Jul 2016 17:07:52 GMT
If the permissions are hierarchical, i.e. anyone who can see
paid_source and see confidential you could just index the
minimum-required clearance with the doc (think numeric codes here) and
form your fq as auth:[max_level_for_user TO *]. I admit I've rarely
seen security models that are that simple.

You can form a rather complex fq clause like
fq=auth:(confidential NOT (paid_source OR other_levels_bob_can't_see)]

On the plus side, that fq clause can be cached in the filterCache and re-used.
Hint: If you do this, be absolutely sure you form the filter clause exactly the
same way each time to insure it is re-used. I.e. even though this
is logically equivalent it wouldn't re-use the filterCache entry

fq=auth:(confidential NOT (other_levels_bob_can't_see OR paid_source)]

You could also write a "post filter", they were originally written
exactly to handle
ACLs, see: http://yonik.com/advanced-filter-caching-in-solr/
and
https://lucidworks.com/blog/2012/02/22/custom-security-filtering-in-solr/

Best,
Erick

On Fri, Jul 1, 2016 at 3:48 AM, Ellis, Tom (Financial Markets IT)
<Tom.Ellis@lloydsbanking.com.invalid> wrote:
> Hi There,
>
> I'm trying to create search component for some document level security. A user will have
a number of tags assigned to them, and these will be passed to the search component which
will add a filter to whatever the user's original query was. Documents will be written with
some or all of the users tags, and the query must only return documents that have a set of
tags that are included in the users tags.
>
> E.g. Alice is authorised to see 'confidential' and 'paid_source'
>
> Bob is only authorised to see 'confidential'
>
> Document 1 has tags confidential and paid_source - Alice should be able to see this document,
but Bob should not.
>
> So if I am creating a query for Bob, how can I write it so that he can't see Document
1? I.e. how do I create a query that checks the multiValued field for 'confidential' but excludes
documents that have anything else?
>
> Cheers,
>
> Tom Ellis
> Consultant Developer - Excelian
> Data Lake | Financial Markets IT
> LLOYDS BANK COMMERCIAL BANKING
> ________________________________
>
> E: Tom.Ellis@LloydsBanking.com<mailto:Tom.Ellis@LloydsBanking.com>
> Website: www.lloydsbankcommercial.com<http://www.lloydsbankcommercial.com/>
> , , ,
> Reduce printing. Lloyds Banking Group is helping to build the low carbon economy.
> Corporate Responsibility Report: www.lloydsbankinggroup-cr.com/downloads<http://www.lloydsbankinggroup-cr.com/downloads>
>
>
>
> Lloyds Banking Group plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered
in Scotland no. SC95000. Telephone: 0131 225 4555. Lloyds Bank plc. Registered Office: 25
Gresham Street, London EC2V 7HN. Registered in England and Wales no. 2065. Telephone 0207626
1500. Bank of Scotland plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in
Scotland no. SC327000. Telephone: 03457 801 801. Cheltenham & Gloucester plc. Registered
Office: Barnett Way, Gloucester GL4 3RL. Registered in England and Wales 2299428. Telephone:
0345 603 1637
>
> Lloyds Bank plc, Bank of Scotland plc are authorised by the Prudential Regulation Authority
and regulated by the Financial Conduct Authority and Prudential Regulation Authority.
>
> Cheltenham & Gloucester plc is authorised and regulated by the Financial Conduct
Authority.
>
> Halifax is a division of Bank of Scotland plc. Cheltenham & Gloucester Savings is
a division of Lloyds Bank plc.
>
> HBOS plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no.
SC218813.
>
> This e-mail (including any attachments) is private and confidential and may contain privileged
material. If you have received this e-mail in error, please notify the sender and delete it
(including any attachments) immediately. You must not copy, distribute, disclose or use any
of the information in it or any attachments. Telephone calls may be monitored or recorded.

Mime
View raw message