You are viewing a plain text version of this content. The canonical link for it is here.

Posted to solr-user@lucene.apache.org by Nitin Agarwal <2n...@gmail.com> on 2014/10/07 17:37:29 UTC

SOLR query - restrict access to user documents

Hi, I have a question around SOLR query, I am trying to restrict access to
SOLR data.

We are running SOLR 4.7.1, and wish to expose the query capabilities to our
customers for the data that belongs to them. Specifically "/select", with
default configuration is the only Request Handler that customers can
access.

<requestHandler name="/select" class="solr.SearchHandler">
     <lst name="defaults">
       <str name="echoParams">explicit</str>
       <int name="rows">10</int>
       <str name="df">text</str>
     </lst>
</requestHandler>

The custom API that fronts SOLR, will inject appropriate restriction
into the "q" param e.g. q=customerNumber:123 or
append to "q" param q=<customer query> AND customerNumber:123, before
sending the request to the "/select" handler.

This works fine, however,

I want to know if there is a way customer can override these restrictions?

If so what can I do to prevent that?

So far I have come across facet.mincount as one potential concern
where by customer can see data that they should not, e.g.

/select?q=<customer query> AND
customerNumber:123&facet=true&facet.field=customerName&rows=0&*facet.mincount=0*

will return those customer names as well that do not belong to
customerNumber 123.

Are there any other gotchas that I should know?

Thanks for your time and help,

Nitin

Re: SOLR query - restrict access to user documents

Posted by Ahmet Arslan <io...@yahoo.com.INVALID>.

How about using a fq in appends section of solrconfig.xml?

<lst name="appends">
    <str name="fq">{!term f=customerNumber v=$qq}</str>
</lst>

And your query string will be : /select?q=<customer query>&qq=123

https://cwiki.apache.org/confluence/display/solr/Local+Parameters+in+Queries

Ahmet


On Wednesday, October 8, 2014 1:40 AM, Nitin Agarwal <2n...@gmail.com> wrote:
Thanks for the info Jorge, I will look into invariants, good pointer.

My API, forces the rows to be a max of 500. If the user specifies more than
500 docs, then we modify the rows param to be 500.




On Tue, Oct 7, 2014 at 3:31 PM, Jorge Luis Betancourt Gonzalez <
jlbetancourt@uci.cu> wrote:

> I see you’re defining a default value for “rows” this could be overridden
> on the request, and requesting a lot of documents from solr can stress out
> your server/cluster, of course if the client in question has that many
> documents. if this is a fixed value and the clients can’t request more
> documents, then I’ll consider moving this into the invariants section
> ensuring that no matter what this value can’t be changed by the request.
> Some time ago I had a similar use case, we wanted to expose Solr to the
> clients and eventually we faced problems where some clients requested “all
> of his documents” in one request stressing out our cluster in the end we
> wrote a custom SearchComponent to set max values (instead of a fixed value
> specified on invariants) for the rows and start parameters (actually this
> component those a little more as we add some limitations to each type of
> client, defining some constrains as how many documents. i.e. data points
> can be requested, etc.).
>
> Hope it helps,
>
> On Oct 7, 2014, at 11:37 AM, Nitin Agarwal <2n...@gmail.com>
> wrote:
>
> > Hi, I have a question around SOLR query, I am trying to restrict access
> to
> > SOLR data.
> >
> > We are running SOLR 4.7.1, and wish to expose the query capabilities to
> our
> > customers for the data that belongs to them. Specifically "/select", with
> > default configuration is the only Request Handler that customers can
> > access.
> >
> > <requestHandler name="/select" class="solr.SearchHandler">
> >     <lst name="defaults">
> >       <str name="echoParams">explicit</str>
> >       <int name="rows">10</int>
> >       <str name="df">text</str>
> >     </lst>
> > </requestHandler>
> >
> > The custom API that fronts SOLR, will inject appropriate restriction
> > into the "q" param e.g. q=customerNumber:123 or
> > append to "q" param q=<customer query> AND customerNumber:123, before
> > sending the request to the "/select" handler.
> >
> > This works fine, however,
> >
> > I want to know if there is a way customer can override these
> restrictions?
> >
> > If so what can I do to prevent that?
> >
> > So far I have come across facet.mincount as one potential concern
> > where by customer can see data that they should not, e.g.
> >
> > /select?q=<customer query> AND
> >
> customerNumber:123&facet=true&facet.field=customerName&rows=0&*facet.mincount=0*
> >
> > will return those customer names as well that do not belong to
> > customerNumber 123.
> >
> > Are there any other gotchas that I should know?
> >
> > Thanks for your time and help,
> >
> > Nitin
>
> Concurso "Mi selfie por los 5". Detalles en
> http://justiciaparaloscinco.wordpress.com
>

Re: SOLR query - restrict access to user documents

Posted by Nitin Agarwal <2n...@gmail.com>.

Thanks for the info Jorge, I will look into invariants, good pointer.

My API, forces the rows to be a max of 500. If the user specifies more than
500 docs, then we modify the rows param to be 500.

On Tue, Oct 7, 2014 at 3:31 PM, Jorge Luis Betancourt Gonzalez <
jlbetancourt@uci.cu> wrote:

> I see you’re defining a default value for “rows” this could be overridden
> on the request, and requesting a lot of documents from solr can stress out
> your server/cluster, of course if the client in question has that many
> documents. if this is a fixed value and the clients can’t request more
> documents, then I’ll consider moving this into the invariants section
> ensuring that no matter what this value can’t be changed by the request.
> Some time ago I had a similar use case, we wanted to expose Solr to the
> clients and eventually we faced problems where some clients requested “all
> of his documents” in one request stressing out our cluster in the end we
> wrote a custom SearchComponent to set max values (instead of a fixed value
> specified on invariants) for the rows and start parameters (actually this
> component those a little more as we add some limitations to each type of
> client, defining some constrains as how many documents. i.e. data points
> can be requested, etc.).
>
> Hope it helps,
>
> On Oct 7, 2014, at 11:37 AM, Nitin Agarwal <2n...@gmail.com>
> wrote:
>
> > Hi, I have a question around SOLR query, I am trying to restrict access
> to
> > SOLR data.
> >
> > We are running SOLR 4.7.1, and wish to expose the query capabilities to
> our
> > customers for the data that belongs to them. Specifically "/select", with
> > default configuration is the only Request Handler that customers can
> > access.
> >
> > <requestHandler name="/select" class="solr.SearchHandler">
> >     <lst name="defaults">
> >       <str name="echoParams">explicit</str>
> >       <int name="rows">10</int>
> >       <str name="df">text</str>
> >     </lst>
> > </requestHandler>
> >
> > The custom API that fronts SOLR, will inject appropriate restriction
> > into the "q" param e.g. q=customerNumber:123 or
> > append to "q" param q=<customer query> AND customerNumber:123, before
> > sending the request to the "/select" handler.
> >
> > This works fine, however,
> >
> > I want to know if there is a way customer can override these
> restrictions?
> >
> > If so what can I do to prevent that?
> >
> > So far I have come across facet.mincount as one potential concern
> > where by customer can see data that they should not, e.g.
> >
> > /select?q=<customer query> AND
> >
> customerNumber:123&facet=true&facet.field=customerName&rows=0&*facet.mincount=0*
> >
> > will return those customer names as well that do not belong to
> > customerNumber 123.
> >
> > Are there any other gotchas that I should know?
> >
> > Thanks for your time and help,
> >
> > Nitin
>
> Concurso "Mi selfie por los 5". Detalles en
> http://justiciaparaloscinco.wordpress.com
>

Re: SOLR query - restrict access to user documents

Posted by Jorge Luis Betancourt Gonzalez <jl...@uci.cu>.

I see you’re defining a default value for “rows” this could be overridden on the request, and requesting a lot of documents from solr can stress out your server/cluster, of course if the client in question has that many documents. if this is a fixed value and the clients can’t request more documents, then I’ll consider moving this into the invariants section ensuring that no matter what this value can’t be changed by the request. Some time ago I had a similar use case, we wanted to expose Solr to the clients and eventually we faced problems where some clients requested “all of his documents” in one request stressing out our cluster in the end we wrote a custom SearchComponent to set max values (instead of a fixed value specified on invariants) for the rows and start parameters (actually this component those a little more as we add some limitations to each type of client, defining some constrains as how many documents. i.e. data points can be requested, etc.).

Hope it helps, 

On Oct 7, 2014, at 11:37 AM, Nitin Agarwal <2n...@gmail.com> wrote:

> Hi, I have a question around SOLR query, I am trying to restrict access to
> SOLR data.
> 
> We are running SOLR 4.7.1, and wish to expose the query capabilities to our
> customers for the data that belongs to them. Specifically "/select", with
> default configuration is the only Request Handler that customers can
> access.
> 
> <requestHandler name="/select" class="solr.SearchHandler">
>     <lst name="defaults">
>       <str name="echoParams">explicit</str>
>       <int name="rows">10</int>
>       <str name="df">text</str>
>     </lst>
> </requestHandler>
> 
> The custom API that fronts SOLR, will inject appropriate restriction
> into the "q" param e.g. q=customerNumber:123 or
> append to "q" param q=<customer query> AND customerNumber:123, before
> sending the request to the "/select" handler.
> 
> This works fine, however,
> 
> I want to know if there is a way customer can override these restrictions?
> 
> If so what can I do to prevent that?
> 
> So far I have come across facet.mincount as one potential concern
> where by customer can see data that they should not, e.g.
> 
> /select?q=<customer query> AND
> customerNumber:123&facet=true&facet.field=customerName&rows=0&*facet.mincount=0*
> 
> will return those customer names as well that do not belong to
> customerNumber 123.
> 
> Are there any other gotchas that I should know?
> 
> Thanks for your time and help,
> 
> Nitin

Concurso "Mi selfie por los 5". Detalles en http://justiciaparaloscinco.wordpress.com