You are viewing a plain text version of this content. The canonical link for it is here.
Posted to solr-user@lucene.apache.org by Jaran Nilsen <ja...@gmail.com> on 2012/01/12 11:13:15 UTC
Restricting access to shards / collections with SolrCloud
Hi.
We're currently looking at SolrCloud to improve management of our Solr
cluster. There is one use case which I am wondering if SolrCloud provide
any support for out of the box, or if our best bet is to stick with our
current solution.
The use case is:
We have a large number of shards, using the same schema - so, perfect for
SolrCloud. Some of these shards should have restricted access, meaning only
customers with certain privileges will be able to query them. The way we
solve this today is to maintain a database listing those users who have
access to these restricted shards. When building the shards-parameter for
querying Solr, we then use this database to append the URLs of the
restricted shards ONLY if the user has access to them.
With SolrCloud it would be great to be able to use the distrib=true
parameter, but that would override the approach we're currently using.
My questions are:
1. would it be an idea to create a separate collection for the shards that
are restricted? If so, is there currently any support for specifying which
collections to search so that we could implement the solution outlined
above, but for collections rather than shards?
2. If no-go on #1, are we better off sticking with our current approach and
skip using distrib=true which would query all shards?
Any input appreciated!
Best,
Jaran
--
Jaran Nilsen
Skype: jaran.nilsen
jarannilsen.com || codemunchies.com || notpod.com
twitter.com/jarannilsen // www.linkedin.com/in/jarannilsen //
facebook.com/jaran.nilsen
Re: Restricting access to shards / collections with SolrCloud
Posted by Jaran Nilsen <ja...@gmail.com>.
Hi Erick, thanks for your response!
I think we'll stick with our current solution for now, but thanks for your
suggestion on using tokens.
Best,
Jaran
On Fri, Jan 13, 2012 at 1:58 PM, Erick Erickson <er...@gmail.com>wrote:
> The SolrCloud capabilities are pretty new to me too, but I doubt
> anything like this is built in, you're probably better off with your
> current solution.
>
> Although one wonders if some kind of group-based permission
> scheme would work for you. Essentially you add an
> authorized_users entry to each document at index time and
> then simply form an fq=auth_token:(123 2348 238....). This only
> works if the total number of tokens a user can have is relatively
> small....
>
> Best
> Erick
>
> On Thu, Jan 12, 2012 at 5:13 AM, Jaran Nilsen <ja...@gmail.com>
> wrote:
> > Hi.
> >
> > We're currently looking at SolrCloud to improve management of our Solr
> > cluster. There is one use case which I am wondering if SolrCloud provide
> > any support for out of the box, or if our best bet is to stick with our
> > current solution.
> >
> > The use case is:
> >
> > We have a large number of shards, using the same schema - so, perfect for
> > SolrCloud. Some of these shards should have restricted access, meaning
> only
> > customers with certain privileges will be able to query them. The way we
> > solve this today is to maintain a database listing those users who have
> > access to these restricted shards. When building the shards-parameter for
> > querying Solr, we then use this database to append the URLs of the
> > restricted shards ONLY if the user has access to them.
> >
> > With SolrCloud it would be great to be able to use the distrib=true
> > parameter, but that would override the approach we're currently using.
> >
> > My questions are:
> >
> > 1. would it be an idea to create a separate collection for the shards
> that
> > are restricted? If so, is there currently any support for specifying
> which
> > collections to search so that we could implement the solution outlined
> > above, but for collections rather than shards?
> >
> > 2. If no-go on #1, are we better off sticking with our current approach
> and
> > skip using distrib=true which would query all shards?
> >
> > Any input appreciated!
> >
> > Best,
> > Jaran
> >
> > --
> > Jaran Nilsen
> > Skype: jaran.nilsen
> > jarannilsen.com || codemunchies.com || notpod.com
> > twitter.com/jarannilsen // www.linkedin.com/in/jarannilsen //
> > facebook.com/jaran.nilsen
>
--
Jaran Nilsen
Skype: jaran.nilsen
jarannilsen.com || codemunchies.com || notpod.com
twitter.com/jarannilsen // www.linkedin.com/in/jarannilsen //
facebook.com/jaran.nilsen
Re: Restricting access to shards / collections with SolrCloud
Posted by Erick Erickson <er...@gmail.com>.
The SolrCloud capabilities are pretty new to me too, but I doubt
anything like this is built in, you're probably better off with your
current solution.
Although one wonders if some kind of group-based permission
scheme would work for you. Essentially you add an
authorized_users entry to each document at index time and
then simply form an fq=auth_token:(123 2348 238....). This only
works if the total number of tokens a user can have is relatively
small....
Best
Erick
On Thu, Jan 12, 2012 at 5:13 AM, Jaran Nilsen <ja...@gmail.com> wrote:
> Hi.
>
> We're currently looking at SolrCloud to improve management of our Solr
> cluster. There is one use case which I am wondering if SolrCloud provide
> any support for out of the box, or if our best bet is to stick with our
> current solution.
>
> The use case is:
>
> We have a large number of shards, using the same schema - so, perfect for
> SolrCloud. Some of these shards should have restricted access, meaning only
> customers with certain privileges will be able to query them. The way we
> solve this today is to maintain a database listing those users who have
> access to these restricted shards. When building the shards-parameter for
> querying Solr, we then use this database to append the URLs of the
> restricted shards ONLY if the user has access to them.
>
> With SolrCloud it would be great to be able to use the distrib=true
> parameter, but that would override the approach we're currently using.
>
> My questions are:
>
> 1. would it be an idea to create a separate collection for the shards that
> are restricted? If so, is there currently any support for specifying which
> collections to search so that we could implement the solution outlined
> above, but for collections rather than shards?
>
> 2. If no-go on #1, are we better off sticking with our current approach and
> skip using distrib=true which would query all shards?
>
> Any input appreciated!
>
> Best,
> Jaran
>
> --
> Jaran Nilsen
> Skype: jaran.nilsen
> jarannilsen.com || codemunchies.com || notpod.com
> twitter.com/jarannilsen // www.linkedin.com/in/jarannilsen //
> facebook.com/jaran.nilsen
Re: Restricting access to shards / collections with SolrCloud
Posted by Jaran Nilsen <ja...@gmail.com>.
Excellent. Thank you, Mark!
This will be a huge improvement for us when this functionality goes live :)
Jaran
On Fri, Jan 13, 2012 at 9:13 PM, Mark Miller <ma...@gmail.com> wrote:
> Here it is: https://issues.apache.org/jira/browse/SOLR-2287
>
> On Fri, Jan 13, 2012 at 3:12 PM, Mark Miller <ma...@gmail.com>
> wrote:
>
> >
> >
> > On Thu, Jan 12, 2012 at 5:13 AM, Jaran Nilsen <jaran.nilsen@gmail.com
> >wrote:
> >
> >>
> >> My questions are:
> >>
> >> 1. would it be an idea to create a separate collection for the shards
> that
> >> are restricted? If so, is there currently any support for specifying
> which
> >> collections to search so that we could implement the solution outlined
> >> above, but for collections rather than shards?
> >>
> >> 2. If no-go on #1, are we better off sticking with our current approach
> >> and
> >> skip using distrib=true which would query all shards?
> >>
> >>
> > Yes, option 1 sounds like what you want - but if you look at the bottom
> of
> > http://wiki.apache.org/solr/SolrCloud<
> http://wiki.apache.org/solr/SolrCloud2> you
> > will of course see this is not yet implemented (query over compatible
> > collections).
> >
> > We will get this support in I believe though - there may even be a JIRA
> > for it around already - I will take a look.
> >
> > --
> > - Mark
> >
> > http://www.lucidimagination.com
> >
> >
>
>
> --
> - Mark
>
> http://www.lucidimagination.com
>
--
Jaran Nilsen
Skype: jaran.nilsen
jarannilsen.com || codemunchies.com || notpod.com
twitter.com/jarannilsen // www.linkedin.com/in/jarannilsen //
facebook.com/jaran.nilsen
Re: Restricting access to shards / collections with SolrCloud
Posted by Mark Miller <ma...@gmail.com>.
Here it is: https://issues.apache.org/jira/browse/SOLR-2287
On Fri, Jan 13, 2012 at 3:12 PM, Mark Miller <ma...@gmail.com> wrote:
>
>
> On Thu, Jan 12, 2012 at 5:13 AM, Jaran Nilsen <ja...@gmail.com>wrote:
>
>>
>> My questions are:
>>
>> 1. would it be an idea to create a separate collection for the shards that
>> are restricted? If so, is there currently any support for specifying which
>> collections to search so that we could implement the solution outlined
>> above, but for collections rather than shards?
>>
>> 2. If no-go on #1, are we better off sticking with our current approach
>> and
>> skip using distrib=true which would query all shards?
>>
>>
> Yes, option 1 sounds like what you want - but if you look at the bottom of
> http://wiki.apache.org/solr/SolrCloud<http://wiki.apache.org/solr/SolrCloud2> you
> will of course see this is not yet implemented (query over compatible
> collections).
>
> We will get this support in I believe though - there may even be a JIRA
> for it around already - I will take a look.
>
> --
> - Mark
>
> http://www.lucidimagination.com
>
>
--
- Mark
http://www.lucidimagination.com
Re: Restricting access to shards / collections with SolrCloud
Posted by Mark Miller <ma...@gmail.com>.
On Thu, Jan 12, 2012 at 5:13 AM, Jaran Nilsen <ja...@gmail.com>wrote:
>
>
> My questions are:
>
> 1. would it be an idea to create a separate collection for the shards that
> are restricted? If so, is there currently any support for specifying which
> collections to search so that we could implement the solution outlined
> above, but for collections rather than shards?
>
> 2. If no-go on #1, are we better off sticking with our current approach and
> skip using distrib=true which would query all shards?
>
>
Yes, option 1 sounds like what you want - but if you look at the bottom of
http://wiki.apache.org/solr/SolrCloud<http://wiki.apache.org/solr/SolrCloud2>
you
will of course see this is not yet implemented (query over compatible
collections).
We will get this support in I believe though - there may even be a JIRA for
it around already - I will take a look.
--
- Mark
http://www.lucidimagination.com