Posted to solr-user@lucene.apache.org by Manupriya <ma...@gmail.com> on 2009/01/12 10:54:51 UTC

Restricting results based on user authentication

Hi,

I am using the DIH feature of Solr for indexing a database. I am using a Solr
server and it is independent of my web application. I send an HTTP request
for searching and then process the returned result.

Now we have a requirement that we have to filter the results further based
on security level restrictions. For example, user id abc should not be
allowed to see a particular result. How could we achieve that?

I followed http://www.nabble.com/Restricted-views-of-an-index-td15088750.html#a15090791
It suggests something like -
"Add a role or access class to each indexed item, then use that in the
queries, probably in a filter specified in a request handler. That keeps
the definition of the filter within Solr.
For example, you can create a request handler named "admin", a field named
"role", and add a filter of "role:admin"."

I could not follow this solution. Is there any example or resource that
explains how to use a custom request handler with filtering?

Thanks,
Manu



-- 
View this message in context: http://www.nabble.com/Restricting-results-based-on-user-authentication-tp21411449p21411449.html
Sent from the Solr - User mailing list archive at Nabble.com.


Re: Restricting results based on user authentication

Posted by Chris Harris <ry...@gmail.com>.
On Mon, Jan 12, 2009 at 9:31 PM, Manupriya <ma...@gmail.com> wrote:
>
> Thanks Chris,
>
> I agree with your approach. I also don't want to add anything at the
> application level. I want authentication to be handled internally at the
> Solr level itself.

The application layer needs to be involved somehow, right, because I
assume the application level is the code that knows what the current
user id is. I'm not clear exactly what you want to keep out of the
application level.

In any case, if you don't like the idea of the application layer
adding a filter query, I think I'll defer to people with more
expertise on what your options are.

> Can you please explain to me a little more about how to add a "role" field to
> each object at indexing time? Is there any resource/example available
> explaining this?

You mentioned you're using the DataImportHandler. If your data source
is a single SQL table, the easiest approach might be to add a "role"
column to that table, and populate it appropriately for each object.
(How to do this of course depends on your application.) If your data
import code joins multiple tables, you'd need to think about which
table would be most appropriate for storing the role data.

Or perhaps your select statement could fill out a role based on
testing values of other fields; in SQL Server anyway you can write
something that looks more or less like this (the real syntax is
slightly different):

SELECT OrderID, Date, Company,
       CASE WHEN Company = 'CIA' THEN 'admin' ELSE 'user' END AS Role
FROM Orders  -- table name assumed; the original message did not give one

(The idea here is to require admin access to view orders from the CIA.)

Re: Restricting results based on user authentication

Posted by Manupriya <ma...@gmail.com>.
Thanks Chris,

I agree with your approach. I also don't want to add anything at the
application level. I want authentication to be handled internally at the
Solr level itself.

Can you please explain to me a little more about how to add a "role" field to
each object at indexing time? Is there any resource/example available
explaining this?

Thanks,
Manu


Re: Restricting results based on user authentication

Posted by Chris Harris <ry...@gmail.com>.
Hi Manu,

I haven't made a custom request handler in a while, but I want to
clarify that, if you trust your application code, you don't actually
need a custom request handler to do this sort of authentication
filtering. At indexing time, you can add a "role" field to each object
that you index, as described in the thread. At query time, you could
simply have your application code add an appropriate filter query to
each Solr request. So, if you're using the standard XML query
interface, instead of sending URLs like

  http://.../solr/select?q=foo...

you can have your application code send URLs like

  http://.../solr/select?q=foo&fq=role:admin...

If I understand the custom request handler approach, then it basically
amounts to the same thing as the above; the only difference is that
the filter query gets added internally by Solr, rather than at the
application level.

Sorry if you already understand all this; I'm throwing these comments
out just in case.

Cheers,
Chris
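
Added example (not part of the original thread or of Solr): one way an application layer could attach the role filter described above, so that the fq is derived from the authenticated session and any fq or qt sent by the client is discarded. The Solr address, the role-to-visibility mapping and the function names are assumptions.

```python
from urllib.parse import parse_qsl, urlencode

SOLR_SELECT = "http://localhost:8983/solr/select"  # assumed Solr location

# Assumed policy: which values of the indexed "role" field each session
# role may read. Here an admin may also read documents marked "user".
VISIBLE_ROLES = {"admin": ("admin", "user"), "user": ("user",)}

# Parameters the browser may control. fq and qt are deliberately absent, so a
# client cannot replace the filter or pick a different request handler.
CLIENT_PARAMS = {"q", "start", "rows"}


def role_filter(session_role):
    """Return the fq value for a role taken from the authenticated session."""
    visible = VISIBLE_ROLES.get(session_role)
    if not visible:
        # Fail closed: an unknown role gets no query at all.
        raise PermissionError("unknown role: %r" % (session_role,))
    return "role:(%s)" % " OR ".join(visible)


def build_select_url(client_query_string, session_role):
    """Rebuild the Solr request from allow-listed client parameters plus the
    server-derived filter; everything else the client sent is dropped."""
    params = [(key, value) for key, value in parse_qsl(client_query_string)
              if key in CLIENT_PARAMS]
    # fq is intersected with q, so a q such as "foo OR role:admin" still
    # cannot return documents outside the filter.
    params.append(("fq", role_filter(session_role)))
    return SOLR_SELECT + "?" + urlencode(params)


if __name__ == "__main__":
    # Constructed request: the client tries to supply its own fq and handler.
    print(build_select_url("q=foo&fq=role:admin&qt=admin&rows=10", "user"))
```

The filter only holds when browsers cannot reach Solr directly, which is the "if you trust your application code" condition in the reply above.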
