You are viewing a plain text version of this content. The canonical link for it is here.
Posted to user@lucenenet.apache.org by Prescott Nasser <ge...@hotmail.com> on 2011/05/18 04:32:22 UTC
[Lucene.Net] Document Search with Permissions
Does anyone have experience building a document database that requires various user permission levels?
UserX can Edit/Delete, Read
UserY can Read
UserZ No Access
GroupA = UserX & UserY
Document1 = everyone can read
Document2 = readable by GroupA
etc?
Similar to the windows filesystem permission system.
I'm just not sure the best way to keep track of document permissions - do I make a field Permissions and store all the various permissions in that? Is there another way?
Any Insights anyone has would be great,
Thanks
~Prescott
Re: [Lucene.Net] Document Search with Permissions
Posted by Wyatt Barnett <wy...@gmail.com>.
And ravendb even uses lucene internally for all it's indexing so it fits
here well.
On 5/18/11 1:30 AM, "Itamar Syn-Hershko" <it...@code972.com> wrote:
>In RavenDB permissions info is stored as an object (with user / role /
>permission data) as metadata for each secured entity. Look at the
>Authorization bundle.
>
>
>Itamar.
>
>
>On 18/05/2011 05:32, Prescott Nasser wrote:
>
>> Does anyone have experience building a document database that requires
>>various user permission levels?
>>
>> UserX can Edit/Delete, Read
>> UserY can Read
>> UserZ No Access
>>
>> GroupA = UserX& UserY
>>
>> Document1 = everyone can read
>> Document2 = readable by GroupA
>>
>> etc?
>>
>> Similar to the windows filesystem permission system.
>>
>> I'm just not sure the best way to keep track of document permissions -
>>do I make a field Permissions and store all the various permissions in
>>that? Is there another way?
>>
>> Any Insights anyone has would be great,
>>
>> Thanks
>> ~Prescott
>>
Re: [Lucene.Net] Document Search with Permissions
Posted by Itamar Syn-Hershko <it...@code972.com>.
In RavenDB permissions info is stored as an object (with user / role /
permission data) as metadata for each secured entity. Look at the
Authorization bundle.
Itamar.
On 18/05/2011 05:32, Prescott Nasser wrote:
> Does anyone have experience building a document database that requires various user permission levels?
>
> UserX can Edit/Delete, Read
> UserY can Read
> UserZ No Access
>
> GroupA = UserX& UserY
>
> Document1 = everyone can read
> Document2 = readable by GroupA
>
> etc?
>
> Similar to the windows filesystem permission system.
>
> I'm just not sure the best way to keep track of document permissions - do I make a field Permissions and store all the various permissions in that? Is there another way?
>
> Any Insights anyone has would be great,
>
> Thanks
> ~Prescott
>
Re: [Lucene.Net] Document Search with Permissions
Posted by Noel Lysaght <ly...@hotmail.com>.
We struggled with this for a long time. Especially when user permissions
change frequently.
Here is what we done; it may not suit your environment but it worked out
well for us.
We classify documents using a number of fields; lets call those fields L1,
L2, L3, L4
As documents move around the company the classification may change and we
update that as appropriate.
For example;
Document-001: L1=PENSION, L2=FINANCIAL, L3=PAY, L4=PAYSLIP
Document-002: L1=PENSION, L2=FINANCIAL, L3=PAY, L4=P60
Document-003: L1=PENSION, L2=MEDICAL, L3=CHECKUP, L4=
We allow users access to various combinations of the levels, note * here
represents wildcard access.
A users permissions are a set of all allowed records for that user. Each row
below represents an allowed
set of classification for a user, a user may have multiple sets of
classification, as can be seen for user-001.
That user (user-001) has access to all financial documents relating to pay
and also has access to all mortgage, medical xrays (sorry extreme example
here for user access; but I'm hoping you get the idea).
USER-001 L1=* ,L2=FINANCIAL,L3=PAY,L4=*
USER-001 L1=MORTGAGE ,L2=MEDICAL,L3=XRAYS,L4=*
USER-002 L1=* ,L2=FINANCIAL,L3=PAY,L4=*
All the permissions for a user are stored in an external database. When a
user then searches we build up a list of all types of documents they are
allowed access to.
We then search for all documents that match their criteria (regardless of
their permissions). We then run the results through a custom collector; that
validates the users security and removes any documents they don't have
access to.
To do this; when indexing we store the document identifier and also the 4
additional fields (L1...L4). In our custom collector we retrieve those 4
values and compare them to the list of allowed documents classifications.
This has worked out very well for us.
But you need to be aware of the possible constraints.
Writing your own custom collector and making it perform well can be a
significant challenge.
Also when storing data in Lucene for retrieval; you should store the most
minimal amount of data that is possible.
Try and store things as integers for the L1...L4 values; rather than strings
as above. When you are iterating over 10's of thousands of documents,
keeping these sizes as small as possible allows Lucene to move quickly from
1 document to the next.
Also this is all based upon v2.9.2 of Lucene; so things may have changed in
the later versions.
We do other fancy stuff; like caching results for users; caching permissions
etc.
Writing our own custom collector has also allowed us to override document
access when required. For example implementing delegation; where when a user
goes on an extended break they nominate another user(s) to work on their
behalf.
Hope this has help.
Kind Regards
Noel
-----Original Message-----
From: Granroth, Neal V.
Sent: Wednesday, May 18, 2011 5:00 PM
To: lucene-net-user@lucene.apache.org
Subject: RE: [Lucene.Net] Document Search with Permissions
Is it required that all documents reside in a single index regardless of a
document's Windows DACL?
If not, then another possible scheme would be to create multiple indexes
stored in different folders. Apply the need user permissions to each
folder. When searching, your code would select for search only those
indexes contained in folders that the current user can access.
It is somewhat convoluted, but it let's Windows do nearly all of the work of
controlling user access; and the administrator can use standard Windows
tools to manage access control.
- Neal
-----Original Message-----
From: Prescott Nasser [mailto:geobmx540@hotmail.com]
Sent: Tuesday, May 17, 2011 9:32 PM
To: lucene-net-user@lucene.apache.org
Subject: [Lucene.Net] Document Search with Permissions
Does anyone have experience building a document database that requires
various user permission levels?
UserX can Edit/Delete, Read
UserY can Read
UserZ No Access
GroupA = UserX & UserY
Document1 = everyone can read
Document2 = readable by GroupA
etc?
Similar to the windows filesystem permission system.
I'm just not sure the best way to keep track of document permissions - do I
make a field Permissions and store all the various permissions in that? Is
there another way?
Any Insights anyone has would be great,
Thanks
~Prescott
RE: [Lucene.Net] Document Search with Permissions
Posted by "Granroth, Neal V." <ne...@thermofisher.com>.
Is it required that all documents reside in a single index regardless of a document's Windows DACL?
If not, then another possible scheme would be to create multiple indexes stored in different folders. Apply the need user permissions to each folder. When searching, your code would select for search only those indexes contained in folders that the current user can access.
It is somewhat convoluted, but it let's Windows do nearly all of the work of controlling user access; and the administrator can use standard Windows tools to manage access control.
- Neal
-----Original Message-----
From: Prescott Nasser [mailto:geobmx540@hotmail.com]
Sent: Tuesday, May 17, 2011 9:32 PM
To: lucene-net-user@lucene.apache.org
Subject: [Lucene.Net] Document Search with Permissions
Does anyone have experience building a document database that requires various user permission levels?
UserX can Edit/Delete, Read
UserY can Read
UserZ No Access
GroupA = UserX & UserY
Document1 = everyone can read
Document2 = readable by GroupA
etc?
Similar to the windows filesystem permission system.
I'm just not sure the best way to keep track of document permissions - do I make a field Permissions and store all the various permissions in that? Is there another way?
Any Insights anyone has would be great,
Thanks
~Prescott