Posted to solr-user@lucene.apache.org by Dennis Gearon <ge...@sbcglobal.net> on 2011/01/19 08:15:36 UTC

unix permission styles for access control

I was wondering if there are binary operation filters? Haven't seen any in the 
book nor was able to find any using google.

So if I had 0600(octal) in a permission field, and I wanted to return any 
records that 'permission & 0400(octal)==TRUE', how would I filter that?

 Dennis Gearon


Signature Warning
----------------
It is always a good idea to learn from your own mistakes. It is usually a better 
idea to learn from others’ mistakes, so you do not have to make them yourself. 
from 'http://blogs.techrepublic.com.com/security/?p=4501&tag=nl.e036'


EARTH has a Right To Life,
otherwise we all die.


Re: unix permission styles for access control

Posted by Jonathan Rochkind <ro...@jhu.edu>.
Yep, that's what I'm suggesting as one possible approach to consider, 
whether it will work or not depends on your specifics.

Character length in a token doesn't really matter for solr performance.  
It might be less confusing  to actually put "read update delete own" (or 
whatever 'o' stands for) in a field, such that it will be tokenized so 
each of those words is a separate token.  (Make sure you aren't stemming 
or using synonyms, heh!).

Or instead of separating a single string into tokens, use a multi-valued 
String field, and put "read", "delete", etc in as separate values. That 
is actually more straightforward and less confusing than tokenizing.

Then you can just search for fq=permissions:read or whatever.

Again, whether this will actually work for you depends on exactly what 
your requirements are, but it's something to consider, before 
resorting to weird patches.  It will work in any Solr version.

The first approach to solving a problem in Solr should be trying to 
think "Can I solve this by setting up my index in such a way that I can 
ask the questions I want simply by asking if a certain token is in a 
certain field?"  Because that's what Solr does, basically, tell you if 
certain tokens are in certain fields. If you can reduce the problem to 
that, Solr will handle it easily, simply, and efficiently.  Otherwise, 
you might need weird patches. :)

On 1/19/2011 12:45 PM, Dennis Gearon wrote:
> So, if I used something like r-u-d-o in a field (read,update,delete,others) I
> could get it tokenized to those four characters, and then search for those in
> that field. Is that what you're suggesting, (thanks by the way).
>
> An article I read created a 'hybrid' access control system (can't remember if it
> was ACL or RBAC). It used a primary system like Unix file system 9bit permission
> for the primary permissions normally needed on most objects of any kind, and
> then flagged if there were any other permissions and any other groups. It was
> very fast for the primary permissions, and fast for the secondary.
Re: unix permission styles for access control

Posted by Dennis Gearon <ge...@sbcglobal.net>.
So, if I used something like r-u-d-o in a field (read,update,delete,others) I 
could get it tokenized to those four characters, and then search for those in 
that field. Is that what you're suggesting, (thanks by the way).

An article I read created a 'hybrid' access control system (can't remember if it 
was ACL or RBAC). It used a primary system like Unix file system 9bit permission 
for the primary permissions normally needed on most objects of any kind, and 
then flagged if there were any other permissions and any other groups. It was 
very fast for the primary permissions, and fast for the secondary. 


 Dennis Gearon




Re: unix permission styles for access control

Posted by Jonathan Rochkind <ro...@jhu.edu>.
No. There is no built in way to address 'bits' in Solr that I am aware 
of.  Instead you can think about how to transform your data at indexing 
into individual tokens (rather than bits) in one or more field, such 
that they are capable of answering your query.  Solr works in tokens as 
the basic unit of operation (mostly, basically), not characters or bytes 
or bits.

On 1/19/2011 9:48 AM, Dennis Gearon wrote:
> Sorry for repeat, trying to make sure this gets on the newsgroup to 'all'.
>
> So 'fieldName.x' is how to address bits?

Re: unix permission styles for access control

Posted by Dennis Gearon <ge...@sbcglobal.net>.
Sorry for repeat, trying to make sure this gets on the newsgroup to 'all'.

So 'fieldName.x' is how to address bits?


 Dennis Gearon



Re: unix permission styles for access control

Posted by Dennis Gearon <ge...@sbcglobal.net>.
Did some more searching this morning. Perhaps being bleary eyed helped :-) I 
found this JIRA which does bitwise boolean operator filtering:

     https://issues.apache.org/jira/browse/SOLR-1913

I'm not that sure how to interpret JIRA pages for features. It's 'OPEN', but the 
comments all say it works.

So, what's the syntax for combining filters in queries? I am currently using 
the spatial filter. How would I write a query that combines:

    http://localhost:8983/path/to/solr/select/?q={!bitwise field=fieldname op=OPERATION_NAME source=sourcevalue negate=boolean}remainder

    {!spatial lat=37.393026 long=-121.998304 radius=10 unit=km threadCount=3} ts_begin:[1 TO 2145916800] AND text:"find_this"

 Dennis Gearon



Re: unix permission styles for access control

Posted by Dennis Gearon <ge...@sbcglobal.net>.
so fieldName.x is how to address bits?

 Dennis Gearon



Re: unix permission styles for access control

Posted by Toke Eskildsen <te...@statsbiblioteket.dk>.
On Wed, 2011-01-19 at 08:15 +0100, Dennis Gearon wrote:
> I was wondering if there are binary operation filters? Haven't seen any in the 
> book nor was able to find any using google.
> 
> So if I had 0600(octal) in a permission field, and I wanted to return any 
> records that 'permission & 0400(octal)==TRUE', how would I filter that?

Don't you mean permission & 0400(octal) == 0400? Anyway, the
functionality can be accomplished by extending your index a bit.


You could split the permission into user, group and all parts, then use
an expanded query.

If the permission is 0755 it will be indexed as
user_p:7 group_p:5 all_p:5

If you're searching for something with at least 0650 your query should
be expanded to 
(user_p:7 OR user_p:6) AND (group_p:7 OR group_p:5)


Alternatively you could represent the bits explicitly in the index:
user_p:1 user_p:2 user_p:4 group_p:1 group_p:4 all_p:1 all_p:5

Then a search for 0650 would query with
user_p:2 AND user_p:4 AND group_p:1 AND group_p:4


Finally you could represent all valid permission values, still split
into parts with
user_p:1 user_p:2 user_p:3 user_p:4 user_p:5 user_p:6 user_p:7
group_p:1 group_p:2 group_p:3 group_p:4 group_p:5
all_p:1 all_p:2 all_p:3 all_p:4 all_p:5

The query would be simply
user_p:6 AND group_p:5
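
Added example (not part of the original thread and not Solr code): a Python sketch of the three index layouts described above, using the thread's user_p/group_p/all_p field names, with every layout checked against the bitwise test permission & mask == mask; the per-bit layout is the same idea as one token per permission in a multi-valued field. The function names are assumptions made for illustration, and the third layout indexes the bit-subsets of each digit (1, 4 and 5 for a digit of 5), which is what the mask test requires.

```python
CLASSES = ("user_p", "group_p", "all_p")  # field names used in the thread

def digits(mode):
    """Split a 9-bit mode such as 0o755 into its (user, group, all) octal digits."""
    return ((mode >> 6) & 7, (mode >> 3) & 7, mode & 7)

# Each index_* returns the tokens stored for one document; each query_* returns
# an AND-list of OR-groups of tokens that a matching document must contain.
def index_digit(mode):      # layout 1: one token per class, holding the digit
    return {f"{f}:{d}" for f, d in zip(CLASSES, digits(mode))}

def query_digit(mask):      # OR together every digit that contains the mask bits
    return [{f"{f}:{d}" for d in range(8) if d & m == m}
            for f, m in zip(CLASSES, digits(mask)) if m]

def index_bits(mode):       # layout 2: one token per set bit (1, 2, 4)
    return {f"{f}:{b}" for f, d in zip(CLASSES, digits(mode))
            for b in (1, 2, 4) if d & b}

def query_bits(mask):       # require every bit of the mask
    return [{f"{f}:{b}"} for f, m in zip(CLASSES, digits(mask))
            for b in (1, 2, 4) if m & b]

def index_subsets(mode):    # layout 3: every non-zero bit-subset of each digit
    return {f"{f}:{s}" for f, d in zip(CLASSES, digits(mode))
            for s in range(1, 8) if s & d == s}

def query_subsets(mask):    # a single token per class is enough
    return [{f"{f}:{m}"} for f, m in zip(CLASSES, digits(mask)) if m]

SCHEMES = {"digit": (index_digit, query_digit),
           "bits": (index_bits, query_bits),
           "subsets": (index_subsets, query_subsets)}

def matches(tokens, clauses):
    """True if the document's token set satisfies every OR-group."""
    return all(tokens & group for group in clauses)

def to_solr(clauses):
    """Render the clauses as a Solr query string; an empty mask matches all docs."""
    parts = []
    for group in clauses:
        terms = sorted(group)
        parts.append(terms[0] if len(terms) == 1 else "(" + " OR ".join(terms) + ")")
    return " AND ".join(parts) or "*:*"

def mismatches():
    """Count (mode, mask) pairs where a layout disagrees with mode & mask == mask."""
    bad = 0
    for index, query in SCHEMES.values():
        docs = [index(mode) for mode in range(0o1000)]
        for mask in range(0o1000):
            q = query(mask)
            bad += sum(matches(docs[mode], q) != (mode & mask == mask)
                       for mode in range(0o1000))
    return bad

if __name__ == "__main__":
    for name, (index, query) in SCHEMES.items():
        print(name, sorted(index(0o755)), "|", to_solr(query(0o650)))
    print("mismatches against the bitwise test:", mismatches())
```

When the result is used for access control, the mask should come from the authenticated session on the server and be sent as a filter query (fq), not accepted from the client.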