You are viewing a plain text version of this content. The canonical link for it is here.

Posted to solr-user@lucene.apache.org by "Ellis, Tom (Financial Markets IT)" <To...@LloydsBanking.com.INVALID> on 2016/07/01 10:48:02 UTC

Matching all terms in a multiValued field

Hi There,

I'm trying to create search component for some document level security. A user will have a number of tags assigned to them, and these will be passed to the search component which will add a filter to whatever the user's original query was. Documents will be written with some or all of the users tags, and the query must only return documents that have a set of tags that are included in the users tags.

E.g. Alice is authorised to see 'confidential' and 'paid_source'

Bob is only authorised to see 'confidential'

Document 1 has tags confidential and paid_source - Alice should be able to see this document, but Bob should not.

So if I am creating a query for Bob, how can I write it so that he can't see Document 1? I.e. how do I create a query that checks the multiValued field for 'confidential' but excludes documents that have anything else?

Cheers,

Tom Ellis
Consultant Developer - Excelian
Data Lake | Financial Markets IT
LLOYDS BANK COMMERCIAL BANKING
________________________________

E: Tom.Ellis@LloydsBanking.com<ma...@LloydsBanking.com>
Website: www.lloydsbankcommercial.com<http://www.lloydsbankcommercial.com/>
, , ,
Reduce printing. Lloyds Banking Group is helping to build the low carbon economy.
Corporate Responsibility Report: www.lloydsbankinggroup-cr.com/downloads<http://www.lloydsbankinggroup-cr.com/downloads>

Lloyds Banking Group plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC95000. Telephone: 0131 225 4555. Lloyds Bank plc. Registered Office: 25 Gresham Street, London EC2V 7HN. Registered in England and Wales no. 2065. Telephone 0207626 1500. Bank of Scotland plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC327000. Telephone: 03457 801 801. Cheltenham & Gloucester plc. Registered Office: Barnett Way, Gloucester GL4 3RL. Registered in England and Wales 2299428. Telephone: 0345 603 1637

Lloyds Bank plc, Bank of Scotland plc are authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and Prudential Regulation Authority.

Cheltenham & Gloucester plc is authorised and regulated by the Financial Conduct Authority.

Halifax is a division of Bank of Scotland plc. Cheltenham & Gloucester Savings is a division of Lloyds Bank plc.

HBOS plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC218813.

This e-mail (including any attachments) is private and confidential and may contain privileged material. If you have received this e-mail in error, please notify the sender and delete it (including any attachments) immediately. You must not copy, distribute, disclose or use any of the information in it or any attachments. Telephone calls may be monitored or recorded.

Re: Matching all terms in a multiValued field

Posted by Erick Erickson <er...@gmail.com>.

If the permissions are hierarchical, i.e. anyone who can see
paid_source and see confidential you could just index the
minimum-required clearance with the doc (think numeric codes here) and
form your fq as auth:[max_level_for_user TO *]. I admit I've rarely
seen security models that are that simple.

You can form a rather complex fq clause like
fq=auth:(confidential NOT (paid_source OR other_levels_bob_can't_see)]

On the plus side, that fq clause can be cached in the filterCache and re-used.
Hint: If you do this, be absolutely sure you form the filter clause exactly the
same way each time to insure it is re-used. I.e. even though this
is logically equivalent it wouldn't re-use the filterCache entry

fq=auth:(confidential NOT (other_levels_bob_can't_see OR paid_source)]

You could also write a "post filter", they were originally written
exactly to handle
ACLs, see: http://yonik.com/advanced-filter-caching-in-solr/
and
https://lucidworks.com/blog/2012/02/22/custom-security-filtering-in-solr/

Best,
Erick

On Fri, Jul 1, 2016 at 3:48 AM, Ellis, Tom (Financial Markets IT)
<To...@lloydsbanking.com.invalid> wrote:
> Hi There,
>
> I'm trying to create search component for some document level security. A user will have a number of tags assigned to them, and these will be passed to the search component which will add a filter to whatever the user's original query was. Documents will be written with some or all of the users tags, and the query must only return documents that have a set of tags that are included in the users tags.
>
> E.g. Alice is authorised to see 'confidential' and 'paid_source'
>
> Bob is only authorised to see 'confidential'
>
> Document 1 has tags confidential and paid_source - Alice should be able to see this document, but Bob should not.
>
> So if I am creating a query for Bob, how can I write it so that he can't see Document 1? I.e. how do I create a query that checks the multiValued field for 'confidential' but excludes documents that have anything else?
>
> Cheers,
>
> Tom Ellis
> Consultant Developer - Excelian
> Data Lake | Financial Markets IT
> LLOYDS BANK COMMERCIAL BANKING
> ________________________________
>
> E: Tom.Ellis@LloydsBanking.com<ma...@LloydsBanking.com>
> Website: www.lloydsbankcommercial.com<http://www.lloydsbankcommercial.com/>
> , , ,
> Reduce printing. Lloyds Banking Group is helping to build the low carbon economy.
> Corporate Responsibility Report: www.lloydsbankinggroup-cr.com/downloads<http://www.lloydsbankinggroup-cr.com/downloads>
>
>
>
> Lloyds Banking Group plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC95000. Telephone: 0131 225 4555. Lloyds Bank plc. Registered Office: 25 Gresham Street, London EC2V 7HN. Registered in England and Wales no. 2065. Telephone 0207626 1500. Bank of Scotland plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC327000. Telephone: 03457 801 801. Cheltenham & Gloucester plc. Registered Office: Barnett Way, Gloucester GL4 3RL. Registered in England and Wales 2299428. Telephone: 0345 603 1637
>
> Lloyds Bank plc, Bank of Scotland plc are authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and Prudential Regulation Authority.
>
> Cheltenham & Gloucester plc is authorised and regulated by the Financial Conduct Authority.
>
> Halifax is a division of Bank of Scotland plc. Cheltenham & Gloucester Savings is a division of Lloyds Bank plc.
>
> HBOS plc. Registered Office: The Mound, Edinburgh EH1 1YZ. Registered in Scotland no. SC218813.
>
> This e-mail (including any attachments) is private and confidential and may contain privileged material. If you have received this e-mail in error, please notify the sender and delete it (including any attachments) immediately. You must not copy, distribute, disclose or use any of the information in it or any attachments. Telephone calls may be monitored or recorded.