[Google Drive - Dropbox] Permission indexing

[Alessandro Benedetti <ab...@apache.org>]

Hi guys!
Testing Google Drive and Dropbox connector I verified that the Indexing of
the permission is quite simple.
To refresh that part we can add one or more tokens to a specific job and
then all the documents belonging to that job will have that token indexed
in the allow_document_token .

In a real scenario this is quite un-realistic.
The simplest way could be to index in the allow_document_token the list of
accounts that the document is shared with.
Of course storing the uncrypted plain version of the account mail can be
dangerous ( as simply someone could impersonate other people directly
accessing solr) .

So an authority connector is necessary as well .

Any though about this ? Was it in plan ? Any reason behind the current
simple approach ?
The same is valid for the dropbox connector and the web crawler one (
permissions per area of a web site is possible through a workaround but not
using only one single job).

Cheers

Re: [Google Drive - Dropbox] Permission indexing

[Alessandro Benedetti <be...@gmail.com>]

Ok Karl,
I will keep you updated on this and as soon as I can dedicate some time, I
am going to open the tickets and discuss this with you !

Cheers

2015-02-20 18:40 GMT+00:00 Karl Wright <da...@gmail.com>:

> Hi Alessandro,
>
> The current connectors were contributions.  No integration with the
> underlying security model was attempted by the contributors, near as I can
> tell.  Forced security tokens (which are per-job) are present in most of
> our connectors, even when there's a real security model available for
> document security.  That's traditional, because we've found that setting up
> security in a demonstration situation often can be challenging.
>
> If you would like to provide authority connectors and authorization-based
> patches for DropBox and Google Drive, please create the appropriate
> tickets.  It would also be good to discuss your precise approach in the
> context of those tickets.  I'm specifically interested in how the
> authorities would work: how you would go from a user name to a list of user
> email accounts (if that's what your access token is going to be).
>
> Karl
>
>
>
> On Fri, Feb 20, 2015 at 12:25 PM, Alessandro Benedetti <
> abenedetti@apache.org> wrote:
>
> > Hi guys!
> > Testing Google Drive and Dropbox connector I verified that the Indexing
> of
> > the permission is quite simple.
> > To refresh that part we can add one or more tokens to a specific job and
> > then all the documents belonging to that job will have that token indexed
> > in the allow_document_token .
> >
> > In a real scenario this is quite un-realistic.
> > The simplest way could be to index in the allow_document_token the list
> of
> > accounts that the document is shared with.
> > Of course storing the uncrypted plain version of the account mail can be
> > dangerous ( as simply someone could impersonate other people directly
> > accessing solr) .
> >
> > So an authority connector is necessary as well .
> >
> > Any though about this ? Was it in plan ? Any reason behind the current
> > simple approach ?
> > The same is valid for the dropbox connector and the web crawler one (
> > permissions per area of a web site is possible through a workaround but
> not
> > using only one single job).
> >
> > Cheers
> >
>



-- 
--------------------------

Benedetti Alessandro
Visiting card : http://about.me/alessandro_benedetti

"Tyger, tyger burning bright
In the forests of the night,
What immortal hand or eye
Could frame thy fearful symmetry?"

William Blake - Songs of Experience -1794 England

Re: [Google Drive - Dropbox] Permission indexing

[Karl Wright <da...@gmail.com>]

Hi Alessandro,

The current connectors were contributions.  No integration with the
underlying security model was attempted by the contributors, near as I can
tell.  Forced security tokens (which are per-job) are present in most of
our connectors, even when there's a real security model available for
document security.  That's traditional, because we've found that setting up
security in a demonstration situation often can be challenging.

If you would like to provide authority connectors and authorization-based
patches for DropBox and Google Drive, please create the appropriate
tickets.  It would also be good to discuss your precise approach in the
context of those tickets.  I'm specifically interested in how the
authorities would work: how you would go from a user name to a list of user
email accounts (if that's what your access token is going to be).

Karl



On Fri, Feb 20, 2015 at 12:25 PM, Alessandro Benedetti <
abenedetti@apache.org> wrote:

> Hi guys!
> Testing Google Drive and Dropbox connector I verified that the Indexing of
> the permission is quite simple.
> To refresh that part we can add one or more tokens to a specific job and
> then all the documents belonging to that job will have that token indexed
> in the allow_document_token .
>
> In a real scenario this is quite un-realistic.
> The simplest way could be to index in the allow_document_token the list of
> accounts that the document is shared with.
> Of course storing the uncrypted plain version of the account mail can be
> dangerous ( as simply someone could impersonate other people directly
> accessing solr) .
>
> So an authority connector is necessary as well .
>
> Any though about this ? Was it in plan ? Any reason behind the current
> simple approach ?
> The same is valid for the dropbox connector and the web crawler one (
> permissions per area of a web site is possible through a workaround but not
> using only one single job).
>
> Cheers
>