The best practice would be to implement an application layer API that enforces security and prevents application clients from directly accessing Solr.
LucidWorks Fusion (or their earlier LucidWorks Enterprise product) supports access control via search filters, including LDAP integration: https://docs.lucidworks.com/display/help/Search+Filters+for+Access+Control -- Jack Krupansky On Thu, Nov 5, 2015 at 2:26 PM, Susheel Kumar <susheel2...@gmail.com> wrote: > Hi, > > I have seen couple of use cases / need where we want to restrict result of > search based on role of a user. For e.g. > > - if user role is admin, any document from the search result will be > returned > - if user role is manager, only documents intended for managers will be > returned > - if user role is worker, only documents intended for workers will be > returned > > Typical practise is to tag the documents with the roles (using a > multi-valued field) during indexing and then during search append filter > query to restrict result based on roles. > > Wondering if there is any other better way out there and if this common > requirement should be added as a Solr feature/plugin. > > The current security plugins are more towards making Solr apis/resources > secure not towards securing/controlling data during search. > https://cwiki.apache.org/confluence/display/solr/Authentication+and+Authorization+Plugins > > > Please share your thoughts. > > Thanks, > Susheel > > >
