[ 
https://issues.apache.org/jira/browse/SOLR-1895?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13112438#comment-13112438
 ] 

Karl Wright edited comment on SOLR-1895 at 9/22/11 9:23 AM:
------------------------------------------------------------

Here's the diff, which looks perfectly fine to me.  If anybody knows why this 
shouldn't work, please let me know.  The first incarnation of the security 
filter used queries, and that was fine, but that was a year ago now.

{code}
Index: src/java/org/apache/solr/mcf/ManifoldCFSecurityFilter.java
===================================================================
--- src/java/org/apache/solr/mcf/ManifoldCFSecurityFilter.java  (revision 
1173895)
+++ src/java/org/apache/solr/mcf/ManifoldCFSecurityFilter.java  (working copy)
@@ -150,7 +150,8 @@
       userAccessTokens = getAccessTokens(authenticatedUserName);
     }
 
-    BooleanFilter bf = new BooleanFilter();
+    BooleanQuery bq = new BooleanQuery();
+    //bf.setMaxClauseCount(100000);
     
     if (userAccessTokens.size() == 0)
     {
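Review bot: The added line `//bf.setMaxClauseCount(100000);` is commented-out code that names `bf`, a variable this change removes, so it cannot be re-enabled as written. In an access-control filter it leaves readers guessing whether a clause limit is meant to apply at this level. Delete the line, or replace it with a comment that states the intended limit and why. The enclosing method starts and ends outside this hunk.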
@@ -159,28 +160,26 @@
       // (fieldAllowShare is empty AND fieldDenyShare is empty AND 
fieldAllowDocument is empty AND fieldDenyDocument is empty)
       // We're trying to map to:  -(fieldAllowShare:*) , which should be 
pretty efficient in Solr because it is negated.  If this turns out not to be 
so, then we should
       // have the SolrConnector inject a special token into these fields when 
they otherwise would be empty, and we can trivially match on that token.
-      bf.add(new FilterClause(new QueryWrapperFilter(new WildcardQuery(new 
Term(fieldAllowShare,"*"))),BooleanClause.Occur.MUST_NOT));
-      bf.add(new FilterClause(new QueryWrapperFilter(new WildcardQuery(new 
Term(fieldDenyShare,"*"))),BooleanClause.Occur.MUST_NOT));
-      bf.add(new FilterClause(new QueryWrapperFilter(new WildcardQuery(new 
Term(fieldAllowDocument,"*"))),BooleanClause.Occur.MUST_NOT));
-      bf.add(new FilterClause(new QueryWrapperFilter(new WildcardQuery(new 
Term(fieldDenyDocument,"*"))),BooleanClause.Occur.MUST_NOT));
+      bq.add(new WildcardQuery(new 
Term(fieldAllowShare,"*")),BooleanClause.Occur.MUST_NOT);
+      bq.add(new WildcardQuery(new 
Term(fieldDenyShare,"*")),BooleanClause.Occur.MUST_NOT);
+      bq.add(new WildcardQuery(new 
Term(fieldAllowDocument,"*")),BooleanClause.Occur.MUST_NOT);
+      bq.add(new WildcardQuery(new 
Term(fieldDenyDocument,"*")),BooleanClause.Occur.MUST_NOT);
     }
     else
     {
       // Extend the query appropriately for each user access token.
-      bf.add(new 
FilterClause(calculateCompleteSubfilter(fieldAllowShare,fieldDenyShare,userAccessTokens),BooleanClause.Occur.MUST));
-      bf.add(new 
FilterClause(calculateCompleteSubfilter(fieldAllowDocument,fieldDenyDocument,userAccessTokens),BooleanClause.Occur.MUST));
+      
bq.add(calculateCompleteSubquery(fieldAllowShare,fieldDenyShare,userAccessTokens),BooleanClause.Occur.MUST);
+      
bq.add(calculateCompleteSubquery(fieldAllowDocument,fieldDenyDocument,userAccessTokens),BooleanClause.Occur.MUST);
     }
 
     // Concatenate with the user's original query.
-    //FilteredQuery query = new FilteredQuery(rb.getQuery(),bf);
-    //rb.setQuery(query);
     List<Query> list = rb.getFilters();
     if (list == null)
     {
       list = new ArrayList<Query>();
       rb.setFilters(list);
     }
-    list.add(new ConstantScoreQuery(bf));
+    list.add(new ConstantScoreQuery(bq));
   }
 
   @Override
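Review bot: In the empty-token branch `bq` now holds only `MUST_NOT` clauses, and a Lucene `BooleanQuery` with no positive clause matches no documents, whereas the `BooleanFilter` it replaces appears to have handled the all-negative case. Because the query is wrapped in `ConstantScoreQuery` and added to the filter list, Solr's top-level handling of pure-negative queries probably does not apply, so a user with no access tokens would likely get no results at all, unprotected documents included. That fails closed, but it is not the rule the comment describes. Adding `bq.add(new MatchAllDocsQuery(),BooleanClause.Occur.MUST);` before the four `MUST_NOT` clauses would restore it. The same applies to `subUnprotectedClause` in `calculateCompleteSubquery` in the next hunk; the method edited here starts outside the hunk.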
@@ -193,28 +192,27 @@
   * ((fieldAllowShare is empty AND fieldDenyShare is empty) OR fieldAllowShare 
HAS token1 OR fieldAllowShare HAS token2 ...)
   *     AND fieldDenyShare DOESN'T_HAVE token1 AND fieldDenyShare DOESN'T_HAVE 
token2 ...
   */
-  protected Filter calculateCompleteSubfilter(String allowField, String 
denyField, List<String> userAccessTokens)
+  protected Query calculateCompleteSubquery(String allowField, String 
denyField, List<String> userAccessTokens)
   {
-    BooleanFilter bf = new BooleanFilter();
+    BooleanQuery bq = new BooleanQuery();
+    bq.setMaxClauseCount(1000000);
     
     // Add a clause for each token.  This will be added directly to the main 
filter (as a deny test), as well as to an OR's subclause (as an allow test).
-    BooleanFilter orFilter = new BooleanFilter();
+    BooleanQuery orQuery = new BooleanQuery();
+    orQuery.setMaxClauseCount(1000000);
+
     // Add the empty-acl case
-    BooleanFilter subUnprotectedClause = new BooleanFilter();
-    subUnprotectedClause.add(new FilterClause(new QueryWrapperFilter(new 
WildcardQuery(new Term(allowField,"*"))),BooleanClause.Occur.MUST_NOT));
-    subUnprotectedClause.add(new FilterClause(new QueryWrapperFilter(new 
WildcardQuery(new Term(denyField,"*"))),BooleanClause.Occur.MUST_NOT));
-    orFilter.add(new 
FilterClause(subUnprotectedClause,BooleanClause.Occur.SHOULD));
+    BooleanQuery subUnprotectedClause = new BooleanQuery();
+    subUnprotectedClause.add(new WildcardQuery(new 
Term(allowField,"*")),BooleanClause.Occur.MUST_NOT);
+    subUnprotectedClause.add(new WildcardQuery(new 
Term(denyField,"*")),BooleanClause.Occur.MUST_NOT);
+    orQuery.add(subUnprotectedClause,BooleanClause.Occur.SHOULD);
     for (String accessToken : userAccessTokens)
     {
-      TermsFilter tf = new TermsFilter();
-      tf.addTerm(new Term(allowField,accessToken));
-      orFilter.add(new FilterClause(tf,BooleanClause.Occur.SHOULD));
-      tf = new TermsFilter();
-      tf.addTerm(new Term(denyField,accessToken));
-      bf.add(new FilterClause(tf,BooleanClause.Occur.MUST_NOT));
+      orQuery.add(new TermQuery(new 
Term(allowField,accessToken)),BooleanClause.Occur.SHOULD);
+      bq.add(new TermQuery(new 
Term(denyField,accessToken)),BooleanClause.Occur.MUST_NOT);
     }
-    bf.add(new FilterClause(orFilter,BooleanClause.Occur.MUST));
-    return bf;
+    bq.add(orQuery,BooleanClause.Occur.MUST);
+    return bq;
   }
   
   
//---------------------------------------------------------------------------------
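Review bot: `bq.setMaxClauseCount(1000000)` and `orQuery.setMaxClauseCount(1000000)` read as per-query settings, but `BooleanQuery.setMaxClauseCount` is static in Lucene, so each call raises the clause limit for every `BooleanQuery` in the JVM. That limit is what bounds the expansion of user-supplied wildcard and range queries, so lifting it to one million as a side effect of every filtered search exposes the whole Solr instance to memory and CPU exhaustion. Remove both calls and leave the limit to `maxBooleanClauses` in solrconfig.xml, and document how many clauses the filter needs per access token (two per call to this method, one allow and one deny). If a user's token list can still exceed the configured limit, the resulting `BooleanQuery.TooManyClauses` should cause the request to be rejected rather than the filter to be skipped.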
{code}


      was (Author: kwri...@metacarta.com):
    Here's the diff, which looks perfectly fine to me.  If anybody knows why 
this shouldn't work, please let me know.  The first incarnation of the security 
filter used queries, and that was fine, but that was a year ago now.

Index: src/java/org/apache/solr/mcf/ManifoldCFSecurityFilter.java
===================================================================
--- src/java/org/apache/solr/mcf/ManifoldCFSecurityFilter.java  (revision 
1173895)
+++ src/java/org/apache/solr/mcf/ManifoldCFSecurityFilter.java  (working copy)
@@ -150,7 +150,8 @@
       userAccessTokens = getAccessTokens(authenticatedUserName);
     }
 
-    BooleanFilter bf = new BooleanFilter();
+    BooleanQuery bq = new BooleanQuery();
+    //bf.setMaxClauseCount(100000);
     
     if (userAccessTokens.size() == 0)
     {
@@ -159,28 +160,26 @@
       // (fieldAllowShare is empty AND fieldDenyShare is empty AND 
fieldAllowDocument is empty AND fieldDenyDocument is empty)
       // We're trying to map to:  -(fieldAllowShare:*) , which should be 
pretty efficient in Solr because it is negated.  If this turns out not to be 
so, then we should
       // have the SolrConnector inject a special token into these fields when 
they otherwise would be empty, and we can trivially match on that token.
-      bf.add(new FilterClause(new QueryWrapperFilter(new WildcardQuery(new 
Term(fieldAllowShare,"*"))),BooleanClause.Occur.MUST_NOT));
-      bf.add(new FilterClause(new QueryWrapperFilter(new WildcardQuery(new 
Term(fieldDenyShare,"*"))),BooleanClause.Occur.MUST_NOT));
-      bf.add(new FilterClause(new QueryWrapperFilter(new WildcardQuery(new 
Term(fieldAllowDocument,"*"))),BooleanClause.Occur.MUST_NOT));
-      bf.add(new FilterClause(new QueryWrapperFilter(new WildcardQuery(new 
Term(fieldDenyDocument,"*"))),BooleanClause.Occur.MUST_NOT));
+      bq.add(new WildcardQuery(new 
Term(fieldAllowShare,"*")),BooleanClause.Occur.MUST_NOT);
+      bq.add(new WildcardQuery(new 
Term(fieldDenyShare,"*")),BooleanClause.Occur.MUST_NOT);
+      bq.add(new WildcardQuery(new 
Term(fieldAllowDocument,"*")),BooleanClause.Occur.MUST_NOT);
+      bq.add(new WildcardQuery(new 
Term(fieldDenyDocument,"*")),BooleanClause.Occur.MUST_NOT);
     }
     else
     {
       // Extend the query appropriately for each user access token.
-      bf.add(new 
FilterClause(calculateCompleteSubfilter(fieldAllowShare,fieldDenyShare,userAccessTokens),BooleanClause.Occur.MUST));
-      bf.add(new 
FilterClause(calculateCompleteSubfilter(fieldAllowDocument,fieldDenyDocument,userAccessTokens),BooleanClause.Occur.MUST));
+      
bq.add(calculateCompleteSubquery(fieldAllowShare,fieldDenyShare,userAccessTokens),BooleanClause.Occur.MUST);
+      
bq.add(calculateCompleteSubquery(fieldAllowDocument,fieldDenyDocument,userAccessTokens),BooleanClause.Occur.MUST);
     }
 
     // Concatenate with the user's original query.
-    //FilteredQuery query = new FilteredQuery(rb.getQuery(),bf);
-    //rb.setQuery(query);
     List<Query> list = rb.getFilters();
     if (list == null)
     {
       list = new ArrayList<Query>();
       rb.setFilters(list);
     }
-    list.add(new ConstantScoreQuery(bf));
+    list.add(new ConstantScoreQuery(bq));
   }
 
   @Override
@@ -193,28 +192,27 @@
   * ((fieldAllowShare is empty AND fieldDenyShare is empty) OR fieldAllowShare 
HAS token1 OR fieldAllowShare HAS token2 ...)
   *     AND fieldDenyShare DOESN'T_HAVE token1 AND fieldDenyShare DOESN'T_HAVE 
token2 ...
   */
-  protected Filter calculateCompleteSubfilter(String allowField, String 
denyField, List<String> userAccessTokens)
+  protected Query calculateCompleteSubquery(String allowField, String 
denyField, List<String> userAccessTokens)
   {
-    BooleanFilter bf = new BooleanFilter();
+    BooleanQuery bq = new BooleanQuery();
+    bq.setMaxClauseCount(1000000);
     
     // Add a clause for each token.  This will be added directly to the main 
filter (as a deny test), as well as to an OR's subclause (as an allow test).
-    BooleanFilter orFilter = new BooleanFilter();
+    BooleanQuery orQuery = new BooleanQuery();
+    orQuery.setMaxClauseCount(1000000);
+
     // Add the empty-acl case
-    BooleanFilter subUnprotectedClause = new BooleanFilter();
-    subUnprotectedClause.add(new FilterClause(new QueryWrapperFilter(new 
WildcardQuery(new Term(allowField,"*"))),BooleanClause.Occur.MUST_NOT));
-    subUnprotectedClause.add(new FilterClause(new QueryWrapperFilter(new 
WildcardQuery(new Term(denyField,"*"))),BooleanClause.Occur.MUST_NOT));
-    orFilter.add(new 
FilterClause(subUnprotectedClause,BooleanClause.Occur.SHOULD));
+    BooleanQuery subUnprotectedClause = new BooleanQuery();
+    subUnprotectedClause.add(new WildcardQuery(new 
Term(allowField,"*")),BooleanClause.Occur.MUST_NOT);
+    subUnprotectedClause.add(new WildcardQuery(new 
Term(denyField,"*")),BooleanClause.Occur.MUST_NOT);
+    orQuery.add(subUnprotectedClause,BooleanClause.Occur.SHOULD);
     for (String accessToken : userAccessTokens)
     {
-      TermsFilter tf = new TermsFilter();
-      tf.addTerm(new Term(allowField,accessToken));
-      orFilter.add(new FilterClause(tf,BooleanClause.Occur.SHOULD));
-      tf = new TermsFilter();
-      tf.addTerm(new Term(denyField,accessToken));
-      bf.add(new FilterClause(tf,BooleanClause.Occur.MUST_NOT));
+      orQuery.add(new TermQuery(new 
Term(allowField,accessToken)),BooleanClause.Occur.SHOULD);
+      bq.add(new TermQuery(new 
Term(denyField,accessToken)),BooleanClause.Occur.MUST_NOT);
     }
-    bf.add(new FilterClause(orFilter,BooleanClause.Occur.MUST));
-    return bf;
+    bq.add(orQuery,BooleanClause.Occur.MUST);
+    return bq;
   }
   
   
//---------------------------------------------------------------------------------

  
> ManifoldCF SearchComponent plugin for enforcing ManifoldCF security at search 
> time
> ----------------------------------------------------------------------------------
>
>                 Key: SOLR-1895
>                 URL: https://issues.apache.org/jira/browse/SOLR-1895
>             Project: Solr
>          Issue Type: New Feature
>          Components: SearchComponents - other
>            Reporter: Karl Wright
>              Labels: document, security, solr
>             Fix For: 3.5, 4.0
>
>         Attachments: LCFSecurityFilter.java, LCFSecurityFilter.java, 
> LCFSecurityFilter.java, LCFSecurityFilter.java, 
> SOLR-1895-service-plugin.patch, SOLR-1895-service-plugin.patch, 
> SOLR-1895.patch, SOLR-1895.patch, SOLR-1895.patch, SOLR-1895.patch, 
> SOLR-1895.patch, SOLR-1895.patch
>
>
> I've written an LCF SearchComponent which filters returned results based on 
> access tokens provided by LCF's authority service.  The component requires 
> you to configure the appropriate authority service URL base, e.g.:
>   <!-- LCF document security enforcement component -->
>   <searchComponent name="lcfSecurity" class="LCFSecurityFilter">
>     <str 
> name="AuthorityServiceBaseURL">http://localhost:8080/lcf-authority-service</str>
>   </searchComponent>
> Also required are the following schema.xml additions:
>    <!-- Security fields -->
>    <field name="allow_token_document" type="string" indexed="true" 
> stored="false" multiValued="true"/>
>    <field name="deny_token_document" type="string" indexed="true" 
> stored="false" multiValued="true"/>
>    <field name="allow_token_share" type="string" indexed="true" 
> stored="false" multiValued="true"/>
>    <field name="deny_token_share" type="string" indexed="true" stored="false" 
> multiValued="true"/>
> Finally, to tie it into the standard request handler, it seems to need to run 
> last:
>   <requestHandler name="standard" class="solr.SearchHandler" default="true">
>     <arr name="last-components">
>       <str>lcfSecurity</str>
>     </arr>
> ...
> I have not set a package for this code.  Nor have I been able to get it 
> reviewed by someone as conversant with Solr as I would prefer.  It is my 
> hope, however, that this module will become part of the standard Solr 1.5 
> suite of search components, since that would tie it in with LCF nicely.
