Re: Field level security
Hi,

I don't understand all the details, but I'll inline a few comments.

----- Original Message -----
From: Geoff Hopson [EMAIL PROTECTED]
To: solr-user@lucene.apache.org
Sent: Thursday, September 18, 2008 1:44:33 AM
Subject: Field level security

> Hi,
>
> First post/question, so please be gentle :-)
>
> I am trying to put together a security model around fields in my index. My requirement is that a user may not have permission to view certain fields in the index when he does a search. For example, he may have permission to see the name and address, but not the occupation. Whereas a different user with different permissions will be able to search all 3 fields.

What exactly is restricted? Viewing of specific fields in results, or searching in specific fields? If it's the former, you could tell Solr which fields to return using %fl=field1,field2... If it's the latter, you could always write a custom SearchComponent that takes your custom userType or allowedFields parameter and constructs a query based on that.

> What is the best way to model this? My current stab at this has a document-level security level set (I have a field called security_default), and all fields have this default. If there are exceptions, I have a multiValued field called 'security_exceptions' where I comma delimit the field name and different access permission for that field. Eg I might have 'occupation=Restricted' in that field. This falls over when I copyField fields into a text field for easier searching.

Searching across multiple fields is pretty easy, too. I'd stick to that, as that also lets you assign different weight to different fields.

Otis

> Has anyone else attempted to do this and are willing to share their ideas?
>
> Thanks in advance,
> Geoff
Re: Field level security
Hi Otis,

Thanks for the response. I'll try and inline some clarity...

2008/9/18 Otis Gospodnetic [EMAIL PROTECTED]:
>> I am trying to put together a security model around fields in my index. My requirement is that a user may not have permission to view certain fields in the index when he does a search. For example, he may have permission to see the name and address, but not the occupation. Whereas a different user with different permissions will be able to search all 3 fields.
>
> What exactly is restricted? Viewing of specific fields in results, or searching in specific fields?

I am restricting the results - the user can search everything, but I was planning (as you mention) to apply a fieldList qualifier to the query. In my head (ie not tried it yet) I was hoping I could write a 'SecurityRequestHandler' that would take an incoming security 'token' and construct a %fl qualifier.

Some other thoughts in my head are around developing my own fieldType, where I could tokenise the value against the field (e.g. store <field name="occupation">candlestick maker=Restricted</field> or something similar). Thoughts on that?

> If it's the former, you could tell Solr which fields to return using %fl=field1,field2... If it's the latter, you could always write a custom SearchComponent that takes your custom userType or allowedFields parameter and constructs a query based on that.
>
>> What is the best way to model this? My current stab at this has a document-level security level set (I have a field called security_default), and all fields have this default. If there are exceptions, I have a multiValued field called 'security_exceptions' where I comma delimit the field name and different access permission for that field. Eg I might have 'occupation=Restricted' in that field. This falls over when I copyField fields into a text field for easier searching.
>
> Searching across multiple fields is pretty easy, too. I'd stick to that, as that also lets you assign different weight to different fields.

My requirement is to offer a google-type search, so the user can type in john smith ford green and get results where ford may be a last name or a car manufacturer, or green is the colour of the car, a last name or part of a town name. If I tokenised the field values as above and copyField-ed them into a single text box, would my tokeniser pick those out? Dunno - I guess I need to roll my sleeves up and do some coding, try some of this out.

Thanks again for any insights

Geoff
Re: Field level security
Hi,

If all you have to do is hide certain fields from search results for some users, then your application -- the application that sends search requests to Solr -- can just use different fl=XXX parameters based on user's permission. I think that's all you need and the custom fieldType should not be needed.

As for entering just the keywords and searching several fields automatically - this is what DisMax handler is good at, so give that a try.

Otis
--
Sematext -- http://sematext.com/ -- Lucene - Solr - Nutch

----- Original Message -----
From: Geoff Hopson [EMAIL PROTECTED]
To: solr-user@lucene.apache.org
Sent: Thursday, September 18, 2008 3:21:01 AM
Subject: Re: Field level security

> Hi Otis,
>
> Thanks for the response. I'll try and inline some clarity...
>
> 2008/9/18 Otis Gospodnetic :
>>> I am trying to put together a security model around fields in my index. My requirement is that a user may not have permission to view certain fields in the index when he does a search. For example, he may have permission to see the name and address, but not the occupation. Whereas a different user with different permissions will be able to search all 3 fields.
>>
>> What exactly is restricted? Viewing of specific fields in results, or searching in specific fields?
>
> I am restricting the results - the user can search everything, but I was planning (as you mention) to apply a fieldList qualifier to the query. In my head (ie not tried it yet) I was hoping I could write a 'SecurityRequestHandler' that would take an incoming security 'token' and construct a %fl qualifier.
>
> Some other thoughts in my head are around developing my own fieldType, where I could tokenise the value against the field (e.g. store <field name="occupation">candlestick maker=Restricted</field> or something similar). Thoughts on that?
>
>> If it's the former, you could tell Solr which fields to return using %fl=field1,field2... If it's the latter, you could always write a custom SearchComponent that takes your custom userType or allowedFields parameter and constructs a query based on that.
>>
>>> What is the best way to model this? My current stab at this has a document-level security level set (I have a field called security_default), and all fields have this default. If there are exceptions, I have a multiValued field called 'security_exceptions' where I comma delimit the field name and different access permission for that field. Eg I might have 'occupation=Restricted' in that field. This falls over when I copyField fields into a text field for easier searching.
>>
>> Searching across multiple fields is pretty easy, too. I'd stick to that, as that also lets you assign different weight to different fields.
>
> My requirement is to offer a google-type search, so the user can type in john smith ford green and get results where ford may be a last name or a car manufacturer, or green is the colour of the car, a last name or part of a town name. If I tokenised the field values as above and copyField-ed them into a single text box, would my tokeniser pick those out? Dunno - I guess I need to roll my sleeves up and do some coding, try some of this out.
>
> Thanks again for any insights
>
> Geoff
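
An added sketch of the approach suggested in the last reply (not code from the thread or from Solr): the application derives fl from the user's permissions, lets a client-requested field list only narrow it, and searches several fields through DisMax. The role names, ROLE_FIELDS and both function names are hypothetical; the field names come from the thread's example.

```python
from urllib.parse import urlencode

# Hypothetical role -> viewable fields mapping (assumption, not from the thread).
ROLE_FIELDS = {
    "clerk": {"name", "address"},
    "manager": {"name", "address", "occupation"},
}
# The thread's requirement: every user may search all fields.
SEARCH_FIELDS = ["name", "address", "occupation"]


def build_solr_params(role, user_query, requested_fl=None):
    """Build the query string the application sends to Solr for this user.

    fl always comes from the role mapping on the application side; a field
    list asked for by the client can shrink it but never extend it.
    """
    allowed = ROLE_FIELDS.get(role)
    if not allowed:
        raise PermissionError(f"unknown role: {role!r}")  # fail closed
    fields = set(allowed)
    if requested_fl:
        wanted = {f.strip() for f in requested_fl.split(",") if f.strip()}
        fields &= wanted
        if not fields:
            raise PermissionError("none of the requested fields is permitted")
    return urlencode({
        "q": user_query,
        "defType": "dismax",              # keyword search over several fields
        "qf": " ".join(SEARCH_FIELDS),
        "fl": ",".join(sorted(fields)),   # only fields this role may view
    })


def filter_docs(role, docs):
    """Second check on the response: drop any field the role may not view."""
    allowed = ROLE_FIELDS[role]
    return [{k: v for k, v in doc.items() if k in allowed} for doc in docs]


if __name__ == "__main__":
    print(build_solr_params("clerk", "john smith ford green"))
    # Constructed sample response document.
    print(filter_docs("clerk", [{"name": "John Smith", "occupation": "baker"}]))
```

This holds only if users cannot reach Solr directly, since any client able to send its own fl bypasses the mapping. Because qf still includes occupation, a clerk can learn that a record matches a restricted value even though the field is never returned.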