For automated testing, a mock implementation of the authentication APIs is usually the approach. The DataImportHandler tests use a mock database and a mock solr index.

On Fri, Apr 2, 2010 at 4:35 PM, Ryan McKinley <ryan...@gmail.com> wrote:
> Hi Anders-
>
> see comments below...
>
>>
>> Two weeks ago I created a JIRA issue (
>> https://issues.apache.org/jira/browse/SOLR-1834) involving document level
>> security in Apache Solr and submitted a patch containing a search component
>> that can be seen as a starting point for making Solr handle document level
>> security. I believe that document security is an essential part of an
>> enterprise search engine and I hope that this contribution can start a
>> discussion about how this should be handled in Solr (possibly in conjunction
>> with the Lucene Connector Framework).
>>
>
> Thanks for posting the code -- on a quick pass it looks good. I agree
> some coordination with Lucene Connectors will make sense.
>
> On the patch, it looks good, but to get into the dist, it will
> probably need some sort of tests. I'm not sure how that would work
> with windows authentication (I don't know much about it, but it has
> been on my long term TODO list for a while!) Perhaps we could have
> tests that would run on systems that have something to test against,
> but not fail when running on linux (or something)
>
>
>> As this contribution shows I would like to help to develop the security
>> capabilities of Solr together with the community because I believe that it
>> will improve Solr’s appeal to large enterprises. Moreover I think that most
>> of us believe that a transparent security system will in the end give rise
>> to the best security.
>>
>
> agree -- the more people to poke holes, the better
>
>
>> I hope some of you can take the time to look at the patch, try it out and
>> think about:
>>
>> 1) Should this be a contrib module in Solr? (And if so, what needs
>> to be done to contribute it?)
>>
>
> I think a contrib module makes sense. For things to move forward, a
> committer needs to step up to the plate. I would love to, but don't
> have much time soon. To make it easier for people to feel comfortable
> with it, tests and doc help lots.
>
>
>> 2) Should document level security be a core feature in Solr? (And if
>> so, what is the best way to integrate it into Solr?)
>
> I'm not quite sure what you mean by 'core' -- I think it makes sense
> to live as a contrib for a while and see how things develop.
>
>
>>
>> 3) How can this integrate with connectors like the Lucene Connector
>> Framework? I.e. how do you create a uniform way to talk about Access Control
>> Lists (http://en.wikipedia.org/wiki/Access_control_list).
>>
>
> good question! That would be really powerful.
>
>
>>
>>
>> P.s (for the nerdy)
>>
>> I have some ideas about putting the security deeper into Solr, perhaps by
>> creating a secure SolrIndexReader and a secure SolrIndexSearcher that are
>> fed user credentials from a search component. What do you think about this?
>>
>
> What are you thinking here? To me, it seems like the index would need
> to contain all data and a SearchComponent would take user credentials
> and augment the query (group:[a b c] or whatever)
>
> The advantage of keeping the same IndexSearch across all users is that
> it can share a cache where appropriate.
>
>
>> As I understand it, currently it’s possible to declare your own
>> SolrIndexReader but not your own SolrIndexSearcher.
>>
>
> not sure on this...
>
>
> ryan
>

--
Lance Norskog
goks...@gmail.com
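
The query augmentation and the mock authentication source discussed in this thread, as an added example that is not part of the thread or of the SOLR-1834 patch. It is plain Java with no Solr dependency; `GroupSource`, `MockGroupSource`, the `acl_group` field name and the sample users are all hypothetical.

```java
import java.util.*;

public class AclFilterExample {
    /** Hypothetical abstraction over the real authentication backend. */
    interface GroupSource {
        Set<String> groupsFor(String user);
    }

    /** Mock for tests, standing in for Windows authentication (constructed data). */
    static class MockGroupSource implements GroupSource {
        private final Map<String, Set<String>> table = new HashMap<>();
        MockGroupSource add(String user, String... groups) {
            table.put(user, new TreeSet<>(Arrays.asList(groups)));
            return this;
        }
        public Set<String> groupsFor(String user) {
            return table.getOrDefault(user, Collections.emptySet());
        }
    }

    /** Backslash-escape query syntax characters and whitespace in a group name. */
    static String escape(String s) {
        StringBuilder sb = new StringBuilder();
        for (char c : s.toCharArray()) {
            if ("\\+-!():^[]\"{}~*?|&;/".indexOf(c) >= 0 || Character.isWhitespace(c)) sb.append('\\');
            sb.append(c);
        }
        return sb.toString();
    }

    /** Filter to attach to every search; a user with no groups matches nothing. */
    static String aclFilter(GroupSource source, String user) {
        Set<String> groups = source.groupsFor(user);
        if (groups.isEmpty()) return "-*:*"; // fail closed
        StringJoiner or = new StringJoiner(" OR ", "acl_group:(", ")");
        for (String g : groups) or.add(escape(g));
        return or.toString();
    }

    public static void main(String[] args) {
        GroupSource mock = new MockGroupSource()
            .add("alice", "sales", "DOMAIN\\Domain Users")
            .add("bob", "x) OR *:* OR (y"); // group name containing query syntax
        System.out.println(aclFilter(mock, "alice"));
        System.out.println(aclFilter(mock, "bob"));
        System.out.println(aclFilter(mock, "nobody"));
    }
}
```

Because the filter depends only on the group set, the same searcher and its caches can serve every user, and a test suite can run against the mock on any platform.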