[ https://issues.apache.org/jira/browse/SOLR-1895?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13112438#comment-13112438 ]
Karl Wright commented on SOLR-1895: ----------------------------------- Here's the diff, which looks perfectly fine to me. If anybody knows why this shouldn't work, please let me know. The first incarnation of the security filter used queries, and that was fine, but that was a year ago now. Index: src/java/org/apache/solr/mcf/ManifoldCFSecurityFilter.java =================================================================== --- src/java/org/apache/solr/mcf/ManifoldCFSecurityFilter.java (revision 1173895) +++ src/java/org/apache/solr/mcf/ManifoldCFSecurityFilter.java (working copy) @@ -150,7 +150,8 @@ userAccessTokens = getAccessTokens(authenticatedUserName); } - BooleanFilter bf = new BooleanFilter(); + BooleanQuery bq = new BooleanQuery(); + //bf.setMaxClauseCount(100000); if (userAccessTokens.size() == 0) { 
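Review bot: The added `//bf.setMaxClauseCount(100000);` is commented-out code that names `bf`, a variable this same hunk removes, and its value (100000) differs from the 1000000 used in `calculateCompleteSubquery` further down. Either delete the line or replace it with a real comment, for example `// Top-level query holds at most four clauses; no clause-limit change needed here.` The enclosing method starts above the hunk, so this is based only on the lines visible here.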
@@ -159,28 +160,26 @@ // (fieldAllowShare is empty AND fieldDenyShare is empty AND fieldAllowDocument is empty AND fieldDenyDocument is empty) // We're trying to map to: -(fieldAllowShare:*) , which should be pretty efficient in Solr because it is negated. If this turns out not to be so, then we should // have the SolrConnector inject a special token into these fields when they otherwise would be empty, and we can trivially match on that token. - bf.add(new FilterClause(new QueryWrapperFilter(new WildcardQuery(new Term(fieldAllowShare,"*"))),BooleanClause.Occur.MUST_NOT)); - bf.add(new FilterClause(new QueryWrapperFilter(new WildcardQuery(new Term(fieldDenyShare,"*"))),BooleanClause.Occur.MUST_NOT)); - bf.add(new FilterClause(new QueryWrapperFilter(new WildcardQuery(new Term(fieldAllowDocument,"*"))),BooleanClause.Occur.MUST_NOT)); - bf.add(new FilterClause(new QueryWrapperFilter(new WildcardQuery(new Term(fieldDenyDocument,"*"))),BooleanClause.Occur.MUST_NOT)); + bq.add(new WildcardQuery(new Term(fieldAllowShare,"*")),BooleanClause.Occur.MUST_NOT); + bq.add(new WildcardQuery(new Term(fieldDenyShare,"*")),BooleanClause.Occur.MUST_NOT); + bq.add(new WildcardQuery(new Term(fieldAllowDocument,"*")),BooleanClause.Occur.MUST_NOT); + bq.add(new WildcardQuery(new Term(fieldDenyDocument,"*")),BooleanClause.Occur.MUST_NOT); } else { // Extend the query appropriately for each user access token. - bf.add(new FilterClause(calculateCompleteSubfilter(fieldAllowShare,fieldDenyShare,userAccessTokens),BooleanClause.Occur.MUST)); - bf.add(new FilterClause(calculateCompleteSubfilter(fieldAllowDocument,fieldDenyDocument,userAccessTokens),BooleanClause.Occur.MUST)); + bq.add(calculateCompleteSubquery(fieldAllowShare,fieldDenyShare,userAccessTokens),BooleanClause.Occur.MUST); + bq.add(calculateCompleteSubquery(fieldAllowDocument,fieldDenyDocument,userAccessTokens),BooleanClause.Occur.MUST); } // Concatenate with the user's original query. 
- //FilteredQuery query = new FilteredQuery(rb.getQuery(),bf); - //rb.setQuery(query); List<Query> list = rb.getFilters(); if (list == null) { list = new ArrayList<Query>(); rb.setFilters(list); } - list.add(new ConstantScoreQuery(bf)); + list.add(new ConstantScoreQuery(bq)); } @Override 
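Review bot: In the zero-token branch the new `bq` holds only `MUST_NOT` clauses, and a Lucene `BooleanQuery` with no positive clause matches no documents, whereas the `BooleanFilter` it replaces started from the full document set before subtracting. Because the query is wrapped in `ConstantScoreQuery` before it is added to `rb.getFilters()`, Solr's usual pure-negative handling probably does not see it, so a user with no access tokens would get no results at all, including unprotected documents. That fails closed, but it changes what the security filter returns; adding `bq.add(new MatchAllDocsQuery(),BooleanClause.Occur.MUST);` ahead of the four `MUST_NOT` clauses restores the old meaning. `subUnprotectedClause` in `calculateCompleteSubquery` (the later hunk) has the same shape and needs the same clause, otherwise the empty-ACL alternative inside `orQuery` never matches. A test that indexes one document with no security fields and searches it with and without tokens would pin this down.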
@@ -193,28 +192,27 @@ * ((fieldAllowShare is empty AND fieldDenyShare is empty) OR fieldAllowShare HAS token1 OR fieldAllowShare HAS token2 ...) * AND fieldDenyShare DOESN'T_HAVE token1 AND fieldDenyShare DOESN'T_HAVE token2 ... */ - protected Filter calculateCompleteSubfilter(String allowField, String denyField, List<String> userAccessTokens) + protected Query calculateCompleteSubquery(String allowField, String denyField, List<String> userAccessTokens) { - BooleanFilter bf = new BooleanFilter(); + BooleanQuery bq = new BooleanQuery(); + bq.setMaxClauseCount(1000000); // Add a clause for each token. This will be added directly to the main filter (as a deny test), as well as to an OR's subclause (as an allow test). - BooleanFilter orFilter = new BooleanFilter(); + BooleanQuery orQuery = new BooleanQuery(); + orQuery.setMaxClauseCount(1000000); + // Add the empty-acl case - BooleanFilter subUnprotectedClause = new BooleanFilter(); - subUnprotectedClause.add(new FilterClause(new QueryWrapperFilter(new WildcardQuery(new Term(allowField,"*"))),BooleanClause.Occur.MUST_NOT)); - subUnprotectedClause.add(new FilterClause(new QueryWrapperFilter(new WildcardQuery(new Term(denyField,"*"))),BooleanClause.Occur.MUST_NOT)); - orFilter.add(new FilterClause(subUnprotectedClause,BooleanClause.Occur.SHOULD)); + BooleanQuery subUnprotectedClause = new BooleanQuery(); + subUnprotectedClause.add(new WildcardQuery(new Term(allowField,"*")),BooleanClause.Occur.MUST_NOT); + subUnprotectedClause.add(new WildcardQuery(new Term(denyField,"*")),BooleanClause.Occur.MUST_NOT); + orQuery.add(subUnprotectedClause,BooleanClause.Occur.SHOULD); for (String accessToken : userAccessTokens) { - TermsFilter tf = new TermsFilter(); - tf.addTerm(new Term(allowField,accessToken)); - orFilter.add(new FilterClause(tf,BooleanClause.Occur.SHOULD)); - tf = new TermsFilter(); - tf.addTerm(new Term(denyField,accessToken)); - bf.add(new FilterClause(tf,BooleanClause.Occur.MUST_NOT)); + orQuery.add(new 
TermQuery(new Term(allowField,accessToken)),BooleanClause.Occur.SHOULD); + bq.add(new TermQuery(new Term(denyField,accessToken)),BooleanClause.Occur.MUST_NOT); } - bf.add(new FilterClause(orFilter,BooleanClause.Occur.MUST)); - return bf; + bq.add(orQuery,BooleanClause.Occur.MUST); + return bq; } //--------------------------------------------------------------------------------- > ManifoldCF SearchComponent plugin for enforcing ManifoldCF security at search > time > ---------------------------------------------------------------------------------- > > Key: SOLR-1895 > URL: https://issues.apache.org/jira/browse/SOLR-1895 > Project: Solr > Issue Type: New Feature > Components: SearchComponents - other > Reporter: Karl Wright > Labels: document, security, solr > Fix For: 3.5, 4.0 > > Attachments: LCFSecurityFilter.java, LCFSecurityFilter.java, > LCFSecurityFilter.java, LCFSecurityFilter.java, > SOLR-1895-service-plugin.patch, SOLR-1895-service-plugin.patch, > SOLR-1895.patch, SOLR-1895.patch, SOLR-1895.patch, SOLR-1895.patch, > SOLR-1895.patch, SOLR-1895.patch > > > I've written an LCF SearchComponent which filters returned results based on > access tokens provided by LCF's authority service. 
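Review bot: `bq.setMaxClauseCount(1000000)` and `orQuery.setMaxClauseCount(1000000)` read as per-query settings, but `BooleanQuery.setMaxClauseCount` is a static method, so each call raises the clause limit for every `BooleanQuery` in the JVM, and does so again on every search request. That overrides the `maxBooleanClauses` value from solrconfig.xml and removes the cap that bounds query expansion for all other queries on the node. I would drop both calls and let the operator size `maxBooleanClauses` for the expected number of access tokens; if the limit is exceeded, the resulting `TooManyClauses` exception should fail the request rather than let it run without the security filter. If the calls stay, write them as `BooleanQuery.setMaxClauseCount(...)` with a comment stating the global effect.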
The component requires > you to configure the appropriate authority service URL base, e.g.: > <!-- LCF document security enforcement component --> > <searchComponent name="lcfSecurity" class="LCFSecurityFilter"> > <str > name="AuthorityServiceBaseURL">http://localhost:8080/lcf-authority-service</str> > </searchComponent> > Also required are the following schema.xml additions: > <!-- Security fields --> > <field name="allow_token_document" type="string" indexed="true" > stored="false" multiValued="true"/> > <field name="deny_token_document" type="string" indexed="true" > stored="false" multiValued="true"/> > <field name="allow_token_share" type="string" indexed="true" > stored="false" multiValued="true"/> > <field name="deny_token_share" type="string" indexed="true" stored="false" > multiValued="true"/> > Finally, to tie it into the standard request handler, it seems to need to run > last: > <requestHandler name="standard" class="solr.SearchHandler" default="true"> > <arr name="last-components"> > <str>lcfSecurity</str> > </arr> > ... > I have not set a package for this code. Nor have I been able to get it > reviewed by someone as conversant with Solr as I would prefer. It is my > hope, however, that this module will become part of the standard Solr 1.5 > suite of search components, since that would tie it in with LCF nicely. -- This message is automatically generated by JIRA. For more information on JIRA, see: http://www.atlassian.com/software/jira --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org For additional commands, e-mail: dev-h...@lucene.apache.org