[jira] [Commented] (SOLR-1895) ManifoldCF SearchComponent plugin for enforcing ManifoldCF security at search time

Thu, 22 Sep 2011 04:07:51 -0700 

    [ 
https://issues.apache.org/jira/browse/SOLR-1895?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13112475#comment-13112475
 ] 

Karl Wright commented on SOLR-1895:
-----------------------------------

Doing some debugging on the test yields no joy.  Here's a chunk of the output 
(where I dump the security part of the query that is being applied):
{code}
    [junit] ------------- Standard Error -----------------
    [junit] +((-allow_token_share:* -deny_token_share:*) 
allow_token_share:token1 -deny_token_share:token1) +((-allow_token_document:* 
-deny_token_document:*) allow_token_document:token1 -deny_token_document:token1)
    [junit] 22/09/2011 08:26:50 ? org.apache.solr.SolrTestCaseJ4 assertQ
    [junit] SEVERE: REQUEST FAILED: xpath=//*[@numFound='3']
    [junit]     xml response was: <?xml version="1.0" encoding="UTF-8"?>
    [junit] <response>
    [junit] <lst name="responseHeader"><int name="status">0</int><int 
name="QTime">116</int><lst name="params"><str name="echoParams">all</str><str 
name="fl">id</str><str name="q">*:*</str><str name="qt">/mcf</str><str 
name="UserTokens">token1</str><str name="mcf">true</str></lst></lst><result 
name="response" numFound="0" start="0"></result>
    [junit] </response>
{code}

The query looks correct, and given the following data:

{code}
    //             |     share    |   document
    //             |--------------|--------------
    //             | allow | deny | allow | deny
    // ------------+-------+------+-------+------
    // da12        |       |      | 1, 2  |
    // ------------+-------+------+-------+------
    // da13-dd3    |       |      | 1,3   | 3
    // ------------+-------+------+-------+------
    // sa123-sd13  | 1,2,3 | 1, 3 |       |
    // ------------+-------+------+-------+------
    // sa3-sd1-da23| 3     | 1    | 2,3   |
    // ------------+-------+------+-------+------
    // notoken     |       |      |       |
    // ------------+-------+------+-------+------
{code}

... I would indeed expect three documents to be returned by that query: da12, 
da13-dd3, and notoken.
So I have to conclude that there's currently a bug in trunk in BooleanQuery.  
Is anybody looking at this?


> ManifoldCF SearchComponent plugin for enforcing ManifoldCF security at search 
> time
> ----------------------------------------------------------------------------------
>
>                 Key: SOLR-1895
>                 URL: https://issues.apache.org/jira/browse/SOLR-1895
>             Project: Solr
>          Issue Type: New Feature
>          Components: SearchComponents - other
>            Reporter: Karl Wright
>              Labels: document, security, solr
>             Fix For: 3.5, 4.0
>
>         Attachments: LCFSecurityFilter.java, LCFSecurityFilter.java, 
> LCFSecurityFilter.java, LCFSecurityFilter.java, 
> SOLR-1895-service-plugin.patch, SOLR-1895-service-plugin.patch, 
> SOLR-1895.patch, SOLR-1895.patch, SOLR-1895.patch, SOLR-1895.patch, 
> SOLR-1895.patch, SOLR-1895.patch
>
>
> I've written an LCF SearchComponent which filters returned results based on 
> access tokens provided by LCF's authority service.  The component requires 
> you to configure the appropriate authority service URL base, e.g.:
>   <!-- LCF document security enforcement component -->
>   <searchComponent name="lcfSecurity" class="LCFSecurityFilter">
>     <str 
> name="AuthorityServiceBaseURL">http://localhost:8080/lcf-authority-service</str>
>   </searchComponent>
> Also required are the following schema.xml additions:
>    <!-- Security fields -->
>    <field name="allow_token_document" type="string" indexed="true" 
> stored="false" multiValued="true"/>
>    <field name="deny_token_document" type="string" indexed="true" 
> stored="false" multiValued="true"/>
>    <field name="allow_token_share" type="string" indexed="true" 
> stored="false" multiValued="true"/>
>    <field name="deny_token_share" type="string" indexed="true" stored="false" 
> multiValued="true"/>
> Finally, to tie it into the standard request handler, it seems to need to run 
> last:
>   <requestHandler name="standard" class="solr.SearchHandler" default="true">
>     <arr name="last-components">
>       <str>lcfSecurity</str>
>     </arr>
> ...
> I have not set a package for this code.  Nor have I been able to get it 
> reviewed by someone as conversant with Solr as I would prefer.  It is my 
> hope, however, that this module will become part of the standard Solr 1.5 
> suite of search components, since that would tie it in with LCF nicely.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to