[ https://issues.apache.org/jira/browse/CONNECTORS-886?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13909377#comment-13909377 ]

Karl Wright commented on CONNECTORS-886:
----------------------------------------

Hi Abe-san,

See r1570837.  After much thought, I refactored how security is managed in 
RepositoryDocument.  The principal change is to have all security acl/denyacl 
pairs have a String "security type".  This change makes it more acceptable to 
have a dedicated security type of "parent".  I have supported directory level 
security using the same mechanism, but deprecated all of the older security 
methods.

For now, with this commit, I also do not support directory level acls in the 
ElasticSearch connector.  The reason is that ES does not allow default indexing 
values for a field, and so the connector has to force that behavior.  There 
must therefore be a strict alignment between fields required in ES and fields 
understood by the ElasticSearch connector for everything to work.  I will fix 
this later.

Some principles I think we need to adhere to:
(1) The output connector for a search engine should explicitly REJECT any 
documents whose security they cannot enforce.  I've updated the Solr and 
ElasticSearch output connectors accordingly.
(2) We really should FORCE people to upgrade their Solr schema when they go to 
the newer version of the Solr 3.x and Solr 4.x plugins.  Having a configuration 
switch is likely to mean that people do not notice the change, and thus people 
may well give themselves a security problem on upgrade.  That's going to get us 
into trouble.

Given all the changes, I'm going to work on revising the plugins; the output 
connectors, CIFS connector, and plugins all still need revision.  I'll be 
trying to finish that over the weekend.

Thanks!
Karl

> Add support for Parent folder security
> --------------------------------------
>
>                 Key: CONNECTORS-886
>                 URL: https://issues.apache.org/jira/browse/CONNECTORS-886
>             Project: ManifoldCF
>          Issue Type: Improvement
>          Components: ElasticSearch component, Framework agents process, JCIFS 
> connector, Solr-3.x-component, Solr-4.x-component
>    Affects Versions: ManifoldCF 1.6
>            Reporter: Shinichiro Abe
>            Assignee: Shinichiro Abe
>             Fix For: ManifoldCF 1.6
>
>         Attachments: CONNECTORS-886-Ver2.patch, 
> CONNECTORS-886-forSolr3xPlugin-Ver3.patch, 
> CONNECTORS-886-forSolr4xPlugin-Ver2.patch, 
> CONNECTORS-886-forSolr4xPlugin-Ver3.patch, 
> CONNECTORS-886-forSolrPlugin.patch, CONNECTORS-886.patch
>
>
> Windows server checks the access permission of a share folder and the 
> security permission of a file document when we access a file via the network.
> As far as I have looked into it, Windows does not take a subfolder's security 
> permissions into account.
> There is a case where someone who is admin wants to configure 'Everyone' for 
> 'share folders' and configure each access permission for 'sub folders'.
> E.g. \\ShareFolder\Admin --> Admin folder for administrative user,  
> \\ShareFolder\Sales  --> Sales folder for sales user.
> The users put files in 'sub folders', then the permission of these files will 
> be inherited from the permission of 'sub folders'.
> I'd like to support access permissions for 'sub folders' in the jcifs/solr 
> connector.
> In general, we expect a file's permission to be inherited from the parent folder.
> So I want to manage the parent's security by providing new [allow|deny]_token 
> fields.



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
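
Principle (1) in the comment above, modelled as an added example that is not code from ManifoldCF or from this issue: each acl/denyacl pair is keyed by a String security type, and the output side refuses a document carrying a type it has no fields for, instead of indexing it without those tokens. The class, method and field names and the sample tokens are hypothetical.

```java
import java.util.*;

// Hypothetical model; this is not ManifoldCF's RepositoryDocument or connector API.
public class FailClosedIndexer {
  /** One acl/denyacl pair; the String security type is the key of the map holding it. */
  record AclPair(List<String> allow, List<String> deny) {}

  /** Security types the target search-engine schema has token fields for. */
  private final Set<String> enforceable;

  FailClosedIndexer(Set<String> enforceable) { this.enforceable = enforceable; }

  /** Builds the index fields, or throws if any security type cannot be enforced. */
  Map<String, List<String>> toFields(String docId, Map<String, AclPair> security) {
    Map<String, List<String>> fields = new TreeMap<>();
    for (Map.Entry<String, AclPair> e : security.entrySet()) {
      String type = e.getKey();
      if (!enforceable.contains(type)) {
        // Fail closed: dropping these tokens would make the document
        // searchable by users the source system denies.
        throw new IllegalStateException(
            "rejecting " + docId + ": cannot enforce security type '" + type + "'");
      }
      // Field naming is an assumption for this example.
      fields.put("allow_token_" + type, e.getValue().allow());
      fields.put("deny_token_" + type, e.getValue().deny());
    }
    return fields;
  }

  public static void main(String[] args) {
    // Constructed sample: the schema knows document and share level, not parent.
    FailClosedIndexer indexer = new FailClosedIndexer(Set.of("document", "share"));
    Map<String, AclPair> ok = Map.of(
        "document", new AclPair(List.of("sales"), List.of()),
        "share", new AclPair(List.of("everyone"), List.of()));
    System.out.println(indexer.toFields("doc1", ok));

    Map<String, AclPair> withParent = new HashMap<>(ok);
    withParent.put("parent", new AclPair(List.of("sales"), List.of("guest")));
    try {
      indexer.toFields("doc2", withParent);
    } catch (IllegalStateException ex) {
      System.out.println(ex.getMessage()); // doc2 is rejected, not indexed
    }
  }
}
```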
