Re: Solr Search: Access Control / Role based security
On 18/11/2015 07:55, Noble Paul wrote: I haven't evaluated manifoldCF for this . However , my preference would be to have a generic mechanism in built into Solr to restrict user access to certain docs based on some field values. Relying on external tools make life complex for users who do not like it. Our strategy is * Provide a pluggable framework so that custom external solutions can be plugged in * Provide a standard implementation which does not depend upon any external solutions any suggestions are welcome Hi, We're working on an external JOIN as part of the BioSolr project: basically this lets you filter result sets with an external query (which could be an authentication system of some kind). There's a patch at https://issues.apache.org/jira/browse/SOLR-7341 and the author, Tom Winch, is working on a blog post to explain it further - it'll hopefully be up on http://www.flax.co.uk/blog within the week. Cheers Charlie PS If anyone fancies a trip to Cambridge UK this February we're running a free 'search for bioinformatics' event http://www.ebi.ac.uk/pdbe/about/events/open-source-search-bioinformatics On Wed, Nov 11, 2015 at 12:07 AM, Susheel Kumar wrote: Thanks everyone for the suggestions. Hi Noble - Were there any thoughts made on utilizing Apache ManifoldCF while developing Authentication/Authorization plugins or anything to add there. Thanks, Susheel On Tue, Nov 10, 2015 at 5:01 AM, Alessandro Benedetti wrote: I've been working for a while with Apache ManifoldCF and Enterprise Search in Solr ( with Document level security) . Basically you can add a couple of extra fields , for example : allow_token : containing all the tokens that can view the document deny_token : containing all the tokens that are denied to view the document Apache ManifoldCF provides an integration that add an additional layer, and is able to combine different data sources permission schemes. The Authority Service endpoint will take in input the user name and return all the allow_token values and deny_token. At this point you can append the related filter queries to your queries and be sure that the user will only see what is supposed to see. It's basically an extension of the strategy you were proposing, role based. Of course keep protected your endpoints and avoid users to put custom fq, or all your document security model would be useless :) Cheers On 9 November 2015 at 21:52, Scott Stults < sstu...@opensourceconnections.com wrote: Susheel, This is perfectly fine for simple use-cases and has the benefit that the filterCache will help things stay nice and speedy. Apache ManifoldCF goes a bit further and ties back to your authentication and authorization mechanism: http://manifoldcf.apache.org/release/trunk/en_US/concepts.html#ManifoldCF+security+model k/r, Scott On Thu, Nov 5, 2015 at 2:26 PM, Susheel Kumar wrote: Hi, I have seen couple of use cases / need where we want to restrict result of search based on role of a user. For e.g. - if user role is admin, any document from the search result will be returned - if user role is manager, only documents intended for managers will be returned - if user role is worker, only documents intended for workers will be returned Typical practise is to tag the documents with the roles (using a multi-valued field) during indexing and then during search append filter query to restrict result based on roles. Wondering if there is any other better way out there and if this common requirement should be added as a Solr feature/plugin. The current security plugins are more towards making Solr apis/resources secure not towards securing/controlling data during search. https://cwiki.apache.org/confluence/display/solr/Authentication+and+Authorization+Plugins Please share your thoughts. Thanks, Susheel -- Scott Stults | Founder & Solutions Architect | OpenSource Connections, LLC | 434.409.2780 http://www.opensourceconnections.com -- -- Benedetti Alessandro Visiting card : http://about.me/alessandro_benedetti "Tyger, tyger burning bright In the forests of the night, What immortal hand or eye Could frame thy fearful symmetry?" William Blake - Songs of Experience -1794 England -- Charlie Hull Flax - Open Source Enterprise Search tel/fax: +44 (0)8700 118334 mobile: +44 (0)7767 825828 web: www.flax.co.uk
Re: Solr Search: Access Control / Role based security
I haven't evaluated manifoldCF for this . However , my preference would be to have a generic mechanism in built into Solr to restrict user access to certain docs based on some field values. Relying on external tools make life complex for users who do not like it. Our strategy is * Provide a pluggable framework so that custom external solutions can be plugged in * Provide a standard implementation which does not depend upon any external solutions any suggestions are welcome On Wed, Nov 11, 2015 at 12:07 AM, Susheel Kumar wrote: > Thanks everyone for the suggestions. > > Hi Noble - Were there any thoughts made on utilizing Apache ManifoldCF > while developing Authentication/Authorization plugins or anything to add > there. > > Thanks, > Susheel > > On Tue, Nov 10, 2015 at 5:01 AM, Alessandro Benedetti > wrote: > >> I've been working for a while with Apache ManifoldCF and Enterprise Search >> in Solr ( with Document level security) . >> Basically you can add a couple of extra fields , for example : >> >> allow_token : containing all the tokens that can view the document >> deny_token : containing all the tokens that are denied to view the document >> >> Apache ManifoldCF provides an integration that add an additional layer, and >> is able to combine different data sources permission schemes. >> The Authority Service endpoint will take in input the user name and return >> all the allow_token values and deny_token. >> At this point you can append the related filter queries to your queries and >> be sure that the user will only see what is supposed to see. >> >> It's basically an extension of the strategy you were proposing, role based. >> Of course keep protected your endpoints and avoid users to put custom fq, >> or all your document security model would be useless :) >> >> Cheers >> >> >> On 9 November 2015 at 21:52, Scott Stults < >> sstu...@opensourceconnections.com >> > wrote: >> >> > Susheel, >> > >> > This is perfectly fine for simple use-cases and has the benefit that the >> > filterCache will help things stay nice and speedy. Apache ManifoldCF >> goes a >> > bit further and ties back to your authentication and authorization >> > mechanism: >> > >> > >> > >> http://manifoldcf.apache.org/release/trunk/en_US/concepts.html#ManifoldCF+security+model >> > >> > >> > k/r, >> > Scott >> > >> > On Thu, Nov 5, 2015 at 2:26 PM, Susheel Kumar >> > wrote: >> > >> > > Hi, >> > > >> > > I have seen couple of use cases / need where we want to restrict result >> > of >> > > search based on role of a user. For e.g. >> > > >> > > - if user role is admin, any document from the search result will be >> > > returned >> > > - if user role is manager, only documents intended for managers will be >> > > returned >> > > - if user role is worker, only documents intended for workers will be >> > > returned >> > > >> > > Typical practise is to tag the documents with the roles (using a >> > > multi-valued field) during indexing and then during search append >> filter >> > > query to restrict result based on roles. >> > > >> > > Wondering if there is any other better way out there and if this common >> > > requirement should be added as a Solr feature/plugin. >> > > >> > > The current security plugins are more towards making Solr >> apis/resources >> > > secure not towards securing/controlling data during search. >> > > >> > > >> > >> https://cwiki.apache.org/confluence/display/solr/Authentication+and+Authorization+Plugins >> > > >> > > >> > > Please share your thoughts. >> > > >> > > Thanks, >> > > Susheel >> > > >> > >> > >> > >> > -- >> > Scott Stults | Founder & Solutions Architect | OpenSource Connections, >> LLC >> > | 434.409.2780 >> > http://www.opensourceconnections.com >> > >> >> >> >> -- >> -- >> >> Benedetti Alessandro >> Visiting card : http://about.me/alessandro_benedetti >> >> "Tyger, tyger burning bright >> In the forests of the night, >> What immortal hand or eye >> Could frame thy fearful symmetry?" >> >> William Blake - Songs of Experience -1794 England >> -- - Noble Paul
Re: Solr Search: Access Control / Role based security
I think both of those overlap at some point but aren't really directly related or problems that would be solved in the same manner. Document level security, though can be implemented using custom authentication/authorization plugins, but there are a fair amount of users who use ManifoldCF for the same. So it's totally your pick. I'm not 100% sure, but I think using a custom authentication/authorization plugin + an update request processor is more work than using ManifoldCF for that purpose. On Tue, Nov 10, 2015 at 10:37 AM, Susheel Kumar wrote: > Thanks everyone for the suggestions. > > Hi Noble - Were there any thoughts made on utilizing Apache ManifoldCF > while developing Authentication/Authorization plugins or anything to add > there. > > Thanks, > Susheel > > On Tue, Nov 10, 2015 at 5:01 AM, Alessandro Benedetti < > abenede...@apache.org > > wrote: > > > I've been working for a while with Apache ManifoldCF and Enterprise > Search > > in Solr ( with Document level security) . > > Basically you can add a couple of extra fields , for example : > > > > allow_token : containing all the tokens that can view the document > > deny_token : containing all the tokens that are denied to view the > document > > > > Apache ManifoldCF provides an integration that add an additional layer, > and > > is able to combine different data sources permission schemes. > > The Authority Service endpoint will take in input the user name and > return > > all the allow_token values and deny_token. > > At this point you can append the related filter queries to your queries > and > > be sure that the user will only see what is supposed to see. > > > > It's basically an extension of the strategy you were proposing, role > based. > > Of course keep protected your endpoints and avoid users to put custom fq, > > or all your document security model would be useless :) > > > > Cheers > > > > > > On 9 November 2015 at 21:52, Scott Stults < > > sstu...@opensourceconnections.com > > > wrote: > > > > > Susheel, > > > > > > This is perfectly fine for simple use-cases and has the benefit that > the > > > filterCache will help things stay nice and speedy. Apache ManifoldCF > > goes a > > > bit further and ties back to your authentication and authorization > > > mechanism: > > > > > > > > > > > > http://manifoldcf.apache.org/release/trunk/en_US/concepts.html#ManifoldCF+security+model > > > > > > > > > k/r, > > > Scott > > > > > > On Thu, Nov 5, 2015 at 2:26 PM, Susheel Kumar > > > wrote: > > > > > > > Hi, > > > > > > > > I have seen couple of use cases / need where we want to restrict > result > > > of > > > > search based on role of a user. For e.g. > > > > > > > > - if user role is admin, any document from the search result will be > > > > returned > > > > - if user role is manager, only documents intended for managers will > be > > > > returned > > > > - if user role is worker, only documents intended for workers will be > > > > returned > > > > > > > > Typical practise is to tag the documents with the roles (using a > > > > multi-valued field) during indexing and then during search append > > filter > > > > query to restrict result based on roles. > > > > > > > > Wondering if there is any other better way out there and if this > common > > > > requirement should be added as a Solr feature/plugin. > > > > > > > > The current security plugins are more towards making Solr > > apis/resources > > > > secure not towards securing/controlling data during search. > > > > > > > > > > > > > > https://cwiki.apache.org/confluence/display/solr/Authentication+and+Authorization+Plugins > > > > > > > > > > > > Please share your thoughts. > > > > > > > > Thanks, > > > > Susheel > > > > > > > > > > > > > > > > -- > > > Scott Stults | Founder & Solutions Architect | OpenSource Connections, > > LLC > > > | 434.409.2780 > > > http://www.opensourceconnections.com > > > > > > > > > > > -- > > -- > > > > Benedetti Alessandro > > Visiting card : http://about.me/alessandro_benedetti > > > > "Tyger, tyger burning bright > > In the forests of the night, > > What immortal hand or eye > > Could frame thy fearful symmetry?" > > > > William Blake - Songs of Experience -1794 England > > > -- Anshum Gupta
Re: Solr Search: Access Control / Role based security
Thanks everyone for the suggestions. Hi Noble - Were there any thoughts made on utilizing Apache ManifoldCF while developing Authentication/Authorization plugins or anything to add there. Thanks, Susheel On Tue, Nov 10, 2015 at 5:01 AM, Alessandro Benedetti wrote: > I've been working for a while with Apache ManifoldCF and Enterprise Search > in Solr ( with Document level security) . > Basically you can add a couple of extra fields , for example : > > allow_token : containing all the tokens that can view the document > deny_token : containing all the tokens that are denied to view the document > > Apache ManifoldCF provides an integration that add an additional layer, and > is able to combine different data sources permission schemes. > The Authority Service endpoint will take in input the user name and return > all the allow_token values and deny_token. > At this point you can append the related filter queries to your queries and > be sure that the user will only see what is supposed to see. > > It's basically an extension of the strategy you were proposing, role based. > Of course keep protected your endpoints and avoid users to put custom fq, > or all your document security model would be useless :) > > Cheers > > > On 9 November 2015 at 21:52, Scott Stults < > sstu...@opensourceconnections.com > > wrote: > > > Susheel, > > > > This is perfectly fine for simple use-cases and has the benefit that the > > filterCache will help things stay nice and speedy. Apache ManifoldCF > goes a > > bit further and ties back to your authentication and authorization > > mechanism: > > > > > > > http://manifoldcf.apache.org/release/trunk/en_US/concepts.html#ManifoldCF+security+model > > > > > > k/r, > > Scott > > > > On Thu, Nov 5, 2015 at 2:26 PM, Susheel Kumar > > wrote: > > > > > Hi, > > > > > > I have seen couple of use cases / need where we want to restrict result > > of > > > search based on role of a user. For e.g. > > > > > > - if user role is admin, any document from the search result will be > > > returned > > > - if user role is manager, only documents intended for managers will be > > > returned > > > - if user role is worker, only documents intended for workers will be > > > returned > > > > > > Typical practise is to tag the documents with the roles (using a > > > multi-valued field) during indexing and then during search append > filter > > > query to restrict result based on roles. > > > > > > Wondering if there is any other better way out there and if this common > > > requirement should be added as a Solr feature/plugin. > > > > > > The current security plugins are more towards making Solr > apis/resources > > > secure not towards securing/controlling data during search. > > > > > > > > > https://cwiki.apache.org/confluence/display/solr/Authentication+and+Authorization+Plugins > > > > > > > > > Please share your thoughts. > > > > > > Thanks, > > > Susheel > > > > > > > > > > > -- > > Scott Stults | Founder & Solutions Architect | OpenSource Connections, > LLC > > | 434.409.2780 > > http://www.opensourceconnections.com > > > > > > -- > -- > > Benedetti Alessandro > Visiting card : http://about.me/alessandro_benedetti > > "Tyger, tyger burning bright > In the forests of the night, > What immortal hand or eye > Could frame thy fearful symmetry?" > > William Blake - Songs of Experience -1794 England >
Re: Solr Search: Access Control / Role based security
I've been working for a while with Apache ManifoldCF and Enterprise Search in Solr ( with Document level security) . Basically you can add a couple of extra fields , for example : allow_token : containing all the tokens that can view the document deny_token : containing all the tokens that are denied to view the document Apache ManifoldCF provides an integration that add an additional layer, and is able to combine different data sources permission schemes. The Authority Service endpoint will take in input the user name and return all the allow_token values and deny_token. At this point you can append the related filter queries to your queries and be sure that the user will only see what is supposed to see. It's basically an extension of the strategy you were proposing, role based. Of course keep protected your endpoints and avoid users to put custom fq, or all your document security model would be useless :) Cheers On 9 November 2015 at 21:52, Scott Stults wrote: > Susheel, > > This is perfectly fine for simple use-cases and has the benefit that the > filterCache will help things stay nice and speedy. Apache ManifoldCF goes a > bit further and ties back to your authentication and authorization > mechanism: > > > http://manifoldcf.apache.org/release/trunk/en_US/concepts.html#ManifoldCF+security+model > > > k/r, > Scott > > On Thu, Nov 5, 2015 at 2:26 PM, Susheel Kumar > wrote: > > > Hi, > > > > I have seen couple of use cases / need where we want to restrict result > of > > search based on role of a user. For e.g. > > > > - if user role is admin, any document from the search result will be > > returned > > - if user role is manager, only documents intended for managers will be > > returned > > - if user role is worker, only documents intended for workers will be > > returned > > > > Typical practise is to tag the documents with the roles (using a > > multi-valued field) during indexing and then during search append filter > > query to restrict result based on roles. > > > > Wondering if there is any other better way out there and if this common > > requirement should be added as a Solr feature/plugin. > > > > The current security plugins are more towards making Solr apis/resources > > secure not towards securing/controlling data during search. > > > > > https://cwiki.apache.org/confluence/display/solr/Authentication+and+Authorization+Plugins > > > > > > Please share your thoughts. > > > > Thanks, > > Susheel > > > > > > -- > Scott Stults | Founder & Solutions Architect | OpenSource Connections, LLC > | 434.409.2780 > http://www.opensourceconnections.com > -- -- Benedetti Alessandro Visiting card : http://about.me/alessandro_benedetti "Tyger, tyger burning bright In the forests of the night, What immortal hand or eye Could frame thy fearful symmetry?" William Blake - Songs of Experience -1794 England
Re: Solr Search: Access Control / Role based security
Susheel, This is perfectly fine for simple use-cases and has the benefit that the filterCache will help things stay nice and speedy. Apache ManifoldCF goes a bit further and ties back to your authentication and authorization mechanism: http://manifoldcf.apache.org/release/trunk/en_US/concepts.html#ManifoldCF+security+model k/r, Scott On Thu, Nov 5, 2015 at 2:26 PM, Susheel Kumar wrote: > Hi, > > I have seen couple of use cases / need where we want to restrict result of > search based on role of a user. For e.g. > > - if user role is admin, any document from the search result will be > returned > - if user role is manager, only documents intended for managers will be > returned > - if user role is worker, only documents intended for workers will be > returned > > Typical practise is to tag the documents with the roles (using a > multi-valued field) during indexing and then during search append filter > query to restrict result based on roles. > > Wondering if there is any other better way out there and if this common > requirement should be added as a Solr feature/plugin. > > The current security plugins are more towards making Solr apis/resources > secure not towards securing/controlling data during search. > > https://cwiki.apache.org/confluence/display/solr/Authentication+and+Authorization+Plugins > > > Please share your thoughts. > > Thanks, > Susheel > -- Scott Stults | Founder & Solutions Architect | OpenSource Connections, LLC | 434.409.2780 http://www.opensourceconnections.com
Solr Search: Access Control / Role based security
Hi, I have seen couple of use cases / need where we want to restrict result of search based on role of a user. For e.g. - if user role is admin, any document from the search result will be returned - if user role is manager, only documents intended for managers will be returned - if user role is worker, only documents intended for workers will be returned Typical practise is to tag the documents with the roles (using a multi-valued field) during indexing and then during search append filter query to restrict result based on roles. Wondering if there is any other better way out there and if this common requirement should be added as a Solr feature/plugin. The current security plugins are more towards making Solr apis/resources secure not towards securing/controlling data during search. https://cwiki.apache.org/confluence/display/solr/Authentication+and+Authorization+Plugins Please share your thoughts. Thanks, Susheel
