Hi Anders- see comments below...
> > Two weeks ago I created a JIRA issue ( > https://issues.apache.org/jira/browse/SOLR-1834) involving document level > security in Apache Solr and submitted a patch containing a search component > that can be seen as a starting point for making Solr handle document level > security. I believe that document security is an essential part of an > enterprise search engine and I hope that this contribution can start a > discussion about how this should be handled in Solr (possibly in conjunction > with the Lucene Connector Framework). > Thanks for posting the code -- a quick pass it looks good. I agree some cordination with Lucene Connectors will make sense. On the patch, it looks good, but to get into the the dist, it will probably need some sort of tests. I'm not sure how that would work with windows authentication (I don't' know much about it, but it has been on my long term TODO list for a while!) Perhaps we could have tests that would run on systems that have somethign to test agains, but not fail when running on linux (or something) > As this contribution shows I would like to help to develop the security > capabilities of Solr together with the community because I believe that it > will improve Solr’s appeal to large enterprises. Moreover I think that most > of us believe that a transparent security system will in the end give rise > to the best security. > agree -- the more people to poke holes, the better > I hope some of you can take the time to look at the patch, try it out and > think about: > > 1) 1. Should this be a contrib module in Solr? (And if so, what needs > to be done to contribute it?) > I think a contrib module makes sense. For things to move forward, a committer needs to step up to the plate. I would love to, but don't have much time soon. To make it easier for people to feel comfortable with it, tests and doc help lots. > 2) 2. Should document level security be a core feature in Solr? (And if > so, what is the best way to integrate it into Solr?) I'm not quite sure what you mean by 'core' -- I think it makes sense to live as a contrib for a while and see how things develop. > > 3) 3. How can this integrate with connectors like the Lucene Connector > Framework? I.e. how do you create a uniform way to talk about Access Control > Lists (http://en.wikipedia.org/wiki/Access_control_list). > good question! That would be really powerful. > > > P.s (for the nerdy) > > I have some ideas about putting the security deeper into Solr, perhaps by > creating a secure SolrIndexReader and a secure SolrIndexSearcher that are > fed user credentials from a search component. What do you think about this? > What are you thinking here? To me, it seems like the index would need to contain all data and a SearchComponet would take user credentials and augment the query (group:[a b c] or whatever) The advantage of keeping the same IndexSearch across all users is that it can share a cache where appropriate. > As I understand it, currently it’s possible to declare your own > SolrIndexReader but not your own SolrIndexSearcher. > not sure on this... ryan
