You should also see SOLR-1834. More later. On Apr 6, 2010, at 9:24 AM, Karl Wright wrote:
> Hi,
>
> This post pertains to the integration between the Lucene Connectors Framework
> and Solr.
>
> I don't know a ton about Solr, but one of the engineers here at MetaCarta has
> become quite familiar with it. So, I took some time to work through one of
> the outstanding LCF/Solr integration issues: how to enforce the LCF security
> model using Solr.
>
> As many may be aware, the LCF model relies on "access tokens" (e.g. Active
> Directory SIDs). There are "allow" tokens and "deny" tokens. They are
> currently dropped on the floor when Solr is involved, but they can readily
> (and most naturally) be handed to Solr as metadata when a document is
> ingested.
>
> Read more about the LCF security model here:
>
> http://cwiki.apache.org/confluence/display/CONNECTORS/Lucene+Connectors+Framework+concepts
>
> My proposal is therefore to do the following:
>
> (1) Choose specific metadata names that LCF will use for "allow" tokens and
> "deny" tokens;
> (2) Write a Solr request handler that peels out the special headers LCF's
> mod_authz_annotate module puts into the request, and places them into a Solr
> request object;
> (3) Write a Solr search component that pulls the access tokens out of the
> Solr request object and effectively wraps all incoming queries with the
> appropriate clauses, limiting the results returned according to the
> appropriate "allow" and "deny" metadata matches.
>
> Some questions:
>
> (a) Is this the right approach (bearing in mind that the LCF security model
> is deeply ingrained in LCF at this time, and is thus not subject to
> significant changes)?
> (b) Where should all of this live? Should it be a component of Solr, or a
> component of LCF?
> (c) The access tokens used by LCF are arbitrary strings, which are usually
> alphanumeric but do contain certain punctuation. Would this cause a problem?
>
> Thanks,
> Karl
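To make step (3) and question (c) concrete, here is a minimal sketch of how a search component might build the restricting clause from a user's access tokens. The field names (`allow_token`, `deny_token`) and the helper class are hypothetical illustrations, not LCF's or Solr's actual names, and the punctuation concern in (c) is addressed by escaping Lucene query-syntax characters before the tokens are embedded in a query string.

```java
import java.util.List;

// Hypothetical sketch: builds a filter clause restricting results to
// documents that carry at least one of the user's "allow" tokens and
// none of the user's "deny" tokens. Field names are assumptions.
public class AccessFilterBuilder {

    // Escape Lucene query-syntax characters, since LCF access tokens
    // are arbitrary strings that may contain punctuation (question c).
    static String escape(String token) {
        StringBuilder sb = new StringBuilder();
        for (char c : token.toCharArray()) {
            if ("+-&|!(){}[]^\"~*?:\\/ ".indexOf(c) >= 0) {
                sb.append('\\');
            }
            sb.append(c);
        }
        return sb.toString();
    }

    // Build one fq-style clause: match any allow token, exclude any deny
    // token. A real component would need to handle the empty-token case
    // and append this as a filter to the incoming Solr request.
    static String buildFilter(List<String> userTokens) {
        StringBuilder allow = new StringBuilder();
        StringBuilder deny = new StringBuilder();
        for (String t : userTokens) {
            String esc = escape(t);
            if (allow.length() > 0) {
                allow.append(" OR ");
                deny.append(" OR ");
            }
            allow.append("allow_token:").append(esc);
            deny.append("deny_token:").append(esc);
        }
        return "(" + allow + ") AND NOT (" + deny + ")";
    }
}
```

A component wrapping the query this way would leave the user's original query untouched and attach the generated clause as a filter, so document scoring is unaffected by the security restriction.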