On Wed, Nov 19, 2014 at 9:22 AM, Philip Durbin
<philip_dur...@harvard.edu> wrote:
> On Wed, Nov 19, 2014 at 5:45 AM, Yonik Seeley <yo...@heliosearch.com> wrote:
>> On Tue, Nov 18, 2014 at 3:47 PM, Philip Durbin
>> <philip_dur...@harvard.edu> wrote:
>>> Solr JOINs are a way to enforce simple document security, as explained
>>> by Yonik Seeley at
>>> http://lucene.472066.n3.nabble.com/document-level-security-filter-solution-for-Solr-tp4126992p4126994.html
>>>
>>> I'm trying to tweak this pattern so that I don't have to keep the
>>> security information in each of my primary Solr documents.
>>>
>>> I just posted the gist at
>>> https://gist.github.com/pdurbin/4d27fea7b431ef3bf4f9 as an example of
>>> my working Solr JOIN based on data in `before.json`. Permissions per
>>> user are embedded in the primary documents like this:
>>>
>>>     {
>>>         "id": "dataset_3",
>>>         "perms_ss": [
>>>             "alice",
>>>             "bob"
>>>         ]
>>>     },
>>>     {
>>>         "id": "dataset_4",
>>>         "perms_ss": [
>>>             "alice",
>>>             "bob",
>>>             "public"
>>>         ]
>>>     },
>>>
>>> User documents have been created to do the JOIN on:
>>>
>>>     {
>>>         "id": "alice",
>>>         "groups_s": "alice"
>>>     },
>>>
>>> The JOIN looks like this:
>>>
>>> {!join+from=groups_s+to=perms_ss}id:public+OR+{!join+from=groups_s+to=perms_ss}id:alice
>>
>> It would probably be faster written as a single join:
>> fq={!join+from=groups_s+to=perms_ss}id:(public alice)
>
> Hmm, I can't get the single JOIN to work on the "before" example
> (perms embedded in each primary doc) in the gist I posted so I guess
> I'll live with the slower version with "OR".
>
>> Or, if you're using Heliosearch you could cache the filters separately
>> for better hit rates on commonly used perms via the "filter" keyword:
>> fq=filter({!join+from=groups_s+to=perms_ss}id:public) OR
>> filter({!join+from=groups_s+to=perms_ss}id:alice)
>
> Getting back to my original question about keeping permission
> information out of my primary documents, I noticed that
> http://heliosearch.org describes the Pseudo-Join feature as "selects a
> set of documents based on their relationship to a **second** set of
> documents" (emphasis mine) so I assume I can't take the perms out of
> my primary Solr documents and put them in a **third** set of
> "permission assignments" documents with definition points and role
> assignees: 
> https://gist.github.com/pdurbin/4d27fea7b431ef3bf4f9#file-after-json
> . That is, the three sets of documents would be:
>
> 1. primary (datasets, with no permission info)
> 2. users
> 3. permission assignments

You should be able to chain joins to follow any number of links.
I don't quite understand how you mean to use your schema... but something like

fq={!join from=definition_point_s to=id}role_assignee_ss:alice

That's only following a single link and ignoring the group_s field, so
I'm probably missing something.

-Yonik
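
An in-memory model of the chained join suggested in the reply above, added here as an illustration and not code from the thread or the gist. It follows two links (users to permission assignments to datasets) so the datasets carry no permission fields. The sample documents are constructed, and the shape of the assignment documents (one `definition_point_s`, a multi-valued `role_assignee_ss`) is an assumption based on the field names in the query above.

```python
# Model of Solr's {!join from=F to=T}<inner query>: collect the F values of
# the documents matching the inner query, then select every document whose
# T field holds one of those values.

def values(doc, field):
    """Return a field's values as a list (single- or multi-valued)."""
    v = doc.get(field, [])
    return v if isinstance(v, list) else [v]

def join(index, from_field, to_field, inner):
    keys = {v for d in inner for v in values(d, from_field)}
    return [d for d in index if keys & set(values(d, to_field))]

def by_id(index, *ids):
    """Stand-in for the inner query id:(a b ...)."""
    return [d for d in index if d["id"] in ids]

# Constructed sample index: datasets hold no permission information.
INDEX = [
    {"id": "dataset_3"},
    {"id": "dataset_4"},
    {"id": "dataset_5"},
    {"id": "dataset_6"},  # no assignment points here, so nobody sees it
    {"id": "alice", "groups_s": "alice"},
    {"id": "bob", "groups_s": "bob"},
    {"id": "public", "groups_s": "public"},
    {"id": "assign_1", "definition_point_s": "dataset_3",
     "role_assignee_ss": ["alice", "bob"]},
    {"id": "assign_2", "definition_point_s": "dataset_4",
     "role_assignee_ss": ["public"]},
    {"id": "assign_3", "definition_point_s": "dataset_5",
     "role_assignee_ss": ["bob"]},
]

def visible_ids(index, *principals):
    """Ids of the datasets reachable from the given user documents."""
    users = by_id(index, *principals)
    # Link 1: user documents -> permission assignments naming their group.
    grants = join(index, "groups_s", "role_assignee_ss", users)
    # Link 2: permission assignments -> the datasets they are defined on.
    datasets = join(index, "definition_point_s", "id", grants)
    return sorted(d["id"] for d in datasets)

if __name__ == "__main__":
    print(visible_ids(INDEX, "public", "alice"))
    print(visible_ids(INDEX, "bob"))
```

A dataset with no assignment document, or a principal with no user document, yields an empty result, so the filter denies by default.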
