0

I have an application where document creators determine what access permission (s) to give. The permissions are of the form:

  1. EVERYONE => 1
  2. MY_FRIENDS => 2
  3. ME_ONLY => 3

Example:

  1. User 1 creates doc1 and sets permission to EVERYONE
  2. User 2 created doc2 and sets permission to ME_ONLY
  3. User 3 creates doc3 and sets permissions to MY_FRIENDS

In the index we have creator_ids representing the list of users who created the document. e.g. for doc1: creator_ids=[1]

The list of MY_FRIENDS (for each document creator) is determined by different module, accessible at runtime.

A document can be created by more than one user, with each user giving permissions independently. e.g.:

  1. User 4 & 5 creates doc4. User 4 sets permission as EVERYONE while user 5 sets permission to ME_ONLY.
  2. User 6 & 7 creates doc5. User 6 sets permissions to MY_FRIENDS while user 7 sets permissive to ME_ONLY

For the case of multiple creators the less restrictive permission is used. e.g.:

  1. For doc4 the overriding permission will be EVERYONE
  2. For doc5 the overriding permission will be MY_FRIENDS

I have checked several discussions and can't find one that fits the model above:

  1. SOLR Permissions / Filtering Results depending on Access Rights
  2. https://issues.apache.org/jira/browse/SOLR-1872
  3. https://issues.apache.org/jira/browse/SOLR-1834
  4. http://lucene.472066.n3.nabble.com/Solr-and-Permissions-td2663289.html
  5. Fine grained security in Solr

To handle security I was thinking of 2 methods:

  1. Create a dynamic field ("permissions_*") that holds permission for each document creator. e.g:

    a) For doc1 permissions_1=1
b) For doc4 permissions_4=1 & permissions_5=3

Then a created a runtime method that checks each document permission (s) and decides if user trying to access is allowed.

  2. For each permission create a field that hold user(s) that have set that permission. e.g.

    a) For doc2 permission_1=[4], permission_2=[] & permission_3=[5]
b) For doc5 permission_1=[], permission_2=[6] & permission_3=[7]

Then use solr fq query to filter out documents based on permissions. However, I am not an expert in solr, so I still trying to find out how to create such a query.

A couple of questions:

  1. Is there a better way of handling this?
  2. Which of the 2 methods would scale?

Thanks in advance.

Community
  • 1
  • 1
Mugoma J. Okomba
  • 3,185
  • 1
  • 26
  • 37

1 Answers1

0

First of all, you should model your permissions set as ACL, so that it contains proper ACE (like 'allow User_A Friends' and 'allow User_B Me_Only). You can choose either to index this information together with document or to implement an external (custom) cache if permissions change frequently and you don't want to reindex. You can implement a custom filter that receives a user (name,id,whatever) and evaluates his permissions according to the rules you mentioned above. I advise to implement it as a PostFilter if the number of users and number of documents is large. See this post for more information: http://java.dzone.com/articles/custom-security-filtering-solr

lexk
  • 761
  • 3
  • 7