6

Our team currently uses Solr as the backend for our search solution and we are currently looking into adding some security constraints to it. We are currently looking into different levels of security which may encompass:

1) Dataset/core level security: the whole index is blocked from access for unauthorised users.
2) Field level security: certain fields are blocked from access.
3) Document level security: certain documents are blocked from access.

So far my research has shown that most people have implemented URL path based security for Solr, but no one seems to have any experience with finer grained security as outlined above. Our current use case is in the spend analysis market, where access to datasets needs to be tightly controlled at differing levels of granularity.

Based on what we have found so far, our questions are:

1) Is it possible to extend Solr so that it handles these differing levels of security transparently? Or should we be looking at controlling all of this within our search application? 2) Are there any extensions or packages out there that already do anything similar?

Thanks in advance for the help!

drigofonte
  • 198
  • 1
  • 9
  • Any luck with this? Because i am also looking for the same feature "document level security". I have one design approach too, but want to know if you have got something cool. –  Feb 15 '13 at 06:44
  • @hardik, so far we have stuck with implementing the above at the application level and then essentially controlling access to Solr so that only our application can access it (i.e. through port blocking and a firewall at the server level). I have not come across anything yet that does this within Solr, although I must say it has been a long time since I looked at this in any detail. Have you bumped into anything? – drigofonte Jul 27 '13 at 18:05

2 Answers2

4

As you already have found out, Solr does not current implement any kind of document-level security. Most people handle security at the HTTP level, or at the application level using simple filter queries. Obviously in this case, Solr access needs to be restricted to this application only, e.g. using HTTP auth.

That said, there are a couple of efforts towards implementing document-level security: SOLR-1834 and SOLR-1872. These patches are over a year old, so it will be probably cumbersome to apply them to a recent revision of Solr.

See also these discussions on the topic:

Mauricio Scheffer
  • 98,863
  • 23
  • 192
  • 275
0

I realize this is an old question but there have not been many (any?) advances in Solr to help with this since it was asked. There's an excellent general article at https://web.archive.org/web/20140625220726/http://www.searchtechnologies.com/search-engine-security.html that deals with this same question; it does not prescribe a specific implementation but discusses pros and cons of different approaches and is well worth the read.

Oskar Austegard
  • 4,599
  • 4
  • 36
  • 50
  • 1
    The article link doesn't work anymore, use this one instead: https://web.archive.org/web/20140625220726/http://www.searchtechnologies.com/search-engine-security.html – DavidVdd Jul 28 '22 at 09:37