lucene-solr-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jorge Luis Betancourt Gonzalez <jlbetanco...@uci.cu>
Subject Re: SOLR query - restrict access to user documents
Date Tue, 07 Oct 2014 21:31:46 GMT
I see you’re defining a default value for “rows” this could be overridden on the request,
and requesting a lot of documents from solr can stress out your server/cluster, of course
if the client in question has that many documents. if this is a fixed value and the clients
can’t request more documents, then I’ll consider moving this into the invariants section
ensuring that no matter what this value can’t be changed by the request. Some time ago I
had a similar use case, we wanted to expose Solr to the clients and eventually we faced problems
where some clients requested “all of his documents” in one request stressing out our cluster
in the end we wrote a custom SearchComponent to set max values (instead of a fixed value specified
on invariants) for the rows and start parameters (actually this component those a little more
as we add some limitations to each type of client, defining some constrains as how many documents.
i.e. data points can be requested, etc.).

Hope it helps, 

On Oct 7, 2014, at 11:37 AM, Nitin Agarwal <2nitinagarwal@gmail.com> wrote:

> Hi, I have a question around SOLR query, I am trying to restrict access to
> SOLR data.
> 
> We are running SOLR 4.7.1, and wish to expose the query capabilities to our
> customers for the data that belongs to them. Specifically "/select", with
> default configuration is the only Request Handler that customers can
> access.
> 
> <requestHandler name="/select" class="solr.SearchHandler">
>     <lst name="defaults">
>       <str name="echoParams">explicit</str>
>       <int name="rows">10</int>
>       <str name="df">text</str>
>     </lst>
> </requestHandler>
> 
> The custom API that fronts SOLR, will inject appropriate restriction
> into the "q" param e.g. q=customerNumber:123 or
> append to "q" param q=<customer query> AND customerNumber:123, before
> sending the request to the "/select" handler.
> 
> This works fine, however,
> 
> I want to know if there is a way customer can override these restrictions?
> 
> If so what can I do to prevent that?
> 
> So far I have come across facet.mincount as one potential concern
> where by customer can see data that they should not, e.g.
> 
> /select?q=<customer query> AND
> customerNumber:123&facet=true&facet.field=customerName&rows=0&*facet.mincount=0*
> 
> will return those customer names as well that do not belong to
> customerNumber 123.
> 
> Are there any other gotchas that I should know?
> 
> Thanks for your time and help,
> 
> Nitin

Concurso "Mi selfie por los 5". Detalles en http://justiciaparaloscinco.wordpress.com

Mime
View raw message