lucene-solr-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Erick Erickson <>
Subject Re: Access permission
Date Tue, 03 Mar 2015 23:46:06 GMT
You really have two choices:
1> index tokens with each doc of those (usually groups) that are
authorized to see them.
    Then when a user signs on, the front end assembles the list of
groups that the user
     belongs to and appends a filter query to each request like
&fq=auth:(group1 group5 group89)
    This starts to break down if any particular user can belong to
many hundreds of groups,
    although if you construct the fq clause _exactly_ the same way
each time, requests 2-n will
    use the filterCache.
    The other way this breaks down is if you have to grant individual
user/doc rights.
     The user changing groups isn't really a problem, since the fq
clause you assemble will just change.
    The big downside here is if the doc/group permissions change. Say
group1 suddenly gets or loses
    permissions to docs 1, 4, 90, 108. You must then re-index (or use
atomic updates) to update the
    auth tokens in each of those docs

2> use a "post filter", see: The advantage
    is that the filter is run _only_ on docs that make it through the
original query _and_ all
   more costly filters.


On Tue, Mar 3, 2015 at 6:32 AM,  <> wrote:
> Hi,
> I'm indexing data off a DB.  The data is secured with access permission.  That is record-A
can be seen by users-x, while record-B can be seen by users-y and yet record-C can be seen
by users x and y.  Even more, the group access permission can change over time.
> The question I have is this: how to handle this in Solr?  Is there anything I can do
during index and / or search time?  What's the best practice to handle access permission in
> Thanks!
> - MJ

View raw message