lucene-solr-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Douglas McGilvray ...@weemondo.com>
Subject Re: Securing field level access permission by filtering the query itself
Date Fri, 06 Nov 2015 15:05:36 GMT
You know what guys, I have had a change in perspective… 

I previously thought: do I want to index all these documents multiple times just to protect
3 fields
I am now thinking: do I really want to try to parse all the fields in a query when there are
only 3 roles. 

I have only 4k documents and 3 roles, so thats 8k more documents and I doubt I will need to
cross query with the other documents … 

Until I have more or more complex roles, or more protected documents, I think multiple cores
is the best option … 

Cheers
D


> On 5 Nov 2015, at 12:50, Alessandro Benedetti <abenedetti@apache.org> wrote:
> 
> Be careful to the suggester as well. You don't want to show suggestions
> coming from sensitive fields.
> 
> Cheers
> 
> On 5 November 2015 at 15:28, Scott Stults <sstults@opensourceconnections.com
>> wrote:
> 
>> Good to hear! Depending on how far you want to take it, you can then scan
>> the initial request coming in from the client (and the final response) for
>> raw Solr fields -- that shouldn't happen. I've used mod_security as a
>> general-purpose application firewall and would recommend it.
>> 
>> k/r,
>> Scott
>> 
>> On Wed, Nov 4, 2015 at 1:40 PM, Douglas McGilvray <dm@weemondo.com> wrote:
>> 
>>> 
>>> Thanks Alessandro, I had overlooked the highlighting component.
>>> 
>>> I will also add a reminder to exclude these fields from spellcheck
>> fields,
>>> (or maintain different spellcheck fields for different roles).
>>> 
>>> @Scott - Once I started planning my code the penny finally dropped
>>> regarding your point about aliasing the fields - it removes the need for
>>> calculating which fields to request in the app itself.
>>> 
>>> Regards,
>>> D
>>> 
>>> 
>>>> On 4 Nov 2015, at 14:53, Alessandro Benedetti <abenedetti@apache.org>
>>> wrote:
>>>> 
>>>> Of course it depends of all the query parameter you use and you process
>>> in
>>>> the response.
>>>> The list you wrote should be ok if you use only those components.
>>>> 
>>>> For example if you use highlight, it's not ok and you need to take care
>>> of
>>>> the highlighted fields as well.
>>>> 
>>>> Cheers
>>>> 
>>>> On 30 October 2015 at 14:51, Douglas McGilvray <dm@weemondo.com>
>> wrote:
>>>> 
>>>>> 
>>>>> Scott thanks for the reply. I like the idea of mapping all the
>>> fieldnames
>>>>> internally, adding security through obscurity. My question therefore
>>> would
>>>>> be what is the definitive list of query parameters that one must
>> filter
>>> to
>>>>> ensure a particular field is not exposed in the query response? Am I
>>>>> missing in the following?
>>>>> 
>>>>> fl
>>>>> facect.field
>>>>> facet.pivot
>>>>> json.facet
>>>>> terms.fl
>>>>> 
>>>>> 
>>>>> kr
>>>>> Douglas
>>>>> 
>>>>> 
>>>>>> On 30 Oct 2015, at 07:37, Scott Stults <
>>>>> sstults@opensourceconnections.com> wrote:
>>>>>> 
>>>>>> Douglas,
>>>>>> 
>>>>>> Managing a per-user-group whitelist of fields outside of Solr seems
>> the
>>>>>> best approach. When the query comes in you can then filter out any
>>> fields
>>>>>> not contained in the whitelist before you send the request to Solr.
>> The
>>>>>> easy part will be to do that on URL parameters like fl. Depending
on
>>> how
>>>>>> your app generates the actual query string, you may want to also
scan
>>>>> that
>>>>>> for fielded query clauses (eg "badfield:value") and localParams (eg
>>>>>> "{!dismax qf=badfield}value").
>>>>>> 
>>>>>> Secondly, you can map internal Solr fields to aliases using this
>> syntax
>>>>> in
>>>>>> the fl parameter: "display_name:real_solr_name". So when the request
>>>>> comes
>>>>>> in from your app, first you'll map from the requested field alias
>> names
>>>>> to
>>>>>> internal Solr names (while enforcing the whitelist), and then in
the
>> fl
>>>>>> parameter supply the aliases you want sent in the response.
>>>>>> 
>>>>>> 
>>>>>> k/r,
>>>>>> Scott
>>>>>> 
>>>>>> On Wed, Oct 28, 2015 at 6:58 PM, Douglas McGilvray <dm@weemondo.com>
>>>>> wrote:
>>>>>> 
>>>>>>> Hi all,
>>>>>>> 
>>>>>>> First I’d like to say the nested facets and the json facet
api in
>>>>>>> particular have made my world much better, I thank everyone
>> involved,
>>>>> you
>>>>>>> are all awesome.
>>>>>>> 
>>>>>>> In my implementation has much of the solr query building working
on
>>> the
>>>>>>> browser, solr is behind a php server which acts as “proxy”
and
>>> doorman,
>>>>>>> filtering at the document level according to user role and supplying
>>>>> some
>>>>>>> sensible maximums …
>>>>>>> 
>>>>>>> However we now wish to filter just one or two potentially sensitive
>>>>> fields
>>>>>>> in one document type according to user role (as determined in
the
>> php
>>>>>>> proxy). Duplicating documents (or cores) seems like overkill
for
>> just
>>>>> two
>>>>>>> fields in one document type .. I wondered if it would be feasible
>> (in
>>>>> the
>>>>>>> interests of preventing malicious activity) to filter the query
>> itself
>>>>>>> whether it be parameters (fl, facet.fields, terms, etc) … or
even
>> deny
>>>>> any
>>>>>>> request in which fieldname occurs …
>>>>>>> 
>>>>>>> Is there someway someone might obscure a fieldname in a request?
>>>>>>> 
>>>>>>> Kind Regards & thanks in davacne,
>>>>>>> Douglas
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> --
>>>>>> Scott Stults | Founder & Solutions Architect | OpenSource
>> Connections,
>>>>> LLC
>>>>>> | 434.409.2780
>>>>>> http://www.opensourceconnections.com
>>>>> 
>>>>> 
>>>> 
>>>> 
>>>> --
>>>> --------------------------
>>>> 
>>>> Benedetti Alessandro
>>>> Visiting card : http://about.me/alessandro_benedetti
>>>> 
>>>> "Tyger, tyger burning bright
>>>> In the forests of the night,
>>>> What immortal hand or eye
>>>> Could frame thy fearful symmetry?"
>>>> 
>>>> William Blake - Songs of Experience -1794 England
>>> 
>>> 
>> 
>> 
>> --
>> Scott Stults | Founder & Solutions Architect | OpenSource Connections, LLC
>> | 434.409.2780
>> http://www.opensourceconnections.com
>> 
> 
> 
> 
> -- 
> --------------------------
> 
> Benedetti Alessandro
> Visiting card : http://about.me/alessandro_benedetti
> 
> "Tyger, tyger burning bright
> In the forests of the night,
> What immortal hand or eye
> Could frame thy fearful symmetry?"
> 
> William Blake - Songs of Experience -1794 England


Mime
View raw message