jackrabbit-oak-issues mailing list archives

From "Dawid Iwo Cokan (Jira)" <j...@apache.org>
Subject [jira] [Created] (OAK-9381) Access check delegated to query execution
Date Thu, 11 Mar 2021 14:54:00 GMT
Dawid Iwo Cokan created OAK-9381:

             Summary: Access check delegated to query execution
                 Key: OAK-9381
                 URL: https://issues.apache.org/jira/browse/OAK-9381
             Project: Jackrabbit Oak
          Issue Type: Wish
            Reporter: Dawid Iwo Cokan

We are implementing a system to manage documents based on Jackrabbit Oak. We store thousands
of them and we have access rules set individually for every document (due to business
requirements). We have configured the Lucene index to support all our queries but there are
some users in the system that have access to only a small subset of documents. When one such
user invokes the search it takes a long time because OAK will first use the index to read all results
matching the constraints and only then will check whether the user has access to them.

We were evaluating how to improve this and we simply added an additional property to our document
nodes and saved the list of user ids who can read a particular node. Then we extended the definition
of the Lucene index to include this field.

Next we ensured that all queries we perform add the condition for that property. Now results
coming from LuceneIndex are 100% matched with current user access and performance is very good.


I am adding this as a Wish as this should for sure be discussed with a wider audience. Especially
as there are known limitations / problems:
 * Lucene would not support negation of the property so if the node would have DENY set for
some principal it would still have to be checked in memory
 * The property would be visible when reading a node, so we would have to ensure it gets hidden
 * We'd have to ensure the property is aligned with the current state of the ACL, also when parent
node settings are changed
 * A principal can have child principals and can be resolved dynamically so the finite list
of all principal names who can access the node might vary over time
 * In case of inherited access the same principal would have to be set for each of the nodes
in the structure



This message was sent by Atlassian Jira
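
An added sketch, not Oak code and not part of the message above: a plain Python model with constructed data of the approach the message describes, where a copy of the readers list is indexed and used as a query condition. The property name `readers`, the `deny` set and every function name are hypothetical. It shows why the in-memory access check still has to run on every hit: a DENY entry and a stale index copy both let an unreadable node through the index condition.

```python
def sample_docs():
    # Constructed data. "readers" stands in for the extra property from the
    # message (a hypothetical name); "deny" models a DENY entry in the ACL.
    return {
        "/docs/a": {"text": "invoice 2021", "readers": {"alice", "staff"}, "deny": set()},
        "/docs/b": {"text": "invoice 2020", "readers": {"staff"}, "deny": {"bob"}},
        "/docs/c": {"text": "invoice draft", "readers": {"alice"}, "deny": set()},
        "/docs/d": {"text": "memo", "readers": {"staff"}, "deny": set()},
    }

# User -> principals resolved at query time (constructed; bob is in "staff").
PRINCIPALS = {"alice": {"alice"}, "bob": {"bob", "staff"}}

def build_index(docs):
    """Copy the indexed fields; the copy goes stale if the ACL changes later."""
    return {p: {"text": d["text"], "readers": set(d["readers"])} for p, d in docs.items()}

def can_read(docs, path, user):
    """Authoritative check on the current ACL state: an allow is needed, DENY wins."""
    who = PRINCIPALS[user]
    return bool(who & docs[path]["readers"]) and not (who & docs[path]["deny"])

def search(index, docs, user, term, prefilter):
    """Return (readable results, number of index hits that had to be checked)."""
    who = PRINCIPALS[user]
    hits = [p for p, f in index.items()
            if term in f["text"] and (not prefilter or who & f["readers"])]
    return sorted(p for p in hits if can_read(docs, p, user)), len(hits)

if __name__ == "__main__":
    docs = sample_docs()
    index = build_index(docs)
    for user in ("alice", "bob"):
        for prefilter in (False, True):
            print(user, "prefilter" if prefilter else "post-filter only",
                  search(index, docs, user, "invoice", prefilter))
    docs["/docs/c"]["readers"].discard("alice")   # ACL changes, index not yet updated
    print("stale index:", search(index, docs, "alice", "invoice", True))
```

In this model the index condition only reduces how many hits reach the access check; the result set is the same with and without it, because `can_read` remains the access decision.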
