Solr Authentication

Question

I have my Solr 4.3 instance running on a tomcat server with Nutch crawling my local filesystem and Solr storing the indexes.

When a user searches, I need Solr to filter out certain docs based on the type of user.

Say I have a directory structure like so:

dir1
  |------dir_userA----files
  |------dir_userB----files
  |------Public-------files

So I only want the search to return results from directories that a particular user has access to.

Is this possible?

Answer 1

Solr does not have document-level security, so you would have to retrieve and index access control lists for each document. Then you need to apply a filter query to every search and pass in the user's security group and/or username.

Let's say your document is indexed like this, where the values for the multivalued field "access" is determined at index time by the actual permissions on the file:

<doc>
  <field name="id">42</field>
  <field name="name">Products.xlsx</field>
  <field name="title">Product list</field>
  <field name="content">...</field>
  <field name="access">COMPANY\Marketing</field>
  <field name="access">COMPANY\CustomerService</field>
</doc>

Then you can decorate the query request handler with a default filter query parameter in solrconfig.xml:

<requestHandler name="/select" class="solr.SearchHandler">
    <defaults>
        <str name="fq">access:"COMPANY\Everyone"</str>
    </default>
</requestHandler>

Now searches by default will not return the Products.xlsx document, since the default 'user' that is impersonated (namely "COMPANT\Everyone") does not appear in the "access" field. But as soon as you pass in an actual user's group to override the default filter query, Solr will return the document:

/solr/collection1/select?q=content:"product x"&fq=access:"COMPANY\Marketing"

Of course when the permissions change, the index must be updated as soon as possible to reflect this.