Reputation: 139
All.
I have a theoretical question. Imagine: I have several million documents with metadata (class, attributes) + full text search engine (ES, Solr) + attribute based access control (ABAC... or RBAC for simplicity). Document metadata can be updated frequently.
Q: What are the best practices for applying security on top of full text search results? Do I need to go through each result and check: does it pass security or not?
Any real life examples are welcome.
Upvotes: 1
Views: 547
Reputation: 657
With security I think you mean authorization of search fields. There are several approaches.
You can do it on the index level by building different indices and creating this security on the application level for each index. Both ES and Solr allow you to search across indices.
On the document level by applying filtering on a field that indicates the authorization. You will have to apply this as a filter automatically for each profile.
On the field level would also be possible by applying suffixes to field names. You can then do the configuration per profile.
Solr has an authorization plugin that does this for you, see https://cwiki.apache.org/confluence/display/solr/Rule-Based+Authorization+Plugin. You then need to define custom request handlers in the solrconfig to indices or automatic filtering of fields.
Elasticsearch has Security (Shield) which should do this for you. https://www.elastic.co/products/x-pack/security
Upvotes: 2
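The document-level approach from the answer above, as an added example that is not part of either post: the application wraps every user query in an Elasticsearch `bool` query whose `filter` clause restricts hits to documents readable by the caller's roles, so results are not checked one by one after the search. The field name `acl_read`, the `Principal` type and the sample documents are assumptions made for illustration.

```python
"""Added example: document-level authorization as a mandatory query filter."""
from dataclasses import dataclass

ACL_FIELD = "acl_read"  # hypothetical keyword field listing roles allowed to read


@dataclass(frozen=True)
class Principal:
    user_id: str
    roles: frozenset


def secure_query(user_query: dict, principal: Principal) -> dict:
    """Wrap the caller's query so the engine only returns readable documents."""
    if not principal.roles:
        # Fail closed: no roles means no results, never an unfiltered search.
        return {"query": {"match_none": {}}}
    acl_filter = {"terms": {ACL_FIELD: sorted(principal.roles)}}
    return {
        "query": {
            "bool": {
                "must": [user_query],    # scored full-text part, as submitted
                "filter": [acl_filter],  # non-scoring, ANDed with the must clause
            }
        }
    }


def visible(doc: dict, principal: Principal) -> bool:
    """Local model of what the terms filter matches, for testing ACL data."""
    return bool(set(doc.get(ACL_FIELD, [])) & principal.roles)


# Constructed sample documents and users.
DOCS = [
    {"id": 1, "title": "Q3 salary review", ACL_FIELD: ["hr"]},
    {"id": 2, "title": "Salary bands FAQ", ACL_FIELD: ["hr", "staff"]},
    {"id": 3, "title": "Draft without ACL"},  # no ACL field: visible to nobody
]
ALICE = Principal("alice", frozenset({"staff"}))
NOBODY = Principal("guest", frozenset())

if __name__ == "__main__":
    print(secure_query({"match": {"title": "salary"}}, ALICE))
    print([d["id"] for d in DOCS if visible(d, ALICE)])
```

In Solr the same restriction would be sent as an `fq` filter query alongside the user's `q`. Because the ACL is stored on the document, a permission change only takes effect once that document is reindexed.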