Alfresco and Solr permission checks

Question

The following code returns a number of results greater than 1000:

SearchParameters searchParams = new SearchParameters();
searchParameters.setQuery(query);
searchParameters.setSkipCount(0);
searchParameters.setMaxPermissionChecks(1000);
searchParameters.setPermissionEvaluation(PermissionEvaluationMode.EAGER);
searchParameters.setLimitBy(LimitBy.NUMBER_OF_PERMISSION_EVALUATIONS);
ResultSet results = searchService.query(searchParams);

Because I am setting the max permission checks to 1000, I wasn't expecting more than 1000 results.

To get the expected number of results, it is possible to use a different permission evaluation:

searchParameters.setPermissionEvaluation(PermissionEvaluationMode.NONE);

The problem with this is that Solr will not use its internal permission checks and so performance will be impacted.

Is this the expected behaviour? Is there a way to let Solr filter the results based on permissions and at the same time limit the number of permission evaluations?

Answer 1

Read access filtering is done by a simple SOLR filter query, which is extremely efficient and does not really make that much of a difference whether 100 or 100.000 results are matched. As the SOLR filter query handling is an extremely low-level operation that may occur before results are sorted according to relevance, there is also no way for Alfresco to limit the number of "evaluations" without messing with the internals of how SOLR executes queries. The real performance overhead comes from the fact that in this particular case, an effectively unbounded result page is requested, causing 1) significant transport overhead as the SOLR JSON result has to contain all the matching result's IDs, and 2) the Repository-tier handling of SOLR results aggressively pre-caches the results from the database.

There is generally no sensible use of the LimitBy.NUMBER_OF_PERMISSION_EVALUATIONS limitation, especially from an end-user perspective. Limitations should generally always be based on the LimitBy.FINAL_SIZE (in combination with setMaxItems(int)), as the maxPermissionChecks would still be respected IF at some point during search execution, Repository-tier permission checking needs to be involved (e.g. processing denied permissions if security.anyDenyDenies is enabled and either security.postProcessDenies is enabled or SOLR was itself not able / configured to filter denies).

TL;DR: The behaviour is to be expected. The LimitBy.NUMBER_OF_PERMISSION_EVALUATIONS is a left-over mode from legacy Lucene that is not applicable to SOLR. It is always recommended to also limit the total number of items to be returned from search via setMaxItems(int)