Our team currently uses Solr as the backend for our search solution and we are currently looking into adding some security constraints to it. We are currently looking into different levels of security which may encompass:
1) Dataset/core level security: the whole index is blocked from access for unauthorised users.
2) Field level security: certain fields are blocked from access.
3) Document level security: certain documents are blocked from access.
So far my research has shown that most people have implemented URL path based security for Solr, but no one seems to have any experience with finer grained security as outlined above. Our current use case is in the spend analysis market, where access to datasets needs to be tightly controlled at differing levels of granularity.
Based on what we have found so far, our questions are:
1) Is it possible to extend Solr so that it handles these differing levels of security transparently? Or should we be looking at controlling all of this within our search application?
2) Are there any extensions or packages out there that already do anything similar?
Thanks in advance for the help!
As you already have found out, Solr does not current implement any kind of document-level security. Most people handle security at the HTTP level, or at the application level using simple filter queries. Obviously in this case, Solr access needs to be restricted to this application only, e.g. using HTTP auth.
That said, there are a couple of efforts towards implementing document-level security: SOLR-1834 and SOLR-1872. These patches are over a year old, so it will be probably cumbersome to apply them to a recent revision of Solr.
See also these discussions on the topic: