How to restrict user's Solr searching scope based on his/her entitlement

自闭症网瘾萝莉.ら submitted on 2019-12-13 02:51:48

Question


I have data that can only be exposed to people with entitlement. The data has a meta field called "system"; there are hundreds of systems, and we have authorized users pre-defined in a database. How can I design the system so that an authorized user is granted only the data that he or she is entitled to? E.g. if Adam is from the Equity team, he can view search results from systems 1-10 and not the rest; if Amily is from the Audit team, she can view search results from all systems 1-200.

Thank you very much.


Answer 1:


For a small-ish number of systems (i.e. where the count doesn't exceed the maximum number of boolean terms in a query), adding a fq=system:(1 OR 2 OR 3 OR 4 OR 5 ... OR 10) is the easiest way to limit the result set - this assumes that the user is allowed to access all fields in the document. Your external system can provide a list of system ids that the user is allowed to access, and you then apply the fq for every request to Solr.

It's important that this is done on every request, since a user can otherwise get exposed to data they should not have access to through facets and other metainformation.

Bloomberg has a nice presentation about how they attacked this problem in one of their 2014 Lucene/Solr Revolution talks - Efficient Scalable Search in a Multi-Tenant Environment - where they went as far down as implementing different access rights for parts of the values in a field.
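
One way to apply the filter from Answer 1 on the server side, as an added example that is not part of the original answers: it builds the fq from the user's entitlement list, rejects malformed ids and empty entitlements, and goes beyond the answer by switching to Solr's terms query parser when the list exceeds the boolean clause limit. The function names, the parameter allowlist and the limit value are assumptions; only the field name "system" comes from the question.

```python
import re

# Assumption: Solr's shipped default for maxBooleanClauses; check solrconfig.xml.
MAX_BOOLEAN_CLAUSES = 1024
# Assumption: system ids are short decimal numbers, as in the question (1-200).
_SYSTEM_ID = re.compile(r"[0-9]{1,6}")
# Hypothetical allowlist: only parameters the application expects are passed
# through, so a client cannot supply its own filters or request handler.
_CLIENT_ALLOWED = {"q", "start", "rows", "sort", "facet", "facet.field"}


def entitlement_fq(system_ids, max_clauses=MAX_BOOLEAN_CLAUSES):
    """Return the fq value restricting results to the entitled system ids."""
    ids = {str(s) for s in system_ids}
    if not ids:
        # Deny by default: no entitlement means no query is sent at all.
        raise PermissionError("user has no entitled systems")
    bad = sorted(s for s in ids if not _SYSTEM_ID.fullmatch(s))
    if bad:
        # Ids are interpolated into query syntax, so reject anything unexpected.
        raise ValueError(f"malformed system id(s): {bad!r}")
    ordered = sorted(ids, key=int)
    if len(ordered) <= max_clauses:
        return "system:(" + " OR ".join(ordered) + ")"
    # Too many clauses for a boolean query: the terms parser has no such limit.
    return "{!terms f=system}" + ",".join(ordered)


def build_params(client_params, system_ids):
    """Build the parameter list sent to Solr for one request.

    The entitlement fq is computed server-side from the database lookup and
    appended to every request, including faceting requests.
    """
    params = [(k, v) for k, v in client_params.items() if k in _CLIENT_ALLOWED]
    params.append(("fq", entitlement_fq(system_ids)))
    return params


if __name__ == "__main__":
    # Constructed sample: Adam (Equity) is entitled to systems 1-10.
    print(build_params({"q": "bond", "fq": "system:200"}, range(1, 11)))
```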




Answer 2:


I think the best solution for your query is this: you can create documents, and for each document you can add a multivalued field, which we call userAllow.

Whenever you query Solr, pass the userid in a filter query in the way below, and Solr returns only those documents that have rights for those users.

If Adam's userid is 1, then:

q:(Your Query)
fq:SolrAllow:1

The result set contains only those records having rights for userid 1.

You can also implement it this way.



Source: https://stackoverflow.com/questions/49741782/how-to-restrict-users-solr-searching-scope-based-on-his-her-entitlement
