Solr JOINs are a way to enforce document security, as explained by Yonik Seeley at http://lucene.472066.n3.nabble.com/document-level-security-filter-solution-for-Solr-tp4126992p4126994.html
This repository contains an example of a working Solr JOIN based on data in before.json. Permissions per user are embedded in the primary documents like this:
{
  "id": "dataset_3",
  "perms_ss": [
    "alice",
    "bob"
  ]
},
{
  "id": "dataset_4",
  "perms_ss": [
    "alice",
    "bob",
    "public"
  ]
},
User documents have been created to do the JOIN on:
{
  "id": "alice",
  "groups_s": "alice"
},
The JOIN looks like this:
{!join+from=groups_s+to=perms_ss}id:public+OR+{!join+from=groups_s+to=perms_ss}id:alice
Because indexing the primary documents (datasets) takes a while, I'm interested in exploring the idea of introducing a third type of document that contains the permission information. after.json is an example, with documents that look like this:
{
  "id": "dataset_3"
},
{
  "id": "dataset_4"
},
{
  "id": "public",
  "groups_s": "public"
},
{
  "id": "alice",
  "groups_s": "alice"
},
{
  "id": "bob",
  "groups_s": "bob"
},
{
  "id": "charlie",
  "groups_s": "charlie"
},
{
  "id": "dataset_1_perms",
  "definition_point_s": "dataset_1",
  "role_assignee_ss": [
    "alice"
  ]
},
{
  "id": "dataset_2_perms",
  "definition_point_s": "dataset_2",
  "role_assignee_ss": [
    "bob"
  ]
},
The question is whether it's possible to construct a Solr JOIN such that the same permissions are enforced and the same documents are returned per user. This repo contains expected output and test runners for anyone who can figure out the syntax of the JOIN.
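
The equivalence being asked for can be stated as an offline check. The following is an added example, not code from this repository: it models the semantics of `{!join from=F to=T}` in plain Python instead of querying Solr, and compares the one-hop JOIN above with a hypothetical two-hop form for the separate permission documents. The sample index is constructed from the excerpts above (the dataset_3 and dataset_4 permission documents are assumed), and the two-hop form has not been run against Solr.

```python
# Constructed data: field names and ids follow the README excerpts; the
# dataset_3/dataset_4 permission documents are assumed for illustration.
USERS = [{"id": u, "groups_s": u} for u in ("public", "alice", "bob", "charlie")]
GRANTS = {"dataset_1": ["alice"], "dataset_2": ["bob"],
          "dataset_3": ["alice", "bob"], "dataset_4": ["alice", "bob", "public"]}
BEFORE = USERS + [{"id": d, "perms_ss": p} for d, p in GRANTS.items()]
AFTER = (USERS + [{"id": d} for d in GRANTS] +
         [{"id": d + "_perms", "definition_point_s": d, "role_assignee_ss": p}
          for d, p in GRANTS.items()])


def values(doc, field):
    """Return a field's values as a list (Solr fields may be multi-valued)."""
    v = doc.get(field, [])
    return v if isinstance(v, list) else [v]


def join(index, from_field, to_field, inner_ids):
    """Model {!join from=F to=T}q, where q matched the documents in inner_ids."""
    # Collect the from-field values of the matched documents...
    keys = {v for d in index if d["id"] in inner_ids for v in values(d, from_field)}
    # ...and return every document whose to-field holds one of those values.
    return {d["id"] for d in index if keys & set(values(d, to_field))}


def visible_before(user):
    """Embedded model: one hop, user documents -> datasets via perms_ss.

    The README ORs two joins (id:public, id:<user>); joining on the union of
    the matched ids yields the same set.
    """
    return join(BEFORE, "groups_s", "perms_ss", {"public", user})


def visible_after(user):
    """Hypothetical two-hop form for the separate-permission-document model."""
    # Hop 1: user/group documents -> permission documents.
    perm_docs = join(AFTER, "groups_s", "role_assignee_ss", {"public", user})
    # Hop 2: permission documents -> the datasets they are defined on.
    return join(AFTER, "definition_point_s", "id", perm_docs)


if __name__ == "__main__":
    for user in ("alice", "bob", "charlie", "mallory"):  # mallory has no user doc
        before, after = visible_before(user), visible_after(user)
        print(user, sorted(before), "same" if before == after else "DIFFERENT")
```

A user with no user document (mallory here) matches nothing in the inner query and falls back to the public grant only, so both models fail closed for unknown identities.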