# Licensed to the Apache Software Foundation (ASF) under one or more # contributor license agreements. See the NOTICE file distributed with # this work for additional information regarding copyright ownership. # The ASF licenses this file to You under the Apache License, Version 2.0 # (the "License"); you may not use this file except in compliance with # the License. You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. Compatibility ------------ This version of this component is fully functional with Apache ManifoldCF 1.6 and above. It is backwards compatible with earlier versions as well, except for the fact that two additional Solr fields are required for this plugin to work. Instructions for Building Apache ManifoldCF Plugin for Apache Solr 7.x from Source ------------------------------------------------------------------------------ 1. Download the Java SE 8 JDK (Java Development Kit), or greater, from http://www.oracle.com/technetwork/java/index.html. You will need the JDK installed, and the %JAVA_HOME%\bin directory included on your command path. To test this, issue a "java -version" command from your shell and verify that the Java version is 1.8 or greater. 2. Download and install Maven 3.0 or later. Maven installation and configuration instructions can be found here: http://maven.apache.org 3. Building distribution assemblies Execute the following command in order to build the distribution assemblies mvn clean package assembly:single The JAR package can be found in the target folder: target/apache-manifoldcf-solr-7.x-plugin-.jar where is the release version Getting Started --------------- There are two ways to hook up security to Solr in this package. The first is using a Query Parser plugin. The second is using a Search Component. In both cases, the first step is to have ManifoldCF installed and running. See: http://manifoldcf.apache.org/release/trunk/en_US/how-to-build-and-deploy.html Then, in order to store the document authorization information you need to add 'allow' and 'deny' fields for documents, parents, and shares to your Solr index. Depending on your schemaFactory setting in solrconfig.xml you have to use either the schema.xml file for 'ClassicIndexSchemaFactory' or the schema API for 'ManagedIndexSchemaFactory'. See section 'Managed Schema Definition in SolrConfig' in the Solr Reference Gude https://www.apache.org/dyn/closer.cgi/lucene/solr/ref-guide/apache-solr-ref-guide-7.0.pdf For schema.xml simply add the following field definitions to the section: To define the fields via schema API use the curl command instead: curl -X POST -H 'Content-type:application/json' --data-binary '{ "add-field" : [ { "name":"allow_token_document", "type":"string", "indexed":"true", "stored":"true", "multiValued":"true", "required":"true", "default":"__nosecurity__" }, { "name":"allow_token_parent", "type":"string", "indexed":"true", "stored":"true", "multiValued":"true", "required":"true", "default":"__nosecurity__" }, { "name":"allow_token_share", "type":"string", "indexed":"true", "stored":"true", "multiValued":"true", "required":"true", "default":"__nosecurity__" }, { "name":"deny_token_document", "type":"string", "indexed":"true", "stored":"true", "multiValued":"true", "required":"true", "default":"__nosecurity__" }, { "name":"deny_token_parent", "type":"string", "indexed":"true", "stored":"true", "multiValued":"true", "required":"true", "default":"__nosecurity__" }, { "name":"deny_token_share", "type":"string", "indexed":"true", "stored":"true", "multiValued":"true", "required":"true", "default":"__nosecurity__"} ]}' http://localhost:8983/solr//schema Replace with your core or collection name respectively. The default value of "__nosecurity__" is mandatory because the queries will be rewritten to use all of these 6 fields. If a field is missing in the index then you will get no results for your search. Check the field definitions with curl http://localhost:8983/solr//schema/fields Using the Query Parser Plugin ----------------------------- To set up the query parser plugin, modify your solrconfig.xml to add the query parser: http://localhost:8345/mcf-authority-service 50 Hook up the search component in the solrconfig.xml file wherever you want it, e.g.: {!manifoldCFSecurity} ... Using the Search Component -------------------------- To set up the search component, modify your solrconfig.xml to add the search component: http://localhost:8345/mcf-authority-service 50 Hook up the search component in the solrconfig.xml file wherever you want it, e.g.: manifoldCFSecurity ... Supplying authenticated usernames and domains ---------------------------------------------- This component looks for the following parameters in the Solr request object: AuthenticatedUserName AuthenticatedUserDomain AuthenticatedUserName_XX AuthenticatedUserDomain_XX At a minimum, AuthenticatedUserName must be present in order for the component to communicate with the ManifoldCF Authority Service and obtain user access tokens. In that case, the user identity will consist of one user and one authorization domain. If AuthenticatedUserDomain is not set, then the authorization domain chosen will be the standard default domain, an empty string. If you need multiple user/domain tuples for the user identity, you may pass these as parameter pairs starting with AuthenticatedUserName_0 and AuthenticatedUserDomain_0, and counting up as high as you like. Operation in conjunction with mod-authz-annotate ------------------------------------------------ An optional component of ManifoldCF can be built and deployed as part of Apache - mod-authz-annotate. The mod-authz-annotate module obtains the Kerberos principal from the Kerberos tickets present if mod-auth-kerb is used, and uses the MCF Authority Service to look up the appropriate access tokens. If you choose to use that architecture, you will still need to use this Solr component to modify the user query. All you have to do is the following: - Make sure you do not set AuthenticatedUserName or AuthenticatedUserName_0 in the request - Make sure the HTTP request from Apache to Solr translates all AAAGRP header values into "UserToken" parameters for the Solr request Licensing --------- Apache ManifoldCF Plugin for Apache Solr 7.x is licensed under the Apache License 2.0. See the files called LICENSE.txt and NOTICE.txt for more information. Cryptographic Software Notice ----------------------------- This distribution may include software that has been designed for use with cryptographic software. The country in which you currently reside may have restrictions on the import, possession, use, and/or re-export to another country, of encryption software. BEFORE using any encryption software, please check your country's laws, regulations and policies concerning the import, possession, or use, and re-export of encryption software, to see if this is permitted. See for more information. The U.S. Government Department of Commerce, Bureau of Industry and Security (BIS), has classified this software as Export Commodity Control Number (ECCN) 5D002.C.1, which includes information security software using or performing cryptographic functions with asymmetric algorithms. The form and manner of this Apache Software Foundation distribution makes it eligible for export under the License Exception ENC Technology Software Unrestricted (TSU) exception (see the BIS Export Administration Regulations, Section 740.13) for both object code and source code. The following provides more details on the included software that may be subject to export controls on cryptographic software: The Apache ManifoldCF Solr 7.x Plugin does not include any implementation or usage of cryptographic software at this time. Contact ------- o For general information visit the main project site at http://manifoldcf.apache.org