Displaying restricted documents - MCF Authority connection
Valid from 3.0
The documentation below is valid from Datafari v3.0 upwards
In this page we explain what an MCF authority connection is, how to create one for a file share and finally how to query MCF directly to see the ACLs retrieved for a particular user.
1. What is an MCF authority connection
To answer that, here is first an architecture diagram of MCF:
The authority service is a web application that runs authority connectors. Its goal is to get the access tokens of a specific user, so that when a user runs a query on Datafari, they can only see the documents they have the right to see.
This diagram is extracted from a presentation given at Lucene Revolution by Aurelien Mazoyer from France Labs: https://fr.slideshare.net/francelabs/integrate-manifoldcf-with-solr . You can view the whole presentation if you want more information about MCF.
2. How to create an MCF authority connection for a Windows file share
MCF provides an early-binding authorization mechanism for file searches: MCF extracts the ACLs of each file at crawl time and injects them into Solr as specific fields of the Solr document.
At query time, Datafari can ask Solr for the documents that are available to a specific user profile. Solr handles the query and contacts the authority service of MCF to ask for information on the authenticated user, such as group membership. Solr then performs the query and filters the results using this information.
In Datafari the Solr schema is already configured to store ACLs, and the MCF security plugin is already present on the search handler, so you only have to configure the MCF authority connection in the MCF admin UI.
Go to the MCF admin UI, create a new Authority, select the connection type “Active Directory” and add the configuration of your AD in the Domain Controller tab, as in the following screenshot:
Change the configuration of your Windows share connector to link it with your AD authority connector:
Create a crawl job and configure it as you want.
You can now perform a search on Datafari: the results displayed are only the documents that you have the right to see.
If you look at the Solr logs, you will see that a parameter is added to each query: AuthenticatedUserName=username@domain. It is added by the MCF security plugin configured on the search handler.
So if you want to run queries in the Solr admin UI and see which documents a particular user can access, add the parameter AuthenticatedUserName=username@domain like this:
3. Query the MCF authority connector directly
For testing purposes, you can also query the MCF authority service directly to get the SID of a specific user and the SIDs of the groups he belongs to:
The URL is http://DATAFARI_IP:8080/datafari-mcf-authority-service/UserACLs?username=user@domain
The URL is case sensitive, so be careful about it.
So for my previous example, the URL will be:
http://DATAFARI_IP:8080/datafari-mcf-authority-service/UserACLs?username=admin@corp.francelabs.com
You will obtain the list of ACLs for this user:
This documentation is largely inspired by our blog post: http://www.francelabs.com/blog/tutorial-on-authorizations-for-manifold-cf-and-solr/
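The following script is an added example, not part of this documentation nor of the Datafari or ManifoldCF code. It ties sections 2 and 3 together offline: it builds the UserACLs URL and the Solr query URL carrying AuthenticatedUserName, parses a constructed authority-service response, and then applies the allow/deny rule to a few constructed Solr documents so you can check what a given user should (and should not) see before trusting the live results. The line-oriented AUTHORIZED:/TOKEN: response format, the __nosecurity__ marker, the allow_token_*/deny_token_* field names, the Solr port and core name, and every SID and document below are assumptions or constructed sample data, not values taken from this page.

```python
"""Added example: offline check of the MCF authority tokens and the ACL filtering
that the MCF security plugin applies to Solr results (assumed formats, sample data)."""
from urllib.parse import urlencode

AUTHORITY_URL = "http://DATAFARI_IP:8080/datafari-mcf-authority-service/UserACLs"
SOLR_SELECT_URL = "http://DATAFARI_IP:8983/solr/FileShare/select"  # assumed port/core
NO_SECURITY = "__nosecurity__"  # assumed marker for documents crawled without ACLs
LEVELS = ("document", "share")  # assumed ACL levels stored as allow_token_*/deny_token_*

# Constructed sample response of the authority service for admin@corp.francelabs.com.
SAMPLE_RESPONSE = (
    "AUTHORIZED:ADAuthority\n"
    "TOKEN:ADAuthority:S-1-5-21-111-222-333-500\n"   # the user's own SID (constructed)
    "TOKEN:ADAuthority:S-1-5-21-111-222-333-513\n"   # Domain Users (constructed)
    "TOKEN:ADAuthority:S-1-1-0\n"                    # Everyone (constructed)
)

# Constructed sample Solr documents carrying the ACL fields injected at crawl time.
SAMPLE_DOCS = [
    {"id": "smb://srv/share/public.docx",
     "allow_token_document": ["ADAuthority:S-1-1-0"], "deny_token_document": [],
     "allow_token_share": ["ADAuthority:S-1-1-0"], "deny_token_share": []},
    {"id": "smb://srv/share/hr/payroll.xlsx",          # allowed only to an HR group
     "allow_token_document": ["ADAuthority:S-1-5-21-111-222-333-1105"],
     "deny_token_document": [],
     "allow_token_share": ["ADAuthority:S-1-1-0"], "deny_token_share": []},
    {"id": "smb://srv/share/denied.txt",               # explicit deny for Domain Users
     "allow_token_document": ["ADAuthority:S-1-1-0"],
     "deny_token_document": ["ADAuthority:S-1-5-21-111-222-333-513"],
     "allow_token_share": ["ADAuthority:S-1-1-0"], "deny_token_share": []},
    {"id": "smb://srv/share/nosec.txt",                # crawled without any ACL
     "allow_token_document": [NO_SECURITY], "deny_token_document": [],
     "allow_token_share": [NO_SECURITY], "deny_token_share": []},
]


def authority_url(username):
    """UserACLs URL for one user; the username is URL-encoded and its case preserved."""
    return AUTHORITY_URL + "?" + urlencode({"username": username})


def solr_query_url(username, q="*:*"):
    """Solr select URL with the AuthenticatedUserName parameter read by the plugin."""
    return SOLR_SELECT_URL + "?" + urlencode({"q": q, "AuthenticatedUserName": username})


def parse_authority_response(text):
    """Split the line-oriented response into (authorities, tokens, problems).
    Lines other than AUTHORIZED:/TOKEN: (USERNOTFOUND:, UNREACHABLEAUTHORITY:, ...)
    are reported as problems so a test user with no tokens is not mistaken for a denied one."""
    authorities, tokens, problems = [], [], []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        kind, _, value = line.partition(":")  # keep 'authority:SID' intact after the first ':'
        if kind == "AUTHORIZED":
            authorities.append(value)
        elif kind == "TOKEN":
            tokens.append(value)
        else:
            problems.append(line)
    return authorities, tokens, problems


def is_visible(doc, tokens):
    """At every level, some allow token must match (or the document has no security)
    and no deny token may match. Deny always wins over allow."""
    toks = set(tokens)
    for level in LEVELS:
        allow = doc.get(f"allow_token_{level}", [])
        deny = doc.get(f"deny_token_{level}", [])
        if NO_SECURITY not in allow and not toks.intersection(allow):
            return False
        if toks.intersection(deny):
            return False
    return True


def visible_ids(docs, tokens):
    """Ids of the documents the user holding `tokens` is allowed to see."""
    return [d["id"] for d in docs if is_visible(d, tokens)]


def solr_filter_query(tokens):
    """The same rule rendered as a Solr fq string; tokens are quoted because SIDs
    contain ':' and '-', which are query-syntax characters."""
    def group(values):
        return "(" + " OR ".join('"%s"' % v for v in values) + ")"
    clauses = []
    for level in LEVELS:
        clauses.append(f"+allow_token_{level}:{group(list(tokens) + [NO_SECURITY])}")
        if tokens:  # an empty deny group would be a syntax error
            clauses.append(f"-deny_token_{level}:{group(tokens)}")
    return " ".join(clauses)


if __name__ == "__main__":
    user = "admin@corp.francelabs.com"
    print(authority_url(user))
    print(solr_query_url(user, "payroll"))
    _, toks, problems = parse_authority_response(SAMPLE_RESPONSE)
    print("tokens:", toks, "problems:", problems)
    print("visible:", visible_ids(SAMPLE_DOCS, toks))
    print("fq:", solr_filter_query(toks))
```

Run it as-is to see the sample result, then replace SAMPLE_RESPONSE with the real body returned by the UserACLs URL (section 3) and compare visible_ids against what the Solr admin UI returns with AuthenticatedUserName set (section 2); a document present in one list but not the other points at a mismatch between the ACLs injected at crawl time and the tokens resolved by the authority connection.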