Posted to dev@lucene.apache.org by "Jan Høydahl (JIRA)" <ji...@apache.org> on 2019/07/23 23:35:00 UTC

[jira] [Commented] (SOLR-13649) When Using Basic Authentication, the blockUnknown Value should be True

    [ https://issues.apache.org/jira/browse/SOLR-13649?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16891466#comment-16891466 ] 

Jan Høydahl commented on SOLR-13649:
------------------------------------

It is a quite common case that you want to require authentication for write but not read, or for admin operations but not for index/search etc.
Another reason for the default is that it enables you to start with an empty config (without any users or roles) and still be allowed to use the security REST API to start adding users and roles. Then, if you wish to only allow known users, you can flip the blockUnknown switch after adding users.

I tend to agree with you that true would be a better default to follow the principle of least surprise, so I'm positive to the thought of changing it. If we change it, we'd need to think about back-compat, so that users that upgrade are not caught by surprise if they have not specified the parameter in {{security.json}}. Perhaps wait until 9.0?

What do others think?

> When Using Basic Authentication, the blockUnknown Value should be True
> ----------------------------------------------------------------------
>
>                 Key: SOLR-13649
>                 URL: https://issues.apache.org/jira/browse/SOLR-13649
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: Admin UI, Authentication
>    Affects Versions: 7.7.2, 8.1.1
>         Environment: All
>            Reporter: Marcus Eagan
>            Priority: Major
>              Labels: Authentication
>          Time Spent: 10m
>  Remaining Estimate: 0h
>
> If someone seeks to enable basic authentication but they do not specify the {{blockUnknown}} parameter, the default value is {{false}}. That default behavior is a bit counterintuitive because if someone wishes to enable basic authentication, you would expect that they would want all unknown users to need to authenticate by default. I can imagine cases where you would not, but those cases would be less frequent.
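A check of the kind a defender would want for the situation this thread describes, added here as an example and not code from the Solr project: it parses a security.json and flags a BasicAuthPlugin section whose blockUnknown is absent (which defaults to false) or explicitly false, and also flags the lock-out case of blockUnknown true with no users. The two sample documents and the credential placeholder are constructed; the keys follow the authentication/class/credentials layout of security.json.

```python
import json

# Constructed sample security.json documents (not taken from the Solr project);
# the credential value is a placeholder, not a real hash/salt pair.
WEAK_SECURITY_JSON = """
{
  "authentication": {
    "class": "solr.BasicAuthPlugin",
    "credentials": {"solr": "<sha256-hash> <salt>"}
  }
}
"""

HARDENED_SECURITY_JSON = """
{
  "authentication": {
    "class": "solr.BasicAuthPlugin",
    "blockUnknown": true,
    "credentials": {"solr": "<sha256-hash> <salt>"}
  }
}
"""


def audit_block_unknown(security_json: str) -> list[str]:
    """Return audit findings for a security.json document.

    An absent blockUnknown is treated like false, which is the default the
    thread discusses: requests without credentials are let through.
    """
    findings = []
    doc = json.loads(security_json)
    auth = doc.get("authentication")
    if not auth:
        findings.append("no authentication section: every request is anonymous")
        return findings
    if auth.get("class") != "solr.BasicAuthPlugin":
        return findings  # other plugins are outside the scope of this check
    block_unknown = auth.get("blockUnknown")
    if block_unknown is None:
        findings.append("blockUnknown not set: defaults to false, unknown users are not challenged")
    elif block_unknown is not True:
        findings.append(f"blockUnknown is {block_unknown!r}: unknown users are not challenged")
    if not auth.get("credentials"):
        # Flipping blockUnknown to true before adding users locks everyone out.
        findings.append("no credentials defined: with blockUnknown true nobody could log in")
    return findings
```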