[jira] [Commented] (SOLR-8429) add a flag blockUnknown to BasicAutPlugin

Fri, 18 Dec 2015 02:32:05 -0800 

    [ 
https://issues.apache.org/jira/browse/SOLR-8429?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15063800#comment-15063800
 ] 

Jan Høydahl commented on SOLR-8429:
-----------------------------------

bq. I'm kinda against any rule which requires a user to read documentation to 
understand. The rule of thumb is if a user looks at the security.json he should 
have enough idea on what could happen.

Agree, but how can a user reading this {{security.json}} 
{code}
{"authentication": {"class": "solr.BasicAuthPlugin",  "credentials": {"solr": 
"i9buKe/RhJV5bF/46EI9xmVVYyrnbg9zXf+2FrFwcy0= OTg3"}}}
{code}
...have any clue that absolutely nothing will be protected -- unless that was 
the default? On the other hand, if he saw {{"blockUnknown":false}} in there, 
he'd be explicitly warned that it is necessary to cover every single path in 
{{AutorizationPlugin}}

Related: Should we protect the user against locking herself out, i.e. throw 
exception if {{blockUnknown}} is set through API before there are any 
registered users?


> add a flag blockUnknown to BasicAutPlugin
> -----------------------------------------
>
>                 Key: SOLR-8429
>                 URL: https://issues.apache.org/jira/browse/SOLR-8429
>             Project: Solr
>          Issue Type: Improvement
>            Reporter: Noble Paul
>            Assignee: Noble Paul
>
> If authentication is setup with BasicAuthPlugin, it let's all requests go 
> through if no credentials are passed. This was done to have minimal impact 
> for users who only wishes to protect a few end points (say , collection admin 
> and core admin only)
> We can add a flag to {{BasicAuthPlugin}} to allow only authenticated requests 
> to go in 
> the users can create the first security.json with that flag
> {code}
> server/scripts/cloud-scripts/zkcli.sh -z localhost:9983 -cmd put 
> /security.json '{"authentication": {"class": "solr.BasicAuthPlugin", 
> "blockUnknown": true,
> "credentials": {"solr": "orwp2Ghgj39lmnrZOTm7Qtre1VqHFDfwAEzr0ApbN3Y= 
> Ju5osoAqOX8iafhWpPP01E5P+sg8tK8tHON7rCYZRRw="}}}'
> {code}
> or add the flag later
> using the command
> {code}
> curl  http://localhost:8983/solr/admin/authentication -H 
> 'Content-type:application/json' -d  '{ 
> {set-property:{blockUnknown:true}
> }'
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org

Reply via email to