[https://issues.apache.org/jira/browse/SOLR-13649?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16891466#comment-16891466]
Jan Høydahl commented on SOLR-13649:
------------------------------------
It is a quite common case that you want to require authentication for write but
not read, or for admin operations but not for index/search etc.
Another reason for the default is that it enables you to start with an empty
config (without any users or roles) and still be allowed to use the security
REST API to start adding users and roles. Then, if you wish to only allow known
users, you can flip the blockUnknown switch after adding users.
I tend to agree with you that true would be a better default to follow the
principle of least surprise, so I'm positive to the thought of changing it. If
we change it, we'd need to think about back-compat, so that users that upgrade
are not caught by surprise if they have not specified the parameter in
{{security.json}}. Perhaps wait until 9.0?
What do others think?
> When Using Basic Authentication, the blockUnknown Value should be True
> ----------------------------------------------------------------------
>
> Key: SOLR-13649
> URL: https://issues.apache.org/jira/browse/SOLR-13649
> Project: Solr
> Issue Type: Improvement
> Security Level: Public(Default Security Level. Issues are Public)
> Components: Admin UI, Authentication
> Affects Versions: 7.7.2, 8.1.1
> Environment: All
> Reporter: Marcus Eagan
> Priority: Major
> Labels: Authentication
> Time Spent: 10m
> Remaining Estimate: 0h
>
> If someone seeks to enable basic authentication but they do not specify the
> {{blockUnknown}} parameter, the default value is {{false}}. That default
> behavior is a bit counterintuitive because if someone wishes to enable basic
> authentication, you would expect that they would want all unknown users to
> need to authenticate by default. I can imagine cases where you would not, but
> those cases would be less frequent.
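The two configurations the thread is about, side by side, as an added example that is not code from the Solr project or from either commenter. It embeds three constructed `security.json` documents (the credential hash and salt are placeholders, not real values) and a small audit function that flags the case the issue describes (BasicAuthPlugin enabled, `blockUnknown` absent or false) as well as the lock-out case the comment warns about (`blockUnknown` true before any user exists). The `set-property` payload at the end is the command the Basic Auth plugin's `/admin/authentication` endpoint accepts for flipping the switch after users have been added.

```python
import json

# Constructed sample 1: BasicAuth enabled, blockUnknown omitted.
# On Solr 7.x/8.x the default is false, so anonymous requests still pass
# authentication and are only stopped where an authorization rule applies.
SECURITY_JSON_PERMISSIVE = """
{
  "authentication": {
    "class": "solr.BasicAuthPlugin",
    "credentials": {"solr": "<sha256-hash-placeholder> <salt-placeholder>"}
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [{"name": "security-edit", "role": "admin"}],
    "user-role": {"solr": "admin"}
  }
}
"""

# Constructed sample 2: the same config with the switch flipped, which is
# what an operator who "enables basic authentication" usually expects.
SECURITY_JSON_STRICT = """
{
  "authentication": {
    "blockUnknown": true,
    "class": "solr.BasicAuthPlugin",
    "credentials": {"solr": "<sha256-hash-placeholder> <salt-placeholder>"}
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [{"name": "security-edit", "role": "admin"}],
    "user-role": {"solr": "admin"}
  }
}
"""

# Constructed sample 3: blockUnknown true before any user exists. Nobody can
# authenticate, so nobody can call the security REST API to add the first user.
SECURITY_JSON_LOCKOUT = """
{
  "authentication": {
    "blockUnknown": true,
    "class": "solr.BasicAuthPlugin",
    "credentials": {}
  }
}
"""


def audit_security_json(text: str) -> list[str]:
    """Return a list of findings for a security.json document (empty = OK)."""
    cfg = json.loads(text)
    findings = []
    auth = cfg.get("authentication")
    if not auth:
        findings.append("no authentication section: every request is anonymous")
        return findings
    if auth.get("class") != "solr.BasicAuthPlugin":
        return findings  # this check only covers the Basic Auth plugin
    block = auth.get("blockUnknown")
    credentials = auth.get("credentials") or {}
    if block is None:
        findings.append("blockUnknown not set: default is false, so unauthenticated "
                        "requests pass authentication")
    elif block is not True:
        findings.append(f"blockUnknown is {block!r}: unauthenticated requests pass "
                        "authentication")
    if block is True and not credentials:
        findings.append("blockUnknown is true but no credentials exist: the security "
                        "REST API is unreachable, add a user first")
    return findings


def set_block_unknown_payload(value: bool) -> dict:
    """Body for POST /solr/admin/authentication that flips blockUnknown."""
    return {"set-property": {"blockUnknown": value}}


if __name__ == "__main__":
    for name, doc in [("permissive", SECURITY_JSON_PERMISSIVE),
                      ("strict", SECURITY_JSON_STRICT),
                      ("lockout", SECURITY_JSON_LOCKOUT)]:
        print(name, audit_security_json(doc) or ["OK"])
    print(json.dumps(set_block_unknown_payload(True)))
```

The audit deliberately treats a missing key the same way the issue does: on the affected versions, absence means false, so an operator who only added users and a `BasicAuthPlugin` class has not actually required authentication. The lock-out check encodes the comment's reason for the current default: flipping the switch is safe only once at least one credential exists.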