[ 
https://issues.apache.org/jira/browse/SOLR-13649?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16898014#comment-16898014
 ] 

Jason Gerlowski commented on SOLR-13649:
----------------------------------------

I agree with Noble that this is a backwards compatible change.  But if we hold 
off on introducing it until 9.0, I don't see any problems with that.  We direct 
users to re-evaluate all config files on a major version upgrade already.  So 
the only people who might be bitten by this change in defaults would have to be 
(1) going against that prescribed update step and (2) not paying attention to 
the release notes and CHANGES.txt where this is called out.

It might take a little extra documentation in the short term (a bullet point in 
release-notes), and I'm all for avoiding documentation bloat.  But I think 
keeping the docs concise needs to be secondary to making security easy to get 
right.

[~janhoy] I'm +1 on seeing this change happen, assuming it's made clear in 
release notes and only introduced at the major version.

> BasicAuth's 'blockUnknown' param should default to true
> -------------------------------------------------------
>
>                 Key: SOLR-13649
>                 URL: https://issues.apache.org/jira/browse/SOLR-13649
>             Project: Solr
>          Issue Type: Improvement
>          Components: Admin UI, Authentication, security
>    Affects Versions: 7.7.2, 8.1.1
>         Environment: All
>            Reporter: Marcus Eagan
>            Priority: Major
>              Labels: Authentication
>             Fix For: master (9.0)
>
>          Time Spent: 40m
>  Remaining Estimate: 0h
>
> If someone seeks to enable basic authentication but they do not specify the 
> {{blockUnknown}} parameter, the default value is {{false}}. That default 
> behavior is a bit counterintuitive because if someone wishes to enable basic 
> authentication, you would expect that they would want all unknown users to 
> need to authenticate by default. I can imagine cases where you would not, but 
> those cases would be less frequent.



--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
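
An added example (not part of the original message or of Solr's code base): a small audit of a `security.json` document that reports the effective `blockUnknown` value, so a missing key is noticed instead of silently inheriting the default discussed in the issue. The `authentication` layout follows the Solr Reference Guide; the function name, the `implicit_default` parameter and the sample documents are assumptions constructed for illustration.

```python
import json

# Short and fully qualified names of Solr's Basic Authentication plugin.
BASIC_AUTH_CLASSES = {"solr.BasicAuthPlugin",
                      "org.apache.solr.security.BasicAuthPlugin"}


def audit_block_unknown(text, implicit_default=False):
    """Report how 'blockUnknown' resolves for one security.json document.

    implicit_default models the value used when the key is absent:
    False for the 7.x/8.x behaviour the issue describes, True for the
    default the issue proposes for 9.0 (hypothetical parameter).
    """
    cfg = json.loads(text)
    auth = cfg.get("authentication") or {}
    if auth.get("class") not in BASIC_AUTH_CLASSES:
        return {"basic_auth": False, "explicit": False, "effective": None,
                "finding": "SKIP: BasicAuthPlugin is not configured"}
    explicit = "blockUnknown" in auth
    raw = auth.get("blockUnknown", implicit_default)
    # Accept JSON booleans as well as the strings "true" / "false".
    effective = raw if isinstance(raw, bool) else str(raw).strip().lower() == "true"
    if not effective:
        why = "is set to false" if explicit else "is absent and defaults to false"
        finding = ("WARN: blockUnknown %s; requests without credentials "
                   "pass the authentication layer" % why)
    elif explicit:
        finding = "OK: blockUnknown is explicitly true"
    else:
        finding = "NOTE: blockUnknown is absent; true only via the assumed default"
    return {"basic_auth": True, "explicit": explicit,
            "effective": effective, "finding": finding}


# Constructed sample documents; the credential value is a placeholder.
SAMPLE_IMPLICIT = json.dumps({"authentication": {
    "class": "solr.BasicAuthPlugin",
    "credentials": {"solr": "PLACEHOLDER_HASH PLACEHOLDER_SALT"}}})
SAMPLE_EXPLICIT = json.dumps({"authentication": {
    "class": "solr.BasicAuthPlugin", "blockUnknown": True,
    "credentials": {"solr": "PLACEHOLDER_HASH PLACEHOLDER_SALT"}}})

if __name__ == "__main__":
    for name, doc in (("implicit", SAMPLE_IMPLICIT), ("explicit", SAMPLE_EXPLICIT)):
        print(name, "->", audit_block_unknown(doc)["finding"])
```

Setting the key explicitly in every deployed `security.json` makes the result independent of which default a given Solr version ships.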
