[ https://issues.apache.org/jira/browse/SOLR-13649?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16905959#comment-16905959 ]
Jan Høydahl commented on SOLR-13649:
------------------------------------

{quote}I've added an error in case the blockUnknown parameter is not set to make it easier for the community to adopt this change upon upgrading.
{quote}

I'm not so keen on adding more mandatory parameters. As long as we wait until 9.0 it is perfectly ok with a backcompat-break in defaults such as this. That was the whole point with the change in the first place, that if you enable auth then you'd expect it to actually require auth by default. If you make it required then there is no need for a default in the first place.

What I *was* hoping for wrt smooth upgrade was a way to make the default depend on config version. We could have used luceneMatchVersion if this was a per-core config but it is a cluster-wide config so we cannot. I'm not aware of any cluster-wide config version parameter we could use instead. Perhaps a new clusterProperty {{solrMatchVersion}} could be of benefit for this and other cluster-wide breaking changes. Then if solrMatchVersion is not set you'll assume {{Version.LATEST}}, but if it is set to e.g. 8.2 then {{blockUnknown}} could default to true as before.

Or perhaps better is to introduce a "version" property in {{security.json}} that would work much like our schema version property, and we could start on version=2 from Solr9. This is how e.g. docker versions their docker-compose configs. This could be useful in the future if we need to change the very format of security.json to e.g. support multiple auth schemes and backends in the same cluster.

> BasicAuth's 'blockUnknown' param should default to true
> -------------------------------------------------------
>
> Key: SOLR-13649
> URL: https://issues.apache.org/jira/browse/SOLR-13649
> Project: Solr
> Issue Type: Improvement
> Components: Admin UI, Authentication, security
> Affects Versions: 7.7.2, 8.1.1
> Environment: All
> Reporter: Marcus Eagan
> Priority: Major
> Labels: Authentication
> Fix For: master (9.0)
>
> Time Spent: 2h 20m
> Remaining Estimate: 0h
>
> If someone seeks to enable basic authentication but they do not specify the
> {{blockUnknown}} parameter, the default value is {{false}}. That default
> behavior is a bit counterintuitive because if someone wishes to enable basic
> authentication, you would expect that they would want all unknown users to
> need to authenticate by default. I can imagine cases where you would not, but
> those cases would be less frequent.
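
An added example, not part of the message above and not Solr project code: a small audit check for the situation the issue describes, where a {{security.json}} enables BasicAuthPlugin but leaves {{blockUnknown}} unset. The function name {{audit_basic_auth}}, its {{default_block_unknown}} parameter and the sample configs are assumptions made for illustration.

```python
import json

def audit_basic_auth(security_json, default_block_unknown=False):
    """Report whether a security.json rejects requests that carry no credentials.

    default_block_unknown models the value applied when the key is absent:
    False is the default the issue describes; True models the proposed one.
    """
    auth = json.loads(security_json).get("authentication")
    if not isinstance(auth, dict):
        return {"basic_auth": False, "explicit": False, "blocks_unknown": False,
                "finding": "no authentication section"}
    if not str(auth.get("class", "")).endswith("BasicAuthPlugin"):
        return {"basic_auth": False, "explicit": False, "blocks_unknown": False,
                "finding": "authentication class is not BasicAuthPlugin"}
    explicit = "blockUnknown" in auth
    raw = auth.get("blockUnknown", default_block_unknown)
    # Assumption: a string "true"/"false" is read the same way as a boolean.
    blocks = raw if isinstance(raw, bool) else str(raw).strip().lower() == "true"
    if blocks:
        finding = "requests without credentials are rejected"
    elif explicit:
        finding = "blockUnknown is false: requests without credentials pass authentication"
    else:
        finding = "blockUnknown is not set: default applies, requests without credentials pass authentication"
    return {"basic_auth": True, "explicit": explicit, "blocks_unknown": blocks,
            "finding": finding}

# Constructed sample configs; the credentials value is a placeholder.
IMPLICIT = '''{"authentication": {"class": "solr.BasicAuthPlugin",
  "credentials": {"admin": "<hash> <salt>"}}}'''
EXPLICIT = '''{"authentication": {"class": "solr.BasicAuthPlugin",
  "blockUnknown": true, "credentials": {"admin": "<hash> <salt>"}}}'''

if __name__ == "__main__":
    for name, doc in (("implicit", IMPLICIT), ("explicit", EXPLICIT)):
        print(name, audit_basic_auth(doc))
    print("implicit, proposed default", audit_basic_auth(IMPLICIT, True))
```

Setting {{blockUnknown}} explicitly in every deployed {{security.json}} makes the result independent of which default a given Solr version applies.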