janhoy commented on pull request #355: URL: https://github.com/apache/solr/pull/355#issuecomment-948521927
A concern with enabling BasicAuth is that it is less secure than OIDC, which has an expiry of tokens, while a password is long-lived. To mitigate this added surface area, I wonder how easy it would be to "lock down" what a BasicAuth user can do in the system, such as limiting the role's permissions to block any request except /admin/system/info and /admin/collection?cmd=CLUSTERSTATUS. I think this is doable in authorization..
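One way to express the lock-down janhoy describes in Solr's `security.json`, added here as an illustration rather than code from the pull request or the Solr project: a dedicated `monitor` role whose `RuleBasedAuthorizationPlugin` permissions admit only the system-info and cluster-status endpoints, with the predefined `all` permission last so every other request requires the `admin` role. The example assumes the comment's endpoints refer to Solr's `/admin/info/system` handler and the `/admin/collections` handler with `action=CLUSTERSTATUS`; the user names, role names and the credential value are placeholders.

```json
{
  "authentication": {
    "class": "solr.BasicAuthPlugin",
    "blockUnknown": true,
    "credentials": {
      "monitor": "<sha256-hash> <salt>"
    }
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "user-role": {
      "monitor": "monitor",
      "solradmin": "admin"
    },
    "permissions": [
      {
        "name": "monitor-system-info",
        "collection": null,
        "path": "/admin/info/system",
        "role": "monitor"
      },
      {
        "name": "monitor-cluster-status",
        "collection": null,
        "path": "/admin/collections",
        "params": { "action": ["CLUSTERSTATUS"] },
        "role": "monitor"
      },
      {
        "name": "all",
        "role": "admin"
      }
    ]
  }
}
```

Two details carry the security property: `blockUnknown: true` rejects unauthenticated requests outright, and permissions are evaluated in order with the first match winning, so the two narrow `monitor` rules must precede `all`. A `monitor` request to any other path, including `/admin/collections?action=DELETE`, falls through to `all` and is denied because the user lacks the `admin` role. Restricting the `params` map is what keeps the same `/admin/collections` path from exposing write actions to the long-lived BasicAuth credential.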