janhoy commented on PR #4477: URL: https://github.com/apache/solr/pull/4477#issuecomment-4627089802
> err wait, i see a script test failing...

Yea, this was a tricky one. But I committed a fix, explained below:

The CI "Run Solr Script Tests" job was failing on test 89 (`start solr with ssl and auth`) in `test_ssl.bats`.

**Root cause:** The earlier commit in this PR correctly fixed `AuthTool` to place `blockUnknown` inside the `authentication` block (instead of erroneously at the top level of `security.json`). However, the old code also unconditionally set `blockUnknown=true` (the CLI default), which **overrode** the template's intentional `blockUnknown=false`. On `main`, this override was harmless because it landed at the wrong JSON level and was ignored by `BasicAuthPlugin`. But once we fixed the placement, the override started taking effect — blocking unauthenticated requests and changing the 401 error message from `"Authentication"` (from the authorization layer) to `"require authentication"` (from `BasicAuthPlugin`), breaking the test assertion.

**Fix:** `AuthTool` no longer overrides `blockUnknown` unless the user explicitly passes `--block-unknown`. The template `security.json` already sets `blockUnknown=false`, which is the intended default — it allows unauthenticated pass-through for endpoints like health checks and metrics that are authorized via the `authorization` rules. If a user wants to block all unknown users, they can pass `--block-unknown true` explicitly.

**Risk:** The previously unknown bug of `AuthTool` setting the wrong `blockUnknown` param could have been serious, had it not been for the fact that the `security.json` template, which is **always** used, has a catch-all rule at the end of the chain requiring the "admin" role. The healthcheck and metric endpoints were open to the world, and if the user specified `--blockUnknown true` they would still be open, as intended by the template.

--
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
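The comment above describes three interacting pieces: the `security.json` writer that put `blockUnknown` at the wrong level, the `BasicAuthPlugin` that only reads `authentication.blockUnknown`, and an authorization chain whose catch-all rule requires `admin`. The following is an added example written for this page, not Solr's code or the PR's code. It models those three pieces in Python so the "harmless on main, breaks once placement is fixed" sequence can be reproduced, and it includes the check a practitioner would actually want: a lint that flags a top-level `blockUnknown` that no plugin reads. Assumptions, labelled in the code: the template is a cut-down stand-in (two permissions only), rule evaluation is simplified to first-match, a permission with `role: null` is treated as open to everyone, the plugin default when `blockUnknown` is absent is taken as `false`, and the two 401 messages are the strings quoted in the comment.

```python
"""Model of the blockUnknown placement bug discussed in the PR comment.

Added example, not Solr code. It models the security.json writer (AuthTool),
the plugin that reads authentication.blockUnknown, and an authorization rule
chain with a catch-all role. Rule evaluation is simplified to first-match.
"""
import copy
import json

# Constructed stand-in for the bin/solr auth template (the real one has more
# permissions). The shape follows the comment: blockUnknown=false inside the
# authentication block, health open to all, catch-all requiring "admin".
TEMPLATE = {
    "authentication": {
        "class": "solr.BasicAuthPlugin",
        "blockUnknown": False,
        "credentials": {"solr": "<sha256-hash> <salt>"},  # placeholder, not a real hash
    },
    "authorization": {
        "class": "solr.RuleBasedAuthorizationPlugin",
        "permissions": [
            {"name": "health", "path": "/admin/info/health", "role": None},  # role None: open to all (assumption)
            {"name": "all", "role": "admin"},  # catch-all: no path, applies to everything else
        ],
        "user-role": {"solr": "admin"},
    },
}


def write_security_json_legacy(block_unknown=True):
    """Behaviour the comment attributes to main: always writes the CLI default
    (true), and at the top level, where the plugin never looks."""
    cfg = copy.deepcopy(TEMPLATE)
    cfg["blockUnknown"] = block_unknown
    return cfg


def write_security_json_fixed(block_unknown=None):
    """Fixed behaviour: written inside 'authentication', and only when the user
    explicitly asked for it; otherwise the template value is left alone."""
    cfg = copy.deepcopy(TEMPLATE)
    if block_unknown is not None:
        cfg["authentication"]["blockUnknown"] = block_unknown
    return cfg


def effective_block_unknown(cfg, plugin_default=False):
    """Only authentication.blockUnknown counts. plugin_default is an assumption
    of this model, not a statement about BasicAuthPlugin's real default."""
    return bool(cfg.get("authentication", {}).get("blockUnknown", plugin_default))


def lint_security_json(cfg):
    """Flag settings that silently do nothing: keys outside the two plugin
    blocks, and in particular a top-level blockUnknown."""
    findings = []
    for key in cfg:
        if key not in ("authentication", "authorization"):
            findings.append(f"top-level key {key!r} is not read by any plugin")
    if "blockUnknown" in cfg:
        findings.append(
            f"blockUnknown={cfg['blockUnknown']!r} at top level has no effect; "
            f"effective value is {effective_block_unknown(cfg)}"
        )
    return findings


def handle_request(cfg, path, user=None):
    """Return (status, message): the auth-plugin gate first, then first-match rules.
    user=None means an unauthenticated request."""
    if user is None and effective_block_unknown(cfg):
        return 401, "require authentication"  # BasicAuthPlugin wording quoted in the comment
    authz = cfg["authorization"]
    raw_roles = authz["user-role"].get(user) if user else None
    roles = {raw_roles} if isinstance(raw_roles, str) else set(raw_roles or [])
    for perm in authz["permissions"]:
        if "path" in perm and perm["path"] != path:
            continue
        if perm["role"] is None:
            return 200, f"{perm['name']}: open to all"
        if user is None:
            return 401, "Authentication"  # authorization-layer wording quoted in the comment
        if perm["role"] in roles:
            return 200, f"{perm['name']}: allowed for {user}"
        return 403, f"{perm['name']}: {user} lacks role {perm['role']}"
    return 200, "no rule matched"  # unprotected path


if __name__ == "__main__":
    for label, cfg in [
        ("main (wrong level, override ignored)", write_security_json_legacy()),
        ("placement fixed, override kept", write_security_json_fixed(True)),
        ("placement fixed, no override", write_security_json_fixed()),
    ]:
        print(label, json.dumps(cfg["authentication"]), lint_security_json(cfg))
        print("  anon /admin/info/health ->", handle_request(cfg, "/admin/info/health"))
        print("  anon /select            ->", handle_request(cfg, "/select"))
        print("  solr /select            ->", handle_request(cfg, "/select", "solr"))
```

Running the script walks the three states in the order the comment describes: the legacy writer is flagged by the lint yet behaves as intended, the intermediate "placement fixed but override kept" state turns the health endpoint into a `require authentication` 401 (the test breakage), and the final fix restores the template's pass-through while the catch-all rule still denies anonymous `/select` with the authorization layer's `Authentication` message.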
