[jira] [Commented] (SOLR-13649) BasicAuth's 'blockUnknown' param should default to true
[
https://issues.apache.org/jira/browse/SOLR-13649?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16918293#comment-16918293
]
ASF subversion and git services commented on SOLR-13649:
Commit b37d92bfee63a9ede2a754347cbe8627dedade33 in lucene-solr's branch
refs/heads/master from Marcus
[ https://gitbox.apache.org/repos/asf?p=lucene-solr.git;h=b37d92b ]
SOLR-13649 change the default behavior of the basic authentication plugin.
(#805)
SOLR-13649: Property 'blockUnknown' of BasicAuthPlugin and JWTAuthPlugin now
defaults to 'true'. This change is backward incompatible. To achieve the
previous default behavior, explicitly set 'blockUnknown':'false' in
security.json
> BasicAuth's 'blockUnknown' param should default to true
> ---
>
> Key: SOLR-13649
> URL: https://issues.apache.org/jira/browse/SOLR-13649
> Project: Solr
> Issue Type: Improvement
> Components: Admin UI, Authentication, security
>Affects Versions: 7.7.2, 8.1.1
> Environment: All
>Reporter: Marcus Eagan
>Assignee: Shalin Shekhar Mangar
>Priority: Major
> Labels: Authentication
> Fix For: master (9.0)
>
> Time Spent: 9h 10m
> Remaining Estimate: 0h
>
> If someone seeks to enable basic authentication but they do not specify the
> {{blockUnknown}} parameter, the default value is {{false}}. That default
> behavior is a bit counterintuitive because if someone wishes to enable basic
> authentication, you would expect that they would want all unknown users to
> need to authenticate by default. I can imagine cases where you would not, but
> those cases would be less frequent.
--
This message was sent by Atlassian Jira
(v8.3.2#803003)
-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org
[jira] [Commented] (SOLR-13649) BasicAuth's 'blockUnknown' param should default to true
[
https://issues.apache.org/jira/browse/SOLR-13649?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16918294#comment-16918294
]
ASF subversion and git services commented on SOLR-13649:
Commit b37d92bfee63a9ede2a754347cbe8627dedade33 in lucene-solr's branch
refs/heads/master from Marcus
[ https://gitbox.apache.org/repos/asf?p=lucene-solr.git;h=b37d92b ]
SOLR-13649 change the default behavior of the basic authentication plugin.
(#805)
SOLR-13649: Property 'blockUnknown' of BasicAuthPlugin and JWTAuthPlugin now
defaults to 'true'. This change is backward incompatible. To achieve the
previous default behavior, explicitly set 'blockUnknown':'false' in
security.json
> BasicAuth's 'blockUnknown' param should default to true
> ---
>
> Key: SOLR-13649
> URL: https://issues.apache.org/jira/browse/SOLR-13649
> Project: Solr
> Issue Type: Improvement
> Components: Admin UI, Authentication, security
>Affects Versions: 7.7.2, 8.1.1
> Environment: All
>Reporter: Marcus Eagan
>Assignee: Shalin Shekhar Mangar
>Priority: Major
> Labels: Authentication
> Fix For: master (9.0)
>
> Time Spent: 9h 10m
> Remaining Estimate: 0h
>
> If someone seeks to enable basic authentication but they do not specify the
> {{blockUnknown}} parameter, the default value is {{false}}. That default
> behavior is a bit counterintuitive because if someone wishes to enable basic
> authentication, you would expect that they would want all unknown users to
> need to authenticate by default. I can imagine cases where you would not, but
> those cases would be less frequent.
--
This message was sent by Atlassian Jira
(v8.3.2#803003)
-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org
[jira] [Commented] (SOLR-13649) BasicAuth's 'blockUnknown' param should default to true
[
https://issues.apache.org/jira/browse/SOLR-13649?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16917485#comment-16917485
]
Jan Høydahl commented on SOLR-13649:
{quote}I have added the appropriate tests and now throw an exception if a user
attempts to delete the final user or enable the basic auth plugin without at
least one user
{quote}
Elegant solution.
See PR for some additional comments, in particular on the major test changes -
you may want to explain more of your reasoning for changing the entire test
instead of adding blockUnkow=false to the config in that test which would be
much less intrusive?
> BasicAuth's 'blockUnknown' param should default to true
> ---
>
> Key: SOLR-13649
> URL: https://issues.apache.org/jira/browse/SOLR-13649
> Project: Solr
> Issue Type: Improvement
> Components: Admin UI, Authentication, security
>Affects Versions: 7.7.2, 8.1.1
> Environment: All
>Reporter: Marcus Eagan
>Assignee: Shalin Shekhar Mangar
>Priority: Major
> Labels: Authentication
> Fix For: master (9.0)
>
> Time Spent: 5h 40m
> Remaining Estimate: 0h
>
> If someone seeks to enable basic authentication but they do not specify the
> {{blockUnknown}} parameter, the default value is {{false}}. That default
> behavior is a bit counterintuitive because if someone wishes to enable basic
> authentication, you would expect that they would want all unknown users to
> need to authenticate by default. I can imagine cases where you would not, but
> those cases would be less frequent.
--
This message was sent by Atlassian Jira
(v8.3.2#803003)
-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org
[jira] [Commented] (SOLR-13649) BasicAuth's 'blockUnknown' param should default to true
[
https://issues.apache.org/jira/browse/SOLR-13649?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16914342#comment-16914342
]
Marcus Eagan commented on SOLR-13649:
-
bq. What I was hoping for wrt smooth upgrade was a way to make the default
depend on config version. We could have used luceneMatchVersion if this was a
per-core config but it is a cluster-wide config so we cannot. I'm not aware of
any cluster-wide config version parameter we could use instead. Perhaps a new
clusterProperty solrMatchVersion could be of benefit for this and other cluster
wide breaking changes. Then if solrMatchVersion is not set you'll assume
Version.LATEST, but if it is set to e.g. 8.2 then blockUnknown could default to
true as before. Or perhaps better is to introduce a "version" property in
security.json that would work much like our schema version property, and we
could start on version=2 from Solr9. This is how e.g. docker versions their
docker-compose configs. This could be useful in the future if we need to change
the very format of security.json to e.g. support multiple auth schemes and
backends in the same cluster.
I think that would need to be addressed in another issue or PR that is linked
to this one. I can write it, but would prefer the scope not creep on this
change.
> BasicAuth's 'blockUnknown' param should default to true
> ---
>
> Key: SOLR-13649
> URL: https://issues.apache.org/jira/browse/SOLR-13649
> Project: Solr
> Issue Type: Improvement
> Components: Admin UI, Authentication, security
>Affects Versions: 7.7.2, 8.1.1
> Environment: All
>Reporter: Marcus Eagan
>Priority: Major
> Labels: Authentication
> Fix For: master (9.0)
>
> Time Spent: 4h
> Remaining Estimate: 0h
>
> If someone seeks to enable basic authentication but they do not specify the
> {{blockUnknown}} parameter, the default value is {{false}}. That default
> behavior is a bit counterintuitive because if someone wishes to enable basic
> authentication, you would expect that they would want all unknown users to
> need to authenticate by default. I can imagine cases where you would not, but
> those cases would be less frequent.
--
This message was sent by Atlassian Jira
(v8.3.2#803003)
-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org
[jira] [Commented] (SOLR-13649) BasicAuth's 'blockUnknown' param should default to true
[
https://issues.apache.org/jira/browse/SOLR-13649?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16911042#comment-16911042
]
Marcus Eagan commented on SOLR-13649:
-
for people watching this issue, I have added the appropriate tests and now
throw an exception if a user attempts to delete the final user or enable the
basic auth plugin without at least one user.
> BasicAuth's 'blockUnknown' param should default to true
> ---
>
> Key: SOLR-13649
> URL: https://issues.apache.org/jira/browse/SOLR-13649
> Project: Solr
> Issue Type: Improvement
> Components: Admin UI, Authentication, security
>Affects Versions: 7.7.2, 8.1.1
> Environment: All
>Reporter: Marcus Eagan
>Priority: Major
> Labels: Authentication
> Fix For: master (9.0)
>
> Time Spent: 4h
> Remaining Estimate: 0h
>
> If someone seeks to enable basic authentication but they do not specify the
> {{blockUnknown}} parameter, the default value is {{false}}. That default
> behavior is a bit counterintuitive because if someone wishes to enable basic
> authentication, you would expect that they would want all unknown users to
> need to authenticate by default. I can imagine cases where you would not, but
> those cases would be less frequent.
--
This message was sent by Atlassian Jira
(v8.3.2#803003)
-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org
[jira] [Commented] (SOLR-13649) BasicAuth's 'blockUnknown' param should default to true
[
https://issues.apache.org/jira/browse/SOLR-13649?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16905973#comment-16905973
]
Marcus Eagan commented on SOLR-13649:
-
My apologies. I thought that an error was what you were requesting. I will
revert that change in the morning.
> BasicAuth's 'blockUnknown' param should default to true
> ---
>
> Key: SOLR-13649
> URL: https://issues.apache.org/jira/browse/SOLR-13649
> Project: Solr
> Issue Type: Improvement
> Components: Admin UI, Authentication, security
>Affects Versions: 7.7.2, 8.1.1
> Environment: All
>Reporter: Marcus Eagan
>Priority: Major
> Labels: Authentication
> Fix For: master (9.0)
>
> Time Spent: 2h 20m
> Remaining Estimate: 0h
>
> If someone seeks to enable basic authentication but they do not specify the
> {{blockUnknown}} parameter, the default value is {{false}}. That default
> behavior is a bit counterintuitive because if someone wishes to enable basic
> authentication, you would expect that they would want all unknown users to
> need to authenticate by default. I can imagine cases where you would not, but
> those cases would be less frequent.
--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org
[jira] [Commented] (SOLR-13649) BasicAuth's 'blockUnknown' param should default to true
[
https://issues.apache.org/jira/browse/SOLR-13649?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16905959#comment-16905959
]
Jan Høydahl commented on SOLR-13649:
{quote}I've added an error in case the blockUnknown parameter is not set to
make it easier for the community to adopt this change upon upgrading.
{quote}
I'm not so keen on adding more mandatory parameters. As long as we wait until
9.0 it is perfectly ok with a backcompat-break in defaults such as this. That
was the whole point with the change in the first place, that if you enable auth
then you'd expect it to actually require auth by default. If you make it
required then there is no need for a default in the first place.
What I *was* hoping for wrt smooth upgrade was a way to make the default depend
on config version. We could have used luceneMatchVersion if this was a per-core
config but it is a cluster-wide config so we cannot. I'm not aware of any
cluster-wide config version parameter we could use instead. Perhaps a new
clusterProperty {{solrMatchVersion}} could be of benefit for this and other
cluster wide breaking changes. Then if solrMatchVersion is not set you'll
assume {{Version.LATEST}}, but if it is set to e.g. 8.2 then {{blockUnknown}}
could default to true as before. Or perhaps better is to introduce a "version"
property in {{security.json}} that would work much like our schema version
property, and we could start on version=2 from Solr9. This is how e.g. docker
versions their docker-compose configs. This could be useful in the future if we
need to change the very format of security.json to e.g. support multiple auth
schemes and backends in the same cluster.
> BasicAuth's 'blockUnknown' param should default to true
> ---
>
> Key: SOLR-13649
> URL: https://issues.apache.org/jira/browse/SOLR-13649
> Project: Solr
> Issue Type: Improvement
> Components: Admin UI, Authentication, security
>Affects Versions: 7.7.2, 8.1.1
> Environment: All
>Reporter: Marcus Eagan
>Priority: Major
> Labels: Authentication
> Fix For: master (9.0)
>
> Time Spent: 2h 20m
> Remaining Estimate: 0h
>
> If someone seeks to enable basic authentication but they do not specify the
> {{blockUnknown}} parameter, the default value is {{false}}. That default
> behavior is a bit counterintuitive because if someone wishes to enable basic
> authentication, you would expect that they would want all unknown users to
> need to authenticate by default. I can imagine cases where you would not, but
> those cases would be less frequent.
--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org
[jira] [Commented] (SOLR-13649) BasicAuth's 'blockUnknown' param should default to true
[
https://issues.apache.org/jira/browse/SOLR-13649?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16905822#comment-16905822
]
Marcus Eagan commented on SOLR-13649:
-
I've added an error in case the blockUnknown parameter is not set to make it
easier for the community to adopt this change upon upgrading.
> BasicAuth's 'blockUnknown' param should default to true
> ---
>
> Key: SOLR-13649
> URL: https://issues.apache.org/jira/browse/SOLR-13649
> Project: Solr
> Issue Type: Improvement
> Components: Admin UI, Authentication, security
>Affects Versions: 7.7.2, 8.1.1
> Environment: All
>Reporter: Marcus Eagan
>Priority: Major
> Labels: Authentication
> Fix For: master (9.0)
>
> Time Spent: 2h 20m
> Remaining Estimate: 0h
>
> If someone seeks to enable basic authentication but they do not specify the
> {{blockUnknown}} parameter, the default value is {{false}}. That default
> behavior is a bit counterintuitive because if someone wishes to enable basic
> authentication, you would expect that they would want all unknown users to
> need to authenticate by default. I can imagine cases where you would not, but
> those cases would be less frequent.
--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org
[jira] [Commented] (SOLR-13649) BasicAuth's 'blockUnknown' param should default to true
[
https://issues.apache.org/jira/browse/SOLR-13649?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16898014#comment-16898014
]
Jason Gerlowski commented on SOLR-13649:
I agree with Noble that this is a backwards compatible change. But if we hold
off on introducing it until 9.0, I don't see any problems with that. We direct
users to re-evaluate all config files on a major version upgrade already. So
the only people who might be bitten by this change in defaults would have to be
(1) going against that prescribed update step and (2) not paying attention to
the release notes and CHANGES.txt where this is called out.
It might take a little extra documentation in the short term (a bullet point in
release-notes), and I'm all for avoiding documentation bloat. But I think
keeping the docs concise needs to be secondary to making security easy to get
right.
[~janhoy] I'm +1 on seeing this change happen, assuming it's made clear in
release notes and only introduced at the major version.
> BasicAuth's 'blockUnknown' param should default to true
> ---
>
> Key: SOLR-13649
> URL: https://issues.apache.org/jira/browse/SOLR-13649
> Project: Solr
> Issue Type: Improvement
> Components: Admin UI, Authentication, security
>Affects Versions: 7.7.2, 8.1.1
> Environment: All
>Reporter: Marcus Eagan
>Priority: Major
> Labels: Authentication
> Fix For: master (9.0)
>
> Time Spent: 40m
> Remaining Estimate: 0h
>
> If someone seeks to enable basic authentication but they do not specify the
> {{blockUnknown}} parameter, the default value is {{false}}. That default
> behavior is a bit counterintuitive because if someone wishes to enable basic
> authentication, you would expect that they would want all unknown users to
> need to authenticate by default. I can imagine cases where you would not, but
> those cases would be less frequent.
--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org
[jira] [Commented] (SOLR-13649) BasicAuth's 'blockUnknown' param should default to true
[
https://issues.apache.org/jira/browse/SOLR-13649?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16897572#comment-16897572
]
Marcus Eagan commented on SOLR-13649:
-
[~noble.paul] That makes sense. It will be only added to 9.0 (master branch, I
believe)
> BasicAuth's 'blockUnknown' param should default to true
> ---
>
> Key: SOLR-13649
> URL: https://issues.apache.org/jira/browse/SOLR-13649
> Project: Solr
> Issue Type: Improvement
> Components: Admin UI, Authentication, security
>Affects Versions: 7.7.2, 8.1.1
> Environment: All
>Reporter: Marcus Eagan
>Priority: Major
> Labels: Authentication
> Fix For: master (9.0)
>
> Time Spent: 40m
> Remaining Estimate: 0h
>
> If someone seeks to enable basic authentication but they do not specify the
> {{blockUnknown}} parameter, the default value is {{false}}. That default
> behavior is a bit counterintuitive because if someone wishes to enable basic
> authentication, you would expect that they would want all unknown users to
> need to authenticate by default. I can imagine cases where you would not, but
> those cases would be less frequent.
--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org
[jira] [Commented] (SOLR-13649) BasicAuth's 'blockUnknown' param should default to true
[
https://issues.apache.org/jira/browse/SOLR-13649?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16897569#comment-16897569
]
Noble Paul commented on SOLR-13649:
---
bq.Can you explain what's backward incompatible about it so that the community
has the details?
If we change it now, anyone who omited that param will see a different
behavior. So, this is automatically backward incompatible.
However I'm -0 on changing the default in a major release.
0 : because it is not a big deal and doesn't take away any functionality
-ve : because it leads to extra documentation
> BasicAuth's 'blockUnknown' param should default to true
> ---
>
> Key: SOLR-13649
> URL: https://issues.apache.org/jira/browse/SOLR-13649
> Project: Solr
> Issue Type: Improvement
> Components: Admin UI, Authentication, security
>Affects Versions: 7.7.2, 8.1.1
> Environment: All
>Reporter: Marcus Eagan
>Priority: Major
> Labels: Authentication
> Fix For: master (9.0)
>
> Time Spent: 40m
> Remaining Estimate: 0h
>
> If someone seeks to enable basic authentication but they do not specify the
> {{blockUnknown}} parameter, the default value is {{false}}. That default
> behavior is a bit counterintuitive because if someone wishes to enable basic
> authentication, you would expect that they would want all unknown users to
> need to authenticate by default. I can imagine cases where you would not, but
> those cases would be less frequent.
--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org
[jira] [Commented] (SOLR-13649) BasicAuth's 'blockUnknown' param should default to true
[
https://issues.apache.org/jira/browse/SOLR-13649?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16897554#comment-16897554
]
Marcus Eagan commented on SOLR-13649:
-
[~noble.paul] Can you explain what's backward incompatible about it so that the
community has the details?
I've explained why we need to change it if you read above. All our
documentation is a false statement, starting with documentation you wrote.
Secondly, the default behavior is not intuitive yet should not require
documentation consultation.
> BasicAuth's 'blockUnknown' param should default to true
> ---
>
> Key: SOLR-13649
> URL: https://issues.apache.org/jira/browse/SOLR-13649
> Project: Solr
> Issue Type: Improvement
> Components: Admin UI, Authentication, security
>Affects Versions: 7.7.2, 8.1.1
> Environment: All
>Reporter: Marcus Eagan
>Priority: Major
> Labels: Authentication
> Fix For: master (9.0)
>
> Time Spent: 40m
> Remaining Estimate: 0h
>
> If someone seeks to enable basic authentication but they do not specify the
> {{blockUnknown}} parameter, the default value is {{false}}. That default
> behavior is a bit counterintuitive because if someone wishes to enable basic
> authentication, you would expect that they would want all unknown users to
> need to authenticate by default. I can imagine cases where you would not, but
> those cases would be less frequent.
--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org
[jira] [Commented] (SOLR-13649) BasicAuth's 'blockUnknown' param should default to true
[
https://issues.apache.org/jira/browse/SOLR-13649?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16897095#comment-16897095
]
Noble Paul commented on SOLR-13649:
---
It's a backward incompatible change. However all our documentation has
blockUnknown=true. Why do we need to change anything?
> BasicAuth's 'blockUnknown' param should default to true
> ---
>
> Key: SOLR-13649
> URL: https://issues.apache.org/jira/browse/SOLR-13649
> Project: Solr
> Issue Type: Improvement
> Components: Admin UI, Authentication, security
>Affects Versions: 7.7.2, 8.1.1
> Environment: All
>Reporter: Marcus Eagan
>Priority: Major
> Labels: Authentication
> Fix For: master (9.0)
>
> Time Spent: 40m
> Remaining Estimate: 0h
>
> If someone seeks to enable basic authentication but they do not specify the
> {{blockUnknown}} parameter, the default value is {{false}}. That default
> behavior is a bit counterintuitive because if someone wishes to enable basic
> authentication, you would expect that they would want all unknown users to
> need to authenticate by default. I can imagine cases where you would not, but
> those cases would be less frequent.
--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org
[jira] [Commented] (SOLR-13649) BasicAuth's 'blockUnknown' param should default to true
[
https://issues.apache.org/jira/browse/SOLR-13649?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16897085#comment-16897085
]
Jan Høydahl commented on SOLR-13649:
[~noble.paul], [~sarkaramr...@gmail.com], is there a reason why this would NOT
work out?
> BasicAuth's 'blockUnknown' param should default to true
> ---
>
> Key: SOLR-13649
> URL: https://issues.apache.org/jira/browse/SOLR-13649
> Project: Solr
> Issue Type: Improvement
> Components: Admin UI, Authentication, security
>Affects Versions: 7.7.2, 8.1.1
> Environment: All
>Reporter: Marcus Eagan
>Priority: Major
> Labels: Authentication
> Fix For: master (9.0)
>
> Time Spent: 40m
> Remaining Estimate: 0h
>
> If someone seeks to enable basic authentication but they do not specify the
> {{blockUnknown}} parameter, the default value is {{false}}. That default
> behavior is a bit counterintuitive because if someone wishes to enable basic
> authentication, you would expect that they would want all unknown users to
> need to authenticate by default. I can imagine cases where you would not, but
> those cases would be less frequent.
--
This message was sent by Atlassian JIRA
(v7.6.14#76016)
-
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org
