[jira] [Commented] (SOLR-13649) BasicAuth's 'blockUnknown' param should default to true
[ https://issues.apache.org/jira/browse/SOLR-13649?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16918293#comment-16918293 ]

ASF subversion and git services commented on SOLR-13649:

Commit b37d92bfee63a9ede2a754347cbe8627dedade33 in lucene-solr's branch refs/heads/master from Marcus
[ https://gitbox.apache.org/repos/asf?p=lucene-solr.git;h=b37d92b ]

SOLR-13649 change the default behavior of the basic authentication plugin. (#805)

SOLR-13649: Property 'blockUnknown' of BasicAuthPlugin and JWTAuthPlugin now defaults to 'true'. This change is backward incompatible. To achieve the previous default behavior, explicitly set 'blockUnknown':'false' in security.json

> BasicAuth's 'blockUnknown' param should default to true
> ---
>
> Key: SOLR-13649
> URL: https://issues.apache.org/jira/browse/SOLR-13649
> Project: Solr
> Issue Type: Improvement
> Components: Admin UI, Authentication, security
> Affects Versions: 7.7.2, 8.1.1
> Environment: All
> Reporter: Marcus Eagan
> Assignee: Shalin Shekhar Mangar
> Priority: Major
> Labels: Authentication
> Fix For: master (9.0)
>
> Time Spent: 9h 10m
> Remaining Estimate: 0h
>
> If someone seeks to enable basic authentication but they do not specify the
> {{blockUnknown}} parameter, the default value is {{false}}. That default
> behavior is a bit counterintuitive because if someone wishes to enable basic
> authentication, you would expect that they would want all unknown users to
> need to authenticate by default. I can imagine cases where you would not, but
> those cases would be less frequent.

--
This message was sent by Atlassian Jira (v8.3.2#803003)

To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org
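Added example (not part of this thread or of the Solr code base): a Python audit of a security.json document that shows how the default change in the commit message above alters behaviour when 'blockUnknown' is omitted. The function name and sample documents are constructed for illustration, and treating the strings "true"/"false" like JSON booleans is an assumption.

```python
import json

# Plugins named in the commit message whose 'blockUnknown' default becomes true.
AFFECTED_PLUGINS = ("BasicAuthPlugin", "JWTAuthPlugin")
OLD_DEFAULT, NEW_DEFAULT = False, True


def _as_bool(value):
    # Assumption: accept JSON booleans and the strings "true"/"false".
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"


def audit_security_json(text):
    """Report the effect of the default change on one security.json document."""
    auth = json.loads(text).get("authentication") or {}
    plugin = str(auth.get("class", "")).rsplit(".", 1)[-1]
    report = {
        "plugin": plugin or None,
        "explicit": "blockUnknown" in auth,
        "before": None,   # effective blockUnknown with the old default
        "after": None,    # effective blockUnknown with the new default
        "changes_on_upgrade": False,
        "findings": [],
    }
    if plugin not in AFFECTED_PLUGINS:
        return report

    if report["explicit"]:
        report["before"] = report["after"] = _as_bool(auth["blockUnknown"])
    else:
        report["before"], report["after"] = OLD_DEFAULT, NEW_DEFAULT
    report["changes_on_upgrade"] = report["before"] != report["after"]

    if report["changes_on_upgrade"]:
        report["findings"].append(
            "blockUnknown is not set: requests without credentials pass the "
            "plugin under the old default and are rejected under the new one; "
            "set the value explicitly before upgrading")
    if report["after"] is False:
        report["findings"].append(
            "blockUnknown is explicitly false: requests without credentials "
            "are not rejected by the authentication plugin")
    if plugin == "BasicAuthPlugin" and not auth.get("credentials"):
        report["findings"].append(
            "no users under 'credentials' (the thread describes the patch as "
            "rejecting BasicAuth without at least one user)")
    return report


# Constructed sample documents; the credential value is a placeholder.
IMPLICIT = '''{"authentication": {"class": "solr.BasicAuthPlugin",
  "credentials": {"admin": "<hash> <salt>"}}}'''
EXPLICIT_OPEN = '''{"authentication": {"class": "solr.JWTAuthPlugin",
  "blockUnknown": false}}'''
NO_USERS = '''{"authentication": {"class": "solr.BasicAuthPlugin",
  "blockUnknown": true, "credentials": {}}}'''

if __name__ == "__main__":
    for name, doc in (("implicit", IMPLICIT), ("explicit-open", EXPLICIT_OPEN),
                      ("no-users", NO_USERS)):
        print(name, json.dumps(audit_security_json(doc), indent=2))
```

A document flagged with changes_on_upgrade is one whose behaviour differs across the upgrade without any edit to the file, which is the case the release-note discussion in this thread is about.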
[jira] [Commented] (SOLR-13649) BasicAuth's 'blockUnknown' param should default to true
[ https://issues.apache.org/jira/browse/SOLR-13649?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16917485#comment-16917485 ]

Jan Høydahl commented on SOLR-13649:

{quote}I have added the appropriate tests and now throw an exception if a user attempts to delete the final user or enable the basic auth plugin without at least one user
{quote}
Elegant solution. See PR for some additional comments, in particular on the major test changes - you may want to explain more of your reasoning for changing the entire test instead of adding blockUnknown=false to the config in that test which would be much less intrusive?
[jira] [Commented] (SOLR-13649) BasicAuth's 'blockUnknown' param should default to true
[ https://issues.apache.org/jira/browse/SOLR-13649?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16914342#comment-16914342 ]

Marcus Eagan commented on SOLR-13649:

bq. What I was hoping for wrt smooth upgrade was a way to make the default depend on config version. We could have used luceneMatchVersion if this was a per-core config but it is a cluster-wide config so we cannot. I'm not aware of any cluster-wide config version parameter we could use instead. Perhaps a new clusterProperty solrMatchVersion could be of benefit for this and other cluster wide breaking changes. Then if solrMatchVersion is not set you'll assume Version.LATEST, but if it is set to e.g. 8.2 then blockUnknown could default to true as before. Or perhaps better is to introduce a "version" property in security.json that would work much like our schema version property, and we could start on version=2 from Solr9. This is how e.g. docker versions their docker-compose configs. This could be useful in the future if we need to change the very format of security.json to e.g. support multiple auth schemes and backends in the same cluster.

I think that would need to be addressed in another issue or PR that is linked to this one. I can write it, but would prefer the scope not creep on this change.
[jira] [Commented] (SOLR-13649) BasicAuth's 'blockUnknown' param should default to true
[ https://issues.apache.org/jira/browse/SOLR-13649?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16911042#comment-16911042 ]

Marcus Eagan commented on SOLR-13649:

For people watching this issue, I have added the appropriate tests and now throw an exception if a user attempts to delete the final user or enable the basic auth plugin without at least one user.
[jira] [Commented] (SOLR-13649) BasicAuth's 'blockUnknown' param should default to true
[ https://issues.apache.org/jira/browse/SOLR-13649?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16905973#comment-16905973 ]

Marcus Eagan commented on SOLR-13649:

My apologies. I thought that an error was what you were requesting. I will revert that change in the morning.
[jira] [Commented] (SOLR-13649) BasicAuth's 'blockUnknown' param should default to true
[ https://issues.apache.org/jira/browse/SOLR-13649?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16905959#comment-16905959 ]

Jan Høydahl commented on SOLR-13649:

{quote}I've added an error in case the blockUnknown parameter is not set to make it easier for the community to adopt this change upon upgrading.
{quote}
I'm not so keen on adding more mandatory parameters. As long as we wait until 9.0 it is perfectly ok with a backcompat-break in defaults such as this. That was the whole point with the change in the first place, that if you enable auth then you'd expect it to actually require auth by default. If you make it required then there is no need for a default in the first place.

What I *was* hoping for wrt smooth upgrade was a way to make the default depend on config version. We could have used luceneMatchVersion if this was a per-core config but it is a cluster-wide config so we cannot. I'm not aware of any cluster-wide config version parameter we could use instead. Perhaps a new clusterProperty {{solrMatchVersion}} could be of benefit for this and other cluster wide breaking changes. Then if solrMatchVersion is not set you'll assume {{Version.LATEST}}, but if it is set to e.g. 8.2 then {{blockUnknown}} could default to true as before.

Or perhaps better is to introduce a "version" property in {{security.json}} that would work much like our schema version property, and we could start on version=2 from Solr9. This is how e.g. docker versions their docker-compose configs. This could be useful in the future if we need to change the very format of security.json to e.g. support multiple auth schemes and backends in the same cluster.
[jira] [Commented] (SOLR-13649) BasicAuth's 'blockUnknown' param should default to true
[ https://issues.apache.org/jira/browse/SOLR-13649?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16905822#comment-16905822 ]

Marcus Eagan commented on SOLR-13649:

I've added an error in case the blockUnknown parameter is not set to make it easier for the community to adopt this change upon upgrading.
[jira] [Commented] (SOLR-13649) BasicAuth's 'blockUnknown' param should default to true
[ https://issues.apache.org/jira/browse/SOLR-13649?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16898014#comment-16898014 ]

Jason Gerlowski commented on SOLR-13649:

I agree with Noble that this is a backwards compatible change. But if we hold off on introducing it until 9.0, I don't see any problems with that. We direct users to re-evaluate all config files on a major version upgrade already. So the only people who might be bitten by this change in defaults would have to be (1) going against that prescribed update step and (2) not paying attention to the release notes and CHANGES.txt where this is called out.

It might take a little extra documentation in the short term (a bullet point in release-notes), and I'm all for avoiding documentation bloat. But I think keeping the docs concise needs to be secondary to making security easy to get right.

[~janhoy] I'm +1 on seeing this change happen, assuming it's made clear in release notes and only introduced at the major version.
[jira] [Commented] (SOLR-13649) BasicAuth's 'blockUnknown' param should default to true
[ https://issues.apache.org/jira/browse/SOLR-13649?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16897572#comment-16897572 ]

Marcus Eagan commented on SOLR-13649:

[~noble.paul] That makes sense. It will be only added to 9.0 (master branch, I believe)
[jira] [Commented] (SOLR-13649) BasicAuth's 'blockUnknown' param should default to true
[ https://issues.apache.org/jira/browse/SOLR-13649?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16897569#comment-16897569 ]

Noble Paul commented on SOLR-13649:

bq. Can you explain what's backward incompatible about it so that the community has the details?

If we change it now, anyone who omitted that param will see a different behavior. So, this is automatically backward incompatible.

However I'm -0 on changing the default in a major release.

0 : because it is not a big deal and doesn't take away any functionality
-ve : because it leads to extra documentation
[jira] [Commented] (SOLR-13649) BasicAuth's 'blockUnknown' param should default to true
[ https://issues.apache.org/jira/browse/SOLR-13649?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16897554#comment-16897554 ]

Marcus Eagan commented on SOLR-13649:

[~noble.paul] Can you explain what's backward incompatible about it so that the community has the details?

I've explained why we need to change it if you read above. All our documentation is a false statement, starting with documentation you wrote. Secondly, the default behavior is not intuitive yet should not require documentation consultation.
[jira] [Commented] (SOLR-13649) BasicAuth's 'blockUnknown' param should default to true
[ https://issues.apache.org/jira/browse/SOLR-13649?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16897095#comment-16897095 ]

Noble Paul commented on SOLR-13649:

It's a backward incompatible change. However all our documentation has blockUnknown=true. Why do we need to change anything?
[jira] [Commented] (SOLR-13649) BasicAuth's 'blockUnknown' param should default to true
[ https://issues.apache.org/jira/browse/SOLR-13649?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=16897085#comment-16897085 ]

Jan Høydahl commented on SOLR-13649:

[~noble.paul], [~sarkaramr...@gmail.com], is there a reason why this would NOT work out?