[
https://issues.apache.org/jira/browse/SOLR-8429?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15061887#comment-15061887
]
Jan Høydahl commented on SOLR-8429:
-----------------------------------
bq. All we need to do is change the example and add this flag there.
We have a tradition of letting example configs and defaults be the same, and
reflect what majority of users want/need/expect.
bq. If we put in the default nobody will know this.
By controlling the default in luceneMatchVersion, people upgrading solr without
upgrading their config will get what they had, and still be able to add the
flag if they wish. Those bumping their config version will get the new default,
and they will be aware of it since it will be highlighted in the *Upgrading
from Solr 5.4* section of CHANGES.
bq. ...a lot of users who have solr without security and they would just want
to have minimal security.
With "a lot of" -- do you mean "the majority"? The defaults should reflect what
most people would want when securing their Solr in production for the first
time. The simplest possible requirement is typically to require user/pass
across the board. This should work, without also having to configure an
authorization plugin. Those that also want to add users, groups and roles will
add an authorization section, and those that want to open up for unauthenticated
users/clients would add the new flag.
This one command should be enough to secure *all* of Solr with username solr
and password solr:
{code}
server/scripts/cloud-scripts/zkcli.sh -z localhost:9983 -cmd put /security.json
'{"authentication": {"class": "solr.BasicAuthPlugin","credentials": {"solr":
"i9buKe/RhJV5bF/46EI9xmVVYyrnbg9zXf+2FrFwcy0= OTg3"}}}'
{code}
What to do if only class and no credentials are given? A) Temporarily allow all
traffic until at least 1 user is created, or B) Enable default credentials
admin/admin with a big fat warning in the ADMIN UI that it must be changed?
> add a flag blockUnauthenticated to BasicAuthPlugin
> --------------------------------------------------
>
> Key: SOLR-8429
> URL: https://issues.apache.org/jira/browse/SOLR-8429
> Project: Solr
> Issue Type: Improvement
> Reporter: Noble Paul
> Assignee: Noble Paul
>
> If authentication is setup with BasicAuthPlugin, it lets all requests go
> through if no credentials are passed. This was done to have minimal impact
> for users who only wish to protect a few end points (say, collection admin
> and core admin only).
> We can add a flag to {{BasicAuthPlugin}} to allow only authenticated requests
> to go in
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
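As an added example (not code from the ticket or from Solr itself), the script below reproduces the "hash salt" credentials format used in the zkcli command above and turns the comment's two open questions into checks a reviewer can run against a security.json: does it still let unauthenticated requests through, and does any account still use a default password such as admin/admin. It assumes Solr's Sha256AuthenticationProvider scheme (SHA-256 applied twice over salt plus password, base64 encoded), a constructed default-password list, and the flag name proposed in this issue (the option that later shipped in Solr is named "blockUnknown").

```python
import base64
import hashlib
import json
import os
from typing import Dict, List, Optional

# Flag name proposed in SOLR-8429; the option that shipped in Solr is "blockUnknown",
# so adjust this constant for the version you actually run.
BLOCK_FLAG = "blockUnauthenticated"

# Constructed list of passwords an auditor treats as default/weak (assumption).
DEFAULT_PASSWORDS = ("solr", "admin", "SolrRocks")


def solr_sha256(password: str, salt_b64: str) -> str:
    """Sha256AuthenticationProvider scheme: base64(sha256(sha256(salt || password)))."""
    salt = base64.b64decode(salt_b64)
    inner = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return base64.b64encode(hashlib.sha256(inner).digest()).decode("ascii")


def make_credential(password: str, salt: Optional[bytes] = None) -> str:
    """Produce the "<hash> <salt>" value stored under "credentials" in security.json."""
    salt = os.urandom(32) if salt is None else salt
    salt_b64 = base64.b64encode(salt).decode("ascii")
    return f"{solr_sha256(password, salt_b64)} {salt_b64}"


def verify_credential(password: str, credential: str) -> bool:
    """Check a cleartext password against a stored "<hash> <salt>" value."""
    stored_hash, salt_b64 = credential.split(" ", 1)
    return solr_sha256(password, salt_b64) == stored_hash


def build_security_json(users: Dict[str, str], block: bool = True) -> str:
    """Emit the security.json the zkcli command uploads, with the proposed flag set."""
    auth = {"class": "solr.BasicAuthPlugin", BLOCK_FLAG: block,
            "credentials": {user: make_credential(pw) for user, pw in users.items()}}
    return json.dumps({"authentication": auth}, indent=2)


def allows_unauthenticated(security_json: str) -> bool:
    """True when the flag is absent or false: the plugin then keeps its current
    default of letting requests without credentials through, as the issue describes."""
    auth = json.loads(security_json).get("authentication", {})
    return not bool(auth.get(BLOCK_FLAG, False))


def audit_default_credentials(security_json: str) -> List[str]:
    """Users whose stored hash matches a default password (the admin/admin concern)."""
    creds = json.loads(security_json)["authentication"].get("credentials", {})
    return [u for u, c in creds.items() if any(verify_credential(p, c) for p in DEFAULT_PASSWORDS)]
```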