[ https://issues.apache.org/jira/browse/SOLR-8440?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16001649#comment-16001649 ]

Jan Høydahl commented on SOLR-8440:
-----------------------------------

[~ichattopadhyaya], have you tested the patch with {{-blockUnknown true}}?
If I'm not mistaken, it will cause Solr to be locked down and not even the 
admin user will be able to /query or /update :-)
Is there any way, using the same security.json, to just flip blockUnknown and allow 
the admin user to do everything once authenticated?

Or perhaps we should add support for an optional "normal" user right away. We 
could have three different hardcoded {{security.json}} files for these three 
cases:
*A:* Auth always required, but only one user who has all power (implicit 
blockUnknown and an "all" permission for the "user" role):
{noformat}
bin/solr auth -enable -type basic -user solr -password normalUser
{noformat}
*B:* Normal query / update activity not protected, but security-edit and 
collection edit require the admin user (as in the current patch)
{noformat}
bin/solr auth -enable -type basic -adminuser solr -adminpassword SolrRocks
{noformat}
*C:* Auth always required, the admin user is required for security, collection 
etc, while an ordinary user can do all the rest (implicit blockUnknown=true):
{noformat}
bin/solr auth -enable -type basic -adminuser solr -adminpassword SolrRocks 
-user solr -password normalUser
{noformat}

I think the current assumption that most novice users would be happy with *B* 
is not realistic. I don't even know if it makes sense to try to model the full 
power of the Authorization REST API on the command line - if you need complex 
stuff you'd probably use REST APIs, but perhaps these three use cases can cover 
80% of typical user needs?

> Script support for enabling basic auth
> --------------------------------------
>
>                 Key: SOLR-8440
>                 URL: https://issues.apache.org/jira/browse/SOLR-8440
>             Project: Solr
>          Issue Type: New Feature
>          Components: scripts and tools
>            Reporter: Jan Høydahl
>            Assignee: Ishan Chattopadhyaya
>              Labels: authentication, security
>         Attachments: SOLR-8440.patch, SOLR-8440.patch, SOLR-8440.patch, 
> SOLR-8440.patch, SOLR-8440.patch, SOLR-8440.patch
>
>
> Now that BasicAuthPlugin will be able to work without an AuthorizationPlugin 
> (SOLR-8429), it would be sweet to provide a super simple way to "Password 
> protect Solr"™ right from the command line:
> {noformat}
> bin/solr basicAuth -adduser -user solr -pass SolrRocks
> {noformat}
> It would take the mystery out of enabling one single password across the 
> board. The command would do something like this
> # Check if HTTPS is enabled, and if not, print a friendly warning
> # Check if {{/security.json}} already exists
> ## NO => create one with only plugin class defined
> ## YES => Abort if exists but plugin is not {{BasicAuthPlugin}}
> # Using security REST API, add the new user
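To make the three {{security.json}} shapes proposed in the comment above (A, B, C) and the create-or-abort steps of the original description concrete, here is an added example of my own; it is not code from the SOLR-8440 patch or from Solr itself. The credential format (base64 double SHA-256 over salt+password, a space, base64 salt) is my understanding of Solr's Sha256AuthenticationProvider and is an assumption; the function names, the sample user names and passwords, and the permission ordering (security/collection rules first, a catch-all {{all}} last, because the rule-based plugin uses the first matching permission) are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

BASIC_AUTH = "solr.BasicAuthPlugin"
RULE_AUTHZ = "solr.RuleBasedAuthorizationPlugin"


class SecurityJsonError(Exception):
    """Raised when an existing security.json cannot be extended safely."""


def solr_salted_hash(password: str, salt: bytes) -> str:
    # Assumption: sha256(sha256(salt || password)), base64 encoded, as I
    # understand Solr's Sha256AuthenticationProvider to do. Not Solr's code.
    first = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return base64.b64encode(hashlib.sha256(first).digest()).decode("ascii")


def make_credential(password: str, salt: Optional[bytes] = None) -> str:
    """Build the '<hash> <salt>' value stored under authentication.credentials."""
    salt = os.urandom(32) if salt is None else salt
    return f"{solr_salted_hash(password, salt)} {base64.b64encode(salt).decode('ascii')}"


def verify_credential(credential: str, password: str) -> bool:
    """Check a password against a stored credential in constant time."""
    try:
        hashed, salt_b64 = credential.split(" ", 1)
        expected = solr_salted_hash(password, base64.b64decode(salt_b64))
    except ValueError:
        return False  # malformed credential entry
    return hmac.compare_digest(hashed, expected)


def security_json(block_unknown: bool, users: Dict[str, str],
                  user_roles: Dict[str, object], permissions: List[dict]) -> dict:
    """Assemble a security.json with BasicAuth + rule-based authorization."""
    return {
        "authentication": {
            "class": BASIC_AUTH,
            "blockUnknown": block_unknown,
            "credentials": {u: make_credential(p) for u, p in users.items()},
        },
        "authorization": {
            "class": RULE_AUTHZ,
            "permissions": permissions,
            "user-role": user_roles,
        },
    }


# Case A: auth always required, one user with all power.
def case_a(user: str, password: str) -> dict:
    return security_json(True, {user: password}, {user: "admin"},
                         [{"name": "all", "role": "admin"}])


# Case B: anonymous query/update allowed; only security and collection
# administration need the admin user (blockUnknown stays false).
def case_b(admin: str, admin_pw: str) -> dict:
    return security_json(False, {admin: admin_pw}, {admin: "admin"},
                         [{"name": "security-edit", "role": "admin"},
                          {"name": "collection-admin-edit", "role": "admin"}])


# Case C: auth always required; admin for security/collections, an ordinary
# user for everything else. The catch-all "all" rule must come last because
# the first matching permission decides.
def case_c(admin: str, admin_pw: str, user: str, user_pw: str) -> dict:
    return security_json(True, {admin: admin_pw, user: user_pw},
                         {admin: "admin", user: "user"},
                         [{"name": "security-edit", "role": "admin"},
                          {"name": "collection-admin-edit", "role": "admin"},
                          {"name": "all", "role": ["admin", "user"]}])


def add_basic_auth_user(existing: Optional[dict], user: str, password: str,
                        https_enabled: bool) -> Tuple[dict, List[str]]:
    """The steps from the issue description: warn without HTTPS, create
    security.json if missing, abort if another auth plugin is configured."""
    warnings = []
    if not https_enabled:
        warnings.append("HTTPS is not enabled; Basic Auth sends credentials in clear text")
    if existing is None:
        existing = {"authentication": {"class": BASIC_AUTH, "credentials": {}}}
    elif existing.get("authentication", {}).get("class") != BASIC_AUTH:
        raise SecurityJsonError("security.json exists but its plugin is not BasicAuthPlugin")
    existing["authentication"].setdefault("credentials", {})[user] = make_credential(password)
    return existing, warnings
```

The point the comment makes shows up directly in the data: case B differs from A and C only in {{blockUnknown}} and in the permission list, so a tool that merely flips {{blockUnknown}} on a B-shaped file locks out everyone, including the admin, unless a catch-all permission is added at the same time.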



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
