MarcusSorealheis commented on a change in pull request #805: SOLR-13649 change 
the default behavior of the basic authentication plugin.
URL: https://github.com/apache/lucene-solr/pull/805#discussion_r310342269
 
 

 ##########
 File path: solr/CHANGES.txt
 ##########
 @@ -57,6 +57,8 @@ Upgrade Notes
 
 * SOLR-13596: Deprecated GroupingSpecification methods are removed. (Munendra 
S N)
 
+* SOLR-13649: When Basic Authentication is enabled, users will be required to 
enter credentials to access the Admin UI and associated operations by default. 
The blockUnknown parameter can still be set to false to disable the need to 
authenticate. (marcussorealheis) 
 
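Review bot: The added SOLR-13649 entry under Upgrade Notes never says that the default of blockUnknown itself is what changes, so a reader cannot tell that an existing setup which omits the parameter will behave differently after the upgrade. Consider wording it as "the default value of blockUnknown is now true" and saying that the parameter is set in the authentication section of security.json, so operators who rely on unauthenticated access know they must now set it to false explicitly. The added line also ends in trailing whitespace after "(marcussorealheis)", which should be dropped.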
 Review comment:
   > Gave some concrete comments. But there are many many more mentions of 
`blockUnknown` in the codebase. You should consider each and every one in light 
of the change. There should also be a unit test that asserts that the default 
is now true.
   > 
   > One example of a place that also needs change is 
https://github.com/apache/lucene-solr/blob/master/solr/core/src/java/org/apache/solr/util/SolrCLI.java#L4413
 but there are probably many more.
   > 
   > Related, I think we also should change the default and docs for 
`JWTAuthPlugin` to align with the new expectations:
   > 
   > We could also consider whether this special case security.json should 
still default to false or alternatively generate an ERROR instead of blocking 
everything, since it has no users at all:
   > 
   > ```
   > "authentication": {"class":"solr.BasicAuthPlugin"}
   > ```
   
   My strategy today was to simply add the parameter to the docs for JWT rather 
than changing its functionality. 
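
A pre-upgrade check for the default change discussed in this thread, as an added example that is not part of the PR or of Solr: it evaluates a security.json under the old default (false) and the new default (true) and flags the no-users special case quoted in the review. The function names and sample configurations are hypothetical, and `credentials` is assumed to be the key that holds the BasicAuthPlugin users.

```python
import json

BASIC_AUTH_CLASS = "solr.BasicAuthPlugin"

# Constructed sample inputs. SPECIAL_CASE is the snippet quoted in the review;
# the user name and the credential placeholder are made up for illustration.
SPECIAL_CASE = '{"authentication": {"class": "solr.BasicAuthPlugin"}}'
WITH_USER = ('{"authentication": {"class": "solr.BasicAuthPlugin",'
             ' "credentials": {"admin": "<hash> <salt>"}}}')
EXPLICIT_FALSE = ('{"authentication": {"class": "solr.BasicAuthPlugin",'
                  ' "blockUnknown": false,'
                  ' "credentials": {"admin": "<hash> <salt>"}}}')


def audit_basic_auth(security_json, default_block_unknown):
    """Describe how one security.json behaves under a given blockUnknown default."""
    auth = json.loads(security_json).get("authentication") or {}
    if auth.get("class") != BASIC_AUTH_CLASS:
        return {"plugin": auth.get("class"), "findings": ["not BasicAuthPlugin, skipped"]}
    explicit = "blockUnknown" in auth
    block = auth.get("blockUnknown", default_block_unknown)
    if not isinstance(block, bool):  # assumption: the value is a JSON boolean
        raise ValueError("blockUnknown must be true or false")
    users = sorted(auth.get("credentials") or {})
    findings = []
    if not explicit:
        findings.append("blockUnknown not set, behaviour follows the version default")
    if not block:
        findings.append("requests without credentials pass the authentication plugin")
    if block and not users:
        findings.append("no credentials defined, every request is blocked")
    return {"plugin": BASIC_AUTH_CLASS, "explicit": explicit,
            "block_unknown": block, "users": users, "findings": findings}


def compare_defaults(security_json):
    """Return (audit under old default false, audit under new default true)."""
    return (audit_basic_auth(security_json, False),
            audit_basic_auth(security_json, True))


def changes_on_upgrade(security_json):
    """True when the default flip alters the effective blockUnknown value."""
    old, new = compare_defaults(security_json)
    return old.get("block_unknown") != new.get("block_unknown")


if __name__ == "__main__":
    for name in ("SPECIAL_CASE", "WITH_USER", "EXPLICIT_FALSE"):
        print(name, changes_on_upgrade(globals()[name]), compare_defaults(globals()[name])[1])
```

A configuration that sets `blockUnknown` explicitly is unaffected by the flip; only files that omit it change behaviour.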
