[
https://issues.apache.org/jira/browse/SOLR-18163?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18066800#comment-18066800
]
Jason Gerlowski edited comment on SOLR-18163 at 3/19/26 2:21 PM:
-----------------------------------------------------------------
All of the v2 API stuff is currently "experimental", and I think that would
technically extend to cover this system property. So by that logic we should
be able to remove it in (e.g.) 10.1 if we choose.
My one slight reservation with doing this is that folks might be leaning on
"solr.disable.v2" for security-adjacent purposes. That is - I can imagine
there are users who have set up RuleBasedAuth permissions for only v1 paths and
are using the sysprop to disable v2 paths that they don't want to think about
securing in their permission list. Removing the sysprop and making v2 "always
on" might open a security gap for any users who (1) don't notice the change on
upgrading and (2) don't have a "catch-all" permission in their list somewhere.
In talking about this qualm in a recent Community Meetup, folks pointed out that
this is really a "docs" problem. Any worries about this scenario can be
addressed by putting a sufficiently loud and attention-grabbing Upgrade Note or
changelog entry to ensure that users notice this change and appreciate its
implications.
I think I'm on board with that logic. So pending any objections here, I'll
target removing this sysprop in both main and branch_10x so that we can start
dogfooding our v2 APIs in various places.
was (Author: gerlowskija):
All of the v2 API stuff is currently "experimental", and I think that would
technically extend to cover this system property. So by that logic we should
be able to remove it in (e.g.) 10.1 if we choose.
My one slight reservation with doing this is that folks might be leaning on
"solr.disable.v2" for security-adjacent purposes. That is - I can imagine
there are users who have set up RuleBasedAuth permissions for only v1 paths and
are using the sysprop to disable v2 paths that they don't want to think about
securing in their permission list. Removing the sysprop and making v2 "always
on" might open a security gap for any users who (1) don't notice the change on
upgrading and (2) don't have a "catch-all" permission in their list somewhere.
In talking about this qualm in a recent Community Meetup, folks pointed out that
this is a problem we can solve by documentation. If
> Figure out V2 API use in Solr 10.1 and later
> --------------------------------------------
>
> Key: SOLR-18163
> URL: https://issues.apache.org/jira/browse/SOLR-18163
> Project: Solr
> Issue Type: New Feature
> Affects Versions: 10.1
> Reporter: Eric Pugh
> Priority: Blocker
>
> [https://github.com/apache/solr/pull/4154] is the first use of a V2 api as
> part of Solr, in the Solr CLI. However, we still have a setting that can be
> set solr.disable.v2 that of course would then break the v2 api.
> The decision was to merge 4154 to `main` only, and get a decision on this to
> decide if we back port to branch_10x for Solr 10.1.
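Added example, not part of the Jira comment or of Solr's code: a pre-upgrade check that reads a security.json and reports whether its RuleBasedAuthorizationPlugin permission list contains a role-bound catch-all. It assumes the "catch-all" meant above is Solr's predefined "all" permission; the sample documents, function name and finding codes are constructed for illustration.

```python
import json

# Constructed sample security.json contents (not taken from the issue).
def sample(extra_permissions):
    return json.dumps({"authorization": {
        "class": "solr.RuleBasedAuthorizationPlugin",
        "permissions": [
            # Hypothetical custom rule written with only a v1 path in mind.
            {"name": "v1-admin", "path": "/admin/collections", "role": "admin"},
            {"name": "update", "role": "indexer"},
        ] + extra_permissions,
        "user-role": {"alice": ["admin", "indexer"]},
    }})

V1_ONLY = sample([])                                  # no catch-all at all
OPEN_CATCH_ALL = sample([{"name": "all", "role": None}])
WITH_CATCH_ALL = sample([{"name": "all", "role": "admin"}])

def audit_catch_all(security_json):
    """Return finding codes; an empty list means a role-bound catch-all exists."""
    authz = json.loads(security_json).get("authorization") or {}
    if "RuleBasedAuthorizationPlugin" not in authz.get("class", ""):
        return ["NOT_RULE_BASED"]  # this check only understands RuleBasedAuth
    catch_alls = [p for p in authz.get("permissions", [])
                  if p.get("name") == "all"]
    if not catch_alls:
        # Requests that match no listed permission fall outside the rule list,
        # which is the gap described for newly enabled v2 paths.
        return ["NO_CATCH_ALL"]
    findings = []
    for perm in catch_alls:
        # A catch-all with a null role does not restrict anyone.
        if perm.get("role") is None:
            findings.append("CATCH_ALL_OPEN")
    return findings

if __name__ == "__main__":
    for label, doc in [("v1-only", V1_ONLY),
                       ("open catch-all", OPEN_CATCH_ALL),
                       ("role-bound catch-all", WITH_CATCH_ALL)]:
        print(label, audit_catch_all(doc) or "ok")
```

A "NO_CATCH_ALL" or "CATCH_ALL_OPEN" result is the configuration to review before running a release in which "solr.disable.v2" no longer has any effect.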