janhoy opened a new pull request, #4477:
URL: https://github.com/apache/solr/pull/4477

   https://issues.apache.org/jira/browse/SOLR-18233
   
   **Password policy (affects all Basic Auth installations)**: Solr's Basic 
Authentication has had minimal password requirements. While the Admin UI 
enforced a few rules, it still permitted passwords identical to the username 
(e.g. admin/admin). This change disallows username/password equality both at 
login and at account creation, via the API and Admin UI alike. As a side 
effect, any existing installation retaining the well-known template credentials 
will have those accounts silently disabled until the passwords are changed.
   
   **`bin/solr auth enable` cleanup**: The command previously uploaded a 
bundled security.json template containing four undocumented accounts with weak 
default credentials. With this change:
   
   * The superadmin template account is removed from the bundled template
   * The remaining template accounts ship with no password set rather than a 
default one
   * The command will prompt the operator to set passwords for any template 
accounts at enable-time
* Documentation for `bin/solr auth enable` is updated to clearly describe all 
accounts it creates
   
   These changes collectively strengthen the security posture of both new and 
existing Solr installations using Basic Authentication.
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
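The two checks the PR describes, "password equals username" and "template account with no password set", can only be run against stored hashes, since security.json never contains plaintext. The script below is an added example, not Solr's or the PR's code, showing how an operator could audit an existing security.json for both conditions before upgrading, so that accounts are not surprised by being disabled at login. It assumes the BasicAuthPlugin credential layout of Solr's Sha256AuthenticationProvider as I understand it: base64(sha256(sha256(salt || password))) followed by a space and base64(salt); it also assumes an account "with no password set" is represented by an empty credential string, and the security.json it parses is constructed inline for the example.

```python
"""Audit a Solr BasicAuthPlugin security.json for username==password and unset passwords.

Added example, not part of Solr or the PR. Assumptions:
  * credential string layout is "<base64 sha256(sha256(salt||pw))> <base64 salt>",
    as in Solr's Sha256AuthenticationProvider (verify against your own install);
  * an account with no password set is stored as an empty string.
"""
import base64
import hashlib
import hmac
import json
import os
from typing import Dict, Optional

# Constructed fixed salt so the sample file below is deterministic; real
# credentials get a random 32-byte salt from make_credential().
FIXED_SALT_B64 = base64.b64encode(b"\x01" * 32).decode("ascii")


def solr_sha256(password: str, salt_b64: Optional[str]) -> str:
    """Double SHA-256 with the decoded salt prepended to the first round (assumed layout)."""
    salt = base64.b64decode(salt_b64) if salt_b64 else b""
    first = hashlib.sha256(salt + password.encode("utf-8")).digest()
    second = hashlib.sha256(first).digest()
    return base64.b64encode(second).decode("ascii")


def make_credential(password: str, salt_b64: Optional[str] = None) -> str:
    """Build the stored "<hash> <salt>" string, generating a random salt if none is given."""
    if salt_b64 is None:
        salt_b64 = base64.b64encode(os.urandom(32)).decode("ascii")
    return f"{solr_sha256(password, salt_b64)} {salt_b64}"


def verify_password(password: str, stored: str) -> bool:
    """Constant-time comparison of a candidate password against a stored credential."""
    parts = stored.split(" ", 1)
    digest = parts[0]
    salt_b64 = parts[1] if len(parts) == 2 else None
    return hmac.compare_digest(solr_sha256(password, salt_b64), digest)


def password_allowed(username: str, password: str) -> bool:
    """Account-creation policy from the PR text: password must be set and differ from the username.

    Equality is exact (case-sensitive); extend here if you want a looser rule."""
    return bool(password) and password != username


def audit(security: dict) -> Dict[str, str]:
    """Return one finding per account in security.json's credentials map."""
    creds = security.get("authentication", {}).get("credentials", {})
    findings: Dict[str, str] = {}
    for user, stored in creds.items():
        if not stored:
            findings[user] = "no password set"
        elif verify_password(user, stored):  # the only way to detect username==password from hashes
            findings[user] = "password equals username"
        else:
            findings[user] = "ok"
    return findings


# Constructed sample security.json: one template-style admin/admin account, one sane
# account, and one account left without a password.
SAMPLE_SECURITY_JSON = json.dumps({
    "authentication": {
        "blockUnknown": True,
        "class": "solr.BasicAuthPlugin",
        "credentials": {
            "admin": make_credential("admin", FIXED_SALT_B64),
            "solr": make_credential("SolrRocks", FIXED_SALT_B64),
            "indexer": "",
        },
    }
})
SAMPLE = json.loads(SAMPLE_SECURITY_JSON)


if __name__ == "__main__":
    for user, finding in audit(SAMPLE).items():
        print(f"{user}: {finding}")
```

Run it against a copy of your real security.json (replace SAMPLE with `json.load(open(path))`) to list which accounts the new login-time check would refuse; if the hashes of a known-good account do not verify with `verify_password`, the assumed hash layout does not match your Solr version and the audit results should not be trusted.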