[ https://issues.apache.org/jira/browse/SOLR-8429?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15061910#comment-15061910 ]

Noble Paul commented on SOLR-8429:
----------------------------------

bq.By controlling the default in luceneMatchVersion, people upgrading solr 
without upgrading their config will get what they had, and still be able to add 
the flag if they wish.

I don't wish to tie this to {{luceneMatchVersion}}. This is just adding 
complexity and making it harder to debug.

bq.With "a lot of" – do you mean "the majority"? 

I have no numbers to justify either way. Solr users haven't had any 
authentication in the past. So the assumption was that most of them did not 
need any security (or they had alternate solutions).

Let's say what my proposal looks like:
{code}
server/scripts/cloud-scripts/zkcli.sh -z localhost:9983 -cmd put /security.json 
'{"authentication": {"class": "solr.BasicAuthPlugin", 
"blockUnauthenticated":true ,
"credentials": {"solr": "i9buKe/RhJV5bF/46EI9xmVVYyrnbg9zXf+2FrFwcy0= OTg3"}}}'
{code}

I'm eager to hear what others think about this.



> add a flag blockUnauthenticated to BasicAuthPlugin
> --------------------------------------------------
>
>                 Key: SOLR-8429
>                 URL: https://issues.apache.org/jira/browse/SOLR-8429
>             Project: Solr
>          Issue Type: Improvement
>            Reporter: Noble Paul
>            Assignee: Noble Paul
>
> If authentication is set up with BasicAuthPlugin, it lets all requests go 
> through if no credentials are passed. This was done to have minimal impact 
> for users who only wish to protect a few end points (say, collection admin 
> and core admin only).
> We can add a flag to {{BasicAuthPlugin}} to allow only authenticated requests 
> to go in.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
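
As an added illustration, not part of the original message and not Solr's code: a Python model of the decision the proposed flag changes. The flag name follows the proposal above; the `demo` user, the hash layout, and rejecting bad credentials in both modes are assumptions of this sketch.

```python
import base64, hashlib, hmac, json

def hash_password(password, salt):
    # Assumed layout for this sketch: "base64(sha256(sha256(salt+pw))) base64(salt)".
    inner = hashlib.sha256(salt + password.encode()).digest()
    outer = hashlib.sha256(inner).digest()
    return base64.b64encode(outer).decode() + " " + base64.b64encode(salt).decode()

def check_credentials(stored, password):
    try:
        _, salt_b64 = stored.split(" ")
        salt = base64.b64decode(salt_b64, validate=True)
    except ValueError:  # wrong field count or bad base64 in the stored value
        return False
    return hmac.compare_digest(hash_password(password, salt).encode(), stored.encode())

def decide(security_json, authorization_header):
    """Return (status, principal); 200 means the request passes the authentication stage."""
    conf = json.loads(security_json)["authentication"]
    block = conf.get("blockUnauthenticated", False)  # flag name as proposed in the message
    if authorization_header is None:
        # No credentials sent: the only case whose outcome the flag changes.
        return (401, None) if block else (200, None)
    scheme, _, payload = authorization_header.partition(" ")
    if scheme.lower() != "basic":
        return (401, None)
    try:
        raw = base64.b64decode(payload, validate=True).decode()
    except ValueError:  # malformed base64 or non-UTF-8 bytes
        return (401, None)
    user, sep, password = raw.partition(":")
    stored = conf.get("credentials", {}).get(user)
    if sep and isinstance(stored, str) and check_credentials(stored, password):
        return (200, user)
    return (401, None)  # assumption: bad credentials are rejected in both modes

def make_config(block):
    # Constructed sample user and password, not values from the message.
    creds = {"demo": hash_password("demo-password", b"constructed-salt")}
    auth = {"class": "solr.BasicAuthPlugin", "blockUnauthenticated": block,
            "credentials": creds}
    return json.dumps({"authentication": auth})

def basic(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

if __name__ == "__main__":
    for block in (False, True):
        print(block, decide(make_config(block), None))
```

With the flag off, an anonymous request reaches whatever authorization rules exist, so every endpoint without a rule stays open; with it on, the same request stops at authentication.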
