lucene-dev mailing list archives

From Jan Høydahl (JIRA) <j...@apache.org>
Subject [jira] [Commented] (SOLR-8429) add a flag blockUnauthenticated to BasicAutPlugin
Date Thu, 17 Dec 2015 10:54:46 GMT

    [ https://issues.apache.org/jira/browse/SOLR-8429?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15061887#comment-15061887 ]

Jan Høydahl commented on SOLR-8429:
-----------------------------------

bq. All we need to do is change the example and add this flag there.

We have a tradition of letting example configs and defaults be the same, and reflect what
the majority of users want/need/expect.

bq. If we put in the default nobody will know this.

By controlling the default in luceneMatchVersion, people upgrading solr without upgrading
their config will get what they had, and still be able to add the flag if they wish. Those
bumping their config version will get the new default, and they will be aware of it since
it will be highlighted in the *Upgrading from Solr 5.4* section of CHANGES.

bq. ...a lot of users who have solr without security and they would just want to have minimal
security.

With "a lot of" -- do you mean "the majority"? The defaults should reflect what most people
would want when securing their Solr in production for the first time. The simplest possible
requirement is typically to require user/pass across the board. This should work, without
also having to configure an authorization plugin. Those that also want to add users, groups
and roles will add an authorization section, and those that want to open up for unauthenticated
users/clients would add the new flag.

This one command should be enough to secure *all* of Solr with username solr and password
solr:
{code}
server/scripts/cloud-scripts/zkcli.sh -z localhost:9983 -cmd put /security.json '{"authentication": {"class": "solr.BasicAuthPlugin","credentials": {"solr": "i9buKe/RhJV5bF/46EI9xmVVYyrnbg9zXf+2FrFwcy0= OTg3"}}}'
{code}
What to do if only class and no credentials are given? A) Temporarily allow all traffic until
at least 1 user is created, or B) Enable default credentials admin/admin with a big fat warning
in the ADMIN UI that it must be changed?

> add a flag blockUnauthenticated to BasicAutPlugin
> -------------------------------------------------
>
>                 Key: SOLR-8429
>                 URL: https://issues.apache.org/jira/browse/SOLR-8429
>             Project: Solr
>          Issue Type: Improvement
>            Reporter: Noble Paul
>            Assignee: Noble Paul
>
> If authentication is set up with BasicAuthPlugin, it lets all requests go through if
> no credentials are passed. This was done to have minimal impact for users who only wish
> to protect a few end points (say, collection admin and core admin only).
> We can add a flag to {{BasicAuthPlugin}} to allow only authenticated requests to go in




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@lucene.apache.org
For additional commands, e-mail: dev-help@lucene.apache.org
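The following is an added example, not code from the thread or from the Solr project. It audits a security.json of the shape shown in the comment above for the two situations discussed: whether a request carrying no credentials would be let through (per the issue description, BasicAuthPlugin allows it unless the new flag is set), and whether the plugin is configured with no users at all. It also generates and verifies the "<hash> <salt>" credential values using the salted double-SHA-256 scheme BasicAuthPlugin stores; the implementation is my own. The flag name `blockUnauthenticated` is taken from the thread and is an assumption, since the flag had not shipped when the comment was written.

```python
import base64
import binascii
import hashlib
import hmac
import json
import os
from typing import Optional

# Flag name as proposed in SOLR-8429; taken from the thread, not from a shipped Solr (assumption).
BLOCK_FLAG = "blockUnauthenticated"


def solr_password_hash(password: str, salt: bytes) -> str:
    """Hash a password the way BasicAuthPlugin stores it: base64(sha256(sha256(salt || password)))."""
    inner = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return base64.b64encode(hashlib.sha256(inner).digest()).decode("ascii")


def make_credential(password: str, salt: Optional[bytes] = None) -> str:
    """Build the '<hash> <salt>' value stored under "credentials" for one user."""
    if salt is None:
        salt = os.urandom(32)  # fresh random salt per user
    return solr_password_hash(password, salt) + " " + base64.b64encode(salt).decode("ascii")


def verify_credential(stored: str, password: str) -> bool:
    """Check a password against a stored '<hash> <salt>' value with a constant-time compare."""
    try:
        hash_b64, salt_b64 = stored.split(" ", 1)
        salt = base64.b64decode(salt_b64, validate=True)
    except (ValueError, binascii.Error):
        return False  # malformed stored value never verifies
    return hmac.compare_digest(solr_password_hash(password, salt), hash_b64)


def audit_security_json(text: str) -> dict:
    """Summarise what a security.json does with a request that carries no credentials,
    following the behaviour described in the issue: BasicAuthPlugin lets such requests
    through unless the flag is set."""
    cfg = json.loads(text)
    auth = cfg.get("authentication") or {}
    credentials = auth.get("credentials") or {}
    is_basic = auth.get("class") == "solr.BasicAuthPlugin"
    blocks = bool(auth.get(BLOCK_FLAG, False))
    return {
        "basic_auth_enabled": is_basic,
        "user_count": len(credentials),
        "has_authorization": "authorization" in cfg,
        # Without the flag, an unauthenticated request reaches the handlers.
        "unauthenticated_allowed": not (is_basic and blocks),
        # The case the comment asks about: plugin configured but no users at all.
        "no_users_configured": is_basic and len(credentials) == 0,
    }


def stored_credential(text: str, user: str) -> str:
    """Return the stored credential string for one user from a security.json document."""
    return json.loads(text)["authentication"]["credentials"][user]


# Constructed samples in the shape of the security.json from the thread; the credential
# is generated here for user "solr" / password "solr" with the fixed salt "987" (base64 "OTg3").
SAMPLE_SALT = b"987"
SAMPLE_WITHOUT_FLAG = json.dumps({
    "authentication": {
        "class": "solr.BasicAuthPlugin",
        "credentials": {"solr": make_credential("solr", SAMPLE_SALT)},
    }
})
SAMPLE_WITH_FLAG = json.dumps({
    "authentication": {
        "class": "solr.BasicAuthPlugin",
        BLOCK_FLAG: True,
        "credentials": {"solr": make_credential("solr", SAMPLE_SALT)},
    }
})
SAMPLE_NO_USERS = json.dumps({"authentication": {"class": "solr.BasicAuthPlugin"}})


if __name__ == "__main__":
    for name, doc in [("no flag", SAMPLE_WITHOUT_FLAG), ("with flag", SAMPLE_WITH_FLAG),
                      ("no users", SAMPLE_NO_USERS)]:
        print(name, audit_security_json(doc))
    print("verify solr/solr:", verify_credential(stored_credential(SAMPLE_WITHOUT_FLAG, "solr"), "solr"))
```

Run it against a real security.json pulled from ZooKeeper to see at a glance whether the configuration relies on the plugin's default of letting unauthenticated requests through, and whether any user is defined; `make_credential` is handy for producing the credential value to put in the file without hand-building the hash.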

