lucene-dev mailing list archives

From Jan Høydahl (JIRA) <>
Subject [jira] [Commented] (SOLR-13649) When Using Basic Authentication, the blockUnknown Value should be True
Date Tue, 23 Jul 2019 23:35:00 GMT


Jan Høydahl commented on SOLR-13649:

It is a quite common case that you want to require authentication for write but not read,
or for admin operations but not for index/search etc.
Another reason for the default is that it enables you to start with an empty config (without
any users or roles) and still be allowed to use the security REST API to start adding users
and roles. Then, if you wish to only allow known users, you can flip the blockUnknown switch
after adding users.

I tend to agree with you that true would be a better default to follow the principle of least
surprise, so I'm positive about the idea of changing it. If we change it, we'd need to think
about back-compat, so that users that upgrade are not caught by surprise if they have not
specified the parameter in {{security.json}}. Perhaps wait until 9.0?

What do others think?

> When Using Basic Authentication, the blockUnknown Value should be True
> ----------------------------------------------------------------------
>                 Key: SOLR-13649
>                 URL:
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public (Default Security Level. Issues are Public)
>          Components: Admin UI, Authentication
>    Affects Versions: 7.7.2, 8.1.1
>         Environment: All
>            Reporter: Marcus Eagan
>            Priority: Major
>              Labels: Authentication
>          Time Spent: 10m
>  Remaining Estimate: 0h
> If someone seeks to enable basic authentication but they do not specify the {{blockUnknown}}
> parameter, the default value is {{false}}. That default behavior is a bit counterintuitive
> because if someone wishes to enable basic authentication, you would expect that they would
> want all unknown users to need to authenticate by default. I can imagine cases where you would
> not, but those cases would be less frequent.
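As an added illustration of the trade-off discussed in this thread (this is not Solr code and not part of the issue or the comment; it is a simplified model written for this page), the Python below shows how the authentication step governed by blockUnknown and the rule-based authorization step combine for a single request. The three security.json-shaped configs are constructed for the example, the credential hashes are placeholders, the mapping of predefined permission names to handler paths is an assumption, and the reading that a null role admits anyone and that an unmatched request is allowed follows the Solr reference guide as I understand it.

```python
"""Simplified model of Solr's BasicAuthPlugin `blockUnknown` combined with
RuleBasedAuthorizationPlugin permissions.  Added example for this page,
not Solr's own code; semantics are an approximation of the real plugins."""

from dataclasses import dataclass
from typing import Optional

# Assumed mapping of Solr's predefined permission names to handler paths and
# HTTP methods.  Real Solr matches these internally; this is a stand-in.
PREDEFINED = {
    "security-edit": {"paths": ("/admin/authentication", "/admin/authorization"),
                      "methods": ("POST",)},
    "security-read": {"paths": ("/admin/authentication", "/admin/authorization"),
                      "methods": ("GET",)},
    "update":        {"paths": ("/update",), "methods": ("POST",)},
    "read":          {"paths": ("/select", "/get"), "methods": ("GET", "POST")},
    "all":           {"paths": ("/",), "methods": ("GET", "POST", "PUT", "DELETE")},
}


@dataclass
class Request:
    path: str                   # handler path, e.g. "/select"
    method: str = "GET"
    user: Optional[str] = None  # None = no Authorization header was sent


def _matches(perm: dict, req: Request) -> bool:
    """First-match rule evaluation: a permission applies if path and method fit."""
    spec = PREDEFINED.get(perm.get("name"), {})
    paths = perm.get("path", spec.get("paths", ()))
    methods = perm.get("method", spec.get("methods", ()))
    paths = (paths,) if isinstance(paths, str) else tuple(paths)
    methods = (methods,) if isinstance(methods, str) else tuple(methods)
    return any(req.path.startswith(p) for p in paths) and (
        not methods or req.method in methods)


def decide(security: dict, req: Request) -> str:
    """Return 'allow', '401' (credentials required/invalid) or '403' (forbidden)."""
    auth = security.get("authentication", {})
    # Step 1, authentication.  With blockUnknown true an anonymous request is
    # rejected here, before any authorization rule is consulted.  With the
    # default (false) it passes through with no principal attached.
    if req.user is None and auth.get("blockUnknown", False):
        return "401"
    if req.user is not None and req.user not in auth.get("credentials", {}):
        return "401"
    # Step 2, authorization.  Permissions are checked in order, first match wins.
    authz = security.get("authorization", {})
    raw = authz.get("user-role", {}).get(req.user, []) if req.user else []
    user_roles = {raw} if isinstance(raw, str) else set(raw)
    for perm in authz.get("permissions", []):
        if not _matches(perm, req):
            continue
        role = perm.get("role")
        if role is None:
            return "allow"          # assumed: null role means anyone, even anonymous
        required = {role} if isinstance(role, str) else set(role)
        if req.user is None:
            return "401"            # a role is needed but nobody is logged in
        return "allow" if user_roles & required else "403"
    return "allow"                  # no rule matched: the request is allowed


# Constructed configs.  Hash values are placeholders; only user names matter here.
_CREDS = {"solr": "<base64 sha256 hash> <base64 salt>",
          "reader": "<base64 sha256 hash> <base64 salt>"}

# The "empty config" bootstrap case from the comment: no users, no rules, and
# blockUnknown left at its default, so the security REST API is reachable anonymously.
BOOTSTRAP = {
    "authentication": {"class": "solr.BasicAuthPlugin", "credentials": {}},
    "authorization": {"class": "solr.RuleBasedAuthorizationPlugin", "permissions": []},
}

# "Require authentication for write but not read": anonymous search is fine,
# updates and security edits need the admin role.
SPLIT = {
    "authentication": {"class": "solr.BasicAuthPlugin", "blockUnknown": False,
                       "credentials": _CREDS},
    "authorization": {"class": "solr.RuleBasedAuthorizationPlugin",
                      "permissions": [{"name": "security-edit", "role": "admin"},
                                      {"name": "update", "role": "admin"}],
                      "user-role": {"solr": "admin", "reader": "reader"}},
}

# The same rules with the switch flipped: every anonymous request is refused.
LOCKED = {
    "authentication": {"class": "solr.BasicAuthPlugin", "blockUnknown": True,
                       "credentials": _CREDS},
    "authorization": SPLIT["authorization"],
}
```

Running `decide(BOOTSTRAP, Request("/admin/authentication", "POST"))` returns "allow", which is exactly the property the comment relies on for bootstrapping users, and exactly what the issue reporter finds surprising. Under SPLIT an anonymous `/select` is allowed while an anonymous `/update` gets 401; under LOCKED even `/select` gets 401. One practical consequence of the flip: the request that sets blockUnknown to true must itself be authenticated, because after it succeeds there is no anonymous path left to undo it.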

This message was sent by Atlassian JIRA
