Skip to content

Commit 85b8568

Browse files
authored
SOLR-18216 Fix documentation bug for jwt-auth blockUnkonwn (#4374)
Document the fact that the default for blockUnknown is 'false'.
1 parent b522264 commit 85b8568

3 files changed

Lines changed: 26 additions & 6 deletions

File tree

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,8 @@
1+
# See https://github.com/apache/solr/blob/main/dev-docs/changelog.adoc
2+
title: "JWT Authentication Plugin: correct documentation of `blockUnknown` default value (`false`, not `true`). See upgrade notes in the reference guide for more details."
3+
type: fixed # added, changed, fixed, deprecated, removed, dependency_update, security, other
4+
authors:
5+
- name: Jan Høydahl
6+
links:
7+
- name: SOLR-18216
8+
url: https://issues.apache.org/jira/browse/SOLR-18216

solr/solr-ref-guide/modules/deployment-guide/pages/jwt-authentication-plugin.adoc

Lines changed: 10 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -37,22 +37,27 @@ The simplest possible `security.json` for registering the plugin without configu
3737
{
3838
"authentication": {
3939
"class":"solr.JWTAuthPlugin",
40-
"blockUnknown":"false"
40+
"blockUnknown": false
4141
}
4242
}
4343
----
4444

45-
The plugin will by default require a valid JWT token for all traffic.
45+
[WARNING]
46+
====
47+
Earlier versions of this documentation incorrectly stated that `blockUnknown` defaulted to `true`. The actual default is `false`, meaning requests without a JWT token are passed through unauthenticated. If you intend to require authentication for all requests, you must explicitly set `"blockUnknown": true` in your `security.json`.
48+
====
49+
50+
By default, `blockUnknown` is `false`, so requests without a JWT token are passed through unauthenticated.
4651

47-
If the `blockUnknown` property is set to `false` as in the above example, it is possible to start configuring the plugin using unauthenticated REST API calls, which is further described in section <<Editing JWT Authentication Plugin Configuration>>.
52+
With `blockUnknown` set to `false` (the default, as shown above), you can configure the plugin using unauthenticated REST API calls, which is further described in section <<Editing JWT Authentication Plugin Configuration>>.
4853

4954
== Configuration Parameters
5055

5156
//*TODO*: standard is not to put parameters in tables but use labeled lists instead
5257
[%header,format=csv,separator=;,cols="25%,50%,25%"]
5358
|===
5459
Key ; Description ; Default
55-
blockUnknown ; Set to `false` to if you need to perform configuration through REST API or if you use an Authorization Plugin and only want certain paths protected. By default all requests will require a token ; `true`
60+
blockUnknown ; Set to `true` to require a valid JWT token for all requests. Set to `false` (the default) to allow unauthenticated requests through — useful when configuring via REST API or when an Authorization Plugin handles path-based protection ; `false`
5661
realm ; Name of the authentication realm to echo back in HTTP 401 responses. Will also be displayed in Admin UI login page ; 'solr-jwt'
5762
scope ; Whitespace separated list of valid scopes. If configured, the JWT access token MUST contain a `scope` claim with at least one of the listed scopes. Example: `solr:read solr:admin` ;
5863
requireIss ; Fails requests that lacks an `iss` (issuer) claim ; `true`
@@ -167,7 +172,7 @@ Let's look at a more complex configuration, this time with two issuers configure
167172
Let's comment on this config:
168173

169174
<1> Plugin class
170-
<2> Make sure to block anyone without a valid token (this is also the default)
175+
<2> Explicitly block anyone without a valid token (the default is `false`, so this must be set explicitly to enforce authentication)
171176
<3> Fetch the user id from another claim than the default `sub`
172177
<4> Require that the `foo` claim is one of "A" or "B" and that the `dept` claim is "IT"
173178
<5> Require one of the scopes `solr:read`, `solr:write` or `solr:admin`

solr/solr-ref-guide/modules/upgrade-notes/pages/major-changes-in-solr-9.adoc

Lines changed: 8 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -97,6 +97,13 @@ The project normally doesn't remove functionality in a minor release, but we mad
9797

9898
+NOTE: The previous parse-context-based configuration (`parseContext.config`) is no longer supported. Tika parser-specific properties must now be configured directly on the Tika Server itself, rather than through Solr configuration. Please refer to the Tika Server documentation for details on how to set these properties.
9999

100+
=== JWT Authentication Plugin: `blockUnknown` documentation corrected
101+
102+
The `blockUnknown` configuration parameter of the xref:deployment-guide:jwt-authentication-plugin.adoc[JWT Authentication Plugin] defaults to `false`, meaning requests without a JWT token are passed through unauthenticated.
103+
Previous versions of the reference guide incorrectly stated the default was `true`.
104+
105+
* Users who relied on the (incorrectly documented) default of `true` should explicitly add `"blockUnknown": true` to their `authentication` block in `security.json` to preserve the intended behaviour.
106+
100107
== Solr 9.10
101108

102109
=== SolrJ
@@ -389,7 +396,7 @@ to switch back if needed.
389396
* Upgrade to Zookeeper 3.7, allowing for TLS protected ZK communication.
390397
* All request handlers support security permissions. Users may have to adapt their `security.json`.
391398
* Ability to disable admin UI through a system property.
392-
* The property `blockUnknown` in the `BasicAuthPlugin` and the `JWTAuthPlugin` now defaults to `true` instead of `false`. This change is backward incompatible. If you need the pre-9.0 default behavior, you need to explicitly set `blockUnknown:false` in `security.json`.
399+
* The property `blockUnknown` in the `BasicAuthPlugin` [.line-through]#and the `JWTAuthPlugin`# now defaults to `true` instead of `false`. This change is backward incompatible. If you need the pre-9.0 default behavior, you need to explicitly set `blockUnknown:false` in `security.json`.
393400
* Solr now runs with the Java security manager enabled by default. Hadoop users may need to disable this.
394401
* Solr now binds to localhost network interface by default for better out of the box security.
395402
Administrators that need Solr exposed more broadly can change the `SOLR_JETTY_HOST` property in their Solr include (`solr.in.sh`/`solr.in.cmd`) file.

0 commit comments

Comments
 (0)