If you use the API to configure BasicAuth, the order in which you specify your config matters. Currently it is possible to set the blockUnknown property without any users being configured, rendering Solr useless. The same would be the case if the last user is removed when blockUnknown is still set.
Perhaps fail with code 409 Conflict or something?
More tricky is the case where BasicAuth is configured with no users, and someone adds an Authorization config requiring a certain user to do anything at all - it would also lock down Solr but since the plugins don't know about each other it is hard to control.
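An added example, not Solr's code and not part of the original report: a pre-flight check that replays BasicAuth edit commands (set-user, delete-user, set-property) against the authentication section of security.json and rejects, with the suggested 409, any step that would leave blockUnknown set with no users. The function names and the ConfigConflict exception are hypothetical, the stored credential value is a constructed stand-in, and the cross-plugin Authorization case is not covered.

```python
import copy

class ConfigConflict(Exception):
    """Hypothetical error for an edit that locks every caller out (HTTP 409)."""
    status = 409

def apply_command(auth, op, payload):
    """Return a copy of the authentication section with one edit applied."""
    new = copy.deepcopy(auth)
    creds = new.setdefault("credentials", {})
    if op == "set-property":
        new.update(payload)
    elif op == "set-user":
        # Solr stores a salted hash per user; a constructed marker stands in.
        for user in payload:
            creds[user] = "<hash> <salt>"
    elif op == "delete-user":
        names = [payload] if isinstance(payload, str) else payload
        for user in names:
            creds.pop(user, None)
    else:
        raise ValueError(f"unsupported command: {op}")
    return new

def check_lockout(auth):
    """Reject the state the report describes: blockUnknown on, zero users."""
    blocked = str(auth.get("blockUnknown", False)).lower() == "true"
    if blocked and not auth.get("credentials"):
        raise ConfigConflict("blockUnknown is set but no users are configured")

def apply_all(auth, commands):
    """Apply commands in order; the first one causing lockout is refused."""
    for op, payload in commands:
        candidate = apply_command(auth, op, payload)
        check_lockout(candidate)  # validate before accepting the new state
        auth = candidate
    return auth

if __name__ == "__main__":
    # Constructed starting state: plugin enabled, no users yet.
    base = {"class": "solr.BasicAuthPlugin", "credentials": {}}
    good = [("set-user", {"admin": "pw"}), ("set-property", {"blockUnknown": True})]
    bad = list(reversed(good))  # same commands, wrong order
    print("users first:", apply_all(base, good)["blockUnknown"])
    for label, state, cmds in (("flag first", base, bad),
                               ("remove last user", apply_all(base, good),
                                [("delete-user", "admin")])):
        try:
            apply_all(state, cmds)
        except ConfigConflict as exc:
            print(f"{label}: {exc.status} {exc}")
```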