lucene-dev mailing list archives

From "Noble Paul (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (SOLR-7849) Secure Inter-node communication in a standard mechanism
Date Sat, 01 Aug 2015 01:44:05 GMT

    [ https://issues.apache.org/jira/browse/SOLR-7849?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14650095#comment-14650095 ]

Noble Paul commented on SOLR-7849:
----------------------------------

bq. How will node B be able to lookup the public key from core admin API of node A if A requires
B to also authenticate? Perhaps publish pub-key through ZK instead of core admin?

The public-key will be available at every node through a standard end-point, e.g. {{/admin/cores/key}},
which will always be unprotected.


bq. What should happen in multi-DC case; would cross cluster communication be treated as "internal"?


That mechanism will have to be sorted out. Not a part of this ticket.

e.g.: node-A in DC1 cluster wants to lookup node-P in DC2 cluster. We will publish the zk
address of DC2 cluster in ZK of DC1 cluster and vice versa. This way node-A will trust all
nodes in DC2 cluster as well.

bq. What would <original-user-principal> be in case the action is initiated by Solr and
not an external request?

It will be a standard string like {{'$'}}, which means the node itself is the principal.


> Secure Inter-node communication in a  standard mechanism
> --------------------------------------------------------
>
>                 Key: SOLR-7849
>                 URL: https://issues.apache.org/jira/browse/SOLR-7849
>             Project: Solr
>          Issue Type: Sub-task
>            Reporter: Noble Paul
>            Assignee: Noble Paul
>
> Relying on every Authentication plugin to secure the internode communication is error prone. Solr can standardize the authentication so that only the first request that comes from outside the cluster needs to be authenticated by the authentication plugin.
> The scheme to protect the communication will be as follows:
> * Every Solr node creates an RSA key pair
> * The private key is kept private and the public key is made available through a core admin API
> * If authentication is enabled, every outgoing request will carry an extra header {{SolrAuth : <nodename> encrypt_with_pvt_key(<original-user-principal> <timestamp>)}}
> * If authentication is enabled, {{SolrDispatchFilter}} would look for this header and see the nodename
> ** If the public key of the nodename is available in cache, make a request to the node and fetch the public key
> ** If the public key has changed (because of a server restart), decryption fails and the public key is fetched again
> * If the decryption succeeds, the user-name is set to what the header has encoded



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
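
The header exchange and key-cache behaviour described in the issue, as an added Java example that is not part of the original message and is not Solr's code. All class and method names, the 5-second freshness window and the `fetch` function standing in for the HTTP request to the key end-point are assumptions; the sketch also assumes a key is fetched when the node is not yet in the cache, and it performs "encrypt with private key" with the JDK's `RSA/ECB/PKCS1Padding` cipher.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.crypto.Cipher;
public class SolrAuthSketch { // added sketch; every name in this file is hypothetical
    static final long MAX_AGE_MS = 5000; // assumed freshness window, not stated in the ticket
    final Map<String, PublicKey> cache = new HashMap<>();
    final java.util.function.Function<String, PublicKey> fetch; // stands in for the GET of a node's key
    SolrAuthSketch(java.util.function.Function<String, PublicKey> fetch) { this.fetch = fetch; }
    static byte[] rsa(int mode, Key key, byte[] in) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance("RSA/ECB/PKCS1Padding");
        c.init(mode, key);
        return c.doFinal(in);
    }
    // Sender side: "<nodename> base64(RSA_private(<principal> <timestamp>))"
    static String header(String node, PrivateKey key, String principal, long now) throws Exception {
        byte[] ct = rsa(Cipher.ENCRYPT_MODE, key, (principal + " " + now).getBytes(StandardCharsets.UTF_8));
        return node + " " + Base64.getEncoder().encodeToString(ct);
    }
    static String decrypt(String b64, PublicKey key) {
        try {
            return new String(rsa(Cipher.DECRYPT_MODE, key, Base64.getDecoder().decode(b64)), StandardCharsets.UTF_8);
        } catch (Exception e) { return null; } // wrong or missing key, or malformed input
    }
    String verify(String header, long now) { // receiver side: the principal, or null to reject
        String[] p = header.split(" ", 2);
        if (p.length != 2) return null;
        String plain = decrypt(p[1], cache.computeIfAbsent(p[0], fetch));
        if (plain == null) { // key may have changed after a restart: refetch once and retry
            cache.put(p[0], fetch.apply(p[0]));
            plain = decrypt(p[1], cache.get(p[0]));
        }
        if (plain == null || !plain.matches(".+ \\d{1,18}")) return null;
        int sp = plain.lastIndexOf(' ');
        boolean fresh = Math.abs(now - Long.parseLong(plain.substring(sp + 1))) <= MAX_AGE_MS;
        return fresh ? plain.substring(0, sp) : null; // stale timestamps are rejected
    }
    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair before = g.generateKeyPair(), after = g.generateKeyPair(); // node-A restarts in between
        Map<String, PublicKey> published = new HashMap<>(Map.of("node-A", before.getPublic()));
        SolrAuthSketch nodeB = new SolrAuthSketch(published::get);
        long t = System.currentTimeMillis();
        System.out.println(nodeB.verify(header("node-A", before.getPrivate(), "alice", t), t));
        published.put("node-A", after.getPublic()); // constructed restart: new key pair published
        System.out.println(nodeB.verify(header("node-A", after.getPrivate(), "$", t), t));
        System.out.println(nodeB.verify(header("node-A", after.getPrivate(), "alice", t - 60000), t));
    }
}
```

Because the key end-point is unprotected, the receiver's trust rests entirely on where `fetch` obtains the key for a given nodename, so that lookup should be bound to the node's known address and a protected transport.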
