lucene-dev mailing list archives

From "Ishan Chattopadhyaya (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (SOLR-7849) Secure Inter-node communication in a standard mechanism
Date Wed, 05 Aug 2015 12:03:04 GMT

    [ https://issues.apache.org/jira/browse/SOLR-7849?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14655245#comment-14655245 ]

Ishan Chattopadhyaya edited comment on SOLR-7849 at 8/5/15 12:02 PM:
---------------------------------------------------------------------

+1, looks great!

Here are some minor issues:
1.
{noformat}
  private void addHttpConfigurer(Object authcPlugin) {
      ...
      log.info("Reconfiguring the shard handler factory and update shard handler.");
{noformat}
Can we change it to: 
{noformat}
      log.info("Reconfiguring the httpclients of shard handler factory and update shard handler.");
{noformat}

2.
{noformat}
  private void addHttpConfigurer(Object authcPlugin) {
    log.info("addHttpConfigurer()");//TODO no commit
{noformat}

I don't see any reason for the nocommit here. Is there something missing still?

3. 
I think in SDF's `doFilter()`,
{noformat}
    if (cores.getAuthenticationPlugin() != null) {
{noformat}
should be
{noformat}
    if (cores != null && cores.getAuthenticationPlugin() != null) {
{noformat}
This is for those requests that come in even before the init() has finished execution.

4. In PKIAuthenticationPlugin,
{noformat}
  private int maxValidity = 5000;
{noformat}
Am I correct in my understanding that the difference of received internode request's timestamp
and current timestamp shouldn't be more than this maxValidity? If that's true, I think an
out of the box default of 5 secs is too low. Unless we require all nodes to be using NTP;
is that the plan? Also, shouldn't this be admin/user configurable?


was (Author: ichattopadhyaya):
+1, looks great!

Here are some minor issues:
1.
{noformat}
  private void addHttpConfigurer(Object authcPlugin) {
      ...
      log.info("Reconfiguring the shard handler factory and update shard handler.");
{noformat}
Can we change it to: 
{noformat}
      log.info("Reconfiguring the httpclients of shard handler factory and update shard handler.");
{noformat}

2.
{noformat}
  private void addHttpConfigurer(Object authcPlugin) {
    log.info("addHttpConfigurer()");//TODO no commit
{noformat}

I don't see any reason for the nocommit here. Is there something missing still?

3. 
I think in SDF's `doFilter()`,
{noformat}
    if (cores.getAuthenticationPlugin() != null) {
{noformat}
should be
{noformat}
    if (cores != null && cores.getAuthenticationPlugin() != null) {
{noformat}
This is for those requests that come in even before the init() has finished execution.

4. In PKIAuthenticationPlugin,
{noformat}
  private int maxValidity = 5000;
{noformat}
Am I correct in my understanding that the received internode request's timestamp and current
timestamp shouldn't be more than this maxValidity? If that's true, I think an out of the box
default of 5 secs is too low. Also, shouldn't this be configurable?

> Secure Inter-node communication in a standard mechanism
> --------------------------------------------------------
>
>                 Key: SOLR-7849
>                 URL: https://issues.apache.org/jira/browse/SOLR-7849
>             Project: Solr
>          Issue Type: Sub-task
>            Reporter: Noble Paul
>            Assignee: Noble Paul
>         Attachments: SOLR-7849.patch, SOLR-7849.patch, SOLR-7849.patch, SOLR-7849.patch
>
>
> Relying on every Authentication plugin to secure the internode communication is error prone. Solr can standardize the authentication so that only the first request that comes from outside the cluster needs to be authenticated by the authentication plugin
> The scheme to protect the communication will be as follows
> * Every Solr node creates an RSA key pair
> * The private key is kept private and the public key is made available through a core admin API
> * If authentication is enabled, every outgoing request will carry an extra header {{ SolrAuth : <nodename> encrypt_with_pvt_key(<original-user-principal> <timestamp>) }}
> * If authentication is enabled {{SolrDispatchFilter}} would look for this header and see the nodename
> ** If the public key of the nodename is available in cache, make a request to the node and fetch the public key
> ** If the public key has changed (because of a server restart) decryption fails and the public key is fetched again
> * If the decryption succeeds, the user-name is set to what the header has encoded



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@lucene.apache.org
For additional commands, e-mail: dev-help@lucene.apache.org
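
An added example, not code from the SOLR-7849 patch or from this message: a minimal sender/receiver pair for the header scheme in the issue description, showing how the validity window raised in item 4 interacts with clock skew between nodes. It assumes the freshness check is the absolute difference between the receiver's clock and the signed timestamp, uses a `SHA256withRSA` signature in place of the `encrypt_with_pvt_key` step, and all class, method and parameter names (including `maxValidityMs`) are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;

// Added illustration, not the SOLR-7849 patch; class and method names are hypothetical.
public class InterNodeHeaderDemo {
  // Sender: "<nodename> base64(<principal> <timestamp>).base64(signature)"
  static String buildHeader(String node, String principal, long nowMs, PrivateKey key)
      throws GeneralSecurityException {
    byte[] payload = (principal + " " + nowMs).getBytes(StandardCharsets.UTF_8);
    Signature s = Signature.getInstance("SHA256withRSA");
    s.initSign(key);
    s.update(payload);
    Base64.Encoder b64 = Base64.getEncoder();
    return node + " " + b64.encodeToString(payload) + "." + b64.encodeToString(s.sign());
  }

  // Receiver: returns the principal, or null when the signature or freshness check fails.
  static String verify(String header, PublicKey senderKey, long nowMs, long maxValidityMs)
      throws GeneralSecurityException {
    int sp = header.indexOf(' '), dot = header.lastIndexOf('.');
    if (sp < 0 || dot < sp) return null;
    byte[] payload, sig;
    try {
      payload = Base64.getDecoder().decode(header.substring(sp + 1, dot));
      sig = Base64.getDecoder().decode(header.substring(dot + 1));
    } catch (IllegalArgumentException e) { return null; }
    Signature s = Signature.getInstance("SHA256withRSA");
    s.initVerify(senderKey);
    s.update(payload);
    if (!s.verify(sig)) return null;   // check the signature before trusting any field
    String text = new String(payload, StandardCharsets.UTF_8);
    int cut = text.lastIndexOf(' ');
    long sent = Long.parseLong(text.substring(cut + 1));
    // Absolute difference: a sender clock running ahead fails just like one running behind.
    if (Math.abs(nowMs - sent) > maxValidityMs) return null;
    return text.substring(0, cut);
  }
  public static void main(String[] args) throws Exception {
    KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
    g.initialize(2048);
    KeyPair node1 = g.generateKeyPair();
    long sent = 1_438_776_000_000L;   // constructed sender clock reading, in ms
    String h = buildHeader("node1", "alice", sent, node1.getPrivate());
    long[][] cases = {{2_000, 5_000}, {7_000, 5_000}, {7_000, 30_000}};   // {skew, window}
    for (long[] c : cases)
      System.out.println(c[0] + " ms skew, " + c[1] + " ms window -> " + verify(h, node1.getPublic(), sent + c[0], c[1]));
  }
}
```

Widening the window to tolerate skew also lengthens the period during which a captured header can be replayed, so the value is a trade-off between clock discipline and replay exposure.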

