You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@solr.apache.org by "Alex Deparvu (Jira)" <ji...@apache.org> on 2023/01/19 23:16:00 UTC

[jira] [Updated] (SOLR-16551) Provide a way to disable the PKIAuthenticationPlugin TTL verification

     [ https://issues.apache.org/jira/browse/SOLR-16551?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alex Deparvu updated SOLR-16551:
--------------------------------
    Summary: Provide a way to disable the PKIAuthenticationPlugin TTL verification  (was: Provide a way to disable the PKIAuthenticationPlugin)

> Provide a way to disable the PKIAuthenticationPlugin TTL verification
> ---------------------------------------------------------------------
>
>                 Key: SOLR-16551
>                 URL: https://issues.apache.org/jira/browse/SOLR-16551
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: Authentication
>    Affects Versions: 8.6.3
>            Reporter: Alex Deparvu
>            Priority: Minor
>
> The PKIAuthenticationPlugin [0] plugin will secure inter-node communication by injecting a custom header that will allow any destination node to verify tampering of message by checking against source node's public key. This header also contains a TTL value that exists to prevent replay attacks (default is 5 seconds).
> Under very high load for increased periods of time, messages can start to expire, causing a spike in authorization errors. by trial and error, increasing the TTL value high enough seems to help the cluster get over the hump but it potentially only pushes the problem a bit futher ahead. Enabling inter-node encryption [1] can provide sufficient protection in transit so that the TTL check could be skipped.
> I am proposing to introduce a new system property that will allow disabling of the TTL check only ("pkiauth.disableTTLVerification" name open to suggestions).
> Note. The original description of this ticket has changed. based on the discussion below I have reduced the scope to introducing a system property as needed, off by default.
> [0] https://solr.apache.org/guide/solr/latest/deployment-guide/authentication-and-authorization-plugins.html#pkiauthenticationplugin
> [1] https://solr.apache.org/guide/solr/latest/deployment-guide/enabling-ssl.html



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org
For additional commands, e-mail: issues-help@solr.apache.org