You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@lucene.apache.org by "Mike Drob (Jira)" <ji...@apache.org> on 2020/02/06 18:28:00 UTC

[jira] [Commented] (SOLR-14223) PublicKeyHandler consumes a lot of entropy during tests

    [ https://issues.apache.org/jira/browse/SOLR-14223?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17031847#comment-17031847 ] 

Mike Drob commented on SOLR-14223:
----------------------------------

Based on [~rcmuir]'s suggestions, we can read a key from disk instead of generating a new one each time in our tests - this has the advantage of skipping the entropy consumption and also the expensive primality testing. PR is ready for final review if anybody is interested in taking a look.

> PublicKeyHandler consumes a lot of entropy during tests
> -------------------------------------------------------
>
>                 Key: SOLR-14223
>                 URL: https://issues.apache.org/jira/browse/SOLR-14223
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>    Affects Versions: 7.4, 8.0
>            Reporter: Mike Drob
>            Priority: Major
>          Time Spent: 1h 50m
>  Remaining Estimate: 0h
>
> After the changes in SOLR-12354 to eagerly create a {{PublicKeyHandler}} for the CoreContainer, the creation of the underlying {{RSAKeyPair}} uses {{SecureRandom}} to generate primes. This eats up a lot of system entropy and can slow down tests significantly (I observed it adding 10s to an individual test).
> Similar to what we do for SSL config for tests, we can swap in a non blocking implementation of SecureRandom for the key pair generation to allow multiple tests to run better in parallel. Primality testing with BigInteger is also slow, so I'm not sure how much total speedup we can get here, maybe it's worth checking if there are faster implementations out there in other libraries.
> In production cases, this also blocks creation of all cores. We should only create the Handler if necessary, i.e. if the existing authn/z tell us that they won't support internode requests.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@lucene.apache.org
For additional commands, e-mail: issues-help@lucene.apache.org