You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@solr.apache.org by "Alex Deparvu (Jira)" <ji...@apache.org> on 2022/12/01 17:23:00 UTC
[jira] [Comment Edited] (SOLR-16551) Provide a way to disable the PKIAuthenticationPlugin
[ https://issues.apache.org/jira/browse/SOLR-16551?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17642063#comment-17642063 ]
Alex Deparvu edited comment on SOLR-16551 at 12/1/22 5:22 PM:
--------------------------------------------------------------
[~janhoy] could you provide some thoughts on the list thread? [0] just to make sure this does not get lost in the archives.
bq. I don't see how disabling PKI will give you better security.
I didn't say disabling it provides better security. I said under specific circumstances this mechanism provides no better security and it actually hurts very overloaded systems.
bq. We could look at whether the 5s default is too low, but it is configurable, right?
Yes it is configurable. We area already increasing the value (I think I mentioned this in the description already), but it feels like we're playing a game of Whack-A-Mole. If we can setup encryption, why also have this TTL constraint?
[0] https://lists.apache.org/thread/0xh87z9pwqy2x234588lk4dwn4mc1w5w
was (Author: alex.parvulescu):
[~janhoy] could you provide some thoughts on the list thread? [0] just to make sure this does not get lost in the archives.
> I don't see how disabling PKI will give you better security.
I didn't say disabling it provides better security. I said under specific circumstances this mechanism provides no better security and it actually hurts very overloaded systems.
> We could look at whether the 5s default is too low, but it is configurable, right?
Yes it is configurable. We area already increasing the value (I think I mentioned this in the description already), but it feels like we're playing a game of Whack-A-Mole. If we can setup encryption, why also have this TTL constraint?
[0] https://lists.apache.org/thread/0xh87z9pwqy2x234588lk4dwn4mc1w5w
> Provide a way to disable the PKIAuthenticationPlugin
> ----------------------------------------------------
>
> Key: SOLR-16551
> URL: https://issues.apache.org/jira/browse/SOLR-16551
> Project: Solr
> Issue Type: Improvement
> Security Level: Public(Default Security Level. Issues are Public)
> Components: Authentication
> Affects Versions: 8.6.3
> Reporter: Alex Deparvu
> Priority: Minor
>
> The PKIAuthenticationPlugin [0] plugin will secure inter-node communication by injecting a custom header that will allow any destination node to verify tampering of message by checking against source node's public key. This header also contains a TTL value that exists to prevent replay attacks (default is 5 seconds).
> Under very high load for increased periods of time, messages can start to expire, causing a spike in authorization errors. by trial and error, increasing the TTL value high enough seems to help the cluster get over the hump, but setting it too high will raise security concerns.
> This begs the question: is there any circumstance under which it is safe to disable the "header sign and check with TTL" mechanism. It seems that enabling inter-node encryption [1] can provide sufficient protection in transit so that the header approach would no longer be required.
> I am opening this ticket to gather feedback from the community. First, is this something that others have seen (heavy load can lead to 401s on inter-node requests). Second, is the approach to disable the PKI plugin sensible or would it cause more confusion and/or security troubles?
> [0] https://solr.apache.org/guide/solr/latest/deployment-guide/authentication-and-authorization-plugins.html#pkiauthenticationplugin
> [1] https://solr.apache.org/guide/solr/latest/deployment-guide/enabling-ssl.html
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscribe@solr.apache.org
For additional commands, e-mail: issues-help@solr.apache.org