Posted to issues@solr.apache.org by "Alex Deparvu (Jira)" <ji...@apache.org> on 2023/01/19 23:16:00 UTC

[jira] [Commented] (SOLR-16551) Provide a way to disable the PKIAuthenticationPlugin

    [ https://issues.apache.org/jira/browse/SOLR-16551?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17678937#comment-17678937 ] 

Alex Deparvu commented on SOLR-16551:
-------------------------------------

[~houston], [~janhoy] thank you for the insightful discussion so far! I have updated the Jira description to only refer to the possibility of disabling the TTL check when needed, off by default, based on a system property similar to the existing TTL value. The patch should be trivial and I am happy to prepare one, if there are no objections.

> Provide a way to disable the PKIAuthenticationPlugin
> ----------------------------------------------------
>
>                 Key: SOLR-16551
>                 URL: https://issues.apache.org/jira/browse/SOLR-16551
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: Authentication
>    Affects Versions: 8.6.3
>            Reporter: Alex Deparvu
>            Priority: Minor
>
> The PKIAuthenticationPlugin [0] plugin will secure inter-node communication by injecting a custom header that will allow any destination node to verify tampering of message by checking against source node's public key. This header also contains a TTL value that exists to prevent replay attacks (default is 5 seconds).
> Under very high load for increased periods of time, messages can start to expire, causing a spike in authorization errors. By trial and error, increasing the TTL value high enough seems to help the cluster get over the hump but it potentially only pushes the problem a bit further ahead. Enabling inter-node encryption [1] can provide sufficient protection in transit so that the TTL check could be skipped.
> I am proposing to introduce a new system property that will allow disabling of the TTL check only ("pkiauth.disableTTLVerification" name open to suggestions).
> Note. The original description of this ticket has changed. Based on the discussion below I have reduced the scope to introducing a system property as needed, off by default.
> [0] https://solr.apache.org/guide/solr/latest/deployment-guide/authentication-and-authorization-plugins.html#pkiauthenticationplugin
> [1] https://solr.apache.org/guide/solr/latest/deployment-guide/enabling-ssl.html



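Added illustration (not Solr's code and not part of the original message): a minimal Java sketch of a signed, timestamped header with a TTL check, showing how a header delayed by load is rejected and what skipping the check accepts. The header layout, class name and method names are assumptions; the 5-second TTL and the property name come from the issue description.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;
// Added illustration; not Solr's PKIAuthenticationPlugin implementation.
// Assumed header layout: "<node> <sentMillis> <base64 RSA signature>".
public class TtlHeaderDemo {
    static String sign(PrivateKey key, String node, long sentMs) throws GeneralSecurityException {
        String payload = node + " " + sentMs;
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(payload.getBytes(StandardCharsets.UTF_8));
        return payload + " " + Base64.getEncoder().encodeToString(s.sign());
    }

    // Returns "accepted" or the reason the header was rejected.
    static String verify(PublicKey key, String header, long nowMs, long ttlMs, boolean skipTtl)
            throws GeneralSecurityException {
        String[] p = header.split(" ");
        if (p.length != 3) return "rejected: malformed header";
        long sentMs; byte[] sig;
        try {
            sentMs = Long.parseLong(p[1]);
            sig = Base64.getDecoder().decode(p[2]);
        } catch (IllegalArgumentException e) { // also covers NumberFormatException
            return "rejected: malformed header";
        }
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(key);
        s.update((p[0] + " " + p[1]).getBytes(StandardCharsets.UTF_8));
        if (!s.verify(sig)) return "rejected: bad signature";
        // Freshness: a validly signed header is only honoured within the TTL window.
        if (!skipTtl && nowMs - sentMs > ttlMs) return "rejected: expired";
        return "accepted";
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
        g.initialize(2048);
        KeyPair kp = g.generateKeyPair();
        long ttlMs = 5000;              // default TTL given in the issue
        long t0 = 1_700_000_000_000L;   // constructed send time
        String h = sign(kp.getPrivate(), "node1", t0);
        // Property name as proposed in the issue; false unless set with -D.
        boolean skip = Boolean.getBoolean("pkiauth.disableTTLVerification");
        System.out.println("200 ms old: " + verify(kp.getPublic(), h, t0 + 200, ttlMs, skip));
        System.out.println("7 s old:    " + verify(kp.getPublic(), h, t0 + 7000, ttlMs, skip));
        System.out.println("7 s old, TTL check skipped: " + verify(kp.getPublic(), h, t0 + 7000, ttlMs, true));
    }
}
```

The 7-second-old header may be a slow legitimate request or a captured one; the receiver sees the same bytes either way. With the check skipped, the signature alone no longer bounds how long a captured header stays valid, which is why the proposal pairs it with inter-node encryption.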