XMLWordPrintableJSON

Details

    • Sub-task
    • Status: Closed
    • Major
    • Resolution: Fixed
    • None
    • 5.3, 6.0
    • None
    • None

    Description

      Relying on every Authentication plugin to secure the internode communication is error prone. Solr can standardize the authentication so that only the first request that comes from outside the cluster needs to be authenticated by the authentication plugin

      The scheme to protect the communication will be as follows

      • Every Solr node creates a an RSA key pair
      • The private key is kept private and the public key is made available through a core admin API
      • If authentication is enabled , every outgoing request will carry an extra header {{ SolrAuth : <nodename> encrypt_with_pvt_key(<original-user-principal> <timestamp>) }}
      • If authentication is enabled SolrDispatchFilter would look for this header and see the nodename
        • If the public key of the nodename is available in cache , make a request to the node and fetch the public key
        • If the public key has changed (because of a server restart) decryption fails and the public keyis fetched again
      • If the decryption succeeds , the user-name is set to what the header has encoded

      Attachments

        1. SOLR-7849.patch
          38 kB
          Noble Paul
        2. SOLR-7849.patch
          41 kB
          Noble Paul
        3. SOLR-7849.patch
          44 kB
          Noble Paul
        4. SOLR-7849.patch
          54 kB
          Noble Paul

        Issue Links

          Activity

            People

              noble.paul Noble Paul
              noble.paul Noble Paul
              Votes:
              0 Vote for this issue
              Watchers:
              9 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: