[
https://issues.apache.org/jira/browse/SOLR-7126?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Noble Paul updated SOLR-7126:
-----------------------------
Description:
We need to ensure that the jars loaded into solr are trusted
We shall use simple PKI to protect the jars/config loaded into the system
The following are the steps involved for doing that.
# create your private key. example: {{openssl genrsa -out key.pem 1024}} .
store your private keys safely (with a password if possible)
# create your public key from the private key. example: {{openssl rsa -in
key.pem -pubout > key.pub}}
copy the public keys to all solrs under {{SOLR_HOME/keys}} . or start all your
solr servers with {{-Dpublic.keys.dir=/location/of/keys}} . Please note that
you can store multiple public keys in that directory and all are valid
# start all your servers with {{-Denable.dynamic.loading=true}}
# sign the sha1 digest of your jar with one of your private keys and get the
base64 string of that signature. example {{openssl dgst -sha1 -sign key.pem
myjar.jar | openssl enc -base64}}
# use the command to add your jar to classpath as follows
{code}
curl http://localhost:8983/solr/collection1/config -H
'Content-type:application/json' -d '{
"add-runtimelib" : {"name": "jarname" , "version":2 ,
sig:"mW1Gwtz2QazjfVdrLFHfbGwcr8xzFYgUOLu68LHqWRDvLG0uLcy1McQ+AzVmeZFBf1yLPDEHBWJb5KXr8bdbHN/PYgUB1nsr9pk4EFyD9KfJ8TqeH/ijQ9waa/vjqyiKEI9U550EtSzruLVZ32wJ7smvV0fj2YYhrUaaPzOn9g0="
// out put of step #4
}
}'
{code}
If no keys are present , the jar is loaded without any checking.
Before loading a jar from blob store , each Solr node would check if there are
keys present in the keys directory. If yes, each jar's signature will be
verified with all the available public keys. If atleast one succeeds , the jar
is loaded into memory. If nothing succeeds , it will be rejected
was:
We need to ensure that the jars loaded into solr are trusted
We shall use simple PKI to protect the jars/config loaded into the system
The following are the steps involved for doing that.
* create your private key. example: {{openssl genrsa -out key.pem 1024}}
* create your public key from the private key. example: {{openssl rsa -in
key.pem -pubout > key.pub}}
* copy the public keys to all solrs under {{SOLR_HOME/keys}} . or start all
your solr servers with {{-Dpublic.keys.dir=/location/of/keys}} . Please note
that you can store multiple public keys in that directory and all are valid
* start all your servers with {{-Denable.dynamic.loading=true}}
* store your private keys safely
* sign the sha1 digest of your jar with one of your private keys and get the
base64 string of that signature. example {{openssl dgst -sha1 -sign key.pem
myjar.jar | openssl enc -base64}}
* use the command to add your jar to classpath as follows
{code}
curl http://localhost:8983/solr/collection1/config -H
'Content-type:application/json' -d '{
"add-runtimelib" : {"name": "jarname" , "version":2 ,
sig:"mW1Gwtz2QazjfVdrLFHfbGwcr8xzFYgUOLu68LHqWRDvLG0uLcy1McQ+AzVmeZFBf1yLPDEHBWJb5KXr8bdbHN/PYgUB1nsr9pk4EFyD9KfJ8TqeH/ijQ9waa/vjqyiKEI9U550EtSzruLVZ32wJ7smvV0fj2YYhrUaaPzOn9g0="}
}'
{code}
If no keys are present , the jar is loaded without any checking.
Before loading a jar from blob store , each Solr node would check if there are
keys present in the keys directory. If yes, each jar's signature will be
verified with all the available public keys. If atleast one succeeds , the jar
is loaded into memory. If nothing succeeds , it will be rejected
> signing a jar and secure dynamic loading
> ----------------------------------------
>
> Key: SOLR-7126
> URL: https://issues.apache.org/jira/browse/SOLR-7126
> Project: Solr
> Issue Type: Sub-task
> Reporter: Noble Paul
> Assignee: Noble Paul
>
> We need to ensure that the jars loaded into solr are trusted
> We shall use simple PKI to protect the jars/config loaded into the system
> The following are the steps involved for doing that.
> # create your private key. example: {{openssl genrsa -out key.pem 1024}} .
> store your private keys safely (with a password if possible)
> # create your public key from the private key. example: {{openssl rsa -in
> key.pem -pubout > key.pub}}
> copy the public keys to all solrs under {{SOLR_HOME/keys}} . or start all
> your solr servers with {{-Dpublic.keys.dir=/location/of/keys}} . Please note
> that you can store multiple public keys in that directory and all are valid
> # start all your servers with {{-Denable.dynamic.loading=true}}
> # sign the sha1 digest of your jar with one of your private keys and get the
> base64 string of that signature. example {{openssl dgst -sha1 -sign key.pem
> myjar.jar | openssl enc -base64}}
> # use the command to add your jar to classpath as follows
> {code}
> curl http://localhost:8983/solr/collection1/config -H
> 'Content-type:application/json' -d '{
> "add-runtimelib" : {"name": "jarname" , "version":2 ,
> sig:"mW1Gwtz2QazjfVdrLFHfbGwcr8xzFYgUOLu68LHqWRDvLG0uLcy1McQ+AzVmeZFBf1yLPDEHBWJb5KXr8bdbHN/PYgUB1nsr9pk4EFyD9KfJ8TqeH/ijQ9waa/vjqyiKEI9U550EtSzruLVZ32wJ7smvV0fj2YYhrUaaPzOn9g0="
> // out put of step #4
> }
> }'
> {code}
> If no keys are present , the jar is loaded without any checking.
> Before loading a jar from blob store , each Solr node would check if there
> are keys present in the keys directory. If yes, each jar's signature will be
> verified with all the available public keys. If atleast one succeeds , the
> jar is loaded into memory. If nothing succeeds , it will be rejected
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
