[
https://issues.apache.org/jira/browse/SOLR-7126?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Noble Paul updated SOLR-7126:
-----------------------------
Attachment: SOLR-7126.patch
utility class for crypto
> signing a jar and secure dynamic loading
> ----------------------------------------
>
> Key: SOLR-7126
> URL: https://issues.apache.org/jira/browse/SOLR-7126
> Project: Solr
> Issue Type: Sub-task
> Reporter: Noble Paul
> Assignee: Noble Paul
> Labels: security
> Attachments: SOLR-7126.patch
>
>
> We need to ensure that the jars loaded into Solr are trusted.
> We shall use simple PKI to protect the jars/config loaded into the system.
> The following are the steps involved for doing that.
> # Create your private key. Example: {{openssl genrsa -out key.pem 1024}}.
> Store your private keys safely (with a password if possible).
> # Create your public key from the private key. Example: {{openssl rsa -in key.pem -pubout > key.pub}}
> Copy the public keys to all Solr servers under {{SOLR_HOME/keys}}, or start all
> your Solr servers with {{-Dpublic.keys.dir=/location/of/keys}}. Please note
> that you can store multiple public keys in that directory and all are valid.
> # Start all your servers with {{-Denable.dynamic.loading=true}}
> # Sign the sha1 digest of your jar with one of your private keys and get the
> base64 string of that signature. Example: {{openssl dgst -sha1 -sign key.pem myjar.jar | openssl enc -base64}}
> # Load your jars into the blob store. Refer to SOLR-6787.
> # Use the command to add your jar to the classpath as follows:
> {code}
> curl http://localhost:8983/solr/collection1/config -H 'Content-type:application/json' -d '{
> "add-runtimelib" : {"name": "jarname" , "version":2 ,
> sig:"mW1Gwtz2QazjfVdrLFHfbGwcr8xzFYgUOLu68LHqWRDvLG0uLcy1McQ+AzVmeZFBf1yLPDEHBWJb5KXr8bdbHN/PYgUB1nsr9pk4EFyD9KfJ8TqeH/ijQ9waa/vjqyiKEI9U550EtSzruLVZ32wJ7smvV0fj2YYhrUaaPzOn9g0="
> // output of step #4
> }
> }'
> {code}
> If no keys are present, the jar is loaded without any checking.
> Before loading a jar from the blob store, each Solr node would check if there
> are keys present in the keys directory. If yes, each jar's signature will be
> verified with all the available public keys. If at least one succeeds, the
> jar is loaded into memory. If nothing succeeds, it will be rejected.
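
The acceptance rule described in the issue (a jar passes if its base64 signature verifies under at least one public key in the keys directory), as an added Java example; it is not the attached SOLR-7126.patch or Solr's own code. The class and method names are hypothetical, and the key pairs and jar bytes are constructed in `main` so it runs offline.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.X509EncodedKeySpec;
import java.util.*;

// Hypothetical class, not Solr's: accept a jar if any trusted key verifies its signature.
public class JarSignatureCheck {
    // Parse a PEM key as written by `openssl rsa -pubout` (X.509 SubjectPublicKeyInfo).
    static PublicKey parsePem(String pem) throws GeneralSecurityException {
        String b64 = pem.replaceAll("-----(BEGIN|END) PUBLIC KEY-----", "").replaceAll("\\s", "");
        byte[] der = Base64.getDecoder().decode(b64);
        return KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(der));
    }

    // `openssl dgst -sha1 -sign key.pem` emits an RSA PKCS#1 v1.5 signature: SHA1withRSA in Java.
    static boolean verifiedByAny(byte[] jar, String sigB64, Collection<PublicKey> keys) throws GeneralSecurityException {
        byte[] sig;
        try { sig = Base64.getMimeDecoder().decode(sigB64); } // tolerates openssl's line wraps
        catch (IllegalArgumentException e) { return false; }   // not valid base64
        for (PublicKey key : keys) {
            Signature verifier = Signature.getInstance("SHA1withRSA");
            verifier.initVerify(key);
            verifier.update(jar);
            try { if (verifier.verify(sig)) return true; }
            catch (SignatureException e) { /* wrong length for this key: try the next */ }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data: two throwaway key pairs and stand-in jar bytes.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair signer = gen.generateKeyPair(), other = gen.generateKeyPair();
        byte[] jar = "constructed jar bytes".getBytes(StandardCharsets.UTF_8);
        Signature s = Signature.getInstance("SHA1withRSA");
        s.initSign(signer.getPrivate());
        s.update(jar);
        String sig = Base64.getMimeEncoder().encodeToString(s.sign());
        // Round-trip the signer's public key through PEM, as it would sit in the keys directory.
        String pem = "-----BEGIN PUBLIC KEY-----\n" + Base64.getMimeEncoder().encodeToString(signer.getPublic().getEncoded()) + "\n-----END PUBLIC KEY-----\n";
        System.out.println("one trusted key matches: " + verifiedByAny(jar, sig, List.of(other.getPublic(), parsePem(pem))));
        System.out.println("no trusted key matches:  " + verifiedByAny(jar, sig, List.of(other.getPublic())));
        jar[0] ^= 1; // flip one bit of the jar after signing
        System.out.println("tampered jar accepted:   " + verifiedByAny(jar, sig, List.of(parsePem(pem))));
    }
}
```

With an empty key collection `verifiedByAny` returns false; the issue describes the no-keys case as loading the jar without any check, so a caller reproducing that behaviour has to branch on an empty keys directory before calling it.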