[ https://issues.apache.org/jira/browse/SOLR-9541?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15510649#comment-15510649 ]
Hrishikesh Gadre commented on SOLR-9541:
----------------------------------------
Thanks for the feedback [~noble.paul], [~ichattopadhyaya]!
bq. AFAIK, with the kerberos plugin enabled, all internode communication is
done via Kerberos. Every solr node has a server principal and a client
principal. To have it use PKI, we might need to add the support.
No, that is not really needed. Just having support for kerberos in all cases
(client/server and server/server) is sufficient.
bq. What do you mean? The documentation says it clearly
Sorry, I missed that documentation section because it is in the basic
authentication page, which I didn't go through (mostly because I am interested
in kerberos integration and have no plans to use the basic auth). [~ctargett]
Maybe we can add this information in the following page for better visibility?
https://cwiki.apache.org/confluence/display/solr/Authentication+and+Authorization+Plugins
I also reviewed the code again and now I think I understand the design better.
BTW it looks like we initialize the PKIAuthenticationPlugin by default even
when it is not used. Can we initialize PKIAuthenticationPlugin lazily (on-need
basis)? This will help us to avoid exposing an unsecured endpoint (to retrieve
public-key) in case PKIAuthenticationPlugin is unused.
Any thoughts?
> Support configurable authentication mechanism for internode communication
> -------------------------------------------------------------------------
>
> Key: SOLR-9541
> URL: https://issues.apache.org/jira/browse/SOLR-9541
> Project: Solr
> Issue Type: Improvement
> Security Level: Public(Default Security Level. Issues are Public)
> Affects Versions: 5.3, 6.0
> Reporter: Hrishikesh Gadre
>
> SOLR-7849 introduced PKI based authentication mechanism for internode
> communication. The main reason for introducing SOLR-7849 was,
> >> Relying on every Authentication plugin to secure the internode
> >> communication is error prone.
> At Cloudera we are using Kerberos protocol for all communication without any
> issues (i.e. between client/server as well as server/server). We should make
> this internode authentication mechanism configurable (with default as PKI
> based mechanism). This will allow users to decide the appropriate
> authentication mechanism based on their security requirements.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)