[
https://issues.apache.org/jira/browse/SOLR-9609?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15637788#comment-15637788
]
Hrishikesh Gadre commented on SOLR-9609:
----------------------------------------
[~erickerickson] Here is my initial analysis:
- Currently PKIAuthenticationPlugin has been given a *special* status in the sense
that its initialization doesn't follow the pattern used by the rest of the
authentication plugins. Specifically, the configuration parameters of this
plugin are not initialized via the init(...) method.
https://github.com/apache/lucene-solr/blob/358bdd490b1b15f3af6a355f93a98caf83594b18/solr/core/src/java/org/apache/solr/security/PKIAuthenticationPlugin.java#L85
If we can fix this problem, then the rest of the implementation is trivial. If you
look at the relevant code in CoreContainer.java, you can see that this is
something _easy_ to fix.
https://github.com/apache/lucene-solr/blob/f22b1da261b93f60687431b161828e2fb27fdc8f/solr/core/src/java/org/apache/solr/core/CoreContainer.java#L462
If we can read security.json at this point, we can easily invoke the
PKIAuthenticationPlugin#init(...) method and pass appropriate configuration
parameters to it. Now the question is how to separate the config parameters for
the client-facing auth plugin (e.g. Basic auth) from the solr <-> solr communication
plugin (i.e. PKIAuthenticationPlugin)? I can think of a couple of options:
  - Have a predefined prefix for the config params related to
    PKIAuthenticationPlugin. This way we can specify all the params in the
    "authentication" section of security.json.
  - Define a new section for PKIAuthenticationPlugin (or, specifically, the
    authentication plugin for solr <-> solr communication).
Let me know if it looks OK to you. I can try this myself.
> Change hard-coded keysize from 512 to 1024
> ------------------------------------------
>
> Key: SOLR-9609
> URL: https://issues.apache.org/jira/browse/SOLR-9609
> Project: Solr
> Issue Type: Bug
> Security Level: Public(Default Security Level. Issues are Public)
> Reporter: Jeremy Martini
> Assignee: Erick Erickson
> Attachments: SOLR-9609.patch, SOLR-9609.patch, SOLR-9609.patch,
> solr.log
>
>
> In order to configure our dataSource without requiring a plaintext password
> in the configuration file, we extended JdbcDataSource to create our own
> custom implementation. Our dataSource config now looks something like this:
> {code:xml}
> <dataSource type="com.foo.FooDataSource" driver="oracle.jdbc.OracleDriver"
> url="jdbc:oracle:thin:@db-host-machine:1521:tst1" user="testuser"
> password="{ENC}{1.1}1ePOfWcbOIU056gKiLTrLw=="/>
> {code}
> We are using the RSA JSAFE Crypto-J libraries for encrypting/decrypting the
> password. However, this seems to cause an issue when we try to use Solr in a
> Cloud Configuration (using Zookeeper). The error is "Strong key gen and
> multiprime gen require at least 1024-bit keysize." Full log attached.
> This seems to be due to the hard-coded value of 512 in the
> org.apache.solr.util.CryptoKeys$RSAKeyPair class:
> {code:java}
> public RSAKeyPair() {
>   KeyPairGenerator keyGen = null;
>   try {
>     keyGen = KeyPairGenerator.getInstance("RSA");
>   } catch (NoSuchAlgorithmException e) {
>     throw new SolrException(SolrException.ErrorCode.SERVER_ERROR, e);
>   }
>   keyGen.initialize(512);
> {code}
> I pulled down the Solr code, changed the hard-coded value to 1024, rebuilt
> it, and now everything seems to work great.
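The two configuration options proposed in the comment, combined with a configurable RSA key size, as an added example that is not Solr's code and not part of the original message. The `pki.` prefix, the `interNodeAuthentication` section name, the `keySize` parameter and the 2048-bit default are all hypothetical; the parsed security.json is represented as nested maps.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.interfaces.RSAPublicKey;
import java.util.HashMap;
import java.util.Map;

public class PkiKeyConfigExample {
  static final String PKI_PREFIX = "pki.";                     // hypothetical prefix (first option)
  static final String PKI_SECTION = "interNodeAuthentication"; // hypothetical section (second option)
  static final String KEY_SIZE = "keySize";                    // hypothetical parameter name
  static final int DEFAULT_KEY_SIZE = 2048;                    // assumed default, not from the issue
  static final int MIN_KEY_SIZE = 1024;                        // minimum named in the reported error

  /** Collects the solr <-> solr plugin parameters from a parsed security.json. */
  @SuppressWarnings("unchecked")
  static Map<String, Object> pkiParams(Map<String, Object> securityJson) {
    Map<String, Object> out = new HashMap<>();
    Object auth = securityJson.get("authentication");
    if (auth instanceof Map) {
      for (Map.Entry<String, Object> e : ((Map<String, Object>) auth).entrySet()) {
        if (e.getKey().startsWith(PKI_PREFIX)) {
          out.put(e.getKey().substring(PKI_PREFIX.length()), e.getValue());
        }
      }
    }
    Object section = securityJson.get(PKI_SECTION);
    if (section instanceof Map) out.putAll((Map<String, Object>) section); // dedicated section wins
    return out;
  }

  /** Generates the key pair with the configured size instead of a hard-coded one. */
  static KeyPair generate(Map<String, Object> params) throws NoSuchAlgorithmException {
    Object raw = params.get(KEY_SIZE);
    int bits = raw == null ? DEFAULT_KEY_SIZE : Integer.parseInt(raw.toString());
    if (bits < MIN_KEY_SIZE) {
      throw new IllegalArgumentException("RSA keySize " + bits + " is below " + MIN_KEY_SIZE);
    }
    KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
    keyGen.initialize(bits);
    return keyGen.generateKeyPair();
  }

  public static void main(String[] args) throws Exception {
    Map<String, Object> auth = new HashMap<>(); // constructed sample configuration
    auth.put("class", "solr.BasicAuthPlugin");
    auth.put("pki.keySize", 2048);
    Map<String, Object> securityJson = new HashMap<>();
    securityJson.put("authentication", auth);
    KeyPair kp = generate(pkiParams(securityJson));
    System.out.println(((RSAPublicKey) kp.getPublic()).getModulus().bitLength());
  }
}
```

Rejecting an undersized value at configuration time surfaces the problem as a clear startup error rather than as a provider-specific exception during key generation.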