[ https://issues.apache.org/jira/browse/SOLR-15388?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17342751#comment-17342751 ]

Gus Heck edited comment on SOLR-15388 at 5/11/21, 5:18 PM:
-----------------------------------------------------------

Yeah, sorry, HttpClientUtil's name (which probably should be HttpSolrClientUtil) 
fooled me into thinking you were contemplating creating an actual httpclient 
instance ... and worried that you were talking about Solr code, not Ranger code 
(in this Solr issue), I wanted to highlight that issue (but was short on time to 
actually read the whole ticket). I have some timeout-related scars, so I'm a 
little twitchy on that topic :). 

Edit: no, now looking at the class, HttpClientUtil is creating clients... so hmm, 
but long story short, I need to read all the comments before commenting 
further. 


> PKIAuthenticationPlugin intercepts every outgoing requests not just 
> inter-nodes 
> --------------------------------------------------------------------------------
>
>                 Key: SOLR-15388
>                 URL: https://issues.apache.org/jira/browse/SOLR-15388
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: Authentication
>    Affects Versions: 8.8.2
>         Environment: Solr
> Kerberos
> Ranger
>            Reporter: Geza Nagy
>            Priority: Major
>         Attachments: SOLR-15388_Check_if_request_is_really_inter-node.patch
>
>
> PKIAuthentication plugin's HttpHeaderClientInterceptor runs process and the 
> auth plugin's interceptInternodeRequest method on every outgoing request, 
> which is not necessarily an internode request.
> Use case: 
> Solr is authorized with Ranger and sends audit logs to another Solr, and the 
> required authentication method is Kerberos. In this case the 
> HttpHeaderClientInterceptor still intercepts the request, although it goes to 
> another Solr, and puts the Solr user into the SolrAuth header. This forces 
> the other Solr to handle it with the PKIAuthentication plugin, which will end 
> in a PKIException:
> {code}
> 2021-03-19 07:39:07.027 WARN (qtp1961002599-9199) [ ] 
> o.a.s.s.PKIAuthenticationPlugin Failed to decrypt header, trying after 
> refreshing the key
> 2021-03-19 07:39:07.027 ERROR (qtp1961002599-9199) [ ] 
> o.a.s.s.PKIAuthenticationPlugin Decryption failed , key must be wrong => 
> java.security.InvalidKeyException: No installed provider supports this key: 
> (null)
> {code}
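
Added example, not taken from the issue, its attached patch, or Solr's code base: a self-contained sketch of scoping an internal authentication header to requests whose destination is a node of the local cluster, so that a request to an external Solr (the audit target in the use case above) leaves without the SolrAuth header. The class name, the live-node set, the host names and the token value are hypothetical.

```java
import java.net.URI;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

/** Illustration only: attach an internal-auth header to inter-node requests and nothing else. */
public class InternodeHeaderScope {
    // Header name as given in the issue description; the value used below is a placeholder.
    static final String HEADER = "SolrAuth";

    // Hypothetical view of cluster membership: lower-case "host:port" entries.
    private final Set<String> liveNodes;

    InternodeHeaderScope(Set<String> liveNodes) {
        this.liveNodes = liveNodes;
    }

    /** True only when the target's host:port belongs to this cluster. */
    boolean isInternode(URI target) {
        String host = target.getHost();
        if (host == null) {
            return false; // relative or malformed URI: fail closed, send no internal header
        }
        int port = target.getPort();
        if (port == -1) { // no explicit port: fall back to the scheme default
            port = "https".equalsIgnoreCase(target.getScheme()) ? 443 : 80;
        }
        return liveNodes.contains(host.toLowerCase(Locale.ROOT) + ":" + port);
    }

    /** Returns the headers to send; the internal header is added only for inter-node targets. */
    Map<String, String> intercept(URI target, Map<String, String> headers, String token) {
        Map<String, String> out = new LinkedHashMap<>(headers);
        if (isInternode(target)) {
            out.put(HEADER, token);
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample data: two cluster nodes and one external audit Solr.
        InternodeHeaderScope scope = new InternodeHeaderScope(
                Set.of("solr1.example.com:8983", "solr2.example.com:8983"));
        Map<String, String> base = Map.of("Accept", "application/json");
        URI peer = URI.create("http://solr2.example.com:8983/solr/c1/select");
        URI audit = URI.create("https://audit-solr.example.net:8985/solr/audit_logs/update");
        System.out.println("peer  -> " + scope.intercept(peer, base, "<placeholder>").keySet());
        System.out.println("audit -> " + scope.intercept(audit, base, "<placeholder>").keySet());
    }
}
```
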


