[jira] [Commented] (SOLR-15388) PKIAuthenticationPlugin intercepts every outgoing requests not just inter-nodes

Wed, 12 May 2021 00:46:08 -0700 


    [ 
https://issues.apache.org/jira/browse/SOLR-15388?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17343089#comment-17343089
 ] 

Geza Nagy commented on SOLR-15388:
----------------------------------

Well, that can work, I need some time to test it.

> PKIAuthenticationPlugin intercepts every outgoing requests not just 
> inter-nodes 
> --------------------------------------------------------------------------------
>
>                 Key: SOLR-15388
>                 URL: https://issues.apache.org/jira/browse/SOLR-15388
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: Authentication
>    Affects Versions: 8.8.2
>         Environment: Solr
> Kerberos
> Ranger
>            Reporter: Geza Nagy
>            Priority: Major
>         Attachments: SOLR-15388_Check_if_request_is_really_inter-node.patch
>
>
> PKIAuthentication plugin's HttpHeaderClientInterceptor runs process and auth 
> plugin's interceptInternodeRequest method to every outgoing request which can 
> be not necessarily an internode request.
> Use case: 
> Solr is authorized with ranger and send audit logs to another solr. And the 
> required authentication method is Kerberos. In this case the 
> HttpHeaderClientInterceptor still intercept the request however it goes to 
> another solr and puts the Solr user into the SolrAuth header. And this force 
> the other solr to handle it with the PKIAuthentication plugin which will end 
> in a PKIException:
> {code}
> 2021-03-19 07:39:07.027 WARN (qtp1961002599-9199) [ ] 
> o.a.s.s.PKIAuthenticationPlugin Failed to decrypt header, trying after 
> refreshing the key
> 2021-03-19 07:39:07.027 ERROR (qtp1961002599-9199) [ ] 
> o.a.s.s.PKIAuthenticationPlugin Decryption failed , key must be wrong => 
> java.security.InvalidKeyException: No installed provider supports this key: 
> (null)
> {code}



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org
For additional commands, e-mail: issues-h...@solr.apache.org

Reply via email to