[SOLR-15388] PKIAuthenticationPlugin intercepts every outgoing requests not just inter-nodes - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Open
Priority: Major
Resolution: Unresolved
Affects Version/s: 8.8.2
Fix Version/s: None
Component/s: Authentication
Labels:
None
Environment:

Solr

Kerberos

Ranger

Description

PKIAuthentication plugin's HttpHeaderClientInterceptor runs process and auth plugin's interceptInternodeRequest method to every outgoing request which can be not necessarily an internode request.

Use case:
Solr is authorized with ranger and send audit logs to another solr. And the required authentication method is Kerberos. In this case the HttpHeaderClientInterceptor still intercept the request however it goes to another solr and puts the Solr user into the SolrAuth header. And this force the other solr to handle it with the PKIAuthentication plugin which will end in a PKIException:

2021-03-19 07:39:07.027 WARN (qtp1961002599-9199) [ ] o.a.s.s.PKIAuthenticationPlugin Failed to decrypt header, trying after refreshing the key
2021-03-19 07:39:07.027 ERROR (qtp1961002599-9199) [ ] o.a.s.s.PKIAuthenticationPlugin Decryption failed , key must be wrong => java.security.InvalidKeyException: No installed provider supports this key: (null)

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

SOLR-15388_Check_if_request_is_really_inter-node.patch
30/Apr/21 14:05
3 kB
Geza Nagy

Activity

People

Assignee:: Unassigned

Reporter:: Geza Nagy

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 30/Apr/21 14:02

Updated:: 23/Jun/21 13:49