[ 
https://issues.apache.org/jira/browse/SOLR-7126?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Noble Paul resolved SOLR-7126.
------------------------------
       Resolution: Fixed
    Fix Version/s: Trunk

> Secure loading of runtime external jars
> ---------------------------------------
>
>                 Key: SOLR-7126
>                 URL: https://issues.apache.org/jira/browse/SOLR-7126
>             Project: Solr
>          Issue Type: Sub-task
>            Reporter: Noble Paul
>            Assignee: Noble Paul
>              Labels: security
>             Fix For: Trunk
>
>         Attachments: SOLR-7126.patch, SOLR-7126.patch, SOLR-7126.patch
>
>
> We need to ensure that the jars loaded into Solr are trusted.
> We shall use simple PKI to protect the jars/config loaded into the system.
> The following are the steps involved for doing that.
> {noformat}
> #Step 1:
> # generate a 768-bit RSA private key, or whatever strength you would need
> $ openssl genrsa -out priv_key.pem 768
> # store your private keys safely (with a password if possible)
> # output public key portion in DER format (so that Java can read it)
> $ openssl rsa -in priv_key.pem -pubout -outform DER -out pub_key.der
> #Step 2:
> # load the .DER files to ZK under /keys/exe
> #Step 3:
> # start all your servers with -Denable.runtime.lib=true
> #Step 4:
> # sign the sha1 digest of your jar with one of your private keys and get the
> # base64 string of that signature
> $ openssl dgst -sha1 -sign priv_key.pem myjar.jar | openssl enc -base64
> #Step 5:
> # load your jars into blob store. Refer to SOLR-6787
> #Step 6:
> # use the command to add your jar to classpath as follows
> {noformat}
> {code}
> # "sig" is the output of step 4 with its base64 lines concatenated
> curl http://localhost:8983/solr/collection1/config -H 'Content-type:application/json' -d '{
>   "add-runtimelib" : {
>     "name": "jarname",
>     "version": 2,
>     "sig": "mW1Gwtz2QazjfVdrLFHfbGwcr8xzFYgUOLu68LHqWRDvLG0uLcy1McQ+AzVmeZFBf1yLPDEHBWJb5KXr8bdbHN/PYgUB1nsr9pk4EFyD9KfJ8TqeH/ijQ9waa/vjqyiKEI9U550EtSzruLVZ32wJ7smvV0fj2YYhrUaaPzOn9g0="
>   }
> }'
> {code}
> sig is the extra parameter; it is nothing but the base64-encoded value of
> the jar's SHA-1 signature.
> If no keys are present, the jar is loaded without any checking.
> Before loading a jar from blob store, each Solr node would check if there
> are keys present in the keys directory. If yes, each jar's signature will be
> verified with all the available public keys. If at least one succeeds, the
> jar is loaded into memory. If nothing succeeds, it will be rejected.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org
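The signing and verification round-trip that Steps 1 to 6 and the closing paragraph of the issue describe, as an added example written for this page; it is not code from Solr or from the issue's patches. It uses only Go's standard library: SignJar produces the same bytes as `openssl dgst -sha1 -sign priv_key.pem myjar.jar | openssl enc -base64` (a PKCS#1 v1.5 signature over the SHA-1 digest, base64-encoded), and VerifyJar implements the stated policy: with no trusted keys the jar is loaded unchecked, otherwise it is accepted if any key in the store verifies the signature and rejected if none does. The function names, the in-memory KeyStore standing in for the ZooKeeper /keys/exe directory, and the jar bytes are constructed for the example. The key size is 2048 bits rather than the 768 bits shown in Step 1: 768-bit RSA has been publicly factored and should not be used to protect code loading.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
	"unicode"
)

// KeyStore stands in for the ZK /keys/exe directory (constructed for this
// example): file name -> DER-encoded SubjectPublicKeyInfo, which is the
// format `openssl rsa -pubout -outform DER` writes.
type KeyStore map[string][]byte

// NewKey generates an RSA key pair and returns the private key together
// with the DER public key that would be uploaded to ZK.
func NewKey(bits int) (*rsa.PrivateKey, []byte, error) {
	priv, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		return nil, nil, err
	}
	der, err := x509.MarshalPKIXPublicKey(&priv.PublicKey)
	if err != nil {
		return nil, nil, err
	}
	return priv, der, nil
}

// SignJar produces the same signature as
//   openssl dgst -sha1 -sign priv_key.pem myjar.jar | openssl enc -base64
// i.e. PKCS#1 v1.5 over the SHA-1 digest of the jar, base64-encoded on one
// line (Step 6 asks for the wrapped openssl output to be concatenated).
func SignJar(priv *rsa.PrivateKey, jar []byte) (string, error) {
	digest := sha1.Sum(jar)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA1, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// VerifyJar applies the policy from the issue: with no keys present the jar
// is loaded unchecked; otherwise it is accepted if at least one trusted key
// verifies the signature and rejected if none does.
func VerifyJar(keys KeyStore, jar []byte, sigB64 string) (bool, error) {
	if len(keys) == 0 {
		return true, nil // nothing uploaded to /keys/exe: no check performed
	}
	// `openssl enc -base64` wraps at 64 columns; tolerate a pasted multi-line value.
	clean := strings.Map(func(r rune) rune {
		if unicode.IsSpace(r) {
			return -1
		}
		return r
	}, sigB64)
	sig, err := base64.StdEncoding.DecodeString(clean)
	if err != nil {
		return false, fmt.Errorf("sig is not valid base64: %w", err)
	}
	digest := sha1.Sum(jar)
	for _, der := range keys {
		pub, err := x509.ParsePKIXPublicKey(der)
		if err != nil {
			continue // unreadable key in the store: skip it, try the others
		}
		rsaPub, ok := pub.(*rsa.PublicKey)
		if !ok {
			continue
		}
		if rsa.VerifyPKCS1v15(rsaPub, crypto.SHA1, digest[:], sig) == nil {
			return true, nil
		}
	}
	return false, errors.New("signature did not verify with any trusted key")
}

func main() {
	signer, signerPub, err := NewKey(2048)
	if err != nil {
		panic(err)
	}
	jar := []byte("PK\x03\x04 constructed stand-in for myjar.jar") // constructed input
	sig, err := SignJar(signer, jar)
	if err != nil {
		panic(err)
	}
	store := KeyStore{"pub_key.der": signerPub}
	ok, err := VerifyJar(store, jar, sig)
	fmt.Println("trusted signer:", ok, err)
	tampered := append(append([]byte{}, jar...), '!')
	ok, err = VerifyJar(store, tampered, sig)
	fmt.Println("tampered jar:  ", ok, err)
}
```

Two properties of the policy are worth noticing when running it: a store with zero keys disables the check entirely, so an empty or missing /keys/exe node silently turns signature enforcement off, and the "any key succeeds" rule means every public key in the directory is an equally trusted code signer.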
