[ https://issues.apache.org/jira/browse/SOLR-15388?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17342485#comment-17342485 ]
Geza Nagy commented on SOLR-15388:
----------------------------------

I'm open to it. I checked the code and there are several places where HttpClientUtil.createClient is called. This is what registers the DynamicInterceptor for the clients. This is what is global/static and might be changed to not contain the interceptors but leave this option for the objects which create clients for themselves.

I have a few ways to go down:
1) Leave the current logic and create another createClient method in the HttpClientUtil which doesn't add the global interceptors inevitably so everyone can call that if they want the globally registered interceptors
2) Remove the whole interceptor logic out from HttpClientUtil and put it into a stateful object which can be created and used by the client builders individually.

This is much more a quick fix and not a robust solution for the root problem:
3) Add an env variable which can tell the PKIAuth plugin to not register its interceptor. So when another auth plugin is used the interceptor can be turned off.

> PKIAuthenticationPlugin intercepts every outgoing requests not just inter-nodes
> --------------------------------------------------------------------------------
>
>                 Key: SOLR-15388
>                 URL: https://issues.apache.org/jira/browse/SOLR-15388
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public)
>          Components: Authentication
>   Affects Versions: 8.8.2
>         Environment: Solr
> Kerberos
> Ranger
>            Reporter: Geza Nagy
>            Priority: Major
>         Attachments: SOLR-15388_Check_if_request_is_really_inter-node.patch
>
>
> PKIAuthentication plugin's HttpHeaderClientInterceptor runs process and auth
> plugin's interceptInternodeRequest method to every outgoing request which can
> be not necessarily an internode request.
> Use case:
> Solr is authorized with ranger and sends audit logs to another solr. And the
> required authentication method is Kerberos. In this case the
> HttpHeaderClientInterceptor still intercepts the request however it goes to
> another solr and puts the Solr user into the SolrAuth header. And this forces
> the other solr to handle it with the PKIAuthentication plugin which will end
> in a PKIException:
> {code}
> 2021-03-19 07:39:07.027 WARN (qtp1961002599-9199) [ ] o.a.s.s.PKIAuthenticationPlugin Failed to decrypt header, trying after refreshing the key
> 2021-03-19 07:39:07.027 ERROR (qtp1961002599-9199) [ ] o.a.s.s.PKIAuthenticationPlugin Decryption failed , key must be wrong => java.security.InvalidKeyException: No installed provider supports this key: (null)
> {code}
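One way to make the check the attachment name refers to (whether a request is really inter-node), as an added example that is not the attached patch or Solr's own code: a wrapper around an Apache HttpClient 4 `HttpRequestInterceptor` that runs the wrapped interceptor only when the target host is a known cluster node. The class name, the node-set supplier, the host names, the request path and the token value are assumptions constructed for illustration.

```java
import java.io.IOException;
import java.util.Locale;
import java.util.Set;
import java.util.function.Supplier;
import org.apache.http.HttpException;
import org.apache.http.HttpHost;
import org.apache.http.HttpRequest;
import org.apache.http.HttpRequestInterceptor;
import org.apache.http.message.BasicHttpRequest;
import org.apache.http.protocol.BasicHttpContext;
import org.apache.http.protocol.HttpContext;
import org.apache.http.protocol.HttpCoreContext;

/** Hypothetical guard: run the wrapped interceptor only for requests to known cluster nodes. */
public final class InternodeOnlyInterceptor implements HttpRequestInterceptor {
  private final HttpRequestInterceptor delegate; // e.g. the interceptor that sets SolrAuth
  private final Supplier<Set<String>> nodes;     // assumed: current "host:port" of cluster nodes
  public InternodeOnlyInterceptor(HttpRequestInterceptor delegate, Supplier<Set<String>> nodes) {
    this.delegate = delegate;
    this.nodes = nodes;
  }

  @Override
  public void process(HttpRequest request, HttpContext context) throws HttpException, IOException {
    HttpHost target = HttpCoreContext.adapt(context).getTargetHost();
    if (target == null) return; // unknown destination: do not attach the internal header
    int port = target.getPort();
    if (port < 0) port = "https".equalsIgnoreCase(target.getSchemeName()) ? 443 : 80;
    String key = target.getHostName().toLowerCase(Locale.ROOT) + ":" + port;
    if (nodes.get().contains(key)) delegate.process(request, context);
  }

  /** Sends a constructed request through the guard and reports whether SolrAuth was set. */
  static boolean headerAdded(HttpRequestInterceptor guarded, String host, int port) throws Exception {
    HttpRequest req = new BasicHttpRequest("GET", "/solr/admin/info/system");
    HttpContext ctx = new BasicHttpContext();
    ctx.setAttribute(HttpCoreContext.HTTP_TARGET_HOST, new HttpHost(host, port, "http"));
    guarded.process(req, ctx);
    return req.containsHeader("SolrAuth");
  }

  public static void main(String[] args) throws Exception {
    // Constructed sample data: one cluster node, and a separate Solr that receives audit logs.
    Set<String> cluster = Set.of("solr-node1.example.internal:8983");
    HttpRequestInterceptor pki = (req, ctx) -> req.setHeader("SolrAuth", "constructed-token");
    HttpRequestInterceptor guarded = new InternodeOnlyInterceptor(pki, () -> cluster);
    System.out.println("inter-node: " + headerAdded(guarded, "solr-node1.example.internal", 8983));
    System.out.println("audit Solr: " + headerAdded(guarded, "solr-audit.example.internal", 8983));
  }
}
```

With httpcore 4.x on the classpath, the header is set only for the request to the cluster node, so the external Solr in the use case above never receives a SolrAuth header it cannot decrypt.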