[
https://issues.apache.org/jira/browse/SOLR-16551?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17642063#comment-17642063
]
Alex Deparvu commented on SOLR-16551:
-------------------------------------
[~janhoy] could you provide some thoughts on the list thread? [0] just to make
sure this does not get lost in the archives.
> I don't see how disabling PKI will give you better security.
I didn't say disabling it provides better security. I said under specific
circumstances this mechanism provides no better security and it actually hurts
very overloaded systems.
> We could look at whether the 5s default is too low, but it is configurable,
> right?
Yes it is configurable. We area already increasing the value (I think I
mentioned this in the description already), but it feels like we're playing a
game of Whack-A-Mole. If we can setup encryption, why also have this TTL
constraint?
[0] https://lists.apache.org/thread/0xh87z9pwqy2x234588lk4dwn4mc1w5w
> Provide a way to disable the PKIAuthenticationPlugin
> ----------------------------------------------------
>
> Key: SOLR-16551
> URL: https://issues.apache.org/jira/browse/SOLR-16551
> Project: Solr
> Issue Type: Improvement
> Security Level: Public(Default Security Level. Issues are Public)
> Components: Authentication
> Affects Versions: 8.6.3
> Reporter: Alex Deparvu
> Priority: Minor
>
> The PKIAuthenticationPlugin [0] plugin will secure inter-node communication
> by injecting a custom header that will allow any destination node to verify
> tampering of message by checking against source node's public key. This
> header also contains a TTL value that exists to prevent replay attacks
> (default is 5 seconds).
> Under very high load for increased periods of time, messages can start to
> expire, causing a spike in authorization errors. by trial and error,
> increasing the TTL value high enough seems to help the cluster get over the
> hump, but setting it too high will raise security concerns.
> This begs the question: is there any circumstance under which it is safe to
> disable the "header sign and check with TTL" mechanism. It seems that
> enabling inter-node encryption [1] can provide sufficient protection in
> transit so that the header approach would no longer be required.
> I am opening this ticket to gather feedback from the community. First, is
> this something that others have seen (heavy load can lead to 401s on
> inter-node requests). Second, is the approach to disable the PKI plugin
> sensible or would it cause more confusion and/or security troubles?
> [0]
> https://solr.apache.org/guide/solr/latest/deployment-guide/authentication-and-authorization-plugins.html#pkiauthenticationplugin
> [1]
> https://solr.apache.org/guide/solr/latest/deployment-guide/enabling-ssl.html
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
