Copilot commented on code in PR #4405:
URL: https://github.com/apache/solr/pull/4405#discussion_r3208133922
##########
solr/solr-ref-guide/modules/upgrade-notes/pages/major-changes-in-solr-10.adoc:
##########
@@ -49,6 +49,12 @@ The `blockUnknown` setting in the JWT Authentication plugin
now defaults to `tru
In Solr 10.0, the code default was `false` (pass-through), which contradicted
the reference guide documentation that described `true` as the default.
Users upgrading from 10.0 who relied on the pass-through behavior must
explicitly set `"blockUnknown": false` in their `security.json`.
+=== Security
+
+PKI Authentication v1 support has been removed.
+The system properties `solr.pki.sendVersion` and `solr.pki.acceptVersions` are
no longer recognized.
+Users upgrading should verify that these properties are not set, before
starting the upgrade.
Review Comment:
The upgrade note implies these system properties must be unset before
upgrading, but the preceding sentence says they’re “no longer recognized”
(i.e., ignored). Consider clarifying the guidance to avoid implying that
leaving them set would block startup/upgrade; e.g., state they can be removed
and will have no effect if still present.
##########
solr/core/src/test/org/apache/solr/security/TestPKIAuthenticationPlugin.java:
##########
@@ -197,20 +183,26 @@ PublicKey fetchPublicKeyFromRemote(String ignored) {
}
@Test
- public void testProtocolMismatch() throws Exception {
- System.setProperty(PKIAuthenticationPlugin.SEND_VERSION, "v1");
- System.setProperty(PKIAuthenticationPlugin.ACCEPT_VERSIONS, "v2");
- mock = new MockPKIAuthenticationPlugin(nodeName);
- mockMetrics(mock);
-
- principal.set(new SimplePrincipal("solr"));
- mock.solrRequestInfo = new SolrRequestInfo(solrQueryRequestBase, new
SolrQueryResponse());
- mockSetHeaderOnRequest();
+ public void testLegacyV1HeaderRejected() throws Exception {
+ // A request with only the legacy SolrAuth (v1) header and no SolrAuthV2
header should be
+ // rejected, since PKI v1 support has been removed.
+ HttpServletRequest legacyReq = mock(HttpServletRequest.class);
+ when(legacyReq.getHeader(any(String.class)))
+ .then(
+ invocation -> {
+ String headerName = invocation.getArgument(0);
+ // Return a non-null value for the old v1 header, null for v2
+ if ("SolrAuth".equals(headerName)) {
+ return "some-legacy-v1-value";
+ }
+ return null;
+ });
+ when(legacyReq.getRequestURI()).thenReturn("/collection1/select");
Review Comment:
This test sets a legacy v1 `SolrAuth` header value that is not a
valid/parseable v1 token, so it would still pass even if some future change
accidentally reintroduced v1 parsing (it could fail due to format rather than
because v1 is unsupported). To make the intent more robust, assert that the
plugin never calls `getHeader("SolrAuth")` (or otherwise explicitly asserts
that only `SolrAuthV2` is consulted).
##########
solr/solr-ref-guide/modules/deployment-guide/pages/authentication-and-authorization-plugins.adoc:
##########
@@ -211,8 +211,8 @@ They may do this through the so-called `HttpClientBuilder`
mechanism, or they ma
The `PKIAuthenticationPlugin` provides a built-in authentication mechanism
where each Solr node is a super user and is fully trusted by other Solr nodes
through the use of Public Key Infrastructure (PKI).
Each Authentication plugin may choose to delegate all or some inter-node
traffic to the PKI plugin.
-There are currently two versions of the PKI Authentication protocol available
in Solr. For each outgoing request `PKIAuthenticationPlugin` adds a special
header which carries the request timestamp and user principal.
-When a node receives a request with this special header, it will verify to
message using the corresponding source node's public key.
+For each outgoing request `PKIAuthenticationPlugin` adds a `SolrAuthV2` header
which contains: the source node name, user principal, request timestamp, and a
base64-encoded RSA signature.
+When a node receives a request with this header, it will verify the message
using the corresponding source node's public key.
Message validation is only attempted for incoming traffic from other Solr
nodes registered in ZooKeeper.
If the request passes PKI validation and the timestamp is less than 5 seconds
old, then the request will be trusted.
Review Comment:
This paragraph says requests are trusted only if the timestamp is “less than
5 seconds old”, but the default `pkiauth.ttl` is 10000ms (10 seconds) and the
example immediately below uses 10000ms as 10 seconds. Please reconcile the
stated default/threshold (either update the 5-second claim or explicitly tie it
to `pkiauth.ttl`).
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
