Hrishikesh Gadre commented on SOLR-9541:

Thanks for the feedback [~noble.paul], [~ichattopadhyaya] !

bq. AFAIK, with the kerberos plugin enabled, all internode communication is 
done via Kerberos. Every solr node has a server principal and a client 
principal. To have it use PKI, we might need to add the support.

No, that is not really needed. Just having support for kerberos in all cases 
(client/server and server/server) is sufficient. 

bq. What do you mean? The documentation says it clearly

Sorry, I missed that documentation section because it is in the basic 
authentication page, which I didn't go through (mostly because I am interested 
in kerberos integration and have no plans to use the basic auth). [~ctargett] 
Maybe we can add this information in the following page for better visibility?


I also reviewed the code again and now I think I understand the design better. 
BTW it looks like we initialize the PKIAuthenticationPlugin by default even 
when it is not used. Can we initialize PKIAuthenticationPlugin lazily (on an 
as-needed basis)? This will help us to avoid exposing an unsecured endpoint (to 
retrieve the public key) in case PKIAuthenticationPlugin is unused.

Any thoughts?

> Support configurable authentication mechanism for internode communication
> -------------------------------------------------------------------------
>                 Key: SOLR-9541
>                 URL: https://issues.apache.org/jira/browse/SOLR-9541
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>    Affects Versions: 5.3, 6.0
>            Reporter: Hrishikesh Gadre
> SOLR-7849 introduced PKI based authentication mechanism for internode 
> communication. The main reason for introducing SOLR-7849 was,
> >> Relying on every Authentication plugin to secure the internode 
> >> communication is error prone. 
> At Cloudera we are using Kerberos protocol for all communication without any 
> issues (i.e. between client/server as well as server/server). We should make 
> this internode authentication mechanism configurable (with default as PKI 
> based mechanism). This will allow users to decide the appropriate 
> authentication mechanism based on their security requirements.
