Geza Nagy created SOLR-15388:
--------------------------------
Summary: PKIAuthenticationPlugin intercepts every outgoing
requests not just inter-nodes
Key: SOLR-15388
URL: https://issues.apache.org/jira/browse/SOLR-15388
Project: Solr
Issue Type: Bug
Security Level: Public (Default Security Level. Issues are Public)
Components: Authentication
Affects Versions: 8.8.2
Environment: Solr
Kerberos
Ranger
Reporter: Geza Nagy
The PKIAuthentication plugin's HttpHeaderClientInterceptor runs process and the
auth plugin's interceptInternodeRequest method on every outgoing request, which
is not necessarily an internode request.
Use case:
Solr is authorized with Ranger and sends audit logs to another Solr. The
required authentication method is Kerberos. In this case the
HttpHeaderClientInterceptor still intercepts the request, although it goes to
another Solr, and puts the Solr user into the SolrAuth header. This forces
the other Solr to handle it with the PKIAuthentication plugin, which ends in
a PKIException:
{code}
2021-03-19 07:39:07.027 WARN (qtp1961002599-9199) [ ] o.a.s.s.PKIAuthenticationPlugin Failed to decrypt header, trying after refreshing the key
2021-03-19 07:39:07.027 ERROR (qtp1961002599-9199) [ ] o.a.s.s.PKIAuthenticationPlugin Decryption failed , key must be wrong => java.security.InvalidKeyException: No installed provider supports this key: (null)
{code}
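The scoping problem described in the report, as an added illustration that is not Solr's code and not the project's fix: one interceptor stamps the SolrAuth header on every outgoing request, the other only when the target is a member of the local cluster. The class, method names, host names and token value are hypothetical, and cluster membership is assumed to be available as a set of host:port strings.

```java
import java.net.URI;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

// Illustration only: hypothetical names, not Solr classes.
public class ScopedInternodeHeader {
    // Constructed sample: host:port of the nodes in the local cluster.
    static final Set<String> CLUSTER_NODES =
        Set.of("solr1.example.com:8983", "solr2.example.com:8983");

    // True only when the target authority is a known node of this cluster.
    static boolean isInternode(URI target, Set<String> clusterNodes) {
        if (target.getHost() == null) return false;
        int port = target.getPort();
        if (port == -1) port = "https".equalsIgnoreCase(target.getScheme()) ? 443 : 80;
        return clusterNodes.contains(target.getHost().toLowerCase(Locale.ROOT) + ":" + port);
    }

    // Behaviour described in the report: the target is ignored, every request gets the header.
    static Map<String, String> interceptAll(URI target, String nodeToken) {
        Map<String, String> headers = new LinkedHashMap<>();
        headers.put("SolrAuth", nodeToken);
        return headers;
    }

    // Scoped variant: external targets keep whatever auth the caller configured (e.g. Kerberos).
    static Map<String, String> interceptScoped(URI target, String nodeToken, Set<String> nodes) {
        Map<String, String> headers = new LinkedHashMap<>();
        if (isInternode(target, nodes)) headers.put("SolrAuth", nodeToken);
        return headers;
    }

    public static void main(String[] args) {
        String token = "PLACEHOLDER-NODE-TOKEN"; // constructed value, not a real header payload
        URI peer = URI.create("http://solr1.example.com:8983/solr/c1/select");
        URI audit = URI.create("https://audit-solr.example.net:8985/solr/audit/update");
        for (URI u : new URI[] {peer, audit}) {
            System.out.println(u.getHost()
                + " unscoped=" + interceptAll(u, token).keySet()
                + " scoped=" + interceptScoped(u, token, CLUSTER_NODES).keySet());
        }
    }
}
```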