[
https://issues.apache.org/jira/browse/SOLR-15388?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Mayya Sharipova updated SOLR-15388:
-----------------------------------
Security: (was: Public)
> PKIAuthenticationPlugin intercepts every outgoing requests not just
> inter-nodes
> --------------------------------------------------------------------------------
>
> Key: SOLR-15388
> URL: https://issues.apache.org/jira/browse/SOLR-15388
> Project: Solr
> Issue Type: Bug
> Components: Authentication
> Affects Versions: 8.8.2
> Environment: Solr
> Kerberos
> Ranger
> Reporter: Geza Nagy
> Priority: Major
> Attachments: SOLR-15388_Check_if_request_is_really_inter-node.patch
>
>
> PKIAuthentication plugin's HttpHeaderClientInterceptor runs process and auth
> plugin's interceptInternodeRequest method on every outgoing request, which is
> not necessarily an internode request.
> Use case:
> Solr is authorized with Ranger and sends audit logs to another Solr, and the
> required authentication method is Kerberos. In this case the
> HttpHeaderClientInterceptor still intercepts the request, although it goes to
> another Solr, and puts the Solr user into the SolrAuth header. This forces
> the other Solr to handle it with the PKIAuthentication plugin, which will end
> in a PKIException:
> {code}
> 2021-03-19 07:39:07.027 WARN (qtp1961002599-9199) [ ]
> o.a.s.s.PKIAuthenticationPlugin Failed to decrypt header, trying after
> refreshing the key
> 2021-03-19 07:39:07.027 ERROR (qtp1961002599-9199) [ ]
> o.a.s.s.PKIAuthenticationPlugin Decryption failed , key must be wrong =>
> java.security.InvalidKeyException: No installed provider supports this key:
> (null)
> {code}
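
The report above describes the SolrAuth header being attached to a request bound for a different Solr. As an added example (not Solr's code and not the attached patch), this self-contained Java model contrasts that behaviour with a check that only attaches the header when the target is a known node of the same cluster. The class name, method names, node list and URLs are assumptions constructed for illustration.

```java
import java.net.URI;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

// Illustrative model only: InternodeHeaderGate and its methods are hypothetical
// names, not Solr classes and not the patch attached to the issue.
public class InternodeHeaderGate {
    private final Set<String> clusterNodes; // "host:port" of this cluster's nodes (constructed)

    InternodeHeaderGate(Set<String> clusterNodes) { this.clusterNodes = clusterNodes; }

    // Normalise a target URI to lower-case "host:port", filling in the scheme's default port.
    static String authority(URI target) {
        int port = target.getPort();
        if (port == -1) port = "https".equalsIgnoreCase(target.getScheme()) ? 443 : 80;
        return target.getHost().toLowerCase(Locale.ROOT) + ":" + port;
    }

    boolean isInternode(URI target) {
        return target.getHost() != null && clusterNodes.contains(authority(target));
    }

    // Behaviour described in the report: the header is added to every outgoing request.
    Map<String, String> interceptAll(URI target, String pkiHeaderValue) {
        Map<String, String> headers = new LinkedHashMap<>();
        headers.put("SolrAuth", pkiHeaderValue);
        return headers;
    }

    // Gated behaviour: only requests to a known cluster node carry the header.
    Map<String, String> interceptGated(URI target, String pkiHeaderValue) {
        Map<String, String> headers = new LinkedHashMap<>();
        if (isInternode(target)) headers.put("SolrAuth", pkiHeaderValue);
        return headers;
    }

    public static void main(String[] args) {
        InternodeHeaderGate gate =
            new InternodeHeaderGate(Set.of("solr-a.example:8983", "solr-b.example:8983"));
        URI peer = URI.create("http://SOLR-B.example:8983/solr/coll/select");
        URI audit = URI.create("https://audit-solr.example:8985/solr/ranger_audits/update");
        for (URI u : new URI[] {peer, audit}) {
            System.out.println(u.getHost()
                + " all=" + gate.interceptAll(u, "<pki-token>").keySet()
                + " gated=" + gate.interceptGated(u, "<pki-token>").keySet());
        }
    }
}
```

In the gated variant the request to the constructed audit host leaves without a SolrAuth header, so the receiving Solr can apply its own configured authentication instead of attempting PKI decryption.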