[jira] [Updated] (SOLR-16551) Provide a way to disable the PKIAuthenticationPlugin TTL verification

Thu, 19 Jan 2023 15:16:21 -0800 


     [ 
https://issues.apache.org/jira/browse/SOLR-16551?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Alex Deparvu updated SOLR-16551:
--------------------------------
    Summary: Provide a way to disable the PKIAuthenticationPlugin TTL 
verification  (was: Provide a way to disable the PKIAuthenticationPlugin)

> Provide a way to disable the PKIAuthenticationPlugin TTL verification
> ---------------------------------------------------------------------
>
>                 Key: SOLR-16551
>                 URL: https://issues.apache.org/jira/browse/SOLR-16551
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: Authentication
>    Affects Versions: 8.6.3
>            Reporter: Alex Deparvu
>            Priority: Minor
>
> The PKIAuthenticationPlugin [0] plugin will secure inter-node communication 
> by injecting a custom header that will allow any destination node to verify 
> tampering of message by checking against source node's public key. This 
> header also contains a TTL value that exists to prevent replay attacks 
> (default is 5 seconds).
> Under very high load for increased periods of time, messages can start to 
> expire, causing a spike in authorization errors. by trial and error, 
> increasing the TTL value high enough seems to help the cluster get over the 
> hump but it potentially only pushes the problem a bit futher ahead. Enabling 
> inter-node encryption [1] can provide sufficient protection in transit so 
> that the TTL check could be skipped.
> I am proposing to introduce a new system property that will allow disabling 
> of the TTL check only ("pkiauth.disableTTLVerification" name open to 
> suggestions).
> Note. The original description of this ticket has changed. based on the 
> discussion below I have reduced the scope to introducing a system property as 
> needed, off by default.
> [0] 
> https://solr.apache.org/guide/solr/latest/deployment-guide/authentication-and-authorization-plugins.html#pkiauthenticationplugin
> [1] 
> https://solr.apache.org/guide/solr/latest/deployment-guide/enabling-ssl.html



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to