[jira] [Commented] (SOLR-14158) package manager to read keys from packagestore and not ZK

2020-01-10 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/SOLR-14158?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17012773#comment-17012773
 ] 

ASF subversion and git services commented on SOLR-14158:


Commit 6fb085943c6e9c6f82db67c6ccfe641e64e1899e in lucene-solr's branch 
refs/heads/gradle-master from Ishan Chattopadhyaya
[ https://gitbox.apache.org/repos/asf?p=lucene-solr.git;h=6fb0859 ]

SOLR-14158: Package manager to read keys from package store, not ZK


> package manager to read keys from packagestore and not ZK 
> --
>
> Key: SOLR-14158
> URL: https://issues.apache.org/jira/browse/SOLR-14158
> Project: Solr
>  Issue Type: Bug
>  Security Level: Public(Default Security Level. Issues are Public) 
>  Components: packages
>Affects Versions: 8.4
>Reporter: Noble Paul
>Assignee: Noble Paul
>Priority: Blocker
>  Labels: packagemanager
> Fix For: 8.4.1
>
>  Time Spent: 1h
>  Remaining Estimate: 0h
>
> The security of the package system relies on securing ZK. It's much easier 
> for users to secure the file system than securing ZK.
> We provide an option to read public keys from file store.  
> This will
> * Have a special directory called {{_trusted_}} . Direct writes are forbidden 
> to that directory over http
>  * The CLI directly writes the keys to the 
> {{/filestore/_trusted_/keys/}} directory. Other nodes are asked to 
> fetch the public key files from that node
>  * Package artifacts will continue to be uploaded over http



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

-
To unsubscribe, e-mail: issues-unsubscr...@lucene.apache.org
For additional commands, e-mail: issues-h...@lucene.apache.org
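
Added example (not from the Jira thread or from Solr's code): the two controls the quoted issue description relies on, written out in Python. One function refuses HTTP writes whose path resolves into `_trusted_`, the other audits that the local `_trusted_/keys` directory is not writable by group or others. The function names, the `publisher.der` file name, the top-level-only rule and the permission policy are assumptions made for illustration.

```python
import os
import stat
import tempfile
from urllib.parse import unquote

TRUSTED_DIR = "_trusted_"  # directory name from the issue description


def is_forbidden_http_write(request_path):
    """True if an HTTP upload to this file-store path must be refused.
    Assumption: only the top-level _trusted_ directory is special. The path is
    percent-decoded once and normalised before the check, so "a/../_trusted_/x"
    and "%5Ftrusted%5F/x" are treated like "_trusted_/x".
    """
    decoded = unquote(request_path).replace("\\", "/")
    resolved = []
    for part in decoded.split("/"):
        if part == "..":
            if not resolved:
                return True  # climbs above the file-store root
            resolved.pop()
        elif part not in ("", "."):
            resolved.append(part)
    # casefold: a case-insensitive file system maps _TRUSTED_ to the same directory
    return bool(resolved) and resolved[0].casefold() == TRUSTED_DIR


def audit_trusted_keys(filestore_root):
    """Return findings for <root>/_trusted_/keys; an empty list means it passed."""
    trusted = os.path.join(filestore_root, TRUSTED_DIR)
    keys_dir = os.path.join(trusted, "keys")
    if not os.path.isdir(keys_dir):
        return [f"{keys_dir}: missing"]
    findings = []
    names = sorted(os.listdir(keys_dir))
    for path in [trusted, keys_dir] + [os.path.join(keys_dir, n) for n in names]:
        mode = os.lstat(path).st_mode
        if stat.S_ISLNK(mode):
            findings.append(f"{path}: symlink, the trust anchor can be redirected")
        elif mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{path}: writable by group or others")
    return findings


def demo():
    """Audit a constructed file store before and after a bad chmod."""
    with tempfile.TemporaryDirectory() as root:
        keys_dir = os.path.join(root, TRUSTED_DIR, "keys")
        os.makedirs(keys_dir)
        key = os.path.join(keys_dir, "publisher.der")  # constructed file name
        with open(key, "wb") as fh:
            fh.write(b"constructed placeholder, not a real key")
        for path, mode in ((os.path.dirname(keys_dir), 0o750), (keys_dir, 0o750), (key, 0o640)):
            os.chmod(path, mode)
        clean = audit_trusted_keys(root)
        os.chmod(key, 0o666)  # simulated misconfiguration
        return clean, audit_trusted_keys(root)


if __name__ == "__main__":
    for p in ("/mypkg/1.0/mypkg.jar", "/mypkg/../_trusted_/keys/evil.der"):
        print(p, "->", "refuse" if is_forbidden_http_write(p) else "allow")
    print(demo())
```
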



[jira] [Commented] (SOLR-14158) package manager to read keys from packagestore and not ZK

2020-01-09 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/SOLR-14158?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17012461#comment-17012461
 ] 

ASF subversion and git services commented on SOLR-14158:


Commit 832bf13dd9187095831caf69783179d41059d013 in lucene-solr's branch 
refs/heads/branch_8_4 from Ishan Chattopadhyaya
[ https://gitbox.apache.org/repos/asf?p=lucene-solr.git;h=832bf13 ]

SOLR-14158: Package manager to read keys from package store, not ZK


> package manager to read keys from packagestore and not ZK 
> --
>
> Key: SOLR-14158
> URL: https://issues.apache.org/jira/browse/SOLR-14158
> Project: Solr
>  Issue Type: Bug
>  Security Level: Public(Default Security Level. Issues are Public) 
>  Components: packages
>Affects Versions: 8.4
>Reporter: Noble Paul
>Assignee: Noble Paul
>Priority: Blocker
>  Labels: packagemanager
> Fix For: 8.4.1
>
>  Time Spent: 40m
>  Remaining Estimate: 0h
>
> The security of the package system relies on securing ZK. It's much easier 
> for users to secure the file system than securing ZK.
> We provide an option to read public keys from file store.  
> This will
> * Have a special directory called {{_trusted_}} . Direct writes are forbidden 
> to that directory over http
>  * The CLI directly writes the keys to the 
> {{/filestore/_trusted_/keys/}} directory. Other nodes are asked to 
> fetch the public key files from that node
>  * Package artifacts will continue to be uploaded over http






[jira] [Commented] (SOLR-14158) package manager to read keys from packagestore and not ZK

2020-01-09 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/SOLR-14158?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17012455#comment-17012455
 ] 

ASF subversion and git services commented on SOLR-14158:


Commit f701ffd8cfe32253b0431b2ae6b4c6c94a07450b in lucene-solr's branch 
refs/heads/branch_8x from Ishan Chattopadhyaya
[ https://gitbox.apache.org/repos/asf?p=lucene-solr.git;h=f701ffd ]

SOLR-14158: Package manager to read keys from package store, not ZK


> package manager to read keys from packagestore and not ZK 
> --
>
> Key: SOLR-14158
> URL: https://issues.apache.org/jira/browse/SOLR-14158
> Project: Solr
>  Issue Type: Bug
>  Security Level: Public(Default Security Level. Issues are Public) 
>  Components: packages
>Affects Versions: 8.4
>Reporter: Noble Paul
>Assignee: Noble Paul
>Priority: Blocker
>  Labels: packagemanager
> Fix For: 8.4.1
>
>  Time Spent: 40m
>  Remaining Estimate: 0h
>
> The security of the package system relies on securing ZK. It's much easier 
> for users to secure the file system than securing ZK.
> We provide an option to read public keys from file store.  
> This will
> * Have a special directory called {{_trusted_}} . Direct writes are forbidden 
> to that directory over http
>  * The CLI directly writes the keys to the 
> {{/filestore/_trusted_/keys/}} directory. Other nodes are asked to 
> fetch the public key files from that node
>  * Package artifacts will continue to be uploaded over http






[jira] [Commented] (SOLR-14158) package manager to read keys from packagestore and not ZK

2020-01-09 Thread ASF subversion and git services (Jira)


[ 
https://issues.apache.org/jira/browse/SOLR-14158?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17012452#comment-17012452
 ] 

ASF subversion and git services commented on SOLR-14158:


Commit 6fb085943c6e9c6f82db67c6ccfe641e64e1899e in lucene-solr's branch 
refs/heads/master from Ishan Chattopadhyaya
[ https://gitbox.apache.org/repos/asf?p=lucene-solr.git;h=6fb0859 ]

SOLR-14158: Package manager to read keys from package store, not ZK


> package manager to read keys from packagestore and not ZK 
> --
>
> Key: SOLR-14158
> URL: https://issues.apache.org/jira/browse/SOLR-14158
> Project: Solr
>  Issue Type: Bug
>  Security Level: Public(Default Security Level. Issues are Public) 
>  Components: packages
>Affects Versions: 8.4
>Reporter: Noble Paul
>Assignee: Noble Paul
>Priority: Blocker
>  Labels: packagemanager
> Fix For: 8.4.1
>
>  Time Spent: 40m
>  Remaining Estimate: 0h
>
> The security of the package system relies on securing ZK. It's much easier 
> for users to secure the file system than securing ZK.
> We provide an option to read public keys from file store.  
> This will
> * Have a special directory called {{_trusted_}} . Direct writes are forbidden 
> to that directory over http
>  * The CLI directly writes the keys to the 
> {{/filestore/_trusted_/keys/}} directory. Other nodes are asked to 
> fetch the public key files from that node
>  * Package artifacts will continue to be uploaded over http






[jira] [Commented] (SOLR-14158) package manager to read keys from packagestore and not ZK

2020-01-08 Thread Ishan Chattopadhyaya (Jira)


[ 
https://issues.apache.org/jira/browse/SOLR-14158?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17010679#comment-17010679
 ] 

Ishan Chattopadhyaya commented on SOLR-14158:
-

I'm planning to merge this soon. Please let me know if someone has any 
objections.

> package manager to read keys from packagestore and not ZK 
> --
>
> Key: SOLR-14158
> URL: https://issues.apache.org/jira/browse/SOLR-14158
> Project: Solr
>  Issue Type: Bug
>  Security Level: Public(Default Security Level. Issues are Public) 
>  Components: packages
>Affects Versions: 8.4
>Reporter: Noble Paul
>Assignee: Noble Paul
>Priority: Blocker
>  Labels: packagemanager
> Fix For: 8.4.1
>
>  Time Spent: 0.5h
>  Remaining Estimate: 0h
>
> The security of the package system relies on securing ZK. It's much easier 
> for users to secure the file system than securing ZK.
> We provide an option to read public keys from file store.  
> This will
> * Have a special directory called {{_trusted_}} . Direct writes are forbidden 
> to that directory over http
>  * The CLI directly writes the keys to the 
> {{/filestore/_trusted_/keys/}} directory. Other nodes are asked to 
> fetch the public key files from that node
>  * Package artifacts will continue to be uploaded over http






[jira] [Commented] (SOLR-14158) package manager to read keys from packagestore and not ZK

2020-01-06 Thread David Smiley (Jira)


[ 
https://issues.apache.org/jira/browse/SOLR-14158?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17008846#comment-17008846
 ] 

David Smiley commented on SOLR-14158:
-

This is perhaps a bigger issue that needs discussion on the dev list.  It gets 
at Solr's security posture and what assumptions we have about securing Solr.  
I'm for/against what's happening in the issue but just want more eyeballs on 
it.

> package manager to read keys from packagestore and not ZK 
> --
>
> Key: SOLR-14158
> URL: https://issues.apache.org/jira/browse/SOLR-14158
> Project: Solr
>  Issue Type: Bug
>  Security Level: Public(Default Security Level. Issues are Public) 
>  Components: packages
>Affects Versions: 8.4
>Reporter: Noble Paul
>Assignee: Noble Paul
>Priority: Blocker
>  Labels: packagemanager
> Fix For: 8.4.1
>
>
> The security of the package system relies on securing ZK. It's much easier 
> for users to secure the file system than securing ZK.
> We provide an option to read public keys from file store.  
> This will
> * Have a special directory called {{_trusted_}} . Direct writes are forbidden 
> to that directory over http
>  * The CLI directly writes the keys to the 
> {{/filestore/_trusted_/keys/}} directory. Other nodes are asked to 
> fetch the public key files from that node
>  * Package artifacts will continue to be uploaded over http






[jira] [Commented] (SOLR-14158) package manager to read keys from packagestore and not ZK

2020-01-06 Thread Noble Paul (Jira)


[ 
https://issues.apache.org/jira/browse/SOLR-14158?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17008760#comment-17008760
 ] 

Noble Paul commented on SOLR-14158:
---

The problem is anyone who uses this new feature will have a backward 
incompatible system that's insecure by nature.
The threat levels are much higher in this case. An attacker can run malicious 
code if ZK is compromised. We should not leave this hole open

> package manager to read keys from packagestore and not ZK 
> --
>
> Key: SOLR-14158
> URL: https://issues.apache.org/jira/browse/SOLR-14158
> Project: Solr
>  Issue Type: Bug
>  Security Level: Public(Default Security Level. Issues are Public) 
>  Components: packages
>Affects Versions: 8.4
>Reporter: Noble Paul
>Assignee: Noble Paul
>Priority: Blocker
>  Labels: packagemanager
> Fix For: 8.4.1
>
>
> The security of the package system relies on securing ZK. It's much easier 
> for users to secure the file system than securing ZK.
> We provide an option to read public keys from file store.  
> This will
> * Have a special directory called {{_trusted_}} . Direct writes are forbidden 
> to that directory over http
>  * The CLI directly writes the keys to the 
> {{/filestore/_trusted_/keys/}} directory. Other nodes are asked to 
> fetch the public key files from that node
>  * Package artifacts will continue to be uploaded over http






[jira] [Commented] (SOLR-14158) package manager to read keys from packagestore and not ZK

2020-01-06 Thread Jan Høydahl (Jira)


[ 
https://issues.apache.org/jira/browse/SOLR-14158?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17008755#comment-17008755
 ] 

Jan Høydahl commented on SOLR-14158:


This should go in 8.5 and not be a blocker. It has ALWAYS been the case that a 
production Solr cluster needs a secure Zookeeper one way or another. Nothing 
has changed here.

> package manager to read keys from packagestore and not ZK 
> --
>
> Key: SOLR-14158
> URL: https://issues.apache.org/jira/browse/SOLR-14158
> Project: Solr
>  Issue Type: Bug
>  Security Level: Public(Default Security Level. Issues are Public) 
>  Components: packages
>Affects Versions: 8.4
>Reporter: Noble Paul
>Assignee: Noble Paul
>Priority: Blocker
>  Labels: packagemanager
> Fix For: 8.4.1
>
>
> The security of the package system relies on securing ZK. It's much easier 
> for users to secure the file system than securing ZK.
> We provide an option to read public keys from file store.  
> This will
> * Have a special directory called {{_trusted_}} . Direct writes are forbidden 
> to that directory over http
>  * The CLI directly writes the keys to the 
> {{/filestore/_trusted_/keys/}} directory. Other nodes are asked to 
> fetch the public key files from that node
>  * Package artifacts will continue to be uploaded over http






[jira] [Commented] (SOLR-14158) package manager to read keys from packagestore and not ZK

2020-01-05 Thread Noble Paul (Jira)


[ 
https://issues.apache.org/jira/browse/SOLR-14158?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17008467#comment-17008467
 ] 

Noble Paul commented on SOLR-14158:
---

I agree with you [~ichattopadhyaya]. Storing keys in ZK makes this feature 
vulnerable. 
* People do not know how to secure their ZK properly. However, most ops people 
know how to secure their file system. 
* Any security vulnerability in ZK in the future will result in Solr being 
vulnerable as well. At that point, our only choice will be to totally disable 
this feature. We cannot make Solr rely on the security of some other system

> package manager to read keys from packagestore and not ZK 
> --
>
> Key: SOLR-14158
> URL: https://issues.apache.org/jira/browse/SOLR-14158
> Project: Solr
>  Issue Type: Bug
>  Security Level: Public(Default Security Level. Issues are Public) 
>  Components: packages
>Reporter: Noble Paul
>Assignee: Noble Paul
>Priority: Major
>  Labels: packagemanager
>
> The security of the package system relies on securing ZK. It's much easier 
> for users to secure the file system than securing ZK.
> We provide an option to read public keys from file store.  
> This will
> * Have a special directory called {{_trusted_}} . Direct writes are forbidden 
> to that directory over http
>  * The CLI directly writes the keys to the 
> {{/filestore/_trusted_/keys/}} directory. Other nodes are asked to 
> fetch the public key files from that node
>  * Package artifacts will continue to be uploaded over http






[jira] [Commented] (SOLR-14158) package manager to read keys from packagestore and not ZK

2020-01-03 Thread Ishan Chattopadhyaya (Jira)


[ 
https://issues.apache.org/jira/browse/SOLR-14158?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17007910#comment-17007910
 ] 

Ishan Chattopadhyaya commented on SOLR-14158:
-

I think this option should be the default. Also, I think we should remove the 
ZK keys option as it is not secure and supporting it (even with a flag) might 
lead to confusion for the user.

> package manager to read keys from packagestore and not ZK 
> --
>
> Key: SOLR-14158
> URL: https://issues.apache.org/jira/browse/SOLR-14158
> Project: Solr
>  Issue Type: Bug
>  Security Level: Public(Default Security Level. Issues are Public) 
>  Components: packages
>Reporter: Noble Paul
>Assignee: Noble Paul
>Priority: Major
>  Labels: packagemanager
>
> The security of the package system relies on securing ZK. It's much easier 
> for users to secure the file system than securing ZK.
> We provide an option to read public keys from file store.  The default 
> behavior will be to read from ZK 
> The nodes must be started with {{-Dpkg.keys=filestore}}
> This will
>  * disable the remote {{PUT /api/cluster/files}} 
>  * The CLI will directly write the keys to the 
> {{/filestore/_trusted_keys/}} dir
>  * The CLI directly writes the package artifacts to the local Solr and asks 
> other nodes to fetch from this node. Nobody can upload executable jars over a 
> remote call
>  * Keys stored in ZK will not be used or trusted. So nobody can attack the 
> cluster by publishing a malicious key into Solr






[jira] [Commented] (SOLR-14158) package manager to read keys from packagestore and not ZK

2020-01-02 Thread Noble Paul (Jira)


[ 
https://issues.apache.org/jira/browse/SOLR-14158?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17007148#comment-17007148
 ] 

Noble Paul commented on SOLR-14158:
---

Sorry, this was supposed to be an opt-in feature. We are not eliminating the ZK 
option. In fact, this will be an alternate

> package manager to read keys from packagestore and not ZK 
> --
>
> Key: SOLR-14158
> URL: https://issues.apache.org/jira/browse/SOLR-14158
> Project: Solr
>  Issue Type: Bug
>  Security Level: Public(Default Security Level. Issues are Public) 
>  Components: packages
>Reporter: Noble Paul
>Assignee: Noble Paul
>Priority: Major
>  Labels: packagemanager
>
> The security of the package system relies on securing ZK. It's much easier 
> for users to secure the file system than securing ZK.
> We provide an option to read public keys from file store.  The default 
> behavior will be to read from ZK 
> The nodes must be started with {{-Dpkg.keys=filestore}}
> This will
>  * disable the remote {{PUT /api/cluster/files}} 
>  * The CLI will directly write the keys to the 
> {{/filestore/_trusted_keys/}} dir
>  * The CLI directly writes the package artifacts to the local Solr and asks 
> other nodes to fetch from this node. Nobody can upload executable jars over a 
> remote call
>  * Keys stored in ZK will not be used or trusted. So nobody can attack the 
> cluster by publishing a malicious key into Solr






[jira] [Commented] (SOLR-14158) package manager to read keys from packagestore and not ZK

2020-01-02 Thread David Smiley (Jira)


[ 
https://issues.apache.org/jira/browse/SOLR-14158?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17007103#comment-17007103
 ] 

David Smiley commented on SOLR-14158:
-

Ideally abstractions are in place that allow both.  I'm not sure we should be 
forcing people to use the File Store _yet_.  It's very new.

> package manager to read keys from packagestore and not ZK 
> --
>
> Key: SOLR-14158
> URL: https://issues.apache.org/jira/browse/SOLR-14158
> Project: Solr
>  Issue Type: Bug
>  Security Level: Public(Default Security Level. Issues are Public) 
>  Components: packages
>Reporter: Noble Paul
>Assignee: Noble Paul
>Priority: Major
>  Labels: packagemanager
>
> The security of the package system relies on securing ZK. It's much easier 
> for users to secure the file system than securing ZK.
> This will 
> * disable the remote {{PUT /api/cluster/files}} by default
> * The CLI will directly write the keys to the 
> {{/filestore/_trusted_keys/}} dir 
> * The CLI directly writes the package artifacts to the local Solr and asks 
> other nodes to fetch from this node. Nobody can upload executable jars over a 
> remote call
> * Keys stored in ZK will not be used or trusted. So nobody can attack the 
> cluster by publishing a malicious key into Solr


