Date: Wed, 5 Aug 2015 14:00:09 +0000 (UTC)
From: "ASF subversion and git services (JIRA)"
To: dev@lucene.apache.org
Subject: [jira] [Commented] (SOLR-7849) Secure Inter-node communication in a standard mechanism

[ https://issues.apache.org/jira/browse/SOLR-7849?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14658249#comment-14658249 ]

ASF subversion and git services commented on SOLR-7849:
-------------------------------------------------------

Commit 1694217 from [~noble.paul] in branch 'dev/trunk'
[ https://svn.apache.org/r1694217 ]

SOLR-7849: Solr-managed inter-node authentication when authentication enabled

> Secure Inter-node communication in a standard mechanism
> --------------------------------------------------------
>
>                 Key: SOLR-7849
>                 URL: https://issues.apache.org/jira/browse/SOLR-7849
>             Project: Solr
>          Issue Type: Sub-task
>            Reporter: Noble Paul
>            Assignee: Noble Paul
>         Attachments: SOLR-7849.patch, SOLR-7849.patch, SOLR-7849.patch, SOLR-7849.patch
>
>
> Relying on every Authentication plugin to secure the internode communication is error-prone. Solr can standardize the authentication so that only the first request that comes from outside the cluster needs to be authenticated by the authentication plugin.
> The scheme to protect the communication will be as follows:
> * Every Solr node creates an RSA key pair
> * The private key is kept private and the public key is made available through a core admin API
> * If authentication is enabled, every outgoing request will carry an extra header {{ SolrAuth : encrypt_with_pvt_key( ) }}
> * If authentication is enabled, {{SolrDispatchFilter}} would look for this header and see the nodename
> ** If the public key of the nodename is available in cache, make a request to the node and fetch the public key
> ** If the public key has changed (because of a server restart), decryption fails and the public key is fetched again
> * If the decryption succeeds, the user-name is set to what the header has encoded
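
The receiver-side flow from the quoted scheme (key cache, fetch on a miss, one refetch when decryption fails), as an added Java example that is not part of the original message and is not Solr's code. The `Node` class, the in-memory `cluster` map standing in for the core admin API, the node name, and the header layout `<nodename> <base64 ciphertext>` carrying only the user name are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.crypto.Cipher;
public class InterNodeAuthDemo {
    static final Map<String, Node> cluster = new HashMap<>();       // stands in for the network
    static final Map<String, PublicKey> keyCache = new HashMap<>(); // receiver-side key cache

    static class Node {                          // hypothetical stand-in for a Solr node
        final String name; KeyPair keys;
        Node(String name) throws Exception { this.name = name; restart(); }
        void restart() throws Exception {        // a restart produces a fresh key pair
            KeyPairGenerator g = KeyPairGenerator.getInstance("RSA");
            g.initialize(2048); keys = g.generateKeyPair();
        }
        String header(String user) throws Exception { // assumed layout: "<nodename> <base64>"
            Cipher c = Cipher.getInstance("RSA/ECB/PKCS1Padding");
            c.init(Cipher.ENCRYPT_MODE, keys.getPrivate());
            byte[] ct = c.doFinal(user.getBytes(StandardCharsets.UTF_8));
            return name + " " + Base64.getEncoder().encodeToString(ct);
        }
    }
    static PublicKey fetchKey(String node) {     // stands in for the core admin API call
        return cluster.containsKey(node) ? cluster.get(node).keys.getPublic() : null;
    }
    static String decrypt(PublicKey k, String b64) {
        try {
            Cipher c = Cipher.getInstance("RSA/ECB/PKCS1Padding");
            c.init(Cipher.DECRYPT_MODE, k);
            return new String(c.doFinal(Base64.getDecoder().decode(b64)), StandardCharsets.UTF_8);
        } catch (GeneralSecurityException | IllegalArgumentException e) { return null; }
    }
    static String verify(String header) {        // user name, or null to reject the request
        String[] p = header.split(" ", 2);
        if (p.length != 2) return null;
        PublicKey k = keyCache.computeIfAbsent(p[0], InterNodeAuthDemo::fetchKey);
        String user = k == null ? null : decrypt(k, p[1]);
        if (k != null && user == null && (k = fetchKey(p[0])) != null) { // stale key: refetch once
            keyCache.put(p[0], k);
            user = decrypt(k, p[1]);
        }
        return user;
    }
    public static void main(String[] args) throws Exception {
        Node n1 = new Node("node1"); cluster.put(n1.name, n1);   // constructed sample node
        System.out.println(verify(n1.header("alice")));  // first contact: cache miss
        n1.restart();
        System.out.println(verify(n1.header("alice")));  // after restart: cached key is stale
        System.out.println(verify(new Node("node1").header("admin"))); // key never published by node1
    }
}
```

The demo payload carries no freshness value, so a captured header would verify again until the sender's key changes.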