[jira] [Commented] (SOLR-14223) PublicKeyHandler consumes a lot of entropy during tests

Thu, 06 Feb 2020 10:28:25 -0800 


    [ 
https://issues.apache.org/jira/browse/SOLR-14223?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17031847#comment-17031847
 ] 

Mike Drob commented on SOLR-14223:
----------------------------------

Based on [~rcmuir]'s suggestions, we can read a key from disk instead of 
generating a new one each time in our tests - this has the advantage of 
skipping the entropy consumption and also the expensive primality testing. PR 
is ready for final review if anybody is interested in taking a look.

> PublicKeyHandler consumes a lot of entropy during tests
> -------------------------------------------------------
>
>                 Key: SOLR-14223
>                 URL: https://issues.apache.org/jira/browse/SOLR-14223
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>    Affects Versions: 7.4, 8.0
>            Reporter: Mike Drob
>            Priority: Major
>          Time Spent: 1h 50m
>  Remaining Estimate: 0h
>
> After the changes in SOLR-12354 to eagerly create a {{PublicKeyHandler}} for 
> the CoreContainer, the creation of the underlying {{RSAKeyPair}} uses 
> {{SecureRandom}} to generate primes. This eats up a lot of system entropy and 
> can slow down tests significantly (I observed it adding 10s to an individual 
> test).
> Similar to what we do for SSL config for tests, we can swap in a non blocking 
> implementation of SecureRandom for the key pair generation to allow multiple 
> tests to run better in parallel. Primality testing with BigInteger is also 
> slow, so I'm not sure how much total speedup we can get here, maybe it's 
> worth checking if there are faster implementations out there in other 
> libraries.
> In production cases, this also blocks creation of all cores. We should only 
> create the Handler if necessary, i.e. if the existing authn/z tell us that 
> they won't support internode requests.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to