Thanks. Solr uses Zk 3.4.x with no support for TLS. Zk communication is over low level binary TCP. I’m aware that if/when we get 3.5.x support we should deploy SSL.
My question is, how do folks secure their current zk and is there a way to circumvent the lack of SSL? I don't care if people can read the traffic but I do care if the auth credentials can easily be sniffed and replayed, thus enabling write access to zk, which lets you disable all Solr security.

Jan

> On 16 Sep 2018, at 22:45, Christopher Schultz <ch...@christopherschultz.net> wrote:
>
> Jan,
>
>> On 9/16/18 16:22, Jan Høydahl wrote:
>> We plan to enable (digest) authentication and ACL with Zookeeper to
>> improve security.
>
> Can you be more explicit? There is HTTP DIGEST auth and then there are
> "digested" (hashed) passwords for the user-database. The former is
> secure on the wire and the other one is wire-agnostic.
>
>> However, we have not been able to answer the question of how secure
>> such a setup will be, given that ZK 3.4.x TCP communication is
>> unencrypted.
>>
>> So, do anyone know if ZK sends the password in cleartext over the
>> network, so that anyone who can sniff the network can also pick up
>> the password, and connect and read/write nodes in ZK?
>>
>> We'll of course add all the firewall and IP filtering we can. Do
>> you have any other tricks you use to increase ZK security?
>
> I'm not using ZK (yet) so this may be supremely ignorant since I don't
> know what protocol it uses to communicate: I would recommend using
> mutual-TLS authentication everywhere. I have just deployed such a
> system (single-node, no cluster/ZK) and all of the communication for
> both admin and querying are over client-authenticated TLS.
>
> Even if an attacker gets onto the box where Solr is running, they
> cannot attack it without also breaking filesystem privileges or
> exploiting the users who have access to the Solr client key stores.
>
> (I just did a little Googling and it looks like only ZK 3.5+ has TLS
> available. At any rate, that should be your target for the future if
> you really want a secure environment.)
>
> -chris
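An added example, not code from the thread or from ZooKeeper itself, that mirrors what ZooKeeper's digest scheme does with a credential: the ACL stores only `user:base64(SHA-1("user:password"))`, but the `addauth` request carries the raw `user:password` in its auth buffer, which is exactly what a network observer on an unencrypted 3.4.x connection would see. The credential `solr:s3cret` is a constructed sample.

```python
import base64
import hashlib
import hmac
import struct


def generate_digest(id_password: str) -> str:
    """Mirror of DigestAuthenticationProvider.generateDigest():
    "user:password" -> "user:" + base64(SHA-1("user:password")).
    This is the identity stored in a digest ACL, not what the client sends."""
    user = id_password.split(":", 1)[0]
    digest = hashlib.sha1(id_password.encode("utf-8")).digest()
    return user + ":" + base64.b64encode(digest).decode("ascii")


def acl_entry(id_password: str, perms: str = "cdrwa") -> str:
    """ACL string in the form setAcl accepts: digest:<id>:<perms>."""
    return "digest:" + generate_digest(id_password) + ":" + perms


def server_accepts(stored_acl_id: str, presented_id_password: str) -> bool:
    """Server-side check: recompute the digest from the cleartext credential
    received in addauth and compare it to the stored ACL identity."""
    return hmac.compare_digest(stored_acl_id, generate_digest(presented_id_password))


def addauth_wire_payload(id_password: str) -> bytes:
    """Jute encoding of the AuthPacket body (int type=0, ustring scheme,
    buffer auth). For the digest scheme the auth buffer is the raw
    "user:password", so without TLS it is readable in a packet capture."""
    scheme = b"digest"
    auth = id_password.encode("utf-8")
    return (struct.pack(">i", 0)
            + struct.pack(">i", len(scheme)) + scheme
            + struct.pack(">i", len(auth)) + auth)


if __name__ == "__main__":
    cred = "solr:s3cret"  # constructed sample credential
    print("ACL to set  :", acl_entry(cred))
    print("On the wire :", addauth_wire_payload(cred))
```

The takeaway for the question in the thread: the hashed ACL id protects the password at rest in ZooKeeper, but a replay of the captured `addauth` payload is sufficient to authenticate, which is why the firewalling and IP filtering mentioned above (and TLS once 3.5.x is available) are the controls that matter.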