diff --git a/solr/core/src/java/org/apache/solr/security/PKIAuthenticationPlugin.java b/solr/core/src/java/org/apache/solr/security/PKIAuthenticationPlugin.java
index 845bf9341f..5ddc01e8db 100644
--- a/solr/core/src/java/org/apache/solr/security/PKIAuthenticationPlugin.java
+++ b/solr/core/src/java/org/apache/solr/security/PKIAuthenticationPlugin.java
@@ -58,6 +58,10 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import static java.nio.charset.StandardCharsets.UTF_8;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.Set;
+import static org.apache.solr.common.cloud.ZkStateReader.EXTERNAL_NODES;
 public class PKIAuthenticationPlugin extends AuthenticationPlugin implements HttpClientInterceptorPlugin {
 private static final Logger log = LoggerFactory.getLogger(MethodHandles.lookup().lookupClass());
@@ -194,7 +198,20 @@ public class PKIAuthenticationPlugin extends AuthenticationPlugin implements Htt
 }
 PublicKey getRemotePublicKey(String nodename) {
- if (!cores.getZkController().getZkStateReader().getClusterState().getLiveNodes().contains(nodename)) return null;
+ if (!cores.getZkController().getZkStateReader().getClusterState().getLiveNodes().contains(nodename)) {
+ // This isn't a native cluster member, check if it's a permitted remote member (CDCR, etc)
+ String externalNodeString = cores.getZkController().getZkStateReader().getClusterProperty(EXTERNAL_NODES, (String) null);
+ if (externalNodeString == null) {
+ // External node list is not set, so all nodes not in the liveNodes set are disallowed.
+ return null;
+ }
+ Set externalNodes = new HashSet<>(Arrays.asList(externalNodeString.split(",")));
+ if (!externalNodes.contains(nodename)) {
+ log.warn("Tried to fetch public key from unknown node {}", nodename);
+ return null;
+ }
+ log.debug("About to fetch public key from external node {}", nodename);
+ }
 String url = cores.getZkController().getZkStateReader().getBaseUrlForNodeName(nodename);
 try {
 String uri = url + PATH + "?wt=json&omitHeader=true";
diff --git a/solr/solrj/src/java/org/apache/solr/common/cloud/ZkStateReader.java b/solr/solrj/src/java/org/apache/solr/common/cloud/ZkStateReader.java
index 40411a1405..925333f703 100644
--- a/solr/solrj/src/java/org/apache/solr/common/cloud/ZkStateReader.java
+++ b/solr/solrj/src/java/org/apache/solr/common/cloud/ZkStateReader.java
@@ -105,6 +105,7 @@ public class ZkStateReader implements Closeable {
 public static final String LEGACY_CLOUD = "legacyCloud";
 public static final String URL_SCHEME = "urlScheme";
+ public static final String EXTERNAL_NODES = "externalNodes";
 /** A view of the current state of all collections; combines all the different state sources into a single view. */
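Review bot: The new branch in getRemotePublicKey makes every name in the `externalNodes` cluster property a trusted key source on the same footing as a live node, yet nothing in the hunk documents that or constrains how the key is then fetched. The key still comes from `getBaseUrlForNodeName(nodename)` just below, so for a node outside the cluster the trust rests on that property and on the transport; if the cluster's URL scheme is plain http (not visible here), a key fetched between sites could presumably be substituted in transit. I would add a comment above the property lookup such as `// externalNodes extends the PKI trust set: restrict who may set this cluster property and use https between clusters`. Separately, the entries from `split(",")` are compared untrimmed, so a value written as `nodeA, nodeB` (constructed example) silently rejects the second node; trimming each entry and dropping empty ones before building the set would avoid that. The method body continues past the end of the hunk.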
@@ -158,6 +159,7 @@ public class ZkStateReader implements Closeable {
 public static final Set KNOWN_CLUSTER_PROPS = unmodifiableSet(new HashSet<>(asList(
 LEGACY_CLOUD,
 URL_SCHEME,
+ EXTERNAL_NODES,
 AUTO_ADD_REPLICAS,
 CoreAdminParams.BACKUP_LOCATION,
 MAX_CORES_PER_NODE)));