Posted to issues@solr.apache.org by "Jason Gerlowski (Jira)" <ji...@apache.org> on 2023/03/27 16:18:00 UTC

[jira] [Commented] (SOLR-16720) PKI should decorate outgoing requests at "sending", not "enqueueing" time

    [ https://issues.apache.org/jira/browse/SOLR-16720?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17705431#comment-17705431 ] 

Jason Gerlowski commented on SOLR-16720:
----------------------------------------

The biggest challenge for this change, I think, is finding if there's a good way to test it.

The problem is pretty theoretical without a heavy load profile.  To ease manual reproduction, I've attached a patch that simulates this load with a Thread.sleep, and a script that can be used to reproduce.

Detecting this in an automated test, though, will be difficult - Solr doesn't offer any way to wire up or customize the PKI plugin in a running Solr (nor would it be smart to add one due to the security risks).  So if this is a change we want to go forward with, we might have to settle for relying on existing testing.  (At least, unless someone thinks of something clever!)

> PKI should decorate outgoing requests at "sending", not "enqueueing" time
> -------------------------------------------------------------------------
>
>                 Key: SOLR-16720
>                 URL: https://issues.apache.org/jira/browse/SOLR-16720
>             Project: Solr
>          Issue Type: Improvement
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: Authentication
>    Affects Versions: 9.2
>            Reporter: Jason Gerlowski
>            Priority: Minor
>
> Currently, PKIAuthenticationPlugin decorates intra-node requests using an 'onQueue' lifecycle hook, which is triggered when the request is enqueued for processing by the (asynchronous) Jetty http client.
> This works great on many systems.  However, on heavily loaded clusters the time between Jetty "queueing" the request and it actually being sent out can be non-negligible.  If this gap becomes wide enough, the TTL encoded into the PKI auth header might have substantially or fully expired by the time the receiving node gets the request.
> We should experiment with moving PKI header decoration to the 'onBegin' hook instead, which fires much closer to the actual request-send time on heavily loaded servers.



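The timing problem described in the issue, as an added example that is not part of the original message and is not Solr's code: a deterministic model of a timestamped, signed auth header stamped either when the request is enqueued or when sending begins, then checked against a TTL by the receiver. The key, the 5000 ms TTL, the 20 ms network time, the HMAC (standing in for the PKI signature) and all function names are assumptions made for the illustration.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"  # constructed stand-in, not how Solr manages keys
TTL_MS = 5000                  # assumed validity window, not Solr's configured value


def make_header(now_ms):
    """Stamp the given time and sign it (HMAC stands in for the PKI signature)."""
    ts = str(now_ms)
    sig = hmac.new(KEY, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}:{sig}"


def receiver_accepts(header, now_ms):
    """Receiving node: verify the signature, then reject stamps older than the TTL."""
    ts, sig = header.split(":")
    expected = hmac.new(KEY, ts.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False
    return now_ms - int(ts) <= TTL_MS


def send(hook, queue_delay_ms, network_ms=20):
    """Model one request: enqueue at t=0, wait in the queue, begin sending, arrive."""
    enqueued_at = 0
    begin_at = enqueued_at + queue_delay_ms   # time spent queued under load
    arrives_at = begin_at + network_ms
    stamped_at = enqueued_at if hook == "enqueue" else begin_at
    return receiver_accepts(make_header(stamped_at), arrives_at)


def compare(queue_delays_ms):
    """Return {delay: (accepted_if_stamped_at_enqueue, accepted_if_stamped_at_begin)}."""
    return {d: (send("enqueue", d), send("begin", d)) for d in queue_delays_ms}


if __name__ == "__main__":
    for delay, (at_enqueue, at_begin) in compare([0, 1000, 4990, 8000]).items():
        print(f"queue delay {delay:>5} ms  enqueue={at_enqueue}  begin={at_begin}")
```

With the enqueue-time stamp, the queue delay counts against the TTL, so a valid request is rejected once the delay plus network time exceeds it; the begin-time stamp only has to survive the network time.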