Posted to dev@lucene.apache.org by "Ishan Chattopadhyaya (JIRA)" <ji...@apache.org> on 2015/12/07 18:01:11 UTC

[jira] [Commented] (SOLR-8373) KerberosPlugin: Using multiple nodes on same machine leads clients to fetch TGT for every request

    [ https://issues.apache.org/jira/browse/SOLR-8373?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15045239#comment-15045239 ] 

Ishan Chattopadhyaya commented on SOLR-8373:
--------------------------------------------

It seems if ticket caching (credentials cache) isn't set up properly, ignoring cookies always (as in this patch) will have the client fetch the TGT from the KDC again. 

Since fetching the ticket from the KDC (or even the ticket cache) and sending it again and again isn't ideal, I am now looking to have a modified cookie spec implemented within the realms of HttpClient (which SolrJ depends on), which will restrict the cookies by host *and port*, since the standard cookie RFCs and the browsers are okay to share cookies for the same host across different applications running on different ports. This will allow multiple solr nodes on the same host to work properly without the clients going to the KDC (or even the ticket cache) for the tickets.

I shall post a patch for this approach in a while.

> KerberosPlugin: Using multiple nodes on same machine leads clients to fetch TGT for every request
> -------------------------------------------------------------------------------------------------
>
>                 Key: SOLR-8373
>                 URL: https://issues.apache.org/jira/browse/SOLR-8373
>             Project: Solr
>          Issue Type: Bug
>            Reporter: Ishan Chattopadhyaya
>            Assignee: Noble Paul
>            Priority: Critical
>         Attachments: SOLR-8373.patch
>
>
> Kerberized solr nodes accept negotiate/spnego/kerberos requests and process them. They also pass back to the client a cookie called "hadoop.auth" (which is currently unused, but will eventually be used for delegation tokens).
> If two or more nodes are on the same machine, they all send out cookies which have the same domain (hostname) and the same path, but different cookie values.
> Upon receipt at the client, if a cookie is rejected (which in this case it will be), the client compulsorily gets a *new* TGT from the KDC instead of reading the same ticket from the ticket cache. This is causing heavy traffic at the KDC, plus intermittent "Request is a replay" (which indicates a race condition at the KDC while handing out the TGT for the same principal).
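
Added example (not code from the issue, Solr or HttpClient): a toy model of the client-side cookie store that reproduces the failure mode in the description above and the host-and-port keying proposed in the comment. Hostnames, ports, cookie values and the nodes' accept/reject behaviour are constructed for the illustration.

```python
"""Why a cookie store keyed by host alone breaks two Kerberized nodes on one
machine, and why keying by host *and* port fixes it. Toy model, added here;
not SolrJ/HttpClient code."""

COOKIE_NAME = "hadoop.auth"   # cookie name from the issue description


class Node:
    """A server on (host, port). It issues its own cookie value and accepts
    only that value back; any other value is rejected and the client has to
    re-authenticate (in the real setup: SPNEGO round trip, new TGT)."""

    def __init__(self, host, port):
        self.host, self.port = host, port
        self.issued = "u=solr&sig=node%d" % port   # constructed, per node
        self.reauths = 0                           # rejected-cookie count

    def handle(self, cookie_value):
        if cookie_value != self.issued:
            self.reauths += 1        # cookie rejected -> client re-authenticates
        return self.issued           # Set-Cookie: hadoop.auth=<issued>; Path=/


class CookieStore:
    """One value per key; the port is part of the key only if port_aware."""

    def __init__(self, port_aware):
        self.port_aware = port_aware
        self.jar = {}

    def _key(self, host, port, path, name):
        return (host, port if self.port_aware else None, path, name)

    def store(self, host, port, path, name, value):
        self.jar[self._key(host, port, path, name)] = value

    def lookup(self, host, port, path, name):
        return self.jar.get(self._key(host, port, path, name))


def simulate(port_aware, requests=10):
    """Client alternates requests between two nodes on the same host.
    Returns {port: number of times that node rejected the cookie}."""
    nodes = [Node("localhost", 8983), Node("localhost", 7574)]
    store = CookieStore(port_aware)
    for i in range(requests):
        node = nodes[i % 2]
        sent = store.lookup(node.host, node.port, "/", COOKIE_NAME)
        value = node.handle(sent)
        store.store(node.host, node.port, "/", COOKIE_NAME, value)
    return {n.port: n.reauths for n in nodes}
```

With the host-only store every request is rejected because the last node's value overwrites the other's; with the port-aware store each node rejects only the very first request it sees.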


