Posted to dev@lucene.apache.org by "Ishan Chattopadhyaya (JIRA)" <ji...@apache.org> on 2015/12/07 23:47:11 UTC

[jira] [Comment Edited] (SOLR-8373) KerberosPlugin: Using multiple nodes on same machine leads clients to fetch TGT for every request

    [ https://issues.apache.org/jira/browse/SOLR-8373?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15045877#comment-15045877 ] 

Ishan Chattopadhyaya edited comment on SOLR-8373 at 12/7/15 10:46 PM:
----------------------------------------------------------------------

Updated patch.

# All authentication plugins are CoreContainer aware. This was needed for letting the plugin know the port number on which Solr was started.
# Introduces a new startup parameter, {{solr.kerberos.cookie.portaware=true}}. When using SolrCloud, and this parameter is true, the cookies use both the host and the port to identify the domain. This should be enabled only on hosts where more than one Solr node needs to be set up. This can go in the {{bin/solr.in.sh}}.



was (Author: ichattopadhyaya):
Updated patch.

# All authentication plugins are CoreContainer aware. This was needed for letting the plugin know the port number on which Solr was started.
# Introduces a new startup parameter, {{solr.kerberos.cookie.portaware=true}}. When using SolrCloud, and this parameter is true, the cookies use both the host and the port to identify the domain. This should be enabled only on hosts where more than one Solr node needs to be set up.


> KerberosPlugin: Using multiple nodes on same machine leads clients to fetch TGT for every request
> -------------------------------------------------------------------------------------------------
>
>                 Key: SOLR-8373
>                 URL: https://issues.apache.org/jira/browse/SOLR-8373
>             Project: Solr
>          Issue Type: Bug
>            Reporter: Ishan Chattopadhyaya
>            Assignee: Noble Paul
>            Priority: Critical
>         Attachments: SOLR-8373.patch, SOLR-8373.patch, SOLR-8373.patch
>
>
> Kerberized Solr nodes accept negotiate/spnego/kerberos requests and process them. They also pass back to the client a cookie called "hadoop.auth" (which is currently unused, but will eventually be used for delegation tokens).
> If two or more nodes are on the same machine, they all send out cookies which have the same domain (hostname) and same path, but different cookie values.
> Upon receipt at the client, if a cookie is rejected (which in this case it will be), the client compulsorily gets a *new* TGT from the KDC instead of reading the same ticket from the ticket cache. This is causing heavy traffic at the KDC, plus intermittent "Request is a replay" errors (which indicates a race condition at the KDC while handing out the TGT for the same principal).



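The cookie collision described in the issue, shown with Python's standard-library cookie jar as a stand-in client. This is an added example, not code from the issue or its patch. The host name, ports and cookie values are constructed, and the per-port jar is a hypothetical contrast, not the mechanism behind {{solr.kerberos.cookie.portaware}}.

```python
import http.cookiejar
import urllib.request
from email.message import Message
from urllib.parse import urlsplit

# Constructed sample: two Solr nodes on one host, different ports.
NODE_A = "http://solr.example.com:8983/solr/"
NODE_B = "http://solr.example.com:7574/solr/"

class FakeResponse:
    """Minimal response object exposing the headers CookieJar reads."""
    def __init__(self, set_cookie):
        self._headers = Message()
        self._headers["Set-Cookie"] = set_cookie
    def info(self):
        return self._headers

def receive(jar, url, value):
    """Store the hadoop.auth cookie a node would return (constructed value)."""
    request = urllib.request.Request(url)
    jar.extract_cookies(FakeResponse(f"hadoop.auth={value}; Path=/"), request)

def cookie_sent(jar, url):
    """Return the Cookie header the jar would attach to a request for url."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")

def shared_jar():
    """Default behaviour: one jar, cookies scoped by host and path, not port."""
    jar = http.cookiejar.CookieJar()
    receive(jar, NODE_A, "issued-by-8983")
    receive(jar, NODE_B, "issued-by-7574")  # replaces the first cookie
    return jar

def per_port_jars():
    """Hypothetical contrast: one jar per host:port, so values never collide."""
    jars = {}
    for url, value in ((NODE_A, "issued-by-8983"), (NODE_B, "issued-by-7574")):
        jar = jars.setdefault(urlsplit(url).netloc, http.cookiejar.CookieJar())
        receive(jar, url, value)
    return jars

if __name__ == "__main__":
    jar = shared_jar()
    print(len(jar), cookie_sent(jar, NODE_A))
    for netloc, j in per_port_jars().items():
        print(netloc, cookie_sent(j, f"http://{netloc}/solr/"))
```

With the shared jar, the node on port 8983 is handed the cookie value issued by the node on port 7574, which is the mismatch the issue attributes the repeated TGT fetches to.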