[
https://issues.apache.org/jira/browse/SOLR-8373?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Ishan Chattopadhyaya updated SOLR-8373:
---------------------------------------
Attachment: SOLR-8373.patch
Here's a patch I'm working on.
As of this patch, to invoke this, Solr nodes (that are on a shared hosting, so
to speak) need to start Solr using the port number as part of the cookie domain:
{{bin/solr -c -p 8983 -Dsolr.kerberos.cookie.domain=hostname:8983}}
(This, obviously, cannot go into the solr.in.sh, and hence needs to be removed
from there).
Looking to see if there's something better that can be done to pass the port
number to the kerberos authentication plugin.
> KerberosPlugin: Using multiple nodes on same machine leads clients to fetch
> TGT for every request
> -------------------------------------------------------------------------------------------------
>
> Key: SOLR-8373
> URL: https://issues.apache.org/jira/browse/SOLR-8373
> Project: Solr
> Issue Type: Bug
> Reporter: Ishan Chattopadhyaya
> Assignee: Noble Paul
> Priority: Critical
> Attachments: SOLR-8373.patch, SOLR-8373.patch
>
>
> Kerberized solr nodes accept negotiate/spnego/kerberos requests and processes
> them. It also passes back to the client a cookie called "hadoop.auth" (which
> is currently unused, but will eventually be used for delegation tokens).
> If two or more nodes are on the same machine, they all send out the cookie
> which have the same domain (hostname) and same path, but different cookie
> values.
> Upon receipt at the client, if a cookie is rejected (which in this case will
> be), the client compulsorily gets a *new* TGT from the KDC instead of
> reading the same ticket from the ticketcache. This is causing the heavy
> traffic at the KDC, plus intermittent "Request is a replay" (which indicates
> race condition at KDC while handing out the TGT for the same principal).
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
