[
https://issues.apache.org/jira/browse/SOLR-8373?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Ishan Chattopadhyaya updated SOLR-8373:
---------------------------------------
Attachment: SOLR-8373.patch
Added test cases, minor refactoring here and there. I did some end to end
testing and the changes look good to me thus far.
Was just wondering if the change to have all authentication and authorization
plugins now accept a CoreContainer warrants a separate issue?
> KerberosPlugin: Using multiple nodes on same machine leads clients to fetch
> TGT for every request
> -------------------------------------------------------------------------------------------------
>
> Key: SOLR-8373
> URL: https://issues.apache.org/jira/browse/SOLR-8373
> Project: Solr
> Issue Type: Bug
> Reporter: Ishan Chattopadhyaya
> Assignee: Noble Paul
> Priority: Critical
> Attachments: SOLR-8373.patch, SOLR-8373.patch, SOLR-8373.patch,
> SOLR-8373.patch
>
>
> Kerberized solr nodes accept negotiate/spnego/kerberos requests and processes
> them. It also passes back to the client a cookie called "hadoop.auth" (which
> is currently unused, but will eventually be used for delegation tokens).
> If two or more nodes are on the same machine, they all send out the cookie
> which have the same domain (hostname) and same path, but different cookie
> values.
> Upon receipt at the client, if a cookie is rejected (which in this case will
> be), the client compulsorily gets a *new* TGT from the KDC instead of
> reading the same ticket from the ticketcache. This is causing the heavy
> traffic at the KDC, plus intermittent "Request is a replay" (which indicates
> race condition at KDC while handing out the TGT for the same principal).
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
