[ https://issues.apache.org/jira/browse/SOLR-8373?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ishan Chattopadhyaya updated SOLR-8373:
---------------------------------------
    Description: 
Kerberized solr nodes accept negotiate/spnego/kerberos requests and process 
them. It also passes back to the client a cookie called "hadoop.auth" (which is 
currently unused, but will eventually be used for delegation tokens). 

If two or more nodes are on the same machine, they all send out the cookie 
which have the same domain (hostname) and same path, but different cookie 
values.

Upon receipt at the client, if a cookie is rejected (which in this case will 
be), the client gets a TGT from the KDC. This is causing the heavy traffic at 
the KDC, plus intermittent "Request is a replay" (which indicates a race 
condition at KDC while handing out the TGT for the same principal). I think 
having a (well configured) ticket cache is a potential solution, but having 
cookies get rejected is bad enough.


  was:
Kerberized solr nodes accept negotiate/spnego/kerberos requests and process 
them. It also passes back to the client a cookie called "hadoop.auth" (which is 
currently unused, but will eventually be used for delegation tokens). 

If two or more nodes are on the same machine, they all send out the cookie 
which have the same domain (hostname) and same path, but different cookie 
values.

Upon receipt at the client, if a cookie is rejected (which in this case will 
be), the client compulsorily gets a *new* TGT from the KDC instead of 
reading the same ticket from the ticketcache. This is causing the heavy traffic 
at the KDC, plus intermittent "Request is a replay" (which indicates a race 
condition at KDC while handing out the TGT for the same principal).



> KerberosPlugin: Using multiple nodes on same machine leads clients to fetch 
> TGT for every request
> -------------------------------------------------------------------------------------------------
>
>                 Key: SOLR-8373
>                 URL: https://issues.apache.org/jira/browse/SOLR-8373
>             Project: Solr
>          Issue Type: Bug
>            Reporter: Ishan Chattopadhyaya
>            Assignee: Noble Paul
>            Priority: Critical
>         Attachments: SOLR-8373.patch, SOLR-8373.patch, SOLR-8373.patch, 
> SOLR-8373.patch, SOLR-8373.patch
>
>
> Kerberized solr nodes accept negotiate/spnego/kerberos requests and process 
> them. It also passes back to the client a cookie called "hadoop.auth" (which 
> is currently unused, but will eventually be used for delegation tokens). 
> If two or more nodes are on the same machine, they all send out the cookie 
> which have the same domain (hostname) and same path, but different cookie 
> values.
> Upon receipt at the client, if a cookie is rejected (which in this case will 
> be), the client gets a TGT from the KDC. This is causing the heavy traffic 
> at the KDC, plus intermittent "Request is a replay" (which indicates a race 
> condition at KDC while handing out the TGT for the same principal). I think 
> having a (well configured) ticket cache is a potential solution, but having 
> cookies get rejected is bad enough.



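The cookie collision described in this report, modelled as an added example that is not part of the original issue or of Solr's code. It assumes each node signs its "hadoop.auth" cookie with its own random secret, so a cookie issued by one node fails verification on another; the host name, ports and the `Node`, `CookieJar` and `simulate` names are hypothetical.

```python
import hashlib
import hmac
import os

COOKIE = "hadoop.auth"

class Node:
    """One Kerberized node. The per-node signing secret is an assumption."""
    def __init__(self, host, port):
        self.host, self.port = host, port
        self.secret = os.urandom(32)
        self.spnego_rounds = 0  # full negotiations; per the report each one hits the KDC

    def _sign(self, payload):
        return hmac.new(self.secret, payload.encode(), hashlib.sha256).hexdigest()

    def handle(self, cookie):
        """Return a new cookie value to set, or None if the presented one verified."""
        if cookie:
            payload, _, sig = cookie.rpartition("&s=")
            if hmac.compare_digest(sig, self._sign(payload)):
                return None
        self.spnego_rounds += 1  # cookie missing or rejected: negotiate again
        payload = f"u=client&issuer={self.port}"
        return f"{payload}&s={self._sign(payload)}"

class CookieJar:
    """Client jar keyed by (domain, path, name); cookies are not scoped by port (RFC 6265)."""
    def __init__(self):
        self.store = {}

    def request(self, node, path="/"):
        key = (node.host, path, COOKIE)
        issued = node.handle(self.store.get(key))
        if issued is not None:
            self.store[key] = issued  # replaces the cookie set by the other node

def simulate(ports, rounds):
    """Round-robin requests over nodes on one host; return total negotiations."""
    nodes = [Node("solr-host.example", p) for p in ports]  # constructed host name
    jar = CookieJar()
    for _ in range(rounds):
        for node in nodes:
            jar.request(node)
    return sum(n.spnego_rounds for n in nodes)

if __name__ == "__main__":
    print("one node :", simulate([8983], 5))
    print("two nodes:", simulate([8983, 7574], 5))
```

With a single node only the first request negotiates; with two nodes on the same host every request does, because each node keeps overwriting the other's cookie in the client's jar.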