Tushar, I am going to take a look at this issue and then come back to you.
Thanks, Lina On Wed, Apr 19, 2017 at 9:45 PM, Waterline Data <[email protected]> wrote: > Hello, > > My question is about the Solr Sentry plugin in a Kerberos environment. > > We are encountering an issue with the Solr Sentry plugin. The issue is more > fully described in SENTRY-1703 > <https://issues.apache.org/jira/browse/SENTRY-1703>, but here's the > summary: > > We suspect that in a kerberized solr-sentry environment, a Solr create > query containing multiple documents as part of the request creates multiple > redundant sentry authorization checks (same user, same collection, same > privilege) and hence multiple downstream KDC requests. In a high volume > scenario, such as a multi-node spark cluster writing to Solr, this ends up > creating a huge load on KDC and eventually sentry times out on a few random > KDC requests, which causes it to fail to the clients with exceptions like > "User X does not have privileges for Ycollection", which is an incorrect > error because the client clearly has write privilege on the collection and > it works at other times. The stacktraces and sample code to reproduce are > attached to the bug. > > My question is: > > 1. Can someone kindly confirm the above mentioned hypothesis? > 2. Suggest any pointers to work around this issue in the meantime? > > Thanks, > Tushar. >
