Jason Gerlowski created SOLR-16720:
--------------------------------------
Summary: PKI should decorate outgoing requests at "sending", not
"enqueueing" time
Key: SOLR-16720
URL: https://issues.apache.org/jira/browse/SOLR-16720
Project: Solr
Issue Type: Improvement
Security Level: Public (Default Security Level. Issues are Public)
Components: Authentication
Affects Versions: 9.2
Reporter: Jason Gerlowski
Currently, PKIAuthenticationPlugin decorates intra-node requests using an
'onQueue' lifecycle hook, which is triggered when the request is enqueued for
processing by the (asynchronous) Jetty http client.
This works great on many systems. However on heavily loaded clusters the time
between Jetty "queueing" the request and it actually being sent out can be
non-negligible. If this gap becomes wide enough, the TTL encoded into the PKI
auth header might have substantially or fully expired by the time the receiving
node gets the request.
We should experiment with moving PKI header decoration to the 'onBegin' hook
instead, which fires much closer to the actual request-send time on heavily
loaded servers.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
