  1. Solr
  2. SOLR-8373

KerberosPlugin: Using multiple nodes on same machine leads clients to fetch TGT for every request

Details

    • Bug
    • Status: Closed
    • Critical
    • Resolution: Fixed
    • None
    • 5.3.2, 5.4.1, 5.5, 6.0
    • None
    • None

    Description

      Kerberized Solr nodes accept negotiate/spnego/kerberos requests and process them. They also pass back to the client a cookie called "hadoop.auth" (which is currently unused, but will eventually be used for delegation tokens).

      If two or more nodes are on the same machine, they all send out cookies which have the same domain (hostname) and same path, but different cookie values.

      Upon receipt at the client, if a cookie is rejected (which in this case it will be), the client gets a TGT from the KDC. This is causing heavy traffic at the KDC, plus intermittent "Request is a replay" (which indicates a race condition at the KDC while handing out the TGT for the same principal). I think having a (well configured) ticket cache is a potential solution, but having cookies get rejected is bad enough.
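
The collision described above can be reproduced offline with a standard cookie store, because cookies are scoped by domain, path and name, not by port. This is an added example, not code from the issue or from Solr; the hostname, ports, URL path and cookie values are constructed, and Python's `http.cookiejar` stands in for the client's cookie handling.

```python
import email
import http.cookiejar
import urllib.request

HOST = "solr.example.com"                      # constructed hostname
NODE_A = f"http://{HOST}:8983/solr/admin/info/system"  # constructed node URLs:
NODE_B = f"http://{HOST}:7574/solr/admin/info/system"  # same host, different port


class FakeResponse:
    """Stand-in for an HTTP response that carries one Set-Cookie header."""

    def __init__(self, set_cookie):
        self._msg = email.message_from_string(f"Set-Cookie: {set_cookie}\n\n")

    def info(self):
        return self._msg


def receive(jar, url, value):
    """Store the hadoop.auth cookie a node at `url` would send back."""
    request = urllib.request.Request(url)
    jar.extract_cookies(FakeResponse(f"hadoop.auth={value}; Path=/"), request)


def cookie_sent_to(jar, url):
    """Return the Cookie header the client would attach to a request to `url`."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie")


def demo():
    jar = http.cookiejar.CookieJar()
    receive(jar, NODE_A, "issued-by-node-A")   # constructed cookie values
    receive(jar, NODE_B, "issued-by-node-B")   # same domain/path/name: overwrites A's
    return len(jar), cookie_sent_to(jar, NODE_A), cookie_sent_to(jar, NODE_B)


if __name__ == "__main__":
    count, to_a, to_b = demo()
    print(f"cookies stored: {count}")
    print(f"sent to node A: {to_a}")
    print(f"sent to node B: {to_b}")
```

Node A is handed the value node B issued, so whichever node answered last invalidates the cookie for every other node on that host.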

      Attachments

        1. SOLR-8373.patch
          19 kB
          Noble Paul
        2. SOLR-8373.patch
          23 kB
          Ishan Chattopadhyaya
        3. SOLR-8373.patch
          15 kB
          Ishan Chattopadhyaya
        4. SOLR-8373.patch
          5 kB
          Ishan Chattopadhyaya
        5. SOLR-8373.patch
          1 kB
          Ishan Chattopadhyaya

        Activity

          People

            noble.paul Noble Paul
            ichattopadhyaya Ishan Chattopadhyaya
            Votes: 1
            Watchers: 5
