[
https://issues.apache.org/jira/browse/SOLR-8373?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15045239#comment-15045239
]
Ishan Chattopadhyaya commented on SOLR-8373:
--------------------------------------------
It seems if ticket caching (credentials cache) isn't set up properly, ignoring
cookies always (as in this patch) will have the client fetch the TGT from the
KDC again.
Since fetching the ticket from the KDC (or even the ticket cache) and sending
it again and again isn't ideal, I am now looking to have a modified cookie spec
implemented within the realms of HttpClient (which SolrJ depends on), which
will restrict the cookies by host *and port*, since the standard cookie RFCs
and the browsers are okay to share cookies for the same host across different
applications running on different ports. This will allow multiple Solr nodes on
the same host to work properly without the clients going to the KDC (or even
the ticket cache) for the tickets.
I shall post a patch for this approach in a while.
> KerberosPlugin: Using multiple nodes on same machine leads clients to fetch
> TGT for every request
> -------------------------------------------------------------------------------------------------
>
> Key: SOLR-8373
> URL: https://issues.apache.org/jira/browse/SOLR-8373
> Project: Solr
> Issue Type: Bug
> Reporter: Ishan Chattopadhyaya
> Assignee: Noble Paul
> Priority: Critical
> Attachments: SOLR-8373.patch
>
>
> Kerberized Solr nodes accept negotiate/spnego/kerberos requests and process
> them. They also pass back to the client a cookie called "hadoop.auth" (which
> is currently unused, but will eventually be used for delegation tokens).
> If two or more nodes are on the same machine, they all send out cookies
> which have the same domain (hostname) and same path, but different cookie
> values.
> Upon receipt at the client, if a cookie is rejected (which in this case will
> be), the client compulsorily gets a *new* TGT from the KDC instead of
> reading the same ticket from the ticket cache. This is causing heavy
> traffic at the KDC, plus intermittent "Request is a replay" (which indicates
> a race condition at the KDC while handing out the TGT for the same principal).
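The cookie collision and the host-and-port restriction discussed above, as an added Python model that is not code from Solr, SolrJ or HttpClient: it counts how many requests need a full negotiate round trip when two nodes share a hostname. The host name, ports, token values and all class and function names are constructed, and treating the collision as one node's "hadoop.auth" value replacing the other's in the client's cookie store is an assumption about the mechanism, since the issue only says the cookie is rejected.

```python
from itertools import cycle, islice


class Node:
    """Constructed stand-in for a Kerberized node that issues its own cookie."""

    def __init__(self, host, port):
        self.host, self.port = host, port
        self.token = f"signed-by-node-{port}"  # each node's cookie value differs

    def handle(self, cookie):
        # A cookie this node issued is accepted; anything else forces a full
        # negotiate exchange, after which the node sets its own cookie.
        if cookie == self.token:
            return False, None
        return True, self.token


class CookieJar:
    """Client cookie store; port_aware=True adds the port to the cookie identity."""

    def __init__(self, port_aware):
        self.port_aware = port_aware
        self.store = {}

    def _key(self, node, name, path="/"):
        # Standard cookie identity is (name, domain, path); the port is not part
        # of it, so two nodes on one host map to the same slot.
        base = (name, node.host, path)
        return base + (node.port,) if self.port_aware else base

    def get(self, node, name):
        return self.store.get(self._key(node, name))

    def put(self, node, name, value):
        self.store[self._key(node, name)] = value


def count_negotiations(port_aware, requests=10):
    """Alternate requests between two same-host nodes and count negotiate exchanges."""
    nodes = [Node("solr-host.example", 8983), Node("solr-host.example", 7574)]
    jar = CookieJar(port_aware)
    negotiations = 0
    for node in islice(cycle(nodes), requests):
        negotiated, new_cookie = node.handle(jar.get(node, "hadoop.auth"))
        if negotiated:
            negotiations += 1
            jar.put(node, "hadoop.auth", new_cookie)
    return negotiations
```

With the default of ten alternating requests, the host-only jar negotiates on every request, while the host-and-port jar negotiates once per node.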