[
https://issues.apache.org/jira/browse/SOLR-8373?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15073576#comment-15073576
]
ASF subversion and git services commented on SOLR-8373:
-------------------------------------------------------
Commit 1722061 from [~anshumg] in branch 'dev/branches/branch_5x'
[ https://svn.apache.org/r1722061 ]
SOLR-8373: Add change log entry to 5.3.2 section (merge from trunk)
> KerberosPlugin: Using multiple nodes on same machine leads clients to fetch
> TGT for every request
> -------------------------------------------------------------------------------------------------
>
> Key: SOLR-8373
> URL: https://issues.apache.org/jira/browse/SOLR-8373
> Project: Solr
> Issue Type: Bug
> Reporter: Ishan Chattopadhyaya
> Assignee: Noble Paul
> Priority: Critical
> Fix For: 5.3.2, 5.5, Trunk
>
> Attachments: SOLR-8373.patch, SOLR-8373.patch, SOLR-8373.patch,
> SOLR-8373.patch, SOLR-8373.patch
>
>
> Kerberized solr nodes accept negotiate/spnego/kerberos requests and processes
> them. It also passes back to the client a cookie called "hadoop.auth" (which
> is currently unused, but will eventually be used for delegation tokens).
> If two or more nodes are on the same machine, they all send out the cookie
> which have the same domain (hostname) and same path, but different cookie
> values.
> Upon receipt at the client, if a cookie is rejected (which in this case will
> be), the client gets a TGT from the KDC. This is causing the heavy traffic
> at the KDC, plus intermittent "Request is a replay" (which indicates race
> condition at KDC while handing out the TGT for the same principal). I think
> having a (well configured) ticket cache is a potential solution, but having
> cookies get rejected is bad enough.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org
For additional commands, e-mail: dev-h...@lucene.apache.org
