[ https://issues.apache.org/jira/browse/SOLR-8373?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15073576#comment-15073576 ]
ASF subversion and git services commented on SOLR-8373: ------------------------------------------------------- Commit 1722061 from [~anshumg] in branch 'dev/branches/branch_5x' [ https://svn.apache.org/r1722061 ] SOLR-8373: Add change log entry to 5.3.2 section (merge from trunk) > KerberosPlugin: Using multiple nodes on same machine leads clients to fetch > TGT for every request > ------------------------------------------------------------------------------------------------- > > Key: SOLR-8373 > URL: https://issues.apache.org/jira/browse/SOLR-8373 > Project: Solr > Issue Type: Bug > Reporter: Ishan Chattopadhyaya > Assignee: Noble Paul > Priority: Critical > Fix For: 5.3.2, 5.5, Trunk > > Attachments: SOLR-8373.patch, SOLR-8373.patch, SOLR-8373.patch, > SOLR-8373.patch, SOLR-8373.patch > > > Kerberized solr nodes accept negotiate/spnego/kerberos requests and processes > them. It also passes back to the client a cookie called "hadoop.auth" (which > is currently unused, but will eventually be used for delegation tokens). > If two or more nodes are on the same machine, they all send out the cookie > which have the same domain (hostname) and same path, but different cookie > values. > Upon receipt at the client, if a cookie is rejected (which in this case will > be), the client gets a TGT from the KDC. This is causing the heavy traffic > at the KDC, plus intermittent "Request is a replay" (which indicates race > condition at KDC while handing out the TGT for the same principal). I think > having a (well configured) ticket cache is a potential solution, but having > cookies get rejected is bad enough. -- This message was sent by Atlassian JIRA (v6.3.4#6332) --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@lucene.apache.org For additional commands, e-mail: dev-h...@lucene.apache.org