[SOLR-16720] PKI should decorate outgoing requests at "sending", not "enqueueing" time - ASF JIRA

Attach files

Attach Screenshot

Voters

Watch issue

Watchers

Create sub-task

Link

Clone

Update Comment Author

Replace String in Comment

Update Comment Visibility

Delete Comments

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Closed
Priority: Minor
Resolution: Fixed
Affects Version/s: 9.2
Fix Version/s: main (10.0), 9.3
Component/s: Authentication
Labels:
None

Description

Currently, PKIAuthenticationPlugin decorates intra-node requests using an 'onQueue' lifecycle hook, which is triggered when the request is enqueued for processing by the (asynchronous) Jetty http client.

This works great on many systems. However on heavily loaded clusters the time between Jetty "queueing" the request and it actually being sent out can be non-negligible. If this gap becomes wide enough, the TTL encoded into the PKI auth header might have substantially or fully expired by the time the receiving node gets the request.

We should experiment with moving PKI header decoration to the 'onBegin' hook instead, which fires much closer to the actual request-send time on heavily loaded servers.

Attachments

SOLR-16720-reproduce.patch
27/Mar/23 16:19
1 kB
Jason Gerlowski
Screen Shot 2023-04-07 at 9.16.30 AM.png
07/Apr/23 13:19
1.61 MB
Jason Gerlowski
reproduce.sh
27/Mar/23 16:20
0.4 kB
Jason Gerlowski