Uploaded image for project: 'Solr'
  1. Solr
  2. SOLR-16720

PKI should decorate outgoing requests at "sending", not "enqueueing" time

    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Closed
    • Minor
    • Resolution: Fixed
    • 9.2
    • main (10.0), 9.3
    • Authentication
    • None

    Description

      Currently, PKIAuthenticationPlugin decorates intra-node requests using an 'onQueue' lifecycle hook, which is triggered when the request is enqueued for processing by the (asynchronous) Jetty http client.

      This works great on many systems. However on heavily loaded clusters the time between Jetty "queueing" the request and it actually being sent out can be non-negligible. If this gap becomes wide enough, the TTL encoded into the PKI auth header might have substantially or fully expired by the time the receiving node gets the request.

      We should experiment with moving PKI header decoration to the 'onBegin' hook instead, which fires much closer to the actual request-send time on heavily loaded servers.

      Attachments

        1. SOLR-16720-reproduce.patch
          1 kB
          Jason Gerlowski
        2. Screen Shot 2023-04-07 at 9.16.30 AM.png
          1.61 MB
          Jason Gerlowski
        3. reproduce.sh
          0.4 kB
          Jason Gerlowski

        Activity

          People

            gerlowskija Jason Gerlowski
            gerlowskija Jason Gerlowski
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Time Tracking

                Estimated:
                Original Estimate - Not Specified
                Not Specified
                Remaining:
                Remaining Estimate - 0h
                0h
                Logged:
                Time Spent - 1h 10m
                1h 10m