Uploaded image for project: 'Solr'
  1. Solr
  2. SOLR-8373

KerberosPlugin: Using multiple nodes on same machine leads clients to fetch TGT for every request


    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 5.3.2, 5.4.1, 5.5, 6.0
    • Component/s: None
    • Labels:


      Kerberized solr nodes accept negotiate/spnego/kerberos requests and processes them. It also passes back to the client a cookie called "hadoop.auth" (which is currently unused, but will eventually be used for delegation tokens).

      If two or more nodes are on the same machine, they all send out the cookie which have the same domain (hostname) and same path, but different cookie values.

      Upon receipt at the client, if a cookie is rejected (which in this case will be), the client gets a​​ TGT from the KDC. This is causing the heavy traffic at the KDC, plus intermittent "Request is a replay" (which indicates race condition at KDC while handing out the TGT for the same principal). I think having a (well configured) ticket cache is a potential solution, but having cookies get rejected is bad enough.


        1. SOLR-8373.patch
          1 kB
          Ishan Chattopadhyaya
        2. SOLR-8373.patch
          5 kB
          Ishan Chattopadhyaya
        3. SOLR-8373.patch
          15 kB
          Ishan Chattopadhyaya
        4. SOLR-8373.patch
          23 kB
          Ishan Chattopadhyaya
        5. SOLR-8373.patch
          19 kB
          Noble Paul



            • Assignee:
              noble.paul Noble Paul
              ichattopadhyaya Ishan Chattopadhyaya
            • Votes:
              1 Vote for this issue
              5 Start watching this issue


              • Created: