[ https://issues.apache.org/jira/browse/SOLR-16720?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17709410#comment-17709410 ]
ASF subversion and git services commented on SOLR-16720:
--------------------------------------------------------

Commit 8b8f9f6726296749551a6edfffe7aa2ccae7dc0e in solr's branch refs/heads/main from Jason Gerlowski
[ https://gitbox.apache.org/repos/asf?p=solr.git;h=8b8f9f67262 ]

SOLR-16720: Defer PKI header creation to send-time (#1495)

Prior to this commit, the PKIAuthPlugin decorates outgoing requests at 'queue' time instead of later when they're actually sent. This can cause scenarios where, under heavy load, queue time and sending time are far enough apart that much or all of the TTL window for the outgoing request is expired by the time it's even sent.

This commit switches header-decoration to occur using a different lifecycle hook offered by Jetty, 'onBegin', so that it's done as close as possible to the actual time the request is sent.

This won't eliminate the possibility of errant TTL expiry - a JVM might go into a long GC right after 'onBegin' for a request but before sending it on the wire. But it should reduce errant TTL expiry substantially.

> PKI should decorate outgoing requests at "sending", not "enqueueing" time
> -------------------------------------------------------------------------
>
>                 Key: SOLR-16720
>                 URL: https://issues.apache.org/jira/browse/SOLR-16720
>             Project: Solr
>          Issue Type: Improvement
>          Components: Authentication
>   Affects Versions: 9.2
>            Reporter: Jason Gerlowski
>            Priority: Minor
>         Attachments: SOLR-16720-reproduce.patch, reproduce.sh
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> Currently, PKIAuthenticationPlugin decorates intra-node requests using an
> 'onQueue' lifecycle hook, which is triggered when the request is enqueued for
> processing by the (asynchronous) Jetty http client.
> This works great on many systems. However on heavily loaded clusters the
> time between Jetty "queueing" the request and it actually being sent out can
> be non-negligible. If this gap becomes wide enough, the TTL encoded into the
> PKI auth header might have substantially or fully expired by the time the
> receiving node gets the request.
> We should experiment with moving PKI header decoration to the 'onBegin' hook
> instead, which fires much closer to the actual request-send time on heavily
> loaded servers.
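
The timing problem described in the message above, as an added example that is not part of the original message or of Solr's code: a simulated clock drains a FIFO send queue and compares writing the header timestamp at queue time with writing it when sending begins, including the residual case of a pause after the stamp. The TTL, timings, burst size and all function names are assumptions constructed for the illustration.

```python
from collections import deque
from dataclasses import dataclass

TTL_MS = 5000  # constructed TTL for this example, not a value taken from the page


@dataclass
class Outcome:
    request_id: int
    header_ts: int    # timestamp the sender wrote into the auth header
    received_at: int  # simulated time at which the receiver validates it
    accepted: bool


def receiver_accepts(header_ts, now, ttl_ms=TTL_MS):
    """Receiving node: reject a header whose timestamp is older than the TTL."""
    return 0 <= now - header_ts <= ttl_ms


def simulate(arrivals_ms, service_ms, network_ms, stamp_at, stalls=None):
    """Drain a FIFO queue over one connection on a simulated millisecond clock.

    stamp_at="queue" stamps the header when the request is enqueued;
    stamp_at="begin" stamps it when the request leaves the queue to be sent.
    stalls maps request_id -> pause (ms) between stamping and hitting the wire,
    standing in for the long-GC case the commit message mentions.
    """
    if stamp_at not in ("queue", "begin"):
        raise ValueError("stamp_at must be 'queue' or 'begin'")
    stalls = stalls or {}
    pending = deque(enumerate(sorted(arrivals_ms)))
    clock, outcomes = 0, []
    while pending:
        req_id, queued_at = pending.popleft()
        begin_at = max(clock, queued_at)        # waits for the connection
        header_ts = queued_at if stamp_at == "queue" else begin_at
        sent_at = begin_at + stalls.get(req_id, 0)
        clock = sent_at + service_ms            # connection busy until here
        received_at = sent_at + network_ms
        ok = receiver_accepts(header_ts, received_at)
        outcomes.append(Outcome(req_id, header_ts, received_at, ok))
    return outcomes


def rejected(outcomes):
    return [o.request_id for o in outcomes if not o.accepted]


# Constructed load: 40 requests enqueued 1 ms apart, each holding the
# connection for 200 ms, with 20 ms of network latency.
BURST = list(range(40))

if __name__ == "__main__":
    for mode in ("queue", "begin"):
        print(mode, rejected(simulate(BURST, 200, 20, mode)))
```

With this constructed load, queue-time stamping loses every request that waits more than about five seconds in the queue, while begin-time stamping only fails for a request that is paused after the stamp is written.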