You are viewing a plain text version of this content. The canonical link for it is here.
Posted to reviews@kudu.apache.org by "Todd Lipcon (Code Review)" <ge...@cloudera.org> on 2018/02/22 18:09:54 UTC
[kudu-CR] java: provide our own preferred cipher suite list
Hello Alexey Serbin, Dan Burkert,
I'd like you to do a code review. Please visit
http://gerrit.cloudera.org:8080/9398
to review the following change.
Change subject: java: provide our own preferred cipher suite list
......................................................................
java: provide our own preferred cipher suite list
This updates the Java client to use a cipher suite list which matches
the server side. This has a very big performance benefit since it
prioritizes GCM-based ciphers which are significantly faster than those
that use SHA256 or SHA384 HMAC for integrity.
In particular, a YCSB in-memory random-read workload I was running got
~60% faster. The CPU profile on the server previously showed most of its
time in SHA hash calculation, and now shows only relatively little CPU
in GCM-related calls.
Change-Id: I4b2853dfd8d330bdf003924a5574fde865f54249
---
M java/kudu-client/src/main/java/org/apache/kudu/client/Negotiator.java
1 file changed, 29 insertions(+), 0 deletions(-)
git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/98/9398/1
--
To view, visit http://gerrit.cloudera.org:8080/9398
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newchange
Gerrit-Change-Id: I4b2853dfd8d330bdf003924a5574fde865f54249
Gerrit-Change-Number: 9398
Gerrit-PatchSet: 1
Gerrit-Owner: Todd Lipcon <to...@apache.org>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Dan Burkert <da...@cloudera.com>
[kudu-CR] java: provide our own preferred cipher suite list
Posted by "Dan Burkert (Code Review)" <ge...@cloudera.org>.
Dan Burkert has posted comments on this change. ( http://gerrit.cloudera.org:8080/9398 )
Change subject: java: provide our own preferred cipher suite list
......................................................................
Patch Set 3: Code-Review+2
--
To view, visit http://gerrit.cloudera.org:8080/9398
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I4b2853dfd8d330bdf003924a5574fde865f54249
Gerrit-Change-Number: 9398
Gerrit-PatchSet: 3
Gerrit-Owner: Todd Lipcon <to...@apache.org>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Dan Burkert <da...@cloudera.com>
Gerrit-Reviewer: Grant Henke <gr...@gmail.com>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>
Gerrit-Comment-Date: Thu, 22 Feb 2018 20:02:06 +0000
Gerrit-HasComments: No
[kudu-CR] java: provide our own preferred cipher suite list
Posted by "Todd Lipcon (Code Review)" <ge...@cloudera.org>.
Todd Lipcon has posted comments on this change. ( http://gerrit.cloudera.org:8080/9398 )
Change subject: java: provide our own preferred cipher suite list
......................................................................
Patch Set 2:
(1 comment)
http://gerrit.cloudera.org:8080/#/c/9398/2/java/kudu-client/src/main/java/org/apache/kudu/client/Negotiator.java
File java/kudu-client/src/main/java/org/apache/kudu/client/Negotiator.java:
http://gerrit.cloudera.org:8080/#/c/9398/2/java/kudu-client/src/main/java/org/apache/kudu/client/Negotiator.java@520
PS2, Line 520: engine.setEnabledCipherSuites(toEnable.toArray(new String[0]));
> I would fail with an exception. IMHO falling back to defaults which may not
Done
--
To view, visit http://gerrit.cloudera.org:8080/9398
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I4b2853dfd8d330bdf003924a5574fde865f54249
Gerrit-Change-Number: 9398
Gerrit-PatchSet: 2
Gerrit-Owner: Todd Lipcon <to...@apache.org>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Dan Burkert <da...@cloudera.com>
Gerrit-Reviewer: Grant Henke <gr...@gmail.com>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>
Gerrit-Comment-Date: Thu, 22 Feb 2018 19:27:13 +0000
Gerrit-HasComments: Yes
[kudu-CR] java: provide our own preferred cipher suite list
Posted by "Todd Lipcon (Code Review)" <ge...@cloudera.org>.
Todd Lipcon has posted comments on this change. ( http://gerrit.cloudera.org:8080/9398 )
Change subject: java: provide our own preferred cipher suite list
......................................................................
Patch Set 2:
(1 comment)
http://gerrit.cloudera.org:8080/#/c/9398/2/java/kudu-client/src/main/java/org/apache/kudu/client/Negotiator.java
File java/kudu-client/src/main/java/org/apache/kudu/client/Negotiator.java:
http://gerrit.cloudera.org:8080/#/c/9398/2/java/kudu-client/src/main/java/org/apache/kudu/client/Negotiator.java@520
PS2, Line 520: engine.setEnabledCipherSuites(toEnable.toArray(new String[0]));
> Maybe add an assert that the toEnable list isn't empty, or is that sufficie
sure You think I should just assert or should I throw a RuntimeException or somesuch? Or should I continue on with a warning that we are falling back to system default?
--
To view, visit http://gerrit.cloudera.org:8080/9398
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I4b2853dfd8d330bdf003924a5574fde865f54249
Gerrit-Change-Number: 9398
Gerrit-PatchSet: 2
Gerrit-Owner: Todd Lipcon <to...@apache.org>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Dan Burkert <da...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>
Gerrit-Comment-Date: Thu, 22 Feb 2018 19:21:25 +0000
Gerrit-HasComments: Yes
[kudu-CR] java: provide our own preferred cipher suite list
Posted by "Grant Henke (Code Review)" <ge...@cloudera.org>.
Grant Henke has posted comments on this change. ( http://gerrit.cloudera.org:8080/9398 )
Change subject: java: provide our own preferred cipher suite list
......................................................................
Patch Set 2:
(1 comment)
http://gerrit.cloudera.org:8080/#/c/9398/2/java/kudu-client/src/main/java/org/apache/kudu/client/Negotiator.java
File java/kudu-client/src/main/java/org/apache/kudu/client/Negotiator.java:
http://gerrit.cloudera.org:8080/#/c/9398/2/java/kudu-client/src/main/java/org/apache/kudu/client/Negotiator.java@520
PS2, Line 520: engine.setEnabledCipherSuites(toEnable.toArray(new String[0]));
> sure You think I should just assert or should I throw a RuntimeException or
I would fail with an exception. IMHO falling back to defaults which may not be secure could be worse than failing.
--
To view, visit http://gerrit.cloudera.org:8080/9398
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I4b2853dfd8d330bdf003924a5574fde865f54249
Gerrit-Change-Number: 9398
Gerrit-PatchSet: 2
Gerrit-Owner: Todd Lipcon <to...@apache.org>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Dan Burkert <da...@cloudera.com>
Gerrit-Reviewer: Grant Henke <gr...@gmail.com>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>
Gerrit-Comment-Date: Thu, 22 Feb 2018 19:25:14 +0000
Gerrit-HasComments: Yes
[kudu-CR] java: provide our own preferred cipher suite list
Posted by "Dan Burkert (Code Review)" <ge...@cloudera.org>.
Dan Burkert has posted comments on this change. ( http://gerrit.cloudera.org:8080/9398 )
Change subject: java: provide our own preferred cipher suite list
......................................................................
Patch Set 2:
(1 comment)
http://gerrit.cloudera.org:8080/#/c/9398/2/java/kudu-client/src/main/java/org/apache/kudu/client/Negotiator.java
File java/kudu-client/src/main/java/org/apache/kudu/client/Negotiator.java:
http://gerrit.cloudera.org:8080/#/c/9398/2/java/kudu-client/src/main/java/org/apache/kudu/client/Negotiator.java@520
PS2, Line 520: engine.setEnabledCipherSuites(toEnable.toArray(new String[0]));
Maybe add an assert that the toEnable list isn't empty, or is that sufficiently unlikely?
--
To view, visit http://gerrit.cloudera.org:8080/9398
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I4b2853dfd8d330bdf003924a5574fde865f54249
Gerrit-Change-Number: 9398
Gerrit-PatchSet: 2
Gerrit-Owner: Todd Lipcon <to...@apache.org>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Dan Burkert <da...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Comment-Date: Thu, 22 Feb 2018 19:02:26 +0000
Gerrit-HasComments: Yes
[kudu-CR] java: provide our own preferred cipher suite list
Posted by "Todd Lipcon (Code Review)" <ge...@cloudera.org>.
Hello Alexey Serbin, Dan Burkert, Kudu Jenkins,
I'd like you to reexamine a change. Please visit
http://gerrit.cloudera.org:8080/9398
to look at the new patch set (#2).
Change subject: java: provide our own preferred cipher suite list
......................................................................
java: provide our own preferred cipher suite list
This updates the Java client to use a cipher suite list which matches
the server side. This has a very big performance benefit since it
prioritizes GCM-based ciphers which are significantly faster than those
that use SHA256 or SHA384 HMAC for integrity.
In particular, a YCSB in-memory random-read workload I was running got
~60% faster. The CPU profile on the server previously showed most of its
time in SHA hash calculation, and now shows only relatively little CPU
in GCM-related calls.
Change-Id: I4b2853dfd8d330bdf003924a5574fde865f54249
---
M java/kudu-client/src/main/java/org/apache/kudu/client/Negotiator.java
1 file changed, 32 insertions(+), 0 deletions(-)
git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/98/9398/2
--
To view, visit http://gerrit.cloudera.org:8080/9398
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I4b2853dfd8d330bdf003924a5574fde865f54249
Gerrit-Change-Number: 9398
Gerrit-PatchSet: 2
Gerrit-Owner: Todd Lipcon <to...@apache.org>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Dan Burkert <da...@cloudera.com>
Gerrit-Reviewer: Kudu Jenkins
[kudu-CR] java: provide our own preferred cipher suite list
Posted by "Todd Lipcon (Code Review)" <ge...@cloudera.org>.
Hello Alexey Serbin, Dan Burkert, Kudu Jenkins, Grant Henke,
I'd like you to reexamine a change. Please visit
http://gerrit.cloudera.org:8080/9398
to look at the new patch set (#3).
Change subject: java: provide our own preferred cipher suite list
......................................................................
java: provide our own preferred cipher suite list
This updates the Java client to use a cipher suite list which matches
the server side. This has a very big performance benefit since it
prioritizes GCM-based ciphers which are significantly faster than those
that use SHA256 or SHA384 HMAC for integrity.
In particular, a YCSB in-memory random-read workload I was running got
~60% faster. The CPU profile on the server previously showed most of its
time in SHA hash calculation, and now shows only relatively little CPU
in GCM-related calls.
Change-Id: I4b2853dfd8d330bdf003924a5574fde865f54249
---
M java/kudu-client/src/main/java/org/apache/kudu/client/Negotiator.java
1 file changed, 39 insertions(+), 0 deletions(-)
git pull ssh://gerrit.cloudera.org:29418/kudu refs/changes/98/9398/3
--
To view, visit http://gerrit.cloudera.org:8080/9398
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: newpatchset
Gerrit-Change-Id: I4b2853dfd8d330bdf003924a5574fde865f54249
Gerrit-Change-Number: 9398
Gerrit-PatchSet: 3
Gerrit-Owner: Todd Lipcon <to...@apache.org>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Dan Burkert <da...@cloudera.com>
Gerrit-Reviewer: Grant Henke <gr...@gmail.com>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>
[kudu-CR] java: provide our own preferred cipher suite list
Posted by "Todd Lipcon (Code Review)" <ge...@cloudera.org>.
Todd Lipcon has submitted this change and it was merged. ( http://gerrit.cloudera.org:8080/9398 )
Change subject: java: provide our own preferred cipher suite list
......................................................................
java: provide our own preferred cipher suite list
This updates the Java client to use a cipher suite list which matches
the server side. This has a very big performance benefit since it
prioritizes GCM-based ciphers which are significantly faster than those
that use SHA256 or SHA384 HMAC for integrity.
In particular, a YCSB in-memory random-read workload I was running got
~60% faster. The CPU profile on the server previously showed most of its
time in SHA hash calculation, and now shows only relatively little CPU
in GCM-related calls.
Change-Id: I4b2853dfd8d330bdf003924a5574fde865f54249
Reviewed-on: http://gerrit.cloudera.org:8080/9398
Reviewed-by: Dan Burkert <da...@cloudera.com>
Tested-by: Kudu Jenkins
---
M java/kudu-client/src/main/java/org/apache/kudu/client/Negotiator.java
1 file changed, 39 insertions(+), 0 deletions(-)
Approvals:
Dan Burkert: Looks good to me, approved
Kudu Jenkins: Verified
--
To view, visit http://gerrit.cloudera.org:8080/9398
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings
Gerrit-Project: kudu
Gerrit-Branch: master
Gerrit-MessageType: merged
Gerrit-Change-Id: I4b2853dfd8d330bdf003924a5574fde865f54249
Gerrit-Change-Number: 9398
Gerrit-PatchSet: 4
Gerrit-Owner: Todd Lipcon <to...@apache.org>
Gerrit-Reviewer: Alexey Serbin <as...@cloudera.com>
Gerrit-Reviewer: Dan Burkert <da...@cloudera.com>
Gerrit-Reviewer: Grant Henke <gr...@gmail.com>
Gerrit-Reviewer: Kudu Jenkins
Gerrit-Reviewer: Todd Lipcon <to...@apache.org>