Posted to dev@zookeeper.apache.org by Sankalp Bhatia <sa...@gmail.com> on 2020/07/05 12:35:17 UTC

Use cases of client.portUnification

Hi Devs,

Can someone share some insights on what is a good use case for the feature
*client.portUnification*? I have a use case where clients would want both
PLAINTEXT and TLS traffic to be served by ZooKeeper server and I want to
avoid exposing and managing 2 different ZooKeeper ports. Is this a valid
use case, or is this feature only supposed to be used for some rolling
upgrades like the one for quorum port unification?

Thanks in advance!

-Sankalp

Re: Use cases of client.portUnification

Posted by Sankalp Bhatia <sa...@gmail.com>.
Thanks Mate for pointing the code out. Exactly what I was looking for.

Although it doesn't look like it has any impact, I will try to do some perf
tests to verify.

Thanks,
Sankalp

On Mon, 6 Jul 2020 at 15:55, Szalay-Bekő Máté <sz...@gmail.com>
wrote:

> > Should I also be worried about any performance impacts here in terms of
> > CPU/Runtime? Will my Plaintext requests be as fast as they are with a
> > vanilla Plaintext port? Would be helpful if someone can help me with some
> > documentation around this.
>
> Using SSL vs. using an insecure socket does have some performance impact for
> sure. But I don't know about any documentation / measurement around this
> specific question... I don't know if using non-SSL with or without port
> unification makes any difference. I would say most probably not.
> I see that the code path for socket / connection initialization is a bit
> different for the two cases. But I wouldn't expect real performance impact.
> Only the connection initialization part should be impacted, the performance
> for the rest of the communication over the socket should be the same, I
> assume.
>
> This is the point in the code where the client socket handler gets defined
> (either using or not using portUnification):
>
> https://github.com/apache/zookeeper/blob/6ab1822ec431bb3309021c1ddc613a5eaa28d83b/zookeeper-server/src/main/java/org/apache/zookeeper/server/NettyServerCnxnFactory.java#L489
>
> I have some performance measures around SSL vs. unsecure. It is not exactly
> what you are asking for, but maybe can be useful:
>
> https://drive.google.com/drive/folders/1uG3JI6sXiuWJ15IjtUMGTJwNY_pP3yhZ?usp=sharing
>
> Cheers,
> Mate

Re: Use cases of client.portUnification

Posted by Szalay-Bekő Máté <sz...@gmail.com>.
> Should I also be worried about any performance impacts here in terms of
> CPU/Runtime? Will my Plaintext requests be as fast as they are with a
> vanilla Plaintext port? Would be helpful if someone can help me with some
> documentation around this.

Using SSL vs. using an insecure socket does have some performance impact for
sure. But I don't know about any documentation / measurement around this
specific question... I don't know if using non-SSL with or without port
unification makes any difference. I would say most probably not.
I see that the code path for socket / connection initialization is a bit
different for the two cases. But I wouldn't expect real performance impact.
Only the connection initialization part should be impacted, the performance
for the rest of the communication over the socket should be the same, I
assume.

This is the point in the code where the client socket handler gets defined
(either using or not using portUnification):
https://github.com/apache/zookeeper/blob/6ab1822ec431bb3309021c1ddc613a5eaa28d83b/zookeeper-server/src/main/java/org/apache/zookeeper/server/NettyServerCnxnFactory.java#L489

I have some performance measures around SSL vs. unsecure. It is not exactly
what you are asking for, but maybe can be useful:
https://drive.google.com/drive/folders/1uG3JI6sXiuWJ15IjtUMGTJwNY_pP3yhZ?usp=sharing

Cheers,
Mate

On Mon, Jul 6, 2020 at 11:38 AM Sankalp Bhatia <sa...@gmail.com>
wrote:

> Thanks Enrico and Mate for the valuable comments.
>
> Mate, regarding your point- *I don't consider the use of
> client.portUnification to be 'bad' or 'unsecure' in itself *
>
> I agree. This is as bad as the case of having a plaintext and TLS port open
> at the same time in terms of security.
>
> Should I also be worried about any performance impacts here in terms of
> CPU/Runtime? Will my Plaintext requests be as fast as they are with a
> vanilla Plaintext port? Would be helpful if someone can help me with some
> documentation around this.
>
> Thanks
> -Sankalp

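What the dispatch point Mate links to has to decide, as an added example that is neither Mate's nor ZooKeeper's code: a port-unified listener sniffs the first bytes of each new connection, treats a TLS record header as TLS and anything else as the plaintext ZooKeeper protocol. The assumption here, labelled as such, is that NettyServerCnxnFactory delegates that decision to Netty's OptionalSslHandler, whose five-byte check sniff_transport() reproduces; the plaintext ConnectRequest layout follows the jute record as this example understands it. probe_port() turns the same idea into the check Mate wants when debugging: ask a live port whether it speaks TLS, plaintext, or both (host and port are whatever you pass in; nothing here contacts a real cluster unless you ask it to).

```python
"""Added example, not ZooKeeper project code: how a port-unified listener
decides TLS-vs-plaintext from the first bytes, and a probe that checks
what a client port really accepts.

Assumption (labelled): ZooKeeper's NettyServerCnxnFactory delegates the
decision to Netty's OptionalSslHandler, whose check sniff_transport()
reproduces here. The ConnectRequest layout follows the jute record as
this example understands it (protocolVersion, lastZxidSeen, timeOut,
sessionId, passwd, readOnly) behind a 4-byte length prefix.
"""
import socket
import ssl
import struct
import sys

# TLS record content types: change_cipher_spec, alert, handshake, application_data
TLS_CONTENT_TYPES = {20, 21, 22, 23}


def sniff_transport(first_bytes: bytes) -> str:
    """Return 'tls', 'plaintext' or 'unknown' for the opening bytes of a connection.

    A TLS record starts with a content type byte, a major version of 3 and a
    16-bit record length; five bytes are needed to decide. Everything else is
    handed to the plaintext ZooKeeper protocol handler.
    """
    if len(first_bytes) < 5:
        return "unknown"
    content_type, major = first_bytes[0], first_bytes[1]
    (record_len,) = struct.unpack(">H", first_bytes[3:5])
    if content_type in TLS_CONTENT_TYPES and major == 3 and record_len > 0:
        return "tls"
    return "plaintext"


def zk_connect_request(session_timeout_ms: int = 30000, read_only: bool = False) -> bytes:
    """Build the plaintext ConnectRequest a brand-new ZooKeeper client sends first.

    The frame starts with its own length, so its first byte is 0x00 for any
    realistic size; that is why it never collides with a TLS content type.
    """
    passwd = b"\x00" * 16  # new session: all-zero 16-byte password
    body = struct.pack(">iqiq", 0, 0, session_timeout_ms, 0)  # protocolVersion, lastZxidSeen, timeOut, sessionId
    body += struct.pack(">i", len(passwd)) + passwd            # jute buffer: int32 length, then bytes
    body += struct.pack(">?", read_only)
    return struct.pack(">i", len(body)) + body


def real_client_hello(server_name: str = "zk.example.internal") -> bytes:
    """Produce a genuine TLS ClientHello offline via an in-memory BIO (no network)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # ClientHello has been written; the handshake now waits for the server
    return outgoing.read()


def probe_port(host: str, port: int, timeout: float = 3.0) -> dict:
    """Ask a live port what it speaks (host and port are supplied by the caller).

    tls:       a TLS handshake gets through (certificate checks are deliberately
               off: the question is whether TLS is spoken, not whether it is trusted).
    plaintext: the server answers a plaintext ConnectRequest with a sane
               length-prefixed frame instead of a TLS alert or a closed socket.
    A TLS-only port should come back as {'tls': True, 'plaintext': False}.
    """
    result = {"tls": False, "plaintext": False}
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.do_handshake()
                result["tls"] = True
    except (OSError, ssl.SSLError):
        pass
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            raw.sendall(zk_connect_request())
            head = raw.recv(5)
            if sniff_transport(head) == "plaintext":
                (frame_len,) = struct.unpack(">i", head[:4])
                result["plaintext"] = 0 < frame_len <= 4096  # a ConnectResponse is tens of bytes
    except OSError:
        pass
    return result


if __name__ == "__main__":
    print("ConnectRequest ->", sniff_transport(zk_connect_request()))
    print("ClientHello    ->", sniff_transport(real_client_hello()))
    if len(sys.argv) == 3:  # python this.py <host> <port>
        print(probe_port(sys.argv[1], int(sys.argv[2])))
```

Run it with a host and port to see the posture of a real listener: a unified port reports both flags true, which is exactly why a client connecting there says nothing about whether TLS was used; only a port that reports tls=True and plaintext=False gives the guarantee Mate describes. The probe skips certificate validation on purpose, so if the server requires client certificates the handshake may still be rejected later; for this check that is fine, since TLS was spoken.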
Re: Use cases of client.portUnification

Posted by Sankalp Bhatia <sa...@gmail.com>.
Thanks Enrico and Mate for the valuable comments.

Mate, regarding your point- *I don't consider the use of
client.portUnification to be 'bad' or 'unsecure' in itself *

I agree. This is as bad as the case of having a plaintext and TLS port open
at the same time in terms of security.

Should I also be worried about any performance impacts here in terms of
CPU/Runtime? Will my Plaintext requests be as fast as they are with a
vanilla Plaintext port? Would be helpful if someone can help me with some
documentation around this.

Thanks
-Sankalp

On Sun, 5 Jul 2020 at 17:09, Enrico Olivelli <eo...@gmail.com> wrote:

> In my opinion you can use port unification during a rolling upgrade of your
> ZK cluster when you are moving your servers to TLS.
>
> Another case is that you have to connect to two different ZK clusters, one
> with TLS and one with plain connections, some configurations are system
> properties so it is hard sometimes to implement this scenario.
>
> I have not used it, so I am just sharing a couple of ideas.
>
> The feature has been contributed by our Facebook friends, I hope that
> someone from that crew can tell more.
>
> Regards
> Enrico
>
> On Sun, 5 Jul 2020, 16:41 Szalay-Bekő Máté <sz...@gmail.com> wrote:

Re: Use cases of client.portUnification

Posted by Enrico Olivelli <eo...@gmail.com>.
In my opinion you can use port unification during a rolling upgrade of your
ZK cluster when you are moving your servers to TLS.

Another case is that you have to connect to two different ZK clusters, one
with TLS and one with plain connections, some configurations are system
properties so it is hard sometimes to implement this scenario.

I have not used it, so I am just sharing a couple of ideas.

The feature has been contributed by our Facebook friends, I hope that
someone from that crew can tell more.

Regards
Enrico

On Sun, 5 Jul 2020, 16:41 Szalay-Bekő Máté <sz...@gmail.com> wrote:

> Hi Sankalp,
>
> I think it really depends on your security policies. I don't consider the
> use of client.portUnification to be 'bad' or 'unsecure' in itself.
> Especially, if you can make sure in your cluster that all sensitive data is
> protected with ACLs and modified / listed using TLS.
>
> But still the most secure is to use TLS-only connections. In our case we
> found it tricky to configure all the clients to connect to ZooKeeper using
> TLS, so we are following a step-by-step approach to migrate all our clients
> to TLS. But instead of using client.portUnification, we decided to maintain
> two separate ports in our configs. I don't exactly remember our reasoning,
> but e.g for me it seems to be easier to debug connection issues. (so if the
> client is able to connect to the secure-only port, then you can make sure
> TLS is really used - and you don't have a false sense of security)
>
> Cheers,
> Mate

Re: Use cases of client.portUnification

Posted by Szalay-Bekő Máté <sz...@gmail.com>.
Hi Sankalp,

I think it really depends on your security policies. I don't consider the
use of client.portUnification to be 'bad' or 'unsecure' in itself.
Especially, if you can make sure in your cluster that all sensitive data is
protected with ACLs and modified / listed using TLS.

But still the most secure is to use TLS-only connections. In our case we
found it tricky to configure all the clients to connect to ZooKeeper using
TLS, so we are following a step-by-step approach to migrate all our clients
to TLS. But instead of using client.portUnification, we decided to maintain
two separate ports in our configs. I don't exactly remember our reasoning,
but e.g for me it seems to be easier to debug connection issues. (so if the
client is able to connect to the secure-only port, then you can make sure
TLS is really used - and you don't have a false sense of security)

Cheers,
Mate

On Sun, Jul 5, 2020 at 2:35 PM Sankalp Bhatia <sa...@gmail.com>
wrote:

> Hi Devs,
>
> Can someone share some insights on what is a good use case for the feature
> *client.portUnification*? I have a use case where clients would want both
> PLAINTEXT and TLS traffic to be served by ZooKeeper server and I want to
> avoid exposing and managing 2 different ZooKeeper ports. Is this a valid
> use case, or is this feature only supposed to be used for some rolling
> upgrades like the one for quorum port unification?
>
> Thanks in advance!
>
> -Sankalp
>
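
The three arrangements the thread weighs (one unified port, as Sankalp asked about; two separate ports, as Mate's team chose; TLS-only, which Mate calls the most secure) map onto a handful of zoo.cfg keys. As an added example that is not from the thread or the ZooKeeper project, the checker below labels a configuration with one of those postures and lists what still lets plaintext in. The property names (clientPort, secureClientPort, client.portUnification, serverCnxnFactory, ssl.*) are the real zoo.cfg keys; the posture labels and the three sample configs are this example's own, constructed for illustration.

```python
"""Added example, not from the thread or the ZooKeeper project: label the
client-port posture of a zoo.cfg as one of the three arrangements the
thread discusses (unified port, two ports, TLS-only) and list what still
lets plaintext in. The property names are the real zoo.cfg keys; the
posture labels and the sample configs below are this example's own.
"""

NETTY_FACTORY = "org.apache.zookeeper.server.NettyServerCnxnFactory"


def parse_zoo_cfg(text: str) -> dict:
    """Minimal key=value parser for zoo.cfg (comments and blank lines skipped)."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def client_port_posture(cfg: dict) -> tuple:
    """Return (posture, findings) for the client listeners in a parsed zoo.cfg."""
    plain = cfg.get("clientPort")
    secure = cfg.get("secureClientPort")
    unified = cfg.get("client.portUnification", "false").strip().lower() == "true"
    factory = cfg.get("serverCnxnFactory", "")
    findings = []

    if plain is None and secure is None:
        return "none", ["no clientPort or secureClientPort: clients cannot connect"]

    wants_tls = secure is not None or unified
    if wants_tls and factory != NETTY_FACTORY:
        # TLS on the client port is only implemented by the Netty factory.
        findings.append(f"TLS requires serverCnxnFactory={NETTY_FACTORY}")

    if plain is not None and unified:
        posture = "unified"
        findings.append(f"clientPort {plain} accepts plaintext and TLS on one socket; "
                        "a successful connection there proves nothing about TLS")
    elif plain is not None and secure is not None:
        posture = "two-ports"
        findings.append(f"plaintext still served on clientPort {plain}; "
                        f"drop it once every client uses secureClientPort {secure}")
    elif plain is not None:
        posture = "plaintext-only"
        findings.append("no TLS listener: add secureClientPort (and the ssl.* keys)")
    else:
        posture = "tls-only"
        if unified:
            findings.append("client.portUnification has no effect without clientPort")
    return posture, findings


# Constructed samples (not real deployments).
UNIFIED_CFG = """
tickTime=2000
dataDir=/var/lib/zookeeper
clientPort=2181
client.portUnification=true
serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
ssl.keyStore.location=/etc/zookeeper/ssl/server.keystore.jks
ssl.trustStore.location=/etc/zookeeper/ssl/truststore.jks
"""

TWO_PORTS_CFG = """
tickTime=2000
dataDir=/var/lib/zookeeper
clientPort=2181
secureClientPort=2281
serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
ssl.keyStore.location=/etc/zookeeper/ssl/server.keystore.jks
ssl.trustStore.location=/etc/zookeeper/ssl/truststore.jks
"""

TLS_ONLY_CFG = """
tickTime=2000
dataDir=/var/lib/zookeeper
secureClientPort=2281
serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
ssl.keyStore.location=/etc/zookeeper/ssl/server.keystore.jks
ssl.trustStore.location=/etc/zookeeper/ssl/truststore.jks
"""


if __name__ == "__main__":
    for name, text in (("unified", UNIFIED_CFG), ("two-ports", TWO_PORTS_CFG), ("tls-only", TLS_ONLY_CFG)):
        posture, findings = client_port_posture(parse_zoo_cfg(text))
        print(f"{name:10s} -> {posture}")
        for f in findings:
            print("   ", f)
```

The migration end state is the config that comes back as ("tls-only", []): secureClientPort set, no clientPort, the Netty factory in place. Both intermediate postures carry a finding because plaintext is still reachable somewhere; with the unified port that is harder to see from the client side, which is the "false sense of security" point above.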