Hi Sankalp,

I think it really depends on your security policies. I don't consider the
use of client.portUnification to be 'bad' or 'insecure' in itself.
Especially if you can make sure in your cluster that all sensitive data is
protected with ACLs and modified / listed using TLS.

But still the most secure is to use TLS-only connections. In our case we
found it tricky to configure all the clients to connect to ZooKeeper using
TLS, so we are following a step-by-step approach to migrate all our clients
to TLS. But instead of using client.portUnification, we decided to maintain
two separate ports in our configs. I don't exactly remember our reasoning,
but e.g., for me it seems to be easier to debug connection issues. (So if the
client is able to connect to the secure-only port, then you can make sure
TLS is really used, and you don't have a false sense of security.)

Cheers,
Mate

On Sun, Jul 5, 2020 at 2:35 PM Sankalp Bhatia <sankalpbhati...@gmail.com>
wrote:

> Hi Devs,
>
> Can someone share some insights on what is a good use case for the feature
> *client.portUnification*? I have a use case where clients would want both
> PLAINTEXT and TLS traffic to be served by ZooKeeper server and I want to
> avoid exposing and managing 2 different ZooKeeper ports. Is this a valid
> use case? Or is this feature only supposed to be used for some rolling
> upgrades like the one for quorum port unification?
>
> Thanks in advance!
>
> -Sankalp
>
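To make the two approaches discussed above concrete, here is an added zoo.cfg sketch. It is not part of the thread and not taken from the ZooKeeper project's documentation; the property names are the ones the ZooKeeper server reads for client TLS, while the port numbers, keystore paths and passwords are placeholders chosen for the example.

```properties
# --- Option A: the setup Sankalp describes. One client port; with
#     client.portUnification the same listener accepts both plaintext and
#     TLS connections. A client that silently falls back to plaintext still
#     connects, which is the "false sense of security" Mate refers to.
serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
clientPort=2181
client.portUnification=true

# --- Option B: what Mate describes. Two ports while clients are migrated,
#     TLS-only afterwards. Clients are moved one by one from 2181 to 2281;
#     a client that can connect to 2281 has necessarily completed a TLS
#     handshake, because that port speaks nothing else. Once every client
#     is on 2281, drop the clientPort line and the plaintext listener is gone.
#     (Commented out here so the file stays a single, consistent config.)
# serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
# clientPort=2181
# secureClientPort=2281

# --- TLS material, needed by either option.
#     Paths and passwords below are placeholders for this example.
ssl.keyStore.location=/etc/zookeeper/ssl/server.keystore.jks
ssl.keyStore.password=changeit
ssl.trustStore.location=/etc/zookeeper/ssl/server.truststore.jks
ssl.trustStore.password=changeit
# Require a client certificate, so that "connected over TLS" also means
# "authenticated" rather than just "encrypted".
ssl.clientAuth=need
```

With option B the debugging check Mate mentions is simple: a client that connects to port 2281 at all is using TLS, and `openssl s_client -connect <host>:2281` shows the certificate the server presents. With option A the same port number tells you nothing about which protocol a given client ended up negotiating.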
