> Should I also be worried about any performance impacts here in terms of
CPU/Runtime? Will my Plaintext requests be as fast as they are with a
vanilla Plaintext port? Would be helpful if someone can help me with some
documentation around this.

Using SSL vs. using an unsecured socket does have some performance impact for
sure. But I don't know about any documentation / measurements around this
specific question... I don't know if using non-SSL with or without port
unification makes any difference. I would say most probably not.
I see that the code path for socket / connection initialization is a bit
different for the two cases, but I wouldn't expect any real performance impact.
Only the connection initialization part should be affected; the performance
for the rest of the communication over the socket should be the same, I
assume.

This is the point in the code where the client socket handler gets defined
(either using or not using portUnification):
https://github.com/apache/zookeeper/blob/6ab1822ec431bb3309021c1ddc613a5eaa28d83b/zookeeper-server/src/main/java/org/apache/zookeeper/server/NettyServerCnxnFactory.java#L489

I have some performance measurements around SSL vs. insecure. They are not
exactly what you are asking for, but maybe they can be useful:
https://drive.google.com/drive/folders/1uG3JI6sXiuWJ15IjtUMGTJwNY_pP3yhZ?usp=sharing

Cheers,
Mate

On Mon, Jul 6, 2020 at 11:38 AM Sankalp Bhatia <sankalpbhati...@gmail.com>
wrote:

> Thanks Enrico and Mate for the valuable comments.
>
> Mate, regarding your point - *I don't consider the use of
> client.portUnification to be 'bad' or 'insecure' in itself*
>
> I agree. This is as bad as the case of having a plaintext and TLS port open
> at the same time in terms of security.
>
> Should I also be worried about any performance impacts here in terms of
> CPU/Runtime? Will my Plaintext requests be as fast as they are with a
> vanilla Plaintext port? Would be helpful if someone can help me with some
> documentation around this.
>
> Thanks
> -Sankalp
>
> On Sun, 5 Jul 2020 at 17:09, Enrico Olivelli <eolive...@gmail.com> wrote:
>
> > In my opinion you can use port unification during a rolling upgrade of
> > your ZK cluster, when you are moving your servers to TLS.
> >
> > Another case is that you have to connect to two different ZK clusters,
> > one with TLS and one with plain connections; some configurations are
> > system properties, so it is sometimes hard to implement this scenario.
> >
> > I have not used it, so I am just sharing a couple of ideas.
> >
> > The feature has been contributed by our Facebook friends; I hope that
> > someone from that crew can tell more.
> >
> > Regards
> > Enrico
> >
> > On Sun, 5 Jul 2020, 16:41 Szalay-Bekő Máté <szalay.beko.m...@gmail.com>
> > wrote:
> >
> > > Hi Sankalp,
> > >
> > > I think it really depends on your security policies. I don't consider
> > > the use of client.portUnification to be 'bad' or 'insecure' in itself.
> > > Especially if you can make sure in your cluster that all sensitive
> > > data is protected with ACLs and modified / listed using TLS.
> > >
> > > But still, the most secure is to use TLS-only connections. In our case
> > > we found it tricky to configure all the clients to connect to ZooKeeper
> > > using TLS, so we are following a step-by-step approach to migrate all
> > > our clients to TLS. But instead of using client.portUnification, we
> > > decided to maintain two separate ports in our configs. I don't exactly
> > > remember our reasoning, but e.g. for me it seems to be easier to debug
> > > connection issues. (So if the client is able to connect to the
> > > secure-only port, then you can make sure TLS is really used - and you
> > > don't have a false sense of security.)
> > >
> > > Cheers,
> > > Mate
> > >
> > > On Sun, Jul 5, 2020 at 2:35 PM Sankalp Bhatia <sankalpbhati...@gmail.com>
> > > wrote:
> > >
> > > > Hi Devs,
> > > >
> > > > Can someone share some insights on what is a good use case for the
> > > > feature *client.portUnification*? I have a use case where clients
> > > > would want both PLAINTEXT and TLS traffic to be served by the ZooKeeper
> > > > server, and I want to avoid exposing and managing 2 different
> > > > ZooKeeper ports. Is this a valid use case? Or is this feature only
> > > > supposed to be used for some rolling upgrades, like the one for quorum
> > > > port unification?
> > > >
> > > > Thanks in advance!
> > > >
> > > > -Sankalp
> > > >
> > >
> >
>
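Added example, not code from the thread or from the ZooKeeper project: the three zoo.cfg variants the thread contrasts (one unified port, a separate secureClientPort, TLS-only) emitted side by side, plus a probe that tells you what a given port actually accepts. This is the check behind Mate's point that a secure-only port gives you certainty about TLS while a unified port cannot. The keys used (clientPort, secureClientPort, client.portUnification, serverCnxnFactory, ssl.keyStore.*, ssl.trustStore.*, 4lw.commands.whitelist) are real ZooKeeper configuration keys; the host name, keystore paths and passwords are placeholders, and the plaintext probe assumes the server whitelists the ruok four-letter word so that it answers imok.

```shell
#!/bin/sh
# Added example (not the thread's or ZooKeeper's own code). Paths, passwords
# and host names are placeholders; 4lw.commands.whitelist=ruok is assumed so
# the plaintext probe gets an "imok" answer from a plaintext-capable port.

# TLS settings shared by all three variants (real zoo.cfg keys, placeholder values).
zk_tls_common() {
  cat <<'EOF'
serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
ssl.keyStore.location=/etc/zookeeper/ssl/server.p12
ssl.keyStore.password=changeit
ssl.trustStore.location=/etc/zookeeper/ssl/truststore.p12
ssl.trustStore.password=changeit
4lw.commands.whitelist=ruok
EOF
}

# zk_cfg unified  -> one port, TLS and plaintext both accepted (the feature under discussion)
# zk_cfg separate -> plaintext on 2181, TLS-only on 2281 (the two-port approach Mate describes)
# zk_cfg tlsonly  -> no plaintext port at all (the most secure option named in the thread)
zk_cfg() {
  zk_tls_common
  case "$1" in
    unified)  printf 'clientPort=2181\nclient.portUnification=true\n' ;;
    separate) printf 'clientPort=2181\nsecureClientPort=2281\n' ;;
    tlsonly)  printf 'secureClientPort=2281\n' ;;
    *) echo "usage: zk_cfg unified|separate|tlsonly" >&2; return 2 ;;
  esac
}

# Does host:port complete a TLS handshake? openssl s_client exits non-zero
# when the peer does not speak TLS at all (e.g. a plaintext-only port).
probe_tls() {
  openssl s_client -connect "$1:$2" </dev/null >/dev/null 2>&1
}

# Does host:port answer a plaintext four-letter word? "imok" means yes.
# A TLS-only port will not answer, because it expects a ClientHello.
probe_plain() {
  printf 'ruok' | nc -w 2 "$1" "$2" 2>/dev/null | grep -q imok
}

# Summarise what a port exposes: both, tls, plain or none.
port_exposure() {
  t=1; p=1
  probe_tls "$1" "$2" && t=0
  probe_plain "$1" "$2" && p=0
  case "$t$p" in
    00) echo both ;;
    01) echo tls ;;
    10) echo plain ;;
    *)  echo none ;;
  esac
}

# Usage against a running ensemble (placeholder host):
#   port_exposure zk1.example.internal 2181
# A unified port reports "both", so a client reaching it proves nothing
# about whether that client negotiated TLS; a secureClientPort reports
# "tls", which is the property a secure-only port gives you.
```

To drive a client over TLS for the probe from the ZooKeeper side rather than openssl, the usual JVM properties are -Dzookeeper.client.secure=true and -Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty plus the zookeeper.ssl.keyStore.* and zookeeper.ssl.trustStore.* properties; run port_exposure against every advertised port after a rolling change so that a plaintext listener does not survive the migration unnoticed.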
