Thanks Mate for pointing the code out. Exactly what I was looking for.

Although it doesn't look like it has any impact, I will try to do some perf
tests to verify.

Thanks,
Sankalp

On Mon, 6 Jul 2020 at 15:55, Szalay-Bekő Máté <szalay.beko.m...@gmail.com>
wrote:

> > Should I also be worried about any performance impacts here in terms of
> > CPU/Runtime? Will my Plaintext requests be as fast as they are with a
> > vanilla Plaintext port? Would be helpful if someone can help me with some
> > documentation around this.
>
> Using SSL vs using unsecure socket does have some performance impact for
> sure. But I don't know about any documentation / measurement around this
> specific question... I don't know if using non-SSL with or without port
> unification makes any difference. I would say most probably not.
> I see that the code path for socket / connection initialization is a bit
> different for the two cases. But I wouldn't expect real performance impact.
> Only the connection initialization part should be impacted, the performance
> for the rest of the communication over the socket should be the same, I
> assume.
>
> This is the point in the code where the client socket handler gets defined
> (either using or not using portUnification):
>
> https://github.com/apache/zookeeper/blob/6ab1822ec431bb3309021c1ddc613a5eaa28d83b/zookeeper-server/src/main/java/org/apache/zookeeper/server/NettyServerCnxnFactory.java#L489
>
> I have some performance measures around SSL vs. unsecure. It is not exactly
> what you are asking for, but maybe can be useful:
>
> https://drive.google.com/drive/folders/1uG3JI6sXiuWJ15IjtUMGTJwNY_pP3yhZ?usp=sharing
>
> Cheers,
> Mate
>
> On Mon, Jul 6, 2020 at 11:38 AM Sankalp Bhatia <sankalpbhati...@gmail.com>
> wrote:
>
> > Thanks Enrico and Mate for the valuable comments.
> >
> > Mate, regarding your point- *I don't consider the use of
> > client.portUnification to be 'bad' or 'unsecure' in itself*
> >
> > I agree. This is as bad as the case of having a plaintext and TLS port
> > open at the same time in terms of security.
> >
> > Should I also be worried about any performance impacts here in terms of
> > CPU/Runtime? Will my Plaintext requests be as fast as they are with a
> > vanilla Plaintext port? Would be helpful if someone can help me with some
> > documentation around this.
> >
> > Thanks
> > -Sankalp
> >
> > On Sun, 5 Jul 2020 at 17:09, Enrico Olivelli <eolive...@gmail.com> wrote:
> >
> > > In my opinion you can use port unification during a rolling upgrade of
> > > your ZK cluster and you are moving your servers to TLS.
> > >
> > > Another case is that you have to connect to two different ZK clusters,
> > > one with TLS and one with plain connections, some configurations are
> > > system properties so it is hard sometimes to implement this scenario.
> > >
> > > I have not used it, so I am just sharing a couple of ideas.
> > >
> > > The feature has been contributed by our Facebook friends, I hope that
> > > someone from that crew can tell more
> > >
> > > Regards
> > > Enrico
> > >
> > > On Sun, 5 Jul 2020, 16:41 Szalay-Bekő Máté <szalay.beko.m...@gmail.com> wrote:
> > >
> > > > Hi Sankalp,
> > > >
> > > > I think it really depends on your security policies. I don't consider
> > > > the use of client.portUnification to be 'bad' or 'unsecure' in itself.
> > > > Especially, if you can make sure in your cluster that all sensitive
> > > > data is protected with ACLs and modified / listed using TLS.
> > > >
> > > > But still the most secure is to use TLS-only connections. In our case
> > > > we found it tricky to configure all the clients to connect to ZooKeeper
> > > > using TLS, so we are following a step-by-step approach to migrate all
> > > > our clients to TLS. But instead of using client.portUnification, we
> > > > decided to maintain two separate ports in our configs. I don't exactly
> > > > remember our reasoning, but e.g. for me it seems to be easier to debug
> > > > connection issues. (so if the client is able to connect to the
> > > > secure-only port, then you can make sure TLS is really used - and you
> > > > don't have a false sense of security)
> > > >
> > > > Cheers,
> > > > Mate
> > > >
> > > > On Sun, Jul 5, 2020 at 2:35 PM Sankalp Bhatia <sankalpbhati...@gmail.com> wrote:
> > > >
> > > > > Hi Devs,
> > > > >
> > > > > Can someone share some insights on what is a good use case for the
> > > > > feature *client.portUnification*? I have a use case where clients
> > > > > would want both PLAINTEXT and TLS traffic to be served by ZooKeeper
> > > > > server and I want to avoid exposing and managing 2 different
> > > > > zookeeper ports. Is this a valid use case? or is this feature only
> > > > > supposed to be used for some rolling upgrades like the one for
> > > > > quorum port unification?
> > > > >
> > > > > Thanks in advance!
> > > > >
> > > > > -Sankalp
> > > > >
> > > >
> > >
> >
>
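
As an added illustration for the thread above (not code from the ZooKeeper project or from any of the posters): a listener that serves plaintext and TLS on one port has to decide per connection from the first bytes the client sends, and the same check lets an operator count which clients still arrive in plaintext on a unified port. The function names, addresses and byte strings are constructed for this example, and the 5-byte TLS record header test is the general technique, assumed here rather than taken from ZooKeeper's implementation.

```python
# Added example: classify the first bytes a client sends to a dual-mode port.
# All sample addresses and byte strings below are constructed for illustration.
import struct
from collections import Counter

TLS_HANDSHAKE = 0x16            # TLS record content type "handshake"
MAX_RECORD_LEN = 2**14 + 2048   # upper bound on a TLS record's length field


def classify_first_bytes(data: bytes) -> str:
    """Return 'tls', 'plaintext' or 'undecided' for a connection's first bytes."""
    if len(data) < 5:
        return "undecided"      # a TLS record header is 5 bytes; need more data
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    looks_like_tls = (
        ctype == TLS_HANDSHAKE
        and major == 3 and minor <= 4
        and 0 < length <= MAX_RECORD_LEN
    )
    return "tls" if looks_like_tls else "plaintext"


def audit(connections: dict) -> dict:
    """Classify each client and count how many fall into each class."""
    verdicts = {peer: classify_first_bytes(first)
                for peer, first in connections.items()}
    return {"verdicts": verdicts, "counts": dict(Counter(verdicts.values()))}


# Constructed samples: client address -> first bytes seen on the unified port.
SAMPLES = {
    "10.0.0.11:50122": bytes.fromhex("16030102000100"),    # TLS ClientHello record
    "10.0.0.12:50388": bytes.fromhex("0000002d00000000"),  # length-prefixed request
    "10.0.0.13:50401": b"ruok",                            # 4 bytes: too short
    "10.0.0.14:50410": b"srvr\n",                          # plaintext command
}

if __name__ == "__main__":
    report = audit(SAMPLES)
    for peer, verdict in report["verdicts"].items():
        print(f"{peer:18} {verdict}")
    print(report["counts"])
```

A non-zero plaintext count on a port that is supposed to be mid-migration to TLS shows which clients still need reconfiguring before the port can be made TLS-only.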
