[ https://issues.apache.org/jira/browse/BOOKKEEPER-588?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13696906#comment-13696906 ]

Ivan Kelly commented on BOOKKEEPER-588:
---------------------------------------

{quote}I don't think mixing SSL protocol with bookie protocol is a good 
idea.{quote}
It's not mixing the protocol any more than having authentication mixes the 
protocol. This adds to the argument for using protobufs[1], as you can have 
the protobuf decoder decode the data, and then a netty handler for the 
startTLS/auth messages, separate from the BookieRequestHandler. I didn't do 
this in my ssl branch as we didn't have netty when I did it (I've just noticed 
I never posted that branch here 
[https://github.com/ivankelly/bookkeeper/tree/ssl]), but it's quite easy to do.

StartTLS is pretty standard practice; SMTP, IMAP, POP, LDAP and XMPP all use 
it. And given the ID issue we have with using a new port, I think it's wise to 
use it for our case also.

{quote}A bookie should listen on different ports for SSL and non-SSL 
connections, as Hedwig does. When a bookie has SSL support, it registers 
itself as 'bookiehost:port:sslPort', so an old client could connect to a new 
bookie, while a new client could still connect to an old bookie with the 
non-SSL port. It is easy to do backward compatibility without taking the 
cluster down for the SSL upgrade.{quote}
And if a bookie has been non-SSL only in the past? Does its ID change? If so, 
what happens when a client tries to read a ledger which was on that bookie? 
Changing the ID format means either throwing away the old bookie, or putting 
special conversion code all over the place. I think this is a very high price 
to pay when we have StartTLS available to us to solve the problem seamlessly.

[1] this doesn't have to be protobufs necessarily, but it should be something 
that separates decoding from handling.
                
> SSL support
> -----------
>
>                 Key: BOOKKEEPER-588
>                 URL: https://issues.apache.org/jira/browse/BOOKKEEPER-588
>             Project: Bookkeeper
>          Issue Type: Sub-task
>            Reporter: Ivan Kelly
>            Assignee: Ivan Kelly
>             Fix For: 4.3.0
>
>         Attachments: 0004-BOOKKEEPER-588-SSL-support-for-bookkeeper.patch
>
>
> SSL support using startTLS

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
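
The handler layout the comment describes (a decoder, then a handler for the startTLS message, kept apart from the request handler), as an added example that is not code from the message or from the linked ssl branch. It assumes the Netty 4 API; the three message classes, the `requireTls` flag and the handler names are hypothetical.

```java
import io.netty.channel.*;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslHandler;
import io.netty.util.ReferenceCountUtil;

// Hypothetical decoded control messages; the real wire format is not shown on this page.
final class StartTlsRequest {}
final class StartTlsResponse {}
final class TlsRequiredError {}

/** Handles only the StartTLS control message; request handling stays in its own handler. */
final class StartTlsHandler extends ChannelInboundHandlerAdapter {
    private final SslContext serverCtx;  // server-side context, built elsewhere
    private final boolean requireTls;    // assumed deployment policy flag
    private boolean upgraded;

    StartTlsHandler(SslContext serverCtx, boolean requireTls) {
        this.serverCtx = serverCtx;
        this.requireTls = requireTls;
    }

    @Override
    public void channelRead(ChannelHandlerContext ctx, Object msg) {
        if (msg instanceof StartTlsRequest) {
            if (upgraded) { ctx.close(); return; }  // a second upgrade is a protocol error
            upgraded = true;
            // startTls=true: the first write (the response below) leaves in plaintext and
            // everything after it is encrypted. The client must wait for that response
            // before sending its ClientHello, so no TLS bytes reach the frame decoder raw.
            ctx.pipeline().addFirst("ssl", new SslHandler(serverCtx.newEngine(ctx.alloc()), true));
            ctx.writeAndFlush(new StartTlsResponse());
        } else if (requireTls && !upgraded) {
            // Refuse plaintext requests instead of silently serving them.
            ReferenceCountUtil.release(msg);
            ctx.writeAndFlush(new TlsRequiredError()).addListener(ChannelFutureListener.CLOSE);
        } else {
            ctx.fireChannelRead(msg);  // hand everything else to the request handler
        }
    }

    /** Same listening port for both modes, so the bookie's registered ID is unchanged. */
    static void install(ChannelPipeline p, ChannelHandler frameDecoder, ChannelHandler frameEncoder,
                        ChannelHandler requestHandler, SslContext serverCtx, boolean requireTls) {
        p.addLast("decoder", frameDecoder);   // bytes -> message objects
        p.addLast("encoder", frameEncoder);   // message objects -> bytes
        p.addLast("starttls", new StartTlsHandler(serverCtx, requireTls));
        p.addLast("requests", requestHandler);
    }
}
```

With `requireTls` set to false, old clients that never send the startTLS message keep working on the same port; a client that expects TLS should treat a missing or negative response as a failure and not continue in plaintext.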
