The test environment should be set up to support both SASL RPC with QoP of
"privacy" ("auth-conf") and TLS RPC. I believe we are going to want to see
most of all the differences between operation with SASL RPC and TLS RPC.
These options both provide authentication and encryption. You'll probably
also want to bench on Java 11 to capture the typical user experience.The top consideration is going to be stability: For all the testers out there, what is the difference in error rates between SASL and TLS? Is there any difference? A related concern would be communication issues in abnormal conditions. Should manifest as inability to recover from the usual chaos test, i.e. IntegrationTestBigLinkedList with slowDeterministic and/or serverKilling policy. The runner up is performance. For all the testers out there, if it would be possible to share high level throughput and latency measures and their differences, that would be great. More detail in depth would be helpful too, such as per operation breakdown, if you have the numbers, but that is not critical. My personal expectation is TLS RPC will perform better as TLS has the benefit of modern investment. On Mon, Oct 3, 2022 at 11:43 AM Andor Molnar <[email protected]> wrote: > Hi Bryan, > > We (Cloudera) also planning to start deploying TLS-based clusters to > production in early November. We'll do feature validation and perf > benchmarks from our private fork in October. > > Regards, > Andor > > > > On Mon, 2022-10-03 at 13:58 -0400, Bryan Beaudreault wrote: > > Hi all, > > > > The core work for TLS in the HBase RPC is mostly complete. With > > what's been > > committed so far, one can connect end-to-end with TLS between > > client/server > > and server/server. By default, we also enable mTLS (clients and > > servers > > validate the certificate and hostname at handshake). > > > > Here is a list of all TLS related work so far (finished and > > remaining): > > > https://issues.apache.org/jira/browse/HBASE-26666?jql=project%20%3D%20HBASE%20AND%20labels%20%3D%20tls > > > > As we now have the basic functionality done, I wanted to discuss what > > the > > release criteria should be. We had originally discussed releasing > > this in > > 2.6.0, which Andrew proposed tentatively planning for mid-December. > > > > Beyond the code being well tested with unit tests, I've also deployed > > this > > end-to-end in a basic test cluster in my company's environment. I > > deployed > > it to an existing cluster in a rolling fashion based on the steps > > described > > in Andor's documentation [1]. I will be out most of October, but when > > I > > return in November I hope to start deploying this on some production > > clusters after backporting to our main fork. > > > > What else would people like to see before including in a release, and > > would > > anyone be willing to give some testing a try themselves? > > -- Best regards, Andrew Unrest, ignorance distilled, nihilistic imbeciles - It's what we’ve earned Welcome, apocalypse, what’s taken you so long? Bring us the fitting end that we’ve been counting on - A23, Welcome, Apocalypse
