Thanks Andrew. I can probably provide some performance numbers for the
following:
1. Comparing no protection vs native TLS. We would expect a regression, and
might be able to compare that regression to what is known about SASL.
2. Comparing native TLS to my company's setup which uses haproxy as a proxy
between client/server for SSL termination. This may not be interesting
to everyone, but I will be doing it anyway so I could provide it.
I can similarly try running ITBLL against TLS and no protection. We aren't
set up for that in-house (especially expect issues getting the killers to
work), but can try.
We run java 11 exclusively on the server side, and a mix of java 11 and 17
on the client side.
I do not have access to a SASL setup, and part of the point here is that
SASL is so complicated to setup that TLS is an attractive alternative. I
don't think I'll be able to provide a baseline for that, but maybe
someone else can? In terms of that requirement, I think if TLS is
considered performant and reliable enough, one could decide which to use
based on how they want to setup their environment. Both are off by default,
so it's a decision for them to evaluate based on the needs and existing
ecosystem they're working in.
I won't be doing any of this until November, and will be juggling a few
other things at that time. Hopefully I should have something mid-november.
On Wed, Oct 5, 2022 at 9:00 PM Andrew Purtell <apurt...@apache.org> wrote:
> The test environment should be set up to support both SASL RPC with QoP of
> "privacy" ("auth-conf") and TLS RPC. I believe we are going to want to see
> most of all the differences between operation with SASL RPC and TLS RPC.
> These options both provide authentication and encryption. You'll probably
> also want to bench on Java 11 to capture the typical user experience.
>
> The top consideration is going to be stability: For all the testers out
> there, what is the difference in error rates between SASL and TLS? Is there
> any difference? A related concern would be communication issues in abnormal
> conditions. Should manifest as inability to recover from the usual chaos
> test, i.e. IntegrationTestBigLinkedList with slowDeterministic and/or
> serverKilling policy.
>
> The runner up is performance. For all the testers out there, if it would be
> possible to share high level throughput and latency measures and their
> differences, that would be great. More detail in depth would be helpful
> too, such as per operation breakdown, if you have the numbers, but that is
> not critical. My personal expectation is TLS RPC will perform better as TLS
> has the benefit of modern investment.
>
> On Mon, Oct 3, 2022 at 11:43 AM Andor Molnar <an...@apache.org> wrote:
>
> > Hi Bryan,
> >
> > We (Cloudera) also planning to start deploying TLS-based clusters to
> > production in early November. We'll do feature validation and perf
> > benchmarks from our private fork in October.
> >
> > Regards,
> > Andor
> >
> >
> >
> > On Mon, 2022-10-03 at 13:58 -0400, Bryan Beaudreault wrote:
> > > Hi all,
> > >
> > > The core work for TLS in the HBase RPC is mostly complete. With
> > > what's been
> > > committed so far, one can connect end-to-end with TLS between
> > > client/server
> > > and server/server. By default, we also enable mTLS (clients and
> > > servers
> > > validate the certificate and hostname at handshake).
> > >
> > > Here is a list of all TLS related work so far (finished and
> > > remaining):
> > >
> >
> https://issues.apache.org/jira/browse/HBASE-26666?jql=project%20%3D%20HBASE%20AND%20labels%20%3D%20tls
> <https://issues.apache.org/jira/browse/HBASE-26666?jql=project%20%3D%20HBASE%20AND%20labels%20%3D%20tls>
> > >
> > > As we now have the basic functionality done, I wanted to discuss what
> > > the
> > > release criteria should be. We had originally discussed releasing
> > > this in
> > > 2.6.0, which Andrew proposed tentatively planning for mid-December.
> > >
> > > Beyond the code being well tested with unit tests, I've also deployed
> > > this
> > > end-to-end in a basic test cluster in my company's environment. I
> > > deployed
> > > it to an existing cluster in a rolling fashion based on the steps
> > > described
> > > in Andor's documentation [1]. I will be out most of October, but when
> > > I
> > > return in November I hope to start deploying this on some production
> > > clusters after backporting to our main fork.
> > >
> > > What else would people like to see before including in a release, and
> > > would
> > > anyone be willing to give some testing a try themselves?
> >
> >
>
> --
> Best regards,
> Andrew
>
> Unrest, ignorance distilled, nihilistic imbeciles -
> It's what we’ve earned
> Welcome, apocalypse, what’s taken you so long?
> Bring us the fitting end that we’ve been counting on
> - A23, Welcome, Apocalypse
>
