I can certainly contribute SASL vs TLS comparison as microbenchmarks and
single system chaos testing. I have a VM image set up with Kerberos and
related services to provide repeatable results, something I did recently
for HBASE-27097.
We also have in house tooling to deploy into k8s pods in a secure
configuration that provides the SASL QoP I'd be looking for, so perhaps I
can borrow some team bandwidth to try out an open source RC, but can't
commit to that one.
On Thu, Oct 6, 2022 at 4:39 AM Bryan Beaudreault
<bbeaudrea...@hubspot.com.invalid> wrote:
> Thanks Andrew. I can probably provide some performance numbers for the
> following:
>
> 1. Comparing no protection vs native TLS. We would expect a regression, and
> might be able to compare that regression to what is known about SASL.
> 2. Comparing native TLS to my company's setup which uses haproxy as a proxy
> between client/server for SSL termination. This may not be interesting
> to everyone, but I will be doing it anyway so I could provide it.
>
> I can similarly try running ITBLL against TLS and no protection. We aren't
> set up for that in-house (especially expect issues getting the killers to
> work), but can try.
>
> We run java 11 exclusively on the server side, and a mix of java 11 and 17
> on the client side.
>
> I do not have access to a SASL setup, and part of the point here is that
> SASL is so complicated to setup that TLS is an attractive alternative. I
> don't think I'll be able to provide a baseline for that, but maybe
> someone else can? In terms of that requirement, I think if TLS is
> considered performant and reliable enough, one could decide which to use
> based on how they want to setup their environment. Both are off by default,
> so it's a decision for them to evaluate based on the needs and existing
> ecosystem they're working in.
>
> I won't be doing any of this until November, and will be juggling a few
> other things at that time. Hopefully I should have something mid-november.
>
> On Wed, Oct 5, 2022 at 9:00 PM Andrew Purtell <apurt...@apache.org> wrote:
>
> > The test environment should be set up to support both SASL RPC with QoP
> of
> > "privacy" ("auth-conf") and TLS RPC. I believe we are going to want to
> see
> > most of all the differences between operation with SASL RPC and TLS RPC.
> > These options both provide authentication and encryption. You'll probably
> > also want to bench on Java 11 to capture the typical user experience.
> >
> > The top consideration is going to be stability: For all the testers out
> > there, what is the difference in error rates between SASL and TLS? Is
> there
> > any difference? A related concern would be communication issues in
> abnormal
> > conditions. Should manifest as inability to recover from the usual chaos
> > test, i.e. IntegrationTestBigLinkedList with slowDeterministic and/or
> > serverKilling policy.
> >
> > The runner up is performance. For all the testers out there, if it would
> be
> > possible to share high level throughput and latency measures and their
> > differences, that would be great. More detail in depth would be helpful
> > too, such as per operation breakdown, if you have the numbers, but that
> is
> > not critical. My personal expectation is TLS RPC will perform better as
> TLS
> > has the benefit of modern investment.
> >
> > On Mon, Oct 3, 2022 at 11:43 AM Andor Molnar <an...@apache.org> wrote:
> >
> > > Hi Bryan,
> > >
> > > We (Cloudera) also planning to start deploying TLS-based clusters to
> > > production in early November. We'll do feature validation and perf
> > > benchmarks from our private fork in October.
> > >
> > > Regards,
> > > Andor
> > >
> > >
> > >
> > > On Mon, 2022-10-03 at 13:58 -0400, Bryan Beaudreault wrote:
> > > > Hi all,
> > > >
> > > > The core work for TLS in the HBase RPC is mostly complete. With
> > > > what's been
> > > > committed so far, one can connect end-to-end with TLS between
> > > > client/server
> > > > and server/server. By default, we also enable mTLS (clients and
> > > > servers
> > > > validate the certificate and hostname at handshake).
> > > >
> > > > Here is a list of all TLS related work so far (finished and
> > > > remaining):
> > > >
> > >
> >
> https://issues.apache.org/jira/browse/HBASE-26666?jql=project%20%3D%20HBASE%20AND%20labels%20%3D%20tls
> > <
> https://issues.apache.org/jira/browse/HBASE-26666?jql=project%20%3D%20HBASE%20AND%20labels%20%3D%20tls
> >
> > > >
> > > > As we now have the basic functionality done, I wanted to discuss what
> > > > the
> > > > release criteria should be. We had originally discussed releasing
> > > > this in
> > > > 2.6.0, which Andrew proposed tentatively planning for mid-December.
> > > >
> > > > Beyond the code being well tested with unit tests, I've also deployed
> > > > this
> > > > end-to-end in a basic test cluster in my company's environment. I
> > > > deployed
> > > > it to an existing cluster in a rolling fashion based on the steps
> > > > described
> > > > in Andor's documentation [1]. I will be out most of October, but when
> > > > I
> > > > return in November I hope to start deploying this on some production
> > > > clusters after backporting to our main fork.
> > > >
> > > > What else would people like to see before including in a release, and
> > > > would
> > > > anyone be willing to give some testing a try themselves?
> > >
> > >
> >
> > --
> > Best regards,
> > Andrew
> >
> > Unrest, ignorance distilled, nihilistic imbeciles -
> > It's what we’ve earned
> > Welcome, apocalypse, what’s taken you so long?
> > Bring us the fitting end that we’ve been counting on
> > - A23, Welcome, Apocalypse
> >
>
--
Best regards,
Andrew
Unrest, ignorance distilled, nihilistic imbeciles -
It's what we’ve earned
Welcome, apocalypse, what’s taken you so long?
Bring us the fitting end that we’ve been counting on
- A23, Welcome, Apocalypse
