In my opinion you can use port unification during a rolling upgrade of your
ZK cluster while you are moving your servers to TLS.

Another case is that you have to connect to two different ZK clusters, one
with TLS and one with plain connections. Some configurations are system
properties, so it is sometimes hard to implement this scenario.

I have not used it, so I am just sharing a couple of ideas.

The feature has been contributed by our Facebook friends. I hope that
someone from that crew can tell more.

Regards
Enrico

On Sun, Jul 5, 2020, 16:41 Szalay-Bekő Máté <szalay.beko.m...@gmail.com>
wrote:

> Hi Sankalp,
>
> I think it really depends on your security policies. I don't consider the
> use of client.portUnification to be 'bad' or 'unsecure' in itself.
> Especially, if you can make sure in your cluster that all sensitive data is
> protected with ACLs and modified / listed using TLS.
>
> But still the most secure is to use TLS-only connections. In our case we
> found it tricky to configure all the clients to connect to ZooKeeper using
> TLS, so we are following a step-by-step approach to migrate all our clients
> to TLS. But instead of using client.portUnification, we decided to maintain
> two separate ports in our configs. I don't exactly remember our reasoning,
> but e.g. for me it seems to be easier to debug connection issues (so if the
> client is able to connect to the secure-only port, then you can make sure
> TLS is really used - and you don't have a false sense of security).
>
> Cheers,
> Mate
>
> On Sun, Jul 5, 2020 at 2:35 PM Sankalp Bhatia <sankalpbhati...@gmail.com>
> wrote:
>
> > Hi Devs,
> >
> > Can someone share some insights on what is a good use case for the feature
> > *client.portUnification*? I have a use case where clients would want both
> > PLAINTEXT and TLS traffic to be served by ZooKeeper server and I want to
> > avoid exposing and managing 2 different zookeeper ports. Is this a valid
> > use case? Or is this feature only supposed to be used for some rolling
> > upgrades like the one for quorum port unification?
> >
> > Thanks in advance!
> >
> > -Sankalp
> >
>
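
The debugging point raised in the thread (knowing whether a given port really enforces TLS) can be checked from the outside. The following is an added example, not code from the thread or from the ZooKeeper project: it reports whether a port you operate answers plaintext, TLS, or both. The function names are hypothetical, and it assumes the `srvr` four-letter command is enabled on the server.

```python
import socket
import ssl
import sys


def _exchange(host, port, payload, want, timeout):
    """Send payload and return up to `want` reply bytes (b"" on socket errors)."""
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(payload)
            while len(data) < want:
                chunk = s.recv(want - len(data))
                if not chunk:
                    break
                data += chunk
    except OSError:  # refused, reset or timed out: keep whatever arrived
        pass
    return data


def answers_plaintext(host, port, timeout=3.0):
    # Assumption: "srvr" is enabled; its reply starts with "Zookeeper version".
    return b"Zookeeper version" in _exchange(host, port, b"srvr", 256, timeout)


def speaks_tls(host, port, timeout=3.0):
    # Build a real ClientHello in memory, send it, and inspect only the first
    # record header of the reply, so no certificate or client auth is needed.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # the handshake is never completed here
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    try:
        ctx.wrap_bio(incoming, outgoing).do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the ClientHello is now waiting in `outgoing`
    head = _exchange(host, port, outgoing.read(), 5, timeout)
    # 0x16 = handshake record, 0x15 = alert record, 0x03 = TLS major version
    return len(head) == 5 and head[0] in (0x15, 0x16) and head[1] == 0x03


def classify_port(host, port, timeout=3.0):
    plain = answers_plaintext(host, port, timeout)
    tls = speaks_tls(host, port, timeout)
    if plain and tls:
        return "unified"
    if tls:
        return "tls-only"
    return "plaintext-only" if plain else "no-answer"


if __name__ == "__main__" and len(sys.argv) == 3:
    print(classify_port(sys.argv[1], int(sys.argv[2])))
```

A port meant to be secure-only should come back as `tls-only`; `unified` means plaintext clients are still being served on it.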
