Thanks Enrico and Mate for the valuable comments. Mate, regarding your point - *I don't consider the use of client.portUnification to be 'bad' or 'unsecure' in itself*

I agree. This is as bad as the case of having a plaintext and TLS port open at the same time in terms of security. Should I also be worried about any performance impacts here in terms of CPU/runtime? Will my plaintext requests be as fast as they are with a vanilla plaintext port? It would be helpful if someone can help me with some documentation around this.

Thanks
-Sankalp

On Sun, 5 Jul 2020 at 17:09, Enrico Olivelli <[email protected]> wrote:

> In my opinion you can use port unification during a rolling upgrade of your ZK cluster and you are moving your servers to TLS.
>
> Another case is that you have to connect to two different ZK clusters, one with TLS and one with plain connections; some configurations are system properties, so it is hard sometimes to implement this scenario.
>
> I have not used it, so I am just sharing a couple of ideas.
>
> The feature has been contributed by our Facebook friends, I hope that someone from that crew can tell more.
>
> Regards
> Enrico
>
> On Sun, 5 Jul 2020, 16:41 Szalay-Bekő Máté <[email protected]> wrote:
>
> > Hi Sankalp,
> >
> > I think it really depends on your security policies. I don't consider the use of client.portUnification to be 'bad' or 'unsecure' in itself. Especially, if you can make sure in your cluster that all sensitive data is protected with ACLs and modified / listed using TLS.
> >
> > But still the most secure is to use TLS-only connections. In our case we found it tricky to configure all the clients to connect to ZooKeeper using TLS, so we are following a step-by-step approach to migrate all our clients to TLS. But instead of using client.portUnification, we decided to maintain two separate ports in our configs. I don't exactly remember our reasoning, but e.g. for me it seems to be easier to debug connection issues. (So if the client is able to connect to the secure-only port, then you can make sure TLS is really used - and you don't have a false sense of security.)
> >
> > Cheers,
> > Mate
> >
> > On Sun, Jul 5, 2020 at 2:35 PM Sankalp Bhatia <[email protected]> wrote:
> >
> > > Hi Devs,
> > >
> > > Can someone share some insights on what is a good use case for the feature *client.portUnification*? I have a use case where clients would want both PLAINTEXT and TLS traffic to be served by ZooKeeper server and I want to avoid exposing and managing 2 different zookeeper ports. Is this a valid use case, or is this feature only supposed to be used for some rolling upgrades like the one for quorum port unification?
> > >
> > > Thanks in advance!
> > >
> > > -Sankalp
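Mate's point that being able to connect to a secure-only port proves TLS is really in use can be turned into a small check. The script below is an added example written for this thread, not ZooKeeper project code: it probes one client port with a TLS handshake and with a plaintext `ruok` four-letter word and reports whether the port is TLS-only, plaintext-only, or unified (both accepted, which is what `client.portUnification=true` produces). It assumes `ruok` is allowed by the server's `4lw.commands.whitelist`; the bundled demo server is a constructed stand-in for a plaintext-only port, not a real ZooKeeper.

```python
import socket
import ssl
import threading
def speaks_tls(host, port, timeout=3.0):
    """True if the port answers a TLS ClientHello with a TLS handshake of its own."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ssl.create_default_context().wrap_socket(raw, server_hostname=host):
                return True
    except ssl.SSLCertVerificationError:
        return True  # a chain was presented, so TLS is spoken; trust is a separate check
    except (OSError, ssl.SSLError):
        return False

def answers_plaintext_4lw(host, port, timeout=3.0):
    """True if a plaintext 'ruok' four-letter word gets ZooKeeper's 'imok' reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"ruok")
            reply = s.recv(64)
    except OSError:
        return False
    return reply.startswith(b"imok")

def classify_port(host, port, timeout=3.0):
    """'tls-only', 'plaintext-only', 'unified' or 'unknown' for one ZooKeeper client port."""
    tls = speaks_tls(host, port, timeout)
    plain = answers_plaintext_4lw(host, port, timeout)
    if tls and plain:
        return "unified"  # looks like client.portUnification=true: TLS is optional here
    if tls:
        return "tls-only"  # a secure-only port: connecting at all proves TLS is used
    if plain:
        return "plaintext-only"
    return "unknown"  # closed, filtered, or 'ruok' missing from 4lw.commands.whitelist

def start_demo_plaintext_server():
    """Constructed stand-in for a plaintext-only port: answers 'ruok' with 'imok', drops the rest."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen()
    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:  # a TLS ClientHello is not 'ruok', so the handshake attempt is dropped
                if conn.recv(4) == b"ruok":
                    conn.sendall(b"imok")
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]
```

Against a real cluster, run `classify_port` on both the `clientPort` and the `secureClientPort`; the secure port should come back `tls-only`, and any `unified` result tells you a plaintext client can still connect there.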
