-
Notifications
You must be signed in to change notification settings - Fork 300
GIRAPH-1251: Add optional SSLHandler for all Netty Communication #150
Conversation
628570e
to
55013ce
Compare
Can you add a high-level description of how the authentication mechanism works and also how this was tested? |
/** SSLConfigReader class - optional */ | ||
ClassConfOption<SSLConfigReader> SSL_CONFIG_READER_CLASS = | ||
ClassConfOption.create("giraph.sslConfigReader", | ||
null, SSLConfigReader.class, | ||
"SSLConfigReader class - optional"); | ||
|
||
/** SSLEventHandler class - optional */ | ||
ClassConfOption<SSLEventHandler> SSL_EVENT_HANDLER_CLASS = | ||
ClassConfOption.create("giraph.sslEventHandler", | ||
null, SSLEventHandler.class, | ||
"SSLEventHandler class - optional"); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you describe in the documentation what these are?
import javax.net.ssl.SSLException; | ||
|
||
/** | ||
* Utility class for all SSL related functions |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: this doesn't look like the typical utility class
giraph-core/src/main/java/org/apache/giraph/comm/netty/NettySSLHandler.java
Show resolved
Hide resolved
extends ImmutableClassesGiraphConfigurable | ||
{ | ||
/** | ||
* Read certificate authority Path from Env variable |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Regarding the naming of the methods, is the assumption that everything is is going to be read from environment variables? If not, maybe choose different naming?
* @param client whether it is the client or server involved | ||
* @param sslHandler the SslHandler | ||
*/ | ||
void handleOnSslHandshakeComplete(boolean client, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: name the boolean isClient
?
* @param keyPath key file path | ||
*/ | ||
public SslConfig( | ||
boolean client, VerifyMode verifyMode, String caPath, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
nit: name isClient
?
this.caPath = CA_PATH.get(conf); | ||
|
||
if (sslConfigReader != null) { | ||
String envVarTlsCAPath = sslConfigReader.readCAPathFromEnv(); | ||
if (envVarTlsCAPath != null) { | ||
this.caPath = envVarTlsCAPath; | ||
} | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What is the reason for having both a Giraph option for the path and a Giraph option for the SslConfigReader class?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Removed this logic
if (!future.isSuccess()) { | ||
throw new SSLException("SSL Handshake failure", future.cause()); | ||
} | ||
if (sslEventHandler != null) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why would we create a NettySSLHandler, if this is not defined?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Its not necessary to have sslEventHandler (onSslHandshakeComplete) event defined. Its required for facebook use case where we need to do custom authn and authz. If you want the default behavior then do nothing on onSslHandshakeComplete. So sslEventHandler is null by default
f8a452d
to
8d715bb
Compare
In the summary you mean? |
5073094
to
675c7f1
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you add a high-level description of how the authentication mechanism works and also how this was tested?
In the summary you mean?
Yes, please add in the summary a description and also a summary of how this was tested. Please do run mvn clean verify
as well.
Also, can you comment here about the optimizations you have identified, for instance, you mentioned not creating the ssl config multiple times.
Also, have we checked whether performance is impacted? |
Performance will be impacted quite a bit. The testing of that is something planned for next half. For now we have to block the migration, |
I agree, but I still think we should have a couple of data points. As an
extreme, say this makes runtime 3x more. Would it be acceptable?
…On Fri, May 14, 2021 at 2:27 AM Atanu Ghosh ***@***.***> wrote:
Performance will be impacted quite a bit. The testing of that is something
planned for next half. For now we have to block the migration,
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#150 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAPZYOER7NBJQ5YQRMOU4EDTNTUJRANCNFSM43F6K5DA>
.
|
7a35d43
to
3f196b2
Compare
With this change its possible to encrypt all communication via Netty with SSL Handler. It also exposes function to add custom authn and authz checks on tls handshake complete. Once this flag is set, all Netty traffic will be ensured to be encrypted. Testing: - mvn clean verify passes. - When the sslEncrypt flag is off there were no changes to the existing workflow. - On enabling the flag (sslEncrypt) and having a custom SSL Event Handler, there was no performance hit. A standard set of tests were run with and without this flag in the same enviornment and the results showed -5% to 5% difference in total CPU time utilized by the jobs. This is within acceptable limits and is normal variance.
GIRAPH-1251: Add optional SSLHandler for all Netty Communication
With this change its possible to encrypt all communication via Netty
with SSL Handler. It also exposes function to add custom authn and
authz checks on tls handshake complete. Once this flag is set, all
Netty traffic will be ensured to be encrypted.
Testing:
SSL Event Handler, thhe performance was varied, on some test cases
there was an improvement in perf (+25%), while few others showed
~30+% degrade. Initial tests didnt give any strong indications
of severe performance degrade throghout.