GIRAPH-1251: Add optional SSLHandler for all Netty Communication #150
Conversation
atanu1991
force-pushed
the
netty
branch
4 times, most recently
from
628570e
to
55013ce
Compare
|
Can you add a high-level description of how the authentication mechanism works and also how this was tested? |
| /** SSLConfigReader class - optional */ | ||
| ClassConfOption<SSLConfigReader> SSL_CONFIG_READER_CLASS = | ||
| ClassConfOption.create("giraph.sslConfigReader", | ||
| null, SSLConfigReader.class, | ||
| "SSLConfigReader class - optional"); | ||
|
|
||
| /** SSLEventHandler class - optional */ | ||
| ClassConfOption<SSLEventHandler> SSL_EVENT_HANDLER_CLASS = | ||
| ClassConfOption.create("giraph.sslEventHandler", | ||
| null, SSLEventHandler.class, | ||
| "SSLEventHandler class - optional"); |
There was a problem hiding this comment.
Can you describe in the documentation what these are?
| import javax.net.ssl.SSLException; | ||
|
|
||
| /** | ||
| * Utility class for all SSL related functions |
There was a problem hiding this comment.
nit: this doesn't look like the typical utility class
giraph-core/src/main/java/org/apache/giraph/comm/netty/NettySSLHandler.java
Show resolved
Hide resolved
| extends ImmutableClassesGiraphConfigurable | ||
| { | ||
| /** | ||
| * Read certificate authority Path from Env variable |
There was a problem hiding this comment.
Regarding the naming of the methods, is the assumption that everything is is going to be read from environment variables? If not, maybe choose different naming?
| * @param client whether it is the client or server involved | ||
| * @param sslHandler the SslHandler | ||
| */ | ||
| void handleOnSslHandshakeComplete(boolean client, |
There was a problem hiding this comment.
nit: name the boolean isClient?
| * @param keyPath key file path | ||
| */ | ||
| public SslConfig( | ||
| boolean client, VerifyMode verifyMode, String caPath, |
| this.caPath = CA_PATH.get(conf); | ||
|
|
||
| if (sslConfigReader != null) { | ||
| String envVarTlsCAPath = sslConfigReader.readCAPathFromEnv(); | ||
| if (envVarTlsCAPath != null) { | ||
| this.caPath = envVarTlsCAPath; | ||
| } | ||
| } |
There was a problem hiding this comment.
What is the reason for having both a Giraph option for the path and a Giraph option for the SslConfigReader class?
There was a problem hiding this comment.
Removed this logic
| if (!future.isSuccess()) { | ||
| throw new SSLException("SSL Handshake failure", future.cause()); | ||
| } | ||
| if (sslEventHandler != null) { |
There was a problem hiding this comment.
Why would we create a NettySSLHandler, if this is not defined?
There was a problem hiding this comment.
Its not necessary to have sslEventHandler (onSslHandshakeComplete) event defined. Its required for facebook use case where we need to do custom authn and authz. If you want the default behavior then do nothing on onSslHandshakeComplete. So sslEventHandler is null by default
atanu1991
force-pushed
the
netty
branch
4 times, most recently
from
f8a452d
to
8d715bb
Compare
In the summary you mean? |
atanu1991
force-pushed
the
netty
branch
2 times, most recently
from
5073094
to
675c7f1
Compare
atanu1991
changed the title
There was a problem hiding this comment.
Can you add a high-level description of how the authentication mechanism works and also how this was tested?
In the summary you mean?
Yes, please add in the summary a description and also a summary of how this was tested. Please do run mvn clean verify as well.
Also, can you comment here about the optimizations you have identified, for instance, you mentioned not creating the ssl config multiple times.
|
Also, have we checked whether performance is impacted? |
|
Performance will be impacted quite a bit. The testing of that is something planned for next half. For now we have to block the migration, |
|
I agree, but I still think we should have a couple of data points. As an
extreme, say this makes runtime 3x more. Would it be acceptable?
…On Fri, May 14, 2021 at 2:27 AM Atanu Ghosh ***@***.***> wrote:
Performance will be impacted quite a bit. The testing of that is something
planned for next half. For now we have to block the migration,
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#150 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AAPZYOER7NBJQ5YQRMOU4EDTNTUJRANCNFSM43F6K5DA>
.
|
atanu1991
force-pushed
the
netty
branch
3 times, most recently
from
7a35d43
to
3f196b2
Compare
With this change its possible to encrypt all communication via Netty with SSL Handler. It also exposes function to add custom authn and authz checks on tls handshake complete. Once this flag is set, all Netty traffic will be ensured to be encrypted. Testing: - mvn clean verify passes. - When the sslEncrypt flag is off there were no changes to the existing workflow. - On enabling the flag (sslEncrypt) and having a custom SSL Event Handler, there was no performance hit. A standard set of tests were run with and without this flag in the same enviornment and the results showed -5% to 5% difference in total CPU time utilized by the jobs. This is within acceptable limits and is normal variance.
GIRAPH-1251: Add optional SSLHandler for all Netty Communication
With this change its possible to encrypt all communication via Netty
with SSL Handler. It also exposes function to add custom authn and
authz checks on tls handshake complete. Once this flag is set, all
Netty traffic will be ensured to be encrypted.
Testing:
SSL Event Handler, thhe performance was varied, on some test cases
there was an improvement in perf (+25%), while few others showed
~30+% degrade. Initial tests didnt give any strong indications
of severe performance degrade throghout.