Create SSL context in constructor of ChannelInitializer #3550
rerun java8 tests |
Great catch! 👍
run java8 tests |
@massakam There appears to be a legitimate test failure:
@merlimat With this modification, broker now loads a private key and certificates at startup. Therefore, if Initially, I modified So deleted setting of the ports to be used for TLS from |
Yes, new certificates will not be loaded until the broker is restarted. |
@rdhabalia Good point. Maybe we could either cache for some configurable time (eg: 1hour) or monitor the file for changes |
Yes, we can fix it with that alternative. I will make the change to fix it. 👍 |
https://github.com/apache/pulsar/pull/3568/files - this PR should do what
Rajan suggested.
…On Mon, Feb 11, 2019 at 10:00 AM Rajan Dhabalia ***@***.***> wrote:
Maybe we could either cache for some configurable time (eg: 1hour) or
monitor the file for changes
Yes, we can fix it with that alternative. I will make the change to fix
it. 👍
Motivation
To use TLS, it is necessary to read a private key and certificate files to create an SSL context. Currently, Pulsar reads these files every time a new TLS session is established.
pulsar/pulsar-broker/src/main/java/org/apache/pulsar/broker/service/PulsarChannelInitializer.java
Lines 51 to 67 in a62633b
Therefore, when many TLS sessions are started at the same time, the load on the broker increases exponentially. This becomes pronounced if the size of the trusted certificate file is large.
Modifications
Currently, an SSL context is created in the initChannel methods of subclasses of ChannelInitializer. Moving that process to the constructors eliminates the need to read the private key and certificates every time.
Verifying this change
This change is already covered by existing tests, such as TlsProducerConsumerTest.
Does this pull request potentially affect one of the following parts:
Documentation
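
The trade-off raised in this thread (build the SSL context once instead of per connection, yet still pick up replaced certificates by monitoring the files) is sketched below as an added example; it is not Pulsar's code and not the change made in #3568. `ReloadingSslContext`, its parameters and the `builder` callback (which the caller supplies to do the actual key and certificate loading) are hypothetical names.

```java
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileTime;
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.Callable;
import javax.net.ssl.SSLContext;

// Hypothetical holder (not a Pulsar class): builds once, rebuilds only when a watched file changes.
public final class ReloadingSslContext {
    private final List<Path> watched;            // key, certificate and trust files
    private final Callable<SSLContext> builder;  // the expensive file-reading step
    private final long checkIntervalNanos;       // minimum time between stat() rounds
    private List<FileTime> seen;
    private SSLContext current;
    private long lastCheck;
    public ReloadingSslContext(List<Path> watched, Callable<SSLContext> builder,
                               long checkIntervalMillis) throws Exception {
        this.watched = new ArrayList<>(watched);
        this.builder = builder;
        this.checkIntervalNanos = checkIntervalMillis * 1_000_000L;
        this.seen = mtimes();            // a missing file fails startup, not the first client
        this.current = builder.call();
        this.lastCheck = System.nanoTime();
    }
    // Cheap on the hot path: call this per connection instead of re-reading the files.
    public synchronized SSLContext get() {
        if (System.nanoTime() - lastCheck >= checkIntervalNanos) {
            lastCheck = System.nanoTime();
            try {
                List<FileTime> latest = mtimes();
                if (!latest.equals(seen)) {
                    current = builder.call();  // on failure 'seen' stays stale, so we retry
                    seen = latest;
                }
            } catch (Exception e) {
                // Half-written or invalid files: keep serving the last good context.
                System.err.println("TLS reload failed, keeping previous context: " + e);
            }
        }
        return current;
    }
    private List<FileTime> mtimes() throws java.io.IOException {
        List<FileTime> out = new ArrayList<>();
        for (Path p : watched) out.add(Files.getLastModifiedTime(p));
        return out;
    }
}
```

A failed rebuild leaves the previous context in place, so a bad certificate rotation degrades to serving the old certificate rather than refusing every new TLS connection.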