HBASE-27226 Document native TLS support in Netty RPC #4717
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
🎊 +1 overall
This message was automatically generated. |
|
🎊 +1 overall
This message was automatically generated. |
|
🎊 +1 overall
This message was automatically generated. |
|
|
||
| . Create the necessary key stores and trust stores for all server participants as described in the previous section. | ||
|
|
||
| . Enable secure communication on the Master node with `supportplaintext=True`. Restart the Master. |
There was a problem hiding this comment.
I actually think there needs to be more steps here, because the server side actually is impacted by both hbase.client.netty.tls.enabled AND hbase.server.netty.tls.enabled. If in this step you enable both, the HMaster will not be able to communicate with RegionServers (who will be enabled below). If you only enable server side, when you get to the "disable plaintext" step below you'll start to see failures because regionservers will be trying to communicate with the HMaster over plaintext.
So really the user needs to fully restart the cluster a few times:
- Enable
hbase.server.netty.tls.enabledonly, with supportPlaintext=true. Servers will accept TLS, but not send TLS.. - Additionally enable
hbase.client.netty.tls.enabledon servers, keeping supportPlaintext=true. Servers will now accept and send TLS. - Remove supportPlaintext=true. Servers will reject requests if not TLS.
Clients can be updated to use hbase.client.netty.tls.enabled either after step 1 or 2, but before 3.
There was a problem hiding this comment.
It is probably also worth calling out somewhere that once hbase.client.netty.tls.enabled is enabled on the server side, the cluster will only be able to communicate with other clusters which have TLS enabled. For example, this would impact intra-cluster replication.
There was a problem hiding this comment.
Is it possible to implement some fallback logic at client side?
There was a problem hiding this comment.
Theoretically at client side it is possible. In the NettyRpcConnection implementation, before the ssl handshake finishes, we will not send any data out. So if we want to fallback to non ssl communication, we could just remove the ssl handler and set up the connection without encryption. But probably at server side we will just close the connection...
There was a problem hiding this comment.
Good idea @Apache9. I logged an issue for that: https://issues.apache.org/jira/browse/HBASE-27318
| </property> | ||
| <property> | ||
| <name>hbase.rpc.tls.keystore.password</name> | ||
| <value>keyStor3pa$$w0rd</value> |
There was a problem hiding this comment.
It may be worth calling out that the users should make sure their hbase-site.xml has appropriate permissions since we're now putting a password in it. We could leave that out, but just thinking you went into such detail on the other stuff below that maybe it makes sense to mention.
There was a problem hiding this comment.
I would say that we should avoid putting passwords in the configuration file at all costs. Possible the hdfs approach when you have the default password/password received through the environment variable/a special file that contains the password would be more suitable.
|
@bbeaudreault Docs updated. Please re-validate the rolling upgrade steps. Hope I got it right. |
|
🎊 +1 overall
This message was automatically generated. |
|
🎊 +1 overall
This message was automatically generated. |
There was a problem hiding this comment.
Getting closer @anmolnar. I like the explicit xml for each step. A few more comments
| ...keystore / truststore setup ... | ||
| ---- | ||
|
|
||
| Restart RSs in rolling restart fashion. RSs accepts both TLS/non-TLS communication. |
There was a problem hiding this comment.
nitpick: Change second sentence to "RSs send requests with TLS and accept both TLS/non-TLS communication."
Just calling out the implications of each step.
| restart fashion. | ||
|
|
||
| WARNING: Once `hbase.client.netty.tls.enabled` is enabled on the server side, the cluster will only be able to communicate | ||
| with other clusters which have TLS enabled. For example, this would impact intra-cluster replication. |
There was a problem hiding this comment.
Sorry I typod before, it's actually inter-cluster replication (intra meaning within)
|
🎊 +1 overall
This message was automatically generated. |
|
@bbeaudreault Another round of code review fixes. Let's see how the upgrade process looks like now. |
|
🎊 +1 overall
This message was automatically generated. |
|
🎊 +1 overall
This message was automatically generated. |
|
🎊 +1 overall
This message was automatically generated. |
meszibalu
approved these changes
Aug 26, 2022
|
@bbeaudreault Are u happy to commit this patch? |
There was a problem hiding this comment.
Hey @anmolnar i am out this week. I will take a look next week. I do wonder if we should keep this open until your credentials API PR lands at least. Just because that will directly solve some of the comments here and change the content of this doc. So it might not make sense to bother merging this everywhere just to quickly push addendums to it after those land.
Will loop back to hear your thoughts next week though.
|
Latest commit fast forwards with 2 new features:
|
|
🎊 +1 overall
This message was automatically generated. |
|
🎊 +1 overall
This message was automatically generated. |
|
🎊 +1 overall
This message was automatically generated. |
bbeaudreault
approved these changes
Sep 8, 2022
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
TLS docs.
cc @Apache9 @bbeaudreault @meszibalu @petersomogyi @joshelser