[infinispan-dev] Multi tenancy support for Infinispan

Radim Vansa rvansa at redhat.com
Mon May 9 09:30:18 EDT 2016 

On 05/09/2016 07:52 AM, Sebastian Laskawiec wrote:
> Hey Radim!
>
> Comments inlined.
>
> Thanks
> Sebastian
>
> On Mon, May 9, 2016 at 12:55 PM, Radim Vansa <rvansa at redhat.com 
> <mailto:rvansa at redhat.com>> wrote:
>
>     As for the questions:
>     * Is SSL required for SNI? I can imagine that multi-tenancy would make
>     sense even in situations when the connection does not need to be
>     encrypted. Moreover, if we plan to eventually have HR clients with
>     async
>     API (and using async I/O), SSL is even more PITA. Btw., do we have any
>     numbers how much SSL affects perf? (that's a question for QA, though)
>
>
> Unfortunately no. SNI is an extension of TLS [2] which is an upgrade 
> of SSL. In Java SNI Host names are specified in SSLParameters [3].
>
> Of course SSL slows things down a bit, that's why we also need a 
> "switch-to-tenant" command which would be used by the clients who do 
> not want SSL. However if someone uses SNI and SSL (and only then) we 
> can switch him to proper tenant automatically (because we have enough 
> information at that point).

So you can initiate connection with SSL (+SNI) and then downgrade it to 
plain-text?

>
>     * I don't think that dynamic switching of tenants would make sense,
>     since that would require to invalidate all RemoteCache instances, near
>     caches, connection pools, everything. So it's the same as starting
>     from
>     scratch.
>
>
> Frankly I also have a mixed feelings about this feature. I think it 
> would be much nicer if we switched to another tenant by doing 
> disconnect/connect sequence (and not switching dynamically).
>
>
>     R.
>
>
>
>
>
>     On 04/29/2016 05:29 PM, Sebastian Laskawiec wrote:
>     > Dear Community,
>     >
>     > Please have a look at the design of Multi tenancy support for
>     > Infinispan [1]. I would be more than happy to get some feedback
>     from you.
>     >
>     > Highlights:
>     >
>     >   * The implementation will be based on a Router (which will be
>     built
>     >     based on Netty)
>     >   * Multiple Hot Rod and REST servers will be attached to the router
>     >     which in turn will be attached to the endpoint
>     >   * The router will operate on a binary protocol when using Hot Rod
>     >     clients and path-based routing when using REST
>     >   * Memcached will be out of scope
>     >   * The router will support SSL+SNI
>     >
>     > Thanks
>     > Sebastian
>     >
>     > [1]
>     >
>     https://github.com/infinispan/infinispan/wiki/Multi-tenancy-for-Hotrod-Server
>
> [2] https://tools.ietf.org/html/rfc6066#page-6
> [3] 
> https://docs.oracle.com/javase/8/docs/api/javax/net/ssl/SSLParameters.html#getServerNames--
>
>
>     >
>     >
>     > _______________________________________________
>     > infinispan-dev mailing list
>     > infinispan-dev at lists.jboss.org
>     <mailto:infinispan-dev at lists.jboss.org>
>     > https://lists.jboss.org/mailman/listinfo/infinispan-dev
>
>
>     --
>     Radim Vansa <rvansa at redhat.com <mailto:rvansa at redhat.com>>
>     JBoss Performance Team
>
>     _______________________________________________
>     infinispan-dev mailing list
>     infinispan-dev at lists.jboss.org <mailto:infinispan-dev at lists.jboss.org>
>     https://lists.jboss.org/mailman/listinfo/infinispan-dev
>
>
>
>
> _______________________________________________
> infinispan-dev mailing list
> infinispan-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/infinispan-dev


-- 
Radim Vansa <rvansa at redhat.com>
JBoss Performance Team

More information about the infinispan-dev mailing list