[infinispan-dev] Multi tenancy support for Infinispan
Radim Vansa
rvansa at redhat.com
Mon May 9 09:30:18 EDT 2016
On 05/09/2016 07:52 AM, Sebastian Laskawiec wrote:
> Hey Radim!
>
> Comments inlined.
>
> Thanks
> Sebastian
>
> On Mon, May 9, 2016 at 12:55 PM, Radim Vansa <rvansa at redhat.com
> <mailto:rvansa at redhat.com>> wrote:
>
> As for the questions:
> * Is SSL required for SNI? I can imagine that multi-tenancy would make
> sense even in situations when the connection does not need to be
> encrypted. Moreover, if we plan to eventually have HR clients with
> async
> API (and using async I/O), SSL is even more PITA. Btw., do we have any
> numbers how much SSL affects perf? (that's a question for QA, though)
>
>
> Unfortunately no. SNI is an extension of TLS [2] which is an upgrade
> of SSL. In Java SNI Host names are specified in SSLParameters [3].
>
> Of course SSL slows things down a bit, that's why we also need a
> "switch-to-tenant" command which would be used by the clients who do
> not want SSL. However if someone uses SNI and SSL (and only then) we
> can switch him to proper tenant automatically (because we have enough
> information at that point).
So you can initiate connection with SSL (+SNI) and then downgrade it to
plain-text?
>
> * I don't think that dynamic switching of tenants would make sense,
> since that would require to invalidate all RemoteCache instances, near
> caches, connection pools, everything. So it's the same as starting
> from
> scratch.
>
>
> Frankly I also have a mixed feelings about this feature. I think it
> would be much nicer if we switched to another tenant by doing
> disconnect/connect sequence (and not switching dynamically).
>
>
> R.
>
>
>
>
>
> On 04/29/2016 05:29 PM, Sebastian Laskawiec wrote:
> > Dear Community,
> >
> > Please have a look at the design of Multi tenancy support for
> > Infinispan [1]. I would be more than happy to get some feedback
> from you.
> >
> > Highlights:
> >
> > * The implementation will be based on a Router (which will be
> built
> > based on Netty)
> > * Multiple Hot Rod and REST servers will be attached to the router
> > which in turn will be attached to the endpoint
> > * The router will operate on a binary protocol when using Hot Rod
> > clients and path-based routing when using REST
> > * Memcached will be out of scope
> > * The router will support SSL+SNI
> >
> > Thanks
> > Sebastian
> >
> > [1]
> >
> https://github.com/infinispan/infinispan/wiki/Multi-tenancy-for-Hotrod-Server
>
> [2] https://tools.ietf.org/html/rfc6066#page-6
> [3]
> https://docs.oracle.com/javase/8/docs/api/javax/net/ssl/SSLParameters.html#getServerNames--
>
>
> >
> >
> > _______________________________________________
> > infinispan-dev mailing list
> > infinispan-dev at lists.jboss.org
> <mailto:infinispan-dev at lists.jboss.org>
> > https://lists.jboss.org/mailman/listinfo/infinispan-dev
>
>
> --
> Radim Vansa <rvansa at redhat.com <mailto:rvansa at redhat.com>>
> JBoss Performance Team
>
> _______________________________________________
> infinispan-dev mailing list
> infinispan-dev at lists.jboss.org <mailto:infinispan-dev at lists.jboss.org>
> https://lists.jboss.org/mailman/listinfo/infinispan-dev
>
>
>
>
> _______________________________________________
> infinispan-dev mailing list
> infinispan-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/infinispan-dev
--
Radim Vansa <rvansa at redhat.com>
JBoss Performance Team
More information about the infinispan-dev
mailing list