cassandra-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Ben Standefer <...@simplegeo.com>
Subject Re: Authentication
Date Tue, 13 Jul 2010 21:22:59 GMT
Many apps would find it realistic or feasible to failover database
connections across the country (going from <1ms latency to ~90ms latency).
 The scheme of failing over client database connections across the country
is probably the minority case.  SSL between Cassandra nodes, even without
encryption in the clients connecting to a Cassandra node, would still be
very useful if you want to mirror infrastructure in different parts of the
world to provide users with localized low-latency access.  Failover for end
users would happen at the data center level with DNS-based load balancing (
http://dyn.com/dynect-traffic-management).  If a client could not connect to
a node in it's data center, it is probably indicative of the whole data
center having issues.  We're fine with client connections to Cassandra not
being encrypted, because our Cassandra clients are located in the same data
centers as the nodes being queried.  It would be very valuable for internal
Cassandra communication across the country to be encrypted.

VPN solutions and their failure scenarios do not scale horizontally with
Cassandra.  Cassandra's eventually consistent design affords it powerful
worldwide replication use cases, and having to setup a VPN overlay network
just to get the data transmitted securely within Cassandra seems silly when
the nodes could handle SSL on an end-to-end basis.

-Ben


On Tue, Jul 13, 2010 at 1:28 PM, Jonathan Ellis <jbellis@gmail.com> wrote:

> It's been suggested, but it's not very useful w/o having encryption
> for Thrift as well (in case a client has to fail over to the
> cross-country Cassandra nodes).  So using a secure VPN makes the most
> sense to me.
>
> On Tue, Jul 13, 2010 at 12:02 PM, Ben Standefer <ben@simplegeo.com> wrote:
> > Are there any plans or talks of adding SSL/encryption support between
> > Cassandra nodes?  This would make setting up secure cross-country
> Cassandra
> > clusters much easier, without having to setup a secure overlay network.
> >  MySQL supports this in it's replication.
> >
> > -Ben
> >
> >
> > On Mon, Jul 12, 2010 at 11:23 PM, Michael Pearson <mjpearson@gmail.com>
> > wrote:
> >>
> >> Hey Stu,
> >>
> >>  I've been using 0.6.3's SimpleAuthenticator without a hitch (just
> >> had to figure out the daemon args
> >> -Dpasswd.properties=conf/passwd.properties
> >> -Daccess.properties=conf/access.properties) - why do you ask?
> >>
> >> -michael
> >>
> >> --
> >> http://www.github.com/mjpearson
> >> http://www.linkedin.com/in/mjpearson
> >>
> >>
> >> On Mon, Jul 12, 2010 at 2:32 PM, Stu Hood <stu.hood@rackspace.com>
> wrote:
> >> > Hello out there,
> >> >
> >> > If you are running Cassandra 0.6.*, and are using Cassandra's
> >> > authentication (IAuthenticator/SimpleAuthenticator), I'd love to hear
> about
> >> > it!
> >> >
> >> > Thanks,
> >> >
> >> > Stu Hood
> >> > @stuhood
> >> > Architecture Software Developer
> >> > Rackspace Hosting
> >> >
> >> >
> >
> >
>
>
>
> --
> Jonathan Ellis
> Project Chair, Apache Cassandra
> co-founder of Riptano, the source for professional Cassandra support
> http://riptano.com
>

Mime
View raw message