On 20/03/2016 5:58 PM, Joshua Harlow wrote:
> On 03/20/2016 10:00 AM, Adam Young wrote:
>> I started with a blog post here:
>>
>> http://adam.younglogic.com/2016/03/what-can-talk-to-what-on-the-openstack-message-broker/
>>
>> and did a brief spike here:
>>
>> http://adam.younglogic.com/2016/03/tie-your-rabbit-down/
>>
>> We made the mistake of pursuing HMAC back several releases ago. It led
>> to Kite. We don't need that yet.
>
> Nice I like the big table @
> http://adam.younglogic.com/2016/03/what-can-talk-to-what-on-the-openstack-message-broker/
>
> As for HMAC several years/releases ago, what was the issue (just
> wondering)? Just too much load on controller nodes to do verification?
> Not enough adoption, something else...?
>

we have HMAC signing in Ceilometer[1] when we passed messages between
the different services. i added support a long while back to support
disabling signing because it does add quite a bit of overhead to the
whole process. unfortunately the bug description i wrote was
terrible[2] so i don't have any numbers (though should be easy enough to
figure out). i don't believe it adds a lot of CPU load (not that i
recall) but it does add quite a bit of latency (10s of ms) to the whole
process so it will affect scenarios where you are dealing with large
amounts of messages or 'real-time' stories.

i tend to agree with ayoung that ideally we should leverage
authentication capabilities before considering the crypto scenario.
Kafka itself started to implement security in the latest release and
from what i can tell, there's a lot of disclaimers that you will
experience serious performance degradation if you enable it[3].

[1] https://github.com/openstack/ceilometer/blob/master/ceilometer/publisher/utils.py#L43
[2] https://bugs.launchpad.net/ceilometer/+bug/1436077
[3] https://blog.cloudera.com/blog/2016/02/whats-new-in-clouderas-distribution-of-apache-kafka/

cheers,

--
gord
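
Added example, not part of the original message and not Ceilometer's code: a sketch of per-message HMAC-SHA256 signing with a switch to disable it, the kind of scheme discussed in the thread above. The field name, the JSON canonicalization, the sample message and the secret are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json

SIG_FIELD = "message_signature"  # assumed field name for this example


def canonical_bytes(message):
    """Serialize every field except the signature in a stable key order."""
    body = {k: v for k, v in message.items() if k != SIG_FIELD}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def mac_hex(message, secret):
    return hmac.new(secret.encode("utf-8"), canonical_bytes(message), hashlib.sha256).hexdigest()


def sign(message, secret):
    """Return a copy of message with a signature; empty secret disables signing."""
    signed = dict(message)
    signed[SIG_FIELD] = mac_hex(message, secret) if secret else ""
    return signed


def verify(message, secret):
    """Check a received message against the receiver's own configuration."""
    if not secret:
        # Signing disabled on the receiver: nothing to check, so trust rests
        # on broker authentication and access control alone.
        return True
    received = message.get(SIG_FIELD, "")
    if not isinstance(received, str) or not received:
        # Receiver expects signatures, so an unsigned message is rejected.
        return False
    # Constant-time comparison avoids leaking how much of the value matched.
    return hmac.compare_digest(mac_hex(message, secret).encode(), received.encode())


# Constructed sample message and secret, not taken from a real deployment.
SAMPLE = {"counter_name": "cpu_util", "resource_id": "vm-0001", "counter_volume": 12.5}
SECRET = "example-shared-secret"

if __name__ == "__main__":
    signed = sign(SAMPLE, SECRET)
    print(verify(signed, SECRET))                             # untouched message
    print(verify(dict(signed, counter_volume=99.0), SECRET))  # modified in transit
    print(verify(sign(SAMPLE, ""), SECRET))                   # sender disabled signing
```
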