Many apps would find it realistic or feasible to failover database
connections across the country (going from <1ms latency to ~90ms latency).
 The scheme of failing over client database connections across the country
is probably the minority case.  SSL between Cassandra nodes, even without
encryption in the clients connecting to a Cassandra node, would still be
very useful if you want to mirror infrastructure in different parts of the
world to provide users with localized low-latency access.  Failover for end
users would happen at the data center level with DNS-based load balancing
(http://dyn.com/dynect-traffic-management).  If a client could not connect to
a node in its data center, it is probably indicative of the whole data
center having issues.  We're fine with client connections to Cassandra not
being encrypted, because our Cassandra clients are located in the same data
centers as the nodes being queried.  It would be very valuable for internal
Cassandra communication across the country to be encrypted.

VPN solutions and their failure scenarios do not scale horizontally with
Cassandra.  Cassandra's eventually consistent design affords it powerful
worldwide replication use cases, and having to set up a VPN overlay network
just to get the data transmitted securely within Cassandra seems silly when
the nodes could handle SSL on an end-to-end basis.

-Ben


On Tue, Jul 13, 2010 at 1:28 PM, Jonathan Ellis <jbel...@gmail.com> wrote:

> It's been suggested, but it's not very useful w/o having encryption
> for Thrift as well (in case a client has to fail over to the
> cross-country Cassandra nodes).  So using a secure VPN makes the most
> sense to me.
>
> On Tue, Jul 13, 2010 at 12:02 PM, Ben Standefer <b...@simplegeo.com> wrote:
> > Are there any plans or talks of adding SSL/encryption support between
> > Cassandra nodes?  This would make setting up secure cross-country Cassandra
> > clusters much easier, without having to set up a secure overlay network.
> >  MySQL supports this in its replication.
> >
> > -Ben
> >
> >
> > On Mon, Jul 12, 2010 at 11:23 PM, Michael Pearson <mjpear...@gmail.com>
> > wrote:
> >>
> >> Hey Stu,
> >>
> >>  I've been using 0.6.3's SimpleAuthenticator without a hitch (just
> >> had to figure out the daemon args
> >> -Dpasswd.properties=conf/passwd.properties
> >> -Daccess.properties=conf/access.properties) - why do you ask?
> >>
> >> -michael
> >>
> >> --
> >> http://www.github.com/mjpearson
> >> http://www.linkedin.com/in/mjpearson
> >>
> >>
> >> On Mon, Jul 12, 2010 at 2:32 PM, Stu Hood <stu.h...@rackspace.com> wrote:
> >> > Hello out there,
> >> >
> >> > If you are running Cassandra 0.6.*, and are using Cassandra's
> >> > authentication (IAuthenticator/SimpleAuthenticator), I'd love to hear about
> >> > it!
> >> >
> >> > Thanks,
> >> >
> >> > Stu Hood
> >> > @stuhood
> >> > Architecture Software Developer
> >> > Rackspace Hosting
> >> >
> >> >
> >
> >
>
>
>
> --
> Jonathan Ellis
> Project Chair, Apache Cassandra
> co-founder of Riptano, the source for professional Cassandra support
> http://riptano.com
>
