Support Questions

Find answers, ask questions, and share your expertise

Performance Impact of Security (SSL, TDE, Ranger, Kerberos, Knox)

avatar

Hi All,

I am looking for what the overall and by component performance impact for implementing all security components in HDP including SSL, TDE, Ranger Kerberos and Knox.

I have found a few links regarding SSL and Knox but can't seem to find anything comprehensive enough.

Thanks,

1 ACCEPTED SOLUTION

avatar

Hi Andrew,

The recommendation is to start with an unsecure cluster and to add levels of protections one by one to allow benchmarking. Overhead will depend of the use of the cluster.

The numbers I have are the following:

- wire encryption inside the cluster: 2x overhead

- data encryption (Ranger KMS): 15%-20% overhead (but I guess it highly depends of what you are encrypting, not sure every single file must be encrypted).

- for Kerberos, Knox and Ranger: this is not significant and it depends of the installation and the use (network performance to KDC, number of Knox gateways, etc). regarding Ranger, since rules are "copied" locally for each service this not significant.

Hope that helps.

View solution in original post

2 REPLIES 2

avatar

Hi Andrew,

The recommendation is to start with an unsecure cluster and to add levels of protections one by one to allow benchmarking. Overhead will depend of the use of the cluster.

The numbers I have are the following:

- wire encryption inside the cluster: 2x overhead

- data encryption (Ranger KMS): 15%-20% overhead (but I guess it highly depends of what you are encrypting, not sure every single file must be encrypted).

- for Kerberos, Knox and Ranger: this is not significant and it depends of the installation and the use (network performance to KDC, number of Knox gateways, etc). regarding Ranger, since rules are "copied" locally for each service this not significant.

Hope that helps.

avatar
New Contributor

Hi,

 

I can see significant impact on the hive query after implementation of Ranger and using mysql 5.7.

How can we reduce the response time added due to the Ranger.