Changeset View
Changeset View
Standalone View
Standalone View
src/docs/user/cluster/cluster_repositories.diviner
| Show First 20 Lines • Show All 52 Lines • ▼ Show 20 Lines | |||||
| Before responding to a read, replicas make sure their version of the repository | Before responding to a read, replicas make sure their version of the repository | ||||
| is up to date (no node in the cluster has a newer version of the repository). | is up to date (no node in the cluster has a newer version of the repository). | ||||
| If it isn't, they block the read until they can complete a fetch. | If it isn't, they block the read until they can complete a fetch. | ||||
| Before responding to a write, replicas obtain a global lock, perform the same | Before responding to a write, replicas obtain a global lock, perform the same | ||||
| version check and fetch if necessary, then allow the write to continue. | version check and fetch if necessary, then allow the write to continue. | ||||
| HTTP vs HTTPS | |||||
| ============= | |||||
| Intracluster requests (from the daemons to repository servers, or from | |||||
| webservers to repository servers) are permitted to use HTTP, even if you have | |||||
| set `security.require-https` in your configuration. | |||||
| It is common to terminate SSL at a load balancer and use plain HTTP beyond | |||||
| that, and the `security.require-https` feature is primarily focused on making | |||||
| client browser behavior more convenient for users, so it does not apply to | |||||
| intracluster traffic. | |||||
| Using HTTP within the cluster leaves you vulnerable to attackers who can | |||||
| observe traffic within a datacenter, or observe traffic between datacenters. | |||||
| This is normally very difficult, but within reach for state-level adversaries | |||||
| like the NSA. | |||||
| If you are concerned about these attackers, you can terminate HTTPS on | |||||
| repository hosts and bind to them with the "https" protocol. Just be aware that | |||||
| the `security.require-https` setting won't prevent you from making | |||||
| configuration mistakes, as it doesn't cover intracluster traffic. | |||||
| Other mitigations are possible, but securing a network against the NSA and | |||||
| similar agents of other rogue nations is beyond the scope of this document. | |||||
| Backups | Backups | ||||
| ====== | ====== | ||||
| Even if you configure clustering, you should still consider retaining separate | Even if you configure clustering, you should still consider retaining separate | ||||
| backup snapshots. Replicas protect you from data loss if you lose a host, but | backup snapshots. Replicas protect you from data loss if you lose a host, but | ||||
| they do not let you rewind time to recover from data mutation mistakes. | they do not let you rewind time to recover from data mutation mistakes. | ||||
| If something issues a `--force` push that destroys branch heads, the mutation | If something issues a `--force` push that destroys branch heads, the mutation | ||||
| Show All 18 Lines | |||||