[
https://issues.apache.org/jira/browse/SPARK-26239?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16715318#comment-16715318
]
ASF GitHub Bot commented on SPARK-26239:
----------------------------------------
ifilonenko commented on a change in pull request #23252: [SPARK-26239]
File-based secret key loading for SASL.
URL: https://github.com/apache/spark/pull/23252#discussion_r240327773
##########
File path:
resource-managers/kubernetes/core/src/test/scala/org/apache/spark/deploy/k8s/features/BasicExecutorFeatureStepSuite.scala
##########
@@ -158,6 +162,25 @@ class BasicExecutorFeatureStepSuite extends SparkFunSuite
with BeforeAndAfter {
checkEnv(executor, conf, Map(SecurityManager.ENV_AUTH_SECRET ->
secMgr.getSecretKey()))
}
+ test("Auth secret shouldn't propagate if files are loaded.") {
+ val secretDir = Utils.createTempDir("temp-secret")
+ val secretFile = new File(secretDir, "secret-file.txt")
+ Files.write(secretFile.toPath,
"some-secret".getBytes(StandardCharsets.UTF_8))
+ val conf = baseConf.clone()
+ .set(NETWORK_AUTH_ENABLED, true)
+ .set(AUTH_SECRET_FILE, secretFile.getAbsolutePath)
+ .set("spark.master", "k8s://127.0.0.1")
+ val secMgr = new SecurityManager(conf)
+ secMgr.initializeAuth()
+
+ val step = new
BasicExecutorFeatureStep(KubernetesTestConf.createExecutorConf(sparkConf =
conf),
+ secMgr)
+
+ val executor = step.configurePod(SparkPod.initialPod())
+ assert(!KubernetesFeaturesTestUtils.containerHasEnvVar(
+ executor.container, SecurityManager.ENV_AUTH_SECRET))
Review comment:
Probably unnecessary, but maybe check contents?
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
us...@infra.apache.org
> Add configurable auth secret source in k8s backend
> --------------------------------------------------
>
> Key: SPARK-26239
> URL: https://issues.apache.org/jira/browse/SPARK-26239
> Project: Spark
> Issue Type: New Feature
> Components: Kubernetes
> Affects Versions: 3.0.0
> Reporter: Marcelo Vanzin
> Priority: Major
>
> This is a follow up to SPARK-26194, which aims to add auto-generated secrets
> similar to the YARN backend.
> There's a desire to support different ways to generate and propagate these
> auth secrets (e.g. using things like Vault). Need to investigate:
> - exposing configuration to support that
> - changing SecurityManager so that it can delegate some of the
> secret-handling logic to custom implementations
> - figuring out whether this can also be used in client-mode, where the driver
> is not created by the k8s backend in Spark.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
---------------------------------------------------------------------
To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org
For additional commands, e-mail: issues-h...@spark.apache.org
