[ https://issues.apache.org/jira/browse/SPARK-26998?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16789653#comment-16789653 ]
Gabor Somogyi commented on SPARK-26998: --------------------------------------- Since the first part of the PR solved (http URLs in case of secure mode) continuing with the second issue. In my view the problem can be mitigated to ask users to provide configuration parameters either in configuration file (several commercial products does this) * Either spark-defaults.conf * or --properties-file That way the command line options will show either nothing (spark-defaults.conf picked up by default) or something like "... --properties-file my-secret-spark-properties.conf ...". As a side note this workaround is available at the moment but I would like to warn users for such situations. The other approach what I've considered (and abandoned) is to open a pipe and send the password through this channel but since this approach is not really conform with Spark's configuration system it would imply heavy changes and don't see the return of investment. [~vanzin] what do you think since you have quite a bit experience with security? > spark.ssl.keyStorePassword in plaintext on 'ps -ef' output of executor > processes in Standalone mode > --------------------------------------------------------------------------------------------------- > > Key: SPARK-26998 > URL: https://issues.apache.org/jira/browse/SPARK-26998 > Project: Spark > Issue Type: Bug > Components: Scheduler, Security, Spark Core > Affects Versions: 2.3.3, 2.4.0 > Reporter: t oo > Priority: Major > Labels: SECURITY, Security, secur, security, security-issue > > Run spark standalone mode, then start a spark-submit requiring at least 1 > executor. Do a 'ps -ef' on linux (ie putty terminal) and you will be able to > see spark.ssl.keyStorePassword value in plaintext! > > spark.ssl.keyStorePassword and spark.ssl.keyPassword don't need to be passed > to CoarseGrainedExecutorBackend. Only spark.ssl.trustStorePassword is used. > > Can be resolved if below PR is merged: > [[Github] Pull Request #21514 > (tooptoop4)|https://github.com/apache/spark/pull/21514] -- This message was sent by Atlassian JIRA (v7.6.3#76005) --------------------------------------------------------------------- To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org For additional commands, e-mail: issues-h...@spark.apache.org