[ 
https://issues.apache.org/jira/browse/SPARK-8129?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14592243#comment-14592243
 ] 

Kan Zhang commented on SPARK-8129:
----------------------------------

Checked on my Linux box that env variables are only shown by `ps` if it is run 
by the process owner or root. This is ok for our purpose of preventing 
non-Spark users from getting the auth secret. Please report if this is not true 
in some environments.

> Securely pass auth secrets to executors in standalone cluster mode
> ------------------------------------------------------------------
>
>                 Key: SPARK-8129
>                 URL: https://issues.apache.org/jira/browse/SPARK-8129
>             Project: Spark
>          Issue Type: New Feature
>          Components: Deploy, Spark Core
>            Reporter: Kan Zhang
>            Assignee: Kan Zhang
>            Priority: Minor
>             Fix For: 1.5.0
>
>
> Currently, when authentication is turned on, the standalone cluster manager 
> passes auth secrets to executors (also drivers in cluster mode) as java 
> options on the command line, which isn't secure. The passed secret can be 
> seen by anyone running 'ps' command, e.g.,
> bq.  501 94787 94734   0  2:32PM ??         0:00.78 
> /Library/Java/JavaVirtualMachines/jdk1.7.0_60.jdk/Contents/Home/jre/bin/java 
> -cp 
> /Users/kan/github/spark/sbin/../conf/:/Users/kan/github/spark/assembly/target/scala-2.10/spark-assembly-1.4.0-SNAPSHOT-hadoop2.3.0.jar:/Users/kan/github/spark/lib_managed/jars/datanucleus-api-jdo-3.2.6.jar:/Users/kan/github/spark/lib_managed/jars/datanucleus-core-3.2.10.jar:/Users/kan/github/spark/lib_managed/jars/datanucleus-rdbms-3.2.9.jar
>  -Xms512M -Xmx512M 
> *-Dspark.authenticate.secret=090A030E0F0A05010900000A0C0E0C0B03050D05* 
> -Dspark.driver.port=49625 -Dspark.authenticate=true -XX:MaxPermSize=128m 
> org.apache.spark.executor.CoarseGrainedExecutorBackend --driver-url 
> akka.tcp://sparkDriver@192.168.1.152:49625/user/CoarseGrainedScheduler 
> --executor-id 0 --hostname 192.168.1.152 --cores 8 --app-id 
> app-20150605143259-0000 --worker-url 
> akka.tcp://sparkWorker@192.168.1.152:49623/user/Worker



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
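An added audit sketch for the exposure discussed in this thread (not code from the issue or from Spark): it flags secret-looking `-D` JVM properties on process command lines and compares who can read `/proc/<pid>/cmdline` versus `/proc/<pid>/environ`. It assumes a Linux `/proc`; the property-name pattern, helper names and sample argv are assumptions of this example.

```python
import os
import re
import stat

# Assumed pattern: JVM system properties whose name suggests a credential,
# such as the -Dspark.authenticate.secret=... option quoted in the issue.
SECRET_PROP = re.compile(r"^-D([\w.]*(?:secret|password|token)[\w.]*)=(.+)$", re.I)

def exposed_props(argv):
    """Return names (never values) of secret-looking -D properties in argv."""
    return [m.group(1) for a in argv if (m := SECRET_PROP.match(a))]

def read_argv(pid):
    """argv of a process as exposed through /proc/<pid>/cmdline (Linux)."""
    with open(f"/proc/{pid}/cmdline", "rb") as f:
        return [p.decode(errors="replace") for p in f.read().split(b"\0") if p]

def other_users_can_read(path):
    """True if the file mode grants read access to group or others."""
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))

def audit_proc():
    """Scan every visible process; yield (pid, property names) for leaks."""
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            props = exposed_props(read_argv(pid))
        except OSError:  # process exited, or is hidden from this user
            continue
        if props:
            yield int(pid), props

# Constructed sample argv modelled on the executor command line in the issue;
# the secret value is a placeholder.
SAMPLE_ARGV = ["java", "-Xms512M", "-Dspark.authenticate.secret=PLACEHOLDER",
               "-Dspark.authenticate=true",
               "org.apache.spark.executor.CoarseGrainedExecutorBackend"]

if __name__ == "__main__":
    print("sample:", exposed_props(SAMPLE_ARGV))
    if os.path.isdir("/proc/self"):
        for name in ("cmdline", "environ"):
            path = f"/proc/self/{name}"
            print(path, "readable by other users:", other_users_can_read(path))
        for pid, props in audit_proc():
            print(f"pid {pid} exposes on its command line: {', '.join(props)}")
```

Running it as an unprivileged account on a worker host shows what that account could learn from command lines alone.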
