hasnain-db commented on code in PR #43240:
URL: https://github.com/apache/spark/pull/43240#discussion_r1376768939


##########
docs/security.md:
##########
@@ -563,7 +604,52 @@ replaced with one of the above namespaces.
   <tr>
     <td><code>${ns}.trustStoreType</code></td>
     <td>JKS</td>
-    <td>The type of the trust store.</td>
+    <td>The type of the trust store. This setting is not applicable to the 
`rpc` namespace.</td>
+  </tr>
+  <tr>
+    <td><code>${ns}.openSSLEnabled</code></td>
+    <td>false</td>
+    <td>
+      Whether to use OpenSSL for cryptographic operations instead of the JDK 
SSL provider.
+      This setting is only applicable to the `rpc` namespace, and also 
requires the `certChain`
+      and `privateKey` settings to be set.
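Review bot: In the added description cells for `${ns}.trustStoreType` and `${ns}.openSSLEnabled`, the names `rpc`, `certChain` and `privateKey` are wrapped in Markdown backticks, while the setting names in the same table rows use <code>…</code>. Backticks inside a raw HTML table may not be rendered as code, so use <code>rpc</code>, <code>certChain</code> and <code>privateKey</code> for consistency. The visible part of the `openSSLEnabled` description also does not say what happens when OpenSSL is requested but cannot be loaded at runtime. If the remaining lines do not cover it, state that behaviour here so operators know which provider ends up in use.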

Review Comment:
   Documented. Updating the PR in a second..
   
   > QQ: Would be interesting to see what would happen in case jks and openssl configs are not 'compatible' (if jks was being specified for UI) - how spark behaves: perhaps we should disable that fallback?
   
   Could you clarify what you mean? 
   
   I see a few cases:
   
   1. OpenSSL requested, and privateKey/certChain not set in the configs. This is an error and will throw saying keys are missing.
   2. OpenSSL not requested, and JKS keys are specified (keyStore/trustStore). The JKS keys will be used.
   3. OpenSSL requested, but not available at runtime. This uses the JDK SSL implementation, but with the keys specified in `certChain` and `privateKey`.
   
   Was that what you were asking about?



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
