sweisdb commented on code in PR #45425: URL: https://github.com/apache/spark/pull/45425#discussion_r1552042143
########## docs/security.md: ########## @@ -149,24 +149,32 @@ secret file agrees with the executors' secret file. # Network Encryption -Spark supports two mutually exclusive forms of encryption for RPC connections. +Spark supports two mutually exclusive forms of encryption for RPC connections: -The first is an AES-based encryption which relies on a shared secret, and thus requires -RPC authentication to also be enabled. +The **preferred method** uses TLS (aka SSL) encryption via Netty's support for SSL. Enabling SSL +requires keys and certificates to be properly configured. SSL is standardized and considered more +secure. -The second is an SSL based encryption mechanism utilizing Netty's support for SSL. This requires -keys and certificates to be properly configured. It can be used with or without the authentication -mechanism discussed earlier. - -One may prefer to use the SSL based encryption in scenarios where compliance mandates the usage -of specific protocols; or to leverage the security of a more standard encryption library. However, -the AES based encryption is simpler to configure and may be preferred if the only requirement -is that data be encrypted in transit. +The legacy method is an AES-based encryption mechanism relying on a shared secret. This requires +RPC authentication to also be enabled. This method uses a bespoke protocol and it is recommended +to use SSL instead. Review Comment: Updated in the section about the Legacy protocol.
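Review bot: The new "preferred method" paragraph drops the removed statement that SSL "can be used with or without the authentication mechanism discussed earlier", so after this change the section no longer says how SSL relates to RPC authentication, while the legacy paragraph still states its own requirement ("This requires RPC authentication to also be enabled"). Consider keeping that sentence in the SSL paragraph so both methods document their authentication dependency. In the same paragraph, "SSL is standardized and considered more secure" gives no basis for the comparison; the concrete reason visible in this hunk is that the legacy method "uses a bespoke protocol", and saying that directly would be more useful to a reader choosing between the two. The paragraph also introduces "TLS (aka SSL)" and then uses only "SSL"; using one term consistently would read more cleanly.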