[jira] [Commented] (SPARK-3883) Provide SSL support for Akka and HttpServer based connections
[ https://issues.apache.org/jira/browse/SPARK-3883?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14174005#comment-14174005 ]

Marcelo Vanzin commented on SPARK-3883:
---

FYI, any PR here should make sure the default configuration is safe against the "POODLE" attack (https://access.redhat.com/security/cve/CVE-2014-3566).

Here's something for Jetty: http://stackoverflow.com/questions/26382540/how-to-disable-the-sslv3-protocol-in-jetty-to-prevent-poodle-attack

> Provide SSL support for Akka and HttpServer based connections
> -
>
> Key: SPARK-3883
> URL: https://issues.apache.org/jira/browse/SPARK-3883
> Project: Spark
> Issue Type: Improvement
> Components: Spark Core
> Reporter: Jacek Lewandowski
>
> Spark uses at least 4 logical communication channels:
> 1. Control messages - Akka based
> 2. JARs and other files - Jetty based (HttpServer)
> 3. Computation results - Java NIO based
> 4. Web UI - Jetty based
> The aim of this feature is to enable SSL for (1) and (2).
> Why:
> Spark configuration is sent through (1). Spark configuration may contain
> sensitive information like credentials for accessing external data sources or
> streams. Application JAR files (2) may include the application logic and
> therefore they may include information about the structure of the external
> data sources, and credentials as well.

--
This message was sent by Atlassian JIRA (v6.3.4#6332)

To unsubscribe, e-mail: issues-unsubscr...@spark.apache.org
For additional commands, e-mail: issues-h...@spark.apache.org
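The comment above asks that the default configuration not be exposed to POODLE, which means SSLv3 must not be among the enabled protocols. The following is an added example, not code from the pull request or from Spark: it uses only the standard JSSE API rather than Jetty's own configuration, and the class and method names (`Sslv3Filter`, `withoutSslv3`, `hardenedServerEngine`) are hypothetical.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class Sslv3Filter {
    // The protocol version affected by POODLE (CVE-2014-3566).
    private static final String EXCLUDED = "SSLv3";

    /** Returns the given protocols minus SSLv3; fails closed if nothing is left. */
    static String[] withoutSslv3(String[] candidates) {
        List<String> kept = new ArrayList<>();
        for (String protocol : candidates) {
            if (!EXCLUDED.equalsIgnoreCase(protocol)) {
                kept.add(protocol);
            }
        }
        if (kept.isEmpty()) {
            // Refuse to start rather than fall back to an SSLv3-only endpoint.
            throw new IllegalStateException("no protocol left after removing SSLv3");
        }
        return kept.toArray(new String[0]);
    }

    /** Creates a server-side engine whose enabled protocols never include SSLv3. */
    static SSLEngine hardenedServerEngine(SSLContext context) {
        SSLEngine engine = context.createSSLEngine();
        engine.setUseClientMode(false);
        // Filter whatever this JVM enables by default instead of hard-coding a list,
        // so newer TLS versions stay enabled when the runtime adds them.
        engine.setEnabledProtocols(withoutSslv3(engine.getEnabledProtocols()));
        return engine;
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: a default protocol list as an older runtime might report it.
        String[] legacy = {"SSLv2Hello", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"};
        System.out.println("legacy defaults -> " + Arrays.toString(withoutSslv3(legacy)));

        // The same filter applied to this JVM's default context.
        SSLEngine engine = hardenedServerEngine(SSLContext.getDefault());
        System.out.println("enabled here    -> " + Arrays.toString(engine.getEnabledProtocols()));
    }
}
```

The filter has to be applied on every endpoint that creates its own engine or socket, since each one starts from the runtime's default protocol list.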
[jira] [Commented] (SPARK-3883) Provide SSL support for Akka and HttpServer based connections
[ https://issues.apache.org/jira/browse/SPARK-3883?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14169458#comment-14169458 ]

Apache Spark commented on SPARK-3883:
-

User 'jacek-lewandowski' has created a pull request for this issue:
https://github.com/apache/spark/pull/2739
[jira] [Commented] (SPARK-3883) Provide SSL support for Akka and HttpServer based connections
[ https://issues.apache.org/jira/browse/SPARK-3883?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14165986#comment-14165986 ]

Jacek Lewandowski commented on SPARK-3883:
--

https://github.com/apache/spark/pull/2739