[SPARK-2750] support https in spark web ui #1980
Conversation
|
Can one of the admins verify this patch? |
|
ok to test |
|
Looks like this is a duplicate of #1714, which is now closed, however. @WangTaoTheTonic you originally filed the issue to support this. Is there a particular motivation? How is this related to the view ACLs we already have (http://spark.apache.org/docs/latest/security.html)? |
|
QA tests have started for PR 1980 at commit
|
|
QA tests have finished for PR 1980 at commit
|
|
I did not make very much stuty of SecurityManager, but it only does authentication while not the encryption in communication. |
| @@ -30,7 +30,7 @@ private[spark] class WorkerInfo( | |||
| val cores: Int, | |||
| val memory: Int, | |||
| val actor: ActorRef, | |||
| val webUiPort: Int, | |||
| val webUiAddress: String, | |||
| val publicAddress: String) | |||
There was a problem hiding this comment.
It looks like this publicAddress field is never read anymore, so we should remove it.
|
Is Whatever configuration options we end up using, we should add documentation for them to the Spark Security and Configuration guides. |
| @@ -53,6 +53,9 @@ private[spark] class WorkerArguments(args: Array[String], conf: SparkConf) { | |||
| if (System.getenv("SPARK_WORKER_DIR") != null) { | |||
| workDir = System.getenv("SPARK_WORKER_DIR") | |||
| } | |||
| if (conf.contains("worker.ui.port")) { | |||
There was a problem hiding this comment.
This should be spark.worker.ui.port.
There was a problem hiding this comment.
In fact, spark.worker.ui.port is already read on line 51, so this is unnecessary.
|
Also, it looks like this adds configuration options under several (new) namespaces:
Are these the best names? What if we decide to add HTTPS / SSL to other components? What is |
|
What happens if I've configured the web UI to use |
|
QA tests have started for PR 1980 at commit
|
|
QA tests have finished for PR 1980 at commit
|
|
@JoshRosen, here i named the configuration options refer to how hadoop does(actually just use |
|
QA tests have started for PR 1980 at commit
|
|
QA tests have started for PR 1980 at commit
|
|
QA tests have finished for PR 1980 at commit
|
|
QA tests have finished for PR 1980 at commit
|
|
QA tests have started for PR 1980 at commit
|
| val url = newURI(schema, baseRequest.getServerName, securePort, | ||
| baseRequest.getRequestURI, baseRequest.getQueryString) | ||
| response.setContentLength(0) | ||
| response.sendRedirect(url) |
There was a problem hiding this comment.
Might be a good idea to call response.encodeRedirectURL() first.
|
For some reason I downloaded the patch but it doesn't apply cleanly to my copy of the repo... I'll try again later. |
|
QA tests have started for PR 1980 at commit
|
|
QA tests have finished for PR 1980 at commit
|
| @@ -205,10 +231,74 @@ private[spark] object JettyUtils extends Logging { | |||
| ServerInfo(server, boundPort, collection) | |||
| } | |||
|
|
|||
| // to generate a new url string scheme://server:port+path | |||
There was a problem hiding this comment.
Hi @scwf,
The reason I asked for a comment is that it seems like the method is doing a little more than just that. For example, L238 seems to be doing some sort of parsing of the server string, so it's more than just concatenating the different arguments into a URL.
It would be nice if the comment explained exactly what the relationship between the input and the output is. A unit test wouldn't hurt either.
There was a problem hiding this comment.
Hi @vanzin, actually here i just refer to the code of jetty 9 see(https://github.com/eclipse/jetty.project/blob/master/jetty-util/src/main/java/org/eclipse/jetty/util/URIUtil.java#L726-L733) since there is no newURImethod in spark jetty version(spark use jetty 8).
And L238 is for the case to handle IPv6 address, here we can remove it if unnecessary.
There was a problem hiding this comment.
Could you put that reference in the code itself, so we know where it comes from? Thanks!
|
QA tests have started for PR 1980 at commit
|
|
Tests timed out for PR 1980 at commit |
|
QA tests have started for PR 1980 at commit
|
|
QA tests have finished for PR 1980 at commit
|
|
@scwf can you take a look at #2739? I created PR which aim is to add SSL support for Akka based connections and for HttpServer which in turn bases on Jetty. I use SSLOptions object to configure SSL. All the settings are being kept in a separate file |
|
Btw. I was trying to do SSL for UI as well. One thing I'm afraid of is that this solution would break any recovery information for Spark Master (different signature of WorkerInfo). Also, it doesn't allow to run the cluster in mixed mode during upgrade - some nodes running older Spark and some nodes running newer Spark, because it changes the signature of messages. Anyway, this is very minor I think. |
|
@jacek-lewandowski, you mean in For the second one "some nodes running older Spark and some nodes running newer Spark", i don't think there is this situation. @JoshRosen @vanzin is this ok to go? I think we can merge this first then in #2739 to unify the ssl configs. |
|
Hi @scwf, I just merged #3571, which added SSL support for Akka and the HTTPServer. That PR added a common configuration mechanism for SSL, plus some useful utilities for testing this functionality. If you're interested, it would be great to revisit HTTPS for the web UI now that we've merged that other patch. |
|
@JoshRosen in that PR now no https support for web ui right? if so i will rework this to support it. |
|
@scwf Yep, that PR only added SSL support to Akka and the HTTP FileServer, not the web UI or the shuffle service. |
|
i am closing this in favor of #5664 |
|
I want to enable https on spark UI. I added following config to spark-defaults.config, but when we access spark ui via https::/:8080 or https://:443 or https://:8480, it's not able to connect. spark.ui.https.enabled true |
https://issues.apache.org/jira/browse/SPARK-2750
enable spark web ui to support https, also compatible with old web ui(http).
user can switch between https and http by configure "spark.http.policy".