-
Notifications
You must be signed in to change notification settings - Fork 28.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[SPARK-45408][CORE] Add RPC SSL settings to TransportConf #43220
Conversation
I am waiting on a few more CI retries to get a clear CI signal, but this should be ready to review (had to rebase to fix python lint issues but otherwise the original build was mostly good) |
CI looks green so this should be good to review. cc @JoshRosen @mridulm |
*/ | ||
public boolean sslRpcEnabled() { | ||
return conf.getBoolean("spark.ssl.rpc.enabled", false); | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Typically, there are two cases -
a) Use of signed certificates, which can be validated,
b) Use of self-signed certificates.
Given the configs documented here, how are we planning to support these ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We support both of these.
If you like to use the JDK SSL provider, we require a keyStore
argument which takes in the key being used for the server, and the trustStore
is used to verify the peer we talk to.
If the openSSL provider is used, we require the privateKey
and certChain
arguments which have similar purposes.
You can look at the SSLFactory
in the reference PR #42685 (I was going to put it up after this PR and another one) to see how it's used.
The tests in the reference PR #42685 use self signed certificates and work fine.
Does that answer your question? Happy to clarify as needed
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok, so we are relying on the fact the if truststore is not specified, it implies self signed cert as we are going to bypass cert check.
That sounds fine to me given this is different from 'typical' usage where client is accepting server's cert and does not know if it will be trusted, or should bypass trust (if cert is trusted, use that - but if it no, should it still be trusted).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actually, looking at it again, I want to make sure I am not missing something here.
Currently, sslRpcEnabledAndKeysAreValid
will return false
when key store is specified, but trust store is not - and so ssl factory will be null
.
Within ssl factory, we do have code to handle the case of trust store being null resulting in accepting all server certs - but this will never get triggered since factory is null.
What am I missing here ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You are not missing anything. Thank you for catching this. In my testing, I was using a trust store that accepts the self signed certificate and copied this check to make the branches similar. But in the JDK SSL provider case, we do not always need the trust store as you rightly pointed out, so I'm going to remove the check
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
updated, PTAL
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added a comment
3e11ff8
to
e323867
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for addressing the queries @hasnain-db !
Merged to master. |
### What changes were proposed in this pull request? This change adds new settings to `TransportConf` which are needed for the RPC SSL functionality to work. Additionally, add some sample configurations which are used by tests in follow up PRs (see apache#42685 for the full context) ### Why are the changes needed? These changes are needed so that other modules can easily access configurations, and that the sample configurations are easily accessible for tests. ### Does this PR introduce _any_ user-facing change? No ### How was this patch tested? Added a test, then ran: ``` ./build/sbt > project network-common > testOnly org.apache.spark.network.TransportConfSuite ``` There are more follow up tests coming (see apache#42685) ### Was this patch authored or co-authored using generative AI tooling? No Closes apache#43220 from hasnain-db/spark-tls-configs-low. Authored-by: Hasnain Lakhani <hasnain.lakhani@databricks.com> Signed-off-by: Mridul Muralidharan <mridul<at>gmail.com>
|
||
/** | ||
* | ||
*/ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please supply the comment or remove it.
@hasnain-db You can do the job at #43238.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I missed this, thanks for flagging it @beliefer !
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
will do, thanks for catching this!
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
addressing in #43249
…portConf ### What changes were proposed in this pull request? This PR adds the options added in #43220 to `SSLOptions` and `SparkTransportConf`. By adding it to the `SSLOptions` we can support inheritance of options, so settings for the UI and RPC SSL settings can be shared as much as possible. The `SparkTransportConf` changes are needed to support propagating these settings. I also make some changes to `SecurityManager` to log when this feature is enabled, and make the existing `spark.network.crypto` options mutually exclusive with this new settings (it would just involve double encryption then). Lastly, make these flags propagate down to when executors are launched, and allow the passwords to be sent via environment variables (similar to how it's done for an existing secret). This ensures they are not visible in plaintext, but also ensures they are available at executor startup (otherwise it can never talk to the driver/worker) ### Why are the changes needed? The propagation of these options are needed for the RPC functionality to work ### Does this PR introduce _any_ user-facing change? No ### How was this patch tested? CI Added some unit tests which I verified passed: ``` build/sbt > project core > testOnly org.apache.spark.SparkConfSuite org.apache.spark.SSLOptionsSuite org.apache.spark.SecurityManagerSuite org.apache.spark.deploy.worker.CommandUtilsSuite ``` The rest of the changes and integration were tested as part of #42685 ### Was this patch authored or co-authored using generative AI tooling? No Closes #43238 from hasnain-db/spark-tls-ssloptions. Authored-by: Hasnain Lakhani <hasnain.lakhani@databricks.com> Signed-off-by: Mridul Muralidharan <mridul<at>gmail.com>
What changes were proposed in this pull request?
This change adds new settings to
TransportConf
which are needed for the RPC SSL functionality to work. Additionally, add some sample configurations which are used by tests in follow up PRs (see #42685 for the full context)Why are the changes needed?
These changes are needed so that other modules can easily access configurations, and that the sample configurations are easily accessible for tests.
Does this PR introduce any user-facing change?
No
How was this patch tested?
Added a test, then ran:
There are more follow up tests coming (see #42685)
Was this patch authored or co-authored using generative AI tooling?
No