[SPARK-45427][CORE] Add RPC SSL settings to SSLOptions and SparkTransportConf #43238
Conversation
|
cc: @mridulm @JoshRosen |
There was a problem hiding this comment.
w.r.t the config namespace, we currently have:
spark.sslfor UI related SSL configs.- rpc IO is currently under
spark.network.crypto spark.rpc.for various rpc related configs, but they dont deal with security.spark.io.encryptionwhich deals with block encryption.
IMO we should namespace to spark.network and add ssl there, instead of moving these configs for rpc to spark.ssl.
Thoughts @JoshRosen, @hasnain-db ?
core/src/main/scala/org/apache/spark/network/netty/SparkTransportConf.scala
Outdated
Show resolved
Hide resolved
core/src/main/scala/org/apache/spark/network/netty/SparkTransportConf.scala
Outdated
Show resolved
Hide resolved
My main preference here was to use the existing I agree it's a little confusing as it's not under the network settings, but I don't see it being a stretch for a user to expect SSL settings to be under What do you think? I'm happy to defer to you and @JoshRosen for the final call here. |
hasnain-db
force-pushed
the
spark-tls-ssloptions
branch
from
ed3dea0
to
91ba3a8
Compare
|
addressed part of the feedback. Still waiting for @JoshRosen to also chime in with his thoughts re: which config namespace to use. |
There was a problem hiding this comment.
I don't have super strong feelings about the configuration namespacing: I'm okay with any option as long as our docs help users to chart a clear course for common deployment scenarios.
Some assorted thoughts:
- As we think through this, it might be useful to also review some of the proposed documentation updates from the main PR at https://github.com/apache/spark/pull/42685/files#diff-2c506cc756a5333f8fb5acb850d443980706602048f9ddb3dc515abacbfbce6a (in
security.md) to see if we think these scenarios make sense.- Re-reading this now, I think we might want to re-work the page's introduction to offer more clarity on the different options for encryption so users have a clearer understanding of which options are mutually-exclusive. For example, we should clarify whether the existing shared secret authentication can be used with SSL.
- We might want to re-work the intro to more clearly state that there are two mutually-exclusive choices for RPC encryption, and might want to leave some breadcrums cross-linking some sub-sections to reiterate this point.
- There may be some advantages to the hierarchical namespacing of SSL configurations for the sake of giving users a single place to configure
enabledAlgorithms(e.g. if a user has a compliance protocol that allows only certain algorithms then they shouldn't have to repeat themselves and keep multiple configurations in sync (although I suppose we could have a separate configuration that just inherits its default from the main SSL options)). - In the long run, do we expect that new users would choose to use non-SSL RPC encryption mechanisms? Or would they configure SSL everywhere? Do we expect the existing non-UI encryption configurations to eventually be deprecated (SASL already is)? I'm wondering if we use some long-term vision of a future end state to guide us here.
|
FYI The open PR for the docs is here: #43240 -- happy to address and make changes there. |
|
@JoshRosen I updated the docs PR to hopefully add more clarity around the various encryption options (and, to your request, clarified how they overlap with the authentication setting).
Agreed. If we reuse the
I don't have enough context to make a call here and defer to @mridulm . I will say that as a random observer here who hasn't had to manage too many spark deployments just yet, I feel like the current encryption mechanism has a strong point in its favor: it's quite simple to configure just a shared secret. SSL requires provisioning keys and certs which is always more work. |
|
I was trying to see if We used to have more ssl related configs in the past under that namespace - Given this, even though today it is just UI, it does make more sense to go back to that approach. |
core/src/main/scala/org/apache/spark/network/netty/SparkTransportConf.scala
Show resolved
Hide resolved
|
test failure looks unrelated, retrying for the third time |
|
|
|
The failures are not related. |
…rtConf ### What changes were proposed in this pull request? This change ensures that RPC SSL options settings inheritance works properly after #43238 - we pass `sslOptions` wherever we call `fromSparkConf`. In addition to that minor mechanical change, duplicate/add tests for every place that calls this method, to add a test case that runs with SSL support in the config. ### Why are the changes needed? These changes are needed to ensure that the RPC SSL functionality can work properly with settings inheritance. In addition, through these tests we can ensure that any changes to these modules are also tested with SSL support and avoid regressions in the future. ### Does this PR introduce _any_ user-facing change? No ### How was this patch tested? Full integration testing also done as part of #42685 Added some tests and ran them: ``` build/sbt > project core > testOnly org.apache.spark.*Ssl* > testOnly org.apache.spark.network.netty.NettyBlockTransferSecuritySuite ``` and ``` build/sbt -Pyarn > project yarn > testOnly org.apache.spark.network.yarn.SslYarnShuffleServiceWithRocksDBBackendSuite ``` ### Was this patch authored or co-authored using generative AI tooling? No Closes #43387 from hasnain-db/spark-tls-integrate-everywhere. Authored-by: Hasnain Lakhani <hasnain.lakhani@databricks.com> Signed-off-by: Mridul Muralidharan <mridul<at>gmail.com>
What changes were proposed in this pull request?
This PR adds the options added in #43220 to
SSLOptionsandSparkTransportConf.By adding it to the
SSLOptionswe can support inheritance of options, so settings for the UI and RPC SSL settings can be shared as much as possible. TheSparkTransportConfchanges are needed to support propagating these settings.I also make some changes to
SecurityManagerto log when this feature is enabled, and make the existingspark.network.cryptooptions mutually exclusive with this new settings (it would just involve double encryption then).Lastly, make these flags propagate down to when executors are launched, and allow the passwords to be sent via environment variables (similar to how it's done for an existing secret). This ensures they are not visible in plaintext, but also ensures they are available at executor startup (otherwise it can never talk to the driver/worker)
Why are the changes needed?
The propagation of these options are needed for the RPC functionality to work
Does this PR introduce any user-facing change?
No
How was this patch tested?
CI
Added some unit tests which I verified passed:
The rest of the changes and integration were tested as part of #42685
Was this patch authored or co-authored using generative AI tooling?
No