This is an automated email from the ASF dual-hosted git repository.
dongjoon pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/spark.git
The following commit(s) were added to refs/heads/master by this push:
new df0e34c5a1c3 [SPARK-49648][DOCS] Update `Configuring Ports for Network
Security` section with JWS
df0e34c5a1c3 is described below
commit df0e34c5a1c30956cb16e8af5569ed72387b6fc3
Author: Dongjoon Hyun <[email protected]>
AuthorDate: Fri Sep 13 18:09:48 2024 -0700
[SPARK-49648][DOCS] Update `Configuring Ports for Network Security` section
with JWS
### What changes were proposed in this pull request?
This PR aims to update the `Configuring Ports for Network Security` section of
the `Security` page with the new JWS feature.
### Why are the changes needed?
In addition to the existing restriction, Spark 4 can take advantage of the new
JWS feature. This PR informs it more clearly.
https://github.com/apache/spark/blob/08a26bb56cfb48f27c68a79be1e15bc4c9e466e0/docs/security.md?plain=1#L811-L814
### Does this PR introduce _any_ user-facing change?
No.
### How was this patch tested?
Manual review.
### Was this patch authored or co-authored using generative AI tooling?
No.
Closes #48112 from dongjoon-hyun/SPARK-49648.
Authored-by: Dongjoon Hyun <[email protected]>
Signed-off-by: Dongjoon Hyun <[email protected]>
---
docs/security.md | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/docs/security.md b/docs/security.md
index a8f4e4ec5389..b97abfeacf24 100644
--- a/docs/security.md
+++ b/docs/security.md
@@ -55,7 +55,8 @@ To enable authorization, Spark Master should have
`spark.master.rest.filters=org.apache.spark.ui.JWSFilter` and
`spark.org.apache.spark.ui.JWSFilter.param.secretKey=BASE64URL-ENCODED-KEY`
configurations, and
client should provide HTTP `Authorization` header which contains JSON Web
Token signed by
-the shared secret key.
+the shared secret key. Please note that this feature requires a Spark
distribution built with
+`jjwt` profile.
### YARN
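Review bot: The added sentence closing the REST authorization paragraph names a build requirement ("a Spark distribution built with `jjwt` profile") without telling the reader how to meet it or how to recognise that it is unmet. Someone who sets `spark.master.rest.filters=org.apache.spark.ui.JWSFilter` on a distribution built without the profile needs to know whether the Master refuses to start or starts with the REST port unauthenticated, so please state that behaviour and name the build option that enables the profile. Minor wording: "built with the `jjwt` profile", and "Please note that" can be dropped.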
@@ -813,6 +814,12 @@ They are generally private services, and should only be
accessible within the ne
organization that deploys Spark. Access to the hosts and ports used by Spark
services should
be limited to origin hosts that need to access the services.
+However, like the REST Submission port, Spark also supports HTTP
`Authorization` header
+with a cryptographically signed JSON Web Token (JWT) for all UI ports.
+To use it, a user needs the Spark distribution built with `jjwt` profile and
to configure
+`spark.ui.filters=org.apache.spark.ui.JWSFilter` and
+`spark.org.apache.spark.ui.JWSFilter.param.secretKey=BASE64URL-ENCODED-KEY`.
+
Below are the primary ports that Spark uses for its communication and how to
configure those ports.
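Review bot: The new paragraph opens with "However," directly after the sentence saying access "should be limited to origin hosts that need to access the services", which reads as if the JWT filter were an alternative to restricting network access. The commit message describes it as "In addition to the existing restriction", so an opening such as "In addition, like the REST Submission port, ..." would keep both controls in force. Two smaller points in the same paragraph: "all UI ports" is not tied to the port tables that follow, so a reader cannot tell which listed ports `spark.ui.filters` covers, and the text says JWT while the filter and the section title say JWS, which deserves a few words of explanation. The first hunk says the token is "signed by the shared secret key"; this paragraph should say the same about `secretKey` so it is clear the value is a shared symmetric secret.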