mridulm commented on code in PR #2481: URL: https://github.com/apache/celeborn/pull/2481#discussion_r1582554034
########## docs/configuration/network-module.md: ########## @@ -0,0 +1,34 @@ +--- +license: | + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + https://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--- + +<!--begin-include--> + +The various transport modules, which can be configured, are: + +| Module | Parent Module | Description | +| ------ | ------------- | ----------- | +| rpc_app | rpc | Configure control plane RPC environment used by Celeborn within the application. For backward compatibility, supports fallback to `rpc` parent module for missing configuration.<br/> Note, this is for RPC environment - see below for other transport modules | Review Comment: Not sure if I am missing some nuance in the query. They are not configuring client versus server, but rather a service - for example, for rpc, this would be the rpc server at lifecyclemanager (`rpc_app`) versus rpc server at master/workers (`rpc_service`). The client side should be compatible with what the server has been configured with. Given this, `rpc_app` is configuring the ssl config to be used entirely within the application side : so the ssl configuration for executors (client) talking to lifecyclemanager's tls enabled rpc server (server). When talking to service side (Master/Workers), it should all be under `rpc_service`. This includes clients from lifecyclemanager/executors and clients from other service components (workers -> masters). A different way to look at it is, the client and server side of ssl configs should be compatible (ssl enabled, compatible config for certificate/trust store, etc) - and each SSL enabled server can have its own set of configurations. For example, in our deployment internally, once we deploy TLS, we will have: * Signed certificates for each Masters/workers to start the servers * Trust store which has the CA certificate which can be used validate the server certificates. ** This will be available at each client - hence all masters/workers (since they all talk to each other), and on all compute nodes (for applications talking to service nodes). On other hand, for the lifecyclemanager rpc service, we will simply enable SSL and auto ssl. That is, there will be a self signed certificate generated at driver - which will be used to secure the communication, but no identity validation of lifecyclemanager - when executors connect to it. Hope this clarifies ! I want to make sure this part of the documentation is clear to users - please do suggest how we can improve it to remove confusion and improve clarity, thanks !! -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
