dongjoon-hyun commented on code in PR #45425:
URL: https://github.com/apache/spark/pull/45425#discussion_r1525398491


##########
docs/security.md:
##########
@@ -149,24 +149,32 @@ secret file agrees with the executors' secret file.
 
 # Network Encryption
 
-Spark supports two mutually exclusive forms of encryption for RPC connections.
+Spark supports two mutually exclusive forms of encryption for RPC connections:
 
-The first is an AES-based encryption which relies on a shared secret, and thus 
requires
-RPC authentication to also be enabled.
+The **preferred method** uses TLS (aka SSL) encryption via Netty's support for 
SSL. Enabling SSL
+requires keys and certificates to be properly configured. SSL is standardized 
and considered more
+secure.
 
-The second is an SSL based encryption mechanism utilizing Netty's support for 
SSL. This requires
-keys and certificates to be properly configured. It can be used with or 
without the authentication
-mechanism discussed earlier.
-
-One may prefer to use the SSL based encryption in scenarios where compliance 
mandates the usage
-of specific protocols; or to leverage the security of a more standard 
encryption library. However,
-the AES based encryption is simpler to configure and may be preferred if the 
only requirement
-is that data be encrypted in transit.
+The legacy method is an AES-based encryption mechanism relying on a shared 
secret. This requires
+RPC authentication to also be enabled. This method uses a bespoke protocol and 
should be considered
+deprecated in favor of SSL.
 
 If both options are enabled in the configuration, the SSL based RPC encryption 
takes precedence
 and the AES based encryption will not be used (and a warning message will be 
emitted).
 
-## AES based Encryption
+## SSL Encryption (Preferred)
+
+Spark supports SSL based encryption for RPC connections. Please refer to the 
SSL Configuration
+section below to understand how to configure it. The SSL settings are mostly 
similar across the UI
+and RPC, however there are a few additional settings which are specific to the 
RPC implementation.
+The RPC implementation uses Netty under the hood (while the UI uses Jetty), 
which supports a
+different set of options.
+
+Unlike the other SSL settings for the UI, the RPC SSL is *not* automatically 
enabled if
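
Review bot: The rewritten introduction drops the removed sentence "It can be used with or without the authentication mechanism discussed earlier", so the new text states the RPC-authentication requirement only for the AES method and no longer says whether SSL depends on it. Suggest keeping one sentence on that in the "preferred method" paragraph, and replacing "considered more secure" with the concrete reason the added lines already give (a standardized protocol rather than a bespoke one).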

Review Comment:
   Since this layer is completely irrelevant to the UI, we don't need to say it like this. Shall we omit this paragraph?
   > Unlike the other SSL settings for the UI


