Github user vanzin commented on the pull request:
https://github.com/apache/spark/pull/6676#issuecomment-110847288
> it is only private to the user, not private to the process
That's not a thing. You're not gonna get anywhere, security-wise, without
user isolation. Think:
- You can use `jmap` to read the other process's heap if both are being run
by the same user. Pretty easy to find any secrets by just searching for the
right object in the heap dump.
- Let's say that for some reason `jmap` does not work, and that you
implement the "per-app keys" you talk about. The malicious user can kill the
`Master` or `Worker` process, start his own in its place, and start
recording all the keys being distributed to apps. All processes are running as
the same user, so that's totally feasible.
The change to remove the secret from the command line is a good one,
because it makes the secret private to the user, in your own jargon. But that
is a trivial change, and has no side-effect on anything else you're trying to
do. So unless you provide an explanation of exactly where you want to go with
this "stdin communication channel", it's just a complication that doesn't add
any security, and thus should be avoided.
We're talking about a patch that would be a few lines long with my
suggestion, instead of all the changes you currently have, while achieving
exactly the same result.
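To make the command-line point concrete, here is an added example (not code from the PR or from Spark) that shows why moving a secret off the command line matters: a secret passed as an argument is readable by any process running as the same user through `/proc/<pid>/cmdline` (or `ps`), while one passed over stdin is not. The secret value and the helper child script are constructed for the example; as the comment above notes, this only removes the argv exposure, since the secret still lives in the child's memory.

```python
import subprocess
import sys

# Constructed sample value standing in for a real shared secret.
SECRET = "constructed-example-secret-0xC0FFEE"

# Helper child (constructed): takes the secret from argv[1] if present,
# otherwise reads one line from stdin; then blocks until stdin is closed
# so the parent has time to inspect it.
CHILD = ("import sys; "
         "secret = sys.argv[1] if len(sys.argv) > 1 else sys.stdin.readline().rstrip(); "
         "sys.stdin.read()")


def cmdline_of(pid: int) -> str:
    """Return another process's command line the way any same-user process sees it."""
    try:
        with open(f"/proc/{pid}/cmdline", "rb") as f:
            return f.read().replace(b"\0", b" ").decode(errors="replace")
    except FileNotFoundError:
        # Non-Linux fallback: ps exposes the same information.
        out = subprocess.run(["ps", "-o", "args=", "-p", str(pid)],
                             capture_output=True, text=True)
        return out.stdout


def secret_visible(via: str) -> bool:
    """Start the helper child, hand it SECRET via 'argv' or 'stdin',
    and report whether SECRET shows up in the child's command line."""
    cmd = [sys.executable, "-c", CHILD] + ([SECRET] if via == "argv" else [])
    child = subprocess.Popen(cmd, stdin=subprocess.PIPE, text=True)
    try:
        if via == "stdin":
            child.stdin.write(SECRET + "\n")
            child.stdin.flush()
        return SECRET in cmdline_of(child.pid)
    finally:
        child.stdin.close()  # unblocks the child's sys.stdin.read()
        child.wait()


if __name__ == "__main__":
    print("secret visible via argv :", secret_visible("argv"))   # True
    print("secret visible via stdin:", secret_visible("stdin"))  # False
```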