Github user vanzin commented on the pull request:
https://github.com/apache/spark/pull/8218#issuecomment-137238198
Hi @andrewor14,
This patch is not very useful outside YARN. On Standalone, all apps run as
the same user, and authenticate using the same user and secret. So there's no
way to prevent one app from reading another's shuffle files (either through the
shuffle service or reading them directly from disk).
On YARN, each app authenticates itself using the app's ID as the user name,
and a secure, per-app secret (see `SecurityManager::generateSecretKey`).
Authentication is not based on the app simply saying who it is - the app needs
to know that secret. After the SASL auth occurs, then we just do simple
matching of what app the shuffle file belongs to and what app the connection
was authenticated as. You can't spoof it.
---
If your project is set up for it, you can reply to this email and have your
reply appear on GitHub as well. If your project does not have this feature
enabled and wishes so, or if the feature is enabled but not working, please
contact infrastructure at [email protected] or file a JIRA ticket
with INFRA.
---
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
