Github user jacek-lewandowski commented on the pull request:

    https://github.com/apache/spark/pull/9287#issuecomment-154496831
  
    @vanzin I've changed it a little bit. The master doesn't create two 
endpoints now but different users can be used with a single endpoint. So 
basically the user can plug in his own password authenticator if he wants to, which 
will be used to authenticate Spark users with the master. 
    
    To authenticate workers with the master, and clients when no special 
password authenticator is plugged in, the default SASL user is used (as it was 
used so far). When the user wants to enable more sophisticated authentication, 
he simply needs to provide some authenticator or just set different secrets for 
the default user {{sparkSaslUser}} (which is used by the workers) and other 
users (the default authenticator allows setting multiple secrets like 
{{spark.authenticate.secrets.<username>=password}} while the default password 
is set as usual with {{spark.authenticate.secret}}). In this case, the users 
should just not need to know the default user password. Obviously, this only 
works for Netty RPC. The whole original behaviour when no-secret or a single 
shared secret is provided remains unchanged.
    
    The last PR is not polished, but it removes most of the changes from the 
master. The remaining thing is authorisation - determining who is communicating 
with the master and authorising the requests (for example, only a default user 
can exchange worker messages, or only the application owner can remove his 
application).


