GitHub user vanzin opened a pull request:

    https://github.com/apache/spark/pull/23174

    [SPARK-26194][k8s] Auto generate auth secret for k8s apps.

    This change modifies the logic in the SecurityManager to do two
    things:
    
    - generate unique app secrets also when k8s is being used
    - only store the secret in the user's UGI on YARN
    
    The latter is needed so that k8s won't unnecessarily create
    k8s secrets for the UGI credentials when only the auth token
    is stored there.
    
    On the k8s side, the secret is propagated to executors using
    an environment variable instead. This ensures it works in both
    client and cluster mode.
    
    Security doc was updated to mention the feature and clarify that
    proper access control in k8s should be enabled for it to be secure.

You can merge this pull request into a Git repository by running:

    $ git pull https://github.com/vanzin/spark SPARK-26194

Alternatively you can review and apply these changes as the patch at:

    https://github.com/apache/spark/pull/23174.patch

To close this pull request, make a commit to your master/trunk branch
with (at least) the following in the commit message:

    This closes #23174
    
----
commit 0e36a4bb4a5a1ad9abee7e003b7d5f3588cba126
Author: Marcelo Vanzin <vanzin@...>
Date:   2018-11-16T23:21:00Z

    [SPARK-26194][k8s] Auto generate auth secret for k8s apps.
    
    This change modifies the logic in the SecurityManager to do two
    things:
    
    - generate unique app secrets also when k8s is being used
    - only store the secret in the user's UGI on YARN
    
    The latter is needed so that k8s won't unnecessarily create
    k8s secrets for the UGI credentials when only the auth token
    is stored there.
    
    On the k8s side, the secret is propagated to executors using
    an environment variable instead. This ensures it works in both
    client and cluster mode.
    
    Security doc was updated to mention the feature and clarify that
    proper access control in k8s should be enabled for it to be secure.

----
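The description's point about access control, as an added example (not code from this pull request or from Spark): assuming the secret is set as a plain environment value in the executor pod spec, any subject that can read pods in the namespace can read it. The check below flags such subjects. The role names, subjects and RBAC data are constructed, reduced to the fields of Role and RoleBinding objects that the check uses.

```python
"""Flag RBAC subjects that can read pod specs in a Spark-on-k8s namespace."""

READ_VERBS = {"get", "list", "watch", "*"}

# Constructed sample data (hypothetical names), keyed by Role name.
ROLES = {
    "spark-driver": [{"apiGroups": [""], "resources": ["pods", "services"], "verbs": ["*"]}],
    "ci-viewer": [{"apiGroups": [""], "resources": ["pods"], "verbs": ["get", "list"]}],
    "log-reader": [{"apiGroups": [""], "resources": ["pods/log"], "verbs": ["get"]}],
    "deployer": [{"apiGroups": ["apps"], "resources": ["*"], "verbs": ["*"]}],
    "ns-admin": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}],
}
BINDINGS = [
    {"role": "spark-driver", "subjects": ["ServiceAccount/spark"]},
    {"role": "ci-viewer", "subjects": ["Group/ci-bots"]},
    {"role": "log-reader", "subjects": ["User/alice"]},
    {"role": "deployer", "subjects": ["User/bob"]},
    {"role": "ns-admin", "subjects": ["User/carol"]},
]


def rule_exposes_pod_spec(rule):
    """True if the rule lets its holder read Pod objects, env values included."""
    groups = set(rule.get("apiGroups", []))
    resources = set(rule.get("resources", []))
    verbs = set(rule.get("verbs", []))
    return (
        bool(groups & {"", "*"})             # pods live in the core ("") API group
        and bool(resources & {"pods", "*"})  # "pods/log" alone does not return the spec
        and bool(verbs & READ_VERBS)
    )


def unexpected_pod_readers(roles, bindings, expected):
    """Subjects bound to a pod-reading role that are not in the expected set."""
    found = set()
    for binding in bindings:
        rules = roles.get(binding["role"], [])
        if any(rule_exposes_pod_spec(r) for r in rules):
            found.update(binding["subjects"])
    return sorted(found - set(expected))


if __name__ == "__main__":
    # Only the Spark service account is meant to see executor pod specs here.
    for subject in unexpected_pod_readers(ROLES, BINDINGS, {"ServiceAccount/spark"}):
        print("can read executor env (auth secret):", subject)
```
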

