gaborgsomogyi opened a new pull request #24170: [SPARK-26998][CORE] Add secure alternatives of ssl password parameters
URL: https://github.com/apache/spark/pull/24170

## What changes were proposed in this pull request?

Different SSL passwords can be provided as command line arguments:

* keyStorePassword
* keyPassword
* trustStorePassword

Configuring them as a command line argument causes security issues. Namely, the plain text password can be dumped by listing the process command line arguments. In this PR I've introduced their secure alternatives:

* keyStorePasswordFile
* keyPasswordFile
* trustStorePasswordFile

and introduced a warning when the insecure parameters are used. As a minor fix, I added some further debug printouts to `SSLOptions`.

## How was this patch tested?

Existing + additional unit tests. Additionally tested with standalone mode and checked the command line arguments:

```
502 60950 1 0 6:44PM ttys007 0:05.24 /Library/Java/JavaVirtualMachines/jdk1.8.0_152.jdk/Contents/Home/bin/java -cp /Users/gaborsomogyi/spark/conf/:/Users/gaborsomogyi/spark/assembly/target/scala-2.12/jars/* -Xmx1g org.apache.spark.deploy.master.Master --host gsomogyi-MBP.local --port 7077 --webui-port 8080 --properties-file conf/spark-defaults.conf
502 61227 1 0 6:44PM ttys007 0:07.41 /Library/Java/JavaVirtualMachines/jdk1.8.0_152.jdk/Contents/Home/bin/java -cp /Users/gaborsomogyi/spark/conf/:/Users/gaborsomogyi/spark/assembly/target/scala-2.12/jars/* -Xmx1g org.apache.spark.deploy.worker.Worker --webui-port 8081 --properties-file conf/spark-defaults.conf spark://gsomogyi-MBP.local:7077
502 61514 61227 0 6:46PM ttys007 0:05.99 /Library/Java/JavaVirtualMachines/jdk1.8.0_152.jdk/Contents/Home/bin/java -cp /Users/gaborsomogyi/spark/conf/:/Users/gaborsomogyi/spark/assembly/target/scala-2.12/jars/* -Xmx1024M -Dspark.ssl.keyStorePasswordFile=/Users/gaborsomogyi/certs/password -Dspark.ssl.enabledAlgorithms=ECDHE-RSA-AES256-SHA,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 -Dspark.ssl.trustStore=/Users/gaborsomogyi/certs/truststore.jks -Dspark.ssl.protocol=TLSv1.2 -Dspark.ssl.ui.port=0 -Dspark.ssl.trustStoreType=JKS -Dspark.ssl.keyPasswordFile=/Users/gaborsomogyi/certs/password -Dspark.ssl.keyStore=/Users/gaborsomogyi/certs/spark-keystore.jks -Dspark.driver.port=51603 -Dspark.ssl.trustStorePasswordFile=/Users/gaborsomogyi/certs/password -Dspark.ssl.enabled=true org.apache.spark.executor.CoarseGrainedExecutorBackend --driver-url spark://[email protected]:51603 --executor-id 0 --hostname 192.168.100.112 --cores 8 --app-id app-20190321184653-0000 --worker-url spark://[email protected]:51598
```
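The configuration contract the PR describes (a `<name>PasswordFile` key whose file contents become the password, a warning when the legacy plain-text `<name>Password` key is still present, and a process listing that then only exposes a path) can be exercised in a small, self-contained resolver. The block below is an added example, not Spark's code or part of this PR: the function names, the `spark.ssl.` prefix handling, the precedence rule (file wins over plain value), and the refusal to read group- or world-readable password files are all assumptions made for illustration. The `demo()` function builds its own temporary password file and constructed configuration so it runs offline.

```python
"""Resolve SSL passwords from *PasswordFile settings and flag plain-text ones.

Added example (not Spark's own code): models the contract described in
SPARK-26998 -- `<key>File` holds a path whose contents are the password, and
the plain `<key>` form is warned about.  Function names and the permission
check are assumptions for illustration.
"""
import os
import stat
import tempfile

# The three settings the PR covers, keyed by their spark.ssl.* suffix.
PASSWORD_KEYS = ("keyStorePassword", "keyPassword", "trustStorePassword")


def read_password_file(path):
    """Return the first line of `path` without its trailing newline.

    Refuses files readable by group or others: a password file any local user
    can read is no better than a command-line flag.  (This permission check is
    an assumption of the example, not part of the PR.)
    """
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is readable by group/others (mode {oct(mode)})")
    with open(path, "r", encoding="utf-8") as f:
        return f.readline().rstrip("\r\n")


def resolve_ssl_passwords(conf, prefix="spark.ssl."):
    """Resolve each SSL password from `conf` (a dict of key -> value).

    Precedence: `<key>File` wins; the plain `<key>` is used only as a fallback
    and always produces a warning string, mirroring the PR's warning on
    insecure use.  Returns (passwords, warnings).
    """
    passwords = {}
    notes = []
    for key in PASSWORD_KEYS:
        plain = conf.get(prefix + key)
        file_key = prefix + key + "File"
        if plain is not None:
            notes.append(f"{prefix}{key} is set in plain text; use {file_key} instead")
        if file_key in conf:
            passwords[key] = read_password_file(conf[file_key])
        elif plain is not None:
            passwords[key] = plain
    return passwords, notes


def find_plaintext_passwords_in_cmdline(cmdline, prefix="spark.ssl."):
    """Scan one process command line (e.g. a `ps` row) for -D<prefix><key>=... flags.

    Defensive audit helper: returns the keys whose secret is exposed on the
    command line.  The *File variants do not match because only a path follows
    them, which is exactly what the PR's `ps` output shows.
    """
    return [key for key in PASSWORD_KEYS if f"-D{prefix}{key}=" in cmdline]


def demo():
    """Run the resolver on a constructed config backed by a temp password file."""
    with tempfile.TemporaryDirectory() as d:
        pw_path = os.path.join(d, "password")
        with open(pw_path, "w", encoding="utf-8") as f:
            f.write("s3cret\n")          # constructed sample secret
        os.chmod(pw_path, 0o600)         # owner-only, as a password file should be
        conf = {
            "spark.ssl.keyStorePasswordFile": pw_path,   # secure form
            "spark.ssl.keyPassword": "legacy",           # insecure form, constructed
        }
        return resolve_ssl_passwords(conf)


if __name__ == "__main__":
    passwords, notes = demo()
    print(passwords, notes)
```

`read_password_file` deliberately takes only the first line so a trailing newline left by an editor does not become part of the password; the mode check turns a misconfigured `chmod 644` into a hard failure rather than a silent leak.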
This is an automated message from the Apache Git Service.
