[GitHub] [spark] HeartSaVioR commented on a change in pull request #24170: [SPARK-26998][CORE] Add secure alternatives of ssl password parameters

Thu, 21 Mar 2019 20:53:48 -0700 

HeartSaVioR commented on a change in pull request #24170: [SPARK-26998][CORE] 
Add secure alternatives of ssl password parameters
URL: https://github.com/apache/spark/pull/24170#discussion_r268030333
 
 

 ##########
 File path: core/src/main/scala/org/apache/spark/SSLOptions.scala
 ##########
 @@ -231,5 +230,45 @@ private[spark] object SSLOptions extends Logging {
       enabledAlgorithms)
   }
 
+  private def getPassword(
+      conf: SparkConf,
+      hadoopConf: Configuration,
+      ns: String,
+      parameter: String,
+      default: Option[String]): Option[String] = {
+    var parameterValue = conf.getWithSubstitution(s"$ns.$parameter")
+      .orElse(Option(hadoopConf.getPassword(s"$ns.$parameter")).map(new 
String(_)))
+      .orElse(default)
+    if (parameterValue.isDefined && default.isDefined && parameterValue.get != 
default.get) {
+      logWarning(
+        s"$ns.$parameter configuration parameter defined which may cause 
security problems. When " +
+        "its configured as command line argument then plain text password can 
be dumped by " +
+        "listing the process command line arguments. The more secure 
alternative solution is to " +
+        s"use $ns.${parameter}File."
+      )
+    }
+
+    val parameterFileValue = conf.getWithSubstitution(s"$ns.${parameter}File")
+      .orElse(Option(hadoopConf.getPassword(s"$ns.${parameter}File")).map(new 
String(_)))
+    if (parameterFileValue.isDefined) {
+      val parameterFileContent = readPasswordFile(parameterFileValue.get)
+      if (parameterValue.isDefined && parameterValue.get != 
parameterFileContent) {
+        throw new IllegalArgumentException(s"Both $ns.$parameter and 
$ns.${parameter}File " +
+          "parameters defined but the they differ.")
 
 Review comment:
   nit: remove `the` 

----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
 
For queries about this service, please contact Infrastructure at:
[email protected]


With regards,
Apache Git Services

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to