docs/security.md
13 additions & 1 deletion
@@ -23,7 +23,8 @@ If your applications are using event logging, the directory where the event logs
23
23
24
24
## Encryption
25
25
26
-
Spark supports SSL for Akka and HTTP (for broadcast and file server) protocols. However SSL is not supported yet for WebUI and block transfer service.
26
+
Spark supports SSL for Akka and HTTP (for broadcast and file server) protocols. SASL encryption is
27
+
supported for the block transfer service. Encryption is not yet supported for the WebUI.
27
28
28
29
Connection encryption (SSL) configuration is organized hierarchically. The user can configure the default SSL settings which will be used for all the supported communication protocols unless they are overwritten by protocol-specific settings. This way the user can easily provide the common settings for all the protocols without disabling the ability to configure each one individually. The common SSL settings are at `spark.ssl` namespace in Spark configuration, while Akka SSL configuration is at `spark.ssl.akka` and HTTP for broadcast and file server SSL configuration is at `spark.ssl.fs`. The full breakdown can be found on the [configuration page](configuration.html).
29
30
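Review bot: The rewritten opening sentence of the Encryption section now covers two mechanisms (SSL for Akka and HTTP, SASL for the block transfer service), but the unchanged paragraph that follows only explains the `spark.ssl` namespaces, so a reader has no pointer to where SASL encryption is configured. Suggest adding a short forward reference to the "Configuring SASL Encryption" section here, and making it clear that the `spark.ssl.*` settings do not apply to the block transfer service. It would also help to keep the remaining gap prominent, since "Encryption is not yet supported for the WebUI" is easy to miss at the end of the sentence.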
@@ -47,6 +48,17 @@ follows:
47
48
* Import all exported public keys into a single trust-store
48
49
* Distribute the trust-store over the nodes
49
50
51
+
### Configuring SASL Encryption
52
+
53
+
To enable SASL encryption for an application, set `spark.authenticate.enableSaslEncryption` to
54
+
`true`. Authentication (`spark.authenticate`) must also be turned on for this option to take
55
+
effect.
56
+
57
+
When using an external shuffle service, it's possible to disable unencrypted connections by setting
58
+
`spark.network.sasl.serverAlwaysEncrypt` to `true` in the shuffle service's configuration. If that
59
+
option is enabled, applications that are not set up to use SASL encryption will fail to connect to
60
+
the shuffle service.
61
+
50
62
## Configuring Ports for Network Security
51
63
52
64
Spark makes heavy use of the network, and some environments have strict requirements for using tight
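Review bot: In the new "Configuring SASL Encryption" section, the sentence "Authentication (`spark.authenticate`) must also be turned on for this option to take effect" leaves the failure mode implicit: as worded, setting `spark.authenticate.enableSaslEncryption` to `true` without `spark.authenticate` reads as a silent no-op, which would leave block transfer traffic unencrypted while the operator believes it is protected. Suggest stating explicitly what happens in that case, and giving the default value of both `spark.authenticate.enableSaslEncryption` and `spark.network.sasl.serverAlwaysEncrypt` or linking to the configuration page as the SSL paragraph does. For the shuffle service paragraph, consider saying that `spark.network.sasl.serverAlwaysEncrypt` is set on the shuffle service side rather than per application, since the text only says "in the shuffle service's configuration" and the connection failures it describes will surface in the applications.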