[SPARK-16796] [Web UI] Visible passwords on Spark environment page #14409
Could we use Set for this?
|
@ajbozarth What if some property will be introduced containing "password" in its name, but not having password in its value? @dongjoon-hyun I can change it to Set. |
|
I'd say that a property like that was poorly named, but it is still a valid possibility so leaving it as you have it is probably better |
|
All in all I think this looks good |
|
Perhaps everything with the name "password" we should just hide it? |
| val passwordProperties: Set[String] = Set("spark.ssl.keyPassword", | ||
| "spark.ssl.keyStorePassword", "spark.ssl.trustStorePassword") | ||
|
|
||
| def removePass(kv: (String, String)): (String, String) = { |
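Review bot: The exact-name `passwordProperties` set covers only the three `spark.ssl.*` keys listed, so a secret stored under any other key is still rendered in clear text on the page. Consider matching on the key itself, for example a case-insensitive check for "password", and keeping the set only as an explicit addition to that rule. `removePass` is also declared without an access modifier on the visible line; nothing here needs it outside this class, so mark it `private`.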
private? agree with filtering anything whose key has "password" (not case sensitive). Check for other instances where listener.sparkProperties is accessed too?
37b11ca to
e97f894
Compare
|
@srowen Made removePass |
| propertyHeader, jvmRow, listener.jvmInformation, fixedWidth = true) | ||
| val sparkPropertiesTable = UIUtils.listingTable( | ||
| propertyHeader, propertyRow, listener.sparkProperties, fixedWidth = true) | ||
| propertyHeader, propertyRow, listener.sparkProperties.map(removePass), fixedWidth = true) |
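Review bot: Masking is applied only at this one call site, `listener.sparkProperties.map(removePass)`, while the `listener.jvmInformation` table on the first line of the hunk is still built from unfiltered data and the listener keeps the unmasked values. Redacting once, before any table on this page is built, would keep a later reader of `listener.sparkProperties` from rendering the raw values. A test asserting that the rendered page does not contain a configured password would pin the behaviour down.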
This may be just taste, but isn't this easier inline?
val redactedProperties = listener.sparkProperties.map { case (key, value) =>
(key, if (key.toLowerCase.contains("password")) "******" else value)
}
Are there any other instances where properties are displayed that need redacting?
|
@srowen I think it looks cleaner when it is not inline. |
|
Jenkins test this please |
|
@Devian-ua what is your ASF JIRA handle? |
|
@srowen You mean username? It is |
|
Test build #63128 has finished for PR 14409 at commit
|
|
Merged to master |
|
@Devian-ua Also curious if you have any plans to backport this small change to 1.5.x and 1.6.x |
|
I'm OK back-porting further. It's minor and a potential security improvement. I don't think the 1.5 branch is active though. |
## What changes were proposed in this pull request?

Mask spark.ssl.keyPassword, spark.ssl.keyStorePassword, spark.ssl.trustStorePassword in Web UI environment page. (Changes their values to ***** in env. page)

## How was this patch tested?

I've built spark, run spark shell and checked that these values have been masked with *****.
Also run tests:
./dev/run-tests
[info] ScalaTest
[info] Run completed in 1 hour, 9 minutes, 5 seconds.
[info] Total number of tests run: 2166
[info] Suites: completed 65, aborted 0
[info] Tests: succeeded 2166, failed 0, canceled 0, ignored 590, pending 0
[info] All tests passed.

Author: Artur Sukhenko <[email protected]>

Closes #14409 from Devian-ua/maskpass.

(cherry picked from commit 3861273)
Signed-off-by: Sean Owen <[email protected]>
|
@srowen @a-roberts So what should we do with |
|
Let's open a follow up JIRA on this, but I would say that similar to |
|
If it's truly just an addendum to this issue, tacked on, just attach to the existing issue. |
|
@srowen So what should I do? |
|
Just another PR for the same JIRA |
|
@srowen Different branch? |
|
Yes, this is merged now. |
## What changes were proposed in this pull request?

Mask spark.ssl.keyPassword, spark.ssl.keyStorePassword, spark.ssl.trustStorePassword in Web UI environment page. (Changes their values to ***** in env. page)

## How was this patch tested?

I've built spark, run spark shell and checked that these values have been masked with *****.
Also run tests:
./dev/run-tests
[info] ScalaTest
[info] Run completed in 1 hour, 9 minutes, 5 seconds.
[info] Total number of tests run: 2166
[info] Suites: completed 65, aborted 0
[info] Tests: succeeded 2166, failed 0, canceled 0, ignored 590, pending 0
[info] All tests passed.

Author: Artur Sukhenko <[email protected]>

Closes apache#14409 from Devian-ua/maskpass.

(cherry picked from commit 3861273)
Signed-off-by: Sean Owen <[email protected]>
(cherry picked from commit 52d8837)
## What changes were proposed in this pull request?

Mask `spark.authenticate.secret` on Spark environment page (Web UI). This is an addition to #14409

## How was this patch tested?

`./dev/run-tests`
[info] ScalaTest
[info] Run completed in 1 hour, 8 minutes, 38 seconds.
[info] Total number of tests run: 2166
[info] Suites: completed 65, aborted 0
[info] Tests: succeeded 2166, failed 0, canceled 0, ignored 590, pending 0
[info] All tests passed.

Author: Artur Sukhenko <[email protected]>

Closes #14484 from Devian-ua/SPARK-16796.
|
A related commit #14484 hasn't been added to Spark 2.0 for 2.0.1 or 2.0.2 |
|
This was all merged to master, meaning 2.1.x |
|
Thanks for the quick response. I did see this in 2.1.X branch; but #14409 made it into 2.0.X, which was merged on August 3rd, while #14484 didn't which was merged on August 5th. Although it's a small change, providing sensitive information on a web UI isn't ideal, it is IMO important enough to make it into Spark 2.0.2. |
|
Aha I see it now. Yes I think it's fair to put in 2.0 as well. It may or may not make 2.0.2. |
|
Appreciate that. Thank you. |
## What changes were proposed in this pull request?

Mask `spark.authenticate.secret` on Spark environment page (Web UI). This is an addition to #14409

## How was this patch tested?

`./dev/run-tests`
[info] ScalaTest
[info] Run completed in 1 hour, 8 minutes, 38 seconds.
[info] Total number of tests run: 2166
[info] Suites: completed 65, aborted 0
[info] Tests: succeeded 2166, failed 0, canceled 0, ignored 590, pending 0
[info] All tests passed.

Author: Artur Sukhenko <[email protected]>

Closes #14484 from Devian-ua/SPARK-16796.

(cherry picked from commit 14dba45)
Signed-off-by: Sean Owen <[email protected]>
What changes were proposed in this pull request?
Mask spark.ssl.keyPassword, spark.ssl.keyStorePassword, spark.ssl.trustStorePassword in Web UI environment page.
(Changes their values to ***** in env. page)
How was this patch tested?
I've built spark, run spark shell and checked that these values have been masked with *****.
Also run tests:
./dev/run-tests
[info] ScalaTest
[info] Run completed in 1 hour, 9 minutes, 5 seconds.
[info] Total number of tests run: 2166
[info] Suites: completed 65, aborted 0
[info] Tests: succeeded 2166, failed 0, canceled 0, ignored 590, pending 0
[info] All tests passed.
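
The trade-off argued in this thread (an exact-name set versus a case-insensitive match on "password", plus the later follow-up for `spark.authenticate.secret`), as an added Scala example that is not Spark's code. The property values, the two `spark.example.*` keys and the widened `password|secret` pattern are assumptions of this example.

```scala
// Added example, not Spark's code. All values and spark.example.* keys are constructed.
object RedactionComparison {
  type KV = (String, String)
  val Mask = "******"

  // Rule 1: exact-name set, as in the hunk quoted in the thread.
  val passwordProperties: Set[String] = Set("spark.ssl.keyPassword",
    "spark.ssl.keyStorePassword", "spark.ssl.trustStorePassword")
  def byExactName(kv: KV): KV =
    if (passwordProperties.contains(kv._1)) (kv._1, Mask) else kv

  // Rule 2: case-insensitive "password" substring, as suggested in review.
  def byPasswordSubstring(kv: KV): KV =
    if (kv._1.toLowerCase.contains("password")) (kv._1, Mask) else kv

  // Rule 3 (assumption of this example): also treat "secret" in the key as sensitive.
  private val sensitiveKey = "(?i)(password|secret)".r
  def byPattern(kv: KV): KV =
    if (sensitiveKey.findFirstIn(kv._1).isDefined) (kv._1, Mask) else kv

  // Secret-bearing keys whose value is still shown in clear after a rule is applied.
  def leaked(rule: KV => KV, props: Seq[KV], secretKeys: Set[String]): Seq[String] =
    props.map(rule).collect { case (k, v) if secretKeys(k) && v != Mask => k }

  // Non-secret keys that a rule hides anyway (the naming concern raised in the thread).
  def overMasked(rule: KV => KV, props: Seq[KV], secretKeys: Set[String]): Seq[String] =
    props.map(rule).collect { case (k, v) if !secretKeys(k) && v == Mask => k }

  def main(args: Array[String]): Unit = {
    val props: Seq[KV] = Seq(
      "spark.app.name" -> "demo",
      "spark.ssl.keyPassword" -> "constructed-1",
      "spark.ssl.keyStorePassword" -> "constructed-2",
      "spark.ssl.trustStorePassword" -> "constructed-3",
      "spark.authenticate.secret" -> "constructed-4",
      "spark.example.db.PASSWORD" -> "constructed-5",    // hypothetical key
      "spark.example.passwordPolicy" -> "strict")        // hypothetical, not a secret
    val secretKeys = props.map(_._1).toSet -- Set("spark.app.name", "spark.example.passwordPolicy")
    def report(name: String, rule: KV => KV): Unit =
      println(s"$name: leaked=${leaked(rule, props, secretKeys)} " +
        s"overMasked=${overMasked(rule, props, secretKeys)}")
    report("exact-name", byExactName)
    report("substring", byPasswordSubstring)
    report("pattern", byPattern)
  }
}
```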