diff --git a/core/src/main/scala/org/apache/spark/SSLOptions.scala b/core/src/main/scala/org/apache/spark/SSLOptions.scala
index 2cdc167f85af0..73313988f1c7e 100644
--- a/core/src/main/scala/org/apache/spark/SSLOptions.scala
+++ b/core/src/main/scala/org/apache/spark/SSLOptions.scala
@@ -35,8 +35,11 @@ import org.eclipse.jetty.util.ssl.SslContextFactory
* @param keyStore a path to the key-store file
* @param keyStorePassword a password to access the key-store file
* @param keyPassword a password to access the private key in the key-store
+ * @param keyStoreType the type of the key-store
+ * @param needClientAuth set true if SSL needs client authentication
* @param trustStore a path to the trust-store file
* @param trustStorePassword a password to access the trust-store file
+ * @param trustStoreType the type of the trust-store
* @param protocol SSL protocol (remember that SSLv3 was compromised) supported by Java
* @param enabledAlgorithms a set of encryption algorithms to use
*/
@@ -45,8 +48,11 @@ private[spark] case class SSLOptions(
keyStore: Option[File] = None,
keyStorePassword: Option[String] = None,
keyPassword: Option[String] = None,
+ keyStoreType: Option[String] = None,
+ needClientAuth: Boolean = false,
trustStore: Option[File] = None,
trustStorePassword: Option[String] = None,
+ trustStoreType: Option[String] = None,
protocol: Option[String] = None,
enabledAlgorithms: Set[String] = Set.empty) {
@@ -58,12 +64,18 @@ private[spark] case class SSLOptions(
val sslContextFactory = new SslContextFactory()
keyStore.foreach(file => sslContextFactory.setKeyStorePath(file.getAbsolutePath))
- trustStore.foreach(file => sslContextFactory.setTrustStore(file.getAbsolutePath))
keyStorePassword.foreach(sslContextFactory.setKeyStorePassword)
- trustStorePassword.foreach(sslContextFactory.setTrustStorePassword)
keyPassword.foreach(sslContextFactory.setKeyManagerPassword)
+ keyStoreType.foreach(sslContextFactory.setKeyStoreType)
+ if (needClientAuth) {
+ trustStore.foreach(file => sslContextFactory.setTrustStore(file.getAbsolutePath))
+ trustStorePassword.foreach(sslContextFactory.setTrustStorePassword)
+ trustStoreType.foreach(sslContextFactory.setTrustStoreType)
+ }
protocol.foreach(sslContextFactory.setProtocol)
- sslContextFactory.setIncludeCipherSuites(enabledAlgorithms.toSeq: _*)
+ if (enabledAlgorithms.nonEmpty) {
+ sslContextFactory.setIncludeCipherSuites(enabledAlgorithms.toSeq: _*)
+ }
Some(sslContextFactory)
} else {
@@ -119,9 +131,12 @@ private[spark] object SSLOptions extends Logging {
* $ - `[ns].keyStore` - a path to the key-store file; can be relative to the current directory
* $ - `[ns].keyStorePassword` - a password to the key-store file
* $ - `[ns].keyPassword` - a password to the private key
+ * $ - `[ns].keyStoreType` - the type of the key-store
+ * $ - `[ns].needClientAuth` - whether SSL needs client authentication
* $ - `[ns].trustStore` - a path to the trust-store file; can be relative to the current
* directory
* $ - `[ns].trustStorePassword` - a password to the trust-store file
+ * $ - `[ns].trustStoreType` - the type of trust-store
* $ - `[ns].protocol` - a protocol name supported by a particular Java version
* $ - `[ns].enabledAlgorithms` - a comma separated list of ciphers
*
@@ -149,12 +164,21 @@ private[spark] object SSLOptions extends Logging {
val keyPassword = conf.getOption(s"$ns.keyPassword")
.orElse(defaults.flatMap(_.keyPassword))
+ val keyStoreType = conf.getOption(s"$ns.keyStoreType")
+ .orElse(defaults.flatMap(_.keyStoreType))
+
+ val needClientAuth =
+ conf.getBoolean(s"$ns.needClientAuth", defaultValue = defaults.exists(_.needClientAuth))
+
val trustStore = conf.getOption(s"$ns.trustStore").map(new File(_))
.orElse(defaults.flatMap(_.trustStore))
val trustStorePassword = conf.getOption(s"$ns.trustStorePassword")
.orElse(defaults.flatMap(_.trustStorePassword))
+ val trustStoreType = conf.getOption(s"$ns.trustStoreType")
+ .orElse(defaults.flatMap(_.trustStoreType))
+
val protocol = conf.getOption(s"$ns.protocol")
.orElse(defaults.flatMap(_.protocol))
@@ -168,8 +192,11 @@ private[spark] object SSLOptions extends Logging {
keyStore,
keyStorePassword,
keyPassword,
+ keyStoreType,
+ needClientAuth,
trustStore,
trustStorePassword,
+ trustStoreType,
protocol,
enabledAlgorithms)
}
diff --git a/core/src/main/scala/org/apache/spark/SecurityManager.scala b/core/src/main/scala/org/apache/spark/SecurityManager.scala
index 3653f724ba192..54a2f2c80588b 100644
--- a/core/src/main/scala/org/apache/spark/SecurityManager.scala
+++ b/core/src/main/scala/org/apache/spark/SecurityManager.scala
@@ -241,9 +241,11 @@ private[spark] class SecurityManager(sparkConf: SparkConf)
// configuration at a specified namespace. The namespace *must* start with spark.ssl.
val fileServerSSLOptions = SSLOptions.parse(sparkConf, "spark.ssl.fs", Some(defaultSSLOptions))
val akkaSSLOptions = SSLOptions.parse(sparkConf, "spark.ssl.akka", Some(defaultSSLOptions))
+ val webUISSLOptions = SSLOptions.parse(sparkConf, "spark.ssl.ui", Some(defaultSSLOptions))
logDebug(s"SSLConfiguration for file server: $fileServerSSLOptions")
logDebug(s"SSLConfiguration for Akka: $akkaSSLOptions")
+ logDebug(s"SSLConfiguration for web UI: $webUISSLOptions")
val (sslSocketFactory, hostnameVerifier) = if (fileServerSSLOptions.enabled) {
val trustStoreManagers =
diff --git a/core/src/main/scala/org/apache/spark/deploy/DeployMessage.scala b/core/src/main/scala/org/apache/spark/deploy/DeployMessage.scala
index 9db6fd1ac4dbe..4f66aba700f50 100644
--- a/core/src/main/scala/org/apache/spark/deploy/DeployMessage.scala
+++ b/core/src/main/scala/org/apache/spark/deploy/DeployMessage.scala
@@ -39,8 +39,7 @@ private[deploy] object DeployMessages {
port: Int,
cores: Int,
memory: Int,
- webUiPort: Int,
- publicAddress: String)
+ workerWebUiUrl: String)
extends DeployMessage {
Utils.checkHost(host, "Required hostname")
assert (port > 0)
diff --git a/core/src/main/scala/org/apache/spark/deploy/master/Master.scala b/core/src/main/scala/org/apache/spark/deploy/master/Master.scala
index ff2eed6dee70a..b906c5318f28e 100644
--- a/core/src/main/scala/org/apache/spark/deploy/master/Master.scala
+++ b/core/src/main/scala/org/apache/spark/deploy/master/Master.scala
@@ -227,7 +227,7 @@ private[master] class Master(
System.exit(0)
}
- case RegisterWorker(id, workerHost, workerPort, cores, memory, workerUiPort, publicAddress) =>
+ case RegisterWorker(id, workerHost, workerPort, cores, memory, workerWebUiUrl) =>
{
logInfo("Registering worker %s:%d with %d cores, %s RAM".format(
workerHost, workerPort, cores, Utils.megabytesToString(memory)))
@@ -237,7 +237,7 @@ private[master] class Master(
sender ! RegisterWorkerFailed("Duplicate worker ID")
} else {
val worker = new WorkerInfo(id, workerHost, workerPort, cores, memory,
- sender, workerUiPort, publicAddress)
+ sender, workerWebUiUrl)
if (registerWorker(worker)) {
persistenceEngine.addWorker(worker)
sender ! RegisteredWorker(masterUrl, masterWebUiUrl)
diff --git a/core/src/main/scala/org/apache/spark/deploy/master/WorkerInfo.scala b/core/src/main/scala/org/apache/spark/deploy/master/WorkerInfo.scala
index 9b3d48c6edc84..15969da8af4a9 100644
--- a/core/src/main/scala/org/apache/spark/deploy/master/WorkerInfo.scala
+++ b/core/src/main/scala/org/apache/spark/deploy/master/WorkerInfo.scala
@@ -31,8 +31,7 @@ private[spark] class WorkerInfo(
val cores: Int,
val memory: Int,
val actor: ActorRef,
- val webUiPort: Int,
- val publicAddress: String)
+ val webUiAddress: String)
extends Serializable {
Utils.checkHost(host, "Expected hostname")
@@ -100,10 +99,6 @@ private[spark] class WorkerInfo(
coresUsed -= driver.desc.cores
}
- def webUiAddress : String = {
- "http://" + this.publicAddress + ":" + this.webUiPort
- }
-
def setState(state: WorkerState.Value): Unit = {
this.state = state
}
diff --git a/core/src/main/scala/org/apache/spark/deploy/worker/Worker.scala b/core/src/main/scala/org/apache/spark/deploy/worker/Worker.scala
index 3ee2eb69e8a4e..dc4dcef4ba461 100755
--- a/core/src/main/scala/org/apache/spark/deploy/worker/Worker.scala
+++ b/core/src/main/scala/org/apache/spark/deploy/worker/Worker.scala
@@ -88,7 +88,7 @@ private[worker] class Worker(
private val CLEANUP_INTERVAL_MILLIS =
conf.getLong("spark.worker.cleanup.interval", 60 * 30) * 1000
// TTL for app folders/data; after TTL expires it will be cleaned up
- private val APP_DATA_RETENTION_SECS =
+ private val APP_DATA_RETENTION_SECS =
conf.getLong("spark.worker.cleanup.appDataTtl", 7 * 24 * 3600)
private val testing: Boolean = sys.props.contains("spark.testing")
@@ -96,6 +96,7 @@ private[worker] class Worker(
private var masterAddress: Address = null
private var activeMasterUrl: String = ""
private[worker] var activeMasterWebUiUrl : String = ""
+ private var workerWebUiUrl: String = ""
private val akkaUrl = AkkaUtils.address(
AkkaUtils.protocol(context.system),
actorSystemName,
@@ -172,6 +173,7 @@ private[worker] class Worker(
shuffleService.startIfEnabled()
webUi = new WorkerWebUI(this, workDir, webUiPort)
webUi.bind()
+ workerWebUiUrl = "http://" + publicAddress + ":" + webUi.boundPort
registerWithMaster()
metricsSystem.registerSource(workerSource)
@@ -197,7 +199,7 @@ private[worker] class Worker(
for (masterAkkaUrl <- masterAkkaUrls) {
logInfo("Connecting to master " + masterAkkaUrl + "...")
val actor = context.actorSelection(masterAkkaUrl)
- actor ! RegisterWorker(workerId, host, port, cores, memory, webUi.boundPort, publicAddress)
+ actor ! RegisterWorker(workerId, host, port, cores, memory, workerWebUiUrl)
}
}
@@ -236,7 +238,7 @@ private[worker] class Worker(
*/
if (master != null) {
master ! RegisterWorker(
- workerId, host, port, cores, memory, webUi.boundPort, publicAddress)
+ workerId, host, port, cores, memory, workerWebUiUrl)
} else {
// We are retrying the initial registration
tryRegisterAllMasters()
diff --git a/core/src/main/scala/org/apache/spark/ui/JettyUtils.scala b/core/src/main/scala/org/apache/spark/ui/JettyUtils.scala
index a091ca650c60c..cf51a81f36371 100644
--- a/core/src/main/scala/org/apache/spark/ui/JettyUtils.scala
+++ b/core/src/main/scala/org/apache/spark/ui/JettyUtils.scala
@@ -17,21 +17,25 @@
package org.apache.spark.ui
-import java.net.{InetSocketAddress, URL}
+import java.net.{URI, URL}
import javax.servlet.DispatcherType
import javax.servlet.http.{HttpServlet, HttpServletRequest, HttpServletResponse}
+import scala.collection.mutable.{ArrayBuffer, StringBuilder}
import scala.language.implicitConversions
import scala.xml.Node
-import org.eclipse.jetty.server.Server
+import org.eclipse.jetty.server.{Connector, Request, Server}
import org.eclipse.jetty.server.handler._
import org.eclipse.jetty.servlet._
import org.eclipse.jetty.util.thread.QueuedThreadPool
+import org.eclipse.jetty.server.nio.SelectChannelConnector
+import org.eclipse.jetty.server.ssl.SslSelectChannelConnector
+
import org.json4s.JValue
import org.json4s.jackson.JsonMethods.{pretty, render}
-import org.apache.spark.{Logging, SecurityManager, SparkConf}
+import org.apache.spark.{Logging, SSLOptions, SecurityManager, SparkConf}
import org.apache.spark.util.Utils
/**
@@ -201,17 +205,41 @@ private[spark] object JettyUtils extends Logging {
def startJettyServer(
hostName: String,
port: Int,
+ securityManager: SecurityManager,
handlers: Seq[ServletContextHandler],
conf: SparkConf,
serverName: String = ""): ServerInfo = {
val collection = new ContextHandlerCollection
- collection.setHandlers(handlers.toArray)
addFilters(handlers, conf)
// Bind to the given port, or throw a java.net.BindException if the port is occupied
def connect(currentPort: Int): (Server, Int) = {
- val server = new Server(new InetSocketAddress(hostName, currentPort))
+ val server = new Server
+ val connectors = new ArrayBuffer[Connector]
+ // Create a connector on port currentPort to listen for HTTP requests
+ val httpConnector = new SelectChannelConnector()
+ httpConnector.setPort(currentPort)
+ connectors += httpConnector
+
+ val sslContextFactory = securityManager.webUISSLOptions.createJettySslContextFactory()
+ sslContextFactory.foreach { factory =>
+ // If the new port wraps around, do not try a privilege port
+ val securePort = (currentPort + 400 - 1024) % (65536 - 1024) + 1024
+ val scheme = "https"
+ // Create a connector on port securePort to listen for HTTPS requests
+ val connector = new SslSelectChannelConnector(factory)
+ connector.setPort(securePort)
+ connectors += connector
+
+ // redirect the HTTP requests to HTTPS port
+ collection.addHandler(createRedirectHttpsHandler(securePort, scheme))
+ }
+
+ handlers.foreach(collection.addHandler)
+ connectors.foreach(_.setHost(hostName))
+ server.setConnectors(connectors.toArray)
+
val pool = new QueuedThreadPool
pool.setDaemon(true)
server.setThreadPool(pool)
@@ -231,6 +259,41 @@ private[spark] object JettyUtils extends Logging {
ServerInfo(server, boundPort, collection)
}
+ private def createRedirectHttpsHandler(securePort: Int, scheme: String): ContextHandler = {
+ val redirectHandler: ContextHandler = new ContextHandler
+ redirectHandler.setContextPath("/")
+ redirectHandler.setHandler(new AbstractHandler {
+ override def handle(
+ target: String,
+ baseRequest: Request,
+ request: HttpServletRequest,
+ response: HttpServletResponse): Unit = {
+ if (baseRequest.isSecure) {
+ return
+ }
+ val httpsURI = createRedirectURI(scheme, baseRequest.getServerName, securePort,
+ baseRequest.getRequestURI, baseRequest.getQueryString)
+ response.setContentLength(0)
+ response.encodeRedirectURL(httpsURI)
+ response.sendRedirect(httpsURI)
+ baseRequest.setHandled(true)
+ }
+ })
+ redirectHandler
+ }
+
+ // Create a new URI from the arguments, handling IPv6 host encoding and default ports.
+ private def createRedirectURI(
+ scheme: String, server: String, port: Int, path: String, query: String) = {
+ val redirectServer = if (server.contains(":") && !server.startsWith("[")) {
+ s"[${server}]"
+ } else {
+ server
+ }
+ val authority = s"$redirectServer:$port"
+ new URI(scheme, authority, path, query, null).toString
+ }
+
/** Attach a prefix to the given path, but avoid returning an empty path */
private def attachPrefix(basePath: String, relativePath: String): String = {
if (basePath == "") relativePath else (basePath + relativePath).stripSuffix("/")
diff --git a/core/src/main/scala/org/apache/spark/ui/WebUI.scala b/core/src/main/scala/org/apache/spark/ui/WebUI.scala
index f9860d1a5ce76..99a3ba7a4f7ef 100644
--- a/core/src/main/scala/org/apache/spark/ui/WebUI.scala
+++ b/core/src/main/scala/org/apache/spark/ui/WebUI.scala
@@ -117,7 +117,7 @@ private[spark] abstract class WebUI(
def bind() {
assert(!serverInfo.isDefined, "Attempted to bind %s more than once!".format(className))
try {
- serverInfo = Some(startJettyServer("0.0.0.0", port, handlers, conf, name))
+ serverInfo = Some(startJettyServer("0.0.0.0", port, securityManager, handlers, conf, name))
logInfo("Started %s at http://%s:%d".format(className, publicHostName, boundPort))
} catch {
case e: Exception =>
diff --git a/core/src/test/resources/spark.keystore b/core/src/test/resources/spark.keystore
new file mode 100644
index 0000000000000..f30716b57b302
Binary files /dev/null and b/core/src/test/resources/spark.keystore differ
diff --git a/core/src/test/scala/org/apache/spark/deploy/JsonProtocolSuite.scala b/core/src/test/scala/org/apache/spark/deploy/JsonProtocolSuite.scala
index b58d62567afe1..2ad1f29e5fe49 100644
--- a/core/src/test/scala/org/apache/spark/deploy/JsonProtocolSuite.scala
+++ b/core/src/test/scala/org/apache/spark/deploy/JsonProtocolSuite.scala
@@ -112,7 +112,7 @@ class JsonProtocolSuite extends FunSuite {
createDriverDesc(), new Date())
def createWorkerInfo(): WorkerInfo = {
- val workerInfo = new WorkerInfo("id", "host", 8080, 4, 1234, null, 80, "publicAddress")
+ val workerInfo = new WorkerInfo("id", "host", 8080, 4, 1234, null, "http://publicAddress:80")
workerInfo.lastHeartbeat = JsonConstants.currTimeInMillis
workerInfo
}
diff --git a/core/src/test/scala/org/apache/spark/ui/UISuite.scala b/core/src/test/scala/org/apache/spark/ui/UISuite.scala
index 77a038dc1720d..78980c22865f8 100644
--- a/core/src/test/scala/org/apache/spark/ui/UISuite.scala
+++ b/core/src/test/scala/org/apache/spark/ui/UISuite.scala
@@ -17,18 +17,18 @@
package org.apache.spark.ui
-import java.net.ServerSocket
+import java.net.{BindException, ServerSocket}
import scala.io.Source
-import scala.util.{Failure, Success, Try}
+import org.eclipse.jetty.server.Server
import org.eclipse.jetty.servlet.ServletContextHandler
import org.scalatest.FunSuite
import org.scalatest.concurrent.Eventually._
import org.scalatest.time.SpanSugar._
import org.apache.spark.LocalSparkContext._
-import org.apache.spark.{SparkConf, SparkContext}
+import org.apache.spark.{SecurityManager, SparkConf, SparkContext}
class UISuite extends FunSuite {
@@ -71,33 +71,105 @@ class UISuite extends FunSuite {
}
test("jetty selects different port under contention") {
- val server = new ServerSocket(0)
- val startPort = server.getLocalPort
- val serverInfo1 = JettyUtils.startJettyServer(
- "0.0.0.0", startPort, Seq[ServletContextHandler](), new SparkConf)
- val serverInfo2 = JettyUtils.startJettyServer(
- "0.0.0.0", startPort, Seq[ServletContextHandler](), new SparkConf)
- // Allow some wiggle room in case ports on the machine are under contention
- val boundPort1 = serverInfo1.boundPort
- val boundPort2 = serverInfo2.boundPort
- assert(boundPort1 != startPort)
- assert(boundPort2 != startPort)
- assert(boundPort1 != boundPort2)
- serverInfo1.server.stop()
- serverInfo2.server.stop()
- server.close()
+ var server: ServerSocket = null
+ var serverInfo1: ServerInfo = null
+ var serverInfo2: ServerInfo = null
+ val conf = new SparkConf
+ val securityManager = new SecurityManager(conf)
+ try {
+ server = new ServerSocket(0)
+ val startPort = server.getLocalPort
+ serverInfo1 = JettyUtils.startJettyServer(
+ "0.0.0.0", startPort, securityManager, Seq[ServletContextHandler](), conf)
+ serverInfo2 = JettyUtils.startJettyServer(
+ "0.0.0.0", startPort, securityManager, Seq[ServletContextHandler](), conf)
+ // Allow some wiggle room in case ports on the machine are under contention
+ val boundPort1 = serverInfo1.boundPort
+ val boundPort2 = serverInfo2.boundPort
+ assert(boundPort1 != startPort)
+ assert(boundPort2 != startPort)
+ assert(boundPort1 != boundPort2)
+ } finally {
+ UISuite.stopServer(serverInfo1.server)
+ UISuite.stopServer(serverInfo2.server)
+ UISuite.closeSocket(server)
+ }
+ }
+
+ test("jetty with https selects different port under contention") {
+ var server: ServerSocket = null
+ var serverInfo1: ServerInfo = null
+ var serverInfo2: ServerInfo = null
+ try {
+ server = new ServerSocket(0)
+ val startPort = server.getLocalPort
+
+ val sparkConf = new SparkConf()
+ .set("spark.ssl.ui.enabled", "true")
+ .set("spark.ssl.ui.keyStore", "./src/test/resources/spark.keystore")
+ .set("spark.ssl.ui.keyStorePassword", "123456")
+ .set("spark.ssl.ui.keyPassword", "123456")
+ val securityManager = new SecurityManager(sparkConf)
+ serverInfo1 = JettyUtils.startJettyServer(
+ "0.0.0.0", startPort, securityManager, Seq[ServletContextHandler](), sparkConf, "server1")
+ serverInfo2 = JettyUtils.startJettyServer(
+ "0.0.0.0", startPort, securityManager, Seq[ServletContextHandler](), sparkConf, "server2")
+ // Allow some wiggle room in case ports on the machine are under contention
+ val boundPort1 = serverInfo1.boundPort
+ val boundPort2 = serverInfo2.boundPort
+ assert(boundPort1 != startPort)
+ assert(boundPort2 != startPort)
+ assert(boundPort1 != boundPort2)
+ } finally {
+ UISuite.stopServer(serverInfo1.server)
+ UISuite.stopServer(serverInfo2.server)
+ UISuite.closeSocket(server)
+ }
}
test("jetty binds to port 0 correctly") {
- val serverInfo = JettyUtils.startJettyServer(
- "0.0.0.0", 0, Seq[ServletContextHandler](), new SparkConf)
- val server = serverInfo.server
- val boundPort = serverInfo.boundPort
- assert(server.getState === "STARTED")
- assert(boundPort != 0)
- Try { new ServerSocket(boundPort) } match {
- case Success(s) => fail("Port %s doesn't seem used by jetty server".format(boundPort))
- case Failure(e) =>
+ var socket: ServerSocket = null
+ var serverInfo: ServerInfo = null
+ val conf = new SparkConf
+ val securityManager = new SecurityManager(conf)
+ try {
+ serverInfo = JettyUtils.startJettyServer(
+ "0.0.0.0", 0, securityManager, Seq[ServletContextHandler](), conf)
+ val server = serverInfo.server
+ val boundPort = serverInfo.boundPort
+ assert(server.getState === "STARTED")
+ assert(boundPort != 0)
+ intercept[BindException] {
+ socket = new ServerSocket(boundPort)
+ }
+ } finally {
+ UISuite.stopServer(serverInfo.server)
+ UISuite.closeSocket(socket)
+ }
+ }
+
+ test("jetty with https binds to port 0 correctly") {
+ var socket: ServerSocket = null
+ var serverInfo: ServerInfo = null
+ try {
+ val sparkConf = new SparkConf()
+ .set("spark.ssl.ui.enabled", "false")
+ .set("spark.ssl.ui.keyStore", "./src/test/resources/spark.keystore")
+ .set("spark.ssl.ui.keyStorePassword", "123456")
+ .set("spark.ssl.ui.keyPassword", "123456")
+ val securityManager = new SecurityManager(sparkConf)
+ serverInfo = JettyUtils.startJettyServer(
+ "0.0.0.0", 0, securityManager, Seq[ServletContextHandler](), sparkConf)
+ val server = serverInfo.server
+ val boundPort = serverInfo.boundPort
+ assert(server.getState === "STARTED")
+ assert(boundPort != 0)
+ intercept[BindException] {
+ socket = new ServerSocket(boundPort)
+ }
+ } finally {
+ UISuite.stopServer(serverInfo.server)
+ UISuite.closeSocket(socket)
}
}
@@ -119,3 +191,13 @@ class UISuite extends FunSuite {
}
}
}
+
+object UISuite {
+ def stopServer(server: Server): Unit = {
+ if (server != null) server.stop
+ }
+
+ def closeSocket(socket: ServerSocket): Unit = {
+ if (socket != null) socket.close
+ }
+}
diff --git a/docs/configuration.md b/docs/configuration.md
index d587b91124cb8..b8957caf87ac4 100644
--- a/docs/configuration.md
+++ b/docs/configuration.md
@@ -1340,6 +1340,7 @@ Apart from these, the following properties are also available, and may be useful
The reference list of protocols one can find on
this
page.
+ Note: If not set, it will use the default cipher suites of JVM.
@@ -1364,6 +1365,13 @@ Apart from these, the following properties are also available, and may be useful
A password to the key-store.
+
+ spark.ssl.keyStoreType |
+ JKS |
+
+ The type of the key-store.
+ |
+
spark.ssl.protocol |
None |
@@ -1373,6 +1381,13 @@ Apart from these, the following properties are also available, and may be useful
page.
+
+ spark.ssl.needClientAuth |
+ false |
+
+ Set true if SSL needs client authentication.
+ |
+
spark.ssl.trustStore |
None |
@@ -1388,6 +1403,13 @@ Apart from these, the following properties are also available, and may be useful
A password to the trust-store.
+
+ spark.ssl.trustStoreType |
+ JKS |
+
+ The type of the trust-store.
+ |
+
diff --git a/docs/security.md b/docs/security.md
index c034ba12ff1fc..048dc799f37c4 100644
--- a/docs/security.md
+++ b/docs/security.md
@@ -6,15 +6,19 @@ title: Security
Spark currently supports authentication via a shared secret. Authentication can be configured to be on via the `spark.authenticate` configuration parameter. This parameter controls whether the Spark communication protocols do authentication using the shared secret. This authentication is a basic handshake to make sure both sides have the same shared secret and are allowed to communicate. If the shared secret is not identical they will not be allowed to communicate. The shared secret is created as follows:
-* For Spark on [YARN](running-on-yarn.html) deployments, configuring `spark.authenticate` to `true` will automatically handle generating and distributing the shared secret. Each application will use a unique shared secret.
+* For Spark on [YARN](running-on-yarn.html) deployments, configuring `spark.authenticate` to `true` will automatically handle generating and distributing the shared secret. Each application will use a unique shared secret.
* For other types of Spark deployments, the Spark parameter `spark.authenticate.secret` should be configured on each of the nodes. This secret will be used by all the Master/Workers and applications.
## Web UI
-The Spark UI can also be secured by using [javax servlet filters](http://docs.oracle.com/javaee/6/api/javax/servlet/Filter.html) via the `spark.ui.filters` setting. A user may want to secure the UI if it has data that other users should not be allowed to see. The javax servlet filter specified by the user can authenticate the user and then once the user is logged in, Spark can compare that user versus the view ACLs to make sure they are authorized to view the UI. The configs `spark.acls.enable` and `spark.ui.view.acls` control the behavior of the ACLs. Note that the user who started the application always has view access to the UI. On YARN, the Spark UI uses the standard YARN web application proxy mechanism and will authenticate via any installed Hadoop filters.
+The Spark UI can be secured by using [javax servlet filters](http://docs.oracle.com/javaee/6/api/javax/servlet/Filter.html) via the `spark.ui.filters` setting
+and by using [https/SSL](http://en.wikipedia.org/wiki/HTTPS) via the `spark.ui.https.enabled` setting.
-Spark also supports modify ACLs to control who has access to modify a running Spark application. This includes things like killing the application or a task. This is controlled by the configs `spark.acls.enable` and `spark.modify.acls`. Note that if you are authenticating the web UI, in order to use the kill button on the web UI it might be necessary to add the users in the modify acls to the view acls also. On YARN, the modify acls are passed in and control who has modify access via YARN interfaces.
+### Authentication
+A user may want to secure the UI if it has data that other users should not be allowed to see. The javax servlet filter specified by the user can authenticate the user and then once the user is logged in, Spark can compare that user versus the view ACLs to make sure they are authorized to view the UI. The configs `spark.acls.enable` and `spark.ui.view.acls` control the behavior of the ACLs. Note that the user who started the application always has view access to the UI. On YARN, the Spark UI uses the standard YARN web application proxy mechanism and will authenticate via any installed Hadoop filters.
+
+Spark also supports modify ACLs to control who has access to modify a running Spark application. This includes things like killing the application or a task. This is controlled by the configs `spark.acls.enable` and `spark.modify.acls`. Note that if you are authenticating the web UI, in order to use the kill button on the web UI it might be necessary to add the users in the modify acls to the view acls also. On YARN, the modify acls are passed in and control who has modify access via YARN interfaces.
Spark allows for a set of administrators to be specified in the acls who always have view and modify permissions to all the applications. is controlled by the config `spark.admin.acls`. This is useful on a shared cluster where you might have administrators or support staff who help users debug applications.
## Event Logging
@@ -23,9 +27,14 @@ If your applications are using event logging, the directory where the event logs
## Encryption
-Spark supports SSL for Akka and HTTP (for broadcast and file server) protocols. However SSL is not supported yet for WebUI and block transfer service.
+Spark supports SSL for Akka and HTTP protocols. However SSL is not supported yet for block transfer service.
-Connection encryption (SSL) configuration is organized hierarchically. The user can configure the default SSL settings which will be used for all the supported communication protocols unless they are overwritten by protocol-specific settings. This way the user can easily provide the common settings for all the protocols without disabling the ability to configure each one individually. The common SSL settings are at `spark.ssl` namespace in Spark configuration, while Akka SSL configuration is at `spark.ssl.akka` and HTTP for broadcast and file server SSL configuration is at `spark.ssl.fs`. The full breakdown can be found on the [configuration page](configuration.html).
+Connection encryption (SSL) configuration is organized hierarchically. The user can configure the default SSL settings
+which will be used for all the supported communication protocols unless they are overwritten by protocol-specific settings.
+This way the user can easily provide the common settings for all the protocols without disabling the ability to configure each one individually.
+The common SSL settings are at `spark.ssl` namespace in Spark configuration, while Akka SSL configuration is at `spark.ssl.akka`,
+HTTP for broadcast and file server SSL configuration is at `spark.ssl.fs`, and HTTP for web UI configuration is at `spark.ssl.ui`.
+The full breakdown can be found on the [configuration page](configuration.html).
SSL must be configured on each node and configured for each component involved in communication using the particular protocol.