[SPARK-26998] spark.ssl.keyStorePassword in plaintext on 'ps -ef' output of executor processes in Standalone mode - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 2.3.3, 2.4.0
Fix Version/s: 2.3.4, 2.4.2, 3.0.0
Component/s: Scheduler, Security, Spark Core
Labels:
- SECURITY
- Security
- secur
- security
- security-issue

Description

Run spark standalone mode, then start a spark-submit requiring at least 1 executor. Do a 'ps -ef' on linux (ie putty terminal) and you will be able to see spark.ssl.keyStorePassword value in plaintext!

spark.ssl.keyStorePassword and spark.ssl.keyPassword don't need to be passed to CoarseGrainedExecutorBackend. Only spark.ssl.trustStorePassword is used.

Can be resolved if below PR is merged:

[Github] Pull Request #21514 (tooptoop4)

Attachments

Issue Links

relates to

SPARK-22860 Spark workers log ssl passwords passed to the executors

Resolved

links to

GitHub Pull Request #24170

Activity

People

Assignee:: Gabor Somogyi

Reporter:: t oo

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 26/Feb/19 23:08

Updated:: 12/Dec/22 18:10

Resolved:: 02/Apr/19 16:26