spark-user mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From G R <gregr...@gmail.com>
Subject Unable to verify in-transit encryption
Date Mon, 16 Sep 2019 18:25:31 GMT
This is a duplicate of my stack overflow question here:

https://stackoverflow.com/questions/57881044/verifying-in-transit-encryption-for-spark-shuffle

I'm running Spark over YARN on AWS EMR 5.20.

I've followed the following guide for running in-transit encryption for
spark shuffle:

https://docs.cloudera.com/HDPDocuments/HDP3/HDP-3.1.0/configuring-spark/content/configuring_spark_for_wire_encryption.html

First off, this doc *only* refers to self-signed certs, and we're using a
CA-signed cert. No big deal, I put the CA cert in the truststore.

Unfortunately, I'm not in a position to use the built-in Amazon In Transit
encryption, nor can I use Spark Defaults as we send along our spark
assembly with our jobs to allow multiple versions to be used.

The piece I'm tacking on to our spark jobs looks like this:

spark.shuffle.encryption.enabled=true
spark.ssl.enabled=true
spark.ssl.keyPassword=*****
spark.ssl.keyStore="/opt/my-cluster/keystore.jks"
spark.ssl.keyStorePassword=*****
spark.ssl.protocol=TLS
spark.ssl.trustStore="/opt/my-cluster/truststore.jks”
spark.ssl.trustStorePassword=*****
spark.authenticate=true
spark.network.crypto.enabled=true
spark.enableSaslEncryption=true
spark.ui.https.enabled=true
spark.io.encryption.enabled=true
spark.network.sasl.serverAlwaysEncrypt=true

Jobs are running fine. I'm running a simple job I'm assuming will force a
shuffle. Here's the code:

import org.apache.spark.sql.SparkSession

import scala.util.Random

object SparkShuffleTest {

  def main(args: Array[String]) {
    val randomText = for (i <- Range(0,100000)) yield Random.nextPrintableChar()
    val spark = SparkSession.builder.appName("Simple Application").getOrCreate()
    val logData = spark.sparkContext.parallelize(randomText)
    val pairs = logData.map(c => (c, 1))
    pairs.foreach(println(_))
    val outputs = pairs.reduceByKey(_ + _).collect()
    outputs.foreach({case (a, b) => println(s"$a:$b")})
    println("Outputs collected...")
    println(outputs)
    spark.stop()
  }
}

*So, here's the tough part:*

If I screw around with the location of the keystore and change it to a
bogus name, my jobs fail, as they should, because they can't find a valid
keystore. However, if I do this to the *truststore*, there's no failure.
It's like it's not even reading the truststore. How can I actually get this
to encrypt, or what am I configuring wrong? Obviously, if I'm giving it a
bogus truststore, it ought to fail at encrypting shuffle. Does that just
not throw an error at all?

Thanks!

Mime
View raw message