[SPARK-19720][CORE] Redact sensitive information from SparkSubmit console #17047
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…bmit console output This change redacts senstive information (based on spark.redaction.regex property) from the Spark Submit console logs. Such sensitive information is already being redacted from event logs and yarn logs, etc. Testing was done manually to make sure that the console logs were not printing any sensitive information. Here's some output from the console: Spark properties used, including those specified through --conf and those from the properties file /etc/spark2/conf/spark-defaults.conf: (spark.yarn.appMasterEnv.HADOOP_CREDSTORE_PASSWORD,*********(redacted)) (spark.authenticate,false) (spark.executorEnv.HADOOP_CREDSTORE_PASSWORD,*********(redacted))
|
Test build #73385 has finished for PR 17047 at commit
|
srowen
reviewed
Feb 25, 2017
| * @param kvs | ||
| * @return | ||
| */ | ||
| def redact(kvs: Map[String, String]): Seq[(String, String)] = { |
Member
There was a problem hiding this comment.
(Nit: I'd omit param and return if they're not filled in.)
So this is used in cases where there isn't a conf object available yet, but the argument itself has the redaction config? I was slightly worried about the parallel implementation but that would be a reasonable reason to do it.
Member
Author
There was a problem hiding this comment.
Correct, that's exactly the use case - where there isn't a conf object available yet. I will update the Javadoc. Thanks for reviewing!
|
Test build #73554 has finished for PR 17047 at commit
|
vanzin
reviewed
Feb 28, 2017
Contributor
vanzin
left a comment
vanzin
left a comment
There was a problem hiding this comment.
Look good. Can you replace "spark submit" with "core" in the title (since that's the right component)?
| private def redact(redactionPattern: Regex, kvs: Seq[(String, String)]): Seq[(String, String)] = { | ||
| kvs.map { kv => | ||
| redactionPattern.findFirstIn(kv._1) | ||
| .map { ignore => (kv._1, REDACTION_REPLACEMENT_TEXT) } |
vanzin
reviewed
Feb 28, 2017
| .longConf | ||
| .createWithDefault(4 * 1024 * 1024) | ||
|
|
||
| private[spark] val SECRET_REDACTION_PROPERTY = "spark.redaction.regex" |
Contributor
There was a problem hiding this comment.
Actually, instead of this you could use SECRET_REDACTION_PATTERN.key and SECRET_REDACTION_PATTERN.defaultValue in Utils.scala.
markgrover
changed the title
vanzin
reviewed
Mar 1, 2017
| kvs.map { kv => | ||
| redactionPattern.findFirstIn(kv._1) | ||
| .map { ignore => (kv._1, REDACTION_REPLACEMENT_TEXT) } | ||
| .map {ignore => (kv._1, REDACTION_REPLACEMENT_TEXT) } |
Contributor
There was a problem hiding this comment.
nit: replace "ignore" with "_" (in case my previous comment wasn't clear). also missing a space after '{'.
Member
Author
There was a problem hiding this comment.
Ah, right I misunderstood that - I took your comment as a bash + scala way to say eliminate space (partly because it's hard to understand spacing in github comments). My bad, let me fix that.
|
Test build #73625 has finished for PR 17047 at commit
|
Member
Author
|
Seems unrelated. |
Member
Author
|
Jenkins, test this again, please. |
Contributor
|
retest this please |
|
Test build #73626 has finished for PR 17047 at commit
|
|
Test build #73651 has finished for PR 17047 at commit
|
Contributor
|
Merging to master. |
Member
Author
|
Thanks @vanzin |
dmvieira
pushed a commit
to dmvieira/spark
that referenced
this pull request
Jul 29, 2017
…sole This change redacts senstive information (based on default password and secret regex) from the Spark Submit console logs. Such sensitive information is already being redacted from event logs and yarn logs, etc. Testing was done manually to make sure that the console logs were not printing any sensitive information. Here's some output from the console: ``` Spark properties used, including those specified through --conf and those from the properties file /etc/spark2/conf/spark-defaults.conf: (spark.yarn.appMasterEnv.HADOOP_CREDSTORE_PASSWORD,*********(redacted)) (spark.authenticate,false) (spark.executorEnv.HADOOP_CREDSTORE_PASSWORD,*********(redacted)) ``` ``` System properties: (spark.yarn.appMasterEnv.HADOOP_CREDSTORE_PASSWORD,*********(redacted)) (spark.authenticate,false) (spark.executorEnv.HADOOP_CREDSTORE_PASSWORD,*********(redacted)) ``` There is a risk if new print statements were added to the console down the road, sensitive information may still get leaked, since there is no test that asserts on the console log output. I considered it out of the scope of this JIRA to write an integration test to make sure new leaks don't happen in the future. Running unit tests to make sure nothing else is broken by this change. Using reference from Mark Grover <mark@apache.org> Closes apache#17047 for 2.1.2 spark vesion.
dmvieira
pushed a commit
to dmvieira/spark
that referenced
this pull request
Aug 1, 2017
…sole ## What changes were proposed in this pull request? This change redacts senstive information (based on `spark.redaction.regex` property) from the Spark Submit console logs. Such sensitive information is already being redacted from event logs and yarn logs, etc. ## How was this patch tested? Testing was done manually to make sure that the console logs were not printing any sensitive information. Here's some output from the console: ``` Spark properties used, including those specified through --conf and those from the properties file /etc/spark2/conf/spark-defaults.conf: (spark.yarn.appMasterEnv.HADOOP_CREDSTORE_PASSWORD,*********(redacted)) (spark.authenticate,false) (spark.executorEnv.HADOOP_CREDSTORE_PASSWORD,*********(redacted)) ``` ``` System properties: (spark.yarn.appMasterEnv.HADOOP_CREDSTORE_PASSWORD,*********(redacted)) (spark.authenticate,false) (spark.executorEnv.HADOOP_CREDSTORE_PASSWORD,*********(redacted)) ``` There is a risk if new print statements were added to the console down the road, sensitive information may still get leaked, since there is no test that asserts on the console log output. I considered it out of the scope of this JIRA to write an integration test to make sure new leaks don't happen in the future. Running unit tests to make sure nothing else is broken by this change. Author: Mark Grover <mark@apache.org> Closes apache#17047 from markgrover/master_redaction.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
What changes were proposed in this pull request?
This change redacts senstive information (based on
spark.redaction.regexproperty)from the Spark Submit console logs. Such sensitive information is already being
redacted from event logs and yarn logs, etc.
How was this patch tested?
Testing was done manually to make sure that the console logs were not printing any
sensitive information.
Here's some output from the console:
There is a risk if new print statements were added to the console down the road, sensitive information may still get leaked, since there is no test that asserts on the console log output. I considered it out of the scope of this JIRA to write an integration test to make sure new leaks don't happen in the future.
Running unit tests to make sure nothing else is broken by this change.