From 8b325b17ecdf013b7a6edcb7ee3773546bd914df Mon Sep 17 00:00:00 2001 From: Marcelo Vanzin Date: Mon, 28 Nov 2016 21:10:57 -0800 Subject: [SPARK-18547][CORE] Propagate I/O encryption key when executors register. This change modifies the method used to propagate encryption keys used during shuffle. Instead of relying on YARN's UserGroupInformation credential propagation, this change explicitly distributes the key using the messages exchanged between driver and executor during registration. When RPC encryption is enabled, this means key propagation is also secure. This allows shuffle encryption to work in non-YARN mode, which means that it's easier to write unit tests for areas of the code that are affected by the feature. The key is stored in the SecurityManager; because there are many instances of that class used in the code, the key is only guaranteed to exist in the instance managed by the SparkEnv. This path was chosen to avoid storing the key in the SparkConf, which would risk having the key being written to disk as part of the configuration (as, for example, is done when starting YARN applications). Tested by new and existing unit tests (which were moved from the YARN module to core), and by running apps with shuffle encryption enabled. Author: Marcelo Vanzin Closes #15981 from vanzin/SPARK-18547. --- docs/configuration.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'docs/configuration.md') diff --git a/docs/configuration.md b/docs/configuration.md index aa201c6b6a..d8800e93da 100644 --- a/docs/configuration.md +++ b/docs/configuration.md @@ -590,7 +590,8 @@ Apart from these, the following properties are also available, and may be useful spark.io.encryption.enabled false - Enable IO encryption. Only supported in YARN mode. + Enable IO encryption. Currently supported by all modes except Mesos. It's recommended that RPC encryption + be enabled when using this feature. -- cgit v1.2.3
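Review bot: The added description for spark.io.encryption.enabled in docs/configuration.md recommends RPC encryption without saying why, so a reader of the configuration table cannot tell that the recommendation is a security dependency rather than a tuning hint. The commit message states that the I/O encryption key is now distributed in the messages exchanged between driver and executor during registration, and that key propagation is secure only when RPC encryption is enabled. I would say that in the description itself, for example "the I/O encryption key is sent to executors over RPC when they register, so without RPC encryption the key is not protected in transit", and name the property that turns RPC encryption on so the reader can find it in the same table. The "all modes except Mesos" wording is also not explained by the commit message, which only says the change allows shuffle encryption to work in non-YARN mode; a short note on why Mesos is excluded, or a pointer to the tracking issue, would help.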