Secret Folder configurable (apache#137)

CHANGELOG.md

@@ -5,6 +5,7 @@
 * Fixed Supervise mode
 * Separate stderr and stdout in dispatcher
 * Fix history server stderr/stdout. Now is possible to set log level through SPARK_LOG_LEVEL
+* Secret folder path configurable
 
 ## 2.2.0.4 (January 11, 2018)
 

core/src/main/scala/org/apache/spark/security/ConfigSecurity.scala

@@ -16,14 +16,18 @@
  */
 package org.apache.spark.security
 
-
 import scala.util.{Failure, Success, Try}
 
-
 import org.apache.spark.internal.Logging
+import org.apache.spark.util.Utils
+
+
 
 object ConfigSecurity extends Logging {
 
+  val secretsFolder = Utils.createTempDir(
+    s"${sys.env.getOrElse("SPARK_SECRETS_FOLDER", "/tmp")}", "spark").getAbsolutePath
+
   lazy val vaultToken: Option[String] =
 
     if (sys.env.get("VAULT_TOKEN").isDefined) {

core/src/main/scala/org/apache/spark/security/KerberosConfig.scala

@@ -40,7 +40,8 @@ object KerberosConfig extends Logging{
 
   private def getKeytabPrincipal(keytab64: String, principal: String): String = {
     val bytes = DatatypeConverter.parseBase64Binary(keytab64)
-    val kerberosSecretFile = Files.createFile(Paths.get(s"/tmp/$principal.keytab"),
+    val kerberosSecretFile = Files.createFile(Paths.get(
+      s"${ConfigSecurity.secretsFolder}/$principal.keytab"),
       PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------")))
     kerberosSecretFile.toFile.deleteOnExit() // just to be sure
     val writePath = Files.write(kerberosSecretFile, bytes)

core/src/main/scala/org/apache/spark/security/SSLConfig.scala

@@ -88,10 +88,12 @@ object SSLConfig extends Logging {
       -> VaultHelper.getCertPassForAppFromVault(vaultKeyPassPath.get))
 
     val certFilesPath =
-      Map(s"$sparkSSLPrefix${sslType.toLowerCase}.certPem.path" -> "/tmp/cert.crt",
-        s"$sparkSSLPrefix${sslType.toLowerCase}.keyPKCS8.path" -> "/tmp/key.pkcs8",
-        s"$sparkSSLPrefix${sslType.toLowerCase}.caPem.path" -> "/tmp/ca.crt")
-
+      Map(s"$sparkSSLPrefix${sslType.toLowerCase}.certPem.path" ->
+        s"${ConfigSecurity.secretsFolder}/cert.crt",
+        s"$sparkSSLPrefix${sslType.toLowerCase}.keyPKCS8.path" ->
+          s"${ConfigSecurity.secretsFolder}/key.pkcs8",
+        s"$sparkSSLPrefix${sslType.toLowerCase}.caPem.path" ->
+          s"${ConfigSecurity.secretsFolder}/ca.crt")
     trustStoreOptions ++ keyStoreOptions ++ keyPass ++ certFilesPath
   }
 
@@ -107,7 +109,7 @@ object SSLConfig extends Logging {
     }
 
     val fileName = "trustStore.jks"
-    val dir = new File(s"/tmp/$sslType")
+    val dir = new File(s"${ConfigSecurity.secretsFolder}/$sslType")
     dir.mkdirs
     val downloadFile = Files.createFile(Paths.get(dir.getAbsolutePath, fileName),
       PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------")))
@@ -121,7 +123,8 @@ object SSLConfig extends Logging {
 
   def generatePemFile(pem: String, fileName: String): Unit = {
       formatPem(pem)
-      val bosCA = new BufferedOutputStream(new FileOutputStream(s"/tmp/$fileName"))
+      val bosCA = new BufferedOutputStream(new FileOutputStream(s"${ConfigSecurity.secretsFolder}" +
+        s"/$fileName"))
       bosCA.write(formatPem(pem).getBytes)
       bosCA.close()
     }
@@ -145,7 +148,8 @@ object SSLConfig extends Logging {
       val decrypted = pkcs8.getDecryptedBytes
       val spec = new PKCS8EncodedKeySpec(decrypted)
       val pk = KeyFactory.getInstance("RSA").generatePrivate(spec)
-      val bos = new BufferedOutputStream(new FileOutputStream("/tmp/key.pkcs8"))
+      val bos = new BufferedOutputStream(new FileOutputStream(s"${ConfigSecurity.secretsFolder}" +
+        s"/key.pkcs8"))
       bos.write(pk.getEncoded)
       bos.close()
     }
@@ -200,7 +204,7 @@ object SSLConfig extends Logging {
     keystore.setKeyEntry(alias, key, password.toCharArray, arrayCert)
 
     val fileName = "keystore.jks"
-    val dir = new File(s"/tmp/$sslType")
+    val dir = new File(s"${ConfigSecurity.secretsFolder}/$sslType")
     dir.mkdirs
     val downloadFile = Files.createFile(Paths.get(dir.getAbsolutePath, fileName),
       PosixFilePermissions.asFileAttribute(PosixFilePermissions.fromString("rw-------")))

core/src/test/scala/org/apache/spark/security/SSLConfigTest.scala

@@ -33,28 +33,28 @@ class SSLConfigTest extends SparkFunSuite with ShouldMatchers{
     SSLConfig.pemToDer(Source.fromURL(getClass.getResource("/cert.key")).mkString)
     assert (
       calculateMD5(getClass.getResource("/key.pkcs8").getFile)
-        .equals(calculateMD5("/tmp/key.pkcs8")))
+        .equals(calculateMD5(s"${ConfigSecurity.secretsFolder}/key.pkcs8")))
   }
 
   test("generate cert.crt from valid data") {
-    SSLConfig.generatePemFile( pemString, "/cert.crt")
+    SSLConfig.generatePemFile(pemString, "/cert.crt")
     assert (
       calculateMD5(getClass.getResource("/cert.crt").getFile)
-        .equals(calculateMD5("/tmp/cert.crt")))
+        .equals(calculateMD5(s"${ConfigSecurity.secretsFolder}/cert.crt")))
   }
 
   test("generate ca-two-levels.crt from intermediate chain valid data") {
-    SSLConfig.generatePemFile( caString, "/ca-two-levels.crt")
+    SSLConfig.generatePemFile(caString, "/ca-two-levels.crt")
     assert (
       calculateMD5(getClass.getResource("/ca-two-levels.crt").getFile)
-        .equals(calculateMD5("/tmp/ca-two-levels.crt")))
+        .equals(calculateMD5(s"${ConfigSecurity.secretsFolder}/ca-two-levels.crt")))
   }
 
   test("generate ca-two-levels.crt from valid root ca") {
-    SSLConfig.generatePemFile( caRootString, "/ca-one-level.crt")
+    SSLConfig.generatePemFile(caRootString, "/ca-one-level.crt")
     assert (
       calculateMD5(getClass.getResource("/ca-one-level.crt").getFile)
-        .equals(calculateMD5("/tmp/ca-one-level.crt")))
+        .equals(calculateMD5(s"${ConfigSecurity.secretsFolder}/ca-one-level.crt")))
   }
 
 }