[SPARK-33504][CORE] The application log in the Spark history server contains sensitive attributes should be redacted

[echohlne]

What changes were proposed in this pull request?

To make sure the sensitive attributes to be redacted in the history server log.

Why are the changes needed?

We found the secure attributes like password in SparkListenerJobStart and SparkListenerStageSubmitted events would not been redated, resulting in sensitive attributes can be viewd directly.
The screenshot can be viewed in the attachment of JIRA spark-33504

Does this PR introduce any user-facing change?

no

How was this patch tested?

muntual test works well, I have also added unit testcase.

[mridulm]

Redaction support looks kind of inconsistent.
For ApplicationEnvironmentInfo, the event file contains unredacted event with the api redacting on demand.
On other hand, SparkListenerEnvironmentUpdate is redacted before getting logged into event file.

The current pr takes the approach of SparkListenerEnvironmentUpdate - and logs redacted events.
Personally I am inclined to have source of truth in the event file, and expose redacted view.

But then, all of these was last changed 4 years or so back (#15971).
Any thoughts @vanzin, @tgravescs ?

[mridulm]

ok to test

[SparkQA]

Kubernetes integration test starting
URL: https://amplab.cs.berkeley.edu/jenkins/job/SparkPullRequestBuilder-K8s/36047/

[SparkQA]

Kubernetes integration test status success
URL: https://amplab.cs.berkeley.edu/jenkins/job/SparkPullRequestBuilder-K8s/36047/

[SparkQA]

Test build #131441 has finished for PR 30446 at commit 33b6e24.

• This patch passes all tests.
• This patch merges cleanly.
• This patch adds no public classes.

[SparkQA]

Test build #131466 has finished for PR 30446 at commit f03fdef.

• This patch fails Scala style tests.
• This patch merges cleanly.
• This patch adds no public classes.

[SparkQA]

Test build #131467 has finished for PR 30446 at commit fdb305c.

• This patch fails Scala style tests.
• This patch merges cleanly.
• This patch adds no public classes.

[SparkQA]

Test build #131468 has finished for PR 30446 at commit 26440c3.

• This patch fails Scala style tests.
• This patch merges cleanly.
• This patch adds no public classes.

[SparkQA]

Test build #131469 has finished for PR 30446 at commit 84a1a28.

• This patch fails to build.
• This patch merges cleanly.
• This patch adds no public classes.

[SparkQA]

Test build #131471 has finished for PR 30446 at commit a73f527.

• This patch fails to build.
• This patch merges cleanly.
• This patch adds no public classes.

[SparkQA]

Test build #131473 has finished for PR 30446 at commit 1a4e5c2.

• This patch fails Scala style tests.
• This patch merges cleanly.
• This patch adds no public classes.

[SparkQA]

Kubernetes integration test starting
URL: https://amplab.cs.berkeley.edu/jenkins/job/SparkPullRequestBuilder-K8s/36103/

[SparkQA]

Kubernetes integration test status failure
URL: https://amplab.cs.berkeley.edu/jenkins/job/SparkPullRequestBuilder-K8s/36103/

[SparkQA]

Test build #131499 has finished for PR 30446 at commit effbead.

• This patch passes all tests.
• This patch merges cleanly.
• This patch adds no public classes.

[echohlne]

@mridulm thanks for your great advice, Please review it again when you have time.

[tgravescs]

So both of the configs in the jira look like they are user generated configs. It sounds like you updated the spark.redaction.regex config but that didn't work for these events. It seems like we just missed these, so thanks for catching this.

I think the current approach makes sense and matches our previous implementations.

[SparkQA]

Test build #131591 has finished for PR 30446 at commit effbead.

• This patch fails Spark unit tests.
• This patch merges cleanly.
• This patch adds no public classes.

[mridulm]

@tgravescs The question I had was regarding when redaction is applied - while logging the event or when surfacing in UI/cli/etc.
Only for the case of EventLoggingListener.onEnvironmentUpdate we are redacting event file itself - in all other cases of application of redaction regex, we do not modify the source (event file, spark map, etc), but rather change when presenting to user.

I am not sure if this was done intentionally (allowing superuser to look at the unredact properties - and so onEnvironmentUpdate is a bug) or was an oversight (in which case all properties should be redacted before event logging).

Thoughts ? Thanks.

[tgravescs]

sorry for my delay, behind on reviews.

I think we should redact from both ui/rest or from event logging as people may not realize event logging has the password and history server could allow viewing from people who shouldn't see those. If people want it differently I would say we add a config to allow it but have it off by default - but I would wait until someone requests this.

I think it was an oversight that these events weren't redacted. so if you see other cases we aren't we should fix them.

[mridulm]

Thanks for clarifying Tom ! Sounds good to me.
I am fine with this patch given @tgravescs's comments above.

We can have follow up work to redact from other events as well - at event logging time.

[echohlne]

@mridulm @tgravescs thanks for your review!

[echohlne]

@mridulm Does it need someone else to continue reviewing, or can someone help me merge the code? thanks!

[tgravescs]

I will merge this shortly

[tgravescs]

thanks @akiyamaneko @mridulm merged to master and branch-3.0

[dongjoon-hyun]

Hi, @tgravescs .
There is a compilation error in branch-3.0.

[error] /home/runner/work/spark/spark/core/src/test/scala/org/apache/spark/scheduler/EventLoggingListenerSuite.scala:118: not found: value resourceProfileId
[error] Error occurred in an application involving default arguments.
[error]       resourceProfileId = ResourceProfile.DEFAULT_RESOURCE_PROFILE_ID)
[error]       ^

[dongjoon-hyun]

Could you take a look, please? I guess we need to recover the branch-3.0 first by reverting it and make a PR to branch-3.0 to pass all CIs. But, it's up to you. Thanks in advance.

[tgravescs]

yeah lets revert first

[tgravescs]

#30576 is revert

@akiyamaneko could you port this to branch-3.0 and put up a PR?

[tgravescs]

@akiyamaneko do you have time to back port?

[echohlne]

@tgravescs sorry for delay, Is there anything I can do？

[tgravescs]

I don't think anyone back ported it yet so if you have time it would be great to put up a version again branch-3.0