How to protect password and username in Spark (such as for JDBC connections/accessing RDBMS databases)?

Question

We have a use case where we need to export data from HDFS to a RDBMS. I saw this example . Here they have store the username and password in the code. Is there any way to hide the password while export the data like we have the option of password-alias in Sqoop.

Answer 1

By passing passwords and secrets as --conf doesn't feel right for couple of reasons:

• This might be visible in logs
• prone to middle man attack
• Even if the password is obfuscated, the middle man can use the obfuscated string to invoke same endpoint with malicious intend

---

Few approaches to be more secure

• Use deployment environment based credentials storage and have spark pull the credentials at runtime from them.
• For example, if Spark is deployed on AWS, using AWS Secrets manager or SSM parameter store or Vault, we could store the credentials. In spark, we could use client libraries like boto3 to fetch the password at run time.
• During development, this step can be avoided. In Spark logic, we could check for password in conf. If it's not there, we could check cloud provider based secret manager. So only in local box, we will use --conf based secrets.
• Another option is to have env variable to determine if it's run in local development environment or on cloud and take necessary action.

Answer 2

Setting the password

At the command line as a plaintext spark config:

spark-submit --conf spark.jdbc.password=test_pass ... 

Using environment variable:

export jdbc_password=test_pass_export
spark-submit --conf spark.jdbc.password=$jdbc_password ...

Using spark config properties file:

echo "spark.jdbc.b64password=test_pass_prop" > credentials.properties
spark-submit --properties-file credentials.properties

With base64 encoding to "obfuscate":

echo "spark.jdbc.b64password=$(echo -n test_pass_prop | base64)" > credentials_b64.properties
spark-submit --properties-file credentials_b64.properties

Using the password in code

import java.util.Base64 // for base64
import java.nio.charset.StandardCharsets // for base64
val properties = new java.util.Properties()
properties.put("driver", "com.mysql.jdbc.Driver")
properties.put("url", "jdbc:mysql://mysql-host:3306")
properties.put("user", "test_user")
val password = new String(Base64.getDecoder().decode(spark.conf.get("spark.jdbc.b64password")), StandardCharsets.UTF_8)
properties.put("password", password)
val models = spark.read.jdbc(properties.get("url").toString, "ml_models", properties)

Edit: spark command line interface help docs for --conf and --properties-file:

  --conf PROP=VALUE           Arbitrary Spark configuration property.
  --properties-file FILE      Path to a file from which to load extra properties. If not
                              specified, this will look for conf/spark-defaults.conf.

The properties-file name is arbitrary.