Posted to reviews@spark.apache.org by "chenyu-opensource (via GitHub)" <gi...@apache.org> on 2023/09/21 07:28:02 UTC

[GitHub] [spark] chenyu-opensource opened a new pull request, #43028: [SPARK-45248][CORE][DOCS] Support for set the timeout for spark ui server

chenyu-opensource opened a new pull request, #43028:
URL: https://github.com/apache/spark/pull/43028

   **What changes were proposed in this pull request?**
   This PR adds support for setting the timeout for the Spark UI server.
   
   **Why are the changes needed?**
   It can avoid slow HTTP Denial of Service attacks, because the Jetty server's timeout is 300000 by default.
   
   **Does this PR introduce any user-facing change?**
   No
   
   **How was this patch tested?**
   Manual review
   
   **Was this patch authored or co-authored using generative AI tooling?**
   No


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org


---------------------------------------------------------------------
To unsubscribe, e-mail: reviews-unsubscribe@spark.apache.org
For additional commands, e-mail: reviews-help@spark.apache.org
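
A check of the behaviour this pull request relies on, as an added example that is not code from the PR or from Spark: it starts an embedded Jetty server with an 8000 ms connector idle timeout and measures how long a connection that sends nothing is kept open. It assumes a standalone `jetty-server` (`org.eclipse.jetty`) on the classpath; the object and method names are hypothetical.

```scala
// Added example, not Spark's code. Assumes org.eclipse.jetty:jetty-server on the classpath.
import java.net.{Socket, SocketException, SocketTimeoutException}
import org.eclipse.jetty.server.{HttpConfiguration, HttpConnectionFactory, Server, ServerConnector}

object IdleTimeoutCheck {
  /** Start Jetty on an ephemeral loopback port with the given connector idle timeout. */
  def startServer(idleMs: Long): (Server, Int) = {
    val server = new Server()
    val connector =
      new ServerConnector(server, new HttpConnectionFactory(new HttpConfiguration()))
    connector.setHost("127.0.0.1")
    connector.setPort(0)              // let the OS pick a free port
    connector.setIdleTimeout(idleMs)  // connections idle longer than this are closed
    server.addConnector(connector)
    server.start()
    (server, connector.getLocalPort)
  }

  /** Connect, send nothing, and report after how many ms the server closed the socket.
    * Returns None if the server was still holding the connection after giveUpMs. */
  def heldOpenMs(port: Int, giveUpMs: Int): Option[Long] = {
    val socket = new Socket("127.0.0.1", port)
    val start = System.nanoTime()
    def elapsed: Long = (System.nanoTime() - start) / 1000000L
    try {
      socket.setSoTimeout(giveUpMs)   // client-side cap so the check always terminates
      val in = socket.getInputStream
      val buf = new Array[Byte](1024)
      while (in.read(buf) != -1) ()   // drain anything the server sends until it closes
      Some(elapsed)
    } catch {
      case _: SocketTimeoutException => None          // server never closed the socket
      case _: SocketException        => Some(elapsed) // closed with a reset
    } finally socket.close()
  }

  def main(args: Array[String]): Unit = {
    val idleMs = 8000L                // the value discussed in this thread
    val (server, port) = startServer(idleMs)
    try {
      heldOpenMs(port, (idleMs * 2).toInt) match {
        case Some(ms) => println(s"silent connection closed by server after $ms ms")
        case None     => println(s"connection still open after ${idleMs * 2} ms")
      }
    } finally server.stop()
  }
}
```

The measured hold time is what a lower idle timeout changes: each silent connection occupies a server slot for at most roughly that long.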


[GitHub] [spark] chenyu-opensource commented on pull request #43028: [SPARK-45248][CORE][DOCS] Support for set the timeout for spark ui server

Posted by "chenyu-opensource (via GitHub)" <gi...@apache.org>.
chenyu-opensource commented on PR #43028:
URL: https://github.com/apache/spark/pull/43028#issuecomment-1729032003

   Please give me a review when you have time. @srowen @HyukjinKwon @LuciferYang 
   Thank you so much.
   




[GitHub] [spark] chenyu-opensource commented on pull request #43028: [SPARK-45248][CORE][DOCS] [UI]Support for set the timeout for spark ui server

Posted by "chenyu-opensource (via GitHub)" <gi...@apache.org>.
chenyu-opensource commented on PR #43028:
URL: https://github.com/apache/spark/pull/43028#issuecomment-1730656458

   > Does this need to be configurable? What about just setting it to a better value? Is the idea to increase or decrease to deal with DoS?
   
   @srowen Thank you for your review.
   Yes, it is better to be configurable. I had set a default value for the timeout, but it cannot be ruled out that there are other needs.
   It's related to https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27223
   This solution has been verified to be feasible under actual vulnerability scanning conditions.
   




[GitHub] [spark] chenyu-opensource commented on pull request #43028: [SPARK-45248][CORE]Set the timeout for spark ui server

Posted by "chenyu-opensource (via GitHub)" <gi...@apache.org>.
chenyu-opensource commented on PR #43028:
URL: https://github.com/apache/spark/pull/43028#issuecomment-1732148383

   > OK, please put a comment in the code about why this is set lower than usual.
   
   Thank you for your suggestion; I have followed it.




[GitHub] [spark] srowen commented on pull request #43028: [SPARK-45248][CORE]Set the timeout for spark ui server

Posted by "srowen (via GitHub)" <gi...@apache.org>.
srowen commented on PR #43028:
URL: https://github.com/apache/spark/pull/43028#issuecomment-1732576148

   Can you rebase your branch on master? I think you need to pick up the latest test config for the CI/CD jobs.




[GitHub] [spark] srowen commented on pull request #43028: [SPARK-45248][CORE][DOCS] [UI]Support for set the timeout for spark ui server

Posted by "srowen (via GitHub)" <gi...@apache.org>.
srowen commented on PR #43028:
URL: https://github.com/apache/spark/pull/43028#issuecomment-1730675157

   No, I mean, is there any downside to just hard coding it? I don't love exposing more configs if it's not clear when one would ever change it 




[GitHub] [spark] srowen commented on pull request #43028: [SPARK-45248][CORE][DOCS] [UI]Support for set the timeout for spark ui server

Posted by "srowen (via GitHub)" <gi...@apache.org>.
srowen commented on PR #43028:
URL: https://github.com/apache/spark/pull/43028#issuecomment-1730669523

   What happens if we just set it to 8000?




[GitHub] [spark] srowen commented on pull request #43028: [SPARK-45248][CORE][DOCS] [UI]Support for set the timeout for spark ui server

Posted by "srowen (via GitHub)" <gi...@apache.org>.
srowen commented on PR #43028:
URL: https://github.com/apache/spark/pull/43028#issuecomment-1729476484

   Does this need to be configurable? What about just setting it to a better value? Is the idea to increase or decrease to deal with DoS?




[GitHub] [spark] chenyu-opensource commented on pull request #43028: [SPARK-45248][CORE]Set the timeout for spark ui server

Posted by "chenyu-opensource (via GitHub)" <gi...@apache.org>.
chenyu-opensource commented on PR #43028:
URL: https://github.com/apache/spark/pull/43028#issuecomment-1732448293

   @srowen Please give me a review again. Thank you so much.




[GitHub] [spark] chenyu-opensource commented on pull request #43028: [SPARK-45248][CORE][DOCS] [UI]Support for set the timeout for spark ui server

Posted by "chenyu-opensource (via GitHub)" <gi...@apache.org>.
chenyu-opensource commented on PR #43028:
URL: https://github.com/apache/spark/pull/43028#issuecomment-1730679712

   > No, I mean, is there any downside to just hard coding it? I don't love exposing more configs if it's not clear when one would ever change it
   
   This is to prevent anyone from modifying this configuration to adapt to their business volume in the future. Hard coding itself has no drawbacks, and I can also change it to hard coding. What kind do you think is better?




[GitHub] [spark] chenyu-opensource commented on pull request #43028: [SPARK-45248][CORE][DOCS] [UI]Support for set the timeout for spark ui server

Posted by "chenyu-opensource (via GitHub)" <gi...@apache.org>.
chenyu-opensource commented on PR #43028:
URL: https://github.com/apache/spark/pull/43028#issuecomment-1730704040

   > No, I mean, is there any downside to just hard coding it? I don't love exposing more configs if it's not clear when one would ever change it
   
   @srowen I have changed it to hard coding.




[GitHub] [spark] srowen commented on pull request #43028: [SPARK-45248][CORE][DOCS] [UI]Support for set the timeout for spark ui server

Posted by "srowen (via GitHub)" <gi...@apache.org>.
srowen commented on PR #43028:
URL: https://github.com/apache/spark/pull/43028#issuecomment-1730661855

   Are you trying to make the value bigger than usual, or smaller?




[GitHub] [spark] srowen commented on pull request #43028: [SPARK-45248][CORE]Set the timeout for spark ui server

Posted by "srowen (via GitHub)" <gi...@apache.org>.
srowen commented on PR #43028:
URL: https://github.com/apache/spark/pull/43028#issuecomment-1731429696

   OK, please put a comment in the code about why this is set lower than usual.




[GitHub] [spark] chenyu-opensource commented on pull request #43028: [SPARK-45248][CORE]Set the timeout for spark ui server

Posted by "chenyu-opensource (via GitHub)" <gi...@apache.org>.
chenyu-opensource commented on PR #43028:
URL: https://github.com/apache/spark/pull/43028#issuecomment-1732777744

   > Can you rebase your branch on master? I think you need to pick up the latest test config for the CI/CD jobs.
   
   OK, I will check out a new branch from master and open a new PR.




[GitHub] [spark] chenyu-opensource closed pull request #43028: [SPARK-45248][CORE]Set the timeout for spark ui server

Posted by "chenyu-opensource (via GitHub)" <gi...@apache.org>.
chenyu-opensource closed pull request #43028: [SPARK-45248][CORE]Set the timeout for spark ui server
URL: https://github.com/apache/spark/pull/43028




[GitHub] [spark] chenyu-opensource commented on pull request #43028: [SPARK-45248][CORE][DOCS] [UI]Support for set the timeout for spark ui server

Posted by "chenyu-opensource (via GitHub)" <gi...@apache.org>.
chenyu-opensource commented on PR #43028:
URL: https://github.com/apache/spark/pull/43028#issuecomment-1730669123

   > Does this need to be configurable? What about just setting it to a better value? Is the idea to increase or decrease to deal with DoS?
   
   Yes, it is better to be configurable. I had set a default value for the timeout, but it cannot be ruled out that there are other needs.
   It's related to CVE-2020-27223:
   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-27223
   
   > Are you trying to make the value bigger than usual, or smaller?
   
   Yes, the default value is 30000. I have tried multiple values; 8000 may be the best.




[GitHub] [spark] chenyu-opensource commented on pull request #43028: [SPARK-45248][CORE][DOCS] [UI]Support for set the timeout for spark ui server

Posted by "chenyu-opensource (via GitHub)" <gi...@apache.org>.
chenyu-opensource commented on PR #43028:
URL: https://github.com/apache/spark/pull/43028#issuecomment-1730670778

   > What happens if we just set it to 8000?
   
   After using professional vulnerability scanning tools to detect, the relevant vulnerabilities have disappeared.

