Using SSL to secure H2O Flow
Sparkling Water supports securing the H2O Flow user interface. There are two ways to secure Flow:
Provide an existing Java keystore and password.
Let Sparkling Water automatically create the necessary files. This solution has several limitations, which are described below.
Using existing Java keystore
To use https correctly, the following two options need to be specified:
spark.ext.h2o.jks - path to Java keystore file
spark.ext.h2o.jks.pass - keystore file password
Scala
To enable https in Sparkling Water, you can start Sparkling Water as:
bin/sparkling-shell --conf "spark.ext.h2o.jks=/path/to/keystore" --conf "spark.ext.h2o.jks.pass=password"
and when you have the shell running, start H2OContext as:
import org.apache.spark.h2o._
val hc = H2OContext.getOrCreate(spark)
You can also start Sparkling shell without the configuration and specify it using the setters on H2OConf as:
import org.apache.spark.h2o._
val conf = new H2OConf(spark).setJks("/path/to/keystore").setJksPass("password")
val hc = H2OContext.getOrCreate(spark, conf)
Python
To enable https in PySparkling, you can start PySparkling as:
bin/pysparkling --conf "spark.ext.h2o.jks=/path/to/keystore" --conf "spark.ext.h2o.jks.pass=password"
and when you have the shell running, start H2OContext as:
from pysparkling import *
hc = H2OContext.getOrCreate(spark)
You can also start PySparkling shell without the configuration and specify it using the setters on H2OConf as:
from pysparkling import *
conf = H2OConf(spark).setJks("/path/to/keystore").setJksPass("password")
hc = H2OContext.getOrCreate(spark, conf)
R
To enable https in RSparkling, run in RStudio:
library(rsparkling)
sc <- spark_connect(master = "local")
conf <- H2OConf(sc)$setJks("/path/to/keystore")$setJksPass("password")
hc <- H2OContext.getOrCreate(sc, conf)
If your certificates are self-signed, the connection to the H2O cluster will fail due to security limitations. In this case, you can skip certificate verification by calling setVerifySslCertificates on H2OConf as:
Scala
val conf = new H2OConf(spark).setVerifySslCertificates(false)
val hc = H2OContext.getOrCreate(spark, conf)
Python
conf = H2OConf(spark).setVerifySslCertificates(False)
hc = H2OContext.getOrCreate(spark, conf)
R
conf <- H2OConf(sc)$setVerifySslCertificates(FALSE)
hc <- H2OContext.getOrCreate(sc, conf)
Generate the files automatically
Sparkling Water can generate the necessary keystore and password automatically. To enable the automatic generation, the spark.ext.h2o.auto.flow.ssl option needs to be set to true. In this mode only self-signed certificates are created.
Scala
To enable the security using this mode in Sparkling Water, start Sparkling Shell as:
bin/sparkling-shell --conf "spark.ext.h2o.auto.flow.ssl=true" --conf "spark.ext.h2o.verify_ssl_certificates=false"
and when you have the shell running, start H2OContext as:
import org.apache.spark.h2o._
val hc = H2OContext.getOrCreate(spark)
You can also start Sparkling shell without the configuration and specify it using the setters on H2OConf as:
import org.apache.spark.h2o._
val conf = new H2OConf(spark).setAutoFlowSslEnabled().setVerifySslCertificates(false)
val hc = H2OContext.getOrCreate(spark, conf)
Python
To enable https in PySparkling using this mode, you can start PySparkling as:
bin/pysparkling --conf "spark.ext.h2o.auto.flow.ssl=true" --conf "spark.ext.h2o.verify_ssl_certificates=false"
and when you have the shell running, start H2OContext as:
from pysparkling import *
hc = H2OContext.getOrCreate(spark)
You can also start PySparkling shell without the configuration and specify it using the setters on H2OConf as:
from pysparkling import *
conf = H2OConf(spark).setAutoFlowSslEnabled().setVerifySslCertificates(False)
hc = H2OContext.getOrCreate(spark, conf)
R
To enable https in RSparkling using this mode, run in your RStudio:
library(rsparkling)
sc <- spark_connect(master = "local")
conf <- H2OConf(sc)$setAutoFlowSslEnabled()$setVerifySslCertificates(FALSE)
hc <- H2OContext.getOrCreate(sc, conf)
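The options from both sections can be checked before launch. The following is an added example, not code from Sparkling Water or from the original page: it parses a launcher command line and reports which Flow HTTPS settings are in effect. The function names, finding codes and the assumed defaults (automatic generation off and certificate verification on when unset) are illustrative assumptions.

```python
import shlex

# Option names are the ones documented on this page.
JKS = "spark.ext.h2o.jks"
JKS_PASS = "spark.ext.h2o.jks.pass"
AUTO_SSL = "spark.ext.h2o.auto.flow.ssl"
VERIFY = "spark.ext.h2o.verify_ssl_certificates"


def parse_conf(command_line):
    """Collect the --conf key=value pairs from a launcher command line."""
    args = shlex.split(command_line)
    conf = {}
    for flag, pair in zip(args, args[1:]):
        if flag == "--conf" and "=" in pair:
            key, value = pair.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def audit_flow_ssl(command_line):
    """Return finding codes for the Flow HTTPS settings on a command line."""
    conf = parse_conf(command_line)
    # Assumption: unset boolean options take the defaults used below.
    auto = conf.get(AUTO_SSL, "false").lower() == "true"
    verify = conf.get(VERIFY, "true").lower() == "true"
    findings = []
    if JKS not in conf and not auto:
        findings.append("NO_HTTPS")          # neither mode from this page is enabled
    if JKS in conf and JKS_PASS not in conf:
        findings.append("MISSING_JKS_PASS")  # the page requires both options
    if JKS_PASS in conf:
        findings.append("PASSWORD_IN_ARGV")  # visible in the process listing
    if auto:
        findings.append("SELF_SIGNED_ONLY")  # auto mode creates self-signed certs
    if not verify:
        findings.append("VERIFY_DISABLED")   # certificate verification is skipped
    return findings


# Constructed sample command lines, modelled on the ones shown above.
SAMPLES = {
    "keystore": 'bin/sparkling-shell --conf "spark.ext.h2o.jks=/path/to/keystore" '
                '--conf "spark.ext.h2o.jks.pass=password"',
    "auto": 'bin/pysparkling --conf "spark.ext.h2o.auto.flow.ssl=true" '
            '--conf "spark.ext.h2o.verify_ssl_certificates=false"',
    "plain": "bin/sparkling-shell",
}

if __name__ == "__main__":
    for name, cmd in SAMPLES.items():
        print(name, audit_flow_ssl(cmd))
```

Setting the keystore password through setJksPass on H2OConf, as shown in the setter examples, keeps it out of the launcher arguments and clears the PASSWORD_IN_ARGV finding.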