Spark internal RPC links the driver, executors, block managers, and cluster-manager daemons that coordinate a running application. Enabling RPC authentication makes those endpoints prove knowledge of a shared secret before they exchange control messages, which matters when Spark daemons listen on a private network shared by several hosts or teams.
The controlling switch is spark.authenticate. YARN and Kubernetes generate an application-specific secret after authentication is enabled, while Spark Standalone and other unmanaged deployments require the operator to provide the same spark.authenticate.secret anywhere masters, workers, drivers, and executors read Spark configuration.
Static-secret Spark Standalone deployments expose the full rollout boundary because the same credential must reach the master, workers, and submitting clients. RPC authentication is not traffic encryption, so use RPC SSL or Spark network encryption as a separate control when the network path also needs confidentiality.
| Deployment mode | Secret handling |
|---|---|
| Spark Standalone or other unmanaged daemons | Set spark.authenticate and distribute the same protected spark.authenticate.secret to masters, workers, and submitting clients. |
| YARN | Set spark.authenticate. Spark generates a unique secret per application, and secure secret distribution depends on YARN RPC encryption. |
| Kubernetes | Set spark.authenticate. Spark generates a unique secret per application unless mounted secret files are configured, and namespace RBAC must restrict pod-list access because executor pod environment can expose the secret. |
$ openssl rand -base64 32 W4aq2S8nQAO67NYYg6bd3LpZ21nJmRFfFRUex4iSSFA=
Treat the real value as a credential. Store it in a secret manager or protected deployment file, not in shell history, screenshots, tickets, or shared documentation.
$ sudoedit /etc/spark/conf/spark-defaults.conf
The active location can be a packaged /etc/spark/conf directory, a copied /opt/spark/conf directory, or a deployment-specific SPARK_CONF_DIR.
Related: How to configure Spark defaults
spark.authenticate true spark.authenticate.secret W4aq2S8nQAO67NYYg6bd3LpZ21nJmRFfFRUex4iSSFA= spark.master.rest.enabled false
spark.master.rest.enabled false is for the Spark Standalone static-secret path. Leave it out for YARN or Kubernetes submissions unless that setting belongs to a Standalone master in the same configuration set.
$ sudo chmod 640 /etc/spark/conf/spark-defaults.conf
Use the owner and group that run Spark on the host, such as spark:spark, and distribute the same secret through the same protected channel used for other cluster credentials.
$ SPARK_CONF_DIR=/etc/spark/conf spark-class \ org.apache.spark.deploy.master.Master \ --host spark-master.example.net \ --port 7077 INFO SecurityManager: SecurityManager: authentication enabled; RPC SSL disabled INFO Utils: Successfully started service 'sparkMaster' on port 7077. INFO Master: Starting Spark master at spark://spark-master.example.net:7077
Use the service unit, supervisor, or Spark start script that normally owns the daemon in production. The direct foreground command shows the same class and log signal used by the wrapper.
$ SPARK_CONF_DIR=/etc/spark/conf spark-class \ org.apache.spark.deploy.worker.Worker \ spark://spark-master.example.net:7077 INFO SecurityManager: SecurityManager: authentication enabled; RPC SSL disabled INFO Worker: Connecting to master spark-master.example.net:7077... INFO Worker: Successfully registered with master spark://spark-master.example.net:7077
The worker log should show authentication enabled and a successful registration with the master. Check the deployed worker log source when the process is managed by a service wrapper.
Related: How to view Apache Spark logs
from pyspark.sql import SparkSession spark = SparkSession.builder.appName("sg-rpc-auth-smoke").getOrCreate() spark.sparkContext.setLogLevel("ERROR") print(f"spark.authenticate={spark.sparkContext.getConf().get('spark.authenticate')}") print(f"count={spark.range(4).count()}") spark.stop()
$ spark-submit \ --properties-file /etc/spark/conf/spark-defaults.conf \ --master spark://spark-master.example.net:7077 \ sg_rpc_auth_smoke.py INFO SparkContext: Submitted application: sg-rpc-auth-smoke INFO StandaloneSchedulerBackend: Connected to Spark cluster with app ID app-20260706213200-0000 spark.authenticate=true count=4
The output should show spark.authenticate=true and the expected count, which means the submit client loaded the authenticated defaults and scheduled work through the authenticated master and worker.
$ SPARK_CONF_DIR=/tmp/wrong-spark-conf spark-class \ org.apache.spark.deploy.worker.Worker \ spark://spark-master.example.net:7077 INFO SecurityManager: SecurityManager: authentication enabled; RPC SSL disabled ERROR TransportClientFactory: Exception while bootstrapping client javax.security.sasl.SaslException: DIGEST-MD5: digest response format violation. Mismatched response. WARN Worker: Failed to connect to master spark-master.example.net:7077
Run this check only against a disposable or staging worker configuration. A wrong secret on a real worker prevents it from registering with the master.
$ rm -f sg_rpc_auth_smoke.py