Hi Gabor,
The issue is that, read permission is not getting checked when Flink FileSource
is listing the files under given source directory.
This is happening as Security Manager is coming as null.
public String[] list() {
SecurityManager security = System.getSecurityManager(); -> Here Security
Manager is coming as Null.
if (security != null) {
security.checkRead(path);
}
if (isInvalid()) {
return null;
}
return fs.list(this);
}
While debugging it, found a method in Flink Security manager like below, hence
I suspected towards it and queried to know the role of Flink Security manager.
public static void setFromConfiguration(Configuration configuration) {
final FlinkSecurityManager flinkSecurityManager =
FlinkSecurityManager.fromConfiguration(configuration);
if (flinkSecurityManager != null) {
try {
System.setSecurityManager(flinkSecurityManager);
} catch (Exception e) {
…
…
Regards,
Kirti Dhar
From: Gabor Somogyi <gabor.g.somo...@gmail.com>
Sent: Wednesday, March 6, 2024 7:17 PM
To: Kirti Dhar Upadhyay K <kirti.k.dhar.upadh...@ericsson.com>
Cc: User@flink.apache.org
Subject: Re: SecurityManager in Flink
Hi Kirti,
Not sure what is the exact issue here but I'm not convinced that having
FlinkSecurityManager is going to solve it.
Here is the condition however:
* cluster.intercept-user-system-exit != DISABLED (this must be changed)
* cluster.processes.halt-on-fatal-error == false (this is good by default)
Here is a gist what Flink's SecurityManager does:
/**
* {@code FlinkSecurityManager} to control certain behaviors that can be
captured by Java system
* security manager. It can be used to control unexpected user behaviors that
potentially impact
* cluster availability, for example, it can warn or prevent user code from
terminating JVM by
* System.exit or halt by logging or throwing an exception. This does not
necessarily prevent
* malicious users who try to tweak security manager on their own, but more for
being dependable
* against user mistakes by gracefully handling them informing users rather
than causing silent
* unavailability.
*/
G
On Wed, Mar 6, 2024 at 11:10 AM Kirti Dhar Upadhyay K via user
<user@flink.apache.org<mailto:user@flink.apache.org>> wrote:
Hi Team,
I am using Flink File Source with Local File System.
I am facing an issue, if source directory does not has read permission, it is
returning the list of files as null instead of throwing permission exception
(refer the highlighted line below), resulting in NPE.
final FileStatus[] containedFiles = fs.listStatus(fileStatus.getPath());
for (FileStatus containedStatus : containedFiles) {
addSplitsForPath(containedStatus, fs, target);
}
Debugging the issue found that, SecurityManager is coming as null while listing
the files, hence skipping the permissions on directory.
What is the way to set SecurityManager in Flink?
Regards,
Kirti Dhar
