flink-dev mailing list archives

From "Wangtao (WangTao)" <wangtao...@huawei.com>
Subject [Discuss] Permission of checkpoint directory
Date Mon, 20 Mar 2017 03:34:20 GMT
Hi All,

The checkpoint directory will store user data, so it is better to keep it with minimum access
rights, like 700, to guard against information leaks.

Current situation:

Users can specify a checkpoint directory (which we will call the "root chp dir" for convenience) through
the configuration system, in either single mode or session mode.

In single mode, the running job will create a sub directory under the root chp dir using its job
id and write checkpoint files into it.

In session mode, every job running in that session will create its own sub directory under the
root chp dir using its own job id and write checkpoint files into it.

Now, in session mode, we don't isolate the users who submit jobs to a session. That is to say,
no matter who submits jobs to this session, we treat the jobs as run by the same user (the one who started the session),
as long as they passed authentication (not supported now, will be done in the future).

Information Leak Threat:

Assume user1 submits a job (in either single or session mode) and writes checkpoint files into
the file system using the default permission, which in most cases is 755.

Then user2 can directly read the checkpoint files written by user1 and obtain user1's data.


The simplest way to fix this is to set the permission of each job's sub directory to the minimum (like
700; we could also make it configurable) at creation time.

What do you think, guys?

Wang Tao
Huawei Technologies Co., Ltd.
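An added example, not code from the post or from Flink: it reproduces, on a local POSIX file system, the leak the message describes (a per-job sub directory created with the default permission, typically 755 under a 022 umask) next to the proposed fix (the sub directory pinned to 700 at creation). The helper names, the job ids and the temporary root chp dir are constructed for this example; Flink itself creates checkpoint directories through its own FileSystem abstraction, and on HDFS the analogous call is FileSystem.mkdirs(Path, FsPermission). One detail the post's "set it at creation" glosses over is that mkdir's mode argument is masked by the process umask, so the hardened helper follows mkdir with an explicit chmod.

```python
import os
import shutil
import stat
import tempfile


def mode_of(path: str) -> int:
    """Permission bits of a path as an int (0o755, 0o700, ...)."""
    return stat.S_IMODE(os.stat(path).st_mode)


def create_job_checkpoint_dir_default(root_chp_dir: str, job_id: str) -> str:
    """The 'current situation' from the post: no explicit mode, so the job's
    sub directory gets 777 & ~umask, which is 755 (world-readable) under the
    common 022 umask. Any other local user can list and read it."""
    job_dir = os.path.join(root_chp_dir, job_id)
    os.mkdir(job_dir)
    return job_dir


def create_job_checkpoint_dir(root_chp_dir: str, job_id: str, mode: int = 0o700) -> str:
    """The proposed fix: create the job's sub directory with minimum rights.

    os.mkdir(path, mode) can only be narrowed by the umask, never widened, so
    requesting 0o700 is already safe; the chmod afterwards pins the mode
    exactly so a configurable value is honoured regardless of umask."""
    job_dir = os.path.join(root_chp_dir, job_id)
    os.mkdir(job_dir, mode)
    os.chmod(job_dir, mode)
    return job_dir


def is_readable_by_others(path: str) -> bool:
    """True if group or others have read or traverse rights on the directory."""
    return bool(mode_of(path) & (stat.S_IRGRP | stat.S_IXGRP | stat.S_IROTH | stat.S_IXOTH))


def audit_root_chp_dir(root_chp_dir: str) -> list:
    """Return the job ids whose checkpoint sub directory leaks to other users.
    Useful as a one-off check on an existing root chp dir."""
    leaky = []
    for name in sorted(os.listdir(root_chp_dir)):
        job_dir = os.path.join(root_chp_dir, name)
        if os.path.isdir(job_dir) and is_readable_by_others(job_dir):
            leaky.append(name)
    return leaky


def demo():
    """Create one job dir each way under a constructed root chp dir and audit it.
    Returns (leaky job ids, {job id: mode}) and removes the temp dir."""
    root = tempfile.mkdtemp(prefix="root-chp-dir-")  # constructed root chp dir
    old_umask = os.umask(0o022)  # the typical default umask, so mkdir() yields 755
    try:
        create_job_checkpoint_dir_default(root, "job-user1-default")
        create_job_checkpoint_dir(root, "job-user1-hardened")
        leaky = audit_root_chp_dir(root)
        modes = {name: mode_of(os.path.join(root, name)) for name in sorted(os.listdir(root))}
    finally:
        os.umask(old_umask)
        shutil.rmtree(root, ignore_errors=True)
    return leaky, modes


if __name__ == "__main__":
    leaky, modes = demo()
    for name, mode in modes.items():
        print(f"{name}: {oct(mode)}")
    print("readable by other users:", leaky)
```

Because directory traversal needs the execute bit on the directory itself, a 700 sub directory protects the checkpoint files inside it even if those files are later written with a wider mode; the root chp dir still has to be traversable (at least x for the submitting users) or no job can reach its own sub directory. The audit function is the check an operator would run once on an existing deployment before and after changing the default.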
