Configuring the FlinkServer UDF Sandbox

You can upload third-party JAR packages, such as UDFs and dependencies, on the Flink web UI based on job requirements, and invoke dependencies when verifying and running SQL jobs. To ensure that the uploaded JAR file is secure, the sandbox function is enabled for Flink by default. You can set the sandbox permission by setting the flinkserver.security.policy parameter by referring to Configuring Permission of a Specified JAR Package and disable the sandbox by setting the security.manager.enabled parameter by referring to Disabling the FlinkServer Sandbox.

Permissions

A permission consists of the type (mandatory), name, and allowed operation.

Default permission
- Property read permission: permission java.util.PropertyPermission "*", "read"
- Socket permission, allowing connect and resolve to all ports: permission java.net.SocketPermission "*", "connect,resolve"

Standard permission

**Table 1** File permission
Type	Name	Allowed Operation	Example
java.io.FilePermission	Name of a specified file -: all files in the directory and subdirectories *: all files in the directory	read write delete execute	The following permission allows all files to be read, written, deleted, and executed: permission java.io.FilePermission "<< ALL FILES>>", "read,write,delete,execute"; The following permission allows the read of the user's home directory: permission java.io.FilePermission "${user.home}/-", "read";

**Table 2** Socket permission
Type	Name	Allowed Operation	Examples
java.net.SocketPermission	Host name:Port *: all addresses and ports	accept listen connect resolve	The following permission allows all socket operations: permission java.net.SocketPermission ":1-", "accept,listen,connect,resolve"; The following permission allows the establishment of connections to and resolution of specific websites: permission java.net.SocketPermission ".abc.com:1-", "connect,resolve";

**Table 3** Property permission
Type	Name	Allowed Operation	Examples
java.util.PropertyPermission	JVM property name to be accessed	read write	The following permission allows standard read of Java properties: permission java.util.PropertyPermission "java.", "read";

**Table 4** Runtime permission
Type	Name
java.lang.RuntimePermission	accessDeclaredMembers: allows code to use reflection to access private or protected members in other classes. createClassLoader: allows code to create a class loader instance. createSecurityManager: allows code to create a security manager instance, which will allow programmatic implementations to control the sandbox. This is a high-risk operation. With this permission, the UDF can modify or disable the SecurityManager of a service. exitVM: allows the code to shut down the entire VM. getClassLoader: allows code to access the class loader to obtain a specific class. setContextClassLoader: allows code to set the context class loader for a thread. setFactory: allows code to create a socket factory. setIO: allows code to redirect System.in and System.out or System.err input and output streams. setSecurityManager: allows code to set the security manager. stopThread: allows code to invoke the stop() method of the thread class.

**Table 5** Security permission
Type	Name
java.security.SecurityPermission	createAccessControlContext: allows you to create a context environment for an access controller. getPolicy: allows the search of classes that can implement sandbox policies. setPolicy: allows you to set a class that can implement the sandbox policy. This is a high-risk operation. With this permission, the UDF can modify the policy of a service.

**Table 6** Reflection permission
Type	Name
java.lang.reflect.ReflectPermission	suppressAccessChecks: allows reflection to be used to check private variables of any class.

**Table 7** All permission
Type	Name
java.security.AllPermission	None (permission to perform any operation)

If a third-party JAR dependency is used and the following error message is displayed, the sandbox permission is required:

Caused by: java.security.AccessControlException: access denied ("java.io.FilePermission" "xxxx" "read")       
at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)       
at java.security.AccessController.checkPermission(AccessController.java:886)       
at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)       
at java.lang.SecurityManager.checkRead(SecurityManager.java:888)       
at java.io.File.exists(File.java:825)       at com.xxx.ExpireUDF.(ExpireUDF.java:19)

Configuring Permission of a Specified JAR Package

Log in to FusionInsight Manager and access the Flink web UI. For details, see Accessing the Flink Web UI.
Check the storage path of the JAR package.
- Record the UDF storage path.
  Click UDF Management. In the UDF list, view and record the storage path.
- Record the storage path of the third-party dependency.
  Click Dependency Management. In the dependency list, view and record the storage path.
Configure permission for the specified dependency.

Return to FusionInsight Manager, choose Cluster > Services > Flink > Configurations > All Configurations > FlinkServer (Role) > Customization, set flinkserver.security.policy as follows, and save the settings:
- Name: Enter the storage path recorded in 2. If you need to add more paths, click the plus sign (+).
- Value: permission value, which ends with a semicolon (;). For example, permission java.util.PropertyPermission "*", "read";permission java.net.SocketPermission "*", "connect,resolve". For details, see Permissions.
Restart the FlinkServer instance.

Click Instances, select all FlinkServer instances, choose More > Restart Instance, and operate as prompted.

Disabling the FlinkServer Sandbox

Log in to FusionInsight Manager.
Choose Cluster > Services > Flink > Configurations > All Configurations.
Search for the security.manager.enabled parameter and set its value to false.
Click Save.
Click Instances, select all FlinkServer instances, choose More > Restart Instance, and operate as prompted.