Updated on 2024-12-13 GMT+08:00

Configuring the FlinkServer UDF Sandbox

You can upload third-party JAR packages, such as UDFs and dependencies, on the Flink web UI based on job requirements, and invoke dependencies when verifying and running SQL jobs. To ensure that the uploaded JAR file is secure, the sandbox function is enabled for Flink by default. You can set the sandbox permission by setting the flinkserver.security.policy parameter by referring to Configuring Permission of a Specified JAR Package and disable the sandbox by setting the security.manager.enabled parameter by referring to Disabling the FlinkServer Sandbox.

Permissions

A permission consists of the type (mandatory), name, and allowed operation.

  • Default permission
    • Property read permission: permission java.util.PropertyPermission "*", "read"
    • Socket permission, allowing connect and resolve to all ports: permission java.net.SocketPermission "*", "connect,resolve"
  • Standard permission
    Table 1 File permission

    Type

    Name

    Allowed Operation

    Example

    java.io.FilePermission

    • Name of a specified file
    • -: all files in the directory and subdirectories
    • *: all files in the directory
    • read
    • write
    • delete
    • execute
    • The following permission allows all files to be read, written, deleted, and executed:

      permission java.io.FilePermission "<< ALL FILES>>", "read,write,delete,execute";

    • The following permission allows the read of the user's home directory:

      permission java.io.FilePermission "${user.home}/-", "read";

    Table 2 Socket permission

    Type

    Name

    Allowed Operation

    Examples

    java.net.SocketPermission

    • Host name:Port
    • *: all addresses and ports
    • accept
    • listen
    • connect
    • resolve
    • The following permission allows all socket operations:

      permission java.net.SocketPermission ":1-", "accept,listen,connect,resolve";

    • The following permission allows the establishment of connections to and resolution of specific websites:

      permission java.net.SocketPermission ".abc.com:1-", "connect,resolve";

    Table 3 Property permission

    Type

    Name

    Allowed Operation

    Examples

    java.util.PropertyPermission

    JVM property name to be accessed

    • read
    • write

    The following permission allows standard read of Java properties:

    permission java.util.PropertyPermission "java.", "read";

    Table 4 Runtime permission

    Type

    Name

    java.lang.RuntimePermission

    • accessDeclaredMembers: allows code to use reflection to access private or protected members in other classes.
    • createClassLoader: allows code to create a class loader instance.
    • createSecurityManager: allows code to create a security manager instance, which will allow programmatic implementations to control the sandbox. This is a high-risk operation. With this permission, the UDF can modify or disable the SecurityManager of a service.
    • exitVM: allows the code to shut down the entire VM.
    • getClassLoader: allows code to access the class loader to obtain a specific class.
    • setContextClassLoader: allows code to set the context class loader for a thread.
    • setFactory: allows code to create a socket factory.
    • setIO: allows code to redirect System.in and System.out or System.err input and output streams.
    • setSecurityManager: allows code to set the security manager.
    • stopThread: allows code to invoke the stop() method of the thread class.
    Table 5 Security permission

    Type

    Name

    java.security.SecurityPermission

    • createAccessControlContext: allows you to create a context environment for an access controller.
    • getPolicy: allows the search of classes that can implement sandbox policies.
    • setPolicy: allows you to set a class that can implement the sandbox policy. This is a high-risk operation. With this permission, the UDF can modify the policy of a service.
    Table 6 Reflection permission

    Type

    Name

    java.lang.reflect.ReflectPermission

    suppressAccessChecks: allows reflection to be used to check private variables of any class.

    Table 7 All permission

    Type

    Name

    java.security.AllPermission

    None (permission to perform any operation)

    If a third-party JAR dependency is used and the following error message is displayed, the sandbox permission is required:

    Caused by: java.security.AccessControlException: access denied ("java.io.FilePermission" "xxxx" "read")       
    at java.security.AccessControlContext.checkPermission(AccessControlContext.java:472)       
    at java.security.AccessController.checkPermission(AccessController.java:886)       
    at java.lang.SecurityManager.checkPermission(SecurityManager.java:549)       
    at java.lang.SecurityManager.checkRead(SecurityManager.java:888)       
    at java.io.File.exists(File.java:825)       at com.xxx.ExpireUDF.(ExpireUDF.java:19)

Configuring Permission of a Specified JAR Package

  1. Log in to FusionInsight Manager and access the Flink web UI. For details, see Accessing the FlinkServer Web UI.
  2. Check the storage path of the JAR package.

    • Record the UDF storage path.

      Click UDF Management. In the UDF list, view and record the storage path.

    • Record the storage path of the third-party dependency.

      Click Dependency Management. In the dependency list, view and record the storage path.

  3. Configure permission for the specified dependency.

    Return to FusionInsight Manager, choose Cluster > Services > Flink > Configurations > All Configurations > FlinkServer (Role) > Customization, set flinkserver.security.policy as follows, and save the settings:

    • Name: Enter the storage path recorded in 2. If you need to add more paths, click the plus sign (+).
    • Value: permission value, which ends with a semicolon (;). For example, permission java.util.PropertyPermission "*", "read";permission java.net.SocketPermission "*", "connect,resolve". For details, see Permissions.

  4. Restart the FlinkServer instance.

    Click Instances, select all FlinkServer instances, choose More > Restart Instance, and operate as prompted.

Disabling the FlinkServer Sandbox

  1. Log in to FusionInsight Manager.
  2. Choose Cluster > Services > Flink > Configurations > All Configurations.
  3. Search for the security.manager.enabled parameter and set its value to false.
  4. Click Save.
  5. Click Instances, select all FlinkServer instances, choose More > Restart Instance, and operate as prompted.