Prior discussion at https://github.com/apache/flink/pull/3335
> On Mar 19, 2017, at 11:34 PM, Wangtao (WangTao) <wangtao...@huawei.com> wrote:
>
> Hi All,
>
> The checkpoint directory will store user data, and it is better to keep it with minimum access rights, like 700, in case of information leaks.
>
> Current situation:
>
> Users can specify a checkpoint directory (which we call the "root chp dir" for convenience) through the configuration system, in either single mode or session mode.
>
> In single mode, the running job will create a subdirectory under the root chp dir using its job id and write checkpoint files into it.
>
> In session mode, every job running in that session will create its own subdirectory under the root chp dir using its own job id and write checkpoint files into it.
>
> Currently, in session mode, we don't isolate users who submit jobs to a session; that is to say, no matter who submits jobs to the session, we treat the jobs as run by the same user (who started the session), as long as they passed authentication (not supported now, will be done in future).
>
> Information Leak Threat:
>
> Assume user1 submits a job (in either single or session mode) and writes checkpoint files into the file system using the default permission, which in most cases is, let's say, 755.
>
> Then user2 can directly read the checkpoint files written by user1 and can get user1's data.
>
> Solution:
>
> The simplest way to fix this is to set the permissions of each job's subdirectory to the minimum (like 700; we can also make it configurable) at creation.
>
> What do you think, guys?
>
>
> Wang Tao
> wangtao...@huawei.com
> Huawei Technologies Co., Ltd.
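The fix proposed above (creating each job's subdirectory under the root checkpoint directory with owner-only permissions), plus an audit that flags existing job subdirectories still exposed to group or other users, as an added example that is not part of the original thread or of Flink's own code; the function names, the job ids and the temporary root directory are assumptions made for illustration.

```python
import os
import shutil
import stat
import tempfile

# Owner-only mode for per-job checkpoint subdirectories, as proposed in the thread.
JOB_DIR_MODE = 0o700
# Any of these bits lets group or other users read, list or traverse the directory.
GROUP_OTHER_BITS = 0o077


def create_job_checkpoint_dir(root_chp_dir: str, job_id: str) -> str:
    """Create <root_chp_dir>/<job_id> with owner-only access and return its path.

    The mode is handed to mkdir itself instead of being applied afterwards with
    chmod, so the directory never exists with the process's umask-derived default.
    A umask can only clear bits, so 0o700 is never widened by it.
    """
    path = os.path.join(root_chp_dir, job_id)
    os.mkdir(path, JOB_DIR_MODE)
    # Re-read what the filesystem actually recorded (some mounts ignore the mode
    # argument) and tighten it if any group/other bit survived.
    if stat.S_IMODE(os.stat(path).st_mode) & GROUP_OTHER_BITS:
        os.chmod(path, JOB_DIR_MODE)
    return path


def find_exposed_job_dirs(root_chp_dir: str) -> list:
    """Audit an existing root checkpoint dir: return the names of job
    subdirectories that grant any permission to group or other users."""
    exposed = []
    for name in sorted(os.listdir(root_chp_dir)):
        st = os.lstat(os.path.join(root_chp_dir, name))
        if stat.S_ISDIR(st.st_mode) and stat.S_IMODE(st.st_mode) & GROUP_OTHER_BITS:
            exposed.append(name)
    return exposed


def demo() -> dict:
    """Constructed scenario: one pre-existing job dir written with the common
    755 default next to one created by the hardened helper."""
    root = tempfile.mkdtemp(prefix="root-chp-dir-")  # assumed root chp dir
    try:
        old = os.path.join(root, "job-legacy")      # constructed job id
        os.mkdir(old)
        os.chmod(old, 0o755)                         # the leaky default from the thread
        new = create_job_checkpoint_dir(root, "job-hardened")  # constructed job id
        return {"new_mode": stat.S_IMODE(os.stat(new).st_mode),
                "exposed": find_exposed_job_dirs(root)}
    finally:
        shutil.rmtree(root)
```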