I agree with Till. I think this should be a concern of the user configuring
the port range.

– Ufuk


On Mon, May 25, 2020 at 10:27 AM Till Rohrmann <trohrm...@apache.org> wrote:

> Hi Weike,
>
> would it be good enough if the user did not include unsafe ranges when
> specifying `rest.bind-port`? My concern with excluding unsafe ports is that
> it adds some invisible magic which can be hard to understand for the user.
> I think over the past couple of years it has proven that auto magic often
> leads to hard to understand features.
>
> Cheers,
> Till
>
> On Sat, May 23, 2020 at 7:46 AM DONG, Weike <kyled...@connect.hku.hk>
> wrote:
>
> > Hi dev,
> >
> > Recently we have found that when the `rest.bind-port` parameter is specified
> > as a port range (i.e. "5000-8000"), Flink may bind to some port (like 6000)
> > that is not allowed by Chrome (showing an "ERR_UNSAFE_PORT" message and
> > preventing users from continuing to access the website); similarly, Firefox
> > blocks these unsafe ports as well [1].
> >
> > When I dig further into this issue, I do believe that this restriction is
> > reasonable [2] as Flink may accidentally bind to some port that is
> > generally considered to be used by other services, posing security risks
> > and causing potential confusion to the network administrator.
> >
> > Here I propose that when Flink tries to do port selection in
> > `NetUtils.getPortRangeFromString`, we return an iterator that explicitly
> > skips those unsafe ports, so that those unsafe ports would not be used
> > unless users explicitly specify one in the `rest.port` parameter.
> >
> > I would like to solicit opinions from the community on this matter, thanks
> > : )
> >
> > Sincerely,
> > Weike
> >
> > [1] https://www-archive.mozilla.org/projects/netlib/portbanning#portlist
> > [2] https://superuser.com/questions/188058/which-ports-are-considered-unsafe-by-chrome
> >
>
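
The skipping iterator proposed in the thread, sketched as an added example; it is not Flink's code and was not posted by anyone in the thread. The class and method names are hypothetical, and the blocked-port set is a partial subset assumed for illustration (the full lists are at [1] and [2]).

```java
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
import java.util.stream.Collectors;

public class SafePortRange {
    // Assumption: partial, illustrative subset of browser-blocked ports.
    // Take the authoritative list from references [1] and [2].
    static final Set<Integer> BLOCKED =
            Set.of(2049, 4045, 6000, 6665, 6666, 6667, 6668, 6669);

    /** Expands a spec such as "5000-8000" or "6000,7000-7005" into ports. */
    static List<Integer> expand(String spec) {
        List<Integer> ports = new ArrayList<>();
        for (String part : spec.split(",")) {
            String[] bounds = part.trim().split("-");
            if (bounds.length > 2) {
                throw new IllegalArgumentException("Invalid port range: " + part);
            }
            int lo = Integer.parseInt(bounds[0].trim());
            int hi = bounds.length == 2 ? Integer.parseInt(bounds[1].trim()) : lo;
            if (lo < 0 || hi > 65535 || lo > hi) {
                throw new IllegalArgumentException("Invalid port range: " + part);
            }
            for (int p = lo; p <= hi; p++) {
                ports.add(p);
            }
        }
        return ports;
    }

    /** Candidate ports in order, with browser-blocked ports left out. */
    static Iterator<Integer> safePorts(String spec) {
        return expand(spec).stream().filter(p -> !BLOCKED.contains(p)).iterator();
    }

    /** Ports in the spec that would be skipped, so the skip can be logged. */
    static List<Integer> skipped(String spec) {
        return expand(spec).stream().filter(BLOCKED::contains)
                .collect(Collectors.toList());
    }

    public static void main(String[] args) {
        System.out.println("Skipped in 5000-8000: " + skipped("5000-8000"));
        Iterator<Integer> it = safePorts("5999-6002");
        while (it.hasNext()) {
            System.out.println("Candidate port: " + it.next());
        }
    }
}
```

Logging the result of `skipped` at startup makes the exclusion visible to whoever configured the range.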
