XComp commented on a change in pull request #14499:
URL: https://github.com/apache/flink/pull/14499#discussion_r555769208



##########
File path: 
flink-runtime/src/main/java/org/apache/flink/runtime/security/FlinkSecurityManager.java
##########
@@ -0,0 +1,220 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements.  See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership.  The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.apache.flink.runtime.security;
+
+import org.apache.flink.annotation.VisibleForTesting;
+import org.apache.flink.configuration.ClusterOptions;
+import org.apache.flink.configuration.Configuration;
+import org.apache.flink.configuration.IllegalConfigurationException;
+import org.apache.flink.runtime.UserSystemExitException;
+import org.apache.flink.util.Preconditions;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import javax.annotation.Nullable;
+
+import java.security.Permission;
+import java.util.function.Consumer;
+
+/**
+ * {@code FlinkSecurityManager} to control certain behaviors that can be 
captured by Java system
+ * security manager. It can be used to control unexpected user behaviors that 
potentially impact
+ * cluster availability, for example, it can warn or prevent user code from 
terminating JVM by
+ * System.exit or halt by logging or throwing an exception. This does not 
necessarily prevent
+ * malicious users who try to tweak security manager on their own, but more 
for being dependable
+ * against user mistakes by gracefully handling them informing users rather 
than causing silent
+ * unavailability.
+ */
+public class FlinkSecurityManager extends SecurityManager {
+
+    static final Logger LOG = 
LoggerFactory.getLogger(FlinkSecurityManager.class);
+
+    /**
+     * Security manager reference lastly set to system's security manager by 
public API. As system
+     * security manager can be reset with another but still chain-called into 
this manager properly,
+     * this reference may not be referenced by System.getSecurityManager, but 
we still need to
+     * control runtime check behaviors such as monitoring exit from user code.
+     */
+    private static FlinkSecurityManager flinkSecurityManager;
+
+    private final SecurityManager originalSecurityManager;
+    private final ThreadLocal<Boolean> monitorUserSystemExit = new 
InheritableThreadLocal<>();
+    private final ClusterOptions.UserSystemExitMode userSystemExitMode;
+
+    /** The behavior to execute when the JVM exists. */
+    private final Consumer<Integer> onExitBehavior;
+
+    @VisibleForTesting
+    FlinkSecurityManager(
+            ClusterOptions.UserSystemExitMode userSystemExitMode,
+            @Nullable Consumer<Integer> onExitBehavior) {
+        this(userSystemExitMode, onExitBehavior, System.getSecurityManager());
+    }
+
+    @VisibleForTesting
+    FlinkSecurityManager(
+            ClusterOptions.UserSystemExitMode userSystemExitMode,
+            @Nullable Consumer<Integer> onExitBehavior,
+            SecurityManager originalSecurityManager) {
+        this.userSystemExitMode = 
Preconditions.checkNotNull(userSystemExitMode);
+        this.onExitBehavior = onExitBehavior;
+        this.originalSecurityManager = originalSecurityManager;
+    }
+
+    /**
+     * Instantiate FlinkUserSecurityManager from configuration. Return null if 
no security manager
+     * check is needed, so that a caller can skip setting security manager 
avoiding runtime check
+     * cost, if there is no security check set up already. Use {@link 
#setFromConfiguration} helper,
+     * which handles disabled case.
+     *
+     * @param configuration to instantiate the security manager from
+     * @return FlinkUserSecurityManager instantiated based on configuration. 
Return null if
+     *     disabled.
+     */
+    @VisibleForTesting
+    static FlinkSecurityManager fromConfiguration(Configuration configuration) 
{
+        final ClusterOptions.UserSystemExitMode userSystemExitMode =
+                configuration.get(ClusterOptions.INTERCEPT_USER_SYSTEM_EXIT);
+
+        boolean haltOnSystemExit = 
configuration.get(ClusterOptions.HALT_ON_SYSTEM_EXIT);
+
+        // If no check is needed, return null so that caller can avoid setting 
security manager not
+        // to incur any runtime cost.
+        if (userSystemExitMode == ClusterOptions.UserSystemExitMode.DISABLED 
&& !haltOnSystemExit) {
+            return null;
+        }
+        Consumer<Integer> onExitBehavior = null;
+        // If halt on system exit is configured, registers a custom 
SecurityManager which converts
+        // graceful exists calls using {@code System#exit} into forceful exit 
calls using
+        // {@code Runtime#halt}. The latter does not perform a clean shutdown 
using the registered
+        // shutdown hooks. This may be configured to prevent deadlocks with 
Java 8 and the G1
+        // garbage collection, see 
https://issues.apache.org/jira/browse/FLINK-16510.
+        if (haltOnSystemExit) {
+            onExitBehavior = status -> Runtime.getRuntime().halt(status);
+        }
+        LOG.info(
+                "FlinkSecurityManager is created with {} user system exit mode 
and {} exit",
+                userSystemExitMode,
+                haltOnSystemExit ? "forceful" : "graceful");
+        // Add more configuration parameters that need user security manager 
(currently only for
+        // system exit).
+        return new FlinkSecurityManager(userSystemExitMode, onExitBehavior);
+    }
+
+    public static void setFromConfiguration(Configuration configuration) {
+        final FlinkSecurityManager flinkSecurityManager =
+                FlinkSecurityManager.fromConfiguration(configuration);
+        if (flinkSecurityManager != null) {
+            try {
+                System.setSecurityManager(flinkSecurityManager);
+            } catch (Exception e) {
+                throw new IllegalConfigurationException(
+                        String.format(
+                                "Could not register security manager due to no 
permission to "
+                                        + "set a SecurityManager. Either 
update your existing "
+                                        + "SecurityManager to allow the 
permission or not using "
+                                        + "security manager features (e.g., 
'%s: %s', '%s: %s')",
+                                
ClusterOptions.INTERCEPT_USER_SYSTEM_EXIT.key(),
+                                
ClusterOptions.INTERCEPT_USER_SYSTEM_EXIT.defaultValue(),
+                                ClusterOptions.HALT_ON_SYSTEM_EXIT.key(),
+                                
ClusterOptions.HALT_ON_SYSTEM_EXIT.defaultValue(),
+                                e));
+            }
+        }
+        FlinkSecurityManager.flinkSecurityManager = flinkSecurityManager;
+    }
+
+    public static void monitorUserSystemExitForCurrentThread() {
+        if (FlinkSecurityManager.flinkSecurityManager != null) {
+            FlinkSecurityManager.flinkSecurityManager.monitorUserSystemExit();
+        }
+    }
+
+    public static void unmonitorUserSystemExitForCurrentThread() {
+        if (FlinkSecurityManager.flinkSecurityManager != null) {
+            
FlinkSecurityManager.flinkSecurityManager.unmonitorUserSystemExit();
+        }
+    }
+
+    @Override
+    public void checkPermission(Permission perm) {
+        if (originalSecurityManager != null) {
+            originalSecurityManager.checkPermission(perm);
+        }
+    }
+
+    @Override
+    public void checkPermission(Permission perm, Object context) {
+        if (originalSecurityManager != null) {
+            originalSecurityManager.checkPermission(perm, context);
+        }
+    }
+
+    @Override
+    public void checkExit(int status) {
+        if (userSystemExitMonitored()) {
+            switch (userSystemExitMode) {
+                case DISABLED:
+                    break;
+                case LOG:
+                    // Add exception trace log to help users to debug where 
exit came from.
+                    LOG.warn(
+                            "Exiting JVM with status {} is monitored, logging 
and exiting",
+                            status,
+                            new UserSystemExitException());

Review comment:
       A true, cool - that makes sense. Thanks for clarification. :-)




----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
us...@infra.apache.org


Reply via email to