XComp commented on a change in pull request #14499: URL: https://github.com/apache/flink/pull/14499#discussion_r558408690
########## File path: flink-runtime/src/main/java/org/apache/flink/runtime/security/FlinkSecurityManager.java ########## @@ -0,0 +1,220 @@ +/* + * Licensed to the Apache Software Foundation (ASF) under one + * or more contributor license agreements. See the NOTICE file + * distributed with this work for additional information + * regarding copyright ownership. The ASF licenses this file + * to you under the Apache License, Version 2.0 (the + * "License"); you may not use this file except in compliance + * with the License. You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +package org.apache.flink.runtime.security; + +import org.apache.flink.annotation.VisibleForTesting; +import org.apache.flink.configuration.ClusterOptions; +import org.apache.flink.configuration.Configuration; +import org.apache.flink.configuration.IllegalConfigurationException; +import org.apache.flink.runtime.UserSystemExitException; +import org.apache.flink.util.Preconditions; + +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import javax.annotation.Nullable; + +import java.security.Permission; +import java.util.function.Consumer; + +/** + * {@code FlinkSecurityManager} to control certain behaviors that can be captured by Java system + * security manager. It can be used to control unexpected user behaviors that potentially impact + * cluster availability, for example, it can warn or prevent user code from terminating JVM by + * System.exit or halt by logging or throwing an exception. This does not necessarily prevent + * malicious users who try to tweak security manager on their own, but more for being dependable + * against user mistakes by gracefully handling them informing users rather than causing silent + * unavailability. + */ +public class FlinkSecurityManager extends SecurityManager { + + static final Logger LOG = LoggerFactory.getLogger(FlinkSecurityManager.class); + + /** + * Security manager reference lastly set to system's security manager by public API. As system + * security manager can be reset with another but still chain-called into this manager properly, + * this reference may not be referenced by System.getSecurityManager, but we still need to + * control runtime check behaviors such as monitoring exit from user code. + */ + private static FlinkSecurityManager flinkSecurityManager; + + private final SecurityManager originalSecurityManager; + private final ThreadLocal<Boolean> monitorUserSystemExit = new InheritableThreadLocal<>(); + private final ClusterOptions.UserSystemExitMode userSystemExitMode; + + /** The behavior to execute when the JVM exists. */ + private final Consumer<Integer> onExitBehavior; + + @VisibleForTesting + FlinkSecurityManager( + ClusterOptions.UserSystemExitMode userSystemExitMode, + @Nullable Consumer<Integer> onExitBehavior) { + this(userSystemExitMode, onExitBehavior, System.getSecurityManager()); + } + + @VisibleForTesting + FlinkSecurityManager( + ClusterOptions.UserSystemExitMode userSystemExitMode, + @Nullable Consumer<Integer> onExitBehavior, + SecurityManager originalSecurityManager) { + this.userSystemExitMode = Preconditions.checkNotNull(userSystemExitMode); + this.onExitBehavior = onExitBehavior; + this.originalSecurityManager = originalSecurityManager; + } + + /** + * Instantiate FlinkUserSecurityManager from configuration. Return null if no security manager + * check is needed, so that a caller can skip setting security manager avoiding runtime check + * cost, if there is no security check set up already. Use {@link #setFromConfiguration} helper, + * which handles disabled case. + * + * @param configuration to instantiate the security manager from + * @return FlinkUserSecurityManager instantiated based on configuration. Return null if + * disabled. + */ + @VisibleForTesting + static FlinkSecurityManager fromConfiguration(Configuration configuration) { Review comment: Fair enough, mentioning it in the docs should be good enough. ---------------------------------------------------------------- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. For queries about this service, please contact Infrastructure at: us...@infra.apache.org
