Gyula Fora created FLINK-36162:
----------------------------------

             Summary: Remove flinkStateSnapshotReference and namespace from FlinkStateSnapshot jobReference
                 Key: FLINK-36162
                 URL: https://issues.apache.org/jira/browse/FLINK-36162
             Project: Flink
          Issue Type: Sub-task
          Components: Kubernetes Operator
            Reporter: Gyula Fora
            Assignee: Gyula Fora


I think in the initial version we should remove both the newly introduced 
job.spec.flinkStateSnapshotReference and 
FlinkStateSnapshot.jobReference.namespace fields as they generally allow users 
to trigger and access savepoint paths from namespaces where the user may not 
have permissions.

Let me give you 2 examples:

jobReference.namespace allows us to trigger a savepoint for a job in a 
different namespace. This works as long as the operator has access to the user 
and does not verify that the current user in fact does. This may ultimately 
allow us to trigger a savepoint to a custom place and even steal the state.

In a similar way the initial flinkStateSnapshot reference would allow us to 
steal a savepoint path that we normally don't know/have access to and store it 
in our resource.

I suggest simply removing these until we have a good way to solve these 
issues. I think there is generally not much use for these fields overall.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
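
The following audit check is an added example, not part of the original message or of the Flink Kubernetes Operator code: it scans manifests for the two fields named in the issue and reports any reference that points outside the resource's own namespace. The nesting of the fields, the `namespace` key on `flinkStateSnapshotReference`, and all sample manifests are assumptions constructed for illustration.

```python
# Added example: flag cross-namespace snapshot/job references in manifests.
# Only the two field names come from the issue; their layout is assumed.
REFERENCE_KEYS = ("jobReference", "flinkStateSnapshotReference")

def _walk(node, path):
    """Yield (path, key, value) for every mapping entry nested under node."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}"
            yield here, key, value
            yield from _walk(value, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from _walk(item, f"{path}[{i}]")

def cross_namespace_refs(resource):
    """Return one finding per reference that names a foreign namespace."""
    meta = resource.get("metadata", {})
    own_ns = meta.get("namespace", "default")  # Kubernetes default namespace
    findings = []
    for path, key, value in _walk(resource.get("spec", {}), "spec"):
        if key not in REFERENCE_KEYS or not isinstance(value, dict):
            continue
        target_ns = value.get("namespace")
        if target_ns and target_ns != own_ns:
            findings.append({"resource": f"{resource.get('kind')}/{meta.get('name')}",
                             "field": path, "own": own_ns, "target": target_ns})
    return findings

# Constructed sample manifests (hypothetical names and namespaces).
SNAPSHOT_FOREIGN = {
    "kind": "FlinkStateSnapshot",
    "metadata": {"name": "snap-1", "namespace": "team-a"},
    "spec": {"jobReference": {"kind": "FlinkDeployment", "name": "payments",
                              "namespace": "team-b"}},
}
DEPLOYMENT_FOREIGN = {
    "kind": "FlinkDeployment",
    "metadata": {"name": "copy", "namespace": "team-a"},
    "spec": {"job": {"flinkStateSnapshotReference": {"name": "snap-9",
                                                     "namespace": "team-b"}}},
}
SNAPSHOT_LOCAL = {
    "kind": "FlinkStateSnapshot",
    "metadata": {"name": "snap-2", "namespace": "team-a"},
    "spec": {"jobReference": {"kind": "FlinkDeployment", "name": "etl"}},
}

if __name__ == "__main__":
    for manifest in (SNAPSHOT_FOREIGN, DEPLOYMENT_FOREIGN, SNAPSHOT_LOCAL):
        print(manifest["metadata"]["name"], cross_namespace_refs(manifest))
```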
