[
https://issues.apache.org/jira/browse/FLINK-5818?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15873718#comment-15873718
]
ASF GitHub Bot commented on FLINK-5818:
---------------------------------------
Github user StephanEwen commented on the issue:
https://github.com/apache/flink/pull/3335
@WangTaoTheTonic Am I right in assuming that your scenario assumes that
multiple different users submit Flink jobs and these jobs cannot be "prepared"
by a script that sets up a dedicated checkpoint directory with the respective
permissions?
If we see that as a use case we want to support, then I could see this as
an optional feature of the `FsStateBackend`. The configuration for that backend
could take an optional parameter `state.backend.fs.permissions`. If that
parameter is non-null, the state backed applies it onto the root directory.
That way we keep the change local to the `FsStateBackend` (which is implicitly
also used by the RocksDBStateBackend) and optional.
What you all think about that proposal?
> change checkpoint dir permission to 700 for security reason
> -----------------------------------------------------------
>
> Key: FLINK-5818
> URL: https://issues.apache.org/jira/browse/FLINK-5818
> Project: Flink
> Issue Type: Sub-task
> Components: Security, State Backends, Checkpointing
> Reporter: Tao Wang
>
> Now checkpoint directory is made w/o specified permission, so it is easy for
> another user to delete or read files under it, which will cause restore
> failure or information leak.
> It's better to lower it down to 700.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
