This is an automated email from the ASF dual-hosted git repository.

szetszwo pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ratis.git


The following commit(s) were added to refs/heads/master by this push:
     new af42d0518 RATIS-2305. Add a security doc. (#1270)
af42d0518 is described below

commit af42d05187b7d82e06b8c89feef5228439d9732b
Author: Tsz-Wo Nicholas Sze <[email protected]>
AuthorDate: Mon Jun 2 12:59:37 2025 -0700

    RATIS-2305. Add a security doc. (#1270)
---
 ratis-docs/src/site/markdown/security.md | 46 ++++++++++++++++++++++++++++++++
 1 file changed, 46 insertions(+)

diff --git a/ratis-docs/src/site/markdown/security.md 
b/ratis-docs/src/site/markdown/security.md
new file mode 100644
index 000000000..eb233bf93
--- /dev/null
+++ b/ratis-docs/src/site/markdown/security.md
@@ -0,0 +1,46 @@
+<!---
+  Licensed to the Apache Software Foundation (ASF) under one or more
+  contributor license agreements.  See the NOTICE file distributed with
+  this work for additional information regarding copyright ownership.
+  The ASF licenses this file to You under the Apache License, Version 2.0
+  (the "License"); you may not use this file except in compliance with
+  the License.  You may obtain a copy of the License at
+
+      http://www.apache.org/licenses/LICENSE-2.0
+
+  Unless required by applicable law or agreed to in writing, software
+  distributed under the License is distributed on an "AS IS" BASIS,
+  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  See the License for the specific language governing permissions and
+  limitations under the License.
+-->
+
+# Security
+
+Raft is a consensus algorithm designed for fault tolerance.
+A basic assumption of Raft is that
+ 
+- the servers can trust each other.
+
+In contrast, Raft is not designed to solve the Byzantine Generals Problem,
+which assumes that some of the servers may be malicious.
+
+Apache Ratis is a Raft library
+which supports a pluggable transport.
+Applications using Ratis usually run a transport over a network.
+In such case,
+the applications must either provide secure communications between the servers
+or provide a safe network environment such as running the servers in a private 
network.
+Applications must not accept requests from any untrusted servers.
+
+Below are the TLS Configuration Parameters.
+Applications may use them to build `RaftServer`/`RaftClient` objects for 
establishing secure connections.
+
+| **Property**                            | **Description**                   |
+|:----------------------------------------|:----------------------------------|
+| `raft.grpc.tls.conf`                    | gRPC default TLS conf             |
+| `raft.grpc.server.tls.conf`             | gRPC server TLS conf              |
+| `raft.grpc.client.tls.conf`             | gRPC client TLS conf              |
+| `raft.grpc.admin.tls.conf`              | gRPC admin TLS conf               |
+| `raft.netty.dataStream.server.tls.conf` | Netty data stream server TLS conf |
+| `raft.netty.dataStream.client.tls.conf` | Netty data stream client TLS conf |
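
Review bot: The property table at the end of security.md describes each key only by restating its name (for example `raft.grpc.tls.conf` is "gRPC default TLS conf"), so a reader cannot tell what kind of value a key takes, how the default conf relates to the server, client and admin ones, or what happens when none of them is set. Suggest adding a sentence or a column for the expected value and for precedence, and stating whether connections are unencrypted when these parameters are absent, since the paragraph above makes secure communication a requirement. The sentence "Applications must not accept requests from any untrusted servers." covers servers only; if the trust assumption also applies to clients, say so explicitly. Minor: "In such case," should read "In such a case,", and the `+ ` line before the single-item bullet list carries trailing whitespace.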
