potiuk opened a new pull request, #994: URL: https://github.com/apache/ranger/pull/994
**This is a proposal for the Apache Ranger PMC to review — please correct, reject, or discuss as needed.** The maintainers are the decision-makers; nothing here is a requirement. This PR proposes a **draft v0 threat model** for Apache Ranger, plus the conventional `AGENTS.md → SECURITY.md → THREAT_MODEL.md` discoverability chain (Ranger currently has no `SECURITY.md`). Context: the ASF Security team is preparing the project for an automated agentic security scan we're piloting; such scans need the model to be mechanically discoverable, and run far less noisily when a model exists. The Security team reached out separately on the PMC's private list with the program details. The model is written from Ranger's own public artefacts (README, ranger.apache.org, the FAQ, the public REST API docs, the repo layout) and focuses on the high-value boundaries: the policy decision/distribution path (Admin authors → plugins pull + cache), the Admin REST API, the trust placed in the per-service plugins (PEPs), and Ranger KMS. Every claim carries a provenance tag: - *(documented)* — grounded in a Ranger doc/repo fact; cited inline. (18 claims) - *(inferred)* — the Security team's reasoning, **not yet confirmed**. (47 claims) Because this is v0 with no maintainer input yet, it's mostly *(inferred)*. **Every *(inferred)* claim has a matching question in §14 "Open questions"** (20 questions in 4 waves). The fastest path: walk §14 and reply confirm / correct / strike per line — react, don't compose. We fold your answers in and the *(inferred)* tags become *(maintainer)*. A few decisions reshape the whole model — Wave 1 especially: the no-match default (deny vs. fall-through to native ACLs), the transport-security default, and the default admin credential. Those three most determine which reports are real findings vs. by-design. If the PMC would rather author the model yourselves, close this PR and we'll wait — this is a starting point, not an imposition. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
