potiuk opened a new pull request, #10418: URL: https://github.com/apache/ozone/pull/10418

## What this is

A **draft threat model** for Apache Ozone, proposed by the ASF Security team for the Ozone PMC to review, correct, or reject — drafted from Ozone's public docs/repo against the [ASF Security threat-model rubric](https://gist.github.com/potiuk/da14a826283038ddfe38cc9fe6310573). Scope + path were confirmed by the PMC on the security@ thread.

This PR (HDDS-15465):

- adds `THREAT_MODEL.md` — the draft model;
- appends a `## Threat Model` pointer to the existing `SECURITY.md` (the reporting policy is unchanged);
- adds `AGENTS.md`, wiring `AGENTS.md → SECURITY.md → THREAT_MODEL.md` for automated-scanner discoverability.

## How to read it

Every claim is provenance-tagged — *(documented)* / *(inferred)* (reasoned from architecture, **not yet confirmed**) / *(maintainer)*. This v0 is ~14 documented / ~34 inferred.

The **§14 Open questions** section is where review time is best spent; the highest-impact ones:

- whether a **Kerberos-secured deployment is the in-model baseline** (so findings that only manifest with `ozone.security.enabled=false` / simple auth are out-of-model / non-default) — the single biggest ruling;
- the delegation/block-token gate at the DataNode, the S3-gateway anonymous-access default, native-ACL vs Ranger enforcement, the Ratis inter-node trust posture, and where the resource/DoS line sits.

Scope: `apache/ozone` (OM / SCM / DataNode / S3 gateway / Recon / client); `apache/ozone-thirdparty`'s packaging is in scope, its upstream internals out.

Nothing here is a requirement — the model is the PMC's to own. Comment inline, edit the branch, or reply on the email thread.
