potiuk opened a new pull request, #10483: URL: https://github.com/apache/ozone/pull/10483
## What

Adds a **threat model** for Apache Ozone, drafted at the Ozone PMC's request (the GLASSWING / Mythos scan pre-flight needs a discoverable threat model), plus the discoverability chain:

- **`THREAT_MODEL.md`** — the model, following Michael Scovetta's rubric ([public mirror](https://gist.github.com/potiuk/da14a826283038ddfe38cc9fe6310573)).
- **`SECURITY.md`** — your existing policy, **preserved**, with a Threat Model pointer appended.
- **`AGENTS.md`** — routes a vulnerability-research agent through `AGENTS.md -> SECURITY.md -> THREAT_MODEL.md`.

## The model in brief

Ozone is modelled as a **cluster of network services** (S3 Gateway, OM, SCM/internal-CA, Datanodes/Ratis, Recon) with distinct actors: untrusted client, authenticated-but-unauthorized user, operator, service peer, and a **bounded-Byzantine datanode**. The load-bearing knob is **secure mode** (`ozone.security.enabled`): findings that only manifest in non-secure (dev) mode are out of model. The model makes explicit that the KDC, **Ranger policy correctness**, the **SCM CA private key**, KMS keys, and network isolation are operator responsibilities — so scanner/AI reports against those route to "operator-owned" rather than churning.

## DRAFT — you own and merge it

Most claims are tagged *(documented)* from the source/`SECURITY.md`; the architectural assumptions I marked *(inferred)* are gathered as **open questions in section 14**. The two that most shape the model:

- **Q-secure** — confirm secure mode is the supported production posture (and whether the S3 Gateway ever supports intended anonymous access).
- **Q-ratis** — the Ratis honest-majority safety bound you stand behind, and whether there's an **independent block/container integrity check** so a single Byzantine datanode can't serve corrupted data undetected.

Please edit freely. Once merged + discoverable, pre-flight passes and we queue the scan (no deadline pressure — the window is being extended as the ASF moves to Mythos 5).
Generated by the ASF Security team's threat-model tooling (Claude Opus); reviewed before opening.