potiuk commented on PR #10483: URL: https://github.com/apache/ozone/pull/10483#issuecomment-4792566519
Thanks @smengcl — both answers folded into `THREAT_MODEL.md` (just pushed):

- **Q-secure → confirmed.** Secure mode is now stated as the supported production posture (§3/§5a/§10), so non-secure-mode findings are `OUT-OF-MODEL: non-default-build`. For the S3 Gateway specifically I recorded that **with security enabled, anonymous access is rejected** (no plan otherwise, citing [HDDS-7961](https://issues.apache.org/jira/browse/HDDS-7961)) — so an "unauthenticated S3 request accepted in secure mode" finding is `VALID`, not a disclaimed mode.
- **Q-ratis → confirmed.** §7/§8/§9 now state Ratis gives standard Raft safety under an **honest majority** (2 of 3 for `RATIS THREE`) and is **not** BFT. I also captured the integrity nuance you gave: checksum verification on normal reads + replica/container checks detect ordinary single-replica corruption, but there's **no full guarantee against a Byzantine datanode that forges both data and metadata on the path it serves** — that case is explicitly out of model.

Both *(inferred)* tags on those points are now *(maintainer)*.

No rush on the remaining wave-2/3 questions (authz default, token lifetimes, TDE/CSI/Recon scope) — whenever you get to them.

-- 
This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
