This is an automated email from the ASF dual-hosted git repository.

kumaab pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/ranger.git


The following commit(s) were added to refs/heads/master by this push:
     new b283bdad2 Add THREAT_MODEL.md + AGENTS.md/SECURITY.md discoverability 
chain (#994)
b283bdad2 is described below

commit b283bdad2a04c79e8e0925407a48ed70edc7b039
Author: Jarek Potiuk <[email protected]>
AuthorDate: Sun Jun 14 22:05:07 2026 +0200

    Add THREAT_MODEL.md + AGENTS.md/SECURITY.md discoverability chain (#994)
    
    Co-authored-by: Abhishek Kumar <[email protected]>
---
 AGENTS.md       |  27 +++++
 SECURITY.md     |  29 +++++
 THREAT_MODEL.md | 333 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 389 insertions(+)

diff --git a/AGENTS.md b/AGENTS.md
new file mode 100644
index 000000000..26c8b1241
--- /dev/null
+++ b/AGENTS.md
@@ -0,0 +1,27 @@
+<!--
+SPDX-License-Identifier: Apache-2.0
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    https://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+
+# Agent Guide for ranger
+
+This file is read by automated agents (security scanners, code
+analyzers, AI assistants) operating on this repository.
+
+## Security
+
+Security model: [SECURITY.md](./SECURITY.md)
+
+Agents that scan this repository should consult `SECURITY.md` and the
+threat model it links before reporting issues.
diff --git a/SECURITY.md b/SECURITY.md
new file mode 100644
index 000000000..135e3dcaf
--- /dev/null
+++ b/SECURITY.md
@@ -0,0 +1,29 @@
+<!--
+SPDX-License-Identifier: Apache-2.0
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    https://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+
+# Security Policy
+
+## Reporting a Vulnerability
+
+`apache/ranger` follows the [Apache Software Foundation security 
process](https://www.apache.org/security/). Please report suspected
+vulnerabilities privately to `[email protected]`; do not open public
+GitHub issues or pull requests for security reports.
+
+## Threat Model
+
+What the project treats as in scope and out of scope, the security
+properties it provides and disclaims, the adversary model, and how
+findings are triaged are documented in [THREAT_MODEL.md](./THREAT_MODEL.md).
diff --git a/THREAT_MODEL.md b/THREAT_MODEL.md
new file mode 100644
index 000000000..f879d0a41
--- /dev/null
+++ b/THREAT_MODEL.md
@@ -0,0 +1,333 @@
+<!--
+SPDX-License-Identifier: Apache-2.0
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    https://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+
+# Apache Ranger — Threat Model
+
+## §1 Header
+
+- **Project:** Apache Ranger
+- **Repository:** https://github.com/apache/ranger
+- **Version/commit modeled against:** `master` branch as of 2026-06-03 (no 
specific release tag; this v0 predates maintainer review).
+- **Threat-model authors:** Drafted by the ASF Security team as a v0 
pre-flight artifact for an automated agentic security scan; **reviewed by the 
Apache Ranger PMC (Abhishek Kumar, `@kumaab`) on 2026-06-12**, who answered 
every §14 question — those answers are folded into §1–§13 below.
+- **Date:** 2026-06-03 (v0); 2026-06-12 (v1, PMC-reviewed).
+- **Status:** v1 — PMC-reviewed. All §14 questions were answered by the Ranger 
PMC on 2026-06-12 and folded in; the claims they confirm are promoted to 
*(maintainer)*. Abhishek Kumar (PMC) volunteered to own ongoing revision (§14 
Q20).
+
+**Version binding.** Once ratified, this model is intended to be versioned 
alongside Ranger and tagged with releases. A report against Ranger version *N* 
should be triaged against the model as it stood at *N*, not at HEAD. This v0 
carries no such binding yet.
+
+**Reporting cross-reference.** Apache Ranger has no `SECURITY.md` in the 
repository (confirmed 404) and no dedicated security/threat-model page on 
https://ranger.apache.org/ at the time of writing *(documented — absence 
verified)*. Vulnerabilities in Apache projects are reported to 
`[email protected]` / `[email protected]` per the ASF-wide process. 
Findings that fall under §8 (claimed properties) should be reported through 
that channel; findings that fall under §3 or §9 will b [...]
+
+**Provenance legend.** Every non-trivial claim carries exactly one tag:
+- *(documented)* — stated in Ranger's own docs (README, ranger.apache.org, 
FAQ, API docs) or directly verifiable from the public repository layout; cited 
inline.
+- *(maintainer)* — stated by a Ranger maintainer in response to this process. 
As of 2026-06-12 the PMC has answered all 20 §14 questions (see §14); the 
load-bearing claims they confirmed are tagged *(maintainer, 2026-06-12)*.
+- *(inferred)* — reasoned from code/repo structure, absence of a feature, or 
general domain knowledge. Remaining *(inferred)* tags are claims the PMC has 
not yet individually ratified beyond the §14 answers.
+
+**Confidence:** PMC-reviewed v1 — all 20 §14 questions answered by the 
maintainer on 2026-06-12 and folded into §1–§13. A handful of items (e.g. the 
"no resource guarantee" line, §8 #6) were explicitly deferred by the PMC for 
later ratification.
+
+**What Apache Ranger is.** Apache Ranger is "a framework to enable, monitor 
and manage comprehensive data security across 20+ data processing services" 
*(documented — ranger.apache.org)*. It provides centralized & fine-grained 
authorization, audit, and key management for data services (Trino, Polaris, 
Ozone, HDFS, Hive, HBase, Kafka, NiFi, Knox, Kudu, YARN, Solr, Atlas and 
others). The administrator defines access-control policies in a central web 
application (Ranger Admin); lightweight  [...]
+
+---
+
+## §2 Scope and intended use
+
+**Primary intended use.** Centralized authoring of fine-grained authorization 
policies (resource-based and tag-based) and their enforcement across many 
independent data services, plus unified audit of access decisions and a 
key-management service (Ranger KMS) for HDFS transparent encryption 
*(documented — ranger.apache.org goals: "Centralized security administration", 
"Fine grained authorization", "Centralize auditing of user access")*.
+
+**Deployment context.** Ranger is **not** an in-process library. It is a 
multi-component distributed system deployed across a cluster: a central web 
application/daemon (Ranger Admin, default port 6080 *(documented — README)*), a 
user/group sync daemon, an optional tag-sync daemon, the Ranger KMS daemon, the 
Ranger PDP server that exposes a network authorization API for non-embedded 
callers and a fleet of plugins each embedded inside a separate data-service 
process on separate (typically  [...]
+
+**Caller roles.** Because Ranger is a distributed service rather than a single 
library, "the caller" splits into distinct roles, each modeled separately in 
§6/§7:
+
+- **Security administrator** — authors policies, manages users/roles, views 
audits via the Admin UI or REST API. Trusted for the instance.
+- **Delegated administrator** — a group owner to whom administration of a 
subset of resources has been delegated *(documented — FAQ: "delegate 
administration of certain data to other group owners")*. Trusted for their 
delegated scope only.
+- **Deployed plugin (PEP)** — code running inside a data service, 
authenticated to the Admin server, that downloads policy and enforces it. 
**Fully trusted once authenticated** — a deliberate design choice (§7) 
*(maintainer, 2026-06-12 — §14 Q8)*.
+- **End user of the guarded data service** — the principal whose 
HDFS/Hive/etc. access Ranger authorizes. **Untrusted** with respect to the 
decisions Ranger makes about them; they do not interact with Ranger directly 
but their identity and requested action are the inputs to the PEP. Ranger does 
**not** authenticate the end user at access time — the host service does 
*(maintainer, 2026-06-12 — §14 Q7)*.
+- **Identity source** — LDAP/AD/Unix that usersync reads from. Trusted as the 
authority for user/group membership *(maintainer, 2026-06-12 — §14 Q16)*.
+- **Auditor** — may view policies and access audits but not author them 
(writes are blocked) *(maintainer, 2026-06-12 — §14 Q5/Q10)*.
+- **Key Admin** — administers Ranger KMS keys only *(maintainer, 2026-06-12 — 
§14 Q5)*.
+
+**Component-family table.**
+
+| Family | Representative entry point | Touches outside its process | In this 
model? |
+| --- | --- | --- | --- |
+| Ranger Admin web app | `security-admin/`, `agents-common/`, REST 
`/service/...`, `/public/v2/api/...` *(documented — API docs)* | DB, network 
(serves plugins + UI), LDAP/AD | **In** |
+| PDP service | `pdp/`, `authz-api/`, `authz-embedded/`, `authz-remote/` | 
Network (serves remote authz API); Admin (policy pull); audit sink | **In** 
*(maintainer, 2026-06-12 — §14 Q6/Q10)* |
+| Per-service plugins (PEPs) | `*-agent/` (`hdfs-agent/`, `hive-agent/`, 
`hbase-agent/`), `plugin-*/` (`plugin-kafka/`, `plugin-nifi`, `plugin-ozone`, 
`plugin-trino`, `plugin-kms`), `agents-common/` | Embedded in host service; 
network to Admin; audit sink | **In** |
+| Plugin shims / classloader | `ranger-*-plugin-shim/`, 
`ranger-plugin-classloader/` | Class loading inside host service | **In** (as 
part of PEP delivery) |
+| User/group sync | `ugsync/`, `ugsync-util/` | LDAP/AD/Unix; writes to Admin 
DB | **In** |
+| Tag sync | `tagsync/` | Atlas/Kafka; writes to Admin | **In** |
+| Audit framework | `agents-audit/`, `audit-server/` | 
Solr/OpenSearch/Kafka/HDFS/DB audit sinks | **In** |
+| Ranger KMS | `kms/`, `plugin-kms/` | Key store (DB/HSM), HDFS 
NameNode/DataNode | **In** (model at its own trust level — handles key 
material) |
+| Authentication | `ranger-authn/`, `unixauthservice/`, `agents-cred/`, 
`credentialbuilder/` | Kerberos/SPNEGO/LDAP; credential stores | **In** |
+| Examples / sample app + tools | `ranger-examples/`, `ranger-tools/` 
*(documented — repo layout)* | Demo / utility | **In** *(maintainer, 2026-06-12 
— §14 Q4)* |
+| Build / install / migration / ugsync tooling | `distro/`, 
`agents-installer/`, `migration-util/`, ugsync 
`filesourceusersynctool`/`ldapconfigchecktool`, `dev-support/` | Build/deploy 
host | **Out** *(maintainer, 2026-06-12 — §14 Q4)* |
+
+---
+
+## §3 Out of scope (explicit non-goals)
+
+- **Build, packaging, install, and migration tooling** (`distro/`, 
`agents-installer/`, `migration-util/`, Docker build scripts) **and the ugsync 
utilities `filesourceusersynctool` / `ldapconfigchecktool`.** SDLC/deployment 
hygiene, not the runtime trust surface *(maintainer, 2026-06-12 — §14 Q4)*. 
**Note:** unlike a typical project, `ranger-examples/` and `ranger-tools/` are 
**IN** scope here per the PMC (§2) — do not treat example/tool code as 
out-of-model.
+- **The guarded data services themselves.** Ranger authorizes access *within* 
HDFS, Hive, HBase, etc., but it does not own those services' own attack surface 
(e.g., an HDFS RPC bug). Ranger's responsibility begins at the authorization 
decision and ends at returning allow/deny to the host service *(inferred)*.
+- **Authentication of end users.** Ranger authorizes an 
*already-authenticated* principal; establishing that the principal is who they 
claim (Kerberos ticket validation, etc.) is performed by the host data service 
/ cluster Kerberos infrastructure, not by Ranger's PDP. Ranger trusts the 
identity the PEP presents *(inferred)*.
+- **Network transport security as a Ranger guarantee.** Whether plugin↔Admin 
and UI↔Admin traffic is TLS-protected is a deployment configuration concern; 
Ranger supports it but does not enforce it at the protocol layer *(inferred)*.
+- **Correctness/security of third-party identity stores** (LDAP/AD) and 
audit/key backends (Solr, HDFS, RDBMS, HSM). Ranger integrates with them but 
does not model their internal threats *(inferred)*.
+- **Defense against a fully-compromised host running a plugin.** A plugin runs 
inside the data-service process on a cluster node; an attacker with code 
execution on that node has already defeated the PEP locally (see §7) 
*(inferred)*.
+
+---
+
+## §4 Trust boundaries and data flow
+
+**Where the boundary sits.** Ranger has several trust boundaries, not one:
+
+1. **End user ↔ guarded data service (the access request).** The user's 
identity + requested resource/action enters the host service, which calls the 
embedded Ranger plugin (PEP). This is the primary *untrusted-input* boundary: 
the requested resource name and action are derived from an untrusted user, 
though the *identity* is asserted by the host service's authentication layer, 
which Ranger trusts *(inferred)*.
+
+2. **Plugin (PEP) ↔ Ranger Admin (policy distribution).** Plugins "pull the 
policy-changes using REST API at a configured regular interval (e.g.: 30 
second)" *(documented — FAQ)*. The plugin trusts that the policy it downloads 
genuinely originates from the legitimate Admin server, and the Admin trusts 
that only authorized plugins download policy. This boundary is authenticated 
via **Kerberos, JWT, or header-based auth with a trusted proxy** — the 
policy-download path (and the separate PD [...]
+
+3. **Admin UI / REST client ↔ Ranger Admin (administration).** Administrators 
author policy and read audits over `/service/...` and `/public/v2/api/...` REST 
endpoints *(documented — API docs)*. This is the highest-value boundary: anyone 
who can author policy can grant themselves or others access to all guarded data.
+
+4. **Usersync/tagsync ↔ Admin, and Admin ↔ DB / audit sink / key store.** 
Internal data-plane boundaries; integrity of the user/group/role data and the 
policy store determines the integrity of every downstream decision *(inferred)*.
+
+5. **Client ↔ PDP service** (remote authorization request). Where a caller 
cannot embed a PEP, it calls the PDP's /authz/* API with (principal, resource, 
action). Authenticated (Kerberos/JWT/trusted-header); the resource/action are 
attacker-influenced, the principal is asserted by the authenticated caller — 
same trust split as the in-process PEP, but over the network (inferred).
+
+**Data flow (authorization path).** Untrusted user request → host service 
authenticates principal → host service calls embedded Ranger plugin with 
(principal, resource, action) → plugin evaluates locally-cached policy 
(resource-based + tag-based) → returns allow/deny → plugin emits an audit 
record to the configured sink → host service enforces the decision *(documented 
in part — FAQ; full flow inferred)*.
+
+**Reachability preconditions per component (the triager's first test):**
+
+- A finding in a **plugin / `agents-common`** is in-model only if reachable 
from a policy-evaluation input — i.e., from the (principal, resource, action) 
tuple of an untrusted access request, or from the downloaded policy document, 
or from the plugin's local config *(inferred)*.
+- A finding in the **PDP service (`pdp/`, `authz-api/`, `authz-embedded/`, 
`authz-remote/`)** is reached over the network, not in-process. Its 
authorization API (`/authz/*`) requires an authenticated client 
(Kerberos/JWT/trusted-header; the server refuses to start with no auth handler 
configured), so treat it like an authenticated **Ranger Admin REST** endpoint — 
there is no anonymous path into the authz API. Only the 
liveness/readiness/metrics probes (`/health/live`, `/health/ready`, `/ [...]
+- A finding in **Ranger Admin REST** is in-model only if reachable by an actor 
the endpoint's auth permits — distinguish endpoints reachable by an 
*unauthenticated* network peer from those requiring an authenticated 
admin/plugin identity *(inferred)*.
+- A finding in **usersync/tagsync** is in-model only if reachable from the 
external identity/tag source data or its configuration *(inferred)*.
+- A finding in **Ranger KMS** is in-model only if reachable from a 
key-operation request or the key store contents *(inferred)*.
+- A finding in **`ranger-examples/`** is out of model (§3) *(inferred)*.
+
+---
+
+## §5 Assumptions about the environment
+
+- **Runtime.** JVM-based (Java). The README mandates 
`--add-opens=java.base/java.nio=ALL-UNNAMED` and related flags for supported 
operation *(documented — README)*, implying modern JDK module assumptions.
+- **Network.** Components are assumed deployed within a cluster network where 
plugin nodes are administered hosts, not arbitrary internet-facing machines 
*(inferred)*. The Admin listens on 6080 by default *(documented — README)*.
+- **Cluster identity infrastructure.** Ranger assumes an external 
authentication authority (typically Kerberos in a Hadoop cluster, plus LDAP/AD 
for user/group identity) establishes principal identity before authorization is 
requested *(inferred)*.
+- **Persistent stores.** A relational database backs the Admin 
policy/audit/user store; audit may additionally target Solr and/or HDFS; KMS 
keys live in a DB or HSM. Ranger assumes these stores are themselves 
access-controlled and integrity-preserving *(inferred)*.
+- **Concurrency.** The Admin is a multi-user web application; plugins serve 
concurrent authorization calls inside multi-threaded host services. 
Thread-safety of the policy-evaluation engine under concurrent reads + periodic 
policy refresh is assumed *(inferred)*.
+- **Clock.** Time-bound policies (validity schedules) assume reasonably 
synchronized clocks across Admin and plugin nodes *(inferred)*.
+
+**What Ranger does *not* do to its host (negative side-effect inventory — 
predominantly inference, high-priority confirmation target):**
+- A plugin is assumed **not** to alter the host service's behavior beyond 
returning allow/deny + emitting audit (no spawning, no opening unrelated 
sockets, no mutating unrelated host state) *(inferred)*.
+- The plugin is assumed **not** to phone home anywhere except the configured 
Admin server and audit sink *(inferred)*.
+- Failure mode is assumed **fail-safe**: if policy cannot be evaluated, the 
documented behavior is to fall back to cached policy *(documented — FAQ)*; 
whether a total evaluation failure denies or defers to the host service's 
native ACLs is **unspecified here** *(inferred)*.
+
+---
+
+## §5a Build-time and configuration variants
+
+Ranger's security envelope is governed primarily by **runtime configuration**, 
not compile-time flags. The variants that change which properties hold:
+
+- **TLS on plugin↔Admin and UI↔Admin.** TLS is recommended in production, but 
**plaintext HTTP is the shipped and supported default** *(maintainer, 
2026-06-12 — §14 Q2)*. Because plaintext is a *supported* posture, a report 
that reduces to "traffic is unencrypted by default" is `BY-DESIGN` / 
operator-hardening, not `VALID`.
+- **Authentication mode for the Admin** (Kerberos/SPNEGO, LDAP/AD, Unix, PAM, 
Knox SSO, header/JWT, or internal DB) *(maintainer, 2026-06-12 — §14 Q7)*. 
Ranger seeds accounts (`admin`, `rangerusersync`, `rangertagsync`, `keyadmin`) 
at bootstrap, but **the installer mandates an explicit, complexity-checked 
password on fresh install** — a seeded/default password is **not** a supported 
production posture *(maintainer, 2026-06-12 — §14 Q3)*.
+- **Audit destination** (Solr / HDFS / DB / log file / none). Disabling audit 
voids the §8 auditability property *(inferred)*.
+- **No-match behavior:** when Ranger is the ACL enforcer and no policy 
matches, the result is **deny** — **except the HDFS service**, where it falls 
through to the host's native ACLs *(maintainer, 2026-06-12 — §14 Q1/Q9)*.
+- **KMS key store** (DB-backed vs. HSM/KeySecure). Changes the confidentiality 
guarantee for key material *(inferred)*.
+
+For each knob whose default is the less-secure value, the PMC's ruling 
(supported production posture → reports are `VALID`; vs. dev-convenience 
requiring operator action → `OUT-OF-MODEL: non-default-build`) is recorded once 
confirmed. **No ruling exists yet.**
+
+---
+
+## §6 Assumptions about inputs
+
+Ranger is a network service, so the trust table is keyed by endpoint/message, 
not function. Header-presence and identity-assertion checks are the prime 
"false friends."
+
+| Endpoint / input | Parameter | Attacker-controllable? | Caller/operator must 
enforce |
+| --- | --- | --- | --- |
+| Plugin authorization call (in-process, from host service) | principal 
identity | no — asserted by host service auth *(inferred)* | host service must 
authenticate before calling |
+| Plugin authorization call | resource name, action | **yes** — derived from 
untrusted user request *(inferred)* | plugin must evaluate policy correctly 
against arbitrary resource strings |
+| `GET /service/plugins/policies/download` (policy pull) | requesting plugin 
identity | no — must be authenticated plugin *(inferred)* | mutual auth between 
plugin and Admin |
+| `POST/PUT /public/v2/api/policy` *(documented — API docs)* | policy body | 
no — trusted admin only *(inferred)* | endpoint must require admin authz; never 
expose unauthenticated |
+| `/service/xusers/users`, `/groups`, `/roleassignments` *(documented — API 
docs)* | user/group/role data | partly — usersync feeds it from LDAP/AD 
*(inferred)* | trust in the identity source; admin authz on the endpoint |
+| `/service/assets/accessAudit`, `/xaudit/...` *(documented — API docs)* | 
audit query params | depends on who can reach it | restrict audit read to 
authorized roles |
+| Ranger KMS `/keys/key`, `/keys/keys` *(documented — API docs)* | key name, 
key ops | by an authenticated KMS client *(inferred)* | KMS must authorize each 
key operation against policy |
+| Usersync input | LDAP/AD/Unix records | as trusted as the identity source 
*(inferred)* | secure + authenticate the directory connection |
+| Tagsync input | tags from Atlas/Kafka | as trusted as the tag source 
*(inferred)* | secure the tag source channel |
+
+**Size/shape/rate.** Policy documents downloaded by plugins, audit batches, 
and REST payload sizes are assumed bounded by normal operation; explicit limits 
are unconfirmed *(inferred)*.
+
+---
+
+## §7 Adversary model
+
+**In-scope adversaries (hypothesized — all to be confirmed):**
+
+- **An end user of a guarded data service** attempting to access data they are 
not authorized for, by manipulating the resource/action they request, 
exploiting policy-evaluation edge cases (resource-name matching, 
wildcard/recursion handling, case sensitivity, tag-vs-resource precedence), or 
attempting privilege escalation through Ranger's own access paths *(inferred)*.
+- **A network peer on the cluster network** attempting to reach the Admin REST 
API or the policy-download endpoint without proper authentication, or to 
impersonate the Admin to a plugin / a plugin to the Admin *(inferred)*.
+- **A low-privilege or delegated administrator** attempting to exceed their 
delegated scope — author policy outside their delegation, escalate their own 
role, or read audits/keys they should not *(inferred)*.
+- **A malicious identity/tag source, or someone able to inject into 
usersync/tagsync inputs**, attempting to forge group/role membership and 
thereby gain policy grants *(inferred)*.
+- **A KMS client** attempting to obtain key material for keys it is not 
authorized to use *(inferred)*.
+
+**Attacker capabilities assumed.** Send arbitrary access requests to guarded 
services; reach Admin/KMS network endpoints; observe network traffic if 
transport is unprotected; supply arbitrary resource strings and policy/identity 
data at the boundaries marked attacker-controllable in §6 *(inferred)*.
+
+**Explicitly out of scope (hypothesized):**
+- **An attacker with code execution on a node running a plugin.** They are 
inside the PEP's own process/host and can bypass enforcement locally; Ranger 
cannot defend a PEP against its own compromised host *(inferred)*.
+- **A fully-trusted security administrator acting maliciously.** The top-level 
admin is the root of authority for the Ranger instance; the model does not 
defend the guarded data against a malicious omnipotent admin (delegated admins 
overreaching *is* in scope) *(inferred)*.
+- **Compromise of the backing database, audit store, or key store directly** 
(bypassing Ranger) — that is the store's own trust boundary *(inferred)*.
+- **Side-channel / timing adversaries** against the policy engine or KMS 
*(maintainer, 2026-06-12 — §14 Q19: out of scope)*.
+
+**Authenticated-but-Byzantine participant.** Ranger is a distributed PDP/PEP 
system: a plugin holds a legitimate service identity and could, if its host is 
compromised, behave arbitrarily (return wrong decisions, withhold audit). 
**Ranger treats every PEP as fully trusted once authenticated and makes no 
cross-node integrity claim** — complete plugin trust is a deliberate design 
choice that keeps runtime overhead low *(maintainer, 2026-06-12 — §14 Q8)*.
+
+---
+
+## §8 Security properties the project provides
+
+*(All entries below are hypothesized for the PMC to confirm; none are 
maintainer-ratified yet.)*
+
+1. **Authorization decisions reflect the authored policy.** Given 
correctly-distributed policy and a correctly-authenticated principal, a 
plugin's allow/deny matches what the central policy specifies for that 
(principal, resource, action). *Violation symptom:* a user is granted access 
the policy denies (or denied access the policy grants) — i.e., a 
policy-evaluation/matching bug. *Severity:* security-critical — **an existing 
deny-policy (or the absence of any grant) that nonetheless yiel [...]
+
+2. **Centralized policy is faithfully distributed to enforcement points.** 
Policy authored in Admin is delivered to plugins via the periodic pull and 
applied; plugins fall back to last-cached policy when Admin is unreachable 
rather than failing open arbitrarily. *Violation symptom:* a plugin enforces 
stale or wrong policy in a way that grants access the current policy denies; or 
distribution lets an attacker substitute policy. *Severity:* security-critical. 
*(documented in part — FAQ on  [...]
+
+3. **Administrative actions are access-controlled.** Authoring/modifying 
policy, managing users/roles, and reading audits via the REST API and UI 
require appropriate authenticated, authorized identity; delegated admins are 
confined to their delegated scope. *Violation symptom:* an unauthenticated or 
under-privileged actor authors/reads policy, escalates a role, or reads 
audit/keys. *Severity:* security-critical. *(documented in part — delegation in 
FAQ; enforcement details inferred)*
+
+4. **Access decisions are audited.** Allow/deny decisions and administrative 
actions are recorded to the configured audit sink. *Violation symptom:* an 
in-scope access produces no audit record, or audit can be silently 
suppressed/forged by a non-admin. *Severity:* security-relevant — **a non-admin 
able to tamper or forge audit records IS a security finding** *(maintainer, 
2026-06-12 — §14 Q14)*; missed records alone are correctness-grade. 
*(documented — ranger.apache.org: "Centralize aud [...]
+
+5. **KMS authorizes key access per policy.** Ranger KMS releases key material 
only to clients authorized by key-access policy. *Violation symptom:* 
unauthorized key retrieval / decryption capability. *Severity:* 
security-critical — **the key is the KMS-policy resource; unauthorized key 
retrieval is CVE-class `VALID`** *(maintainer, 2026-06-12 — §14 Q13)*.
+
+6. **Policy evaluation is bounded and thread-safe.** Each authorization call 
terminates promptly and concurrent evaluation during a policy refresh does not 
corrupt decisions. *Violation symptom:* hang/CPU exhaustion inside the host 
service on crafted resource input, or a race producing a wrong decision. 
*Severity:* the engine is bounded and thread-safe *(maintainer, 2026-06-12 — 
§14 Q12)*. **Super-linear evaluation cost in policy size or resource-string 
length is NOT a bug**; a **hang in [...]
+
+---
+
+## §9 Security properties the project does *not* provide
+
+*(Hypothesized; confirm/correct.)*
+
+- **No authentication of end users.** Ranger authorizes an 
already-authenticated principal; it does not establish identity. A 
forged/spoofed principal accepted by the host service's authentication layer is 
the host service's / cluster Kerberos's problem, not Ranger's *(inferred)*.
+- **No protection against a malicious top-level administrator.** The admin is 
the root of trust for the instance *(inferred)*.
+- **No defense of a plugin against its own compromised host.** A PEP running 
in a compromised data-service process can be bypassed locally *(inferred)*.
+- **No transport security by default.** Plaintext HTTP is the supported 
default *(maintainer, 2026-06-12 — §14 Q2)*; Ranger supports TLS but does not 
enforce it at the protocol layer. Plaintext deployment exposes policy and audit 
in transit.
+- **No guarantee about the guarded service's own attack surface.** Ranger only 
renders authorization decisions *(inferred)*.
+
+**False friends (highest-value warnings — confirm):**
+- **A Ranger "deny" is not a sandbox.** Enforcement depends on the host 
service actually calling the plugin for every access path. A code path in the 
guarded service that does not consult the plugin is not protected by Ranger 
*(inferred)*.
+- **Cached policy is availability, not authority.** The "works when Admin is 
down" cache *(documented — FAQ)* means a plugin can enforce *stale* policy: a 
just-revoked grant may persist until the next successful pull. Operators must 
not treat revocation as instantaneous — the propagation delay is **by design** 
*(maintainer, 2026-06-12 — §14 Q15)*.
+- **Audit is a record, not a control.** An audit entry does not prevent 
access; it documents it. Absence of an audit record is not proof access was 
blocked *(inferred)*.
+- **Tag-based policy depends on the freshness/integrity of tagsync.** A policy 
keyed on a classification tag is only as trustworthy as the tag feed from Atlas 
*(inferred)*.
+
+**Well-known attack classes left to the integrator/operator:**
+- Policy substitution / MITM on the plugin↔Admin channel if transport is 
unprotected *(inferred)*.
+- Identity/group spoofing upstream of Ranger (forged Kerberos/LDAP membership) 
*(inferred)*.
+- Resource-name canonicalization mismatches between the host service and the 
policy engine (path normalization, case, wildcards) leading to bypass 
*(inferred)*.
+- Audit-store injection (e.g., log/Solr injection via crafted resource names) 
*(inferred)*.
+
+---
+
+## §10 Downstream responsibilities
+
+For Ranger the "downstream user" is the **cluster operator** who deploys Admin 
+ plugins. To keep §5–§7 assumptions valid, the operator must (hypothesized — 
confirm):
+
+- Deploy plugins only on trusted, administered cluster nodes inside the trust 
boundary; never expose the Admin REST API or policy-download endpoint to 
untrusted networks *(inferred)*.
+- Enable and require TLS on UI↔Admin and plugin↔Admin channels, and mutual 
authentication so a plugin cannot be impersonated and policy cannot be MITM'd 
*(inferred)*.
+- Configure and verify the upstream authentication layer (Kerberos) so the 
principal identities Ranger authorizes are genuine *(inferred)*.
+- Rotate/secure any shipped default administrative credential before exposing 
the Admin *(inferred)*.
+- Confirm the no-match default behavior (deny vs. fall-through to native ACLs) 
matches the intended posture for each service *(inferred)*.
+- Secure the backing DB, audit sinks (Solr/HDFS), and KMS key store 
independently — Ranger trusts them *(inferred)*.
+- Constrain delegated administrators' scope deliberately *(inferred)*.
+- Understand that revocation propagates only at the policy-pull interval; size 
that interval to the data's sensitivity *(inferred)*.
+
+---
+
+## §11 Known misuse patterns
+
+*(Hypothesized — confirm/expand.)*
+
+- **Exposing the Admin REST API to an untrusted network.** Anyone reaching 
policy-write endpoints can grant themselves access to all guarded data 
*(inferred)*.
+- **Running plugin↔Admin in plaintext** on a shared network, allowing policy 
interception or substitution *(inferred)*.
+- **Treating Ranger as the sole gate while leaving a non-Ranger-consulting 
access path open** in the guarded service *(inferred)*.
+- **Assuming instant revocation** rather than accounting for the pull interval 
and cache *(inferred)*.
+- **Trusting tag-based policy without securing the tag source** 
(Atlas/tagsync) *(inferred)*.
+- **Leaving the default admin account credentials in place** *(inferred)*.
+- **Disabling audit and then relying on it for compliance evidence** 
*(inferred)*.
+
+---
+
+## §11a Known non-findings (recurring false positives)
+
+*(To be populated by the PMC from real scanner/report history — this is a 
high-value section the team cannot fill from public sources alone.)*
+
+Provisional candidates *(inferred)*:
+- Reports against build/install/migration tooling or the ugsync utilities 
(`filesourceusersynctool`, `ldapconfigchecktool`) — out of scope per §3. 
*(Note: `ranger-examples/` and `ranger-tools/` are **in** scope per the PMC — 
do not file them as non-findings.)*
+- "Plugin runs with the host service's privileges" — by design; the PEP is 
co-located inside the guarded service (§4). Not a privilege-escalation finding 
on its own.
+- "Plugin serves stale policy when Admin is down" — documented availability 
behavior (§8 #2, FAQ), not a bug.
+- "HTTP listener on 6080 / plaintext by default" flagged by a config scanner — 
plaintext is the supported default (§5a, §9), so this is `BY-DESIGN` / 
operator-hardening, not a code vulnerability *(maintainer, 2026-06-12 — §14 
Q2)*.
+- **Resource-name canonicalization mismatch** between the host service and the 
policy engine — a **shared responsibility** with the host service, not a 
Ranger-only defect *(maintainer, 2026-06-12 — §14 Q17)*.
+
+**Correction (do NOT wave off):** a "default/seeded admin password" finding is 
**not** a non-finding — the installer mandates a complexity-checked password on 
fresh install, so a seeded/default password is not a supported posture (§5a) 
*(maintainer, 2026-06-12 — §14 Q3/Q18)*.
+
+---
+
+## §12 Conditions that would change this model
+
+- A new plugin family or a new guarded service with a different trust profile.
+- A change to the policy-distribution mechanism (e.g., push instead of pull, 
or a new transport).
+- A change in the no-match default behavior or in the fail-open/fail-safe 
posture.
+- A new authentication mode for Admin or plugins.
+- Promotion of anything currently in `ranger-examples/` into core.
+- A change to KMS key-store options or key-release authorization.
+- **A vulnerability report that cannot be routed to a single §13 disposition** 
— this signals a model gap; revise §8/§9 rather than making an ad-hoc call.
+
+---
+
+## §13 Triage dispositions
+
+| Disposition | Meaning | Licensed by |
+| --- | --- | --- |
+| `VALID` | Violates a claimed property (e.g., authorization bypass via 
policy-eval bug, unauthenticated policy write) by an in-scope adversary/input. 
| §8, §6, §7 |
+| `VALID-HARDENING` | No §8 property broken, but Ranger elects to harden an 
easy misuse (e.g., tighten a default). Reported privately; CVE at maintainer 
discretion. | §11 |
+| `OUT-OF-MODEL: trusted-input` | Requires control of an input the model marks 
trusted (e.g., the authenticated principal identity, or directly-tampered 
DB/key store). | §6 |
+| `OUT-OF-MODEL: adversary-not-in-scope` | Requires an excluded capability 
(code execution on a plugin host; malicious top-level admin; side channel). | 
§7 |
+| `OUT-OF-MODEL: unsupported-component` | Lands in `ranger-examples/` or 
build/install/migration tooling. | §3 |
+| `OUT-OF-MODEL: non-default-build` | Only manifests under a 
discouraged/non-default config knob. | §5a |
+| `BY-DESIGN: property-disclaimed` | Concerns a property §9 explicitly 
disclaims (no end-user auth, no transport security by default, stale-policy 
window, etc.). | §9 |
+| `KNOWN-NON-FINDING` | Matches a documented recurring false positive. | §11a |
+| `MODEL-GAP` | Cannot be cleanly routed — triggers a model revision. | §12 |
+
+---
+
+## §14 Open questions — RESOLVED by the Ranger PMC (2026-06-12)
+
+The Apache Ranger PMC (**Abhishek Kumar, `@kumaab`**) reviewed this model on 
[apache/ranger#994](https://github.com/apache/ranger/pull/994) and answered all 
20 open questions on **2026-06-12**. The answers are recorded below and folded 
into §1–§13; confirmed claims are promoted to *(maintainer, 2026-06-12)*. 
Abhishek volunteered to own ongoing revision (Q20).
+
+**Wave 1 — scope & defaults**
+1. **No-match default:** when Ranger is the ACL enforcer the result is 
**deny**, **except HDFS**, where it falls through to the host's native ACLs.
+2. **Transport security default:** TLS is recommended in production; 
**plaintext HTTP is the shipped/supported default**.
+3. **Default admin credential:** Ranger seeds accounts (`admin`, 
`rangerusersync`, `rangertagsync`, `keyadmin`) as install-bootstrap values, but 
the standard installer **requires an explicit, complexity-checked password on 
fresh install** (changeable any time via UI/REST). **A seeded/default password 
is not a supported production posture.**
+4. **Scope:** **`ranger-examples` and `ranger-tools` are IN scope.** Out of 
model: `migration-util` and the ugsync utilities (`filesourceusersynctool`, 
`ldapconfigchecktool`).
+5. **Caller roles:** the breakdown is correct; **add an Auditor role** (view 
policies + audits, no writes) and a **Key Admin role** (KMS only).
+
+**Wave 2 — trust & authentication**
+6. **Plugin↔Admin auth:** plugins and the PDP service (a *separate process*, 
not a plugin) authenticate via **Kerberos, JWT, or header-based auth with a 
trusted proxy** to download policy.
+7. **End-user identity:** Ranger Admin authenticates **management/UI users** 
(LDAP, AD, Unix, PAM, Kerberos/SPNEGO, Knox SSO, header, JWT, internal DB). At 
**data-access time Ranger does not authenticate the end user** — the host 
service authenticates the principal and the PEP hands Ranger an 
already-authenticated principal.
+8. **Byzantine plugin:** **full trust once authenticated** — a deliberate 
design choice that keeps runtime overhead low; **Ranger makes no cross-node 
integrity claim**.
+9. **Fail mode:** if a plugin can neither evaluate fresh nor cached policy it 
**denies** — except the HDFS plugin, which can fall through to native ACLs.
+10. **REST endpoint matrix:** three buckets — (1) **public** (login/static, 
`/service/actuator/health`, `/service/metrics/**`); (2) **plugin/PEP identity** 
(policy/tag/role/user/GDS download + grant/revoke — `security="none"` at Spring 
but app-layer authenticated by service client-cert or SPNEGO, with 
`secure/...download` variants requiring a user in 
`policy.download.auth.users`); (3) **authenticated admin/user** (everything 
else: policy/service/user/role/zone/audit CRUD, plugin info, KM [...]
+
+**Wave 3 — properties, resources, KMS**
+11. **Authorization-bypass severity:** an existing deny-policy (or absence of 
a grant) that nonetheless yields access is **CVE-class `VALID`**.
+12. **Resource / DoS line:** "policy evaluation is bounded and thread-safe" is 
correct; **super-linear evaluation cost is NOT a bug**; a **hang inside the 
host service could be** a security issue; whether *no* resource guarantee is 
made is **left for later ratification**.
+13. **KMS authorization:** the key is the KMS-policy resource; **unauthorized 
key retrieval is CVE-class `VALID`**.
+14. **Audit integrity:** a non-admin able to **tamper audit records IS a 
security finding**.
+15. **Stale-policy window:** revocation-propagation delay (pull interval + 
cache) is **by design**.
+
+**Wave 4 — misuse, non-findings, ownership**
+16. **Tagsync/usersync trust:** confirmed — policy is only as trustworthy as 
the tag/identity source; upstream injection is out of model.
+17. **Resource canonicalization:** resource names must map correctly between 
service and policy — a **shared responsibility** with the host service.
+18. **Known non-findings:** the §11a list is a good starting point and can 
evolve; **one correction — admin password is mandated at installation, so an 
insecure default password is NOT a supported posture** (folded into §5a/§11a).
+19. **Side channels / co-tenancy:** **out of scope.**
+20. **Ownership:** yes — this becomes the canonical Ranger security model; 
**Abhishek Kumar volunteers to own its revision.**
+
+*Remaining genuinely-open item:* whether Ranger makes **no resource guarantee 
at all** (§8 #6) — the PMC deferred this for later ratification.


Reply via email to