potiuk opened a new pull request, #68: URL: https://github.com/apache/kudu/pull/68
**This is a v0 draft proposal for the Kudu PMC to review — please correct, reject, or discuss as needed.** The maintainer is the decision-maker; nothing here is a requirement. The threat model does not need to be "finished" for anything downstream — it just makes automated security review (and triage of inbound reports) far less noisy.

**Context.** The ASF Security team is preparing the project for an automated agentic security scan we're piloting. Those scans run against a threat model that tells the scanner what's in scope, what's by-design, and what counts as a real finding — without one, the output buries maintainers in noise. This PR proposes the discoverable model plus the wiring the scanner needs.

**What's in this PR (all new files):**

- **`THREAT_MODEL.md`** — a v0 security threat model written from Kudu's public docs + codebase, following the [threat-model-producer rubric](https://gist.github.com/potiuk/da14a826283038ddfe38cc9fe6310573). Every claim carries a provenance tag: *(documented)* (from your docs/site) or *(inferred)* (our guess, for you to confirm / correct / strike). Draft confidence ~17 documented / 23 inferred.
- **`SECURITY.md`** — disclosure pointer + link to the threat model.
- **`AGENTS.md`** — entry point wiring the `AGENTS.md → SECURITY.md → THREAT_MODEL.md` chain for automated tooling.

**The framing to sanity-check first:** Kudu's security controls are largely **optional and off by default** (`--rpc_authentication` / `--rpc_encryption` default to `optional`, the user ACL defaults to `*`), and Kudu assumes a trusted cluster network. So the model treats those as the operator's posture choice rather than defects — the interesting in-scope cases are auth bypass on a hardened (`required`) cluster, exceeding an ACL/Ranger grant, and Raft safety within the fault bound.

**What we'd need from the PMC:**

1. **§14 wave 1 (the important one):** rule on the insecure defaults — are optional auth/encryption and ACL `*` the *supported production posture* (a report against them is `VALID`), or defaults operators are expected to change (`OUT-OF-MODEL: non-default-build`)? This reshapes the whole model.
2. Walk the §14 questions (waves 1–3) — a one-line confirm / correct / strike per question is enough; each *(inferred)* tag becomes *(maintainer)* as you answer.

If you'd rather own the drafting yourselves, close the PR and we'll wait — entirely your call.
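
For operators who want to know which side of the "insecure defaults" question their own cluster sits on, the following is an added example (not part of the pull request or of Kudu's code) that audits a gflagfile for the three settings named above. The default values are the ones stated in the PR text; the flag name `--user_acl`, the sample flag files, and the function names are assumptions made for this illustration.

```python
# Added example: report which of the defaults named in the PR text a Kudu
# gflagfile leaves in place. Flag files below are constructed samples.

# Defaults as stated in the PR description; --user_acl is the assumed flag name.
DEFAULTS = {"rpc_authentication": "optional", "rpc_encryption": "optional", "user_acl": "*"}
# The "hardened" posture the PR refers to.
HARDENED = {"rpc_authentication": "required", "rpc_encryption": "required"}

def parse_gflagfile(text):
    """Return {flag: value} from gflags-style lines (--flag=value); last one wins."""
    flags = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        name, sep, value = line.lstrip("-").partition("=")
        flags[name] = value.strip() if sep else "true"  # bare flag means boolean true
    return flags

def audit(text):
    """Return (effective_settings, findings) for the three security-relevant flags."""
    given = {k: v for k, v in parse_gflagfile(text).items() if k in DEFAULTS}
    effective = {**DEFAULTS, **given}  # unset flags fall back to the defaults
    findings = []
    for flag, want in HARDENED.items():
        if effective[flag] != want:
            findings.append(f"--{flag}={effective[flag]} (hardened value: {want})")
    if effective["user_acl"] == "*":
        findings.append("--user_acl=* (every user is admitted)")
    return effective, findings

# Constructed sample: no security flags set, so every default applies.
DEFAULT_CLUSTER = "# tserver flags\n--fs_wal_dir=/data/wal\n"
# Constructed sample: authentication, encryption and the ACL all tightened.
HARDENED_CLUSTER = """--rpc_authentication=required
--rpc_encryption=required
--user_acl=etl,analyst
"""

if __name__ == "__main__":
    for label, sample in (("default", DEFAULT_CLUSTER), ("hardened", HARDENED_CLUSTER)):
        _, findings = audit(sample)
        print(label, "->", findings or "no defaults left in place")
```
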
