potiuk commented on PR #6535:
URL: https://github.com/apache/hive/pull/6535#issuecomment-4725113477
Thanks `okumin` — this is exactly the kind of detail that makes the model
useful. Folded your review in and pushed (THREAT_MODEL.md, +75/-23):
- **Direct Metastore access (your L186):** added as in-scope adversary §3.3
— HMS enforces caller authorization at the application level (since Spark and
similar talk to it directly), and §4 now frames network isolation as
defense-in-depth rather than the primary control. Correspondingly flipped the
§11a "Metastore Thrift port has no authorization" entry from out-of-scope to
**VALID/in-model**.
- **UDF / SerDe / TRANSFORM (your L190):** folded the whole breakdown into
§7, with the config levers in §8 — built-in code-exec UDFs (reflect, reflect2,
java_method, in_file) blocked via `hive.server2.builtin.udf.blacklist`; custom
UDF/SerDe/InputFormat/OutputFormat as admin-trusted jar installs; TRANSFORM
disabled via `DisallowTransformHook` in `hive.exec.pre.hooks`. Added a §11a
non-finding for the built-in-UDF case. (Your gist was very helpful — thanks for
the link.)
I've left these as "PMC reviewing" in §14 pending your follow-up, so
nothing's prematurely locked:
- **doAs (L203):** I noted `hive.server2.enable.doAs=false` as the
expected posture but flagged it for the second-pair-of-eyes check you asked for.
- **Ranger-only authz (L209):** left §6/§9 open while you weigh whether to
treat Ranger as the only supported authorization system.
- **TLS params (L215):** §8 TLS lever left unnamed until you confirm the
exact Hive-side parameter names.
On your off-topic question — separate THREAT_MODEL.md for the Metastore: my
lean is to keep a single THREAT_MODEL.md but with clearly separated HS2 vs HMS
scope/boundary/property subsections, since it's one repo and one
discoverability chain (AGENTS.md -> SECURITY.md -> THREAT_MODEL.md) and the
triage dispositions are shared. If you'd rather split them, that works too —
we'd just point SECURITY.md at both files. Your call; happy to restructure
either way.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
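A configuration audit for the three HS2 levers named in the comment above, added here as an example; it is not part of the PR and not Hive's own code. It parses a hive-site.xml and reports which of doAs-off, the four code-execution built-ins on `hive.server2.builtin.udf.blacklist`, and `DisallowTransformHook` in `hive.exec.pre.hooks` is absent or weak. Both sample documents are constructed. The `PACKAGE.` prefix on the hook class in the hardened sample is a placeholder, since the comment gives only the simple class name, and the audit matches on that simple name for the same reason. Treating an absent `hive.server2.enable.doAs` as true reflects Hive's actual default.

```python
"""Audit a hive-site.xml for the HS2 hardening levers discussed in the
comment above. Added example; not Hive's own code."""
import xml.etree.ElementTree as ET

# The four built-ins the comment says to block via the blacklist.
CODE_EXEC_UDFS = {"reflect", "reflect2", "java_method", "in_file"}
# Only the simple class name is given in the comment, so match on that.
TRANSFORM_HOOK = "DisallowTransformHook"

# Constructed sample: the permissive posture (doAs on, blacklist empty,
# no pre-hook at all). Absent properties fall back to the defaults below.
WEAK_SITE = """<configuration>
  <property><name>hive.server2.enable.doAs</name><value>true</value></property>
  <property><name>hive.server2.builtin.udf.blacklist</name><value></value></property>
</configuration>"""

# Constructed sample: the posture the comment describes. "PACKAGE." is a
# placeholder for the hook's real package, which the comment does not state.
HARDENED_SITE = """<configuration>
  <property><name>hive.server2.enable.doAs</name><value>false</value></property>
  <property>
    <name>hive.server2.builtin.udf.blacklist</name>
    <value>reflect,reflect2,java_method,in_file</value>
  </property>
  <property>
    <name>hive.exec.pre.hooks</name>
    <value>com.example.AuditHook, PACKAGE.DisallowTransformHook</value>
  </property>
</configuration>"""


def parse_hive_site(xml_text):
    """Return {property name: value} from a <configuration> document."""
    props = {}
    for prop in ET.fromstring(xml_text).findall("property"):
        name = prop.findtext("name")
        if name:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def _csv(value):
    """Split a comma-separated Hive value, dropping blanks and whitespace."""
    return [item.strip() for item in value.split(",") if item.strip()]


def audit(props):
    """Return [(property, finding)] for each lever that is absent or weak;
    an empty list means all three levers are set as the comment expects."""
    findings = []

    # Hive's default for doAs is true, so an absent property is a finding.
    doas = props.get("hive.server2.enable.doAs", "true").lower()
    if doas != "false":
        findings.append(("hive.server2.enable.doAs",
                         "is %s, expected false" % doas))

    # Hive function names are case-insensitive, so compare lowercased.
    blocked = {u.lower() for u in
               _csv(props.get("hive.server2.builtin.udf.blacklist", ""))}
    missing = sorted(CODE_EXEC_UDFS - blocked)
    if missing:
        findings.append(("hive.server2.builtin.udf.blacklist",
                         "does not block: " + ", ".join(missing)))

    # Hook entries are fully qualified class names; compare the last segment.
    hooks = _csv(props.get("hive.exec.pre.hooks", ""))
    if not any(h.rsplit(".", 1)[-1] == TRANSFORM_HOOK for h in hooks):
        findings.append(("hive.exec.pre.hooks",
                         "%s not registered, TRANSFORM allowed" % TRANSFORM_HOOK))
    return findings


if __name__ == "__main__":
    for label, site in (("weak", WEAK_SITE), ("hardened", HARDENED_SITE)):
        result = audit(parse_hive_site(site))
        print(label, "OK" if not result else "")
        for key, msg in result:
            print("  %s: %s" % (key, msg))
```

Run it against a real hive-site.xml by swapping the constructed strings for the file contents. Two caveats worth keeping in mind when reading the output: the blacklist only governs built-ins, so custom UDF/SerDe/InputFormat jars remain an admin-trust question as the comment frames them, and Hive also offers `hive.server2.builtin.udf.whitelist`, an allowlist that is the stricter alternative when a deployment can enumerate the built-ins it actually needs.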