potiuk commented on PR #6535: URL: https://github.com/apache/hive/pull/6535#issuecomment-4763096195
Thanks @okumin — really useful detail. Your answers are folded into `THREAT_MODEL.md`:

- **Direct Metastore access (Q1)** — now in-scope: §3.3 + §4 state HMS enforces caller authorization at the **application level** (since Spark et al. talk to it directly), and §11a flips "Metastore Thrift port has no authz" to **VALID** rather than out-of-scope.
- **UDF / SerDe / TRANSFORM (Q2)** — captured your full breakdown in §7/§8/§11a: the insecure built-ins (`reflect`, `reflect2`, `java_method`, `in_file`) blocked via `hive.server2.builtin.udf.blacklist` (Ranger configures it); custom UDFs/SerDes/InputFormats as admin-trusted code; `TRANSFORM` prohibited via `DisallowTransformHook` in `hive.exec.pre.hooks`.
- **`doAs` (Q7)** — recorded your expectation that `hive.server2.enable.doAs=false` is the intended posture (HS2 enforces policy itself), flagged as **pending a second PMC member's double-check** before we finalize §4/§8.
- **Metastore protection / Ranger-only (Q9)** — app-level (not network-level) folded in; "accept only Ranger as the authz system?" left open since you're still considering it.
- **TLS params (Q12)** — left the §8 TLS lever unnamed pending the exact Hive-side parameter names you're checking.

On your **off-topic question** — splitting HS2 and HMS into separate threat models: I think that's a good idea given they have genuinely different security models and parameters, and it also reads cleaner for the scan agent. I've noted it as §14 Q15; happy to split this into `THREAT_MODEL.md` (HS2) + a dedicated HMS model on your nod.

No rush on the rest of your review — ping me when you've worked through the remaining points and I'll fold them in one pass.

-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
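Added example, not part of the PR or the Hive project: a small audit script that checks a `hive-site.xml` against the HS2 posture the comment records (the four insecure built-ins in `hive.server2.builtin.udf.blacklist`, `DisallowTransformHook` in `hive.exec.pre.hooks`, and `hive.server2.enable.doAs=false`, the last still pending confirmation in the thread). The two sample configs are constructed, and the package path used for `DisallowTransformHook` is an assumption; only the class name appears in the comment.

```python
import xml.etree.ElementTree as ET

# Built-ins the comment names as insecure (reflection / reading local files).
INSECURE_UDFS = {"reflect", "reflect2", "java_method", "in_file"}

# Constructed sample configs, not taken from any real deployment.
WEAK_HIVE_SITE = """<configuration>
  <property><name>hive.server2.builtin.udf.blacklist</name><value>reflect</value></property>
  <property><name>hive.server2.enable.doAs</name><value>true</value></property>
</configuration>"""

# Package path for DisallowTransformHook is assumed; the comment gives only the class name.
HARDENED_HIVE_SITE = """<configuration>
  <property><name>hive.server2.builtin.udf.blacklist</name>
    <value>reflect,reflect2,java_method,in_file</value></property>
  <property><name>hive.server2.enable.doAs</name><value>false</value></property>
  <property><name>hive.exec.pre.hooks</name>
    <value>org.apache.hadoop.hive.ql.hooks.DisallowTransformHook</value></property>
</configuration>"""

def parse_hive_site(xml_text):
    """Return {name: value} from a hive-site.xml style <configuration> document."""
    props = {}
    for prop in ET.fromstring(xml_text).findall("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props

def _csv_set(value):
    return {v.strip() for v in value.split(",") if v.strip()}

def audit_hs2_config(props):
    """Compare a parsed config with the posture in the comment; [] means no gaps."""
    findings = []
    missing = sorted(INSECURE_UDFS - _csv_set(props.get("hive.server2.builtin.udf.blacklist", "")))
    if missing:
        findings.append("udf blacklist missing: " + ", ".join(missing))
    hooks = _csv_set(props.get("hive.exec.pre.hooks", ""))
    if not any(h.endswith("DisallowTransformHook") for h in hooks):
        findings.append("TRANSFORM not prohibited: no DisallowTransformHook in hive.exec.pre.hooks")
    # Hive defaults doAs to true when the property is absent.
    do_as = props.get("hive.server2.enable.doAs", "true").lower()
    if do_as != "false":
        findings.append("hive.server2.enable.doAs=%s; expected false (HS2 enforces policy itself)" % do_as)
    return findings

if __name__ == "__main__":
    for label, xml_text in (("weak", WEAK_HIVE_SITE), ("hardened", HARDENED_HIVE_SITE)):
        print(label, audit_hs2_config(parse_hive_site(xml_text)) or ["ok"])
```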
