potiuk commented on PR #6535: URL: https://github.com/apache/hive/pull/6535#issuecomment-4821872487
Thanks @okumin — this is exactly the maintainer input the §14 open questions were fishing for, and it sharpens the model a lot. How I'll fold it in:

**Answered questions → maintainer-ratified.** Your adversary model (untrusted SQL/metastore clients; MITM when TLS is enabled), trusted dependencies (Hadoop, metastore RDBMS, the authz provider, KDC), and trusted-admin-out-of-scope will move from *(inferred)* to *(maintainer)* in the next push.

**UDF / SerDe / TRANSFORM.** The built-in-UDF blacklist (`reflect`, `reflect2`, `java_method`, `in_file` via `hive.server2.builtin.udf.blacklist`), the custom-UDF / SerDe / InputFormat trust model, and the `TRANSFORM` prohibition via `DisallowTransformHook` are exactly the detail the "properties / downstream responsibilities" sections needed — I'll write them in close to as you stated them.

**Metastore direct access (line 186).** Agreed it belongs in scope — I'll add direct Hive Metastore access (e.g. from Spark) as an in-scope interface and cite your gist.

**On a separate `THREAT_MODEL.md` for the Metastore:** my suggestion is to keep one file but split it into clearly-labelled **HiveServer2** and **Hive Metastore** sections, each with its own scope / adversary / trust-boundary subsection — rather than two files. Automated scanners discover the model by following `AGENTS.md → SECURITY.md → THREAT_MODEL.md` per repo; since HS2 and the Metastore live in this one repo, a single well-sectioned file keeps that chain intact while still giving each component a distinct model. Happy to split into two files instead if the PMC prefers — your call.

**Still open (no rush), left as open questions pending your word:**

- `hive.server2.enable.doAs=false` under auth — you wanted a second pair of eyes; flagging for other reviewers here.
- Whether to treat Ranger as the only authorization system, or keep SQL-standard authz in the model too.
- The TLS parameters you're still checking.

I'll push the fold-in and re-request your review. Thanks again.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at: [email protected]

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
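The comment above names two HiveServer2 hardening controls that a deployment can silently lack: the built-in-UDF blacklist (`hive.server2.builtin.udf.blacklist` covering `reflect`, `reflect2`, `java_method` and `in_file`) and the `TRANSFORM` prohibition via `DisallowTransformHook`. The script below is an added example, not code from the PR or from the Hive project, that audits a `hive-site.xml` for both. It assumes the hook is registered through `hive.semantic.analyzer.hook` and matches on the class's simple name rather than a hard-coded package; the two `hive-site.xml` documents it checks are constructed inline (a weak one that blacklists only `reflect`, and a hardened one).

```python
import xml.etree.ElementTree as ET

# Built-in UDFs named in the PR discussion as belonging on the blacklist.
RISKY_BUILTIN_UDFS = {"reflect", "reflect2", "java_method", "in_file"}

BLACKLIST_KEY = "hive.server2.builtin.udf.blacklist"
# Assumption: DisallowTransformHook is wired in via the semantic-analyzer
# hook property; we match on the simple class name only.
SEMANTIC_HOOK_KEY = "hive.semantic.analyzer.hook"
TRANSFORM_HOOK = "DisallowTransformHook"


def parse_hive_site(xml_text):
    """Return {property name: value} from a hive-site.xml document."""
    root = ET.fromstring(xml_text)
    props = {}
    for prop in root.findall("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props


def split_list(value):
    """Split a comma-separated Hive property into a set of non-empty items."""
    return {item.strip() for item in value.split(",") if item.strip()}


def audit(props):
    """Return a list of findings; an empty list means both controls are present."""
    findings = []
    # UDF names are case-insensitive in Hive, so compare lower-cased.
    blacklisted = {u.lower() for u in split_list(props.get(BLACKLIST_KEY, ""))}
    missing = sorted(RISKY_BUILTIN_UDFS - blacklisted)
    if missing:
        findings.append(f"{BLACKLIST_KEY} does not cover: {', '.join(missing)}")
    hooks = split_list(props.get(SEMANTIC_HOOK_KEY, ""))
    if not any(h.endswith(TRANSFORM_HOOK) for h in hooks):
        findings.append(f"{TRANSFORM_HOOK} not registered in {SEMANTIC_HOOK_KEY}; TRANSFORM is allowed")
    return findings


def audit_hive_site(xml_text):
    return audit(parse_hive_site(xml_text))


# Constructed sample: blacklist is incomplete and no TRANSFORM hook is set.
WEAK_HIVE_SITE = """<?xml version="1.0"?>
<configuration>
  <property><name>hive.server2.builtin.udf.blacklist</name><value>reflect</value></property>
</configuration>
"""

# Constructed sample: all four UDFs blacklisted and the hook registered
# (the package prefix here is an assumption; only the simple name is checked).
HARDENED_HIVE_SITE = """<?xml version="1.0"?>
<configuration>
  <property>
    <name>hive.server2.builtin.udf.blacklist</name>
    <value>reflect,reflect2,java_method,in_file</value>
  </property>
  <property>
    <name>hive.semantic.analyzer.hook</name>
    <value>org.apache.hadoop.hive.ql.security.authorization.plugin.sqlstd.DisallowTransformHook</value>
  </property>
</configuration>
"""

if __name__ == "__main__":
    for label, doc in (("weak", WEAK_HIVE_SITE), ("hardened", HARDENED_HIVE_SITE)):
        print(f"[{label}]", audit_hive_site(doc) or "ok")
```

Point the script at a real `hive-site.xml` by reading the file into `audit_hive_site`; a non-empty result is the list of controls still missing. It deliberately does not check `hive.server2.enable.doAs`, since that question is left open in the thread above.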
