sungwy commented on code in PR #16538: URL: https://github.com/apache/iceberg/pull/16538#discussion_r3314526462
########## SECURITY-THREAT-MODEL.md: ########## @@ -0,0 +1,260 @@ +<!-- + Licensed to the Apache Software Foundation (ASF) under one + or more contributor license agreements. See the NOTICE file + distributed with this work for additional information + regarding copyright ownership. The ASF licenses this file + to you under the Apache License, Version 2.0 (the + "License"); you may not use this file except in compliance + with the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, + software distributed under the License is distributed on an + "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY + KIND, either express or implied. See the License for the + specific language governing permissions and limitations + under the License. +--> + +# Apache Iceberg Security Threat Model + +This document describes Apache Iceberg's detailed security threat model for +maintainers and automated security triage. + +It complements the shorter public-facing security model in +[`site/docs/security.md`](site/docs/security.md) by making Iceberg's trust +assumptions, security boundaries, and recurring non-security bug classes more +explicit. + +## Purpose + +Apache Iceberg is often deployed as a library and integration layer inside +larger systems that provide their own authentication, authorization, and +credential management. Because of that deployment model, many bug classes that +look security-relevant in the abstract are not actually security +vulnerabilities in Iceberg itself. + +This model is intended to answer: + +- what Iceberg generally treats as a security vulnerability +- what Iceberg generally treats as correctness, hardening, or deployment work +- which boundaries are primarily owned by Iceberg versus the surrounding + catalog, engine, or service +- which issue classes should be downgraded by default by scanners + +## Scope + +This model is scoped to the Apache Iceberg project itself: + +- the table format implementation +- client libraries +- engine integrations +- catalog-related components shipped in the Iceberg repository + +It is not a general threat model for every deployment that embeds Iceberg. + +In particular, it does not attempt to define the complete security model for: + +- query engines or applications that embed Iceberg +- storage-level authorization enforced outside Iceberg + +## Security Goals + +Iceberg should: + +- avoid exposing secrets or delegated credentials to principals that were not + already trusted with them +- avoid creating new unauthorized capabilities in Iceberg-owned components or + integrations +- avoid violating trust boundaries that Iceberg itself owns, such as leaking + signer, auth, or credential-bearing state across catalog or session + boundaries in the same process + +Iceberg does not aim to be the primary enforcement point for: + +- user-to-user authorization inside a query engine +- storage-level authorization +- service-side credential scoping performed by an external catalog + +## Roles + +### Operator + +The operator deploys and configures the catalog, metastore, REST service, +engine, and storage integration around Iceberg. This role is trusted to choose +endpoints, warehouses, and storage integrations, configure credentials, and +decide which users may create tables, read tables, or invoke maintenance +actions. + +### Catalog control plane + +The catalog control plane is responsible for resolving tables and supplying +metadata, locations, configuration, and delegated credentials to Iceberg. This +role may be implemented by a REST catalog server, a metastore-backed catalog, +or another catalog implementation. Regardless of how it is implemented, it +should not expose secrets to unintended principals or leak credential-bearing +state across unintended boundaries. + +Many reported issues assume a malicious catalog or metastore, which Iceberg Review Comment: agreed - adopted this suggestion -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
