potiuk commented on PR #10483: URL: https://github.com/apache/ozone/pull/10483#issuecomment-4813973550
@jojochuang — thanks for the thorough review. All nine points are folded into `THREAT_MODEL.md` (commit 7ee8791b8) and I've resolved the threads. Summary:

**§5a — default-state baseline (the important one):**
- ACL checks off by default (`ozone.acl.enabled=false`); Native ACL is the default once enabled.
- Block tokens off by default (`hdds.block.token.enabled=false`).
- TDE (`hdds.grpc.tls.enabled`) and KMS optional, disabled by default.

These now answer Q-authz / Q-token / Q-tde and reset the "default build" baseline — a finding that assumes ACLs/tokens/TDE are on in a stock install is `OUT-OF-MODEL: non-default-build`.

**§3 — scope:**
- CSI driver out of scope (not production-ready); Recon in scope as part of the production cluster.
- Secure-mode S3 anonymous rejection made explicit, with the future S3 web-hosting opt-in-anonymous caveat noted.

**§7:** cross-referenced the ozone-site#397 checksum doc.

**§10 — operator hardening:**
- Protect OM/SCM/Recon RocksDB at rest (restrictive perms + ideally on-disk encryption).
- Isolate the KMS in a separate, firewalled network segment.
- Tracking a consolidated production secure-deployment checklist for the Ozone docs.

Shout if I've mis-stated anything — happy to iterate.
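One way to turn the §5a default-state baseline into a check, as an added example that is not part of the PR or the Ozone project: it parses a Hadoop-style `ozone-site.xml` (a constructed sample is embedded), merges it onto the defaults the comment lists, and classifies a finding as `OUT-OF-MODEL: non-default-build` when it assumes a control that is not enabled in that deployment. The `BASELINE` table, the function names and the sample XML are assumptions of this example, not project code.

```python
"""Audit an ozone-site.xml against the threat model's default-state baseline.

Added example, not Ozone project code. Assumes the three keys and the
off-by-default values named in the PR comment, and the Hadoop-style
<configuration><property><name/><value/></property> layout ozone-site.xml uses.
"""
import xml.etree.ElementTree as ET

# Security controls the threat model treats as disabled in a stock install:
# key -> (description as listed in the comment, stock default value)
BASELINE = {
    "ozone.acl.enabled": ("ACL checks (Native ACL once enabled)", "false"),
    "hdds.block.token.enabled": ("block tokens", "false"),
    "hdds.grpc.tls.enabled": ("TLS/TDE setting as listed in the comment", "false"),
}

# Constructed sample: an operator has switched on ACLs and block tokens only.
SAMPLE_SITE_XML = """<?xml version="1.0"?>
<configuration>
  <property><name>ozone.acl.enabled</name><value>true</value></property>
  <property><name>hdds.block.token.enabled</name><value>TRUE</value></property>
</configuration>
"""

def parse_site_xml(xml_text):
    """Return {property name: raw value} from a Hadoop-style configuration file."""
    props = {}
    for prop in ET.fromstring(xml_text).iter("property"):
        name = prop.findtext("name")
        if name is not None:
            props[name.strip()] = (prop.findtext("value") or "").strip()
    return props

def effective_settings(site_props=None):
    """Merge site overrides onto the stock defaults; unknown keys are ignored."""
    settings = {k: default for k, (_, default) in BASELINE.items()}
    for key, value in (site_props or {}).items():
        if key in settings:
            settings[key] = value.lower()
    return settings

def classify_finding(assumed_on, settings):
    """A finding is in-model only if every control it assumes is actually on."""
    missing = sorted(k for k in assumed_on if settings.get(k) != "true")
    if missing:
        return "OUT-OF-MODEL: non-default-build (assumes " + ", ".join(missing) + ")"
    return "IN-MODEL"

def hardening_report(settings):
    """Controls still at their disabled default, for the operator checklist."""
    return [f"{k}={v}: {BASELINE[k][0]} disabled"
            for k, v in settings.items() if v != "true"]
```

Run `classify_finding` against `effective_settings()` with no overrides to reproduce the stock-install rule from the comment, and against a parsed site file to evaluate a real deployment.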
