clolov commented on code in PR #22431:
URL: https://github.com/apache/kafka/pull/22431#discussion_r3333875041


##########
THREAT_MODEL.md:
##########
@@ -0,0 +1,280 @@
+<!--
+SPDX-License-Identifier: Apache-2.0
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    https://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+-->
+
+# Threat Model — Apache Kafka
+
+## §1 Header
+
+- **Project:** Apache Kafka — a distributed event-streaming platform. 
**Brokers** persist and serve
+  partitioned, replicated topics over the Kafka RPC protocol; 
**producers/consumers/admin clients** connect
+  over the network; cluster metadata is managed by a **KRaft** controller 
quorum (or, on legacy clusters,
+  ZooKeeper). The repo also ships **Kafka Connect** (a connector runtime + 
REST control plane), **Kafka
+  Streams** (a client library), tiered **storage**, and the **clients** 
library *(documented — README, module
+  layout: `core`, `server`, `clients`, `metadata`, `raft`, `connect`, 
`streams`, `*-coordinator`, `storage`)*.
+- **Modelled against:** `apache/kafka` `trunk`/HEAD (2026-05-31).
+- **Status:** **DRAFT — v0, not yet reviewed by the Kafka PMC.** Produced by 
the ASF Security team via the
+  `threat-model-producer` rubric 
(<https://gist.github.com/potiuk/da14a826283038ddfe38cc9fe6310573>).
+- **Reporting / version-binding / legend** as in the sibling models. **Draft 
confidence:** ~16 documented /
+  0 maintainer / ~58 inferred. Each *(inferred)* routes to §14.
+
+**Framing note:** Kafka is a *configurable platform*. It provides 
**mechanisms** — SASL/mTLS authentication,
+an ACL **Authorizer**, TLS transport, quotas — and the **operator chooses** 
which listeners use them. A
+broker can be run wide open (PLAINTEXT, no authorizer) or fully locked down; 
the model says which outcomes
+are `VALID` in a secured config vs. operator responsibility. The adversary is 
an **untrusted network client**
+of a broker (or the Connect REST API); the operator and trusted cluster peers 
are out of model.
+
+## §2 Scope and intended use
+
+Caller roles:
+
+- **Untrusted network client** — any peer that can open a TCP connection to a 
broker listener (or Connect
+  REST) before authenticating.
+- **Authenticated principal** — a producer/consumer/admin client whose 
SASL/mTLS identity the broker
+  validated; confined by ACLs.
+- **Broker / controller peer** — another broker or a KRaft controller in the 
same cluster; operator-provisioned.
+- **Operator** — configures listeners, security protocols, SASL, TLS, the 
authorizer + ACLs, quotas, Connect,
+  and storage. **Trusted; out of model as adversary (§3).**
+
+**Component-family table:**
+
+| Family | Entry point | Touches outside process | In model? |
+| --- | --- | --- | --- |
+| Broker RPC / network layer | listener `:9092`, request handlers (`core`, 
`server`) | network | **Yes** |
+| Authentication | SASL (PLAIN/SCRAM/GSSAPI/OAUTHBEARER), mTLS, delegation 
tokens | crypto; (KDC/IdP) | **Yes** |
+| Authorization | ACL `Authorizer` (StandardAuthorizer/KRaft) | metadata | 
**Yes** |
+| Transport security | per-listener TLS, inter-broker security | network | 
**Yes** |
+| Metadata control plane | KRaft quorum (`raft`, `metadata`) / ZooKeeper 
(legacy) | network | **Yes (peer-trust)** |
+| Coordinators | group / transaction / share coordinators | — | **Yes** |
+| Storage + tiered storage | log segments; remote-storage plugins | 
filesystem; remote store | **Yes** |
+| Kafka Connect | REST control plane + connector plugins | network egress; 
plugin code | **Yes (addendum C)** |
+| Kafka Streams | client library (runs in the app) | — | Light → §3 |
+| Clients library | parses broker responses | — | **Yes (client-side)** |
+| tools / shell / trogdor / tests / docker | — | — | No → §3 |
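Review bot: §1 and §2 disagree on whether an authenticated principal is an adversary. §1 states the adversary is the **untrusted network client** and that the operator and trusted cluster peers are out of model, but §2 introduces the **Authenticated principal** role ("confined by ACLs") without saying whether a malicious authenticated client trying to cross the ACL boundary is in scope, even though the Authorization row of the table is marked **Yes**. Please state explicitly in §1 that an authenticated-but-hostile principal is also a modelled adversary (or that ACL bypass is out of scope), so the `VALID`-in-secured-config judgement has a defined attacker. Two smaller points in the same hunk: the "Touches outside process" column is inconsistent, with the broker row listing `network` while the Clients library and Kafka Streams rows say `—` although §1 says clients connect to brokers over the network; and `**Modelled against:** apache/kafka trunk/HEAD (2026-05-31)` should pin a commit SHA, since a date alone does not identify a `trunk` snapshot for version-binding.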

Review Comment:
   I don't know whether you need an exhaustive list or just a list of examples, but let's also exclude committer-tools



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
