Michael Smith has posted comments on this change. ( http://gerrit.cloudera.org:8080/24388 )
Change subject: IMPALA-15062: (Part 1) Add draft threat-model document
......................................................................


Patch Set 1: Code-Review+1

(24 comments)

http://gerrit.cloudera.org:8080/#/c/24388/1/draft-THREAT-MODEL.md
File draft-THREAT-MODEL.md:

http://gerrit.cloudera.org:8080/#/c/24388/1/draft-THREAT-MODEL.md@692
PS1, Line 692: "report upstream to Apache Kudu;
: we pick up fixes via vendored sync" (proposed)?
> Seems good to me

I think the Hive source is so far diverged from upstream that we should probably handle those. It doesn't seem to be explicitly called out the way Kudu source is though.


http://gerrit.cloudera.org:8080/#/c/24388/1/draft-THREAT-MODEL.md@704
PS1, Line 704: Proposed: memory corruption is `VALID`; crash /
: exception / slow path / OOM on a malformed file *landed by a writer with
: INSERT* is `OUT-OF-MODEL: equivalent-harm`; the same on a writer-controlled
: file in a *read-only-to-writer* deployment is `VALID-HARDENING`. *(maps to
: §3 item 6, §8 P8, §9, §11a)*
> Seems OK

Ack


http://gerrit.cloudera.org:8080/#/c/24388/1/draft-THREAT-MODEL.md@712
PS1, Line 712: Anything to add or remove?
> We could add `bin/` which only contain operational / helper scripts.

I have a mild preference for leaving bin/ in for utilities we might run on untrusted sources like minidumps. I think the noise from it should be low.


http://gerrit.cloudera.org:8080/#/c/24388/1/draft-THREAT-MODEL.md@716
PS1, Line 716: Is the Web UI a per-user authentication surface or a flat-admin
: surface?
> Flat-admin

Ack


http://gerrit.cloudera.org:8080/#/c/24388/1/draft-THREAT-MODEL.md@721
PS1, Line 721: do you make any Impala-side
: claim about tolerance, or is that entirely the operator's responsibility
: (proposed)?
> Confirm, it's the operator's responsibility

Ack


http://gerrit.cloudera.org:8080/#/c/24388/1/draft-THREAT-MODEL.md@726
PS1, Line 726: no child processes besides codegen
> Impala also spawns:

Done


http://gerrit.cloudera.org:8080/#/c/24388/1/draft-THREAT-MODEL.md@726
PS1, Line 726: no signal handlers besides
: breakpad
> Impala also adds handlers for:

Done


http://gerrit.cloudera.org:8080/#/c/24388/1/draft-THREAT-MODEL.md@727
PS1, Line 727: Any
: exceptions?
> JAVA_TOOL_OPTIONS is read from the environment and merged (not sanitized)

Done


http://gerrit.cloudera.org:8080/#/c/24388/1/draft-THREAT-MODEL.md@742
PS1, Line 742: Proposed across the board: **dev/test, operator must flip per §10**, except
: the last. *(maps to §5a, §10, §13)*
> All proposed "dev/test"

Ack


http://gerrit.cloudera.org:8080/#/c/24388/1/draft-THREAT-MODEL.md@746
PS1, Line 746: Is a Web UI port reachable without auth a
: `VALID` report on the operator's behalf, or `OUT-OF-MODEL:
: non-default-build`?
> OUT-OF-MODEL: non-default-build. The docs strongly recommend setting --webs

Ack


http://gerrit.cloudera.org:8080/#/c/24388/1/draft-THREAT-MODEL.md@751
PS1, Line 751: Confirm
: that setting these is `OUT-OF-MODEL
> Confirm

Ack


http://gerrit.cloudera.org:8080/#/c/24388/1/draft-THREAT-MODEL.md@761
PS1, Line 761: `--cookie_secret_file`: when unset, do HS2-HTTP cookies fall back
: to a per-process random secret (proposed)? Is the cookie HMAC algorithm
: documented and considered a §8 property?
> Confirm, when unset, Impala generates a 256-bit cryptographically random ke

Ack


http://gerrit.cloudera.org:8080/#/c/24388/1/draft-THREAT-MODEL.md@767
PS1, Line 767: **Q16.** Treat `ai_generate_text` responses and JDBC-external-table rows as
: data crossing a trust boundary (proposed)? Does Impala itself attempt any
: sanitization of LLM responses or external-JDBC rows? *(maps to §6, §10)*
> Confirm, treat as untrusted data crossing a trust boundary.

Ack


http://gerrit.cloudera.org:8080/#/c/24388/1/draft-THREAT-MODEL.md@771
PS1, Line 771: is there an enforced maximum (proposed: yes
> Yes, max_statement_length_bytes = 16 MB

Ack


http://gerrit.cloudera.org:8080/#/c/24388/1/draft-THREAT-MODEL.md@775
PS1, Line 775: is admission control (the
: `--default_pool_*` family) the entire enforcement, with no engine-level
: guard?
> Mostly true, but we also have concurrency limitation via --fe_service_threa

Ack


http://gerrit.cloudera.org:8080/#/c/24388/1/draft-THREAT-MODEL.md@781
PS1, Line 781: (proposed:
: game-over)
> Yes, game-over.

Ack


http://gerrit.cloudera.org:8080/#/c/24388/1/draft-THREAT-MODEL.md@784
PS1, Line 784: out of
: scope (proposed)
> Yes, out of scope.

Ack


http://gerrit.cloudera.org:8080/#/c/24388/1/draft-THREAT-MODEL.md@788
PS1, Line 788: so any compromised peer with a valid Kerberos identity is unbounded
: (proposed)?
> Confirm

Ack


http://gerrit.cloudera.org:8080/#/c/24388/1/draft-THREAT-MODEL.md@803
PS1, Line 803: (proposed:
: **no** — delegated to storage layer)?
> Confirm

Ack


http://gerrit.cloudera.org:8080/#/c/24388/1/draft-THREAT-MODEL.md@807
PS1, Line 807: all delegated to SASL/Kerberos/JWT
: libraries?
> All delegated to SASL/krb5/OpenSSL.

Ack


http://gerrit.cloudera.org:8080/#/c/24388/1/draft-THREAT-MODEL.md@810
PS1, Line 810: proposed:
: **no**, an authorization-view feature with known existence-leak side
: channels through error messages and query profiles
> Confirm, authorization view, not confidentiality boundary.

Ack


http://gerrit.cloudera.org:8080/#/c/24388/1/draft-THREAT-MODEL.md@816
PS1, Line 816: (proposed: **no**, the
: plan is finalized at start)
> Confirm

Ack


http://gerrit.cloudera.org:8080/#/c/24388/1/draft-THREAT-MODEL.md@831
PS1, Line 831: `docs/threat-model.md`
> LGTM

Ack


http://gerrit.cloudera.org:8080/#/c/24388/1/draft-THREAT-MODEL.md@835
PS1, Line 835: Is there an existing Impala threat-model document (Confluence,
: internal) that this should reconcile against rather than supersede?
> I'm not aware of such a document

Ack


-- 
To view, visit http://gerrit.cloudera.org:8080/24388
To unsubscribe, visit http://gerrit.cloudera.org:8080/settings

Gerrit-Project: Impala-ASF
Gerrit-Branch: master
Gerrit-MessageType: comment
Gerrit-Change-Id: I4d9c22f3b95f0a542888e56eeb618423104cc9fd
Gerrit-Change-Number: 24388
Gerrit-PatchSet: 1
Gerrit-Owner: Michael Smith <[email protected]>
Gerrit-Reviewer: Impala Public Jenkins <[email protected]>
Gerrit-Reviewer: Michael Smith <[email protected]>
Gerrit-Reviewer: Zoltan Borok-Nagy <[email protected]>
Gerrit-Comment-Date: Tue, 02 Jun 2026 18:34:08 +0000
Gerrit-HasComments: Yes
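The comment on line 761 above asks whether HS2-HTTP cookies fall back to a per-process random secret when `--cookie_secret_file` is unset, and whether the cookie HMAC is a documented security property. The following is an added illustration of that design point, written for this thread; it is not Impala's code. The cookie layout (`user&issued&mac`), the use of HMAC-SHA256, and the 24-hour lifetime are assumptions chosen for the example; the only facts taken from the thread are the 256-bit random fallback secret and the HMAC-based cookie.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Illustration only (not Impala's implementation): a fallback secret generated
# once per process when no secret file is configured, and HMAC-SHA256 cookies
# bound to it. Cookie layout "user&issued&mac" and the 24h lifetime are assumptions.

DEFAULT_MAX_AGE_SECONDS = 24 * 3600


def fresh_secret() -> bytes:
    """256-bit key from the OS CSPRNG, as a per-process fallback secret would be."""
    return secrets.token_bytes(32)


# Generated at import time: different on every restart and on every daemon,
# which is exactly the property a shared secret file is there to remove.
PROCESS_SECRET = fresh_secret()


def sign_cookie(username: str, secret: bytes = PROCESS_SECRET,
                now: Optional[int] = None) -> str:
    """Mint a cookie value whose MAC covers both the username and the issue time."""
    issued = int(time.time()) if now is None else now
    payload = f"{username}&{issued}"
    mac = hmac.new(secret, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}&{mac}"


def verify_cookie(cookie: str, secret: bytes = PROCESS_SECRET,
                  now: Optional[int] = None,
                  max_age: int = DEFAULT_MAX_AGE_SECONDS) -> Optional[str]:
    """Return the username if the MAC and age check out, otherwise None.

    Rejects malformed values, tampered fields, cookies minted under another
    secret (another process, or this one before a restart), and expired cookies.
    """
    try:
        # rsplit from the right so a username containing '&' cannot shift fields.
        username, issued_str, mac = cookie.rsplit("&", 2)
        issued = int(issued_str)
    except ValueError:
        return None
    # Recompute over the exact bytes that were signed (the original string, not
    # the parsed int) so canonicalisation differences cannot cause a mismatch.
    expected = hmac.new(secret, f"{username}&{issued_str}".encode(),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison: a plain == would leak MAC prefix matches via timing.
    if not hmac.compare_digest(expected, mac):
        return None
    current = int(time.time()) if now is None else now
    if issued > current or current - issued > max_age:
        return None
    return username


if __name__ == "__main__":
    cookie = sign_cookie("alice")
    print("same process  :", verify_cookie(cookie))
    print("tampered user :", verify_cookie(cookie.replace("alice", "admin", 1)))
    print("other process :", verify_cookie(cookie, secret=fresh_secret()))
```

The third check in the `__main__` block is the operational consequence of a per-process fallback: a cookie minted under one process's secret is rejected by any other process and by the same process after a restart. That is safe (it fails closed) but it is why a deployment with several coordinators, or one that must survive restarts without re-authenticating clients, needs the secret supplied from a shared file rather than the random fallback.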
