potiuk commented on PR #17823: URL: https://github.com/apache/iotdb/pull/17823#issuecomment-4618441673
Thanks @HTHou — pushed a revision folding in your review:

- **Trusted-network-by-default** posture, with the authenticated client RPC surface as the main in-model boundary; direct public exposure (esp. with default creds) noted as not a supported posture.
- Default **`root:root`** documented as must-change-before-production (`OUT-OF-MODEL: non-default-build`), not a supported posture.
- Defaults reflected: REST off, MQTT off, client Thrift SSL off.
- `USE_UDF` / `USE_TRIGGER` / `USE_PIPE` / `USE_MODEL` framed as grantable system privileges — principals holding them are trusted for that server-side execution; **RBAC is the boundary, not a sandbox** (UDF-RCE = BY-DESIGN).
- **DoS line split**: malformed/pre-auth input causing crash/OOM/hang is in-model; ordinary expensive queries / write load are operator capacity (out-of-model unless super-linear amplification / missing-expected-limit / hang).

Per your note, I kept inter-node trust, the Byzantine-peer assumption, and the long-term triage policy as explicit §14 follow-up items rather than finalizing them here.

Ready as the initial draft whenever you're set.

--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at: [email protected]
