Add security threat model (THREAT_MODEL.md) + SECURITY.md/AGENTS.md discoverability#6535
Add security threat model (THREAT_MODEL.md) + SECURITY.md/AGENTS.md discoverability#6535potiuk wants to merge 2 commits into
Conversation
… discoverability v0 threat model produced by the ASF Security team via threat-model-producer (Michael Scovetta rubric, run with Claude Opus) for the PMC to review, correct, and own. Wires the AGENTS.md -> SECURITY.md -> THREAT_MODEL.md discoverability chain the scan agent follows. Every non-trivial claim is provenance-tagged; open questions for the PMC are collected in THREAT_MODEL.md section 14. Generated-by: Claude Opus 4.8 (1M context)
|
Thank you! I will check the draft |
|
Thanks @okumin — no rush. The most useful read is the §14 "Open questions" section at the end; those are where I inferred a position and would value your confirmation or correction. |
okumin
left a comment
okumin
left a comment
There was a problem hiding this comment.
I answered some obvious points. I'm still checking the remaining
| *(inferred)* tag to *(maintainer)* once confirmed. | ||
|
|
||
| **Wave 1 — scope & intended use** | ||
| 1. Is the in-scope surface "HiveServer2 (the SQL front door) + the artifacts it |
There was a problem hiding this comment.
Some external services, such as Apache Spark, can directly access Hive Metastore. The direct metastore access should be in scope.
https://gist.github.com/okumin/f33574e96efd014fa6c1f5d4e13531ef
Off-topic: Should we have a separate THREAT_MODEL.md for Hive Metastore if it is more convenient for AI? HiveServer2 and Hive Metastore have different security models and different parameters.
| compiles/executes", with the Metastore treated as an intra-cluster trusted | ||
| service? Or is direct Metastore access in scope? | ||
| 2. Are UDFs / SerDes / custom InputFormats / `TRANSFORM` scripts in scope as | ||
| *code-execution-by-design* (not a sandbox), per §7? |
There was a problem hiding this comment.
Yes, they are, but we may elaborate on details.
Prerequisite
We assume authentication and authorization are configured.
Built-in UDF
Basically, built-in UDFs should be safe. Apache Hive exceptionally includes some insecure UDFs (e.g., reflect, reflect2, java_method, in_file) that allow arbitrary code execution. A Hive administrator must configure hive.server2.builtin.udf.blacklist to block such UDFs, either through their authorization plugin or directly. We know that major plugins, such as the Ranger authorizer, configure hive.server2.builtin.udf.blacklist properly.
Custom UDF
A Hive administrator must configure access policies (e.g., via Ranger) to allow only trusted users to add UDF jars or register UDFs. They are responsible for implementing safe UDFs, and Hive systems trust them. Hive can't guarantee safety when a trusted user adds compromised UDFs.
SerDe/InputFormat/OutputFormat
Only Hive administrators can put jars. They are responsible for deploying secure SerDe/InputFormat/OutputFormat, and Hive systems trust them. Hive can't guarantee safety when a Hive administrator adds a compromised SerDe/InputFormat/OutputFormat.
TRANSFORM
In a secure deployment, it must be prohibited. Major authorization plugins add org.apache.hadoop.hive.ql.security.authorization.plugin.DisallowTransformHook to hive.exec.pre.hooks, and TRANSFORM is prohibited. Hive administrators are responsible for either using proper authorization plugins or configuring the hook themselves.
| 6. At the client→HS2 boundary, are SQL text, JDBC connection properties, and | ||
| session-config overrides all treated as untrusted (subject to the conf | ||
| whitelist)? | ||
| 7. Which `doAs` posture is the supported/recommended one, and how does it |
There was a problem hiding this comment.
When authentication and authorization, I expect hive.server2.enable.doAs to be false. That's because HiveServer2 can enforce policies on its own. I would like someone else to double-check this point.
| scoping, others)? | ||
|
|
||
| **Wave 3 — disclaimed properties & defaults** | ||
| 9. Confirm the operator-owned list in §6 (TLS, authz-model choice, network |
There was a problem hiding this comment.
As stated above, Hive Metastore should be protected at the application level, not at the network level.
I also wonder if we should accept only Ranger as an authorization system. I'm still considering that point, though.
| 11. Is super-linear resource use / a hang on a pathological query a bug, or is | ||
| bounding it the operator's job (YARN queues / HS2 limits)? | ||
| 12. Confirm the real names + shipped defaults of the §8 levers (especially | ||
| `hive.server2.authentication` and the default authorization model). |
There was a problem hiding this comment.
I'm checking them. We have parameters to configure TLS on the Hive side.
Incorporates okumin's PR apache#6535 review: - direct Hive Metastore access in scope (HMS enforces caller authz at the application level; Spark et al. connect directly) -> §3.3/§4/§11a - UDF/SerDe/TRANSFORM code-execution detail: built-in UDF blacklist (reflect/reflect2/java_method/in_file), custom UDF/SerDe admin trust, TRANSFORM disable via DisallowTransformHook -> §7/§8/§11a - §14 Q1/Q2 promoted to maintainer; Q7/Q9/Q12 annotated PMC-reviewing Generated-by: Claude Opus 4.8
|
Thanks
I've left these as "PMC reviewing" in §14 pending your follow-up, so nothing's prematurely locked:
On your off-topic question — separate THREAT_MODEL.md for the Metastore: my lean is to keep a single THREAT_MODEL.md but with clearly separated HS2 vs HMS scope/boundary/property subsections, since it's one repo and one discoverability chain (AGENTS.md -> SECURITY.md -> THREAT_MODEL.md) and the triage dispositions are shared. If you'd rather split them, that works too — we'd just point SECURITY.md at both files. Your call; happy to restructure either way. |
|
3 participants
This adds a v0 security threat model + discoverability wiring to
apache/hive, produced by the ASF Security team for the Hive PMC to review and own — the pre-flight step for the Glasswing security scan the PMC opted into.What's here
THREAT_MODEL.md— a v0 model (Michael Scovetta rubric, run with Claude Opus) covering the HiveServer2 SQL front door, the Metastore, and the UDF / SerDe / execution layer: trust boundaries, in/out-of-scope adversaries, what Hive upholds vs. what it leaves to the operator (TLS, authorization-model choice, network isolation, UDF vetting), known non-findings, and triage dispositions. Every non-trivial claim is provenance-tagged(documented)/(maintainer)/(inferred); the(inferred)ones are our hypotheses.SECURITY.md— private reporting viasecurity@hive.apache.org+ a pointer to the model.AGENTS.md— wiresAGENTS.md → SECURITY.md → THREAT_MODEL.mdso the scan agent (and researchers) can mechanically find the model.How to engage — this is a draft to react to, not a finished artifact.
THREAT_MODEL.md§14 collects open questions in waves; answer inline a few at a time, correct anything wrong, and the model becomes the PMC's. Once you're happy, we queue the scan in OSS-criticality order. No deadline pressure with the Mythos 5 window being extended.Generated-by: Claude Opus 4.8 (1M context)