Add draft project security threat-model document#1293
Conversation
Adds a v0 THREAT_MODEL.md for Apache Knox drafted by the ASF Security team for the Knox PMC to review, adjust, and own (path 3 of the Frontier Model Preparation pre-flight, per the Knox PMC's 2026-07-02 go-ahead), plus the discoverability wiring: AGENTS.md -> SECURITY.md -> THREAT_MODEL.md. Generated-by: Claude (Opus 4.8, 1M context)
Test Results32 tests 32 ✅ 3s ⏱️ Results for commit 7f2caa4. ♻️ This comment has been updated with latest results. |
…nore apache-rat 0.13 (this repo's version) does not recognise the short SPDX identifier, so it flagged THREAT_MODEL.md / SECURITY.md / AGENTS.md. Switching to the full AL-2.0 header (HTML comment) makes them pass the license check on every RAT version, so the .ratignore exemption is no longer needed. Generated-by: Claude Code
|
Quick note on the CI: the red was One alternative worth flagging: No strong preference from our side; the header fix already gets you green, so the bump is purely optional cleanup. |
@potiuk - thanks for the offer. We can bump that separately. |
| proxy-user / identity-assertion mechanism assumes the backend will accept a | ||
| Knox-asserted principal. This means **anything that lets a client control the | ||
| asserted identity is an authentication bypass against every backend.** | ||
| - **Network segmentation** *(inferred → Q6)*: Knox assumes clients cannot reach |
There was a problem hiding this comment.
Network segmentation is one possibiliity. The other is that traffic that CAN authenticate via Kerberos directly to the backend servers are indeed allowed and without explicit proxyuser config making the clients trusted proxies they may not assert the identity of another user via doAs.
| `conf/` and `data/security/`; writes audit + service logs; may spawn nothing | ||
| beyond the JVM. This "no-surprise" inventory is almost entirely inferred and is | ||
| a high-priority confirmation target. | ||
|
|
There was a problem hiding this comment.
Let's verify whether the webshell terminal spawns any process.
| | Knob / mode | Less-secure setting | Proposed maintainer stance | | ||
| | --- | --- | --- | | ||
| | Demo LDAP + `sandbox` topology | shipped, trivially bypassable creds | dev-only; production must replace *(→ Q5)* | | ||
| | Self-signed identity keystore | default if operator provides none | dev-only; production installs a CA cert *(→ Q13)* | |
There was a problem hiding this comment.
This should be 'identity certificate' as the keystore has separate considerations.
| | Demo LDAP + `sandbox` topology | shipped, trivially bypassable creds | dev-only; production must replace *(→ Q5)* | | ||
| | Self-signed identity keystore | default if operator provides none | dev-only; production installs a CA cert *(→ Q13)* | | ||
| | `HeaderPreAuth` without an IP/mTLS trust check | trusts `SM_USER`/custom identity header from any client | **VALID if reachable** — a preauth header trusted without a gating check is a classic Knox misconfig-to-CVE path *(→ Q14)* | | ||
| | Anonymous / `Anonymous` auth provider or no authz provider in a topology | request passes unauthenticated/unauthorized | operator-chosen posture for public services; report ⇒ OUT-OF-MODEL unless a *different* topology's protection leaks *(→ Q15)* | |
There was a problem hiding this comment.
This is used for public or self-authenticating services and is indeed OUT-OF-MODEL
| **Wave 1 — scope, deployment, adversary (unblocks everything):** | ||
|
|
||
| - **Q1 (§2):** Deployment shape is "a long-running Jetty-based edge daemon, | ||
| administrator-operated; not an in-process library." Correct? |
|
|
||
| - **Q19/Q20 (§6/§8):** Confirm the per-surface trust table, and state the | ||
| resource line. Proposed: "unauthenticated hang/crash = bug; proportionate load | ||
| = not." |
| resource line. Proposed: "unauthenticated hang/crash = bug; proportionate load | ||
| = not." | ||
| - **Q26 (§9):** Confirm Knox perimeter authz does not replace backend/Ranger | ||
| authz. |
| authz. | ||
| - **Q27 (§9):** For the reverse-proxy attack classes (request smuggling, SSRF, | ||
| SSO open-redirect, SAML XXE, host-header/XFF confusion, WebSocket origin), | ||
| which does Knox take responsibility for vs leave to the operator? |
There was a problem hiding this comment.
All protections are the responsibility of the operator though Knox provides various ways for them to add ptotections. For things like XSRF, we have the WebAppSecProvider that can be configured for XSRF, CSS, CORS, etc. We also have various regexp based whitelists to protect against SSRF and open-redirect. These protections must be properly tuned for the deployment specific expectations with regard to hosts, ports, domains, etc.
| - **Q-meta-A:** Knox has **no** project-specific `SECURITY.md` or website security | ||
| page (only the generic `security@apache.org` entry on | ||
| security.apache.org/projects). Should this model become the canonical Knox | ||
| security document, linked from a new `SECURITY.md` and the project site? |
| security.apache.org/projects). Should this model become the canonical Knox | ||
| security document, linked from a new `SECURITY.md` and the project site? | ||
| - **Q-meta-B:** Where should the ratified model live (`docs/` in-repo, versioned | ||
| with releases) and what change class triggers a revision (per §12)? |
What
Adds a v0
THREAT_MODEL.mdfor Apache Knox, plus the discoverability wiring (SECURITY.mdandAGENTS.md), drafted by the ASF Security team for the Knox PMC to review, adjust, and own.This is path 3 of the Frontier Model Preparation pre-flight — the Knox PMC (Larry McCay, chair) asked on 2026-07-02 for a v0 draft to react to. The document follows the Security team's threat-model rubric: it describes the assumptions Knox makes about its environment and callers, the security properties it upholds and the ones it explicitly disclaims, the operator's responsibilities, and a triage-disposition table for routing a security report.
THREAT_MODEL.md— the v0 draft (provenance-tagged(documented)/(maintainer)/(inferred); §14 collects the open questions for the PMC, prioritized in waves).SECURITY.md— a reporting policy (Knox had none) that links the threat model.AGENTS.md— points toSECURITY.md→THREAT_MODEL.mdso the model is mechanically discoverable.For the PMC — highest-leverage open questions
HeaderPreAuth(trusting an identity header without an mTLS/IP gate) a supported posture, or a misconfiguration the operator must avoid?The
(inferred)claims are the ones needing PMC confirmation; promoting them to(maintainer)as you answer §14 is the fastest path to a ratified model.🤖 Generated with Claude Code