Add security threat model (THREAT_MODEL.md) + SECURITY.md/AGENTS.md discoverability#6535
Add security threat model (THREAT_MODEL.md) + SECURITY.md/AGENTS.md discoverability#6535potiuk wants to merge 4 commits into
Conversation
… discoverability v0 threat model produced by the ASF Security team via threat-model-producer (Michael Scovetta rubric, run with Claude Opus) for the PMC to review, correct, and own. Wires the AGENTS.md -> SECURITY.md -> THREAT_MODEL.md discoverability chain the scan agent follows. Every non-trivial claim is provenance-tagged; open questions for the PMC are collected in THREAT_MODEL.md section 14. Generated-by: Claude Opus 4.8 (1M context)
|
Thank you! I will check the draft |
|
Thanks @okumin — no rush. The most useful read is the §14 "Open questions" section at the end; those are where I inferred a position and would value your confirmation or correction. |
okumin
left a comment
okumin
left a comment
There was a problem hiding this comment.
I answered some obvious points. I'm still checking the remaining
Incorporates okumin's PR apache#6535 review: - direct Hive Metastore access in scope (HMS enforces caller authz at the application level; Spark et al. connect directly) -> §3.3/§4/§11a - UDF/SerDe/TRANSFORM code-execution detail: built-in UDF blacklist (reflect/reflect2/java_method/in_file), custom UDF/SerDe admin trust, TRANSFORM disable via DisallowTransformHook -> §7/§8/§11a - §14 Q1/Q2 promoted to maintainer; Q7/Q9/Q12 annotated PMC-reviewing Generated-by: Claude Opus 4.8
|
Thanks
I've left these as "PMC reviewing" in §14 pending your follow-up, so nothing's prematurely locked:
On your off-topic question — separate THREAT_MODEL.md for the Metastore: my lean is to keep a single THREAT_MODEL.md but with clearly separated HS2 vs HMS scope/boundary/property subsections, since it's one repo and one discoverability chain (AGENTS.md -> SECURITY.md -> THREAT_MODEL.md) and the triage dispositions are shared. If you'd rather split them, that works too — we'd just point SECURITY.md at both files. Your call; happy to restructure either way. |
asf-ci-hive
added
tests pending
tests passed
and removed
tests unstable
tests pending
labels
…to separate threat models (different security models/params)
|
Thanks @okumin — really useful detail. Your answers are folded into
On your off-topic question — splitting HS2 and HMS into separate threat models: I think that's a good idea given they have genuinely different security models and parameters, and it also reads cleaner for the scan agent. I've noted it as §14 Q15; happy to split this into No rush on the rest of your review — ping me when you've worked through the remaining points and I'll fold them in one pass. |
| isolation, UDF vetting). Anything mis-assigned? | ||
| 10. Confirm the by-design non-guarantees in §7. | ||
| 11. Is super-linear resource use / a hang on a pathological query a bug, or is | ||
| bounding it the operator's job (YARN queues / HS2 limits)? |
There was a problem hiding this comment.
In general, this is an operator responsibility rather than a Hive bug. Hive accepts arbitrary HiveQL, so operators are expected to use HiveServer2 limits (e.g., hive.query.max.length) and YARN resource pools to bound the impact of pathological queries.
If a stronger isolation than HS2 and YARN can provide is required, operators should use separate HS2 instances or separate Hadoop/YARN clusters.
| code-execution-by-design (not a sandbox), per §7?~~ | ||
| 3. Confirm the assumed deployment: clustered, behind an operator-controlled | ||
| perimeter, with Hadoop + a metastore RDBMS + (Ranger or SQL-std auth) + KDC | ||
| as trusted dependencies. |
There was a problem hiding this comment.
Yes. We assume a clustered Hive deployment behind an operator-controlled perimeter. Hadoop, the metastore RDBMS, the configured authorization provider, and the Kerberos KDC are trusted dependencies.
The authorization provider is typically Ranger in production deployments, though SQL-standard authorization may also be used.
| 4. Is the in-scope adversary "a SQL client at the HS2 boundary" (+ a network | ||
| MITM where TLS is off)? Anything to add? | ||
| 5. Confirm operators with storage/metastore-DB/cluster-process access, and | ||
| trusted admins doing authorized actions, are out of model. |
There was a problem hiding this comment.
Yes. Operators with direct storage, metastore DB, or cluster-process access are considered trusted and out of scope. Authorized actions by trusted administrators are also out of model. This threat model focuses on behavior via Hive’s supported interfaces, assuming that the underlying infrastructure and its administrators are trusted.
| perimeter, with Hadoop + a metastore RDBMS + (Ranger or SQL-std auth) + KDC | ||
| as trusted dependencies. | ||
| 4. Is the in-scope adversary "a SQL client at the HS2 boundary" (+ a network | ||
| MITM where TLS is off)? Anything to add? |
There was a problem hiding this comment.
Yes. The primary in-scope adversaries are untrusted clients at Hive service boundaries: SQL clients submitting statements to HS2, and clients accessing the Hive Metastore through supported APIs.
A network MITM is also in scope when TLS or equivalent transport protection is enabled, and a Hive operator is responsible for setting up TLS properly.
|
Thanks @okumin — this is exactly the maintainer input the §14 open questions were fishing for, and it sharpens the model a lot. How I'll fold it in: Answered questions → maintainer-ratified. Your adversary model (untrusted SQL/metastore clients; MITM when TLS is enabled), trusted dependencies (Hadoop, metastore RDBMS, the authz provider, KDC), and trusted-admin-out-of-scope will move from (inferred) to (maintainer) in the next push. UDF / SerDe / TRANSFORM. The built-in-UDF blacklist ( Metastore direct access (line 186). Agreed it belongs in scope — I'll add direct Hive Metastore access (e.g. from Spark) as an in-scope interface and cite your gist. On a separate Still open (no rush), left as open questions pending your word:
I'll push the fold-in and re-request your review. Thanks again. |
|
Thanks.
Sure. We would like to follow the best practice. Let's go with your suggestion now. I'm still checking the unanswered questions. Wait a while |
§3/§4/§7 adversaries, trusted deps, query-resource bounding; §14 Q3/Q4/Q5/Q11 marked answered. Generated-by: Claude Code (Claude Opus 4.7)
|
@okumin — pushed the fold-in (c8ca131): your 2026-06-27 answers on the adversary model, trusted dependencies, out-of-scope operators/admins, and query-resource bounding are now in the model (§3/§4/§7), and §14 Q3/Q4/Q5/Q11 are marked answered. Still open whenever you have a moment: the |
|
3 participants
This adds a v0 security threat model + discoverability wiring to
apache/hive, produced by the ASF Security team for the Hive PMC to review and own — the pre-flight step for the Glasswing security scan the PMC opted into.What's here
THREAT_MODEL.md— a v0 model (Michael Scovetta rubric, run with Claude Opus) covering the HiveServer2 SQL front door, the Metastore, and the UDF / SerDe / execution layer: trust boundaries, in/out-of-scope adversaries, what Hive upholds vs. what it leaves to the operator (TLS, authorization-model choice, network isolation, UDF vetting), known non-findings, and triage dispositions. Every non-trivial claim is provenance-tagged(documented)/(maintainer)/(inferred); the(inferred)ones are our hypotheses.SECURITY.md— private reporting viasecurity@hive.apache.org+ a pointer to the model.AGENTS.md— wiresAGENTS.md → SECURITY.md → THREAT_MODEL.mdso the scan agent (and researchers) can mechanically find the model.How to engage — this is a draft to react to, not a finished artifact.
THREAT_MODEL.md§14 collects open questions in waves; answer inline a few at a time, correct anything wrong, and the model becomes the PMC's. Once you're happy, we queue the scan in OSS-criticality order. No deadline pressure with the Mythos 5 window being extended.Generated-by: Claude Opus 4.8 (1M context)