Skip to content

Add draft project security threat-model document#1293

Open
potiuk wants to merge 2 commits into
apache:masterfrom
potiuk:knox-threat-model
Open

Add draft project security threat-model document#1293
potiuk wants to merge 2 commits into
apache:masterfrom
potiuk:knox-threat-model

Conversation

@potiuk

@potiuk potiuk commented Jul 2, 2026

Copy link
Copy Markdown
Member

What

Adds a v0 THREAT_MODEL.md for Apache Knox, plus the discoverability wiring (SECURITY.md and AGENTS.md), drafted by the ASF Security team for the Knox PMC to review, adjust, and own.

This is path 3 of the Frontier Model Preparation pre-flight — the Knox PMC (Larry McCay, chair) asked on 2026-07-02 for a v0 draft to react to. The document follows the Security team's threat-model rubric: it describes the assumptions Knox makes about its environment and callers, the security properties it upholds and the ones it explicitly disclaims, the operator's responsibilities, and a triage-disposition table for routing a security report.

  • THREAT_MODEL.md — the v0 draft (provenance-tagged (documented)/(maintainer)/(inferred); §14 collects the open questions for the PMC, prioritized in waves).
  • SECURITY.md — a reporting policy (Knox had none) that links the threat model.
  • AGENTS.md — points to SECURITY.mdTHREAT_MODEL.md so the model is mechanically discoverable.

For the PMC — highest-leverage open questions

  • §14 Q14 — is ungated HeaderPreAuth (trusting an identity header without an mTLS/IP gate) a supported posture, or a misconfiguration the operator must avoid?
  • §14 Q24 — ratify "faithful identity assertion" (a client cannot make Knox assert a principal it did not authenticate) as the keystone property.
  • §14 Q3 / Q4 — confirm the operator, the federated IdP, and the backend services are out of the adversary model.

The (inferred) claims are the ones needing PMC confirmation; promoting them to (maintainer) as you answer §14 is the fastest path to a ratified model.

🤖 Generated with Claude Code

Adds a v0 THREAT_MODEL.md for Apache Knox drafted by the ASF Security team
for the Knox PMC to review, adjust, and own (path 3 of the Frontier Model
Preparation pre-flight, per the Knox PMC's 2026-07-02 go-ahead), plus the
discoverability wiring: AGENTS.md -> SECURITY.md -> THREAT_MODEL.md.

Generated-by: Claude (Opus 4.8, 1M context)
@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown

Test Results

32 tests   32 ✅  3s ⏱️
 1 suites   0 💤
 1 files     0 ❌

Results for commit 7f2caa4.

♻️ This comment has been updated with latest results.

…nore

apache-rat 0.13 (this repo's version) does not recognise the short SPDX
identifier, so it flagged THREAT_MODEL.md / SECURITY.md / AGENTS.md. Switching
to the full AL-2.0 header (HTML comment) makes them pass the license check on
every RAT version, so the .ratignore exemption is no longer needed.

Generated-by: Claude Code
@potiuk

potiuk commented Jul 4, 2026

Copy link
Copy Markdown
Member Author

Quick note on the CI: the red was apache-rat flagging the three added .md files. I've just pushed a commit adding the full Apache License v2.0 header (as an HTML comment) to each, which resolves it under this repo's current apache-rat 0.13 — so the PR should go green as-is.

One alternative worth flagging: apache-rat-plugin.version here is pinned to 0.13 (~2015). Newer RAT (0.16.1) recognises the SPDX identifier and has a decade of format/bugfix improvements. If the PMC prefers, I'm happy to swap the header commit for a one-line bump of that property (0.130.16.1) instead — whichever you'd rather carry. Just say the word and I'll include it here.

No strong preference from our side; the header fix already gets you green, so the bump is purely optional cleanup.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant