[MINOR] Record PMC answers to the security THREAT_MODEL.md open questions #5275
Open
jongyoul wants to merge 1 commit into
…ions Follow-up to apache#5268, which added THREAT_MODEL.md as a v0 draft for the PMC to review. This folds the Apache Zeppelin PMC review answers into the document: records the PMC answer for each open question in §14, and re-tags the corresponding (inferred) claims as (maintainer) across §2/§3/§5a/§6/§8/§9/§11a. Documentation only.
Pull request overview
This PR updates Zeppelin’s security threat model document (THREAT_MODEL.md) to incorporate Apache Zeppelin PMC responses to previously open questions, converting prior (inferred) statements into (maintainer)-confirmed positions and clarifying triage guidance for automated/security reviews.
Changes:
- Updates the document status and confidence framing to reflect PMC review and recorded answers.
- Re-tags multiple previously (inferred) claims as (maintainer) and folds §14 answers back into earlier sections (scope, defaults, properties, hardening).
- Expands §14 with the recorded PMC answers (waves 1–3), including rulings on defaults and hardening expectations.
Comments suppressed due to low confidence (1)
THREAT_MODEL.md:94
- This section still says the auth/anonymous posture is "pending" a §5a/§14 ruling, but §14 now records the PMC decision. Leaving "pending" here makes the model internally inconsistent after the PMC-reviewed updates.
untrusted network.** The docs direct operators to enable Shiro *or* deploy
only in a secured/trusted environment *(documented)*; an unauthenticated,
internet-exposed instance is an operator misconfiguration, not a Zeppelin
defect (pending the §5a/§14 ruling on whether anonymous is a supported
posture).
Comment on lines +161 to +167
| **Insecure-default ruling (recorded).** The PMC has ruled that every insecure | ||
| §5a default above is a *dev-convenience / by-design* choice, not the supported | ||
| production posture: Zeppelin's stance is "open by default, secure by | ||
| configuration" (enable Shiro, or deploy only in a secured/trusted network). A | ||
| report that only manifests under one of these defaults is therefore | ||
| `OUT-OF-MODEL: non-default-build` (or `BY-DESIGN`), with the requirement living | ||
| in §10. See §14 wave 1 for the per-knob answers. |
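Review bot: The label in "A report that only manifests under one of these defaults is therefore `OUT-OF-MODEL: non-default-build` (or `BY-DESIGN`)" reads as contradictory, because the report manifests under a shipped default while the label says "non-default". The parenthetical also offers a second label without saying when each one applies, which leaves triage ambiguous. Suggest stating in this paragraph why the insecure defaults are treated as outside the supported production posture for labelling purposes, and naming the condition that selects `BY-DESIGN` over `OUT-OF-MODEL: non-default-build`.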
| @@ -334,47 +342,66 @@ The highest-leverage section for keeping scan output signal-heavy: | |||
|
|
|||
| ## §14 Open questions for the maintainers | |||
Comment on lines +268 to +271
| the notebook web UI — *(maintainer — §14.10)* there is **no Content-Security- | ||
| Policy** and CSRF protection is **Origin-header-based only**, so strengthening | ||
| these (CSP, stronger CSRF) is welcome `VALID-HARDENING`; websocket cross-origin. | ||
| The point is to put integrators on notice. |
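Review bot: The trailing "websocket cross-origin." after "`VALID-HARDENING`;" reads as a bare fragment in these lines, so it is unclear what the websocket cross-origin posture is and whether the `(maintainer — §14.10)` tag and the `VALID-HARDENING` disposition cover it. Suggest making it a full clause with its own provenance tag, or its own list item. As a style point, the bold span "**no Content-Security-" / "Policy**" wraps mid-term and will render with a space after the hyphen; keep "Content-Security-Policy" on one line.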
Follow-up to #5268, which added the security THREAT_MODEL.md as a v0 draft for the PMC to review.

This folds the Apache Zeppelin PMC review answers into the document so it reflects maintainer positions rather than the draft (inferred) guesses:

- (inferred) claims as (maintainer) across §2/§3/§5a/§6/§8/§9/§11a.
- OUT-OF-MODEL: non-default-build.
- VALID-HARDENING).

Documentation only; no code changes.