Skip to content

Add draft project security threat-model document#1293

Open
potiuk wants to merge 1 commit into
apache:masterfrom
potiuk:knox-threat-model
Open

Add draft project security threat-model document#1293
potiuk wants to merge 1 commit into
apache:masterfrom
potiuk:knox-threat-model

Conversation

@potiuk

@potiuk potiuk commented Jul 2, 2026

Copy link
Copy Markdown
Member

What

Adds a v0 THREAT_MODEL.md for Apache Knox, plus the discoverability wiring (SECURITY.md and AGENTS.md), drafted by the ASF Security team for the Knox PMC to review, adjust, and own.

This is path 3 of the Frontier Model Preparation pre-flight — the Knox PMC (Larry McCay, chair) asked on 2026-07-02 for a v0 draft to react to. The document follows the Security team's threat-model rubric: it describes the assumptions Knox makes about its environment and callers, the security properties it upholds and the ones it explicitly disclaims, the operator's responsibilities, and a triage-disposition table for routing a security report.

  • THREAT_MODEL.md — the v0 draft (provenance-tagged (documented)/(maintainer)/(inferred); §14 collects the open questions for the PMC, prioritized in waves).
  • SECURITY.md — a reporting policy (Knox had none) that links the threat model.
  • AGENTS.md — points to SECURITY.mdTHREAT_MODEL.md so the model is mechanically discoverable.

For the PMC — highest-leverage open questions

  • §14 Q14 — is ungated HeaderPreAuth (trusting an identity header without an mTLS/IP gate) a supported posture, or a misconfiguration the operator must avoid?
  • §14 Q24 — ratify "faithful identity assertion" (a client cannot make Knox assert a principal it did not authenticate) as the keystone property.
  • §14 Q3 / Q4 — confirm the operator, the federated IdP, and the backend services are out of the adversary model.

The (inferred) claims are the ones needing PMC confirmation; promoting them to (maintainer) as you answer §14 is the fastest path to a ratified model.

🤖 Generated with Claude Code

Adds a v0 THREAT_MODEL.md for Apache Knox drafted by the ASF Security team
for the Knox PMC to review, adjust, and own (path 3 of the Frontier Model
Preparation pre-flight, per the Knox PMC's 2026-07-02 go-ahead), plus the
discoverability wiring: AGENTS.md -> SECURITY.md -> THREAT_MODEL.md.

Generated-by: Claude (Opus 4.8, 1M context)
@github-actions

github-actions Bot commented Jul 2, 2026

Copy link
Copy Markdown

Test Results

32 tests   32 ✅  3s ⏱️
 1 suites   0 💤
 1 files     0 ❌

Results for commit aaff416.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant