Add a draft security threat model + discoverability files (THREAT_MODEL.md, SECURITY.md, AGENTS.md)#841
Conversation
…EL.md, SECURITY.md, AGENTS.md) Generated-by: Claude Code
HoustonPutman
left a comment
There was a problem hiding this comment.
Ok these are the comments I have. Not sure exactly what I'm supposed to do from here. Do I make the changes then merge? Including saying that it was reviewed by me (I see a section mentioning no review has been done)
…e/Role, pass-through k8s options, security@solr.apache.org Addresses the 5 review comments on apache#841; flips the confirmed claims' provenance to *(maintainer)* and credits the 2026-07-15 review.
|
Thanks, Houston — this is exactly the maintainer input the draft needed, and all five are clear corrections. I've folded them into the PR:
On the "no review has been done" note: that's a provenance marker — draft claims start tagged So from here it's yours: a final look and merge whenever you're happy — that's the one thing that gets the Operator discoverable for the scan. You don't need to make any further edits unless you spot something else. Thanks again — the namespace-scoped and RBAC corrections especially are the kind of thing only a maintainer would catch. |
This is a proposal for the Solr PMC to review — please correct, reject, or discuss as needed. The maintainers are the decision-makers; nothing here is a requirement.
This adds a v0 draft threat model (
THREAT_MODEL.md) for the Solr Operator plus the conventionalAGENTS.md → SECURITY.md → THREAT_MODEL.mddiscoverability chain, so an automated agentic security scanner can mechanically find the project's security model.Context. The ASF Security team is preparing Apache Solr's repositories for an automated agentic security scan. Discoverability (the scanner being able to follow
AGENTS.md → SECURITY.md → model) is the one hard gate — without it a scan can't run. The Solr search server (apache/solr) already has its model merged; this PR is the equivalent for the operator, whose attack surface is entirely different (a privileged Kubernetes controller, not a search engine). The model cross-referencesapache/solr'sTHREAT_MODEL.mdfor everything on the managed-Solr side.This is a v0 draft — mostly
*(inferred)*. The Security team drafted it from the repo's own public artefacts (CRD types, the operatorClusterRole,main.goflag defaults, the Helm values, the auth/TLS docs) using thethreat-model-producerrubric. Every claim carries a provenance tag; every*(inferred)*tag routes to a matching question in §14 Open questions. The fastest way to review is to react to §14 (a one-line confirm / correct / strike per question) rather than compose from scratch — we then fold your answers in and the tags become*(maintainer)*.A few concrete things the draft flags for your confirmation (all §14): the all-namespaces watch + cluster-wide
ClusterRoledefault;tls-skip-verify-server=true(operator→Solr cert verification off by default); the bootstrapsecurity.jsonpasswords being generated withmath/randrather thancrypto/rand; and the confused-deputy surface where a namespace tenant's CR fields drive the privileged operator. These are proposed dispositions, not assertions — your call.Scope note: the Solr Operator was one of the repos flagged for scope confirmation in the scan enrollment. If the PMC would rather not include the operator in this cycle, just close the PR and we'll drop it — no problem. If you'd rather own the model yourselves, close it and we'll wait.
Questions / pushback welcome. Happy to adjust structure, file placement, or wording to match project house style.