Greg Harris created KAFKA-15398:
-----------------------------------
Summary: Document Connect threat model
Key: KAFKA-15398
URL: https://issues.apache.org/jira/browse/KAFKA-15398
Project: Kafka
Issue Type: Task
Components: KafkaConnect
Reporter: Greg Harris

Kafka Connect is a plugin framework, regularly requiring the installation of
third-party code. This poses a security hazard for operators, who may be
compromised by actively malicious plugins or well-intentioned plugins which are
exploitable.

We should document the threat model that the Connect architecture uses, and
make it clear to operators what trust and verification is required in order to
operate Connect safely.

At a high level, this documentation may include:

# Plugins are arbitrary code with unrestricted access to the filesystem,
secrets, and network resources of the hosting Connect worker
# The filesystem of the worker is trusted
# Connector configurations passed via REST API are trusted
# Plugins may have exploits triggered by certain configurations, or by
external connections.
# Exploits may also be present in plugins/drivers/dependencies used by Connect
plugins, such as JDBC drivers
# The default installation without REST API security is exploitable when run
on an untrusted network.

Documenting this security model will also make it easier to discuss changing
the model and improving the security architecture of Connect in the future.
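
The list items on the trusted worker filesystem and on the unsecured default REST API can be checked mechanically by an operator. The following is an added example, not part of the issue and not Kafka project code: it audits a Connect worker properties file using the real worker keys `listeners`, `rest.extension.classes`, `ssl.client.auth`, `listeners.https.ssl.client.auth` and `plugin.path`. The function names are hypothetical, and treating any configured REST extension as an authentication control is an assumption.

```python
import os
import stat
from urllib.parse import urlsplit

LOOPBACK = {"localhost", "127.0.0.1", "::1"}
# Constructed sample worker config, not taken from a real deployment.
SAMPLE = "# worker.properties\nlisteners=http://0.0.0.0:8083\n"

def parse_properties(text):
    """Parse the simple key=value subset of a Java .properties file."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props

def audit_worker(props):
    """Return a list of findings for a Connect worker config (dict of properties)."""
    findings = []
    # Default when 'listeners' is unset: plain HTTP on port 8083, no fixed host.
    listeners = props.get("listeners", "http://:8083")
    # Assumption: any configured REST extension is an authentication control.
    has_ext = bool(props.get("rest.extension.classes", "").strip())
    mtls = "required" in (props.get("listeners.https.ssl.client.auth"),
                          props.get("ssl.client.auth"))
    for uri in filter(None, (u.strip() for u in listeners.split(","))):
        parts = urlsplit(uri)
        if (parts.hostname or "") in LOOPBACK:
            continue
        if parts.scheme.lower() == "http":
            findings.append(f"REST listener {uri}: plaintext HTTP reachable off-host")
        elif not (mtls or has_ext):
            findings.append(f"REST listener {uri}: TLS but no client authentication")
    # The worker filesystem is trusted, so plugin directories must not be writable by others.
    for path in filter(None, (p.strip() for p in props.get("plugin.path", "").split(","))):
        try:
            mode = os.stat(path).st_mode
        except OSError:
            findings.append(f"plugin.path {path}: missing or unreadable")
            continue
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"plugin.path {path}: group/world-writable")
    return findings

if __name__ == "__main__":
    for finding in audit_worker(parse_properties(SAMPLE)):
        print(finding)
```

A clean result only covers these two controls; it says nothing about the plugins themselves, which the list above treats as arbitrary code.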