Description
Apache ShenYu does not currently have a published Security Model or Threat Model document. The absence of this document has resulted in a high volume of security reports that fall outside ShenYu's intended trust boundaries, requiring repeated manual triage by the PMC and ASF Security team.
A published Security Model will allow ASF Security to reject out-of-scope reports before they reach the PMC, and will provide operators with a clear understanding of ShenYu's security assumptions and deployment requirements.
Proposed Content:
The document should cover:
Deployment boundary: Admin is designed for trusted internal networks; the Admin port must not be exposed to the public internet.
Authentication boundary: All authenticated Admin users are fully trusted; account provisioning is the security boundary.
RBAC scope: @RequiresPermissions controls UI feature visibility; it does not provide security isolation between authenticated Admin users.
WebSocket sync channel: /websocket is intentionally unauthenticated and must be protected by network-level access controls.
Control plane vs. data plane: Admin and Gateway are separate trust domains.
Database security: Database is trusted infrastructure; database compromise is an independent security event outside ShenYu's software threat model.
Proposed Locations:
Official website: https://shenyu.apache.org/docs/help/security_model/
GitHub: SECURITY_MODEL.md in the repository root or docs/ directory
Acceptance Criteria:
Security Model document is published on the official website and in the GitHub repository before or alongside the next release.
Document is linked from SECURITY.md in the repository root.
ASF Security team is notified of the publication URL.