adnanhemani commented on PR #1424: URL: https://github.com/apache/polaris/pull/1424#issuecomment-2831436394
Agreed here, in general, with the other comments that a `*` resource for these KMS actions is likely a bad idea. But I'm still struggling with a proper threat model here.

The only major security threat case I could see to this is that a data admin has used different encryption keys for files within the same table - and is using the encryption key access as a way of controlling access to the overall data in the table. In this case, they would need to tell Polaris what access logic it should use to decide which KMS keys to give credentials for - which is something that we do not support AFAIK.

The other major case could be that a malicious user then uses the `*` resource on KMS to attempt to decrypt something on the local filesystem that was encrypted using the same KMS key. For SSE, it would not be possible for a user to decrypt something (per my understanding) in an S3 path that is not explicitly listed in the credential-vended policy. If a user attempts to download an S3 file using some other credentials to the local filesystem, they will require the KMS policy to even download this file to begin with.

So, in my opinion, this comes back to: do we care about this use case where different files in the same table are encrypted using different KMS keys, and do we need to ensure that credentials only allow such access per file? If so, how can we solve this? Or - is there a different threat model that I have not considered here that shows an active vulnerability?

cc @singhpk234 @eric-maynard @dennishuo
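
To make the distinction in the comment above concrete, here is an added example; it is not Polaris code and not from the PR author. A hypothetical `build_session_policy` produces the kind of STS session policy a credential-vending service might hand out, once with `Resource: "*"` on the KMS statement and once scoped to the table's key ARN, and a minimal IAM-style matcher `is_allowed` evaluates requests against it. The bucket name, table prefix and key ARNs are constructed values, and the matcher ignores `Condition` blocks.

```python
"""Added illustration (not Polaris code): wildcard vs. scoped KMS resources
in a vended session policy, checked with a minimal IAM-style matcher."""
import fnmatch
import json
from typing import Iterable, Optional

# Constructed sample identifiers; not real keys or buckets.
BUCKET = "example-lake"
TABLE_PREFIX = "warehouse/db/orders/"
TABLE_KEY = "arn:aws:kms:us-east-1:111122223333:key/1111aaaa-2222-bbbb-3333-cccc4444dddd"
OTHER_KEY = "arn:aws:kms:us-east-1:111122223333:key/9999eeee-8888-ffff-7777-000011112222"


def build_session_policy(bucket: str, table_prefixes: Iterable[str],
                         kms_key_arns: Optional[Iterable[str]] = None) -> dict:
    """Return a session policy scoped to the table's S3 prefixes.

    S3 object access is always limited to the listed prefixes. The KMS
    statement uses Resource "*" when no key ARNs are given (the pattern the
    PR discussion is about), otherwise only the supplied keys. Hypothetical
    shape; a real vending service may emit something different.
    """
    prefixes = list(table_prefixes)
    if kms_key_arns is None:
        kms_resource = "*"
    else:
        kms_resource = list(kms_key_arns)
        if not kms_resource:
            raise ValueError("scoped KMS statement needs at least one key ARN")
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow",
             "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
             "Resource": [f"arn:aws:s3:::{bucket}/{p}*" for p in prefixes]},
            {"Effect": "Allow",
             "Action": ["s3:ListBucket"],
             "Resource": [f"arn:aws:s3:::{bucket}"],
             "Condition": {"StringLike": {"s3:prefix": [f"{p}*" for p in prefixes]}}},
            {"Effect": "Allow",
             "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
             "Resource": kms_resource},
        ],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Minimal IAM-style evaluation: explicit Deny wins, else any matching Allow.

    Approximation for illustration: only Action and Resource are matched, with
    glob semantics; actions compare case-insensitively as in IAM; Conditions
    are ignored. Real evaluation also intersects with the role's own policy
    and, for KMS, with the key policy.
    """
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(fnmatch.fnmatchcase(action.lower(), a.lower())
                         for a in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, r)
                           for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def compare_kms_scoping() -> dict:
    """Evaluate the same requests under the wildcard and the scoped policy."""
    wildcard = build_session_policy(BUCKET, [TABLE_PREFIX])
    scoped = build_session_policy(BUCKET, [TABLE_PREFIX], [TABLE_KEY])
    other_obj = f"arn:aws:s3:::{BUCKET}/warehouse/db/customers/data/00001.parquet"
    table_obj = f"arn:aws:s3:::{BUCKET}/{TABLE_PREFIX}data/00001.parquet"
    return {
        # With Resource "*", Decrypt on a key unrelated to the table is allowed
        # (subject to that key's own key policy); with a scoped ARN it is not.
        "wildcard_decrypt_other_key": is_allowed(wildcard, "kms:Decrypt", OTHER_KEY),
        "scoped_decrypt_other_key": is_allowed(scoped, "kms:Decrypt", OTHER_KEY),
        "scoped_decrypt_table_key": is_allowed(scoped, "kms:Decrypt", TABLE_KEY),
        # S3 access stays bounded by the prefix statements under both policies.
        "wildcard_get_other_prefix": is_allowed(wildcard, "s3:GetObject", other_obj),
        "wildcard_get_table_prefix": is_allowed(wildcard, "s3:GetObject", table_obj),
    }


if __name__ == "__main__":
    print(json.dumps(build_session_policy(BUCKET, [TABLE_PREFIX], [TABLE_KEY]), indent=2))
    print(json.dumps(compare_kms_scoping(), indent=2))
```

The result shows the point made in the comment: the S3 statements already stop a holder of the vended credentials from reading objects outside the table prefix, so the extra exposure from `Resource: "*"` is confined to `kms:Decrypt`/`kms:GenerateDataKey` calls on other keys whose key policies happen to trust the vending role, using ciphertext obtained some other way. A session policy can only narrow what the underlying role and the key policy already grant, so the scoped form is a defence-in-depth measure rather than the only control.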
