When a client reads a block from a DataNode, the block access token is used for authorization on the DataNode. But if the block access token is stolen by an impostor, the impostor can read the block. I think this is a security hole.
I think we can use the replay cache mechanism in Kerberos to resolve this problem, as the example below explains:

The possibility exists for an impostor to simultaneously steal both the ticket and the authenticator and use them during the 2 minutes the authenticator is valid. This is very difficult but not impossible. To solve this problem with Kerberos 5, Replay Cache has been introduced. In application servers (but also in TGS), there exists the capacity to remember authenticators which have arrived within the last 2 minutes, and to reject them if they are replicas. With this the problem is resolved as long as the impostor is not smart enough to copy the ticket and authenticator and make them arrive at the application server before the legitimate request arrives. This really would be a hoax, since the authentic user would be rejected while the impostor would have access to the service.

Thanks,
LiuLei
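The replay-cache behaviour described in the post above, as an added example that is not part of the original post and is not Hadoop or Kerberos code. `Authenticator`, `ReplayCache` and the sample values are hypothetical names and constructed data; the authenticator is reduced to a client name and client timestamp.

```python
import heapq
from collections import namedtuple

# Simplified stand-in for a Kerberos 5 authenticator (assumed fields):
# client name plus the client's timestamp in seconds and microseconds.
Authenticator = namedtuple("Authenticator", "client ctime cusec")
WINDOW = 120  # seconds an authenticator stays valid (the 2 minutes above)


class ReplayCache:
    """Remembers authenticators that arrived within the validity window."""

    def __init__(self, window=WINDOW):
        self.window = window
        self._seen = set()
        self._expiry = []  # min-heap of (expires_at, authenticator)

    def _purge(self, now):
        # Forget entries only once the time check alone would reject them.
        while self._expiry and self._expiry[0][0] < now:
            _, auth = heapq.heappop(self._expiry)
            self._seen.discard(auth)

    def accept(self, auth, now):
        """Return (True, 'ok') or (False, reason) for one incoming request."""
        self._purge(now)
        if abs(now - auth.ctime) > self.window:
            return False, "expired"   # outside the validity window
        if auth in self._seen:
            return False, "replay"    # same authenticator seen before
        self._seen.add(auth)
        heapq.heappush(self._expiry, (auth.ctime + self.window, auth))
        return True, "ok"


def demo():
    # Constructed sample: one authenticator presented at different times.
    a = Authenticator("alice@EXAMPLE.COM", ctime=1000, cusec=42)
    first = ReplayCache()
    results = [
        first.accept(a, now=1001),   # original request arrives first
        first.accept(a, now=1030),   # copy inside the window
        first.accept(a, now=1200),   # copy after the window
    ]
    # Limitation noted in the post: whichever copy arrives first wins.
    second = ReplayCache()
    results += [second.accept(a, now=1000.5), second.accept(a, now=1001)]
    return results
```

The last two results show the limitation the post describes: the cache cannot tell which sender is legitimate, only which copy arrived first.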