When a client reads a block from a DataNode, the block access token is used
for authorization on the DataNode. But if the block access token is stolen by
an impostor, the impostor can read the block.
I think this is a security hole.

I think we can use the replay cache mechanism in Kerberos to resolve the
question; the example below explains it:

The possibility exists for an impostor to simultaneously steal both the
ticket and the authenticator and use them during the 2 minutes the
authenticator is valid. This is very difficult but not impossible. To solve
this problem with Kerberos 5, Replay Cache has been introduced. In
application servers (but also in TGS), there exists the capacity to
remember authenticators which have arrived within the last 2 minutes, and
to reject them if they are replicas. With this the problem is resolved as
long as the impostor is not smart enough to copy the ticket and
authenticator and make them arrive at the application server before the
legitimate request arrives. This really would be a hoax, since the
authentic user would be rejected while the impostor would have access to
the service.


Thanks,

LiuLei
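
A minimal sketch of the replay cache described in the message above, added here as an illustration; it is not Hadoop or Kerberos code. The class name, the principal string and the authenticator bytes are assumptions constructed for the example.

```python
import hashlib
import time

WINDOW_SECONDS = 120  # the 2-minute authenticator lifetime from the text


class ReplayCache:
    """Remembers authenticators seen within the validity window (hypothetical class)."""

    def __init__(self, window=WINDOW_SECONDS, clock=time.time):
        self.window = window
        self.clock = clock
        self._seen = {}  # (client, timestamp, digest) -> expiry time

    def _purge(self, now):
        # An entry can be dropped once its authenticator can no longer be accepted.
        for key in [k for k, exp in self._seen.items() if exp < now]:
            del self._seen[key]

    def check(self, client, timestamp, authenticator_bytes):
        """Return 'accept', 'expired' or 'replay' for one incoming request."""
        now = self.clock()
        self._purge(now)
        # Nothing is remembered outside the window, so such requests are refused.
        if abs(now - timestamp) > self.window:
            return "expired"
        key = (client, timestamp, hashlib.sha256(authenticator_bytes).digest())
        if key in self._seen:
            return "replay"
        self._seen[key] = timestamp + self.window
        return "accept"


def demo():
    """Same authenticator presented three times against a constructed clock."""
    t = [1000.0]
    cache = ReplayCache(clock=lambda: t[0])
    auth = b"constructed-authenticator"  # constructed sample, not a real authenticator
    results = [cache.check("alice@EXAMPLE", 1000.0, auth)]      # first arrival
    t[0] = 1030.0
    results.append(cache.check("alice@EXAMPLE", 1000.0, auth))  # copy inside the window
    t[0] = 1121.0
    results.append(cache.check("alice@EXAMPLE", 1000.0, auth))  # copy after the window
    return results


if __name__ == "__main__":
    print(demo())
```

The cache only sees arrival order, so whichever copy arrives first is accepted and the later one is rejected, which is the limitation the quoted passage ends on.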
