Block access token is only valid for a short period of time, as the NN/DN
shared secrets are rolled periodically. As long as you cannot steal block
token easily (besides using zero-day bugs), there is really no security
hole here (by design). If you know of a way to steal block tokens without
root access, let us know.


On Tue, Nov 12, 2013 at 7:30 PM, lei liu <liulei...@gmail.com> wrote:

> When client read block from DataNode, the block access token is used for
> authorization on DataNode. But if the block access token is stolen by
> impostor, the  impostor can read the block,
> I think this is one security hole.
>
> I think we can use the replay cache mechanism in Kerberos to resolve the
> question, example below explaining:
>
> The possibility exists for an impostor to simultaneously steal both the
> ticket and the authenticator and use them during the 2 minutes the
> authenticator is valid. This is very difficult but not impossible. To solve
> this problem with Kerberos 5, Replay Cache has been introduced. In
> application servers (but also in TGS), there exists the capacity to
> remember authenticators which have arrived within the last 2 minutes, and
> to reject them if they are replicas. With this the problem is resolved as
> long as the impostor is not smart enough to copy the ticket and
> authenticator and make them arrive at the application server before the
> legitimate request arrives. This really would be a hoax, since the
> authentic user would be rejected while the impostor would have access to
> the service.
>
>
> Thanks,
>
> LiuLei
>

Reply via email to