Block access token is only valid for a short period of time, as the NN/DN shared secrets are rolled periodically. As long as you cannot steal block token easily (besides using zero-day bugs), there is really no security hole here (by design). If you know of a way to steal block tokens without root access, let us know.
On Tue, Nov 12, 2013 at 7:30 PM, lei liu <liulei...@gmail.com> wrote: > When client read block from DataNode, the block access token is used for > authorization on DataNode. But if the block access token is stolen by > impostor, the impostor can read the block, > I think this is one security hole. > > I think we can use the replay cache mechanism in Kerberos to resolve the > question, example below explaining: > > The possibility exists for an impostor to simultaneously steal both the > ticket and the authenticator and use them during the 2 minutes the > authenticator is valid. This is very difficult but not impossible. To solve > this problem with Kerberos 5, Replay Cache has been introduced. In > application servers (but also in TGS), there exists the capacity to > remember authenticators which have arrived within the last 2 minutes, and > to reject them if they are replicas. With this the problem is resolved as > long as the impostor is not smart enough to copy the ticket and > authenticator and make them arrive at the application server before the > legitimate request arrives. This really would be a hoax, since the > authentic user would be rejected while the impostor would have access to > the service. > > > Thanks, > > LiuLei >