Thanks Luke for your reply. The life time of block access token is ten hours, whether we should change two minutes? I think the shorter the life time of the token, token less likely to be stolen.
2013/11/14 Luke Lu <l...@apache.org> > Block access token is only valid for a short period of time, as the NN/DN > shared secrets are rolled periodically. As long as you cannot steal block > token easily (besides using zero-day bugs), there is really no security > hole here (by design). If you know of a way to steal block tokens without > root access, let us know. > > > On Tue, Nov 12, 2013 at 7:30 PM, lei liu <liulei...@gmail.com> wrote: > > > When client read block from DataNode, the block access token is used for > > authorization on DataNode. But if the block access token is stolen by > > impostor, the impostor can read the block, > > I think this is one security hole. > > > > I think we can use the replay cache mechanism in Kerberos to resolve the > > question, example below explaining: > > > > The possibility exists for an impostor to simultaneously steal both the > > ticket and the authenticator and use them during the 2 minutes the > > authenticator is valid. This is very difficult but not impossible. To > solve > > this problem with Kerberos 5, Replay Cache has been introduced. In > > application servers (but also in TGS), there exists the capacity to > > remember authenticators which have arrived within the last 2 minutes, and > > to reject them if they are replicas. With this the problem is resolved as > > long as the impostor is not smart enough to copy the ticket and > > authenticator and make them arrive at the application server before the > > legitimate request arrives. This really would be a hoax, since the > > authentic user would be rejected while the impostor would have access to > > the service. > > > > > > Thanks, > > > > LiuLei > > >