You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@kudu.apache.org by "Todd Lipcon (JIRA)" <ji...@apache.org> on 2017/03/09 22:48:37 UTC

[jira] [Created] (KUDU-1918) Prevent hijacking of scanners by other users

Todd Lipcon created KUDU-1918:
---------------------------------

             Summary: Prevent hijacking of scanners by other users
                 Key: KUDU-1918
                 URL: https://issues.apache.org/jira/browse/KUDU-1918
             Project: Kudu
          Issue Type: Improvement
          Components: security, tserver
    Affects Versions: 1.3.0
            Reporter: Todd Lipcon


Currently the UUIDs used for scanner IDs are using boost::uuid, which doesn't necessarily use a secure random source. If these turn out to be predictable, some attack around scanner hijacking might be possible. We should use an unpredictable source for scanner IDs, or save the original authenticated user in the Scanner and ensure that the authentication does not switch mid-scan.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)