Posted to issues@kudu.apache.org by "Todd Lipcon (JIRA)" <ji...@apache.org> on 2017/03/10 20:25:04 UTC

[jira] [Commented] (KUDU-1843) Client UUIDs should be cryptographically random

    [ https://issues.apache.org/jira/browse/KUDU-1843?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15905649#comment-15905649 ] 

Todd Lipcon commented on KUDU-1843:
-----------------------------------

Caching the original username turns out to be a little tricky, since the WAL doesn't record the original username, and thus when reconstructing the request cache during tablet bootstrap we don't have enough information to do so. I think making the UUIDs unpredictable is probably a better approach.

> Client UUIDs should be cryptographically random
> -----------------------------------------------
>
>                 Key: KUDU-1843
>                 URL: https://issues.apache.org/jira/browse/KUDU-1843
>             Project: Kudu
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 1.3.0
>            Reporter: Todd Lipcon
>            Assignee: Todd Lipcon
>            Priority: Critical
>
> Currently we use boost::uuid's default random generator, which is not cryptographically random. This may increase the ease with which an attacker could guess another client's client ID, which would potentially allow them to perform DoS or try to steal the results of RPCs from the result cache.



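The difference the issue describes, as an added C++ example that is not from the issue or the Kudu code base: a version-4 UUID client ID drawn from the kernel CSPRNG, beside one drawn from a deterministic PRNG whose output repeats for a known seed. The helper names, the use of `/dev/urandom`, the constructed seed, and `std::mt19937` as a stand-in for a non-cryptographic generator are all assumptions made for illustration.

```cpp
#include <array>
#include <cstddef>
#include <cstdio>
#include <fstream>
#include <random>
#include <stdexcept>
#include <string>

using Bytes16 = std::array<unsigned char, 16>;

// Set the RFC 4122 version (4) and variant bits, then render as 8-4-4-4-12 hex.
std::string FormatUuidV4(Bytes16 b) {
  b[6] = (b[6] & 0x0F) | 0x40;
  b[8] = (b[8] & 0x3F) | 0x80;
  static const char* kHex = "0123456789abcdef";
  std::string out;
  for (std::size_t i = 0; i < b.size(); ++i) {
    if (i == 4 || i == 6 || i == 8 || i == 10) out += '-';
    out += kHex[b[i] >> 4];
    out += kHex[b[i] & 0x0F];
  }
  return out;
}

// Hypothetical helper: 122 random bits from the kernel CSPRNG.
// Fails closed: throws instead of falling back to a weaker source.
std::string SecureClientId() {
  Bytes16 b{};
  std::ifstream urandom("/dev/urandom", std::ios::in | std::ios::binary);
  if (!urandom.read(reinterpret_cast<char*>(b.data()), b.size()))
    throw std::runtime_error("cannot read /dev/urandom");
  return FormatUuidV4(b);
}

// Contrast case: a general-purpose PRNG. Its output is a pure function of
// its internal state, so equal state yields equal client IDs.
std::string PrngClientId(std::mt19937& rng) {
  Bytes16 b{};
  for (auto& byte : b) byte = static_cast<unsigned char>(rng() & 0xFF);
  return FormatUuidV4(b);
}

int main() {
  std::mt19937 first(12345), second(12345);  // constructed seed
  std::printf("prng   %s\n", PrngClientId(first).c_str());
  std::printf("prng   %s\n", PrngClientId(second).c_str());  // same as above
  std::printf("secure %s\n", SecureClientId().c_str());
  return 0;
}
```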