[
https://issues.apache.org/jira/browse/KUDU-1843?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15905649#comment-15905649
]
Todd Lipcon commented on KUDU-1843:
-----------------------------------
Caching the original username turns out to be a little tricky, since the WAL
doesn't record the original username, and thus when reconstructing the request
cache during tablet bootstrap we don't have enough information to do so. I
think making the UUIDs unpredictable is probably a better approach.
> Client UUIDs should be cryptographically random
> -----------------------------------------------
>
> Key: KUDU-1843
> URL: https://issues.apache.org/jira/browse/KUDU-1843
> Project: Kudu
> Issue Type: Improvement
> Components: security
> Affects Versions: 1.3.0
> Reporter: Todd Lipcon
> Assignee: Todd Lipcon
> Priority: Critical
>
> Currently we use boost::uuid's default random generator, which is not
> cryptographically random. This may increase the ease with which an attacker
> could guess another client's client ID, which would potentially allow them to
> perform DoS or try to steal the results of RPCs from the result cache.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
