[ https://issues.apache.org/jira/browse/KUDU-1843?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15905758#comment-15905758 ]
Dan Burkert commented on KUDU-1843:
-----------------------------------
I continue to be worried about requiring client IDs to be unguessable for
security reasons. We haven't treated client IDs as sensitive information, and
we would need to begin doing that.
> Client UUIDs should be cryptographically random
> -----------------------------------------------
>
> Key: KUDU-1843
> URL: https://issues.apache.org/jira/browse/KUDU-1843
> Project: Kudu
> Issue Type: Improvement
> Components: security
> Affects Versions: 1.3.0
> Reporter: Todd Lipcon
> Assignee: Todd Lipcon
> Priority: Critical
>
> Currently we use boost::uuid's default random generator, which is not
> cryptographically random. This may increase the ease with which an attacker
> could guess another client's client ID, which would potentially allow them to
> perform DoS or try to steal the results of RPCs from the result cache.
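The distinction the issue description draws, shown as an added example that is not Kudu's code or part of the original message: a version-4 UUID filled from a general-purpose PRNG is reproducible by anyone who knows the seed, while one filled from the OS CSPRNG is not. The function names are hypothetical, `std::mt19937` stands in for a non-cryptographic generator, and the hardened form assumes a POSIX system with `/dev/urandom`.

```cpp
#include <array>
#include <cstdint>
#include <cstdio>
#include <fstream>
#include <random>
#include <stdexcept>
#include <string>

using Uuid = std::array<uint8_t, 16>;

// Stamp the RFC 4122 version-4 and variant bits; the other 122 bits stay random.
static void StampV4(Uuid& u) {
  u[6] = (u[6] & 0x0F) | 0x40;
  u[8] = (u[8] & 0x3F) | 0x80;
}

// Weak form (hypothetical name): every byte comes from a Mersenne Twister,
// so anyone who learns or guesses the seed reproduces the same client ID.
Uuid WeakClientId(uint32_t seed) {
  std::mt19937 prng(seed);
  Uuid u;
  for (auto& b : u) b = static_cast<uint8_t>(prng());
  StampV4(u);
  return u;
}

// Hardened form (hypothetical name): all 16 bytes come from the kernel CSPRNG,
// and a short read is a hard error rather than a fallback to weaker randomness.
Uuid SecureClientId() {
  std::ifstream urandom("/dev/urandom", std::ios::binary);
  Uuid u;
  if (!urandom.read(reinterpret_cast<char*>(u.data()), u.size()))
    throw std::runtime_error("could not read 16 bytes from /dev/urandom");
  StampV4(u);
  return u;
}

// Canonical 8-4-4-4-12 lowercase hex form.
std::string ToString(const Uuid& u) {
  char buf[37];
  std::snprintf(buf, sizeof buf,
      "%02x%02x%02x%02x-%02x%02x-%02x%02x-%02x%02x-%02x%02x%02x%02x%02x%02x",
      u[0], u[1], u[2], u[3], u[4], u[5], u[6], u[7],
      u[8], u[9], u[10], u[11], u[12], u[13], u[14], u[15]);
  return buf;
}

int main() {
  std::printf("weak (seed 42): %s\n", ToString(WeakClientId(42)).c_str());
  std::printf("secure        : %s\n", ToString(SecureClientId()).c_str());
}
```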