[
https://issues.apache.org/jira/browse/KUDU-1843?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15927187#comment-15927187
]
Todd Lipcon commented on KUDU-1843:
-----------------------------------
The username isn't part of RequestIdPB. We could duplicate it there, but then
we'll need one more layer of verification to make sure a client's claimed
username matches the RequestId username. Plus it wastes more space on the wire,
WAL, etc (not a big deal, more concerned about code complexity).
Do we log client IDs anywhere?
> Client UUIDs should be cryptographically random
> -----------------------------------------------
>
> Key: KUDU-1843
> URL: https://issues.apache.org/jira/browse/KUDU-1843
> Project: Kudu
> Issue Type: Improvement
> Components: security
> Affects Versions: 1.3.0
> Reporter: Todd Lipcon
> Assignee: Todd Lipcon
> Priority: Critical
>
> Currently we use boost::uuid's default random generator, which is not
> cryptographically random. This may increase the ease with which an attacker
> could guess another client's client ID, which would potentially allow them to
> perform DoS or try to steal the results of RPCs from the result cache.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
