Rakesh Kumar Singh created ZOOKEEPER-2582:
---------------------------------------------
Summary: When addauth twice for same user but different password,
it is adding 2 digest corresponding to both username, password and so we can
able to access znode with user and any of these password which does not seem to
be correct
Key: ZOOKEEPER-2582
URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2582
Project: ZooKeeper
Issue Type: Bug
Components: server
Affects Versions: 3.5.1
Reporter: Rakesh Kumar Singh
When addauth twice for same user but different password, it is adding 2 digest
corresponding to both username, password and so we can able to access znode
with user and any of these password which does not seem to be correct
Steps:-
[zk: localhost:2181(CONNECTED) 0] addauth digest user1:pass1
[zk: localhost:2181(CONNECTED) 1] addauth digest user1:pass
[zk: localhost:2181(CONNECTED) 9] create /user_test5 hello
Created /user_test5
[zk: localhost:2181(CONNECTED) 10] setAcl /user_test5 auth:user1:pass1:crdwa
[zk: localhost:2181(CONNECTED) 11] getAcl /user_test5
'digest,'user1:+7K83PhyQ3ijGj0ADmljf0quVwQ=
: cdrwa
'digest,'user1:UZIsvOKp29j8vAahJzjgpA1VTOk=
: cdrwa
Here we can see 2 entries for same user (user1) with different password
Now disconnect the client and connect again using zkCli.sh
addauth digest user1:<any of 2 password>, we can able to access the znode.
[zk: localhost:2181(CONNECTED) 0] get /user_test5
Authentication is not valid : /user_test5
[zk: localhost:2181(CONNECTED) 1] addauth digest user1:pass
[zk: localhost:2181(CONNECTED) 2] get /user_test5
hello
Same way, it will allow n number of entry if we addauth for same user with n
number of password
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
