Posted to dev@zookeeper.apache.org by "Rakesh Kumar Singh (JIRA)" <ji...@apache.org> on 2016/09/14 13:39:20 UTC
[jira] [Created] (ZOOKEEPER-2582) When addauth is run twice for the same user but with different passwords, it adds 2 digests corresponding to both username/password pairs, and so we are able to access the znode with the user and any of these passwords, which does not seem to be correct
Rakesh Kumar Singh created ZOOKEEPER-2582:
---------------------------------------------
Summary: When addauth is run twice for the same user but with different passwords, it adds 2 digests corresponding to both username/password pairs, and so we are able to access the znode with the user and any of these passwords, which does not seem to be correct
Key: ZOOKEEPER-2582
URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2582
Project: ZooKeeper
Issue Type: Bug
Components: server
Affects Versions: 3.5.1
Reporter: Rakesh Kumar Singh
When addauth is run twice for the same user but with different passwords, it adds 2 digests corresponding to both username/password pairs, and so we are able to access the znode with the user and any of these passwords, which does not seem to be correct.
Steps:
[zk: localhost:2181(CONNECTED) 0] addauth digest user1:pass1
[zk: localhost:2181(CONNECTED) 1] addauth digest user1:pass
[zk: localhost:2181(CONNECTED) 9] create /user_test5 hello
Created /user_test5
[zk: localhost:2181(CONNECTED) 10] setAcl /user_test5 auth:user1:pass1:crdwa
[zk: localhost:2181(CONNECTED) 11] getAcl /user_test5
'digest,'user1:+7K83PhyQ3ijGj0ADmljf0quVwQ=
: cdrwa
'digest,'user1:UZIsvOKp29j8vAahJzjgpA1VTOk=
: cdrwa
Here we can see 2 entries for the same user (user1) with different passwords.
Now disconnect the client and connect again using zkCli.sh.
With addauth digest user1:<any of the 2 passwords>, we are able to access the znode.
[zk: localhost:2181(CONNECTED) 0] get /user_test5
Authentication is not valid : /user_test5
[zk: localhost:2181(CONNECTED) 1] addauth digest user1:pass
[zk: localhost:2181(CONNECTED) 2] get /user_test5
hello
In the same way, it will allow n entries if we addauth for the same user with n passwords.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
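As an added audit check (not part of the report or of ZooKeeper's own code), the script below computes the id ZooKeeper's digest scheme derives from user:password, parses the two-line entry layout that zkCli's getAcl prints, and flags any user that carries more than one digest entry, which is the condition the report shows. The sample input is the getAcl output quoted in the report; the "intended password" used at the end is an assumption for the demonstration.

```python
import base64
import hashlib
import re
from collections import defaultdict


def digest_id(user: str, password: str) -> str:
    """ZooKeeper's digest-scheme id: user:base64(sha1("user:password"))."""
    sha = hashlib.sha1(f"{user}:{password}".encode("utf-8")).digest()
    return f"{user}:{base64.b64encode(sha).decode('ascii')}"


# zkCli prints each ACL entry on two lines:  'scheme,'id   then   : perms
ENTRY_RE = re.compile(r"^'(?P<scheme>[^,]+),'(?P<id>.+)$")


def parse_getacl(output: str):
    """Return a list of (scheme, id, perms) tuples from zkCli getAcl output."""
    lines = [ln.strip() for ln in output.splitlines() if ln.strip()]
    entries = []
    for i in range(0, len(lines) - 1, 2):
        m = ENTRY_RE.match(lines[i])
        perms = lines[i + 1]
        if not m or not perms.startswith(":"):
            raise ValueError(f"unexpected getAcl lines: {lines[i]!r} / {perms!r}")
        entries.append((m["scheme"], m["id"], perms[1:].strip()))
    return entries


def digest_users_with_multiple_ids(entries):
    """Map user -> digest ids, restricted to users with more than one digest entry."""
    by_user = defaultdict(list)
    for scheme, ident, _perms in entries:
        if scheme == "digest":
            by_user[ident.partition(":")[0]].append(ident)
    return {u: ids for u, ids in by_user.items() if len(ids) > 1}


# Constructed sample: the getAcl output quoted in the report above.
SAMPLE = """
'digest,'user1:+7K83PhyQ3ijGj0ADmljf0quVwQ=
: cdrwa
'digest,'user1:UZIsvOKp29j8vAahJzjgpA1VTOk=
: cdrwa
"""

if __name__ == "__main__":
    entries = parse_getacl(SAMPLE)
    intended = digest_id("user1", "pass1")  # assumed: the password the operator meant to grant
    for user, ids in digest_users_with_multiple_ids(entries).items():
        extra = [i for i in ids if i != intended]
        print(f"{user}: {len(ids)} digest entries; not derived from the intended password: {extra}")
```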