[ https://issues.apache.org/jira/browse/ZOOKEEPER-2582?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15490467#comment-15490467 ]
Rakesh Kumar Singh commented on ZOOKEEPER-2582:
-----------------------------------------------

It should override from later addauth details

> When addauth twice for same user but different password, it is adding 2 digests corresponding to both username, password and so we are able to access znode with user and any of these passwords which does not seem to be correct
> ------------------------------------------------------------------------
>
>                 Key: ZOOKEEPER-2582
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2582
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: server
>    Affects Versions: 3.5.1
>            Reporter: Rakesh Kumar Singh
>
> When addauth twice for same user but different password, it is adding 2
> digests corresponding to both username, password and so we are able to access
> znode with user and any of these passwords which does not seem to be correct
> Steps:-
> [zk: localhost:2181(CONNECTED) 0] addauth digest user1:pass1
> [zk: localhost:2181(CONNECTED) 1] addauth digest user1:pass
> [zk: localhost:2181(CONNECTED) 9] create /user_test5 hello
> Created /user_test5
> [zk: localhost:2181(CONNECTED) 10] setAcl /user_test5 auth:user1:pass1:crdwa
> [zk: localhost:2181(CONNECTED) 11] getAcl /user_test5
> 'digest,'user1:+7K83PhyQ3ijGj0ADmljf0quVwQ=
> : cdrwa
> 'digest,'user1:UZIsvOKp29j8vAahJzjgpA1VTOk=
> : cdrwa
> Here we can see 2 entries for the same user (user1) with different passwords.
> Now disconnect the client and connect again using zkCli.sh.
> addauth digest user1:<any of the 2 passwords>, we are able to access the znode.
> [zk: localhost:2181(CONNECTED) 0] get /user_test5
> Authentication is not valid : /user_test5
> [zk: localhost:2181(CONNECTED) 1] addauth digest user1:pass
> [zk: localhost:2181(CONNECTED) 2] get /user_test5
> hello
> Same way, it will allow n number of entries if we addauth for the same user with n
> number of passwords

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
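
The behaviour reported above, as an added example that is not part of the original message and is not ZooKeeper's own code: a simplified Python model of a session's digest auth ids and of a `setAcl` with the `auth` scheme expanding to one ACL entry per id. `Session`, `expand_auth_acl`, `can_access`, `demo` and the `replace_same_user` switch (the override behaviour the comment asks for) are hypothetical names; only the digest id format `user:base64(sha1("user:password"))` follows ZooKeeper's digest scheme.

```python
import base64
import hashlib

def generate_digest(id_password: str) -> str:
    """Digest id in ZooKeeper's format: user:base64(sha1("user:password"))."""
    user = id_password.split(":", 1)[0]
    raw = hashlib.sha1(id_password.encode("utf-8")).digest()
    return f"{user}:{base64.b64encode(raw).decode('ascii')}"

class Session:
    """Hypothetical model of the digest auth ids held by one client session."""
    def __init__(self, replace_same_user: bool = False):
        self.auth_ids = []
        self.replace_same_user = replace_same_user

    def addauth(self, id_password: str) -> None:
        digest = generate_digest(id_password)
        user = digest.split(":", 1)[0]
        if self.replace_same_user:
            # Assumed alternative: a later addauth for the same user overrides.
            self.auth_ids = [d for d in self.auth_ids
                             if d.split(":", 1)[0] != user]
        if digest not in self.auth_ids:
            self.auth_ids.append(digest)

def expand_auth_acl(session: Session, perms: str):
    """setAcl with scheme 'auth': one digest entry per id on the session."""
    return [("digest", d, perms) for d in session.auth_ids]

def can_access(acl, session: Session) -> bool:
    """Access is granted if any ACL entry matches any id on the session."""
    ids = set(session.auth_ids)
    return any(s == "digest" and ident in ids for s, ident, _ in acl)

def demo(replace_same_user: bool):
    """Replay the reported steps with constructed credentials."""
    writer = Session(replace_same_user)
    writer.addauth("user1:pass1")
    writer.addauth("user1:pass")
    acl = expand_auth_acl(writer, "cdrwa")
    results = {}
    for pw in ("pass1", "pass", "wrong"):
        reader = Session()  # fresh connection, as after reconnecting zkCli.sh
        reader.addauth(f"user1:{pw}")
        results[pw] = can_access(acl, reader)
    return acl, results

if __name__ == "__main__":
    for mode in (False, True):
        print(mode, demo(mode))
```

With `replace_same_user=False` the ACL carries two `user1` entries and either password opens the znode; with the override switch on, only the password from the last `addauth` does.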