[jira] [Commented] (ZOOKEEPER-2582) When addauth twice for same user but different password, it is adding 2 digest corresponding to both username, password and so we can able to access znode with user and any of these password which does not seem to be correct

Wed, 14 Sep 2016 06:41:14 -0700 

    [ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2582?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15490467#comment-15490467
 ] 

Rakesh Kumar Singh commented on ZOOKEEPER-2582:
-----------------------------------------------

It should override from later addauth details

> When addauth twice for same user but different password, it is adding 2 
> digest corresponding to both username, password and so we can able to access 
> znode with user and any of these password which does not seem to be correct
> --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: ZOOKEEPER-2582
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2582
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: server
>    Affects Versions: 3.5.1
>            Reporter: Rakesh Kumar Singh
>
> When addauth twice for same user but different password, it is adding 2 
> digest corresponding to both username, password and so we can able to access 
> znode with user and any of these password which does not seem to be correct
> Steps:-
> [zk: localhost:2181(CONNECTED) 0] addauth digest user1:pass1
> [zk: localhost:2181(CONNECTED) 1] addauth digest user1:pass
> [zk: localhost:2181(CONNECTED) 9] create /user_test5 hello
> Created /user_test5
> [zk: localhost:2181(CONNECTED) 10] setAcl /user_test5 auth:user1:pass1:crdwa
> [zk: localhost:2181(CONNECTED) 11] getAcl /user_test5
> 'digest,'user1:+7K83PhyQ3ijGj0ADmljf0quVwQ=
> : cdrwa
> 'digest,'user1:UZIsvOKp29j8vAahJzjgpA1VTOk=
> : cdrwa
> Here we can see 2 entries for same user (user1) with different password
> Now disconnect the client and connect again using zkCli.sh
> addauth digest user1:<any of 2 password>, we can able to access the znode.
> [zk: localhost:2181(CONNECTED) 0] get /user_test5
> Authentication is not valid : /user_test5
> [zk: localhost:2181(CONNECTED) 1] addauth digest user1:pass
> [zk: localhost:2181(CONNECTED) 2] get /user_test5
> hello
> Same way, it will allow n number of entry if we addauth for same user with n 
> number of password



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Reply via email to