[ https://issues.apache.org/jira/browse/ZOOKEEPER-2585?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15507488#comment-15507488 ]
Arshad Mohammad commented on ZOOKEEPER-2585:
--------------------------------------------

# This is not a problem, this is the expected behavior
# auth ACL scheme adds ACLs for authorized ids in the session. auth ACL scheme means add ACLs for authorized ids. In your case there were two authorized ids when you executed {{setAcl /test_auth auth:u1:p1:crdwa}}
'x509,'CN=locahost%2COU=CS%2CO=HUAWEI%2CL=Shenzhen%2CST=Guangdong%2CC=CHINA
and
digest,'u1:fpT/y03U+EjItKZOSLGvjnJlyng=
So the ACLs are added for these two ids.
# In {{setAcl /test_auth auth:u1:p1:crdwa}} command u1:p1 are meaningless and are completely ignored. I don't know why these are mandatory to pass from CLI. Maybe you can raise JIRA for this.
# When you logged in after quit, the 'x509,'CN=locahost%2COU=CS%2CO=HUAWEI%2CL=Shenzhen%2CST=Guangdong%2CC=CHINA got added as authorized id again. Because this id has all the permissions on /test_auth node, you are able to perform all the operations.

> ACL with SSL is not working
> ---------------------------
>
> Key: ZOOKEEPER-2585
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2585
> Project: ZooKeeper
> Issue Type: Bug
> Components: server
> Affects Versions: 3.5.1
> Reporter: Rakesh Kumar Singh
> Priority: Critical
>
> Set ACL with SSL is not working
> Steps to reproduce:-
> 1. Start zookeeper in ssl mode in standalone
> 2. Connect zookeeper from zookeeper client (using zkCli.sh)
> 3. add auth and set ACL as below and then quit the client :-
> [zk: localhost:2181(CONNECTED) 0] addauth digest u1:p1
> [zk: localhost:2181(CONNECTED) 1] create /test_auth hello
> Created /test_auth
> [zk: localhost:2181(CONNECTED) 2] setAcl /test_auth auth:u1:p1:crdwa
> [zk: localhost:2181(CONNECTED) 3] get /test_auth
> hello
> [zk: localhost:2181(CONNECTED) 4] quit
> 4. Connect again zookeeper from zookeeper client (using zkCli.sh)
> 5. Try to access the znode, try to set the data and so on, everything is allowed
> [zk: localhost:2181(CONNECTED) 2] set /test_auth hello1
> [zk: localhost:2181(CONNECTED) 3] get /test_auth
> hello1
> [zk: localhost:2181(CONNECTED) 1] getAcl /test_auth
> 'x509,'CN=locahost%2COU=CS%2CO=HUAWEI%2CL=Shenzhen%2CST=Guangdong%2CC=CHINA
> : cdrwa
> 'digest,'u1:fpT/y03U+EjItKZOSLGvjnJlyng=
> : cdrwa

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
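
Added example, not part of the JIRA thread and not ZooKeeper's own code: a simplified Python model of the behaviour the comment above describes, in which an `auth` ACL expands to every authenticated id in the session, compared with an explicit `digest` ACL that names only u1. The function names, the session lists and the 127.0.0.1 ip id are assumptions made for illustration.

```python
import base64
import hashlib

# Schemes whose session ids are copied into the ACL when "auth" is expanded.
# Simplified assumption: the ip id every session carries is not expanded.
EXPANDABLE = {"digest", "x509"}

def digest_id(user, password):
    """Id produced by 'addauth digest user:password': user:base64(sha1("user:password"))."""
    raw = hashlib.sha1(f"{user}:{password}".encode()).digest()
    return f"{user}:{base64.b64encode(raw).decode()}"

def expand_acl(requested, session_ids):
    """Model of setAcl: an 'auth' entry becomes one entry per authenticated
    session id; whatever was typed after 'auth:' is ignored."""
    stored = []
    for scheme, ident, perms in requested:
        if scheme == "auth":
            stored += [(s, i, perms) for s, i in session_ids if s in EXPANDABLE]
        else:
            stored.append((scheme, ident, perms))
    return stored

def allowed(stored, session_ids, perm):
    """A request passes if any stored entry names one of the session's ids."""
    return any((s, i) in session_ids and perm in perms for s, i, perms in stored)

# Constructed sessions. The x509 id is the one shown in the getAcl output above.
X509 = ("x509", "CN=locahost%2COU=CS%2CO=HUAWEI%2CL=Shenzhen%2CST=Guangdong%2CC=CHINA")
IP = ("ip", "127.0.0.1")
U1 = ("digest", digest_id("u1", "p1"))
first_session = [IP, X509, U1]   # TLS client certificate plus addauth digest u1:p1
second_session = [IP, X509]      # reconnect over TLS, no addauth

def demo():
    via_auth = expand_acl([("auth", "u1:p1", "cdrwa")], first_session)
    via_digest = expand_acl([("digest", U1[1], "cdrwa")], first_session)
    return {
        "auth_entries": [s for s, _, _ in via_auth],
        "auth_reconnect_write": allowed(via_auth, second_session, "w"),
        "digest_reconnect_write": allowed(via_digest, second_session, "w"),
        "digest_after_addauth_write": allowed(via_digest, second_session + [U1], "w"),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

To restrict the znode to u1 alone on a TLS-authenticated connection, the ACL has to name the digest id explicitly, in the form `setAcl /test_auth digest:u1:<base64 sha1>:cdrwa`, rather than using `auth`.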