Arshad Mohammad commented on ZOOKEEPER-2585:

# This is not a problem, this is the expected behavior
# auth ACL scheme adds ACLs for authorized ids in the session. auth ACL scheme 
means add ACLs for authorized ids. In your case there were two authorized ids 
when you executed {{setAcl /test_auth auth:u1:p1:crdwa}}
'x509,'CN=locahost%2COU=CS%2CO=HUAWEI%2CL=Shenzhen%2CST=Guangdong%2CC=CHINA and
So the ACLs are added for these two ids.
# In the {{setAcl /test_auth auth:u1:p1:crdwa}} command, u1:p1 are meaningless and 
are completely ignored. I don't know why these are mandatory to pass from CLI. 
Maybe you can raise a JIRA for this.
# When you logged in after quit, the 
'x509,'CN=locahost%2COU=CS%2CO=HUAWEI%2CL=Shenzhen%2CST=Guangdong%2CC=CHINA got 
added as authorized id again. Because this id has all the permissions on the 
/test_auth node, you are able to perform all the operations.

> ACL with SSL is not working
> ---------------------------
>                 Key: ZOOKEEPER-2585
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2585
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: server
>    Affects Versions: 3.5.1
>            Reporter: Rakesh Kumar Singh
>            Priority: Critical
> Set ACL with SSL is not working
> Steps to reproduce:-
> 1. Start zookeeper in ssl mode in standalone
> 2. Connect zookeeper from zookeeper client (using zkCli.sh)
> 3. add auth and set ACL as below and then quit the client :-
> [zk: localhost:2181(CONNECTED) 0] addauth digest u1:p1
> [zk: localhost:2181(CONNECTED) 1] create /test_auth hello
> Created /test_auth
> [zk: localhost:2181(CONNECTED) 2] setAcl /test_auth auth:u1:p1:crdwa
> [zk: localhost:2181(CONNECTED) 3] get /test_auth
> hello
> [zk: localhost:2181(CONNECTED) 4] quit
> 4. Connect again zookeeper from zookeeper client (using zkCli.sh)
> 5. Try to access the znode, try to set the data and so on, everything is 
> allowed
> [zk: localhost:2181(CONNECTED) 2] set /test_auth hello1
> [zk: localhost:2181(CONNECTED) 3] get /test_auth
> hello1
> [zk: localhost:2181(CONNECTED) 1] getAcl /test_auth
> 'x509,'CN=locahost%2COU=CS%2CO=HUAWEI%2CL=Shenzhen%2CST=Guangdong%2CC=CHINA
> : cdrwa
> 'digest,'u1:fpT/y03U+EjItKZOSLGvjnJlyng=
> : cdrwa
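
The behaviour explained in the comment above, as a simplified Python model added here for illustration; it is not ZooKeeper code and not part of the original thread. The function names, the certificate DN and the two sessions are constructed, and treating only digest and x509 ids as authenticated (the implicit ip id is not) is an assumption of the model.

```python
import base64
import hashlib

# Assumption of this model: ids of these schemes count as authenticated; "ip" does not.
AUTHENTICATED_SCHEMES = {"digest", "x509"}

def digest_id(user, password):
    """Id added by `addauth digest user:password`: user:base64(sha1("user:password"))."""
    h = hashlib.sha1(f"{user}:{password}".encode()).digest()
    return ("digest", f"{user}:{base64.b64encode(h).decode()}")

def fixup_acl(requested, session_ids):
    """Expand every `auth` entry into one entry per authenticated id of the session.
    The text after `auth:` (u1:p1 in the report) is never looked at."""
    out = []
    for scheme, ident, perms in requested:
        if scheme != "auth":
            out.append((scheme, ident, perms))
            continue
        expanded = [(s, i, perms) for s, i in session_ids if s in AUTHENTICATED_SCHEMES]
        if not expanded:
            raise ValueError("InvalidACL: session has no authenticated id")
        out.extend(expanded)
    return out

def allowed(acl, session_ids, perm):
    """True if some ACL entry names one of the session's ids and grants perm."""
    return any((s, i) in session_ids and perm in p for s, i, p in acl)

# Constructed sessions: the TLS client certificate is an id in both of them.
CERT = ("x509", "CN=client.example,O=Example")  # constructed placeholder DN
first_session = [("ip", "127.0.0.1"), CERT, digest_id("u1", "p1")]
second_session = [("ip", "127.0.0.1"), CERT]  # reconnect without addauth

def demo():
    via_auth = fixup_acl([("auth", "u1:p1", "cdrwa")], first_session)
    # Explicit entry, as `setAcl /test_auth digest:u1:<hash>:cdrwa` would store it.
    explicit = fixup_acl([digest_id("u1", "p1") + ("cdrwa",)], first_session)
    return {
        "auth_entries": [s for s, _, _ in via_auth],
        "reconnect_write_auth": allowed(via_auth, second_session, "w"),
        "reconnect_write_explicit": allowed(explicit, second_session, "w"),
        "u1_write_explicit": allowed(explicit, first_session, "w"),
    }

if __name__ == "__main__":
    print(demo())
```

In the model, the `auth` entry stores both the x509 and the digest id, so the reconnecting session still has write access through its certificate; the explicit digest entry grants access to u1 only.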
