[ https://issues.apache.org/jira/browse/ZOOKEEPER-2582?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15507546#comment-15507546 ]

Arshad Mohammad commented on ZOOKEEPER-2582:
--------------------------------------------

1. This is not a problem.
2. In the digest authentication scheme, the user alone is not the id. Both user and
password form the id, so user1:pass1 and user1:pass are two different ids.
3. Regarding "addauth digest user1:<any of the 2 passwords>, we can access the znode":
this is because both ids, user1:pass1 and user1:pass, are given permission.
This is done when you set the ACLs using the auth scheme. For details, refer to my
comment in ZOOKEEPER-2585.

> When addauth is run twice for the same user but different passwords, it adds 2
> digests corresponding to both username/password pairs, so we can access the
> znode with the user and any of these passwords, which does not seem to be correct
> --------------------------------------------------------------------------------
>
>                 Key: ZOOKEEPER-2582
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2582
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: server
>    Affects Versions: 3.5.1
>            Reporter: Rakesh Kumar Singh
>
> When addauth is run twice for the same user but different passwords, it adds 2
> digests corresponding to both username/password pairs, so we can access the
> znode with the user and any of these passwords, which does not seem to be correct
> Steps:
> [zk: localhost:2181(CONNECTED) 0] addauth digest user1:pass1
> [zk: localhost:2181(CONNECTED) 1] addauth digest user1:pass
> [zk: localhost:2181(CONNECTED) 9] create /user_test5 hello
> Created /user_test5
> [zk: localhost:2181(CONNECTED) 10] setAcl /user_test5 auth:user1:pass1:crdwa
> [zk: localhost:2181(CONNECTED) 11] getAcl /user_test5
> 'digest,'user1:+7K83PhyQ3ijGj0ADmljf0quVwQ=
> : cdrwa
> 'digest,'user1:UZIsvOKp29j8vAahJzjgpA1VTOk=
> : cdrwa
> Here we can see 2 entries for the same user (user1) with different passwords.
> Now disconnect the client and connect again using zkCli.sh.
> With addauth digest user1:<any of the 2 passwords>, we can access the znode.
> [zk: localhost:2181(CONNECTED) 0] get /user_test5
> Authentication is not valid : /user_test5
> [zk: localhost:2181(CONNECTED) 1] addauth digest user1:pass
> [zk: localhost:2181(CONNECTED) 2] get /user_test5
> hello
> In the same way, it will allow n entries if we addauth for the same user with n
> different passwords.
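To make the comment's point concrete, here is an added Python model (not ZooKeeper's own code) of how a digest id is formed and why `setAcl ... auth:...` produces one entry per id the session added with addauth. It assumes the digest id is `user:` followed by base64 of SHA-1 over the whole `user:password` string, which is the formula ZooKeeper's DigestAuthenticationProvider uses; the ACL model itself is a simplification for illustration.

```python
import base64
import hashlib


def generate_digest(id_password: str) -> str:
    """Build a ZooKeeper-style digest id: '<user>:' + base64(SHA-1(user:password)).

    Assumption: this mirrors DigestAuthenticationProvider.generateDigest. The hash
    covers the full 'user:password' string, so the password is part of the id.
    """
    user, _, _ = id_password.partition(":")
    sha1 = hashlib.sha1(id_password.encode("utf-8")).digest()
    return f"{user}:{base64.b64encode(sha1).decode('ascii')}"


def expand_auth_acl(session_ids, perms="cdrwa"):
    """Model of 'setAcl <path> auth:...': the auth scheme is expanded to one digest
    entry per id the current session added with addauth. Two addauth calls for
    user1 with different passwords therefore yield two distinct entries."""
    return [("digest", generate_digest(i), perms) for i in session_ids]


def has_access(acl, session_ids):
    """A later session is granted if any id it added via addauth matches an entry.
    A session that only knows user1 with an unknown password matches nothing."""
    digests = {generate_digest(i) for i in session_ids}
    return any(scheme == "digest" and ident in digests for scheme, ident, _ in acl)


if __name__ == "__main__":
    # Constructed sample session mirroring the steps in the issue report.
    acl = expand_auth_acl(["user1:pass1", "user1:pass"])
    for entry in acl:
        print(entry)                            # two digest entries for user1
    print(has_access(acl, ["user1:pass"]))      # True: that id was granted
    print(has_access(acl, ["user1:other"]))     # False: a different id
```

Because the password is hashed into the id, two entries for the same user name are two separate principals, and only sessions presenting one of the exact granted user:password pairs pass the check.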



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
