Details
-
Bug
-
Status: Open
-
Major
-
Resolution: Unresolved
-
3.5.1
-
None
-
None
Description
When addauth twice for same user but different password, it is adding 2 digest corresponding to both username, password and so we can able to access znode with user and any of these password which does not seem to be correct
Steps:-
[zk: localhost:2181(CONNECTED) 0] addauth digest user1:pass1
[zk: localhost:2181(CONNECTED) 1] addauth digest user1:pass
[zk: localhost:2181(CONNECTED) 9] create /user_test5 hello
Created /user_test5
[zk: localhost:2181(CONNECTED) 10] setAcl /user_test5 auth:user1:pass1:crdwa
[zk: localhost:2181(CONNECTED) 11] getAcl /user_test5
'digest,'user1:+7K83PhyQ3ijGj0ADmljf0quVwQ=
: cdrwa
'digest,'user1:UZIsvOKp29j8vAahJzjgpA1VTOk=
: cdrwa
Here we can see 2 entries for same user (user1) with different password
Now disconnect the client and connect again using zkCli.sh
addauth digest user1:<any of 2 password>, we can able to access the znode.
[zk: localhost:2181(CONNECTED) 0] get /user_test5
Authentication is not valid : /user_test5
[zk: localhost:2181(CONNECTED) 1] addauth digest user1:pass
[zk: localhost:2181(CONNECTED) 2] get /user_test5
hello
Same way, it will allow n number of entry if we addauth for same user with n number of password