Zookeeper ACL
7.1 Shell 操作
zookeeper本身提供了ACL机制,表示为scheme: id:permissions,第一个字段表示采用哪一种机制,第二个id表示用户,permissions表示相关权限(如只读,读写,管理等)。
7.1 .1 scheme :id 介绍
world: 它下面只有一个id, 叫anyone, world:anyone代表任何人,zookeeper中对所有人有权限的结点就是属于world:anyone的auth: 它不需要id, 只要是通过authentication的user都有权限(zookeeper支持通过kerberos来进行authencation, 也支持username/password形式的authentication),使用auth来设置权限的时候,需要在zk里注册一个用户才可以digest: 它对应的id为username:BASE64(SHA1(password)),它需要先通过username:password形式的authenticationip: 它对应的id为客户机的IP地址,设置的时候可以设置一个ip段,比如ip:192.168.1.0/16, 表示匹配前16个bit的IP段super: 在这种scheme情况下,对应的id拥有超级权限,可以做任何事情(cdrwa)
7.1 .2 permissions
权限ACL简写描述
CREATEc可以创建子节点DELETEd可以删除子节点(仅下一级节点)READr可以读取节点数据及显示子节点列表WRITEw可以设置节点数据ADMINa可以设置节点访问控制列表权限
7.1.3 ACL Shell 命令
命令使用方式描述
getAclgetAcl
读取ACL权限setAclsetAcl
设置ACL权限addauthaddauth 添加认证用户
7.1.4 操作
World scheme
其实默认就是Word Scheme
语法
setAcl
<path
> world:anyone:
<acl
>
[zk: localhost:2181
(CONNECTED
) 61
] create /ba 1
Created /baizhiedu
[zk: localhost:2181
(CONNECTED
) 62
] getAcl /ba
'world,'anyone
: cdrwa
[zk: localhost:2181
(CONNECTED
) 64
] setAcl的方式设置相关权限 /ba world:anyone:cdrw
cZxid
= 0x1c631
ctime
= Tue Jul 09 08:37:06 CST 2019
mZxid
= 0x1c631
mtime
= Tue Jul 09 08:37:06 CST 2019
pZxid
= 0x1c631
cversion
= 0
dataVersion
= 0
aclVersion
= 1
ephemeralOwner
= 0x0
dataLength
= 1
numChildren
= 0
[zk: localhost:2181
(CONNECTED
) 67
] getAcl /ba
'world,'anyone
: cdrw
IP scheme
对于特定IP适用,其他没有设置过的IP没有相关权限
语法
setAcl <path> ip:<ip>:<acl>
[zk: localhost:2181
(CONNECTED
) 73
] setAcl /ba ip:192.168.123.111:cdrwa
cZxid
= 0x1c635
ctime
= Tue Jul 09 08:44:14 CST 2019
mZxid
= 0x1c635
mtime
= Tue Jul 09 08:44:14 CST 2019
pZxid
= 0x1c635
cversion
= 0
dataVersion
= 0
aclVersion
= 1
ephemeralOwner
= 0x0
dataLength
= 1
numChildren
= 0
[zk: localhost:2181
(CONNECTED
) 78
] getAcl /ba
'ip,'192.168.123.111
: cdrwa
[zk: localhost:2181
(CONNECTED
) 79
] get /ba
Authentication is not valid
: /ba
Auth scheme
语法
addauth digest <user>:<password> #添加认证用户
setAcl <path> auth:<user>:<acl>
[zk: localhost:2181
(CONNECTED
) 81
] addauth digest gjf:root
[zk: localhost:2181
(CONNECTED
) 82
] setAcl /baizhi03 auth:gjf:root
cZxid
= 0x1c637
ctime
= Tue Jul 09 08:47:00 CST 2019
mZxid
= 0x1c637
mtime
= Tue Jul 09 08:47:00 CST 2019
pZxid
= 0x1c637
cversion
= 0
dataVersion
= 0
aclVersion
= 1
ephemeralOwner
= 0x0
dataLength
= 1
numChildren
= 0
[zk: localhost:2181
(CONNECTED
) 95
] getAcl /ba03
'digest,'gjf:bbYGkKPfBgiZDzcwrmVylqDlXnI
=
: cdrwa
Digest scheme
语法
setAcl <path> digest:<user>:<password>:<acl>
计算密文
echo -n <user>:<password> | openssl dgst -binary -sha1 | openssl base64
[root@GuoJiafeng01 ~
]
bbYGkKPfBgiZDzcwrmVylqDlXnI
=
[zk: localhost:2181
(CONNECTED
) 98
] create /ba04 1
Created /ba04
[zk: localhost:2181
(CONNECTED
) 99
] setAcl /ba04 digest:gjf:bbYGkKPfBgiZDzcwrmVylqDlXnI
=:a
cZxid
= 0x1c641
ctime
= Tue Jul 09 08:59:18 CST 2019
mZxid
= 0x1c641
mtime
= Tue Jul 09 08:59:18 CST 2019
pZxid
= 0x1c641
cversion
= 0
dataVersion
= 0
aclVersion
= 1
ephemeralOwner
= 0x0
dataLength
= 1
numChildren
= 0
[zk: localhost:2181
(CONNECTED
) 100
] getAcl /ba04
'digest,'gjf:bbYGkKPfBgiZDzcwrmVylqDlXnI
=
: a
[zk: localhost:2181
(CONNECTED
) 101
] get /ba04
Authentication is not valid
: /ba04
[zk: localhost:2181
(CONNECTED
) 102
] addauth digest gjf:root
[zk: localhost:2181
(CONNECTED
) 107
] get /ba04
1
cZxid
= 0x1c641
ctime
= Tue Jul 09 08:59:18 CST 2019
mZxid
= 0x1c641
mtime
= Tue Jul 09 08:59:18 CST 2019
pZxid
= 0x1c641
cversion
= 0
dataVersion
= 0
aclVersion
= 2
ephemeralOwner
= 0x0
dataLength
= 1
numChildren
= 0
7.2 Java API
@Before
public void getClient() {
ACLProvider aclProvider
= new ACLProvider() {
private List
<ACL> acl
;
@Override
public List
<ACL> getDefaultAcl() {
if(acl
==null
){
ArrayList
<ACL> acl
= ZooDefs
.Ids
.CREATOR_ALL_ACL
;
acl
.clear();
acl
.add(new ACL(ZooDefs
.Perms
.ALL
, new Id("digest", "admin:123") ));
this.acl
= acl
;
}
return acl
;
}
@Override
public List
<ACL> getAclForPath(String path
) {
return null
;
}
};
ExponentialBackoffRetry backoffRetry
= new ExponentialBackoffRetry(1000, 1000);
curatorFramework
= CuratorFrameworkFactory
.newClient("192.168.134.99:2181", backoffRetry
);
this.curatorFramework
.start();
}
