ZooKeeper ACL Permissions

ACL permission control

  • What is an ACL (Access Control List)

    • Read, write and similar permissions can be set on individual nodes, in order to protect the data
    • A permission can specify different permission scopes and roles
  • ACL command line

    • getAcl: show the ACL information of a node

      [zk: localhost:2181(CONNECTED) 11] getAcl /czk
      'world,'anyone
      : cdrwa
    • setAcl: set the ACL information of a node

    • addauth: supply authentication (authorization) information; the password is typed in plaintext when registering (logging in), but inside zk the password is stored in encrypted form

  • Structure of an ACL

    • A zk ACL entry is made up of [scheme : id : permissions]

      • scheme: the permission mechanism being used
      • id: the user allowed to access the node
      • permissions: the permission combination string
    • scheme

      • world: under world there is only one id, i.e. the single user anyone; the combined form is the string

        world:anyone:[permissions]

      • auth: authenticated login; any registered user that holds the permission qualifies; the form is auth:user:password:[permissions]

      • digest: the password must be encrypted before access; the form is digest:username:BASE64(SHA1(password)):[permissions]

      • Difference between auth and digest: the former takes plaintext, the latter ciphertext

        • setAcl /path auth:tom:tom:cdrwa
        • setAcl /path digest:tom:BASE64(SHA1(password)):cdrwa is equivalent to it
        • After addauth digest tom:tom, both forms allow operating on the permissions of the given node
      • ip: when set to ip with a given IP address, access is restricted to that IP, e.g. ip:192.168.1.1:[permissions]

      • super: the super administrator, who holds all permissions

    • permissions

      • crdwa
      • Create: create child nodes
      • Read: read the node / list its child nodes
      • Write: set node data
      • Delete: delete child nodes
      • Admin: set permissions
    • world:anyone:cdrwa

      # create the child node /czk/abc
      [zk: localhost:2181(CONNECTED) 5] create /czk/abc 123
      Created /czk/abc
      # check the node permissions: a newly created node defaults to world:anyone:cdrwa
      [zk: localhost:2181(CONNECTED) 6] getAcl /czk/abc
      'world,'anyone
      : cdrwa
      # change the node permissions with setAcl: setAcl <path> world:anyone:crwa
      # set the permissions to crwa, dropping d (delete child nodes)
      [zk: localhost:2181(CONNECTED) 7] setAcl /czk/abc world:anyone:crwa
      cZxid = 0xb3
      ctime = Sun Jan 06 17:46:55 CST 2019
      mZxid = 0xb3
      mtime = Sun Jan 06 17:46:55 CST 2019
      pZxid = 0xb3
      cversion = 0
      dataVersion = 0
      aclVersion = 1
      ephemeralOwner = 0x0
      dataLength = 3
      numChildren = 0
      # check the permissions
      [zk: localhost:2181(CONNECTED) 8] getAcl /czk/abc
      'world,'anyone
      : crwa
      # create a new child node
      [zk: localhost:2181(CONNECTED) 9] create /czk/abc/czk1 123
      Created /czk/abc/czk1
      # test whether the child node can be deleted
      [zk: localhost:2181(CONNECTED) 11] delete /czk/abc/czk1
      Authentication is not valid : /czk/abc/czk1
      # the child node still exists
      [zk: localhost:2181(CONNECTED) 12] ls /czk/abc
      [czk1]
    • auth:user:pwd:cdrwa  handle the ACL with the auth scheme (password in plaintext)

      addauth digest user:pwd registers / logs in the user

      [zk: lh:2181(CONNECTED) 13] setAcl /czk/abc auth:czk:czk:cdrwa
      Acl is not valid : /czk/abc # no user registered yet
      [zk: lh:2181(CONNECTED) 14] addauth digest czk:czk  # register the user
      [zk: lh:2181(CONNECTED) 15] setAcl /czk/abc auth:czk:czk:cdrwa
      cZxid = 0xb3
      ctime = Sun Jan 06 17:46:55 CST 2019
      mZxid = 0xb3
      mtime = Sun Jan 06 17:46:55 CST 2019
      pZxid = 0xb5
      cversion = 1
      dataVersion = 0
      aclVersion = 2
      ephemeralOwner = 0x0
      dataLength = 3
      numChildren = 1
      [zk: lh:2181(CONNECTED) 16] getAcl /czk/abc
      'digest,'czk:8vob7o7uTPp2jDaiVV3mUesBi7A=
      : cdrwa
      # quit the shell, reconnect and try again
      [zk: localhost:2181(CONNECTED) 0] ls /czk
      [sec0000000003, dir1, abc, sec0000000002]
      [zk: localhost:2181(CONNECTED) 1] ls /czk/abc
      Authentication is not valid : /czk/abc  # no read permission
      # log in and look again
      [zk: localhost:2181(CONNECTED) 4] addauth digest czk:czk
      [zk: localhost:2181(CONNECTED) 5] ls /czk/abc
      [xyz]
      # change the authorization: once a user has been bound, setting the ACL again does not require passing the user name and password
      [zk: localhost:2181(CONNECTED) 8] setAcl /czk/abc auth::crwa
      cZxid = 0xb3
      ctime = Sun Jan 06 17:46:55 CST 2019
      mZxid = 0xb3
      mtime = Sun Jan 06 17:46:55 CST 2019
      pZxid = 0xb5
      cversion = 1
      dataVersion = 0
      aclVersion = 3
      ephemeralOwner = 0x0
      dataLength = 3
      numChildren = 1
      [zk: localhost:2181(CONNECTED) 9] getAcl /czk/abc
      'digest,'czk:8vob7o7uTPp2jDaiVV3mUesBi7A=
      : crwa
    • digest:user:BASE64(SHA1(pwd)):cdrwa  handle the ACL with the digest scheme (password as ciphertext)

      [zk: localhost:2181(CONNECTED) 13] setAcl /czk/test digest:czk:8vob7o7uTPp2jDaiVV3mUesBi7A=:rwa
      cZxid = 0xbc
      ctime = Sun Jan 06 18:20:23 CST 2019
      mZxid = 0xbc
      mtime = Sun Jan 06 18:20:23 CST 2019
      pZxid = 0xbc
      cversion = 0
      dataVersion = 0
      aclVersion = 1
      ephemeralOwner = 0x0
      dataLength = 3
      numChildren = 0
      [zk: localhost:2181(CONNECTED) 14] ls /czk/test
      []
      [zk: localhost:2181(CONNECTED) 15] getAcl /czk/test
      'digest,'czk:8vob7o7uTPp2jDaiVV3mUesBi7A=
      : rwa
    • ip:192.168.1.1:cdrwa  control by IP address which clients are allowed access

      [zk: localhost:2181(CONNECTED) 17] create /czk/test2 123
      Created /czk/test2
      [zk: localhost:2181(CONNECTED) 18] setAcl /czk/test2 ip:192.168.199.3:crwa
      cZxid = 0xbf
      ctime = Sun Jan 06 18:24:28 CST 2019
      mZxid = 0xbf
      mtime = Sun Jan 06 18:24:28 CST 2019
      pZxid = 0xbf
      cversion = 0
      dataVersion = 0
      aclVersion = 1
      ephemeralOwner = 0x0
      dataLength = 3
      numChildren = 0
      [zk: localhost:2181(CONNECTED) 19] getAcl /czk/test2
      'ip,'192.168.199.3
      : crwa
      [zk: localhost:2181(CONNECTED) 20] get /czk/test2
      Authentication is not valid : /czk/test2
    • super administrator

      Edit zkServer.sh and add the superDigest system property to the server start line

      nohup $JAVA $ZOO_DATADIR_AUTOCREATE "-Dzookeeper.log.dir=${ZOO_LOG_DIR}" \
          "-Dzookeeper.root.logger=${ZOO_LOG4J_PROP}" \
          "-Dzookeeper.DigestAuthenticationProvider.superDigest=czk:8vob7o7uTPp2jDaiVV3mUesBi7A=" \
          -cp "$CLASSPATH" $JVMFLAGS $ZOOMAIN "$ZOOCFG" > "$_ZOO_DAEMON_OUT" 2>&1 < /dev/null &

      Restart, reconnect with the client and log in

      [zk: localhost:2181(CONNECTED) 2] addauth digest czk:czk
      [zk: localhost:2181(CONNECTED) 3] ls /czk/test2
      []
      [zk: localhost:2181(CONNECTED) 4] getAcl /czk/test2
      'ip,'192.168.199.3
      : crwa
      [zk: localhost:2181(CONNECTED) 5] ls /czk/test2
      []
      [zk: localhost:2181(CONNECTED) 6] delete /czk/test2
      [zk: localhost:2181(CONNECTED) 7] ls /czk
      [sec0000000003, dir1, abc, test, sec0000000002]
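The scheme:id:permissions format, the digest id, and the way an auth entry is turned into a stored digest entry in the setAcl demos above, as an added Python model; it is not ZooKeeper's code and not code from the original page, and the function names are my own. One detail the model relies on: ZooKeeper's DigestAuthenticationProvider hashes the whole "user:password" string, not the password alone, before base64-encoding it.

```python
import base64
import hashlib

PERM_FLAGS = "crwda"  # create, read, write, delete, admin

def generate_digest(user_password):
    """ACL id ZooKeeper derives from 'user:password' (DigestAuthenticationProvider.generateDigest):
    SHA-1 over the whole 'user:password' string, base64-encoded, prefixed with the user name."""
    user = user_password.split(":", 1)[0]
    sha = hashlib.sha1(user_password.encode("utf-8")).digest()
    return user + ":" + base64.b64encode(sha).decode("ascii")

def parse_acl(entry):
    """Split 'scheme:id:permissions'; the id may itself contain ':' (digest ids do), so perms come from the right."""
    scheme, rest = entry.split(":", 1)
    ident, perms = rest.rsplit(":", 1)
    bad = set(perms) - set(PERM_FLAGS)
    if bad:
        raise ValueError("unknown permission flag(s): " + "".join(sorted(bad)))
    return scheme, ident, perms

def set_acl(entries, session_auth):
    """What the server stores for setAcl: an 'auth' entry becomes one 'digest' entry per
    identity the session added with 'addauth digest'; with none it is rejected ('Acl is not valid')."""
    stored = []
    for entry in entries:
        scheme, _ident, perms = parse_acl(entry)
        if scheme != "auth":
            stored.append(entry)
        elif not session_auth:
            raise PermissionError("Acl is not valid")
        else:
            stored += ["digest:%s:%s" % (generate_digest(a), perms) for a in session_auth]
    return stored

def is_allowed(stored, session_auth, client_ip, perm):
    """True if any stored entry grants `perm` to a client with these credentials and address."""
    ids = {generate_digest(a) for a in session_auth}
    for entry in stored:
        scheme, ident, perms = parse_acl(entry)
        if perm not in perms:
            continue
        if (scheme == "world" and ident == "anyone") \
                or (scheme == "digest" and ident in ids) \
                or (scheme == "ip" and ident == client_ip):
            return True
    return False
```

A client that never ran addauth gets "Authentication is not valid" on a digest-protected node exactly as in the reconnect step above, because its session carries no id to match against the stored digest.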