ZooKeeper ACL access control

  ACL: Access Control List

1.  Introduction

0. Overview

An ACL entry is written as scheme:id:perm and covers three things:
  Scheme: the authorization strategy, i.e. how the caller is identified
  ID: the authorization object, i.e. who is being granted
  Permission: which permissions are granted

Its characteristics:
  ZooKeeper's access control is per znode: permissions have to be set on every node individually.
  Each znode can carry several ACL entries, mixing several schemes and several permission sets.
  A child node does not inherit its parent's ACL. A client that has no access to a node may still be able to access its children, so every node that needs protecting must get an ACL of its own.

For example:

setAcl /test2 ip:128.0.0.1:crwda

 

1.  scheme: how the caller is authorized

  world: the default; its only id is anyone, so in practice everyone has access.
  auth: any user that has authenticated on the current session (in zkCli, addauth digest user:pwd adds such a user to the session). The id part of an auth entry is ignored: when the ACL is stored, the server replaces the entry with the session's authenticated identities, which is why getAcl afterwards shows digest entries.
  digest: username:password authentication, the scheme business systems use most. The ACL ID is username:base64(SHA-1("username:password")), i.e. the hash is taken over the whole username:password string and base64-encoded. Authentication itself is done by sending username:password in clear text to the server, so without TLS on the client connection the credential can be read off the wire; and since the ID is an unsalted SHA-1 of a short string, an entry read back with getAcl should be treated as sensitive rather than as a safely stored password.
  ip: the client's host address is the ACL ID. The expression format is addr/bits: only the leading bits of addr are compared with the client address (a bare addr means all bits must match). This identifies the connection's source address only, so it is no stronger than the network path the clients arrive on.

2.  ID: who is granted the permission

  The ID is the user or entity the permission is granted to, for example an IP address or a machine. Its format is defined by the scheme: anyone for world, addr/bits for ip, username:digest for digest.

3.  permission: what is granted

  CREATE, READ, WRITE, DELETE and ADMIN, i.e. create, read, write, delete and manage; the five are abbreviated with one letter each, crwda.

Note:

  CREATE and DELETE govern a node's children: creating or deleting a direct child is checked against the parent's ACL. READ, WRITE and ADMIN apply to operations on the node itself.

In more detail:

  CREATE   c   create a child node
  DELETE   d   delete a child node (direct children only)
  READ     r   read the node's data and list its children
  WRITE    w   set the node's data
  ADMIN    a   set the node's ACL

 

 2. ACL commands

getAcl        getAcl <path>               read a node's ACL
setAcl        setAcl <path> <acl>         set a node's ACL (replaces the whole list)
addauth       addauth <scheme> <auth>     add an authenticated identity to the current session

 

 3. Testing permissions from zkCli

 1. world scheme

[zk: localhost:2181(CONNECTED) 9] create /test1 test1-value
Created /test1
[zk: localhost:2181(CONNECTED) 10] getAcl /test1   # default: everyone (world:anyone) gets cdrwa
'world,'anyone
: cdrwa
[zk: localhost:2181(CONNECTED) 11] setAcl /test1 world:anyone:acd   # restrict everyone to a, c and d
cZxid = 0x400000007
ctime = Tue Mar 12 14:46:55 CST 2019
mZxid = 0x400000007
mtime = Tue Mar 12 14:46:55 CST 2019
pZxid = 0x400000007
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 11
numChildren = 0
[zk: localhost:2181(CONNECTED) 12] getAcl /test1
'world,'anyone
: cda

 2. ip scheme

[zk: localhost:2181(CONNECTED) 13] create /test2 test2-value
Created /test2
[zk: localhost:2181(CONNECTED) 14] setAcl /test2 ip:127.0.0.1:crwda   # this address gets all permissions
cZxid = 0x400000009
ctime = Tue Mar 12 14:51:58 CST 2019
mZxid = 0x400000009
mtime = Tue Mar 12 14:51:58 CST 2019
pZxid = 0x400000009
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 11
numChildren = 0
[zk: localhost:2181(CONNECTED) 15] getAcl /test2
'ip,'127.0.0.1
: cdrwa

 

 Several addresses can be listed in one setAcl, separated by commas, for example:

[zk: localhost:2181(CONNECTED) 42] setAcl /t3 ip:192.168.0.164:cdwra,ip:127.0.0.1:cdwra
cZxid = 0x400000018
ctime = Tue Mar 12 15:12:59 CST 2019
mZxid = 0x400000018
mtime = Tue Mar 12 15:12:59 CST 2019
pZxid = 0x400000018
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 2
numChildren = 0
[zk: localhost:2181(CONNECTED) 43] getAcl /t3
'ip,'192.168.0.164
: cdrwa
'ip,'127.0.0.1
: cdrwa

 3. auth scheme

[zk: localhost:2181(CONNECTED) 44] create /t4 44
Created /t4
[zk: localhost:2181(CONNECTED) 45] addauth digest qlq:111222    # add an authenticated user: clear-text username and password
[zk: localhost:2181(CONNECTED) 46] setAcl /t4 auth:qlq:cdwra  # grant to the session's authenticated identities (the "qlq" here is ignored)
cZxid = 0x40000001d
ctime = Tue Mar 12 15:16:56 CST 2019
mZxid = 0x40000001d
mtime = Tue Mar 12 15:16:56 CST 2019
pZxid = 0x40000001d
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 2
numChildren = 0
[zk: localhost:2181(CONNECTED) 48] getAcl /t4
'digest,'qlq:JWNEexxIoeVompjU7O5pZzTU+VQ=
: cdrwa

 If you reconnect and read the node, it reports no permission; the authenticated user must be added again, because the identity belongs to the session, not to the client or the node:

[zk: localhost:2181(CONNECTED) 4] get /t4
Authentication is not valid : /t4
[zk: localhost:2181(CONNECTED) 6] addauth digest qlq:111222
[zk: localhost:2181(CONNECTED) 7] get /t4
44
cZxid = 0x40000001d
ctime = Tue Mar 12 15:16:56 CST 2019
mZxid = 0x40000001d
mtime = Tue Mar 12 15:16:56 CST 2019
pZxid = 0x40000001d
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 2
numChildren = 0
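
The rules in sections 1 to 3 can be checked without a server. The following Python model is an added example, not code from this page or from ZooKeeper itself; it follows the logic of ZooKeeper's PrepRequestProcessor (fixupACL / checkACL) as described above: how a scheme:id:perms entry is parsed, how the c/d/r/w/a letters map to permission bits, how world, ip and digest entries are matched against a session's identities, and how an auth entry is rewritten to the session's digest identity, which is what the /t4 output shows. The client address 192.168.0.164 and the two constructed sessions are assumptions; the digest for user:123456 is computed the way section 4 below describes.

```python
import base64
import hashlib
import ipaddress
from dataclasses import dataclass

# Permission bits as in org.apache.zookeeper.ZooDefs.Perms
READ, WRITE, CREATE, DELETE, ADMIN = 1, 2, 4, 8, 16
ALL = READ | WRITE | CREATE | DELETE | ADMIN           # 0b11111 == 31
# zkCli prints a permission set in this letter order ("cdrwa")
PERM_LETTERS = (("c", CREATE), ("d", DELETE), ("r", READ), ("w", WRITE), ("a", ADMIN))


@dataclass(frozen=True)
class Id:
    scheme: str   # world / ip / digest / auth
    id: str       # "anyone", "addr/bits" or "user:base64(sha1)"


@dataclass(frozen=True)
class Acl:
    perms: int
    id: Id


def digest_id(user_and_password):
    """'user:password' -> 'user:base64(SHA-1(user:password))', the digest-scheme ACL ID.
    Unsalted SHA-1 of a short string: an identifier, not a stored password."""
    user = user_and_password.split(":", 1)[0]
    raw = hashlib.sha1(user_and_password.encode("utf-8")).digest()
    return user + ":" + base64.b64encode(raw).decode("ascii")


def perms_from_str(letters):
    table = dict(PERM_LETTERS)
    bits = 0
    for ch in letters:
        bits |= table[ch]      # bitwise OR: "cdrwa" -> 4|8|1|2|16 == 31 (KeyError on a bad letter)
    return bits


def perms_to_str(bits):
    return "".join(ch for ch, bit in PERM_LETTERS if bits & bit)


def parse_acl(expr):
    """One zkCli-style entry 'scheme:id:perms'; the id itself may contain ':'."""
    scheme, rest = expr.split(":", 1)
    ident, letters = rest.rsplit(":", 1)
    return Acl(perms_from_str(letters), Id(scheme, ident))


def ip_matches(acl_expr, client_ip):
    """ip scheme: 'addr/bits' compares the leading bits only; a bare addr means all bits."""
    if "/" in acl_expr:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(acl_expr, strict=False)
    return ipaddress.ip_address(client_ip) == ipaddress.ip_address(acl_expr)


def fixup_acl(acls, session_ids):
    """What the server stores: every 'auth' entry becomes one entry per authenticated (digest)
    identity of the submitting session; the text after 'auth:' is ignored, and a session
    without addauth cannot store an 'auth' entry at all (InvalidACL)."""
    out = []
    for a in acls:
        if a.id.scheme != "auth":
            out.append(a)
            continue
        expanded = [Acl(a.perms, sid) for sid in session_ids if sid.scheme == "digest"]
        if not expanded:
            raise ValueError("InvalidACL: auth scheme needs an authenticated session")
        out.extend(expanded)
    return out


def allowed(acls, perm, session_ids):
    """Server-side check of one permission bit on one znode: some entry granting `perm` must
    match a session identity; False corresponds to KeeperException.NoAuthException. Every
    session carries its client address as an 'ip' identity; addauth adds a 'digest' one."""
    if not acls:                                   # a node with no ACL entries is open
        return True
    for a in acls:
        if not (a.perms & perm):
            continue
        if a.id.scheme == "world" and a.id.id == "anyone":
            return True
        for sid in session_ids:
            if sid.scheme != a.id.scheme:
                continue
            if a.id.scheme == "ip" and ip_matches(a.id.id, sid.id):
                return True
            if a.id.scheme == "digest" and sid.id == a.id.id:
                return True
    return False


if __name__ == "__main__":
    # Constructed sessions from one client address, before and after 'addauth digest user:123456'
    anon = [Id("ip", "192.168.0.164")]
    authed = anon + [Id("digest", digest_id("user:123456"))]
    t6 = [parse_acl("digest:user:6DY5WhzOfGsWQ1XFuIyzxkpwdPo=:crwda")]
    print(allowed(t6, DELETE, anon), allowed(t6, DELETE, authed))   # rmr /t6: False, then True
    t4 = fixup_acl([parse_acl("auth:qlq:cdwra")], authed)         # stored as a digest entry
    print(perms_to_str(t4[0].perms), t4[0].id)
    print(allowed([parse_acl("ip:192.168.0.0/24:r")], READ, anon))  # True: prefix match
```

Running it replays the /t6 and /t4 sessions from this page offline. The point to take away is that the identity lives in the session (the ip identity is implicit, the digest one exists only after addauth), and that the check is per node and per permission bit, with nothing inherited from the parent.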

 4. digest scheme

setAcl /test digest:username:digest:perms

  The digest part is not the password itself: it is the base64-encoded SHA-1 of the string username:password.

(1) Generating the digest: SHA-1, then base64

package zd.dms.test;

import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import org.apache.commons.codec.binary.Base64;

public class Test {
    public static void main(String[] args) throws NoSuchAlgorithmException {
        // The server hashes the whole "user:password" string, not the password alone
        // (the same computation as DigestAuthenticationProvider.generateDigest in ZooKeeper).
        String usernameAndPassword = "user:123456";
        byte[] digest = MessageDigest.getInstance("SHA-1")
                .digest(usernameAndPassword.getBytes(StandardCharsets.UTF_8));
        // base64 of the 20 raw SHA-1 bytes is the id part of the digest ACL entry
        String encodeToString = new Base64().encodeToString(digest);
        System.out.println(encodeToString);
    }
}

6DY5WhzOfGsWQ1XFuIyzxkpwdPo=

(2) Setting the ACL

[zk: localhost:2181(CONNECTED) 7] setAcl /t6  digest:user:6DY5WhzOfGsWQ1XFuIyzxkpwdPo=:crwda  # grant to the digest identity
cZxid = 0x400000028
ctime = Tue Mar 12 15:50:02 CST 2019
mZxid = 0x400000028
mtime = Tue Mar 12 15:50:02 CST 2019
pZxid = 0x400000028
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 4
numChildren = 0
[zk: localhost:2181(CONNECTED) 8] getAcl /t6
'digest,'user:6DY5WhzOfGsWQ1XFuIyzxkpwdPo=
: cdrwa

 

Deleting the node directly is refused; the digest identity has to be added to the session before the delete goes through:

[zk: localhost:2181(CONNECTED) 1] rmr /t6   # delete without authenticating: no permission
Authentication is not valid : /t6 
[zk: localhost:2181(CONNECTED) 2] addauth digest user:123456   # add the authenticated identity
[zk: localhost:2181(CONNECTED) 3] rmr /t6
[zk: localhost:2181(CONNECTED) 4] ls /
[t4, curator, test2, zookeeper, test1, t3]

 

5. ACLs with the native Java ZooKeeper API

1. Recap: creating a node

Previously we created nodes like this:

package zookeper;

import java.io.IOException;
import java.util.concurrent.CountDownLatch;

import org.apache.zookeeper.CreateMode;
import org.apache.zookeeper.KeeperException;
import org.apache.zookeeper.WatchedEvent;
import org.apache.zookeeper.Watcher;
import org.apache.zookeeper.Watcher.Event.KeeperState;
import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.ZooKeeper;

public class BaseAPI {
    private static ZooKeeper zoo;
    final static CountDownLatch connectedSignal = new CountDownLatch(1);

    public static ZooKeeper connect(String host) throws IOException, InterruptedException {
        zoo = new ZooKeeper(host, 5000, new Watcher() {
            public void process(WatchedEvent event) {
                if (event.getState() == KeeperState.SyncConnected) {
                    connectedSignal.countDown();
                }
            }
        });

        connectedSignal.await();
        return zoo;
    }

    public void close() throws InterruptedException {
        zoo.close();
    }

    public static void create(String path, byte[] data) throws KeeperException, InterruptedException {
        zoo.create(path, data, ZooDefs.Ids.OPEN_ACL_UNSAFE, CreateMode.PERSISTENT);
    }

    public static void main(String[] args) throws IOException, InterruptedException, KeeperException {
        final String path = "/t7";
        final ZooKeeper connect = connect("127.0.0.1:2181,127.0.0.1:2182,127.0.0.1:2183");
        connect.create(path, "777".getBytes(), ZooDefs.Ids.OPEN_ACL_UNSAFE, CreateMode.PERSISTENT);
        Thread.sleep(10 * 1000);
    }

}

The third argument of create is the ACL list. OPEN_ACL_UNSAFE is the same world:anyone:cdrwa default as in zkCli, and as its name says it leaves the node fully open to every client that can reach the ensemble.

As defined in ZooDefs:

        /**
         * This is a completely open ACL .
         */
     public final ArrayList<ACL> OPEN_ACL_UNSAFE = new ArrayList<ACL>(
                Collections.singletonList(new ACL(Perms.ALL, ANYONE_ID_UNSAFE)));

    public interface Perms {
        int READ = 1 << 0;

        int WRITE = 1 << 1;

        int CREATE = 1 << 2;

        int DELETE = 1 << 3;

        int ADMIN = 1 << 4;

        int ALL = READ | WRITE | CREATE | DELETE | ADMIN;
    }

    public interface Ids {
        public final Id ANYONE_ID_UNSAFE = new Id("world", "anyone");

        public final Id AUTH_IDS = new Id("auth", "");

        public final ArrayList<ACL> OPEN_ACL_UNSAFE = new ArrayList<ACL>(
                Collections.singletonList(new ACL(Perms.ALL, ANYONE_ID_UNSAFE)));

        public final ArrayList<ACL> CREATOR_ALL_ACL = new ArrayList<ACL>(
                Collections.singletonList(new ACL(Perms.ALL, AUTH_IDS)));

        public final ArrayList<ACL> READ_ACL_UNSAFE = new ArrayList<ACL>(
                Collections
                        .singletonList(new ACL(Perms.READ, ANYONE_ID_UNSAFE)));
    }

 

CREATOR_ALL_ACL is the least-privilege counterpart: it uses the auth scheme, so only the identities the creating session authenticated with (via addAuthInfo) receive permissions; READ_ACL_UNSAFE lets everyone read but nobody else write. Now a hand-written version that sets an ip ACL:

package zookeper;

import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.CountDownLatch;

import org.apache.zookeeper.CreateMode;
import org.apache.zookeeper.KeeperException;
import org.apache.zookeeper.WatchedEvent;
import org.apache.zookeeper.Watcher;
import org.apache.zookeeper.Watcher.Event.KeeperState;
import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.ZooDefs.Perms;
import org.apache.zookeeper.ZooKeeper;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Id;

public class BaseAPI {
    private static ZooKeeper zoo;
    final static CountDownLatch connectedSignal = new CountDownLatch(1);

    public static ZooKeeper connect(String host) throws IOException, InterruptedException {
        zoo = new ZooKeeper(host, 5000, new Watcher() {
            public void process(WatchedEvent event) {
                if (event.getState() == KeeperState.SyncConnected) {
                    connectedSignal.countDown();
                }
            }
        });

        connectedSignal.await();
        return zoo;
    }

    public void close() throws InterruptedException {
        zoo.close();
    }

    public static void create(String path, byte[] data) throws KeeperException, InterruptedException {
        zoo.create(path, data, ZooDefs.Ids.OPEN_ACL_UNSAFE, CreateMode.PERSISTENT);
    }

    public static void main(String[] args) throws IOException, InterruptedException, KeeperException {
        final String path = "/t9";
        final ZooKeeper connect = connect("127.0.0.1:2181,127.0.0.1:2182,127.0.0.1:2183");

        // build the ACL entry
        ACL acl = new ACL();
        // build the Id; the ACL(perms, id) constructor does the same in one step
        Id id = new Id("ip", "192.168.0.164");
        acl.setId(id);
        acl.setPerms(Perms.ALL);

        List<ACL> acls = new ArrayList<>();
        acls.add(acl);

        connect.create(path, "777".getBytes(), acls, CreateMode.PERSISTENT);
        Thread.sleep(10 * 1000);
    }

}

 

Reading the ACL back:

package zookeper;

import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.CountDownLatch;

import org.apache.zookeeper.CreateMode;
import org.apache.zookeeper.KeeperException;
import org.apache.zookeeper.WatchedEvent;
import org.apache.zookeeper.Watcher;
import org.apache.zookeeper.Watcher.Event.KeeperState;
import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.ZooDefs.Perms;
import org.apache.zookeeper.ZooKeeper;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Id;

public class BaseAPI {
    private static ZooKeeper zoo;
    final static CountDownLatch connectedSignal = new CountDownLatch(1);

    public static ZooKeeper connect(String host) throws IOException, InterruptedException {
        zoo = new ZooKeeper(host, 5000, new Watcher() {
            public void process(WatchedEvent event) {
                if (event.getState() == KeeperState.SyncConnected) {
                    connectedSignal.countDown();
                }
            }
        });

        connectedSignal.await();
        return zoo;
    }

    public void close() throws InterruptedException {
        zoo.close();
    }

    public static void create(String path, byte[] data) throws KeeperException, InterruptedException {
        zoo.create(path, data, ZooDefs.Ids.OPEN_ACL_UNSAFE, CreateMode.PERSISTENT);
    }

    public static void main(String[] args) throws IOException, InterruptedException, KeeperException {
        final String path = "/t9";
        final ZooKeeper connect = connect("127.0.0.1:2181,127.0.0.1:2182,127.0.0.1:2183");

        List<ACL> acls = connect.getACL("/t9", connect.exists("/t9", false));
        for (ACL acl : acls) {
            System.out.println(acl.getPerms());
            System.out.println(acl.getId());
        }
    }

}

Result:

31
'ip,'192.168.0.164

Verify from zkCli:

[zk: localhost:2181(CONNECTED) 7] getAcl /t9
'ip,'192.168.0.164
: cdrwa

Supplementary: how the permission value is computed:

<<: shift left, filling the low bits with 0;  |: bitwise OR, a result bit is 1 when either operand bit is 1.

     1   READ
    10   WRITE
   100   CREATE
  1000   DELETE
 10000   ADMIN

ORed together this gives 11111, i.e. 31 in decimal, which is Perms.ALL. Bitwise AND (&) is used the other way round, to test a bit: (perms & Perms.DELETE) != 0 asks whether DELETE is granted.

2. Changing an ACL

  Change node /t10 so that access requires the digest credential user:123456 (the ACL stores the digest of that credential, not the password):

package zookeper;

import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.CountDownLatch;

import org.apache.zookeeper.CreateMode;
import org.apache.zookeeper.KeeperException;
import org.apache.zookeeper.WatchedEvent;
import org.apache.zookeeper.Watcher;
import org.apache.zookeeper.Watcher.Event.KeeperState;
import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.ZooDefs.Perms;
import org.apache.zookeeper.ZooKeeper;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Id;
import org.apache.zookeeper.data.Stat;

public class BaseAPI {
    private static ZooKeeper zoo;
    final static CountDownLatch connectedSignal = new CountDownLatch(1);

    public static ZooKeeper connect(String host) throws IOException, InterruptedException {
        zoo = new ZooKeeper(host, 5000, new Watcher() {
            public void process(WatchedEvent event) {
                if (event.getState() == KeeperState.SyncConnected) {
                    connectedSignal.countDown();
                }
            }
        });

        connectedSignal.await();
        return zoo;
    }

    public void close() throws InterruptedException {
        zoo.close();
    }

    public static void create(String path, byte[] data) throws KeeperException, InterruptedException {
        zoo.create(path, data, ZooDefs.Ids.OPEN_ACL_UNSAFE, CreateMode.PERSISTENT);
    }

    public static void main(String[] args) throws IOException, InterruptedException, KeeperException {
        final String path = "/t10";
        final ZooKeeper connect = connect("127.0.0.1:2181,127.0.0.1:2182,127.0.0.1:2183");

        // build the ACL entry
        ACL acl = new ACL();
        // build the Id; the ACL(perms, id) constructor does the same in one step
        Id id = new Id("digest", "user:6DY5WhzOfGsWQ1XFuIyzxkpwdPo=");
        acl.setId(id);
        acl.setPerms(Perms.ALL);

        List<ACL> acls = new ArrayList<>();
        acls.add(acl);

        // change the ACL; passing the current aversion makes this a compare-and-set: a concurrent
        // ACL change fails with BadVersion instead of being silently overwritten (-1 would skip the check)
        Stat setACL = connect.setACL(path, acls, connect.exists(path, false).getAversion());

        // read the ACL back
        System.out.println(connect.getACL(path, setACL));
    }
}

Result:

[31,s{'digest,'user:6DY5WhzOfGsWQ1XFuIyzxkpwdPo=}
]

Verify from zkCli:

[zk: localhost:2181(CONNECTED) 26] getAcl /t10
'digest,'user:6DY5WhzOfGsWQ1XFuIyzxkpwdPo=
: cdrwa

 

3. Accessing the node now fails with no permission

package zookeper;

import java.io.IOException;
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.CountDownLatch;

import org.apache.zookeeper.CreateMode;
import org.apache.zookeeper.KeeperException;
import org.apache.zookeeper.WatchedEvent;
import org.apache.zookeeper.Watcher;
import org.apache.zookeeper.Watcher.Event.KeeperState;
import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.ZooDefs.Perms;
import org.apache.zookeeper.ZooKeeper;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Id;
import org.apache.zookeeper.data.Stat;

public class BaseAPI {
    private static ZooKeeper zoo;
    final static CountDownLatch connectedSignal = new CountDownLatch(1);

    public static ZooKeeper connect(String host) throws IOException, InterruptedException {
        zoo = new ZooKeeper(host, 5000, new Watcher() {
            public void process(WatchedEvent event) {
                if (event.getState() == KeeperState.SyncConnected) {
                    connectedSignal.countDown();
                }
            }
        });

        connectedSignal.await();
        return zoo;
    }

    public void close() throws InterruptedException {
        zoo.close();
    }

    public static void create(String path, byte[] data) throws KeeperException, InterruptedException {
        zoo.create(path, data, ZooDefs.Ids.OPEN_ACL_UNSAFE, CreateMode.PERSISTENT);
    }

    public static void main(String[] args) throws IOException, InterruptedException, KeeperException {
        final String path = "/t10";
        final ZooKeeper connect = connect("127.0.0.1:2181,127.0.0.1:2182,127.0.0.1:2183");
        byte[] data = connect.getData(path, false, null);
        System.out.println(new String(data, "UTF-8"));
    }
}

Result:

log4j:WARN No appenders could be found for logger (org.apache.zookeeper.ZooKeeper).
log4j:WARN Please initialize the log4j system properly.
log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for more info.
Exception in thread "main" org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = NoAuth for /t10
at org.apache.zookeeper.KeeperException.create(KeeperException.java:113)
at org.apache.zookeeper.KeeperException.create(KeeperException.java:51)
at org.apache.zookeeper.ZooKeeper.getData(ZooKeeper.java:1212)
at org.apache.zookeeper.ZooKeeper.getData(ZooKeeper.java:1241)
at zookeper.BaseAPI.main(BaseAPI.java:42)

 

4. Fix: add the credential to the connection

package zookeper;

import java.io.IOException;
import java.util.concurrent.CountDownLatch;

import org.apache.zookeeper.CreateMode;
import org.apache.zookeeper.KeeperException;
import org.apache.zookeeper.WatchedEvent;
import org.apache.zookeeper.Watcher;
import org.apache.zookeeper.Watcher.Event.KeeperState;
import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.ZooKeeper;

public class BaseAPI {
    private static ZooKeeper zoo;
    final static CountDownLatch connectedSignal = new CountDownLatch(1);

    public static ZooKeeper connect(String host) throws IOException, InterruptedException {
        zoo = new ZooKeeper(host, 5000, new Watcher() {
            public void process(WatchedEvent event) {
                if (event.getState() == KeeperState.SyncConnected) {
                    connectedSignal.countDown();
                }
            }
        });

        connectedSignal.await();
        return zoo;
    }

    public void close() throws InterruptedException {
        zoo.close();
    }

    public static void create(String path, byte[] data) throws KeeperException, InterruptedException {
        zoo.create(path, data, ZooDefs.Ids.OPEN_ACL_UNSAFE, CreateMode.PERSISTENT);
    }

    public static void main(String[] args) throws IOException, InterruptedException, KeeperException {
        final String path = "/t10";
        final ZooKeeper connect = connect("127.0.0.1:2181,127.0.0.1:2182,127.0.0.1:2183");

        // add the digest credential to the session; it must be added before the request is sent,
        // and it travels in clear text unless the client connection is TLS-protected
        connect.addAuthInfo("digest", "user:123456".getBytes());

        byte[] data = connect.getData(path, false, null);
        System.out.println(new String(data, "UTF-8"));
    }
}

Result:

10
