ZooKeeper ACL access control

This article describes ZooKeeper's ACL access control in detail: the permission schemes world, auth, digest and ip, and the corresponding permission types CREATE, READ, WRITE, DELETE and ADMIN. ZooKeeper's access control is per node; a node does not inherit its parent's permissions. The article walks through setting the different kinds of ACL with zkCli, then shows how to create and modify a node's ACL with the native Java API and how to deal with the resulting authentication errors.

ACL: Access Control List

1. Introduction

0. Overview

An ACL is written as scheme:id:perm and covers three things:

Scheme: the authorization strategy (how access is granted)

ID: the object being authorized (to whom access is granted)

Permission: the permissions granted

Its characteristics are:

ZooKeeper access control is per znode; permissions have to be set on every node

Each znode supports several schemes and several permissions at the same time

A child node does not inherit its parent's permissions: a client that has no access to a node may still be able to access its children

For example:

setAcl /test2 ip:128.0.0.1:crwda

1. scheme: how access is granted

world: the default; effectively everyone can access the node

auth: authenticated users (in the cli, addauth digest user:pwd adds an authenticated user to the current session)

digest: username:password authentication, the most common choice in business systems. The username:password string is used to produce an MD5 string, which is then used as the ACL ID. Authentication is performed by sending username:password in plaintext; when used in an ACL the expression is username:base64, where base64 is the base64 encoding of the SHA1 digest of the password.

ip: uses the client's host IP as the ACL ID. The ACL expression has the form addr/bits: the most significant bits of addr are compared with the corresponding bits of the client's address.
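To make the ip scheme concrete, here is an added example (not code from the original post or from ZooKeeper itself) that applies the addr/bits rule to a client address and evaluates a zkCli-style setAcl argument with several ip entries. It assumes Python's standard ipaddress module; the addresses are constructed samples.

```python
import ipaddress


def ip_acl_matches(acl_id: str, client_addr: str) -> bool:
    """True if client_addr falls inside the addr/bits prefix of an ip-scheme id.

    An id without "/bits" (e.g. "127.0.0.1") means every bit is significant,
    i.e. an exact host match. Illustrates the rule described above; it is not
    ZooKeeper's own IPAuthenticationProvider code.
    """
    addr, _, bits = acl_id.partition("/")
    base = ipaddress.ip_address(addr)            # raises ValueError on junk
    prefix = int(bits) if bits else base.max_prefixlen
    if not 0 <= prefix <= base.max_prefixlen:
        raise ValueError(f"invalid prefix length in ACL id {acl_id!r}")
    # strict=False tolerates host bits in addr: only the top `prefix` bits count
    network = ipaddress.ip_network((addr, prefix), strict=False)
    # Membership is False when the address families differ (v4 id vs v6 client)
    return ipaddress.ip_address(client_addr) in network


def granted_ip_perms(acl_spec: str, client_addr: str) -> set:
    """Parse a setAcl argument such as "ip:192.168.0.164:cdwra,ip:127.0.0.1:cdwra"
    and return the union of permission letters from every ip entry that covers
    client_addr. ZooKeeper checks entries in turn, so any matching entry that
    carries the required bit is enough to allow the operation.
    """
    granted = set()
    for entry in acl_spec.split(","):
        scheme, _, rest = entry.partition(":")
        acl_id, _, perms = rest.rpartition(":")  # rpartition keeps IPv6 ids intact
        if scheme == "ip" and ip_acl_matches(acl_id, client_addr):
            granted.update(perms)
    return granted
```

A client on 192.168.0.10 against "ip:192.168.0.0/24:r,ip:192.168.0.164:cdwra" only gets read, while 192.168.0.164 gets everything; an address outside the prefix gets nothing.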

2. ID: who is granted access

The authorization object ID is the user or entity to which the permission is granted, for example an IP address or a machine. Between the authorization mode (scheme) and the authorization object (ID)

3. permission: what is granted

CREATE, READ, WRITE, DELETE, ADMIN, i.e. create, delete, update, read and manage; these five permissions are abbreviated crwda.

Note:

Of these five, delete refers to deleting child nodes; the other four refer to operations on the node itself.

In more detail:

CREATE   c   can create child nodes

DELETE   d   can delete child nodes (only the immediate children)

READ     r   can read the node's data and list its children

WRITE    w   can set the node's data

ADMIN    a   can set the node's access control list

2. ACL commands

getAcl       read the ACL

setAcl       set the ACL

addauth      add an authenticated user

3. Testing permissions with zkCli

1. The world scheme

[zk: localhost:2181(CONNECTED) 9] create /test1 test1-value
Created /test1
[zk: localhost:2181(CONNECTED) 10] getAcl /test1        # by default every user may do cdrwa on a new node
'world,'anyone
: cdrwa
[zk: localhost:2181(CONNECTED) 11] setAcl /test1 world:anyone:acd        # change it so that everyone may only acd
cZxid = 0x400000007
ctime = Tue Mar 12 14:46:55 CST 2019
mZxid = 0x400000007
mtime = Tue Mar 12 14:46:55 CST 2019
pZxid = 0x400000007
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 11
numChildren = 0
[zk: localhost:2181(CONNECTED) 12] getAcl /test1
'world,'anyone
: cda

2. The ip scheme

[zk: localhost:2181(CONNECTED) 13] create /test2 test2-value
Created /test2
[zk: localhost:2181(CONNECTED) 14] setAcl /test2 ip:127.0.0.1:crwda        # give this IP all permissions
cZxid = 0x400000009
ctime = Tue Mar 12 14:51:58 CST 2019
mZxid = 0x400000009
mtime = Tue Mar 12 14:51:58 CST 2019
pZxid = 0x400000009
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 11
numChildren = 0
[zk: localhost:2181(CONNECTED) 15] getAcl /test2
'ip,'127.0.0.1
: cdrwa

Several IPs can of course be granted at once, for example:

[zk: localhost:2181(CONNECTED) 42] setAcl /t3 ip:192.168.0.164:cdwra,ip:127.0.0.1:cdwra
cZxid = 0x400000018
ctime = Tue Mar 12 15:12:59 CST 2019
mZxid = 0x400000018
mtime = Tue Mar 12 15:12:59 CST 2019
pZxid = 0x400000018
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 2
numChildren = 0
[zk: localhost:2181(CONNECTED) 43] getAcl /t3
'ip,'192.168.0.164
: cdrwa
'ip,'127.0.0.1
: cdrwa

3. The auth scheme

[zk: localhost:2181(CONNECTED) 44] create /t4 44
Created /t4
[zk: localhost:2181(CONNECTED) 45] addauth digest qlq:111222        # add an authenticated user; plaintext username and password
[zk: localhost:2181(CONNECTED) 46] setAcl /t4 auth:qlq:cdwra        # grant the permissions
cZxid = 0x40000001d
ctime = Tue Mar 12 15:16:56 CST 2019
mZxid = 0x40000001d
mtime = Tue Mar 12 15:16:56 CST 2019
pZxid = 0x40000001d
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 2
numChildren = 0
[zk: localhost:2181(CONNECTED) 48] getAcl /t4
'digest,'qlq:JWNEexxIoeVompjU7O5pZzTU+VQ=
: cdrwa

After reconnecting, reading the node is refused for lack of permission; the authenticated user has to be added again:

[zk: localhost:2181(CONNECTED) 4] get /t4
Authentication is not valid : /t4
[zk: localhost:2181(CONNECTED) 6] addauth digest qlq:111222
[zk: localhost:2181(CONNECTED) 7] get /t4
44
cZxid = 0x40000001d
ctime = Tue Mar 12 15:16:56 CST 2019
mZxid = 0x40000001d
mtime = Tue Mar 12 15:16:56 CST 2019
pZxid = 0x40000001d
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 2
numChildren = 0

4. The digest scheme

setAcl /test digest:username:password:perms

Here "password" is the encrypted string derived from the username and the password.

(1) Generating the password: SHA1 hash, then base64 encoding

    package zd.dms.test;

    import java.security.MessageDigest;
    import java.security.NoSuchAlgorithmException;
    import org.apache.commons.codec.binary.Base64;

    public class Test {
        public static void main(String[] args) throws NoSuchAlgorithmException {
            // the digest is computed over the whole "username:password" string
            String usernameAndPassword = "user:123456";
            byte digest[] = MessageDigest.getInstance("SHA1").digest(usernameAndPassword.getBytes());
            Base64 base64 = new Base64();
            String encodeToString = base64.encodeToString(digest);
            System.out.println(encodeToString);
        }
    }

6DY5WhzOfGsWQ1XFuIyzxkpwdPo=

(2) Setting the permission

[zk: localhost:2181(CONNECTED) 7] setAcl /t6 digest:user:6DY5WhzOfGsWQ1XFuIyzxkpwdPo=:crwda        # grant
cZxid = 0x400000028
ctime = Tue Mar 12 15:50:02 CST 2019
mZxid = 0x400000028
mtime = Tue Mar 12 15:50:02 CST 2019
pZxid = 0x400000028
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 4
numChildren = 0
[zk: localhost:2181(CONNECTED) 8] getAcl /t6
'digest,'user:6DY5WhzOfGsWQ1XFuIyzxkpwdPo=
: cdrwa

Deleting the node directly is refused; the digest credentials must be added before it can be deleted:

[zk: localhost:2181(CONNECTED) 1] rmr /t6        # direct delete: no permission
Authentication is not valid : /t6
[zk: localhost:2181(CONNECTED) 2] addauth digest user:123456        # add the authenticated user
[zk: localhost:2181(CONNECTED) 3] rmr /t6
[zk: localhost:2181(CONNECTED) 4] ls /
[t4, curator, test2, zookeeper, test1, t3]

5. ACLs with the native Java ZooKeeper API

1. Revisiting node creation

Previously we created nodes like this:

    package zookeper;

    import java.io.IOException;
    import java.util.concurrent.CountDownLatch;
    import org.apache.zookeeper.CreateMode;
    import org.apache.zookeeper.KeeperException;
    import org.apache.zookeeper.WatchedEvent;
    import org.apache.zookeeper.Watcher;
    import org.apache.zookeeper.Watcher.Event.KeeperState;
    import org.apache.zookeeper.ZooDefs;
    import org.apache.zookeeper.ZooKeeper;

    public class BaseAPI {
        private static ZooKeeper zoo;
        final static CountDownLatch connectedSignal = new CountDownLatch(1);

        // block until the session is connected, then hand back the client
        public static ZooKeeper connect(String host) throws IOException, InterruptedException {
            zoo = new ZooKeeper(host, 5000, new Watcher() {
                public void process(WatchedEvent event) {
                    if (event.getState() == KeeperState.SyncConnected) {
                        connectedSignal.countDown();
                    }
                }
            });
            connectedSignal.await();
            return zoo;
        }

        public void close() throws InterruptedException {
            zoo.close();
        }

        public static void create(String path, byte[] data) throws KeeperException, InterruptedException {
            zoo.create(path, data, ZooDefs.Ids.OPEN_ACL_UNSAFE, CreateMode.PERSISTENT);
        }

        public static void main(String[] args) throws IOException, InterruptedException, KeeperException {
            final String path = "/t7";
            final ZooKeeper connect = connect("127.0.0.1:2181,127.0.0.1:2182,127.0.0.1:2183");
            connect.create(path, "777".getBytes(), ZooDefs.Ids.OPEN_ACL_UNSAFE, CreateMode.PERSISTENT);
            Thread.sleep(10 * 1000);
        }
    }

The third parameter of create is the ACL list; here it is the default world:anyone:crwda, the same as in zkCli. It is defined as follows:

    /** This is a completely open ACL. */
    public final ArrayList<ACL> OPEN_ACL_UNSAFE = new ArrayList<ACL>(
            Collections.singletonList(new ACL(Perms.ALL, ANYONE_ID_UNSAFE)));

    public interface Perms {
        int READ = 1 << 0;
        int WRITE = 1 << 1;
        int CREATE = 1 << 2;
        int DELETE = 1 << 3;
        int ADMIN = 1 << 4;
        int ALL = READ | WRITE | CREATE | DELETE | ADMIN;
    }

    public interface Ids {
        public final Id ANYONE_ID_UNSAFE = new Id("world", "anyone");
        public final Id AUTH_IDS = new Id("auth", "");
        public final ArrayList<ACL> OPEN_ACL_UNSAFE = new ArrayList<ACL>(
                Collections.singletonList(new ACL(Perms.ALL, ANYONE_ID_UNSAFE)));
        public final ArrayList<ACL> CREATOR_ALL_ACL = new ArrayList<ACL>(
                Collections.singletonList(new ACL(Perms.ALL, AUTH_IDS)));
        public final ArrayList<ACL> READ_ACL_UNSAFE = new ArrayList<ACL>(
                Collections.singletonList(new ACL(Perms.READ, ANYONE_ID_UNSAFE)));
    }

Now a hand-written version that sets the ACL with the ip scheme:

    package zookeper;

    import java.io.IOException;
    import java.util.ArrayList;
    import java.util.List;
    import java.util.concurrent.CountDownLatch;
    import org.apache.zookeeper.CreateMode;
    import org.apache.zookeeper.KeeperException;
    import org.apache.zookeeper.WatchedEvent;
    import org.apache.zookeeper.Watcher;
    import org.apache.zookeeper.Watcher.Event.KeeperState;
    import org.apache.zookeeper.ZooDefs;
    import org.apache.zookeeper.ZooDefs.Perms;
    import org.apache.zookeeper.ZooKeeper;
    import org.apache.zookeeper.data.ACL;
    import org.apache.zookeeper.data.Id;

    public class BaseAPI {
        private static ZooKeeper zoo;
        final static CountDownLatch connectedSignal = new CountDownLatch(1);

        public static ZooKeeper connect(String host) throws IOException, InterruptedException {
            zoo = new ZooKeeper(host, 5000, new Watcher() {
                public void process(WatchedEvent event) {
                    if (event.getState() == KeeperState.SyncConnected) {
                        connectedSignal.countDown();
                    }
                }
            });
            connectedSignal.await();
            return zoo;
        }

        public void close() throws InterruptedException {
            zoo.close();
        }

        public static void create(String path, byte[] data) throws KeeperException, InterruptedException {
            zoo.create(path, data, ZooDefs.Ids.OPEN_ACL_UNSAFE, CreateMode.PERSISTENT);
        }

        public static void main(String[] args) throws IOException, InterruptedException, KeeperException {
            final String path = "/t9";
            final ZooKeeper connect = connect("127.0.0.1:2181,127.0.0.1:2182,127.0.0.1:2183");
            // build the ACL
            ACL acl = new ACL();
            // build the Id; the constructor can also be given the scheme and id directly
            Id id = new Id("ip", "192.168.0.164");
            acl.setId(id);
            acl.setPerms(Perms.ALL);
            List<ACL> acls = new ArrayList<>();
            acls.add(acl);
            connect.create(path, "777".getBytes(), acls, CreateMode.PERSISTENT);
            Thread.sleep(10 * 1000);
        }
    }

Reading the ACL back:

    package zookeper;

    import java.io.IOException;
    import java.util.ArrayList;
    import java.util.List;
    import java.util.concurrent.CountDownLatch;
    import org.apache.zookeeper.CreateMode;
    import org.apache.zookeeper.KeeperException;
    import org.apache.zookeeper.WatchedEvent;
    import org.apache.zookeeper.Watcher;
    import org.apache.zookeeper.Watcher.Event.KeeperState;
    import org.apache.zookeeper.ZooDefs;
    import org.apache.zookeeper.ZooDefs.Perms;
    import org.apache.zookeeper.ZooKeeper;
    import org.apache.zookeeper.data.ACL;
    import org.apache.zookeeper.data.Id;

    public class BaseAPI {
        private static ZooKeeper zoo;
        final static CountDownLatch connectedSignal = new CountDownLatch(1);

        public static ZooKeeper connect(String host) throws IOException, InterruptedException {
            zoo = new ZooKeeper(host, 5000, new Watcher() {
                public void process(WatchedEvent event) {
                    if (event.getState() == KeeperState.SyncConnected) {
                        connectedSignal.countDown();
                    }
                }
            });
            connectedSignal.await();
            return zoo;
        }

        public void close() throws InterruptedException {
            zoo.close();
        }

        public static void create(String path, byte[] data) throws KeeperException, InterruptedException {
            zoo.create(path, data, ZooDefs.Ids.OPEN_ACL_UNSAFE, CreateMode.PERSISTENT);
        }

        public static void main(String[] args) throws IOException, InterruptedException, KeeperException {
            final String path = "/t9";
            final ZooKeeper connect = connect("127.0.0.1:2181,127.0.0.1:2182,127.0.0.1:2183");
            // getACL fills the Stat passed in; exists() returns the node's current Stat
            List<ACL> acls = connect.getACL("/t9", connect.exists("/t9", false));
            for (ACL acl : acls) {
                System.out.println(acl.getPerms());
                System.out.println(acl.getId());
            }
        }
    }

Result:

31
'ip,'192.168.0.164

Verifying with the zkCli client:

[zk: localhost:2181(CONNECTED) 7] getAcl /t9
'ip,'192.168.0.164
: cdrwa

Supplement: how the permission value is computed:

READ   = 1 << 0 = 00001
WRITE  = 1 << 1 = 00010
CREATE = 1 << 2 = 00100
DELETE = 1 << 3 = 01000
ADMIN  = 1 << 4 = 10000

OR-ing the bits together (as Perms.ALL does above) gives 11111, i.e. 31 in decimal.
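The following added example (not code from the original post) ties the digest section above and this bit computation together: it derives the digest-scheme id from a username and password exactly as the post's Java snippet does, converts between permission letters and the Perms bitmask, and assembles a complete setAcl argument. It assumes only the Python standard library; the credentials are the post's own "user:123456".

```python
import base64
import hashlib

# Bit values match org.apache.zookeeper.ZooDefs.Perms shown above.
PERM_BITS = {"r": 1, "w": 2, "c": 4, "d": 8, "a": 16}
# getAcl prints the letters in this fixed order, e.g. "cdrwa" for 31.
DISPLAY_ORDER = "cdrwa"


def digest_id(username: str, password: str) -> str:
    """Return the "username:base64(sha1(username:password))" id of the digest
    scheme. Note that the whole "username:password" string is hashed, not just
    the password; this is what the post's Java snippet computes too."""
    raw = f"{username}:{password}".encode("utf-8")
    encoded = base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii")
    return f"{username}:{encoded}"


def perms_to_int(perms: str) -> int:
    """Parse a letter string such as "crwda" into the bitmask by OR-ing bits."""
    value = 0
    for letter in perms:
        if letter not in PERM_BITS:
            raise ValueError(f"unknown permission letter {letter!r}")
        value |= PERM_BITS[letter]
    return value


def int_to_perms(value: int) -> str:
    """Render a bitmask the way getAcl displays it (31 -> "cdrwa", 28 -> "cda")."""
    if not 0 <= value <= 31:
        raise ValueError(f"permission value {value} is outside 0..31")
    return "".join(l for l in DISPLAY_ORDER if value & PERM_BITS[l])


def digest_acl_spec(username: str, password: str, perms: str) -> str:
    """Build the zkCli setAcl argument "digest:<user>:<hash>:<perms>".
    The perms are validated and normalised to getAcl's display order."""
    return f"digest:{digest_id(username, password)}:{int_to_perms(perms_to_int(perms))}"
```

Running digest_acl_spec("user", "123456", "crwda") yields the same digest:user:6DY5WhzOfGsWQ1XFuIyzxkpwdPo=:... argument used in section 4, and perms_to_int("acd") == 28 explains why getAcl printed "cda" for the world example.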

2. Modifying an ACL

Change the ACL of node /t10 to the digest scheme, digest:user:111222

    package zookeper;

    import java.io.IOException;
    import java.util.ArrayList;
    import java.util.List;
    import java.util.concurrent.CountDownLatch;
    import org.apache.zookeeper.CreateMode;
    import org.apache.zookeeper.KeeperException;
    import org.apache.zookeeper.WatchedEvent;
    import org.apache.zookeeper.Watcher;
    import org.apache.zookeeper.Watcher.Event.KeeperState;
    import org.apache.zookeeper.ZooDefs;
    import org.apache.zookeeper.ZooDefs.Perms;
    import org.apache.zookeeper.ZooKeeper;
    import org.apache.zookeeper.data.ACL;
    import org.apache.zookeeper.data.Id;
    import org.apache.zookeeper.data.Stat;

    public class BaseAPI {
        private static ZooKeeper zoo;
        final static CountDownLatch connectedSignal = new CountDownLatch(1);

        public static ZooKeeper connect(String host) throws IOException, InterruptedException {
            zoo = new ZooKeeper(host, 5000, new Watcher() {
                public void process(WatchedEvent event) {
                    if (event.getState() == KeeperState.SyncConnected) {
                        connectedSignal.countDown();
                    }
                }
            });
            connectedSignal.await();
            return zoo;
        }

        public void close() throws InterruptedException {
            zoo.close();
        }

        public static void create(String path, byte[] data) throws KeeperException, InterruptedException {
            zoo.create(path, data, ZooDefs.Ids.OPEN_ACL_UNSAFE, CreateMode.PERSISTENT);
        }

        public static void main(String[] args) throws IOException, InterruptedException, KeeperException {
            final String path = "/t10";
            final ZooKeeper connect = connect("127.0.0.1:2181,127.0.0.1:2182,127.0.0.1:2183");
            // build the ACL
            ACL acl = new ACL();
            // build the Id; the constructor can also be given the scheme and id directly
            Id id = new Id("digest", "user:6DY5WhzOfGsWQ1XFuIyzxkpwdPo=");
            acl.setId(id);
            acl.setPerms(Perms.ALL);
            List<ACL> acls = new ArrayList<>();
            acls.add(acl);
            // modify the ACL; the expected aclVersion guards against a concurrent change
            Stat setACL = connect.setACL(path, acls, connect.exists(path, false).getAversion());
            // read the ACL back
            System.out.println(connect.getACL(path, setACL));
        }
    }

Result:

[31,s{'digest,'user:6DY5WhzOfGsWQ1XFuIyzxkpwdPo=}
]

Verifying with the zkCli client:

[zk: localhost:2181(CONNECTED) 26] getAcl /t10
'digest,'user:6DY5WhzOfGsWQ1XFuIyzxkpwdPo=
: cdrwa

3. Accessing the node above now fails with no permission

    package zookeper;

    import java.io.IOException;
    import java.util.ArrayList;
    import java.util.List;
    import java.util.concurrent.CountDownLatch;
    import org.apache.zookeeper.CreateMode;
    import org.apache.zookeeper.KeeperException;
    import org.apache.zookeeper.WatchedEvent;
    import org.apache.zookeeper.Watcher;
    import org.apache.zookeeper.Watcher.Event.KeeperState;
    import org.apache.zookeeper.ZooDefs;
    import org.apache.zookeeper.ZooDefs.Perms;
    import org.apache.zookeeper.ZooKeeper;
    import org.apache.zookeeper.data.ACL;
    import org.apache.zookeeper.data.Id;
    import org.apache.zookeeper.data.Stat;

    public class BaseAPI {
        private static ZooKeeper zoo;
        final static CountDownLatch connectedSignal = new CountDownLatch(1);

        public static ZooKeeper connect(String host) throws IOException, InterruptedException {
            zoo = new ZooKeeper(host, 5000, new Watcher() {
                public void process(WatchedEvent event) {
                    if (event.getState() == KeeperState.SyncConnected) {
                        connectedSignal.countDown();
                    }
                }
            });
            connectedSignal.await();
            return zoo;
        }

        public void close() throws InterruptedException {
            zoo.close();
        }

        public static void create(String path, byte[] data) throws KeeperException, InterruptedException {
            zoo.create(path, data, ZooDefs.Ids.OPEN_ACL_UNSAFE, CreateMode.PERSISTENT);
        }

        public static void main(String[] args) throws IOException, InterruptedException, KeeperException {
            final String path = "/t10";
            final ZooKeeper connect = connect("127.0.0.1:2181,127.0.0.1:2182,127.0.0.1:2183");
            // no auth info on the session, so the digest ACL denies the read
            byte[] data = connect.getData(path, false, null);
            System.out.println(new String(data, "UTF-8"));
        }
    }

Result:

log4j:WARN No appenders could be found for logger (org.apache.zookeeper.ZooKeeper).
log4j:WARN Please initialize the log4j system properly.
log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for more info.
Exception in thread "main" org.apache.zookeeper.KeeperException$NoAuthException: KeeperErrorCode = NoAuth for /t10
    at org.apache.zookeeper.KeeperException.create(KeeperException.java:113)
    at org.apache.zookeeper.KeeperException.create(KeeperException.java:51)
    at org.apache.zookeeper.ZooKeeper.getData(ZooKeeper.java:1212)
    at org.apache.zookeeper.ZooKeeper.getData(ZooKeeper.java:1241)
    at zookeper.BaseAPI.main(BaseAPI.java:42)

4. Solution: add the user credentials to the connection

    package zookeper;

    import java.io.IOException;
    import java.util.concurrent.CountDownLatch;
    import org.apache.zookeeper.CreateMode;
    import org.apache.zookeeper.KeeperException;
    import org.apache.zookeeper.WatchedEvent;
    import org.apache.zookeeper.Watcher;
    import org.apache.zookeeper.Watcher.Event.KeeperState;
    import org.apache.zookeeper.ZooDefs;
    import org.apache.zookeeper.ZooKeeper;

    public class BaseAPI {
        private static ZooKeeper zoo;
        final static CountDownLatch connectedSignal = new CountDownLatch(1);

        public static ZooKeeper connect(String host) throws IOException, InterruptedException {
            zoo = new ZooKeeper(host, 5000, new Watcher() {
                public void process(WatchedEvent event) {
                    if (event.getState() == KeeperState.SyncConnected) {
                        connectedSignal.countDown();
                    }
                }
            });
            connectedSignal.await();
            return zoo;
        }

        public void close() throws InterruptedException {
            zoo.close();
        }

        public static void create(String path, byte[] data) throws KeeperException, InterruptedException {
            zoo.create(path, data, ZooDefs.Ids.OPEN_ACL_UNSAFE, CreateMode.PERSISTENT);
        }

        public static void main(String[] args) throws IOException, InterruptedException, KeeperException {
            final String path = "/t10";
            final ZooKeeper connect = connect("127.0.0.1:2181,127.0.0.1:2182,127.0.0.1:2183");
            // attach the username and password to the session (plaintext, like addauth in zkCli)
            connect.addAuthInfo("digest", "user:123456".getBytes());
            byte[] data = connect.getData(path, false, null);
            System.out.println(new String(data, "UTF-8"));
        }
    }

Result:

10
