ZooKeeper: setting up ACL permission control (allow only specific IPs, to harden security)

Introduction

To harden access to ZooKeeper and prevent intrusion, configure ACL permission control so that only specific IP addresses are allowed to access it.

Configuring IP-based ACLs
  • This walkthrough uses ZooKeeper version 3.6.1, deployed with Docker
Log in to a terminal
  • Syntax
zkCli.sh -server <IP>:<port>
]# docker exec -it zookeeper /bin/bash
root@zookeeper:/apache-zookeeper-3.6.1-bin# /apache-zookeeper-3.6.1-bin/bin/zkCli.sh  -server 192.168.3.80:2181
Connecting to 192.168.3.80:2181
2022-06-15 16:18:55,868 [myid:] - INFO  [main:Environment@98] - Client environment:zookeeper.version=3.6.1--104dcb3e3fb464b30c5186d229e00af9f332524b, built on 04/21/2020 15:01 GMT
2022-06-15 16:18:55,873 [myid:] - INFO  [main:Environment@98] - Client environment:host.name=<NA>
2022-06-15 16:18:55,873 [myid:] - INFO  [main:Environment@98] - Client environment:java.version=11.0.8
2022-06-15 16:18:55,876 [myid:] - INFO  [main:Environment@98] - Client environment:java.vendor=N/A
2022-06-15 16:18:55,876 [myid:] - INFO  [main:Environment@98] - Client environment:java.home=/usr/local/openjdk-11
2022-06-15 16:18:55,877 [myid:] - INFO  [main:Environment@98] - Client environment:java.class.path=/apache-zookeeper-3.6.1-bin/bin/../zookeeper-server/target/classes:/apache-zookeeper-3.6.1-bin/bin/../build/classes:/apache-zookeeper-3.6.1-bin/bin/../zookeeper-server/target/lib/*.jar:/apache-zookeeper-3.6.1-bin/bin/../build/lib/*.jar:/apache-zookeeper-3.6.1-bin/bin/../lib/zookeeper-prometheus-metrics-3.6.1.jar:/apache-zookeeper-3.6.1-bin/bin/../lib/zookeeper-jute-3.6.1.jar:/apache-zookeeper-3.6.1-bin/bin/../lib/zookeeper-3.6.1.jar:/apache-zookeeper-3.6.1-bin/bin/../lib/snappy-java-1.1.7.jar:/apache-zookeeper-3.6.1-bin/bin/../lib/slf4j-log4j12-1.7.25.jar:/apache-zookeeper-3.6.1-bin/bin/../lib/slf4j-api-1.7.25.jar:/apache-zookeeper-3.6.1-bin/bin/../lib/simpleclient_servlet-0.6.0.jar:/apache-zookeeper-3.6.1-bin/bin/../lib/simpleclient_hotspot-0.6.0.jar:/apache-zookeeper-3.6.1-bin/bin/../lib/simpleclient_common-0.6.0.jar:/apache-zookeeper-3.6.1-bin/bin/../lib/simpleclient-0.6.0.jar:/apache-zookeeper-3.6.1-bin/bin/../lib/netty-transport-native-unix-common-4.1.48.Final.jar:/apache-zookeeper-3.6.1-bin/bin/../lib/netty-transport-native-epoll-4.1.48.Final.jar:/apache-zookeeper-3.6.1-bin/bin/../lib/netty-transport-4.1.48.Final.jar:/apache-zookeeper-3.6.1-bin/bin/../lib/netty-resolver-4.1.48.Final.jar:/apache-zookeeper-3.6.1-bin/bin/../lib/netty-handler-4.1.48.Final.jar:/apache-zookeeper-3.6.1-bin/bin/../lib/netty-common-4.1.48.Final.jar:/apache-zookeeper-3.6.1-bin/bin/../lib/netty-codec-4.1.48.Final.jar:/apache-zookeeper-3.6.1-bin/bin/../lib/netty-buffer-4.1.48.Final.jar:/apache-zookeeper-3.6.1-bin/bin/../lib/metrics-core-3.2.5.jar:/apache-zookeeper-3.6.1-bin/bin/../lib/log4j-1.2.17.jar:/apache-zookeeper-3.6.1-bin/bin/../lib/json-simple-1.1.1.jar:/apache-zookeeper-3.6.1-bin/bin/../lib/jline-2.11.jar:/apache-zookeeper-3.6.1-bin/bin/../lib/jetty-util-9.4.24.v20191120.jar:/apache-zookeeper-3.6.1-bin/bin/../lib/jetty-servlet-9.4.24.v20191120.jar:/apache-zookeeper-3.6.1-bin/bin/../
lib/jetty-server-9.4.24.v20191120.jar:/apache-zookeeper-3.6.1-bin/bin/../lib/jetty-security-9.4.24.v20191120.jar:/apache-zookeeper-3.6.1-bin/bin/../lib/jetty-io-9.4.24.v20191120.jar:/apache-zookeeper-3.6.1-bin/bin/../lib/jetty-http-9.4.24.v20191120.jar:/apache-zookeeper-3.6.1-bin/bin/../lib/javax.servlet-api-3.1.0.jar:/apache-zookeeper-3.6.1-bin/bin/../lib/jackson-databind-2.10.3.jar:/apache-zookeeper-3.6.1-bin/bin/../lib/jackson-core-2.10.3.jar:/apache-zookeeper-3.6.1-bin/bin/../lib/jackson-annotations-2.10.3.jar:/apache-zookeeper-3.6.1-bin/bin/../lib/commons-lang-2.6.jar:/apache-zookeeper-3.6.1-bin/bin/../lib/commons-cli-1.2.jar:/apache-zookeeper-3.6.1-bin/bin/../lib/audience-annotations-0.5.0.jar:/apache-zookeeper-3.6.1-bin/bin/../zookeeper-*.jar:/apache-zookeeper-3.6.1-bin/bin/../zookeeper-server/src/main/resources/lib/*.jar:/conf:
2022-06-15 16:18:55,877 [myid:] - INFO  [main:Environment@98] - Client environment:java.library.path=/usr/java/packages/lib:/usr/lib64:/lib64:/lib:/usr/lib
2022-06-15 16:18:55,877 [myid:] - INFO  [main:Environment@98] - Client environment:java.io.tmpdir=/tmp
2022-06-15 16:18:55,877 [myid:] - INFO  [main:Environment@98] - Client environment:java.compiler=<NA>
2022-06-15 16:18:55,877 [myid:] - INFO  [main:Environment@98] - Client environment:os.name=Linux
2022-06-15 16:18:55,878 [myid:] - INFO  [main:Environment@98] - Client environment:os.arch=amd64
2022-06-15 16:18:55,878 [myid:] - INFO  [main:Environment@98] - Client environment:os.version=3.10.0-1062.9.1.el7.x86_64
2022-06-15 16:18:55,878 [myid:] - INFO  [main:Environment@98] - Client environment:user.name=root
2022-06-15 16:18:55,878 [myid:] - INFO  [main:Environment@98] - Client environment:user.home=/root
2022-06-15 16:18:55,878 [myid:] - INFO  [main:Environment@98] - Client environment:user.dir=/apache-zookeeper-3.6.1-bin
2022-06-15 16:18:55,879 [myid:] - INFO  [main:Environment@98] - Client environment:os.memory.free=248MB
2022-06-15 16:18:55,881 [myid:] - INFO  [main:Environment@98] - Client environment:os.memory.max=256MB
2022-06-15 16:18:55,881 [myid:] - INFO  [main:Environment@98] - Client environment:os.memory.total=256MB
2022-06-15 16:18:55,889 [myid:] - INFO  [main:ZooKeeper@1005] - Initiating client connection, connectString=192.168.3.80:2181 sessionTimeout=30000 watcher=org.apache.zookeeper.ZooKeeperMain$MyWatcher@3d3fcdb0
2022-06-15 16:18:55,904 [myid:] - INFO  [main:X509Util@77] - Setting -D jdk.tls.rejectClientInitiatedRenegotiation=true to disable client-initiated TLS renegotiation
2022-06-15 16:18:55,924 [myid:] - INFO  [main:ClientCnxnSocket@239] - jute.maxbuffer value is 1048575 Bytes
2022-06-15 16:18:55,941 [myid:] - INFO  [main:ClientCnxn@1703] - zookeeper.request.timeout value is 0. feature enabled=false
Welcome to ZooKeeper!
2022-06-15 16:18:55,971 [myid:192.168.3.80:2181] - INFO  [main-SendThread(192.168.3.80:2181):ClientCnxn$SendThread@1154] - Opening socket connection to server 192.168.3.80/192.168.3.80:2181.
2022-06-15 16:18:55,972 [myid:192.168.3.80:2181] - INFO  [main-SendThread(192.168.3.80:2181):ClientCnxn$SendThread@1156] - SASL config status: Will not attempt to authenticate using SASL (unknown error)
2022-06-15 16:18:55,995 [myid:192.168.3.80:2181] - INFO  [main-SendThread(192.168.3.80:2181):ClientCnxn$SendThread@986] - Socket connection established, initiating session, client: /192.168.3.80:47584, server: 192.168.3.80/192.168.3.80:2181
JLine support is enabled
2022-06-15 16:18:56,018 [myid:192.168.3.80:2181] - INFO  [main-SendThread(192.168.3.80:2181):ClientCnxn$SendThread@1420] - Session establishment complete on server 192.168.3.80/192.168.3.80:2181, session id = 0x1012c090b8f0004, negotiated timeout = 30000

WATCHER::

WatchedEvent state:SyncConnected type:None path:null
[zk: 192.168.3.80:2181(CONNECTED) 0] 
View the current permissions
  • Syntax
getAcl /
[zk: 192.168.3.80:2181(CONNECTED) 0] getAcl /
'world,'anyone
: cdrwa
Add an allowed IP
  • Syntax
setAcl / ip:${ip}:cdrwa,ip:${ip}:cdrwa    # one address can be added, or several at once
[zk: 192.168.3.80:2181(CONNECTED) 1] setAcl / ip:192.168.3.80:cdrwa
[zk: 192.168.3.80:2181(CONNECTED) 2] getAcl /	#  view the permissions after the change
'ip,'192.168.3.80
: cdrwa
Restore the default
  • Syntax
setAcl / world:anyone:cdrwa
[zk: 192.168.3.80:2181(CONNECTED) 3] setAcl / world:anyone:cdrwa
[zk: 192.168.3.80:2181(CONNECTED) 4] getAcl /	#  view the permissions after restoring
'world,'anyone
: cdrwa
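The three steps above (view, restrict, restore) are shown only as zkCli transcripts. The following is an added example, not ZooKeeper's own code or the author's: a small Python model of how ZooKeeper evaluates the `world` and `ip` ACL schemes. It parses the `getAcl` output format shown above, builds the `setAcl` command line used in the "Add an allowed IP" step, flags znodes that `world:anyone` can modify, and checks whether a given client address is permitted an operation. All function names (`parse_getacl_output`, `setacl_command`, `is_permitted`, `audit_acl`, and so on) and the sample `getAcl` text in `demo()` are constructed for this example. The model uses Python's `ipaddress` for the `addr/bits` matching of the `ip` scheme, so it also accepts IPv6, which is an assumption about the real scheme, not a documented feature.

```python
"""
Model of ZooKeeper znode ACL evaluation for the `world` and `ip` schemes.
Added example (not ZooKeeper's own code): it parses zkCli `getAcl` output,
builds the `setAcl` command used in the walkthrough, and shows how the server
decides whether a client IP may perform an operation. Assumptions are marked.
"""
import ipaddress

# Permission letters as used by zkCli: c=create d=delete r=read w=write a=admin
ALL_PERMS = "cdrwa"


def parse_getacl_output(text):
    """Parse zkCli `getAcl` output: a "'scheme,'id" line followed by a ": perms" line."""
    entries, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("'"):
            scheme, _, ident = line[1:].partition(",'")
            pending = (scheme, ident)
        elif line.startswith(":") and pending is not None:
            entries.append((pending[0], pending[1], line[1:].strip()))
            pending = None
    return entries


def parse_acl_expr(expr):
    """Parse one 'scheme:id:perms' expression as passed to setAcl."""
    scheme, _, rest = expr.partition(":")
    ident, _, perms = rest.rpartition(":")
    if not (scheme and ident and perms):
        raise ValueError(f"malformed ACL expression: {expr!r}")
    return (scheme, ident, perms)


def setacl_command(path, allowed, perms=ALL_PERMS):
    """Build the zkCli command restricting `path` to the given addresses or addr/bits ranges."""
    return f"setAcl {path} " + ",".join(f"ip:{a}:{perms}" for a in allowed)


def apply_setacl(tree, command):
    """Apply a setAcl command to a dict {znode path: acl list}. Only that one znode changes."""
    parts = command.split()
    if len(parts) != 3 or parts[0] != "setAcl":
        raise ValueError(f"not a setAcl command: {command!r}")
    _, path, exprs = parts
    tree[path] = [parse_acl_expr(e) for e in exprs.split(",")]
    return tree


def ip_matches(acl_id, client_ip):
    """The ip scheme matches 'addr' or 'addr/bits' against the client's source address."""
    try:
        net = ipaddress.ip_network(acl_id, strict=False)  # assumption: ipaddress semantics
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return False
    return addr.version == net.version and addr in net


def is_permitted(acls, client_ip, perm):
    """True if any ACL entry matches the client and grants the permission letter."""
    for scheme, ident, perms in acls:
        if scheme == "world" and ident == "anyone":
            matched = True
        elif scheme == "ip":
            matched = ip_matches(ident, client_ip)
        else:
            matched = False  # digest/sasl/auth need credentials; not modelled here
        if matched and perm in perms:
            return True
    return False


def audit_acl(path, acls):
    """Flag znodes that unauthenticated clients can create under, delete, write or administer."""
    findings = []
    for scheme, ident, perms in acls:
        if scheme == "world" and ident == "anyone":
            risky = "".join(p for p in ALL_PERMS if p in perms and p != "r")
            if risky:
                findings.append(f"{path}: world:anyone holds {risky}")
    return findings


def demo():
    # Constructed getAcl output, matching the default shown on a fresh server.
    default_root = parse_getacl_output(
        "[zk: 192.168.3.80:2181(CONNECTED) 0] getAcl /\n'world,'anyone\n: cdrwa\n")
    tree = {"/": default_root, "/app": list(default_root)}
    before = audit_acl("/", tree["/"])
    apply_setacl(tree, setacl_command("/", ["192.168.3.80"]))  # the step from the walkthrough
    after = audit_acl("/", tree["/"])
    return {
        "before": before,
        "after": after,
        "root_read_from_other_host": is_permitted(tree["/"], "10.0.0.5", "r"),
        "child_read_from_other_host": is_permitted(tree["/app"], "10.0.0.5", "r"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two things the model makes visible that the transcript alone does not. First, ZooKeeper ACLs are not recursive: `setAcl /` changes the ACL of the root znode only, so `/app` in the demo stays readable from any host until its own ACL is set as well, and an audit has to walk every znode. Second, in the session above the address being allowed, 192.168.3.80, is the address the client itself connected from (`client: /192.168.3.80:47584` in the connection log), which is why the session keeps its access; allowing only an address you are not connecting from locks the current session out. The `ip` scheme also trusts the source address as the server sees it, so clients behind the same NAT or proxy share one identity.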
Closing remarks

Linux system security hardening: handling the ZooKeeper unauthorized access vulnerability
ZooKeeper access control with ACLs
ZooKeeper-cli: the ZooKeeper command line interface
