1. Shell operations
ZooKeeper has a built-in ACL mechanism. Each ACL entry has the form scheme:id:permissions: scheme names the authentication scheme used to identify the caller, id names who the entry applies to (its format depends on the scheme), and permissions lists what that id may do (read only, read/write, administer, and so on). ACLs belong to a single node and are not inherited by its children.
(1) scheme:id
- world: has a single id, anyone. world:anyone stands for everybody; a node that everyone may access carries a world:anyone entry, and that is also the ACL a newly created node gets by default.
- auth: carries no id of its own and stands for "whoever is authenticated in this session". When an ACL with the auth scheme is set, the server replaces it with the ids the session has already authenticated with (via addauth), so you must authenticate first. ZooKeeper supports digest (username/password) and Kerberos/SASL authentication.
- digest: the id is username:BASE64(SHA1(username:password)). The hash covers the whole "username:password" string, not the password alone. To act as that id a client must first run addauth digest username:password in its session.
- ip: the id is the client's IP address as the server sees it. A prefix length may be given, e.g. ip:192.168.1.0/16 matches every address whose first 16 bits agree.
- super: not a scheme you write into an ACL. A super user is configured on the server by setting the system property zookeeper.DigestAuthenticationProvider.superDigest to the digest of super:<password>; a session that then runs addauth digest super:<password> bypasses every ACL check (cdrwa on any node). Guard that password like a root password.
(2) permissions
Permission | ACL letter | Description |
---|---|---|
CREATE | c | may create child nodes |
DELETE | d | may delete child nodes |
READ | r | may read the node's data and list its children |
WRITE | w | may set the node's data |
ADMIN | a | may set the node's ACL |
(3) ACL shell commands
Command | Usage | Description |
---|---|---|
getAcl | getAcl <path> | show a node's ACL |
setAcl | setAcl <path> <acl> | set a node's ACL |
addauth | addauth <scheme> <auth> | add a credential to the current session, e.g. addauth digest user:password |
(4) Operations
World Scheme
This is the default: a node created without an explicit ACL gets world:anyone:cdrwa.
Syntax
setAcl <path> world:anyone:<acl>
# create a node
[zk: localhost:2181(CONNECTED) 61] create /wangjyedu 1
Created /wangjyedu
[zk: localhost:2181(CONNECTED) 62] getAcl /wangjyedu
'world,'anyone
: cdrwa
# once the node exists, setAcl changes its ACL (here the 'a' permission is dropped)
[zk: localhost:2181(CONNECTED) 64] setAcl /wangjyedu world:anyone:cdrw
cZxid = 0x1c631
ctime = Tue Jul 09 08:37:06 CST 2019
mZxid = 0x1c631
mtime = Tue Jul 09 08:37:06 CST 2019
pZxid = 0x1c631
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 1
numChildren = 0
[zk: localhost:2181(CONNECTED) 67] getAcl /wangjyedu
'world,'anyone
: cdrw
# Caveat: with 'a' gone, no session, including the one that ran setAcl, can change this node's ACL again; only a server-side super user could. Decide who keeps admin rights before removing them.
IP Scheme
Applies only to the listed client address (or address prefix); clients coming from any other address have no access at all.
Syntax
setAcl <path> ip:<ip>[/<prefix-bits>]:<acl>
# set the ACL with setAcl
[zk: localhost:2181(CONNECTED) 73] setAcl /wangjy01 ip:192.168.123.111:cdrwa
cZxid = 0x1c635
ctime = Tue Jul 09 08:44:14 CST 2019
mZxid = 0x1c635
mtime = Tue Jul 09 08:44:14 CST 2019
pZxid = 0x1c635
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 1
numChildren = 0
[zk: localhost:2181(CONNECTED) 78] getAcl /wangjy01
'ip,'192.168.123.111
: cdrwa
# zkCli is connected to localhost, so the server sees the client address 127.0.0.1, which the ACL does not list: the very session that set the ACL is now locked out
[zk: localhost:2181(CONNECTED) 79] get /wangjy01
Authentication is not valid : /wangjy01
Auth Scheme
Syntax
addauth digest <user>:<password> #add a credential to the current session
setAcl <path> auth::<acl>
The auth scheme has no id of its own: whatever is written after auth: is ignored, and the server stores one digest entry per credential the session has already added with addauth (the text after the last colon is always read as the permission string). Setting an auth ACL in a session that has not run addauth is rejected as an invalid ACL.
# add a credential to the session
[zk: localhost:2181(CONNECTED) 81] addauth digest wjy:root
# set the ACL on /wangjy03; getAcl afterwards shows a digest entry carrying the session's id, not 'auth'
[zk: localhost:2181(CONNECTED) 82] setAcl /wangjy03 auth:wjy:root
cZxid = 0x1c637
ctime = Tue Jul 09 08:47:00 CST 2019
mZxid = 0x1c637
mtime = Tue Jul 09 08:47:00 CST 2019
pZxid = 0x1c637
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 1
numChildren = 0
[zk: localhost:2181(CONNECTED) 95] getAcl /wangjy03
'digest,'wjy:bbYGkKPfBgiZDzcwrmVylqDlXnI=
: cdrwa
**Digest Scheme**
Syntax
setAcl <path> digest:<user>:<BASE64(SHA1(user:password))>:<acl>
Compute the digest (the hash covers the whole "user:password" string, not the password alone; it is unsalted SHA-1, so guard the value like the password itself):
echo -n <user>:<password> | openssl dgst -binary -sha1 | openssl base64
[root@wangjy01 ~]# echo -n wjy:root | openssl dgst -binary -sha1 | openssl base64
Jcfx3JHSwzhuIB96LTMrrNltrFs=
[zk: localhost:2181(CONNECTED) 98] create /wangjy04 1
Created /wangjy04
[zk: localhost:2181(CONNECTED) 99] setAcl /wangjy04 digest:wjy:Jcfx3JHSwzhuIB96LTMrrNltrFs=:a
cZxid = 0x1c641
ctime = Tue Jul 09 08:59:18 CST 2019
mZxid = 0x1c641
mtime = Tue Jul 09 08:59:18 CST 2019
pZxid = 0x1c641
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 1
numChildren = 0
[zk: localhost:2181(CONNECTED) 100] getAcl /wangjy04
'digest,'wjy:Jcfx3JHSwzhuIB96LTMrrNltrFs=
: a
# without the credential the session cannot read the node
[zk: localhost:2181(CONNECTED) 101] get /wangjy04
Authentication is not valid : /wangjy04
# add the credential to the current session
[zk: localhost:2181(CONNECTED) 102] addauth digest wjy:root
# now the read succeeds. Prompts 103 to 106 are not shown; aclVersion = 2 in the output below means the ACL was changed in between (the 'a' permission allows that), because 'a' on its own does not grant read
[zk: localhost:2181(CONNECTED) 107] get /wangjy04
1
cZxid = 0x1c641
ctime = Tue Jul 09 08:59:18 CST 2019
mZxid = 0x1c641
mtime = Tue Jul 09 08:59:18 CST 2019
pZxid = 0x1c641
cversion = 0
dataVersion = 0
aclVersion = 2
ephemeralOwner = 0x0
dataLength = 1
numChildren = 0
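The rules the transcripts above run into (the last-colon parsing of an ACL string, how a digest id is built, why the localhost session is locked out by an ip ACL, why addauth alone does not make a node with only `a` readable, and what the server stores for an auth ACL) can be modelled without a running server. The following is an added example written for this page, not ZooKeeper's own code; it uses the addresses and the wjy:root credential from the session above as constructed sample input, and its generate_digest() produces the same "user:BASE64(SHA1(user:password))" id that the Java API section below needs for its digest ACL.

```python
import base64
import hashlib
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List

PERM_BITS = {"r": 1, "w": 2, "c": 4, "d": 8, "a": 16}  # ZooDefs.Perms READ..ADMIN


def generate_digest(id_password: str) -> str:
    """Same construction as DigestAuthenticationProvider.generateDigest: 'user:BASE64(SHA1(user:password))'."""
    user = id_password.split(":", 1)[0]
    raw = hashlib.sha1(id_password.encode("utf-8")).digest()
    return user + ":" + base64.b64encode(raw).decode("ascii")


def digest_bytes(digest_id: str) -> bytes:
    return base64.b64decode(digest_id.split(":", 1)[1])  # the raw SHA-1 behind a digest id


def perms_from_string(s: str) -> int:
    """'cdrwa' -> bit mask. Stricter than zkCli, which only warns on unknown letters."""
    bits = 0
    for ch in s:
        if ch not in PERM_BITS:
            raise ValueError("unknown permission %r" % ch)
        bits |= PERM_BITS[ch]
    return bits


@dataclass(frozen=True)
class Acl:
    scheme: str
    id: str
    perms: int


def parse_acl_string(acl_string: str) -> List[Acl]:
    """zkCli rule: scheme before the first ':', permissions after the LAST ':', the id in between."""
    out = []
    for entry in acl_string.split(","):
        first, last = entry.find(":"), entry.rfind(":")
        if first == -1 or first == last:
            raise ValueError("malformed ACL entry %r" % entry)
        out.append(Acl(entry[:first], entry[first + 1:last], perms_from_string(entry[last + 1:])))
    return out


@dataclass
class Session:
    client_ip: str                                      # address the server sees
    auth_ids: List[str] = field(default_factory=list)   # digest ids added with addauth

    def addauth_digest(self, id_password: str) -> None:
        self.auth_ids.append(generate_digest(id_password))


def fixup_acl(acls: List[Acl], session: Session) -> List[Acl]:
    """setAcl-time expansion of 'auth': the id after 'auth:' is dropped, one digest entry per authenticated id is stored."""
    fixed = []
    for a in acls:
        if a.scheme != "auth":
            fixed.append(a)
        elif not session.auth_ids:
            raise ValueError("auth scheme needs a prior addauth (server: InvalidACL)")
        else:
            fixed.extend(Acl("digest", i, a.perms) for i in session.auth_ids)
    return fixed


def entry_matches(a: Acl, session: Session) -> bool:
    if a.scheme == "world":
        return a.id == "anyone"
    if a.scheme == "ip":  # 'ip:192.168.1.0/16' matches on the first 16 bits
        cidr = a.id if "/" in a.id else a.id + "/32"
        return ipaddress.ip_address(session.client_ip) in ipaddress.ip_network(cidr, strict=False)
    if a.scheme == "digest":
        return a.id in session.auth_ids
    return False


def check_acl(acls: List[Acl], needed: str, session: Session) -> bool:
    """True if every letter in `needed` is granted by some entry that matches the session (else 'Authentication is not valid')."""
    return all(any(a.perms & PERM_BITS[ch] and entry_matches(a, session) for a in acls)
               for ch in needed)


def replay_transcript() -> Dict[str, object]:
    """Replays the situations from the zkCli session above on constructed input."""
    r: Dict[str, object] = {}
    local = Session("127.0.0.1")  # zkCli was connected to localhost:2181
    ip_acl = parse_acl_string("ip:192.168.123.111:cdrwa")
    r["ip_local_read"] = check_acl(ip_acl, "r", local)  # the setter locked itself out
    r["ip_remote_read"] = check_acl(ip_acl, "r", Session("192.168.123.111"))
    admin_only = parse_acl_string("digest:%s:a" % generate_digest("wjy:root"))
    r["digest_before_addauth"] = check_acl(admin_only, "r", local)
    local.addauth_digest("wjy:root")
    r["digest_a_only_read"] = check_acl(admin_only, "r", local)    # 'a' alone never allows get
    r["digest_a_only_setacl"] = check_acl(admin_only, "a", local)  # but it allows fixing the ACL
    readable = parse_acl_string("digest:%s:ra" % generate_digest("wjy:root"))
    r["digest_ra_read"] = check_acl(readable, "r", local)
    stored = fixup_acl(parse_acl_string("auth::cdrwa"), local)
    r["auth_stored"] = (stored[0].scheme, stored[0].id)  # a digest entry, not 'auth'
    r["world_cdrw_setacl"] = check_acl(parse_acl_string("world:anyone:cdrw"), "a", local)
    return r
```

Calling replay_transcript() reproduces the two lockouts from the session: the ip ACL refuses the 127.0.0.1 client that set it, and the digest ACL with only `a` still refuses `get` after addauth until the ACL itself is changed to include `r`.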
2. Java API
With Curator, an ACLProvider supplies the ACL that every node created by the client receives, and authorization() adds the matching credential to the session. The id in a digest ACL is the SHA-1 based digest, never the clear-text "user:password".
```java
import java.util.ArrayList;
import java.util.List;
import org.apache.curator.framework.CuratorFramework;
import org.apache.curator.framework.CuratorFrameworkFactory;
import org.apache.curator.framework.api.ACLProvider;
import org.apache.curator.retry.ExponentialBackoffRetry;
import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Id;
import org.apache.zookeeper.server.auth.DigestAuthenticationProvider;
import org.junit.Before;

private CuratorFramework curatorFramework;

@Before
public void getClient() {
    /*
     * Retry policies: Curator provides several, for example
     * ExponentialBackoffRetry, RetryNTimes, RetryOneTime, RetryUntilElapsed
     */
    // Default ACL for every node this client creates (unless the caller passes one explicitly)
    ACLProvider aclProvider = new ACLProvider() {
        private List<ACL> acl;

        @Override
        public List<ACL> getDefaultAcl() {
            if (acl == null) {
                // Build a fresh list: clear()-ing ZooDefs.Ids.CREATOR_ALL_ACL would wipe a shared static constant
                List<ACL> list = new ArrayList<>();
                try {
                    // digest ids are "user:BASE64(SHA1(user:password))", not the clear-text "admin:123"
                    String digestId = DigestAuthenticationProvider.generateDigest("admin:123");
                    list.add(new ACL(ZooDefs.Perms.ALL, new Id("digest", digestId)));
                } catch (java.security.NoSuchAlgorithmException e) {
                    throw new IllegalStateException("SHA-1 not available", e);
                }
                acl = list;
            }
            return acl;
        }

        @Override
        public List<ACL> getAclForPath(String path) {
            return getDefaultAcl(); // same ACL for every path
        }
    };
    ExponentialBackoffRetry backoffRetry = new ExponentialBackoffRetry(1000, 3); // 1 s base sleep, 3 retries
    // Register the provider and the session credential together: without authorization() the
    // digest ACL locks this very client out of the nodes it creates.
    curatorFramework = CuratorFrameworkFactory.builder()
            .connectString("192.168.134.99:2181")
            .retryPolicy(backoffRetry)
            .aclProvider(aclProvider)
            .authorization("digest", "admin:123".getBytes())
            .build();
    curatorFramework.start();
}
```