[ZooKeeper Study Notes] ACL Access Control

Author: 蓝精灵lx

Source: https://blog.csdn.net/liuxiao723846/article/details/79391650


ZooKeeper resembles a file system: a client can create, update and delete nodes on it, so how is access controlled? According to the documentation, ZooKeeper's ACL (Access Control List) mechanism enforces permissions, but after looking into it I found it is not very convenient to use.

An ACL entry is written as scheme:id:permission and covers three aspects:

  1. Permission scheme (Scheme): the authentication strategy
  2. Authorization object (ID)
  3. Permission (Permission)

Its characteristics are:

  1. ZooKeeper's access control is per znode; permissions must be set on every node
  2. Each znode can carry several schemes and several permission entries at once
  3. Child nodes do not inherit the parent's permissions: a client with no access to a node may still be able to access its children

I. Scheme, ID and permission

1. Scheme:

ZooKeeper has several built-in schemes; permissions can be set on each node using any of the following:

Scheme   Description
world    a single ID, anyone, meaning everyone (the default)
ip       authenticate by client IP address
auth     authenticate as a user already added to the session with addauth
digest   authenticate with "username:password"

2. ID:

The authorization object (ID) is the user or entity to which permissions are granted, for example an IP address or a machine. The ID takes a different form for each scheme (as the hands-on section below shows):

Scheme   ID
world    the single ID anyone
ip       an IP address, or an IP/bits prefix
auth     the username added with addauth
digest   username:BASE64(SHA1(username:password))

3. Permission:

Permission   ACL letter   Description
CREATE       c            create child nodes
DELETE       d            delete child nodes (direct children only)
READ         r            read node data and list its children
WRITE        w            set node data
ADMIN        a            set the node's ACL

II. Permission-related commands:

Command   Usage                      Description
getAcl    getAcl <path>              read a node's ACL
setAcl    setAcl <path> <acl>        set a node's ACL
addauth   addauth <scheme> <auth>    add an authenticated user to the current session

III. Hands-on:

1. World scheme:

1) How to set it

setAcl <path> world:anyone:<acl>

2) Client example:

[zk: localhost:2181(CONNECTED) 0] create /node1 1
Created /node1

[zk: localhost:2181(CONNECTED) 1] getAcl /node1
'world,'anyone #defaults to the world scheme
: cdrwa #everyone has all permissions
#it can be set explicitly like this:
[zk: localhost:2181(CONNECTED) 2] setAcl /node1 world:anyone:cdrwa
cZxid = 0x19000002a1
ctime = Thu May 11 22:00:00 CST 2017
mZxid = 0x19000002a1
mtime = Thu May 11 22:00:00 CST 2017
pZxid = 0x19000002a1
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 1
numChildren = 0

2. IP scheme:

1) How to set it

setAcl <path> ip:<ip>:<acl>

<ip> can be a specific address or an IP/<bits> prefix: the address is converted to binary and only the first <bits> bits are compared, so 192.168.0.0/16 matches 192.168.*.*

2) Client example

[zk: localhost:2181(CONNECTED) 0] create /node2 1
Created /node2

[zk: localhost:2181(CONNECTED) 1] setAcl /node2 ip:192.168.100.1:cdrwa #grant all permissions to IP 192.168.100.1
cZxid = 0x1900000239
ctime = Thu May 11 22:00:00 CST 2017
mZxid = 0x1900000239
mtime = Thu May 11 22:00:00 CST 2017
pZxid = 0x1900000239
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 1
numChildren = 0

[zk: localhost:2181(CONNECTED) 2] getAcl /node2
'ip,'192.168.100.1
: cdrwa

#from a machine whose IP is not 192.168.100.1
[zk: localhost:2181(CONNECTED) 0] get /node2
Authentication is not valid : /node2 #no permission

[zk: localhost:2181(CONNECTED) 1] delete /node2 #delete succeeds (the DELETE permission only applies to direct children, not to the node itself)

3. Auth scheme

1) How to set it

addauth digest <user>:<password> #add an authenticated user to the session
setAcl <path> auth:<user>:<acl>

2) Client example

[zk: localhost:2181(CONNECTED) 0] create /node3 1
Created /node3

[zk: localhost:2181(CONNECTED) 1] addauth digest yoonper:123456 #add an authenticated user

[zk: localhost:2181(CONNECTED) 2] setAcl /node3 auth:yoonper:cdrwa
cZxid = 0x19000002b8
ctime = Thu May 11 22:00:00 CST 2017
mZxid = 0x19000002b8
mtime = Thu May 11 22:00:00 CST 2017
pZxid = 0x19000002b8
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 1
numChildren = 0

[zk: localhost:2181(CONNECTED) 3] getAcl /node3
'digest,'yoonper:UvJWhBril5yzpEiA2eV7bwwhfLs=
: cdrwa

[zk: localhost:2181(CONNECTED) 4] get /node3
1 #the authenticated user was added above, so the data can be read directly; after disconnecting and reconnecting, addauth must be run again
cZxid = 0x1900000418
ctime = Thu May 11 22:00:00 CST 2017
mZxid = 0x1900000418
mtime = Thu May 11 22:00:00 CST 2017
pZxid = 0x1900000418
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 1
numChildren = 0

4. Digest scheme

1) How to set it

setAcl <path> digest:<user>:<password>:<acl>

The password here is not the plaintext but its digest, BASE64(SHA1(user:password)); in a shell it can be computed with:

echo -n <user>:<password> | openssl dgst -binary -sha1 | openssl base64

First compute a digest:

echo -n yoonper:123456 | openssl dgst -binary -sha1 | openssl base64
UvJWhBril5yzpEiA2eV7bwwhfLs=

2) Client example

[zk: localhost:2181(CONNECTED) 0] create /node4 1
Created /node4

#set the ACL using the digest computed above:
[zk: localhost:2181(CONNECTED) 1] setAcl /node4 digest:yoonper:UvJWhBril5yzpEiA2eV7bwwhfLs=:cdrwa
cZxid = 0x19000002e3
ctime = Thu May 11 22:00:00 CST 2017
mZxid = 0x19000002e3
mtime = Thu May 11 22:00:00 CST 2017
pZxid = 0x19000002e3
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 1
numChildren = 0

[zk: localhost:2181(CONNECTED) 2] getAcl /node4
'digest,'yoonper:UvJWhBril5yzpEiA2eV7bwwhfLs=
: cdrwa

[zk: localhost:2181(CONNECTED) 3] get /node4
Authentication is not valid : /node4 #no permission

[zk: localhost:2181(CONNECTED) 4] addauth digest yoonper:123456 #add an authenticated user

[zk: localhost:2181(CONNECTED) 5] get /node4
1 #data read successfully
cZxid = 0x1900000420
ctime = Thu May 11 22:00:00 CST 2017
mZxid = 0x1900000420
mtime = Thu May 11 22:00:00 CST 2017
pZxid = 0x1900000420
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 1
numChildren = 0
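As an added illustration (not code from the original post), the following Python models how ZooKeeper evaluates the scheme:id:permission entries described above: it computes the digest id exactly as the openssl command does, expands an auth entry into the session's digest ids the way getAcl /node3 shows, matches ip entries with IP/bits prefixes, and checks DELETE against the parent, which is why delete /node2 succeeded from an unauthorized machine. The client dict, the tree dict and the function names are this example's own constructs, not ZooKeeper APIs.

```python
import base64
import hashlib
import ipaddress

def digest_id(user, password):
    """The id ZooKeeper stores for the digest scheme: user:BASE64(SHA1(user:password))."""
    raw = hashlib.sha1(f"{user}:{password}".encode()).digest()
    return f"{user}:{base64.b64encode(raw).decode()}"

def parse_acl(entry):
    """Split 'scheme:id:perms'; the id may itself contain ':' (digest ids do)."""
    scheme, rest = entry.split(":", 1)
    ident, perms = rest.rsplit(":", 1)
    if not perms or not set(perms) <= set("cdrwa"):
        raise ValueError(f"bad permission letters in {entry!r}")
    return scheme, ident, set(perms)

def expand_auth(acl, session_auths):
    """setAcl with the auth scheme stores the session's digest ids instead (as getAcl shows)."""
    out = []
    for scheme, ident, perms in map(parse_acl, acl):
        letters = "".join(sorted(perms))
        if scheme == "auth":
            out += [f"digest:{i}:{letters}" for s, i in session_auths if s == "digest"]
        else:
            out.append(f"{scheme}:{ident}:{letters}")
    return out

def id_matches(scheme, ident, client):
    """client is a constructed dict: its source 'ip' and the 'auths' it added with addauth."""
    if scheme == "world":
        return ident == "anyone"
    if scheme == "ip":  # 192.168.0.0/16 matches any 192.168.*.* client
        return ipaddress.ip_address(client["ip"]) in ipaddress.ip_network(ident, strict=False)
    if scheme == "digest":
        return ("digest", ident) in client["auths"]
    return False

def allowed(acl, client, perm):
    """True if some entry grants perm (one of c, d, r, w, a) to this client."""
    return any(perm in p and id_matches(s, i, client) for s, i, p in map(parse_acl, acl))

def can_delete(tree, path, client):
    """DELETE is checked on the parent's ACL: a node's own ACL does not protect it from removal."""
    parent = path.rsplit("/", 1)[0] or "/"
    return allowed(tree[parent], client, "d")
```

With tree = {"/": ["world:anyone:cdrwa"], "/node2": ["ip:192.168.100.1:cdrwa"]}, a client at 10.0.0.5 gets allowed(tree["/node2"], client, "r") == False but can_delete(tree, "/node2", client) == True, reproducing the delete step in section 2. The digest id is an unsalted SHA-1 of user:password and is visible in getAcl output, so treat it like a password hash.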

5. Java client example:

import java.io.IOException;
import java.util.concurrent.CountDownLatch;

import org.apache.zookeeper.CreateMode;
import org.apache.zookeeper.KeeperException;
import org.apache.zookeeper.WatchedEvent;
import org.apache.zookeeper.Watcher;
import org.apache.zookeeper.Watcher.Event.EventType;
import org.apache.zookeeper.Watcher.Event.KeeperState;
import org.apache.zookeeper.ZooDefs.Ids;
import org.apache.zookeeper.ZooKeeper;

// CONNECTION_IP (the connect string, e.g. "localhost:2181") comes from the author's own helper class.
import com.zookeeper.utils.CommonParams;


public class Zookeeper_Acl_Create extends CommonParams implements Watcher {

    // Released once the first session reports SyncConnected.
    private static CountDownLatch latch = new CountDownLatch(1);

    // Released when the demonstration is finished, so main() can exit.
    private static CountDownLatch countDownLatch = new CountDownLatch(1);

    private static ZooKeeper zk = null;

    public void syncInit() {
        ZooKeeper zk2 = null;
        ZooKeeper zk3 = null;
        try {
            zk = new ZooKeeper(CONNECTION_IP, 5000, new Zookeeper_Acl_Create());
            latch.await();
            // Authenticate this session, then create a node whose ACL grants all
            // permissions only to the creator's digest id (CREATOR_ALL_ACL).
            zk.addAuthInfo("digest", "username:password".getBytes());
            zk.create("/act", "init".getBytes(), Ids.CREATOR_ALL_ACL, CreateMode.EPHEMERAL);

            // zk3 presents the same digest credentials and is allowed to read the node.
            zk3 = new ZooKeeper(CONNECTION_IP, 5000, null);
            zk3.addAuthInfo("digest", "username:password".getBytes());
            String value2 = new String(zk3.getData("/act", false, null));
            System.out.println("zk3有权限进行数据的获取" + value2); // zk3 is allowed to read the data

            // zk2 presents different credentials, so getData fails with NoAuth.
            zk2 = new ZooKeeper(CONNECTION_IP, 5000, null);
            zk2.addAuthInfo("digest", "super:123".getBytes());
            zk2.getData("/act", false, null);
        } catch (InterruptedException e) {
            e.printStackTrace();
        } catch (IOException e) {
            e.printStackTrace();
        } catch (KeeperException e) {
            System.out.println("异常:" + e.getMessage()); // exception: KeeperErrorCode = NoAuth for /act
            System.out.println("zk2没有权限进行数据的获取"); // zk2 is not allowed to read the data
        } finally {
            // Always release main(); the original only did so in the NoAuth branch and hung otherwise.
            countDownLatch.countDown();
            close(zk3);
            close(zk2);
            close(zk); // closing the creator's session also removes the EPHEMERAL node
        }
    }

    private static void close(ZooKeeper session) {
        try {
            if (session != null) {
                session.close();
            }
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
        }
    }

    @Override
    public void process(WatchedEvent event) {
        // The connection event has no path and type None; use it to release the latch.
        if (KeeperState.SyncConnected == event.getState()) {
            if (event.getType() == EventType.None && null == event.getPath()) {
                latch.countDown();
            }
        }
    }

    public static void main(String[] args) throws InterruptedException {
        Zookeeper_Acl_Create acl_Create = new Zookeeper_Acl_Create();
        acl_Create.syncInit();
        countDownLatch.await();
    }

}

Output:

zk3有权限进行数据的获取init
异常:KeeperErrorCode = NoAuth for /act
zk2没有权限进行数据的获取
Unless otherwise stated, articles on this site are original; reposts must credit the source. Java 技术驿站 » [ZooKeeper Study Notes] ACL Access Control