Reposted from: https://blog.csdn.net/liuxiao723846/article/details/79391650
ZooKeeper (ZK) is like a file system: a client can create, update and delete nodes on it. How is access to these operations controlled? According to the documentation, ZooKeeper's ACL (Access Control List) mechanism enforces permissions, but after looking into it, it turns out not to be very convenient to use.
ACL permission control is expressed as scheme:id:permission and covers three aspects:
- Permission scheme (Schema): the authentication strategy
- Authorization object (ID)
- Permission
Its characteristics are as follows:
- ZooKeeper's permission control is per znode; permissions must be set on each node individually
- Each znode supports multiple permission schemes and multiple permissions at once
- Child nodes do not inherit the parent's permissions: a client with no access to a node may still be able to access its children
I. Next, we walk through the three concepts schema, id and permission in turn.
1. schema:
ZooKeeper has several built-in permission schemes; each node's permissions can be set with any of the following:

| Scheme | Description |
|---|---|
| world | A single user, anyone, representing everybody (the default) |
| ip | Authenticate by IP address |
| auth | Authenticate as a user already added with addauth |
| digest | Authenticate with "username:password" |

2. id:
The authorization object ID is the user or entity a permission is granted to, for example an IP address or a machine. The relation between the scheme and the authorization object ID:
3. permission:

| Permission | ACL shorthand | Description |
|---|---|---|
| CREATE | c | Can create child nodes |
| DELETE | d | Can delete child nodes (immediate children only) |
| READ | r | Can read the node's data and list its children |
| WRITE | w | Can set the node's data |
| ADMIN | a | Can set the node's access control list |
II. Permission-related commands:

| Command | Usage | Description |
|---|---|---|
| getAcl | getAcl <path> | Read the ACL |
| setAcl | setAcl <path> <acl> | Set the ACL |
| addauth | addauth <scheme> <auth> | Add an authenticated user to the current session |

III. Hands-on:
1. World scheme:
1) How to set it
```
setAcl <path> world:anyone:<acl>
```
2) Client example:
```
[zk: localhost:2181(CONNECTED) 0] create /node1 1
Created /node1
[zk: localhost:2181(CONNECTED) 1] getAcl /node1
'world,'anyone   # defaults to the world scheme
: cdrwa          # anyone has all permissions
# it can also be set explicitly like this:
[zk: localhost:2181(CONNECTED) 2] setAcl /node1 world:anyone:cdrwa
cZxid = 0x19000002a1
ctime = Thu May 11 22:00:00 CST 2017
mZxid = 0x19000002a1
mtime = Thu May 11 22:00:00 CST 2017
pZxid = 0x19000002a1
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 1
numChildren = 0
```
2. IP scheme:
1) How to set it
```
setAcl <path> ip:<ip>:<acl>
```
<ip>: either a specific IP address or the IP/bits form, i.e. the IP is converted to binary and only the leading bits are matched; for example 192.168.0.0/16 matches 192.168.*.*
2) Client example
```
[zk: localhost:2181(CONNECTED) 0] create /node2 1
Created /node2
[zk: localhost:2181(CONNECTED) 1] setAcl /node2 ip:192.168.100.1:cdrwa   # grant IP 192.168.100.1 all permissions
cZxid = 0x1900000239
ctime = Thu May 11 22:00:00 CST 2017
mZxid = 0x1900000239
mtime = Thu May 11 22:00:00 CST 2017
pZxid = 0x1900000239
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 1
numChildren = 0
[zk: localhost:2181(CONNECTED) 2] getAcl /node2
'ip,'192.168.100.1
: cdrwa
# from a machine whose IP is not 192.168.100.1
[zk: localhost:2181(CONNECTED) 0] get /node2
Authentication is not valid : /node2   # no permission
[zk: localhost:2181(CONNECTED) 1] delete /node2   # deleted successfully (DELETE is checked on the parent: it only governs the next-level child nodes, not the node itself)
```
3. Auth scheme
1) How to set it
```
addauth digest <user>:<password>   # add an authenticated user to the session
setAcl <path> auth:<user>:<acl>
```
2) Client example
```
[zk: localhost:2181(CONNECTED) 0] create /node3 1
Created /node3
[zk: localhost:2181(CONNECTED) 1] addauth digest yoonper:123456   # add an authenticated user
[zk: localhost:2181(CONNECTED) 2] setAcl /node3 auth:yoonper:cdrwa
cZxid = 0x19000002b8
ctime = Thu May 11 22:00:00 CST 2017
mZxid = 0x19000002b8
mtime = Thu May 11 22:00:00 CST 2017
pZxid = 0x19000002b8
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 1
numChildren = 0
[zk: localhost:2181(CONNECTED) 3] getAcl /node3
'digest,'yoonper:UvJWhBril5yzpEiA2eV7bwwhfLs=
: cdrwa
[zk: localhost:2181(CONNECTED) 4] get /node3
1   # the authenticated user was added just now, so the data can be read directly; after the session disconnects and reconnects, addauth must be run again
cZxid = 0x1900000418
ctime = Thu May 11 22:00:00 CST 2017
mZxid = 0x1900000418
mtime = Thu May 11 22:00:00 CST 2017
pZxid = 0x1900000418
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 1
numChildren = 0
```
4. Digest scheme
1) How to set it
```
setAcl <path> digest:<user>:<password>:<acl>
```
The password here is a ciphertext produced by SHA1 followed by BASE64; in a shell it can be computed with the following command:
```
echo -n <user>:<password> | openssl dgst -binary -sha1 | openssl base64
```
First, compute a ciphertext:
```
echo -n yoonper:123456 | openssl dgst -binary -sha1 | openssl base64
UvJWhBril5yzpEiA2eV7bwwhfLs=
```
2) Client example
```
[zk: localhost:2181(CONNECTED) 0] create /node4 1
Created /node4
# add permissions using the ciphertext computed above:
[zk: localhost:2181(CONNECTED) 1] setAcl /node4 digest:yoonper:UvJWhBril5yzpEiA2eV7bwwhfLs=:cdrwa
cZxid = 0x19000002e3
ctime = Thu May 11 22:00:00 CST 2017
mZxid = 0x19000002e3
mtime = Thu May 11 22:00:00 CST 2017
pZxid = 0x19000002e3
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 1
numChildren = 0
[zk: localhost:2181(CONNECTED) 2] getAcl /node4
'digest,'yoonper:UvJWhBril5yzpEiA2eV7bwwhfLs=
: cdrwa
[zk: localhost:2181(CONNECTED) 3] get /node4
Authentication is not valid : /node4   # no permission
[zk: localhost:2181(CONNECTED) 4] addauth digest yoonper:123456   # add an authenticated user
[zk: localhost:2181(CONNECTED) 5] get /node4
1   # data read successfully
cZxid = 0x1900000420
ctime = Thu May 11 22:00:00 CST 2017
mZxid = 0x1900000420
mtime = Thu May 11 22:00:00 CST 2017
pZxid = 0x1900000420
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 1
numChildren = 0
```
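As an added example (not from the original post or the ZooKeeper project), the following Python script models the checks described in the sections above: it computes the digest id exactly as the openssl command does, matches ip ids including the addr/bits form, and applies the permission table, with CREATE and DELETE checked on the parent node and no inheritance between nodes. The znode tree and the 10.0.0.5 client address are constructed for illustration.

```python
import base64
import hashlib
import ipaddress

# An ACL entry is (scheme, id, perms), as zkCli's setAcl takes it,
# e.g. ("digest", "yoonper:UvJWhBril5yzpEiA2eV7bwwhfLs=", "cdrwa").

def digest_id(user, password):
    """Same as: echo -n user:password | openssl dgst -binary -sha1 | openssl base64"""
    raw = hashlib.sha1(f"{user}:{password}".encode()).digest()
    return f"{user}:{base64.b64encode(raw).decode()}"

def ip_matches(rule, client_ip):
    """ip scheme: an exact address, or addr/bits matching only the leading bits."""
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(rule, strict=False)

def entry_matches(entry, auth_ids, client_ip):
    scheme, ident, _ = entry
    if scheme == "world":
        return ident == "anyone"
    if scheme == "ip":
        return ip_matches(ident, client_ip)
    if scheme == "digest":
        return ident in auth_ids  # auth_ids hold "user:digest" values added via addauth
    return False  # "auth" entries are stored as digest entries at setAcl time

def allowed(acl, auth_ids, client_ip, perm):
    return any(perm in e[2] and entry_matches(e, auth_ids, client_ip) for e in acl)

# Permission each operation needs, and whether it is checked on the node or its parent.
OPS = {"get": ("r", "self"), "set": ("w", "self"), "setAcl": ("a", "self"),
       "create": ("c", "parent"), "delete": ("d", "parent")}

def check_op(tree, path, op, auth_ids=(), client_ip="127.0.0.1"):
    """tree maps znode path -> ACL list. No inheritance: only the target node is checked."""
    perm, where = OPS[op]
    target = path if where == "self" else (path.rsplit("/", 1)[0] or "/")
    return allowed(tree[target], set(auth_ids), client_ip, perm)

def sample_tree():
    """Constructed tree mirroring the post's nodes; "/" keeps the default world ACL."""
    return {"/": [("world", "anyone", "cdrwa")],
            "/node2": [("ip", "192.168.100.1", "cdrwa")],
            "/node4": [("digest", digest_id("yoonper", "123456"), "cdrwa")]}

if __name__ == "__main__":
    t = sample_tree()
    # another machine (constructed address 10.0.0.5) cannot read /node2 but can delete it
    print(check_op(t, "/node2", "get", client_ip="10.0.0.5"))     # False
    print(check_op(t, "/node2", "delete", client_ip="10.0.0.5"))  # True
    # /node4 is readable only after addauth with the matching credentials
    print(check_op(t, "/node4", "get"))                                              # False
    print(check_op(t, "/node4", "get", auth_ids=[digest_id("yoonper", "123456")]))  # True
```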
5. Java client example:
```java
import java.io.IOException;
import java.util.concurrent.CountDownLatch;

import org.apache.zookeeper.CreateMode;
import org.apache.zookeeper.KeeperException;
import org.apache.zookeeper.WatchedEvent;
import org.apache.zookeeper.Watcher;
import org.apache.zookeeper.Watcher.Event.EventType;
import org.apache.zookeeper.Watcher.Event.KeeperState;
import org.apache.zookeeper.ZooDefs.Ids;
import org.apache.zookeeper.ZooKeeper;

import com.zookeeper.utils.CommonParams; // supplies CONNECTION_IP (host:port of the ensemble)

public class Zookeeper_Acl_Create extends CommonParams implements Watcher {

    // Released once the first session reaches SyncConnected
    private static final CountDownLatch latch = new CountDownLatch(1);
    // Released when the demo has finished, so main() can return
    private static final CountDownLatch countDownLatch = new CountDownLatch(1);
    private static ZooKeeper zk = null;

    public void syncInit() {
        ZooKeeper zk2 = null, zk3 = null;
        try {
            zk = new ZooKeeper(CONNECTION_IP, 5000, new Zookeeper_Acl_Create());
            latch.await();
            // Authenticate before creating: CREATOR_ALL_ACL grants cdrwa to the creator's auth ids
            zk.addAuthInfo("digest", "username:password".getBytes());
            zk.create("/act", "init".getBytes(), Ids.CREATOR_ALL_ACL, CreateMode.EPHEMERAL);

            // A second session presenting the same digest credentials may read the node
            zk3 = new ZooKeeper(CONNECTION_IP, 5000, null);
            zk3.addAuthInfo("digest", "username:password".getBytes());
            String value2 = new String(zk3.getData("/act", false, null));
            System.out.println("zk3有权限进行数据的获取" + value2); // "zk3 is authorized to read the data"

            // A third session with different credentials is rejected with NoAuth
            zk2 = new ZooKeeper(CONNECTION_IP, 5000, null);
            zk2.addAuthInfo("digest", "super:123".getBytes());
            zk2.getData("/act", false, null);
        } catch (InterruptedException | IOException e) {
            e.printStackTrace();
        } catch (KeeperException e) {
            System.out.println("异常:" + e.getMessage());        // "Exception: ..."
            System.out.println("zk2没有权限进行数据的获取");        // "zk2 is not authorized to read the data"
        } finally {
            closeQuietly(zk2);
            closeQuietly(zk3);
            closeQuietly(zk); // closing the creator's session also removes the ephemeral /act
            countDownLatch.countDown(); // always release main(), not only on the NoAuth path
        }
    }

    private static void closeQuietly(ZooKeeper z) {
        if (z == null) return;
        try {
            z.close();
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
        }
    }

    @Override
    public void process(WatchedEvent event) {
        // The connection event has type None and no path
        if (KeeperState.SyncConnected == event.getState()
                && event.getType() == EventType.None && event.getPath() == null) {
            latch.countDown();
        }
    }

    public static void main(String[] args) throws InterruptedException {
        new Zookeeper_Acl_Create().syncInit();
        countDownLatch.await();
    }
}
```
Output:
```
zk3有权限进行数据的获取init
异常:KeeperErrorCode = NoAuth for /act
zk2没有权限进行数据的获取
```