ZooKeeper ACL permissions and four-letter word commands

ACL introduction: the composition of an ACL, and its scheme, id and permissions fields

ACL is the abbreviation of Access Control List:

  • Read and write permissions can be set on each node, to protect the data stored in it
  • A permission entry names both who it applies to (a scheme and an id) and which rights it grants

The composition of acl:

  • A zk ACL is a list of entries of the form scheme:id:permissions:
    • scheme: the authentication mechanism the entry uses
    • id: the identity, in that scheme, that is allowed access
    • permissions: the permission combination string

The composition of acl - scheme. The scheme can be one of the following:

  • world: there is only one id under world, anyone, so the entry is written world:anyone:[permissions]. This is the default ACL on a node created from zkCli
  • ip: restricts access to clients connecting from a given IP address, or from an addr/bits range, e.g. ip:192.168.77.130:[permissions] or ip:192.168.77.0/24:[permissions]
  • auth: stands for "the identity this session authenticated as" (via addauth). It is written auth:[permissions] or auth:user:password:[permissions]; the server ignores the id part and stores a digest entry for the session's authenticated user, so addauth must run before the setAcl
  • digest: the id carries a precomputed hash. The combination is digest:username:BASE64(SHA1(username:password)):[permissions]; note that the SHA-1 covers the whole "username:password" string, not the password alone
    • The difference between auth and digest: with auth the session first runs addauth digest lee:lee with the plaintext credentials and the server derives the digest entry; with digest the hash is supplied in the ACL itself. After addauth digest lee:lee, setAcl /path auth:lee:lee:cdrwa stores exactly the same entry as setAcl /path digest:lee:BASE64(SHA1(lee:lee)):cdrwa. In practice digest is more commonly used, because the ACL can be written without typing the password into the command
  • super: the super administrator, which has all permissions. It is not written into a node's ACL; it is configured on the server with the superDigest property (see the super section below), and a session that authenticates with those credentials bypasses every ACL check

Composition of acl - permissions:

  • The permission string is a combination of the letters in crdwa:
    • CREATE (c): create child nodes
    • READ (r): read the node's data and list its children
    • WRITE (w): set the node's data
    • DELETE (d): delete child nodes
    • ADMIN (a): set the node's ACL
  • Note that CREATE and DELETE are checked on the parent: deleting /a/b requires d on /a, not on /a/b
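To make the model above concrete, here is an added example (my own code, not part of ZooKeeper or of the original post) that parses setAcl-style entries into the permission bits ZooDefs.Perms uses and re-implements the server-side check: a request passes if the session holds the super id, or if some entry grants the requested bit and matches one of the session's (scheme, id) pairs. fixup_acl mirrors what the server does with the auth scheme on setAcl. The sessions and ACL strings in the block are constructed.

```python
import ipaddress
from typing import Iterable, List, NamedTuple, Tuple

# Permission bits as defined in org.apache.zookeeper.ZooDefs.Perms
PERMS = {"r": 1, "w": 2, "c": 4, "d": 8, "a": 16}


class AclEntry(NamedTuple):
    scheme: str
    id: str
    perms: int


def parse_perms(letters: str) -> int:
    """'crwa' -> 23. Letters may be in any order; anything else is rejected."""
    bits = 0
    for ch in letters:
        if ch not in PERMS:
            raise ValueError(f"unknown permission letter {ch!r}")
        bits |= PERMS[ch]
    return bits


def parse_acl(text: str) -> AclEntry:
    """Parse 'scheme:id:perms' as typed into setAcl. The id may itself contain
    colons (digest:user1:HYGa...=:crwa), so split at the first and last colon."""
    scheme, rest = text.split(":", 1)
    ident, perms = rest.rsplit(":", 1)
    return AclEntry(scheme, ident, parse_perms(perms))


def _ip_matches(acl_id: str, client_ip: str) -> bool:
    """The ip scheme id is 'addr' or 'addr/bits', as in IPAuthenticationProvider."""
    try:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(acl_id, strict=False)
    except ValueError:
        return False


def fixup_acl(requested: List[AclEntry], auth_ids: Iterable[Tuple[str, str]]) -> List[AclEntry]:
    """What the server does to an ACL on setAcl/create: an 'auth' entry ignores
    whatever id was typed and becomes one digest entry per identity the session
    authenticated with (addauth digest ...). Without such an identity the ACL is
    rejected as invalid."""
    digests = [(s, i) for s, i in auth_ids if s == "digest"]
    fixed: List[AclEntry] = []
    for entry in requested:
        if entry.scheme != "auth":
            fixed.append(entry)
            continue
        if not digests:
            raise ValueError("auth scheme used by a session with no addauth credentials")
        fixed.extend(AclEntry(s, i, entry.perms) for s, i in digests)
    return fixed


def check_acl(acl: List[AclEntry], requested: int, auth_ids: Iterable[Tuple[str, str]]) -> bool:
    """Server-side permission check for one requested bit (e.g. PERMS['d']).
    auth_ids are the session's (scheme, id) pairs; the server always adds
    ('ip', <client address>) and adds ('super', '') when the session authenticated
    with the configured superDigest credentials."""
    auth_ids = list(auth_ids)
    if any(scheme == "super" for scheme, _ in auth_ids):
        return True
    if not acl:
        return True  # an empty ACL list means no restriction
    for entry in acl:
        if (entry.perms & requested) == 0:
            continue
        if entry.scheme == "world" and entry.id == "anyone":
            return True
        for scheme, ident in auth_ids:
            if scheme != entry.scheme:
                continue
            if scheme == "ip" and _ip_matches(entry.id, ident):
                return True
            if scheme == "digest" and ident == entry.id:
                return True
    return False


if __name__ == "__main__":
    # Constructed sessions: an unauthenticated local client and one that ran addauth.
    anon = [("ip", "127.0.0.1")]
    user1 = anon + [("digest", "user1:HYGa7IZRm2PUBFiFFu8xY2pPP/s=")]
    world = [parse_acl("world:anyone:crwa")]
    print("delete child under world:anyone:crwa:", check_acl(world, PERMS["d"], anon))
    print("auth:test:test:crw becomes:", fixup_acl([parse_acl("auth:test:test:crw")], user1))
```

The world:anyone:crwa case reproduces the "Authentication is not valid" refusal shown later on this page, and fixup_acl reproduces why a second setAcl with auth:test:test still ends up naming user1.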

acl commands:

  • getAcl: get the ACL of a node
  • setAcl: set the ACL of a node (requires the ADMIN permission on that node)
  • addauth: attach authentication information to the current session, e.g. addauth digest user:password with the plaintext password. zk itself stores only the SHA-1 digest of "user:password", never the password, but note that addauth sends the plaintext over the client connection, which in 3.4 is unencrypted TCP

acl command line: world

Use the getAcl command to get the acl permission information of a node, for example:

[root@study-01 ~]# zkCli.sh
[zk: localhost:2181(CONNECTED) 5] create /testDir/testAcl test-data  # create a child node
Created /testDir/testAcl
[zk: localhost:2181(CONNECTED) 6] getAcl /testDir/testAcl  # get the node's ACL
'world,'anyone  # the default is world:anyone
: cdrwa
[zk: localhost:2181(CONNECTED) 7]

Use the setAcl command to set the acl permission information of a node, for example:

[zk: localhost:2181(CONNECTED) 7] setAcl /testDir/testAcl world:anyone:crwa  # set the node's ACL
cZxid = 0x26
ctime = Mon Apr 23 17:28:30 CST 2018
mZxid = 0x26
mtime = Mon Apr 23 17:28:30 CST 2018
pZxid = 0x26
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 9
numChildren = 0
[zk: localhost:2181(CONNECTED) 8] getAcl /testDir/testAcl                  
'world,'anyone
: crwa   # after the change the node no longer has the d (DELETE) permission
[zk: localhost:2181(CONNECTED) 9] create /testDir/testAcl/xyz xyz-data  # create a child node (c is still granted)
Created /testDir/testAcl/xyz
[zk: localhost:2181(CONNECTED) 10] delete /testDir/testAcl/xyz  # delete the child node
Authentication is not valid : /testDir/testAcl/xyz  # refused: deleting a child needs d on the parent, which was removed
[zk: localhost:2181(CONNECTED) 11]

Setting the other permissions works the same way and is not demonstrated here.


acl command line: auth

When using auth to set permissions, the session must first authenticate with addauth; the auth entry is then stored as a digest entry for that user. Example:

[zk: localhost:2181(CONNECTED) 11] addauth digest user1:123456   # authenticate the session as user1 first
[zk: localhost:2181(CONNECTED) 12] setAcl /testDir/testAcl auth:user1:123456:crwa  # only then can an auth ACL be set; the user:password typed here is ignored in favour of the session's identity
cZxid = 0x26
ctime = Mon Apr 23 17:28:30 CST 2018
mZxid = 0x26
mtime = Mon Apr 23 17:28:30 CST 2018
pZxid = 0x28
cversion = 1
dataVersion = 0
aclVersion = 2
ephemeralOwner = 0x0
dataLength = 9
numChildren = 1
[zk: localhost:2181(CONNECTED) 14] getAcl /testDir/testAcl
'digest,'user1:HYGa7IZRm2PUBFiFFu8xY2pPP/s=  # stored as a digest entry: BASE64(SHA1("user1:123456")), not the password
: crwa
[zk: localhost:2181(CONNECTED) 15] 

Later setAcl calls with the auth scheme need no username or password, and whatever id is written after auth: is ignored: the server always substitutes the identity the session authenticated with via addauth, which here is still user1. So setting auth:test:test:crw from this session grants nothing to a user named test:

[zk: localhost:2181(CONNECTED) 16] setAcl /testDir/testAcl auth::crw
[zk: localhost:2181(CONNECTED) 16] setAcl /testDir/testAcl auth:test:test:crw
[zk: localhost:2181(CONNECTED) 14] getAcl /testDir/testAcl
'digest,'user1:HYGa7IZRm2PUBFiFFu8xY2pPP/s=  # still the user from the first setAcl
: crwa
[zk: localhost:2181(CONNECTED) 15] 

acl command line: digest

Because the session used for the auth experiment is still authenticated as user1, quit zkCli and reconnect before the digest experiment so the new session starts without credentials. The digest scheme does not depend on addauth, since the hash is written into the ACL itself; the addauth below is only needed so that this session can still read the node after its ACL has been changed to digest:user1. For example:

[zk: localhost:2181(CONNECTED) 5] create /names/testDigest digest-data  # create a child node
Created /names/testDigest
[zk: localhost:2181(CONNECTED) 6] addauth digest user1:123456  # authenticate the session as user1
[zk: localhost:2181(CONNECTED) 8] getAcl /names/testDigest 
'world,'anyone
: cdrwa
[zk: localhost:2181(CONNECTED) 3] setAcl /names/testDigest digest:user1:HYGa7IZRm2PUBFiFFu8xY2pPP/s=:crwa   # set the ACL with the digest scheme; the hash is given explicitly
cZxid = 0x3a
ctime = Mon Apr 23 20:40:11 CST 2018
mZxid = 0x3a
mtime = Mon Apr 23 20:40:11 CST 2018
pZxid = 0x3a
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 11
numChildren = 0
[zk: localhost:2181(CONNECTED) 11] getAcl /names/testDigest
'digest,'user1:HYGa7IZRm2PUBFiFFu8xY2pPP/s=
: crwa
[zk: localhost:2181(CONNECTED) 12] 

So digest and auth end up storing the same entry; the only difference is whether the server derives the digest from the credentials the session supplied with addauth, or you pass the precomputed digest in the ACL. Online, digest is generally used because the ACL can be set without putting the plaintext password in the command. Do not treat the stored value as a secret, though: it is an unsalted SHA-1 of "username:password", base64-encoded, so anyone who can read it can brute-force weak passwords offline, and addauth still sends the plaintext password over the connection unless that connection is otherwise protected.


acl command line: ip

This scheme restricts access by client address: only clients connecting from the listed IP (or addr/bits range) get the permissions, and the check uses the source address of the TCP connection as the server sees it, not anything the client sends. Example:

[zk: localhost:2181(CONNECTED) 1] create /names/testip ip-data   # create a child node
Created /names/testip
[zk: localhost:2181(CONNECTED) 2] getAcl /names/testip
'world,'anyone
: cdrwa
[zk: localhost:2181(CONNECTED) 4] setAcl /names/testip ip:192.168.190.129:cdrwa  # set the ACL with the ip scheme
cZxid = 0x46
ctime = Mon Apr 23 20:55:43 CST 2018
mZxid = 0x46
mtime = Mon Apr 23 20:55:43 CST 2018
pZxid = 0x46
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 7
numChildren = 0
[zk: localhost:2181(CONNECTED) 5] getAcl /names/testip
'ip,'192.168.190.129   # only this address has cdrwa on the node
: cdrwa
[zk: localhost:2181(CONNECTED) 6] get /names/testip
ip-data
cZxid = 0x46
ctime = Mon Apr 23 20:55:43 CST 2018
mZxid = 0x46
mtime = Mon Apr 23 20:55:43 CST 2018
pZxid = 0x46
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 7
numChildren = 0
[zk: localhost:2181(CONNECTED) 6] 

acl command line: super (super administrator)

Almost every system has a super administrator account, and zk is no exception. If the ACL on some node is set wrongly and the node can no longer be accessed normally, an ordinary user cannot fix it: only the super administrator can reset the permissions or delete the node. This section briefly shows how to configure the administrator user:

1. Modify zkServer.sh to add the super administrator:

[root@study-01 ~]# cd /usr/local/zookeeper-3.4.11/bin/
[root@study-01 /usr/local/zookeeper-3.4.11/bin]# vim zkServer.sh  # find the nohup line and add the following JVM option to the java command
"-Dzookeeper.DigestAuthenticationProvider.superDigest=user1:HYGa7IZRm2PUBFiFFu8xY2pPP/s="
[root@study-01 /usr/local/zookeeper-3.4.11/bin]# 

Note: user1 is the username and the string after the colon is BASE64(SHA1("user1:123456")), the same digest format the digest scheme uses. An edit to zkServer.sh is lost on upgrade; the same option can instead go into JVMFLAGS in conf/java.env, which zkEnv.sh sources. Keep whichever file holds it readable only by the zk service account: the digest is unsalted SHA-1 and can be brute-forced offline, and whoever knows the password owns every node.


2. After the change, restart the zookeeper service for it to take effect:

[root@study-01 /usr/local/zookeeper-3.4.11/bin]# ./zkServer.sh restart

Using super admin user:

[root@study-01 ~]# zkCli.sh
[zk: localhost:2181(CONNECTED) 9] ls /names/ip  # ls a node this session has no permission on
Authentication is not valid : /names/ip   # denied: insufficient permission
[zk: localhost:2181(CONNECTED) 10] addauth digest user1:123456  # authenticate as the super administrator; the plaintext password is used here
[zk: localhost:2181(CONNECTED) 11] ls /names/ip  # ls again
[]   # this time ls succeeds
[zk: localhost:2181(CONNECTED) 12] get /names/ip   # get also works
ip-data
cZxid = 0x51
ctime = Mon Apr 23 21:02:42 CST 2018
mZxid = 0x51
mtime = Mon Apr 23 21:02:42 CST 2018
pZxid = 0x51
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 7
numChildren = 0
[zk: localhost:2181(CONNECTED) 13] delete /names/testip  # deleting a node also works
[zk: localhost:2181(CONNECTED) 14] 
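The digest used by the digest scheme earlier on this page and by the superDigest property in this section is the same value, so one added example (my own code, not ZooKeeper's and not from the original post) covers both: it reproduces the computation of DigestAuthenticationProvider.generateDigest in Python, builds the setAcl argument and the JVM option from a user:password pair, and shows why the stored value must not be treated as a secret by recovering the password from the digest with a small constructed wordlist. The wordlist and the helper names are assumptions made for the example.

```python
import base64
import hashlib
from typing import Iterable, Optional


def generate_digest(id_password: str) -> str:
    """Same computation as DigestAuthenticationProvider.generateDigest:
    'user:password' -> 'user:BASE64(SHA1(user:password))'. The hash covers
    the whole 'user:password' string and there is no salt."""
    user = id_password.split(":", 1)[0]
    raw = hashlib.sha1(id_password.encode("utf-8")).digest()
    return user + ":" + base64.b64encode(raw).decode("ascii")


def digest_acl(id_password: str, perms: str) -> str:
    """The argument to pass to setAcl for the digest scheme."""
    return f"digest:{generate_digest(id_password)}:{perms}"


def super_digest_flag(id_password: str) -> str:
    """The JVM option that makes id_password the super administrator."""
    return "-Dzookeeper.DigestAuthenticationProvider.superDigest=" + generate_digest(id_password)


def password_only_digest(password: str) -> str:
    """BASE64(SHA1(password)) with the username left out: a literal reading of
    'BASE64(SHA1(password))' gives this, and it does not match what zk stores."""
    return base64.b64encode(hashlib.sha1(password.encode("utf-8")).digest()).decode("ascii")


def recover_password(stored: str, candidates: Iterable[str]) -> Optional[str]:
    """Offline guessing against a digest read from getAcl or from a leaked
    superDigest setting. One unsalted SHA-1 per guess is all it costs."""
    user = stored.split(":", 1)[0]
    for guess in candidates:
        if generate_digest(f"{user}:{guess}") == stored:
            return guess
    return None


if __name__ == "__main__":
    print(generate_digest("user1:123456"))  # user1:HYGa7IZRm2PUBFiFFu8xY2pPP/s=
    print(digest_acl("user1:123456", "crwa"))
    print(super_digest_flag("user1:123456"))
    # Constructed wordlist for the demonstration.
    print(recover_password("user1:HYGa7IZRm2PUBFiFFu8xY2pPP/s=", ["admin", "zookeeper", "123456"]))
```

Because the value is a plain hash, a long random password for the super user is what makes the setting safe to keep on disk; a six-digit password like the one in this walkthrough falls to a wordlist immediately.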

Common usage scenarios of acl

  1. Separating development and test environments: developers get no write access to the test environment's nodes, only read
  2. In production, allowing only the services at specified IPs to access the relevant nodes, so that unrelated clients cannot interfere

zk four-letter word commands

zk Four Letter Words:

  • The zk server answers a small set of four-letter commands sent as plain text on its client port; they need no client library and no authentication, so anyone who can reach the port can run them
  • The nc command is used to send them; install it with: yum install nc
  • Command format: echo [command] | nc [ip] [port]

The official document address is as follows:

http://zookeeper.apache.org/doc/r3.4.11/zookeeperAdmin.html#sc_zkCommands

A brief introduction to some commonly used zk four-letter commands:

1.[stat] View the status of the server and its mode (standalone, leader or follower). Example:

[root@study-01 ~]# echo stat |nc 192.168.190.129 2181
Zookeeper version: 3.4.11-37e277162d567b55a07d1755f0b31c32e93c01a0, built on 11/01/2017 18:06 GMT
Clients:
 /192.168.190.129:34268[0](queued=0,recved=1,sent=0)

Latency min/avg/max: 0/0/4
Received: 117
Sent: 116
Connections: 1
Outstanding: 0
Zxid: 0x58
Mode: standalone
Node count: 16
[root@study-01 ~]# 

2.[ruok] Check whether the server is running in a non-error state; it replies imok if so, and does not reply at all otherwise. Example:

[root@study-01 ~]# echo ruok |nc 192.168.190.129 2181
imok
[root@study-01 ~]#

3.[dump] List the outstanding sessions and ephemeral nodes (meaningful on the leader or a standalone server). Example:

[root@study-01 ~]# echo dump |nc 192.168.190.129 2181
SessionTracker dump:
Session Sets (0):
ephemeral nodes dump:
Sessions with Ephemerals (0):
[root@study-01 ~]# 

4.[conf] View server configuration. Example:

[root@study-01 ~]# echo conf |nc 192.168.190.129 2181
clientPort=2181
dataDir=/usr/local/zookeeper-3.4.11/dataDir/version-2
dataLogDir=/usr/local/zookeeper-3.4.11/dataLogDir/version-2
tickTime=2000
maxClientCnxns=60
minSessionTimeout=4000
maxSessionTimeout=40000
serverId=0
[root@study-01 ~]# 

5. [cons] Displays information about clients connected to the server. Example:

[root@study-01 ~]# echo cons |nc 192.168.190.129 2181
 /127.0.0.1:41152[1](queued=0,recved=2,sent=2,sid=0x10001004ed60001,lop=PING,est=1524493375316,to=30000,lcxid=0x0,lzxid=0x59,lresp=19999999,llat=0,minlat=0,avglat=1,maxlat=2)
 /192.168.190.129:34277[0](queued=0,recved=1,sent=0)

[root@study-01 ~]# 

6.[envi] Print details of the serving environment. Note that this reveals the Java version, classpath, OS version and the account zk runs as (here root) to anyone who can reach the port. Example:

[root@study-01 ~]# echo envi |nc 192.168.190.129 2181
Environment:
zookeeper.version=3.4.11-37e277162d567b55a07d1755f0b31c32e93c01a0, built on 11/01/2017 18:06 GMT
host.name=localhost
java.version=1.8.0_161
java.vendor=Oracle Corporation
java.home=/usr/local/jdk1.8/jre
java.class.path=/usr/local/zookeeper-3.4.11/bin/../build/classes:/usr/local/zookeeper-3.4.11/bin/../build/lib/*.jar:/usr/local/zookeeper-3.4.11/bin/../lib/slf4j-log4j12-1.6.1.jar:/usr/local/zookeeper-3.4.11/bin/../lib/slf4j-api-1.6.1.jar:/usr/local/zookeeper-3.4.11/bin/../lib/netty-3.10.5.Final.jar:/usr/local/zookeeper-3.4.11/bin/../lib/log4j-1.2.16.jar:/usr/local/zookeeper-3.4.11/bin/../lib/jline-0.9.94.jar:/usr/local/zookeeper-3.4.11/bin/../lib/audience-annotations-0.5.0.jar:/usr/local/zookeeper-3.4.11/bin/../zookeeper-3.4.11.jar:/usr/local/zookeeper-3.4.11/bin/../src/java/lib/*.jar:/usr/local/zookeeper-3.4.11/bin/../conf:
java.library.path=/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
java.io.tmpdir=/tmp
java.compiler=<NA>
os.name=Linux
os.arch=amd64
os.version=3.10.0-327.el7.x86_64
user.name=root
user.home=/root
user.dir=/usr/local/zookeeper-3.4.11/bin
[root@study-01 ~]# 

7.[mntr] Monitor zk health information. Example:

[root@study-01 ~]# echo mntr |nc 192.168.190.129 2181
zk_version  3.4.11-37e277162d567b55a07d1755f0b31c32e93c01a0, built on 11/01/2017 18:06 GMT
zk_avg_latency  0
zk_max_latency  4
zk_min_latency  0
zk_packets_received 169
zk_packets_sent 168
zk_num_alive_connections    2
zk_outstanding_requests 0
zk_server_state standalone
zk_znode_count  16
zk_watch_count  0
zk_ephemerals_count 0
zk_approximate_data_size    305
zk_open_file_descriptor_count   31
zk_max_file_descriptor_count    4096
[root@study-01 ~]# 

8.[wchs] Display watch information. Example:

[root@study-01 ~]# echo wchs |nc 192.168.190.129 2181
1 connections watching 1 paths
Total watches:1
[root@study-01 ~]# 

9.[wchc] Display sessions and the paths they watch. From 3.4.10 onward four-letter words are filtered by the 4lw.commands.whitelist property, and wchc and wchp are not in the default whitelist because on a server with many watches they are expensive to produce. To use them they must be whitelisted. The * used below whitelists everything, which is fine for a lab; in production list only the words you need, e.g. 4lw.commands.whitelist=stat, ruok, conf, mntr, since the commands are unauthenticated. Example:

[root@study-01 ~]# echo wchc |nc 192.168.190.129 2181
wchc is not executed because it is not in the whitelist.  # the server reports that the command is not whitelisted
[root@study-01 ~]# cd /usr/local/zookeeper-3.4.11/conf/
[root@study-01 /usr/local/zookeeper-3.4.11/conf]# vim zoo.cfg   # append the following line at the end of the file
4lw.commands.whitelist=*
[root@study-01 /usr/local/zookeeper-3.4.11/conf]# cd 
[root@study-01 ~]# zkServer.sh restart  # restart the zk service
[root@study-01 ~]# echo wchc |nc 192.168.190.129 2181  # now the command is accepted
0x10001004ed60001
    /names

[root@study-01 ~]# 

10.[wchp] Display watch and path information. Example:

[root@study-01 ~]# echo wchp |nc 192.168.190.129 2181
/names
    0x10001004ed60001

[root@study-01 ~]# 
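As an added example for the command format described at the start of this section and for the whitelist behaviour shown under wchc (my own code, not part of ZooKeeper or of the original post): a minimal four-letter-word client in Python that does what echo cmd | nc host port does, a parser for mntr output, and a probe that reports which words a server will actually execute, which is the check to run against a production ensemble after tightening 4lw.commands.whitelist. The canned replies in the block are constructed from the outputs shown above so the functions can be exercised without a server; send_4lw is the only part that touches the network.

```python
import socket
from typing import Callable, Dict, Iterable

Sender = Callable[[str], str]

# Reply a 3.4.10+ server gives for a word that is not in 4lw.commands.whitelist.
NOT_WHITELISTED = "is not executed because it is not in the whitelist"


def send_4lw(host: str, port: int, cmd: str, timeout: float = 3.0) -> str:
    """Send one four-letter word on the client port and read until the server
    closes the connection, which it does after answering. No authentication is
    involved: anyone who can reach the port can do this."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(cmd.encode("ascii"))
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def make_sender(host: str, port: int) -> Sender:
    """Bind send_4lw to one server so the helpers below can be pointed at it."""
    return lambda cmd: send_4lw(host, port, cmd)


def is_ok(sender: Sender) -> bool:
    """ruok -> imok when the server is running in a non-error state."""
    return sender("ruok").strip() == "imok"


def parse_mntr(text: str) -> Dict[str, str]:
    """mntr prints one 'key<TAB>value' line per variable; values such as
    zk_version contain spaces, so split only at the first whitespace."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2:
            out[parts[0]] = parts[1].strip()
    return out


def probe_whitelist(sender: Sender, commands: Iterable[str]) -> Dict[str, bool]:
    """Report which words the server executes. A whitelisted word returns output;
    a blocked one returns the '... is not in the whitelist.' message; a word the
    server does not know at all gets no reply."""
    result: Dict[str, bool] = {}
    for cmd in commands:
        reply = sender(cmd)
        result[cmd] = bool(reply.strip()) and NOT_WHITELISTED not in reply
    return result


# Constructed replies, copied from the outputs shown earlier on this page.
CANNED = {
    "ruok": "imok\n",
    "mntr": (
        "zk_version\t3.4.11-37e277162d567b55a07d1755f0b31c32e93c01a0, built on 11/01/2017 18:06 GMT\n"
        "zk_avg_latency\t0\n"
        "zk_server_state\tstandalone\n"
        "zk_znode_count\t16\n"
        "zk_open_file_descriptor_count\t31\n"
        "zk_max_file_descriptor_count\t4096\n"
    ),
    "wchc": "wchc is not executed because it is not in the whitelist.\n",
}


def canned_sender(cmd: str) -> str:
    return CANNED.get(cmd, "")


if __name__ == "__main__":
    sender = canned_sender  # use make_sender("192.168.190.129", 2181) for a live server
    print("ruok:", is_ok(sender))
    print("state:", parse_mntr(sender("mntr"))["zk_server_state"])
    print("exposed:", probe_whitelist(sender, ["ruok", "mntr", "wchc"]))
```

Run probe_whitelist with the full list of words from the documentation against each ensemble member; anything reported True beyond the few words your monitoring needs is reachable by every host that can open port 2181.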
