Znode nodes and ACL permission settings in ZooKeeper
zookeeper
ZooKeeper, a software project of the Apache Software Foundation, is an open-source coordination service for distributed applications. It provides open-source distributed configuration services, synchronization services, and naming registries for large-scale distributed computing.
ZooKeeper is a typical distributed data consistency solution, on top of which distributed applications can implement data publishing/subscribing, load balancing, naming services, distributed coordination/notification, cluster management, master election, distributed locks, distributed queues and other functions.
Official website: http://ZooKeeper.apache.org/
Quick start: http://zookeeper.apache.org/doc/current/zookeeperStarted.html
API address: https://zookeeper.apache.org/doc/
data structure
The structure of the ZooKeeper data model is very similar to the Unix file system. It can be regarded as a tree as a whole. Each node is called a ZNode, and each ZNode can be uniquely identified by its path.
The namespace provided by ZooKeeper is very similar to a standard file system, and data is stored in key-value form. The key is a name made up of path elements separated by slashes (/), and each node in the ZooKeeper namespace is identified by its path.
znode node
node type
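Persistent directory node (PERSISTENT)
: After the client disconnects from ZooKeeper, the node still exists
# A persistent node is created by default
create /test
Persistent sequential directory node (PERSISTENT_SEQUENTIAL)
: After the client disconnects from ZooKeeper, the node still exists, and ZooKeeper numbers the node in sequence
# Create a sequential node
create -s /test
# Returns the actual path created
Created /test0000000001
create -s /test
# Returns the second actual path created
Created /test0000000002
Ephemeral directory node (EPHEMERAL)
: After the client disconnects from ZooKeeper, the node is deleted
# Create an ephemeral node; once the session is disconnected it is deleted automatically and is gone on reconnect
create -e /temp
Ephemeral sequential directory node (EPHEMERAL_SEQUENTIAL)
: After the client disconnects from ZooKeeper, the node is deleted, and ZooKeeper numbers the node in sequence
# The parent /temp must be a persistent node here, because an ephemeral node cannot have child nodes
create -e -s /temp/seq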
node properties
View node properties: stat /znode
State attribute | Description |
---|---|
cZxid | The transaction ID when the node was created. A transaction ID is generated every time the state is modified. The transaction ID gives the total order of all modifications in ZooKeeper. Each modification has a unique zxid; if zxid1 is smaller than zxid2, then zxid1 occurred before zxid2. |
ctime | Time when the node was created |
mZxid | Transaction ID when the node was last modified |
mtime | Time when the node was last modified |
pZxid | Transaction ID of the last modification of this node's child node list. Adding or deleting a child node changes the child node list and therefore the pZxid; modifying the data content of a child node does not. |
cversion | Version number of the child nodes; incremented by 1 each time the child nodes are modified |
dataVersion | Data version number; incremented by 1 each time the data is modified |
aclVersion | Permission version number; incremented by 1 each time the permissions are modified |
ephemeralOwner | The session ID of the session that created this ephemeral node. If the node is a persistent node, the value of this property is 0 |
dataLength | The data length of the node |
numChildren | The number of child nodes of the node; only direct child nodes are counted |
node monitoring
Clients can add the -w parameter to monitor changes to nodes and child nodes and receive notifications in real time.
Command | Description |
---|---|
ls -w path | Monitor changes in child nodes (addition, deletion) |
get -w path | Monitor node data changes |
stat -w path | Monitor changes in node properties |
printwatches on|off | Whether to print the watch event after a watch is triggered (default on) |
client command line
view all commands
Enter the ZooKeeper client command line through zkClient, then enter help to view the commands the ZooKeeper client supports
localhost:2181 $ help
ZooKeeper -server host:port cmd args
stat path [watch]
set path data [version]
ls path [watch]
delquota [-n|-b] path
ls2 path [watch]
setAcl path acl
setquota -n|-b val path
history
redo cmdno
printwatches on|off
delete path [version]
sync path
listquota path
rmr path
get path [watch]
create [-s] [-e] path data acl
addauth scheme auth
getAcl path
command description
View a list of directories under a path
ls [-s] [-w] [-R] path
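path: the path, given as a full path
-s: return status information
-w: watch for node changes
-R: recursively list the directories under a path
Create a node and assign it a value
create [-s] [-e] [-c] [-t ttl] path [data] [acl]
[-s] [-e]: -s and -e are both optional; -s means a sequential node and -e means an ephemeral node. Note that -s and -e can be used together, and an ephemeral node cannot have child nodes
path: the path of the node to create, for example /runoob
data: the data to store in this node
acl: access permissions; the default is world, which means the whole world can access the node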
Modify the data stored by the node
set [-s] [-v version] path data
path: the node path.
data: the data to store.
[version]: optional version number (can be used as an optimistic lock)
Get node data and status information
get [-s] [-w] path
-s: include status information in the result
-w: return the data and set an event watch on the node
View node status information
stat [-w] path
path: the path
-w: set an event watch on the node
delete a node
delete [-v version] path
deleteall path [-b batch size]
If a node is not empty, it cannot be deleted with the delete command
View node status
stat path [watch]
set the value of the node
set path data [version]
View the content contained in the current znode
ls path [watch]
View the current node data and see data such as the number of updates
ls2 path [watch]
Create a node: -s adds a sequence number, -e makes it ephemeral
create [-s] [-e] path data acl
get the value of the node
get path [watch]
delete node
delete path [version]
delete node recursively
rmr path
acl permission setting
ACL stands for Access Control List, which is used to control access rights to resources. ZooKeeper uses ACLs to control access to its znodes.
Access control is based on
scheme:id:permission
The scheme is the authorization mode, the id is the value corresponding to that mode, and the permission is the specific permission bits for adding, deleting and modifying.
Note: when using ACLs, a permission applies only to the current node and is not inherited by child nodes.
scheme authentication model
Scheme | Description |
---|---|
world | Open mode; world means the whole world can access (this is the default setting) |
ip | IP mode; access is restricted to the specified client IPs |
auth | User password authentication mode; access is possible only after authentication has been added to the session |
digest | Similar to auth; the difference is that auth uses plaintext passwords, while digest uses passwords hashed with SHA-1 and then Base64-encoded. Digest is more common in actual use. |
permission bit
Permission bit | Permission | Description |
---|---|---|
c | CREATE | Can create child nodes |
d | DELETE | Child nodes can be deleted (direct child nodes only) |
r | READ | Can read node data and display child node list |
w | WRITE | Node data can be set |
a | ADMIN | Can set node access control list permissions |
acl related commands
Command | Usage | Description |
---|---|---|
getAcl | getAcl | Read ACL permissions |
setAcl | setAcl | Set ACL permissions |
addauth | addauth | Add an authenticated user |
Example of using ACLs
Permissions are only valid for the current node and are not inherited by child nodes. For example, restricting IP access to node A does not restrict IP access to A's child nodes.
world permission
Syntax: setAcl <path> world:anyone:<permission bits>
View default node permissions
# Create a node
$ create -e /test
Created /test
# View the node permissions
# The default permissions returned mean that everyone has all permissions
$ getAcl /test
'world,'anyone
: cdrwa
Modify the default permissions to read and write
# Set rw permissions
setAcl /test world:anyone:rw
# Reading works normally
get /test
# Creating a child node fails
create -e /test/t "rw"
# Returns a no-permission error
Authentication is not valid : /test/t
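The note that permissions are not inherited is easy to miss in practice: restricting a parent leaves every child on whatever ACL it already has. The following is an added example, not ZooKeeper code or code from the original page; it models the per-node check for the world, ip and digest schemes and lists child nodes that are still fully open under a restricted ancestor. The function names and the sample tree are assumptions constructed for illustration.

```python
# Added example: a simplified model of per-znode ACL checks, not ZooKeeper's own code.
import ipaddress

DEFAULT_ACL = ["world:anyone:cdrwa"]  # ACL shown by getAcl on a node created without one

def split_acl(entry):
    """Split 'scheme:id:permission' into its parts (the id may itself contain ':')."""
    scheme, rest = entry.split(":", 1)
    ident, perms = rest.rsplit(":", 1)
    return scheme, ident, perms

def allowed(acl, perm, client_ip, auth_ids=()):
    """True if an entry of this znode's OWN acl grants perm; ancestors are never consulted."""
    for scheme, ident, perms in map(split_acl, acl):
        if perm not in perms:
            continue
        if scheme == "world" and ident == "anyone":
            return True
        if scheme == "ip":
            net = ipaddress.ip_network(ident, strict=False)
            if ipaddress.ip_address(client_ip) in net:
                return True
        if scheme == "digest" and ident in auth_ids:  # ids added with addauth
            return True
    return False

def fully_open(acl):
    """True if the ACL still grants all of cdrwa to world:anyone."""
    return any(s == "world" and set("cdrwa") <= set(p)
               for s, _, p in map(split_acl, acl))

def open_descendants(tree):
    """Paths still world:anyone:cdrwa although an ancestor has been restricted."""
    restricted = [p for p, acl in tree.items() if not fully_open(acl)]
    return sorted(p for p, acl in tree.items()
                  if fully_open(acl) and any(p.startswith(r + "/") for r in restricted))

# Constructed sample tree: path -> ACL entries in the form setAcl takes them.
TREE = {
    "/test": ["ip:10.0.0.0/24:cdrwa"],
    "/test/t": DEFAULT_ACL,              # child whose ACL was never set
    "/test/t/leaf": ["world:anyone:r"],
    "/other": DEFAULT_ACL,
}

if __name__ == "__main__":
    print(allowed(TREE["/test"], "r", "192.168.1.5"))    # client outside the range
    print(allowed(TREE["/test/t"], "w", "192.168.1.5"))  # same client, child node
    print(open_descendants(TREE))
```

Running a listing like `open_descendants` over the ACLs collected with getAcl shows which nodes still need their own setAcl.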
Examples of IP permissions:
Syntax: setAcl <path> ip:<IP address|address range>:<permission bits>
Example of auth mode:
Syntax:
setAcl <path> auth:<username>:<password>:<permission bits>
addauth digest <username>:<password>
Example digest permission:
Syntax:
setAcl <path> digest:<username>:<key>:<permission bits>
addauth digest <username>:<password>
# Generate the key by combining SHA-1 and Base64
echo -n <username>:<password> | openssl dgst -binary -sha1 | openssl base64
# Hash with SHA-1 first, then Base64-encode
echo -n test:123456 | openssl dgst -binary -sha1 | openssl base64
# Returns the key
PbXQT4DQMDcaYC1X0EY0B2RZCwM=
Set digest permission
setAcl /test digest:test:PbXQT4DQMDcaYC1X0EY0B2RZCwM=:cdrw
Viewing the node will show no permissions
# View the node
get /test
# Shows that access is not permitted
Authentication is not valid : /test
Check after adding authentication to the current session
After setting the digest permission for the node, addauth must be executed before accessing it, so that the current session is allowed access.
# Add the authorized account to the current session
addauth digest test:123456
# Viewing again now succeeds
get /test
get /test
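The digest steps above, as an added example that is not part of the original page and not ZooKeeper code: it builds the same SHA-1 plus Base64 key as the openssl pipeline, reads the password with getpass so it does not land in shell history, and models the comparison made after addauth. The function names are assumptions chosen for illustration.

```python
# Added example: digest-scheme key generation and matching (illustrative model).
import base64
import getpass
import hashlib
import hmac

def digest_id(username, password):
    """Return '<username>:<key>' where key = base64(sha1('<username>:<password>'))."""
    raw = hashlib.sha1(f"{username}:{password}".encode("utf-8")).digest()
    return f"{username}:{base64.b64encode(raw).decode('ascii')}"

def acl_string(username, password, perms):
    """Build the 'digest:<username>:<key>:<permission bits>' argument for setAcl."""
    if not perms or set(perms) - set("cdrwa"):
        raise ValueError("permission bits must be drawn from c, d, r, w, a")
    return f"digest:{digest_id(username, password)}:{perms}"

def session_matches(acl, addauth_credential):
    """Model of the check after 'addauth digest <username>:<password>':
    hash the plaintext credential and compare it with the id stored in the ACL."""
    scheme, rest = acl.split(":", 1)
    ident, _perms = rest.rsplit(":", 1)
    user, _, password = addauth_credential.partition(":")
    candidate = digest_id(user, password)
    return scheme == "digest" and hmac.compare_digest(
        ident.encode("utf-8"), candidate.encode("utf-8"))

if __name__ == "__main__":
    user = input("username: ")
    secret = getpass.getpass("password: ")  # not echoed, not kept in shell history
    print("setAcl <path>", acl_string(user, secret, "cdrw"))
```

The key is a plain SHA-1 hash of `username:password`, not an encrypted value, so password strength still determines how well the ACL holds up.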
client tool
ZooInspector
Download link: https://issues.apache.org/jira/secure/attachment/12436620/ZooInspector.zip
Unzip and enter the ZooInspector\build directory, execute the command:
D:\Development\ZooInspector\build>java -jar zookeeper-dev-ZooInspector.jar
PrettyZoo
Download link: https://github.com/vran-dev/PrettyZoo