ACL permission control
What is an ACL (Access Control List)
- Read and write permissions can be set on a node in order to protect the data it holds
- Permissions can be granted to different scopes and roles
ACL command line
getAcl: obtain the ACL information of a node
[zk: localhost:2181(CONNECTED) 11] getAcl /itheima
'world,'anyone
: cdrwa
setAcl: set the ACL information of a node
addauth: supply authentication information. The password is typed in plain text when you register (log in) with zk, but zk keeps the password in encrypted form
ACL configuration
A zk ACL is a list of entries of the form [scheme:id:permissions]
- scheme: the authorization mechanism being used
- id: the user (or users) allowed access
- permissions: the permission string, a combination of permission letters
scheme:
world: has only one id, anyone, so there is only one possible way to write it:
world:anyone:[permissions]
auth: login authentication; the user has to be registered before it can be granted permissions. Form: auth:user:password:[permissions]
digest: the password is needed in encrypted form to gain access. Form: digest:username:BASE64(SHA1(password)):[permissions]
Difference between auth and digest: the former takes the password in plaintext, the latter in ciphertext
- setAcl /path auth:tom:tom:cdrwa
- is equivalent to setAcl /path digest:tom:BASE64(SHA1(password)):cdrwa
- after addauth digest tom:tom, the client can operate on the specified node with those rights
ip: restricts access to the specified IP address, e.g. ip:192.168.1.1:[permissions]
super: the super administrator, who has all permissions
Description of permissions
- cdrwa
- Create (c): create child nodes
- Read (r): read node data / list child nodes
- Write (w): set node data
- Delete (d): delete child nodes
- Admin (a): set permissions
world:anyone:cdrwa
# create child node /itheima/abc
[zk: localhost:2181(CONNECTED) 5] create /itheima/abc 123
Created /itheima/abc
# check the node's permissions: a newly created node gets world:anyone:cdrwa by default
[zk: localhost:2181(CONNECTED) 6] getAcl /itheima/abc
'world,'anyone
: cdrwa
- Modify a node's permissions with setAcl: setAcl path world:anyone:crwa
# set the permissions to crwa, dropping d (permission to delete child nodes)
[zk: localhost:2181(CONNECTED) 7] setAcl /itheima/abc world:anyone:crwa
cZxid = 0xb3
ctime = Sun Jan 06 17:46:55 CST 2019
mZxid = 0xb3
mtime = Sun Jan 06 17:46:55 CST 2019
pZxid = 0xb3
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 3
numChildren = 0
# check the permissions
[zk: localhost:2181(CONNECTED) 8] getAcl /itheima/abc
'world,'anyone
: crwa
# create a new child node
[zk: localhost:2181(CONNECTED) 9] create /itheima/abc/xyz 123
Created /itheima/abc/xyz
# test whether the child node can be deleted
[zk: localhost:2181(CONNECTED) 11] delete /itheima/abc/xyz
Authentication is not valid : /itheima/abc/xyz
# the child node still exists
[zk: localhost:2181(CONNECTED) 12] ls /itheima/abc
[xyz]
auth:user:pwd:cdrwa (password in plain text): ACL handled with the auth scheme
addauth digest user:pwd registers (logs in) the user
[zk: lh:2181(CONNECTED) 13] setAcl /itheima/abc auth:itheima:itheima:cdrwa
Acl is not valid : /itheima/abc
# no user has been registered yet
[zk: lh:2181(CONNECTED) 14] addauth digest itheima:itheima
# register the user
[zk: lh:2181(CONNECTED) 15] setAcl /itheima/abc auth:itheima:itheima:cdrwa
cZxid = 0xb3
ctime = Sun Jan 06 17:46:55 CST 2019
mZxid = 0xb3
mtime = Sun Jan 06 17:46:55 CST 2019
pZxid = 0xb5
cversion = 1
dataVersion = 0
aclVersion = 2
ephemeralOwner = 0x0
dataLength = 3
numChildren = 1
[zk: lh:2181(CONNECTED) 16] getAcl /itheima/abc
'digest,'itheima:8vob7o7uTPp2jDaiVV3mUesBi7A=
: cdrwa
# exit the terminal and try again
[zk: localhost:2181(CONNECTED) 0] ls /itheima
[sec0000000003, dir1, abc, sec0000000002]
[zk: localhost:2181(CONNECTED) 1] ls /itheima/abc
Authentication is not valid : /itheima/abc
# no read permission
# log in and look again
[zk: localhost:2181(CONNECTED) 4] addauth digest itheima:itheima
[zk: localhost:2181(CONNECTED) 5] ls /itheima/abc
[xyz]
# modify the granted permissions: once a user has been specified, setting the ACL again does not require passing the username and password
[zk: localhost:2181(CONNECTED) 8] setAcl /itheima/abc auth::crwa
cZxid = 0xb3
ctime = Sun Jan 06 17:46:55 CST 2019
mZxid = 0xb3
mtime = Sun Jan 06 17:46:55 CST 2019
pZxid = 0xb5
cversion = 1
dataVersion = 0
aclVersion = 3
ephemeralOwner = 0x0
dataLength = 3
numChildren = 1
[zk: localhost:2181(CONNECTED) 9] getAcl /itheima/abc
'digest,'itheima:8vob7o7uTPp2jDaiVV3mUesBi7A=
: crwa
digest:user:BASE64(SHA1(pwd)):cdrwa (password in ciphertext): ACL handled with the digest scheme
[zk: localhost:2181(CONNECTED) 13] setAcl /itheima/test digest:itheima:8vob7o7uTPp2jDaiVV3mUesBi7A=:rwa
cZxid = 0xbc
ctime = Sun Jan 06 18:20:23 CST 2019
mZxid = 0xbc
mtime = Sun Jan 06 18:20:23 CST 2019
pZxid = 0xbc
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 3
numChildren = 0
[zk: localhost:2181(CONNECTED) 14] ls /itheima/test
[]
[zk: localhost:2181(CONNECTED) 15] getAcl /itheima/test
'digest,'itheima:8vob7o7uTPp2jDaiVV3mUesBi7A=
: rwa
ip:192.168.1.1:cdrwa: control by IP address whether a given client has access
[zk: localhost:2181(CONNECTED) 17] create /itheima/test2 123
Created /itheima/test2
[zk: localhost:2181(CONNECTED) 18] setAcl /itheima/test2 ip:192.168.199.3:crwa
cZxid = 0xbf
ctime = Sun Jan 06 18:24:28 CST 2019
mZxid = 0xbf
mtime = Sun Jan 06 18:24:28 CST 2019
pZxid = 0xbf
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 3
numChildren = 0
[zk: localhost:2181(CONNECTED) 19] getAcl /itheima/test2
'ip,'192.168.199.3
: crwa
[zk: localhost:2181(CONNECTED) 20] get /itheima/test2
Authentication is not valid : /itheima/test2
Super administrator
Modify zkServer.sh, adding the superDigest system property to the server start-up command
nohup $JAVA $ZOO_DATADIR_AUTOCREATE "-Dzookeeper.log.dir=${ZOO_LOG_DIR}" \
    "-Dzookeeper.root.logger=${ZOO_LOG4J_PROP}" \
    "-Dzookeeper.DigestAuthenticationProvider.superDigest=itheima:8vob7o7uTPp2jDaiVV3mUesBi7A=" \
    -cp "$CLASSPATH" $JVMFLAGS $ZOOMAIN "$ZOOCFG" > "$_ZOO_DAEMON_OUT" 2>&1 < /dev/null &
Restart the server, then log in from the client
[zk: localhost:2181(CONNECTED) 2] addauth digest czk:czk
[zk: localhost:2181(CONNECTED) 3] ls /czk/test2
[]
[zk: localhost:2181(CONNECTED) 4] getAcl /czk/test2
'ip,'192.168.199.3
: crwa
[zk: localhost:2181(CONNECTED) 5] ls /czk/test2
[]
[zk: localhost:2181(CONNECTED) 6] delete /czk/test2
[zk: localhost:2181(CONNECTED) 7] ls /czk
[sec0000000003, dir1, abc, test, sec0000000002]
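Added example, not code from the original post: a small Python model of the two things the transcripts above exercise, the digest id that addauth digest (and the superDigest property in zkServer.sh) is built from, and the ACL match that decides between success and "Authentication is not valid". The names generate_digest, parse_acl and is_allowed are my own; ZooKeeper stores auth entries as digest entries (as the getAcl output above shows), so the model compares digest ids, and you can compare generate_digest("itheima", "itheima") with the id shown in the transcript.

```python
import base64
import hashlib

# Permission letters as ZooKeeper uses them: c=create, r=read, w=write,
# d=delete (of child nodes), a=admin (setAcl).
PERMS = set("crwda")


def generate_digest(user, password):
    """Return the id stored for the digest scheme: user:BASE64(SHA1("user:password")).
    ZooKeeper's DigestAuthenticationProvider hashes the literal "user:password"
    string with unsalted SHA-1, so equal credentials always map to the same id."""
    raw = "{}:{}".format(user, password).encode("utf-8")
    return "{}:{}".format(user, base64.b64encode(hashlib.sha1(raw).digest()).decode("ascii"))


def parse_acl(spec):
    """Split 'scheme:id:permissions'; the id may itself contain ':' (digest ids do)."""
    scheme, _, rest = spec.partition(":")
    ident, _, perms = rest.rpartition(":")
    if scheme not in ("world", "auth", "digest", "ip") or not perms or not set(perms) <= PERMS:
        raise ValueError("bad ACL spec: " + spec)
    return scheme, ident, set(perms)


def is_allowed(acls, op, client_ids):
    """True if some entry grants `op` to a session that has proved `client_ids`, a set of
    (scheme, id) pairs; an addauth digest user:pwd login adds ("digest", generate_digest(...)).
    No matching entry is what the CLI reports as "Authentication is not valid"."""
    for scheme, ident, perms in acls:
        if op not in perms:
            continue
        if scheme == "world" and ident == "anyone":
            return True
        if (scheme, ident) in client_ids:
            return True
    return False


if __name__ == "__main__":
    # delete /itheima/abc/xyz is checked against the 'd' bit of the PARENT /itheima/abc,
    # which the transcript set to world:anyone:crwa, so it is denied
    print("delete child under crwa:", is_allowed([parse_acl("world:anyone:crwa")], "d", set()))
    # the digest id for the transcript's credentials itheima:itheima
    digest_id = generate_digest("itheima", "itheima")
    print("digest id:", digest_id)
    acl = [("digest", digest_id, set("cdrwa"))]
    print("read without addauth:", is_allowed(acl, "r", set()))
    print("read after addauth:  ", is_allowed(acl, "r", {("digest", digest_id)}))
```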