ZooKeeper ACL permissions

ACL access control

  • What is an ACL (Access Control List)

    • Permissions can be set on a node for reading, writing and related operations, in order to protect the data
    • A permission entry specifies both the scope of the permission (which operations) and the role (who may use it)
  • ACL command line

    • getAcl: get the ACL information of a node

      [zk: localhost:2181(CONNECTED) 11] getAcl /itheima
      'world,'anyone
      : cdrwa
    • setAcl: set the ACL information of a node

    • addauth: supply authentication information; the password is typed in plain text when registering (logging in), but inside the zk system it is stored in encrypted form

  • ACL configuration

    • A zk ACL is a list of entries of the form [scheme:id:permissions]

      • scheme: the authorization mechanism used
      • id: the user (identity) allowed access
      • permissions: the combination of permission characters
    • scheme:

      • world: has only one id, anyone; that is, there is only one user (anyone), so the only possible combination is

        world:anyone:[permissions]

      • auth: authenticated login; the user must first be registered with addauth, and the entry takes the form auth:user:password:[permissions]

      • digest: access requires the encrypted password, and the entry takes the form digest:username:BASE64(SHA1(password)):[permissions]

      • Difference between auth and digest: the former takes the password in plaintext, the latter as ciphertext

        • setAcl /path auth:tom:tom:cdrwa
        • is equivalent to setAcl /path digest:tom:BASE64(SHA1(password)):cdrwa
        • After addauth digest tom:tom, the client can operate on the specified node with those rights
      • ip: restricts access to the given IP address, for example ip:192.168.1.1:[permissions]

      • super: the super administrator, who holds all permissions

    • Description of permissions

      • cdrwa
      • c (Create): create a child node
      • r (Read): get the node's data / child nodes
      • w (Write): set the node's data
      • d (Delete): delete a child node
      • a (Admin): set permissions
    • world:anyone:cdrwa

      #create the child node /itheima/abc
      [zk: localhost:2181(CONNECTED) 5] create /itheima/abc 123
      Created /itheima/abc
      #view the node's permissions; a newly created node's default permission is world:anyone:cdrwa
      [zk: localhost:2181(CONNECTED) 6] getAcl /itheima/abc
      'world,'anyone
      : cdrwa
      • Modify a node's permissions with setAcl: setAcl path world:anyone:crwa
      #set the permissions to crwa, i.e. remove d, the permission to delete child nodes
      [zk: localhost:2181(CONNECTED) 7] setAcl /itheima/abc world:anyone:crwa
      cZxid = 0xb3
      ctime = Sun Jan 06 17:46:55 CST 2019
      mZxid = 0xb3
      mtime = Sun Jan 06 17:46:55 CST 2019
      pZxid = 0xb3
      cversion = 0
      dataVersion = 0
      aclVersion = 1
      ephemeralOwner = 0x0
      dataLength = 3
      numChildren = 0
      #view the permissions
      [zk: localhost:2181(CONNECTED) 8] getAcl /itheima/abc
      'world,'anyone
      : crwa
      #create a new child node
      [zk: localhost:2181(CONNECTED) 9] create /itheima/abc/xyz 123
      Created /itheima/abc/xyz
      #test whether the child node can be deleted
      [zk: localhost:2181(CONNECTED) 11] delete /itheima/abc/xyz
      Authentication is not valid : /itheima/abc/xyz
      #the child node still exists
      [zk: localhost:2181(CONNECTED) 12] ls /itheima/abc
      [xyz]
    • auth:user:pwd:cdrwa (password in plain text): handling ACLs with the auth scheme

      addauth digest user:pwd registers (logs in) the user

      [zk: lh:2181(CONNECTED) 13] setAcl /itheima/abc auth:itheima:itheima:cdrwa
      Acl is not valid : /itheima/abc # no user has been registered yet
      [zk: lh:2181(CONNECTED) 14] addauth digest itheima:itheima  #register the user
      [zk: lh:2181(CONNECTED) 15] setAcl /itheima/abc auth:itheima:itheima:cdrwa
      cZxid = 0xb3
      ctime = Sun Jan 06 17:46:55 CST 2019
      mZxid = 0xb3
      mtime = Sun Jan 06 17:46:55 CST 2019
      pZxid = 0xb5
      cversion = 1
      dataVersion = 0
      aclVersion = 2
      ephemeralOwner = 0x0
      dataLength = 3
      numChildren = 1
      [zk: lh:2181(CONNECTED) 16] getAcl /itheima/abc
      'digest,'itheima:8vob7o7uTPp2jDaiVV3mUesBi7A=
      : cdrwa
      #exit the terminal, then operate again
      [zk: localhost:2181(CONNECTED) 0] ls /itheima
      [sec0000000003, dir1, abc, sec0000000002]
      [zk: localhost:2181(CONNECTED) 1] ls /itheima/abc
      Authentication is not valid : /itheima/abc  #no read permission
      #view again after logging in
      [zk: localhost:2181(CONNECTED) 4] addauth digest itheima:itheima
      [zk: localhost:2181(CONNECTED) 5] ls /itheima/abc
      [xyz]
      #modify the authorization: once a username has been specified, setting the ACL again does not require passing the username and password
      [zk: localhost:2181(CONNECTED) 8] setAcl /itheima/abc auth::crwa
      cZxid = 0xb3
      ctime = Sun Jan 06 17:46:55 CST 2019
      mZxid = 0xb3
      mtime = Sun Jan 06 17:46:55 CST 2019
      pZxid = 0xb5
      cversion = 1
      dataVersion = 0
      aclVersion = 3
      ephemeralOwner = 0x0
      dataLength = 3
      numChildren = 1
      [zk: localhost:2181(CONNECTED) 9] getAcl /itheima/abc
      'digest,'itheima:8vob7o7uTPp2jDaiVV3mUesBi7A=
      : crwa
      
    • digest:user:BASE64(SHA1(pwd)):cdrwa (password as ciphertext): handling ACLs with the digest scheme

      [zk: localhost:2181(CONNECTED) 13] setAcl /itheima/test digest:itheima:8vob7o7uTPp2jDaiVV3mUesBi7A=:rwa
      cZxid = 0xbc
      ctime = Sun Jan 06 18:20:23 CST 2019
      mZxid = 0xbc
      mtime = Sun Jan 06 18:20:23 CST 2019
      pZxid = 0xbc
      cversion = 0
      dataVersion = 0
      aclVersion = 1
      ephemeralOwner = 0x0
      dataLength = 3
      numChildren = 0
      [zk: localhost:2181(CONNECTED) 14] ls /itheima/test
      []
      [zk: localhost:2181(CONNECTED) 15] getAcl /itheima/test
      'digest,'itheima:8vob7o7uTPp2jDaiVV3mUesBi7A=
      : rwa
    • ip:192.168.1.1:cdrwa: controls by IP address whether a particular client has access

      [zk: localhost:2181(CONNECTED) 17] create /itheima/test2 123
      Created /itheima/test2
      [zk: localhost:2181(CONNECTED) 18] setAcl /itheima/test2 ip:192.168.199.3:crwa
      cZxid = 0xbf
      ctime = Sun Jan 06 18:24:28 CST 2019
      mZxid = 0xbf
      mtime = Sun Jan 06 18:24:28 CST 2019
      pZxid = 0xbf
      cversion = 0
      dataVersion = 0
      aclVersion = 1
      ephemeralOwner = 0x0
      dataLength = 3
      numChildren = 0
      [zk: localhost:2181(CONNECTED) 19] getAcl /itheima/test2
      'ip,'192.168.199.3
      : crwa
      [zk: localhost:2181(CONNECTED) 20] get /itheima/test2
      Authentication is not valid : /itheima/test2
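      The two "Authentication is not valid" results above (deleting /itheima/abc/xyz under a world:anyone:crwa parent, and reading /itheima/test2 from a host other than 192.168.199.3) follow from one rule: create and delete are checked against the parent's ACL, everything else against the node's own ACL. The following is an added example, not code from the original post or from ZooKeeper itself: a small model of that check. The permission bit values follow ZooKeeper's ZooDefs.Perms; the ACL state, the session ids and the client addresses (127.0.0.1 for the local zkCli, 192.168.199.3 for the permitted client) are constructed for the demo. It goes slightly beyond the post in also accepting the ip scheme's addr/bits form and modelling the super user's bypass.

```python
# Added example, not code from the original post: a small model of how ZooKeeper
# evaluates ACL entries "scheme:id:permissions" against a client session.
# Permission bit values follow ZooKeeper's ZooDefs.Perms; the ACL state, session
# ids and client addresses below are constructed for this demonstration.
import ipaddress

# Permission letters in the order getAcl prints them ("cdrwa") and their bits.
PERM_BITS = {"c": 4, "d": 8, "r": 1, "w": 2, "a": 16}

# Permission each operation needs and where it is checked: creating or deleting
# a znode is checked against the PARENT's ACL, the rest against the znode itself.
OP_RULES = {
    "create": ("c", "parent"),
    "delete": ("d", "parent"),
    "getData": ("r", "node"),
    "getChildren": ("r", "node"),
    "setData": ("w", "node"),
    "setACL": ("a", "node"),
}


def parse_acl(entry):
    """Split 'scheme:id:perms' into (scheme, id, permission bits).
    The id may itself contain ':' (digest ids are 'user:BASE64(SHA1(...))'),
    so the scheme is cut from the left and the permissions from the right."""
    scheme, rest = entry.split(":", 1)
    ident, perms = rest.rsplit(":", 1)
    bits = 0
    for letter in perms:
        if letter not in PERM_BITS:
            raise ValueError("unknown permission letter %r in %r" % (letter, entry))
        bits |= PERM_BITS[letter]
    return scheme, ident, bits


def id_matches(scheme, ident, session):
    """Does the ACL id match the session?  session = {"ip": client address,
    "auth": [(scheme, id), ...]} where the auth list is what addauth added."""
    if scheme == "world":
        return ident == "anyone"
    if scheme == "ip":
        # The ip scheme accepts 'addr' or 'addr/bits'; ip_network handles both.
        return ipaddress.ip_address(session["ip"]) in ipaddress.ip_network(ident, strict=False)
    if scheme == "digest":
        # After 'addauth digest user:pwd' the session carries the id
        # 'user:BASE64(SHA1(user:pwd))'; matching is a plain string comparison.
        return ("digest", ident) in session["auth"]
    return False


def granted_bits(acl_entries, session):
    """Union of the permission bits of every entry whose id matches the session."""
    bits = 0
    for entry in acl_entries:
        scheme, ident, entry_bits = parse_acl(entry)
        if id_matches(scheme, ident, session):
            bits |= entry_bits
    return bits


def check(op, path, acls, session):
    """True if `op` on `path` is allowed. `acls` maps znode path -> ACL list, as
    setAcl stores it; nodes with no entry get the default world:anyone:cdrwa.
    A session authenticated as the super user bypasses the ACL check entirely."""
    if any(scheme == "super" for scheme, _ in session["auth"]):
        return True
    letter, where = OP_RULES[op]
    if where == "parent":
        target = path.rsplit("/", 1)[0] or "/"
    else:
        target = path
    entries = acls.get(target, ["world:anyone:cdrwa"])
    return bool(granted_bits(entries, session) & PERM_BITS[letter])


def demo():
    """Replay the post's two failing commands next to their successful neighbours."""
    acls = {
        "/itheima/abc": ["world:anyone:crwa"],        # d was removed with setAcl
        "/itheima/test2": ["ip:192.168.199.3:crwa"],  # only that address allowed
    }
    local = {"ip": "127.0.0.1", "auth": []}       # assumed: zkCli on the server host
    remote = {"ip": "192.168.199.3", "auth": []}  # assumed: the permitted client
    return {
        "create_xyz": check("create", "/itheima/abc/xyz", acls, local),
        "delete_xyz": check("delete", "/itheima/abc/xyz", acls, local),
        "ls_abc": check("getChildren", "/itheima/abc", acls, local),
        "get_test2_local": check("getData", "/itheima/test2", acls, local),
        "get_test2_remote": check("getData", "/itheima/test2", acls, remote),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print("%-17s %s" % (name, "ok" if allowed else "Authentication is not valid"))
```

Two practical consequences of this model are worth checking on a real ensemble: a node whose ACL grants everything except d still cannot stop its own deletion, because that decision is made by the parent's ACL; and the ip scheme only sees the source address the server receives, so clients behind the same NAT or proxy are indistinguishable to it.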
    • super administrator

      Modify zkServer.sh

       nohup $JAVA $ZOO_DATADIR_AUTOCREATE "-Dzookeeper.log.dir=${ZOO_LOG_DIR}" \
          "-Dzookeeper.root.logger=${ZOO_LOG4J_PROP}" \
          "-Dzookeeper.DigestAuthenticationProvider.superDigest=itheima:8vob7o7uTPp2jDaiVV3mUesBi7A=" \
          -cp "$CLASSPATH" $JVMFLAGS $ZOOMAIN "$ZOOCFG" > "$_ZOO_DAEMON_OUT" 2>&1 < /dev/null &
      

      After the restart, log in from the client

    [zk: localhost:2181(CONNECTED) 2] addauth digest czk:czk
    [zk: localhost:2181(CONNECTED) 3] ls /czk/test2
    []
    [zk: localhost:2181(CONNECTED) 4] getAcl /czk/test2
    'ip,'192.168.199.3
    : crwa
    [zk: localhost:2181(CONNECTED) 5] ls /czk/test2
    []
    [zk: localhost:2181(CONNECTED) 6] delete /czk/test2
    [zk: localhost:2181(CONNECTED) 7] ls /czk
    [sec0000000003, dir1, abc, test, sec0000000002]
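The same digest string appears three times on this page: in the getAcl output after an auth: ACL, as the id typed into a digest: ACL, and in the superDigest flag added to zkServer.sh. The following is an added example, not code from the original post or from ZooKeeper itself, that reproduces it so the value never has to be copied from a terminal by hand. It hashes the whole "user:password" string with SHA-1 and Base64-encodes the raw hash bytes, which is what ZooKeeper's DigestAuthenticationProvider.generateDigest() does; the assumed credentials itheima:itheima are the ones used in the post's session, and the flag name is the one shown in the zkServer.sh line above.

```python
# Added example, not code from the original post: reproduce the id string that
# ZooKeeper stores for digest ACLs and expects in the superDigest JVM flag.
# The digest is SHA-1 over the whole "user:password" string, Base64-encoded,
# as in ZooKeeper's DigestAuthenticationProvider.generateDigest().
import base64
import hashlib
import hmac

SUPER_DIGEST_FLAG = "-Dzookeeper.DigestAuthenticationProvider.superDigest="


def generate_digest(user, password):
    """Return 'user:BASE64(SHA1(user:password))', the id that getAcl prints."""
    raw = hashlib.sha1(("%s:%s" % (user, password)).encode("utf-8")).digest()
    return "%s:%s" % (user, base64.b64encode(raw).decode("ascii"))


def digest_acl(user, password, perms):
    """Build the setAcl argument for the digest scheme without retyping the hash."""
    return "digest:%s:%s" % (generate_digest(user, password), perms)


def super_digest_flag(user, password):
    """Build the -D flag that zkServer.sh passes to the JVM for the super user."""
    return SUPER_DIGEST_FLAG + generate_digest(user, password)


def verify(user, password, stored_id):
    """Check presented credentials against the id stored in an ACL entry, using a
    constant-time comparison so the check does not leak how many bytes matched."""
    return hmac.compare_digest(generate_digest(user, password), stored_id)


if __name__ == "__main__":
    # Assumed credentials, the same ones the post's session registers with addauth.
    print(digest_acl("itheima", "itheima", "rwa"))
    print(super_digest_flag("itheima", "itheima"))
```

Two things follow from how the value is built. The digest is an unsalted SHA-1 of user:password, and getAcl shows it to anyone who can connect, so the digest itself is only as strong as the password behind it. The superDigest line in zkServer.sh grants a bypass of every ACL on the ensemble, so that file, and the start-up command line where the flag is visible, deserve the same handling as the password it encodes.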

Origin www.cnblogs.com/xinyonghu/p/11032100.html