I. Introduction
To avoid data being stored in the other programs Zookeeper human error or modified, provided Zookeeper ACL (Access Control Lists) for access control. Only users who have the proper permission can perform operations such as CRUD node. Hereinafter were introduced using native commands and Apache Curator Shell client permissions.
Second, the use Shell rights management
2.1 Setting and viewing permissions
A node you want to set permissions (ACL), the following two optional commands:
# 1.给已有节点赋予权限
setAcl path acl
# 2.在创建节点时候指定权限
create [-s] [-e] path data aclCheck the specified node authority to order as follows:
getAcl path2.2 Permissions composition
Zookeeper permission by [scheme: id: permissions] of three parts, which can be built Schemes and Permissions options are as follows:
Permissions options :
- The CREATE : allows you to create a child node;
- The READ : allow acquiring data from a node and its child nodes are listed;
- The WRITE : allows setting data node;
- DELETE : allows you to delete child nodes;
- ADMIN : allows for the node set permissions.
Schemes options :
- world : the default mode, all clients have the specified permission. the next world only one id option is to anyone, usually written as a combination
world:anyone:[permissons]; - auth : Only authenticated users only have the specified permission. Usually written as a combination
auth:user:password:[permissons], when using this mode, you need to log in using auth mode after setting permissions,userandpasswordwill use the login user name and password; - Digest : Only authenticated users only have the specified permission. Typically written as a combination
auth:user:BASE64(SHA1(password)):[permissons], the password in this form must be double encrypted SHA1 and BASE64; - ip : limit only certain IP client only has permission specified. Usually it consists of writing is
ip:182.168.0.168:[permissions]; - Super : on behalf of super administrator, has all the permissions need to modify the startup script Zookeeper configuration.
2.3 Adding authentication information
You may be used as follows for the current Session command to add the user authentication information, equivalent to the registration operation.
# 格式
addauth scheme auth
#示例:添加用户名为heibai,密码为root的用户认证信息
addauth digest heibai:root 2.4 permissions example
1. world mode
world is a default mode, that is created if you do not specify the permissions, the default permissions that world.
[zk: localhost:2181(CONNECTED) 32] create /hadoop 123
Created /hadoop
[zk: localhost:2181(CONNECTED) 33] getAcl /hadoop
'world,'anyone #默认的权限
: cdrwa
[zk: localhost:2181(CONNECTED) 34] setAcl /hadoop world:anyone:cwda # 修改节点,不允许所有客户端读
....
[zk: localhost:2181(CONNECTED) 35] get /hadoop
Authentication is not valid : /hadoop # 权限不足
2. auth mode
[zk: localhost:2181(CONNECTED) 36] addauth digest heibai:heibai # 登录
[zk: localhost:2181(CONNECTED) 37] setAcl /hadoop auth::cdrwa # 设置权限
[zk: localhost:2181(CONNECTED) 38] getAcl /hadoop # 获取权限
'digest,'heibai:sCxtVJ1gPG8UW/jzFHR0A1ZKY5s= #用户名和密码 (密码经过加密处理),注意返回的权限类型是 digest
: cdrwa
#用户名和密码都是使用登录的用户名和密码,即使你在创建权限时候进行指定也是无效的
[zk: localhost:2181(CONNECTED) 39] setAcl /hadoop auth:root:root:cdrwa #指定用户名和密码为 root
[zk: localhost:2181(CONNECTED) 40] getAcl /hadoop
'digest,'heibai:sCxtVJ1gPG8UW/jzFHR0A1ZKY5s= #无效,使用的用户名和密码依然还是 heibai
: cdrwa
3. digest mode
[zk:44] create /spark "spark" digest:heibai:sCxtVJ1gPG8UW/jzFHR0A1ZKY5s=:cdrwa #指定用户名和加密后的密码
[zk:45] getAcl /spark #获取权限
'digest,'heibai:sCxtVJ1gPG8UW/jzFHR0A1ZKY5s= # 返回的权限类型是 digest
: cdrwaHere you can use to find authpatterns set permissions and usage digestpermissions mode in the final results, obtained permission modes are digest. To some extent, you can authpattern understood as digesta simple mode of implementation. Because digestmode, you need to write the user name and password each time encryption setting, which is more cumbersome, the use of authmodel can avoid this kind of trouble.
4. ip mode
Limited access to only certain ip.
[zk: localhost:2181(CONNECTED) 46] create /hive "hive" ip:192.168.0.108:cdrwa
[zk: localhost:2181(CONNECTED) 47] get /hive
Authentication is not valid : /hive # 当前主机已经不能访问Here you can see the current host can not access, want to be able to access again, you can use the corresponding IP client, or use the introduction of the following supermode.
5. super mode
Need to modify the startup script zkServer.shand add super administrator account and password information at the specified location:
"-Dzookeeper.DigestAuthenticationProvider.superDigest=heibai:sCxtVJ1gPG8UW/jzFHR0A1ZKY5s=" 
After editing is required zkServer.sh restartto restart the service, this time limit IP access node again:
[zk: localhost:2181(CONNECTED) 0] get /hive #访问受限
Authentication is not valid : /hive
[zk: localhost:2181(CONNECTED) 1] addauth digest heibai:heibai # 登录 (添加认证信息)
[zk: localhost:2181(CONNECTED) 2] get /hive #成功访问
hive
cZxid = 0x158
ctime = Sat May 25 09:11:29 CST 2019
mZxid = 0x158
mtime = Sat May 25 09:11:29 CST 2019
pZxid = 0x158
cversion = 0
dataVersion = 0
aclVersion = 0
ephemeralOwner = 0x0
dataLength = 4
numChildren = 0Third, using the Java client rights management
3.1 depends
Apache Curator here for an example, you need to import the depending Before use, the complete dependence follows:
<dependencies>
<!--Apache Curator 相关依赖-->
<dependency>
<groupId>org.apache.curator</groupId>
<artifactId>curator-framework</artifactId>
<version>4.0.0</version>
</dependency>
<dependency>
<groupId>org.apache.curator</groupId>
<artifactId>curator-recipes</artifactId>
<version>4.0.0</version>
</dependency>
<dependency>
<groupId>org.apache.zookeeper</groupId>
<artifactId>zookeeper</artifactId>
<version>3.4.13</version>
</dependency>
<!--单元测试相关依赖-->
<dependency>
<groupId>junit</groupId>
<artifactId>junit</artifactId>
<version>4.12</version>
</dependency>
</dependencies>3.2 Rights Management API
Example Apache Curator permission settings as follows:
public class AclOperation {
private CuratorFramework client = null;
private static final String zkServerPath = "192.168.0.226:2181";
private static final String nodePath = "/hadoop/hdfs";
@Before
public void prepare() {
RetryPolicy retryPolicy = new RetryNTimes(3, 5000);
client = CuratorFrameworkFactory.builder()
.authorization("digest", "heibai:123456".getBytes()) //等价于 addauth 命令
.connectString(zkServerPath)
.sessionTimeoutMs(10000).retryPolicy(retryPolicy)
.namespace("workspace").build();
client.start();
}
/**
* 新建节点并赋予权限
*/
@Test
public void createNodesWithAcl() throws Exception {
List<ACL> aclList = new ArrayList<>();
// 对密码进行加密
String digest1 = DigestAuthenticationProvider.generateDigest("heibai:123456");
String digest2 = DigestAuthenticationProvider.generateDigest("ying:123456");
Id user01 = new Id("digest", digest1);
Id user02 = new Id("digest", digest2);
// 指定所有权限
aclList.add(new ACL(Perms.ALL, user01));
// 如果想要指定权限的组合,中间需要使用 | ,这里的|代表的是位运算中的 按位或
aclList.add(new ACL(Perms.DELETE | Perms.CREATE, user02));
// 创建节点
byte[] data = "abc".getBytes();
client.create().creatingParentsIfNeeded()
.withMode(CreateMode.PERSISTENT)
.withACL(aclList, true)
.forPath(nodePath, data);
}
/**
* 给已有节点设置权限,注意这会删除所有原来节点上已有的权限设置
*/
@Test
public void SetAcl() throws Exception {
String digest = DigestAuthenticationProvider.generateDigest("admin:admin");
Id user = new Id("digest", digest);
client.setACL()
.withACL(Collections.singletonList(new ACL(Perms.READ | Perms.DELETE, user)))
.forPath(nodePath);
}
/**
* 获取权限
*/
@Test
public void getAcl() throws Exception {
List<ACL> aclList = client.getACL().forPath(nodePath);
ACL acl = aclList.get(0);
System.out.println(acl.getId().getId()
+ "是否有删读权限:" + (acl.getPerms() == (Perms.READ | Perms.DELETE)));
}
@After
public void destroy() {
if (client != null) {
client.close();
}
}
}See full source code of this warehouse: https://github.com/heibaiying/BigData-Notes/tree/master/code/Zookeeper/curator
More big data series can be found GitHub open source project : Big Data Getting Started