zookeeper的权限控制

zookeeper的acl权限控制
 概述
​ zookeeper 类似文件系统,client 可以创建节点、更新节点、删除节点,那么如何做到节点的权限的控制呢?zookeeper的access control list 访问控制列表可以做到acl 权限控制,使用scheme:id:permission 来标识,主要涵盖 3 个方面:

  • 权限模式(scheme):授权的策略
  • 授权对象(id):授权的对象
  • 权限(permission):授予的权限

其特性如下
zooKeeper的权限控制是基于每个znode节点的,需要对每个节点设置权限每个znode支持设置多种权限控制方案和多个权限子节点不会继承父节点的权限,客户端无权访问某节点,但可能可以访问它的子节点

setAcl /test2 ip:192.168.60.130:crwda // 将节点权限设置为Ip:192.168.60.130

权限模式
​ 采用何种方式授权

方案 描述
world 只有一个用户: anyone, 代表登录zokeeper所有人(默认)
ip 对客户端使用IP地址认证
auth 使用已添加认证的用户认证
digest 使用用户名:密码方式认证


 授权的对象

​ 授权对象ID是指,权限赋予的实体,例如:IP 地址或用户。

授予的权限

world: 它下面只有一个id, 叫anyone, world:anyone代表任何人,zookeeper中对所有人有权限的结点就是属于world:anyone的

auth: 它不需要id, 只要是通过authentication的user都有权限(zookeeper支持通过kerberos来进行authencation, 也支持username/password形式的authentication)

digest: 它对应的id为username:BASE64(SHA1(password)),它需要先通过username:password形式的authentication

ip: 它对应的id为客户机的IP地址,设置的时候可以设置一个ip段,比如ip:192.168.1.0/16, 表示匹配前16个bit的IP段

super: 在这种scheme情况下,对应的id拥有超级权限,可以做任何事情(cdrwa)

CREATE(c): 创建权限,可以在在当前node下创建child node

DELETE(d): 删除权限,可以删除当前的node

READ(r): 读权限,可以获取当前node的数据,可以list当前node所有的child nodes

WRITE(w): 写权限,可以向当前node写数据

ADMIN(a): 管理权限,可以设置当前node的permission

这5种权限简写为cdrwa,注意:这5种权限中,delete是指对子节点的删除权限,其它4种
权限指对自身节点的操作权限

权限 ACL简写 描述
create c 可以创建子节点
delete d 可以删除子节点(仅下一级节点)
read r 可以读取节点数据及显示子节点列表
write w 可以设置节点数据
admin a 可以设置节点访问控制列表权限


授权的相关命令

命令 使用方式 描述
getAcl getAcl 读取ACL权限
setAcl setAcl 设置ACL权限
addauth addauth 添加认证用户


案例
world授权模式:
命令

[zk: localhost:2181(CONNECTED) 3] create /node1 "node1"
Created /node1
[zk: localhost:2181(CONNECTED) 5] getAcl /node1
'world,'anyone
: cdrwa
[zk: localhost:2181(CONNECTED) 6] setAcl /node1 world:anyone:cdraw
cZxid = 0x37
ctime = Tue Apr 21 20:34:49 CST 2020
mZxid = 0x37
mtime = Tue Apr 21 20:34:49 CST 2020
pZxid = 0x37
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 5
numChildren = 0
[zk: localhost:2181(CONNECTED) 7]

IP授权模式:
命令

setAcl <path> ip:<ip>:<acl>

案例
注意:远程登录zookeeper命令:./zkCli.sh -server ip

[zk: 47.231.431.657(CONNECTED) 0] create /node2 "node2"
Created /node2
[zk: 47.231.431.657(CONNECTED) 3] getAcl /node2
'world,'anyone
: cdrwa
[zk: 47.231.431.657(CONNECTED) 4] setAcl /node2 ip:192.168.60.129:cdrwa
cZxid = 0x3a
ctime = Tue Apr 21 20:39:09 CST 2020
mZxid = 0x3a
mtime = Tue Apr 21 20:39:09 CST 2020
pZxid = 0x3a
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 5
numChildren = 0
[zk: 47.231.431.657(CONNECTED) 5] getAcl /node2
'ip,'192.168.60.129
: cdrwa

[zk: 47.231.431.657(CONNECTED) 6] get /node2
Authentication is not valid : /node2
[zk: 47.231.431.657(CONNECTED) 7]

 

Auth授权模式:
命令

addauth digest <user>:<password> #添加认证用户
setAcl <path> auth:<user>:<acl>

案例

[zk: localhost:2181(CONNECTED) 7] create /node3 "node3"
Created /node3
[zk: localhost:2181(CONNECTED) 8] addauth digest dalianpai:123456
[zk: localhost:2181(CONNECTED) 9] setAcl /node3 auth:dalianpai:cdrwa
cZxid = 0x3d
ctime = Tue Apr 21 20:45:20 CST 2020
mZxid = 0x3d
mtime = Tue Apr 21 20:45:20 CST 2020
pZxid = 0x3d
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 5
numChildren = 0
[zk: localhost:2181(CONNECTED) 10] getAcl /node3
'digest,'dalianpai:A7v7a7NwQ63ZrUvGjVLuE0PHZmQ=
: cdrwa
[zk: localhost:2181(CONNECTED) 11] get /node3
node3
cZxid = 0x3d
ctime = Tue Apr 21 20:45:20 CST 2020
mZxid = 0x3d
mtime = Tue Apr 21 20:45:20 CST 2020
pZxid = 0x3d
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 5
numChildren = 0
[zk: localhost:2181(CONNECTED) 12]

Digest授权模式:
命令

setAcl <path> digest:<user>:<password>:<acl>

这里的密码是经过SHA1及BASE64处理的密文,在SHELL中可以通过以下命令计算:

echo -n <user>:<password> | openssl dgst -binary -sha1 | openssl base64

先来计算一个密文

[root@iZ1la3d1xbmukrZ bin]# echo -n wgr:12345 | openssl dgst -binary -sha1 | openssl base64
sfWvAOV+8UWBCBQJ3dDPaHw2f+Q=
[root@iZ1la3d1xbmukrZ bin]#
[zk: localhost:2181(CONNECTED) 16] create /node5 "node5"
Created /node5
[zk: localhost:2181(CONNECTED) 17] setAcl /node

node4   node5   node2   node3   node1
[zk: localhost:2181(CONNECTED) 17] setAcl /node5 digest:wgr:sfWvAOV+8UWBCBQJ3dDPaHw2f+Q=:cdrwa
cZxid = 0x43
ctime = Tue Apr 21 20:57:34 CST 2020
mZxid = 0x43
mtime = Tue Apr 21 20:57:34 CST 2020
pZxid = 0x43
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 5
numChildren = 0
[zk: localhost:2181(CONNECTED) 18]  getAcl /node5
'digest,'wgr:sfWvAOV+8UWBCBQJ3dDPaHw2f+Q=
: cdrwa
[zk: localhost:2181(CONNECTED) 19] get /node5
Authentication is not valid : /node5
[zk: localhost:2181(CONNECTED) 20] addauth digest wgr:12345
[zk: localhost:2181(CONNECTED) 21] get /node5
node5
cZxid = 0x43
ctime = Tue Apr 21 20:57:34 CST 2020
mZxid = 0x43
mtime = Tue Apr 21 20:57:34 CST 2020
pZxid = 0x43
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 5
numChildren = 0
[zk: localhost:2181(CONNECTED) 22]

多种模式授权:
同一个节点可以同时使用多种模式授权

[zk: localhost:2181(CONNECTED) 0] create /node5 "node5"
Created /node5
[zk: localhost:2181(CONNECTED) 1] addauth digest itcast:123456 #添加认证用户
[zk: localhost:2181(CONNECTED) 2] setAcl /node5
ip:192.168.60.129:cdra,auth:wgr:cdrwa,digest:wgr:sfWvAOV+8UWBCBQJ3dDPaHw2f+Q=:cdrwa

 acl 超级管理员
​ zookeeper的权限管理模式有一种叫做super,该模式提供一个超管可以方便的访问任何权限的节点
​ 假设这个超管是:super:admin,需要先为超管生成密码的密文

[root@iZ1la3d1xbmukrZ bin]# echo -n super:super | openssl dgst -binary -sha1 | openssl base64
gG7s8t3oDEtIqF6DM9LlI/R+9Ss=
[root@iZ1la3d1xbmukrZ bin]#

那么打开zookeeper目录下的/bin/zkServer.sh服务器脚本文件,找到如下一行:

这就是脚本中启动zookeeper的命令,默认只有以上两个配置项,我们需要加一个超管的配置项:

"-Dzookeeper.DigestAuthenticationProvider.superDigest=super:xQJmxLMiHGwaqBvst5y6rkB6HQs="
[zk: localhost:2181(CONNECTED) 22] addauth digest super:super
[zk: localhost:2181(CONNECTED) 23] get  /node3
node3
cZxid = 0x3d
ctime = Tue Apr 21 20:45:20 CST 2020
mZxid = 0x3d
mtime = Tue Apr 21 20:45:20 CST 2020
pZxid = 0x3d
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 5
numChildren = 0
[zk: localhost:2181(CONNECTED) 24] get  /node4
node4
cZxid = 0x40
ctime = Tue Apr 21 20:50:14 CST 2020
mZxid = 0x40
mtime = Tue Apr 21 20:50:14 CST 2020
pZxid = 0x40
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 5
numChildren = 0
[zk: localhost:2181(CONNECTED) 25] get  /node5
node5
cZxid = 0x43
ctime = Tue Apr 21 20:57:34 CST 2020
mZxid = 0x43
mtime = Tue Apr 21 20:57:34 CST 2020
pZxid = 0x43
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 5
numChildren = 0

posted @ 2020-04-21 21:50  天宇轩-王  阅读(4574)  评论(0编辑  收藏  举报