ZooKeeper的ACL权限

ACL控制权限

  • 什么是ACL(Access Control List访问控制列表)

    • 针对节点可以设置相关读写等权限, 目的为了保障数据安全性
    • 权限permission可以指定不同的权限范围以及角色
  • ACL命令行

    • getAcl: 获取某个节点的acl权限信息

      [zk: localhost:2181(CONNECTED) 11] getAcl /czk
      'world,'anyone
      : cdrwa
      
    • setAcl: 设置某个节点的acl权限信息

    • addauth: 输入认证授权信息, 注册时输入明文密码(登录)但是在zk的系统里, 密码是以加密的形式存在的

  • ACL的构成

    • zk的acl通过[scheme​ : id :permissions] 来构成权限列表

      • scheme: 代表采用的某种权限机制
      • id: 代表允许访问的用户
      • permissions: 权限组合字符串
    • scheme:

      • world: world下只能有一个id, 即只有一个用户就是anyone 组合的写法就是

        world:anyone:[permissions]

      • auth: 代表认证登录, 需要注册用户有权限就可以, 形式为 auth: user:password:[permissions]

      • digest: 需要对密码加密才能访问, 组合形式为digest: username:BASE64(SHA1(password)):[permissions]

      • auth与digest的区别: 前者明文,后者密文

        • setAcl /path auth:tom:tom:cdrwa
        • setAcl /path digest:tom:BASE64(SHA1(password))cdrwa是等价的
        • 在通过addauth digest tom:tom后都能操作指定节点的权限
      • ip:当设置为ip指定的IP地址, 此时限制ip进行访问,比如ip:192.168.1.1:[permissions]

      • super: 代表超级管理员, 拥有所有的权限

    • permissions说明

      • crdwa
      • Create 创建
      • Read 获取节点/子节点
      • Write: 设置节点数据
      • Delete: 删除子节点
      • Admin 设置权限
    • world:anyone:cdrwa

      #创建子节点 /czk/abc
      [zk: localhost:2181(CONNECTED) 5] create /czk/abc 123
      Created /czk/abc
      #查看节点权限  新建节点默认权限都是 world:anyone:cdrwa
      [zk: localhost:2181(CONNECTED) 6] getAcl /czk/abc
      'world,'anyone
      : cdrwa
      
      • 通过setAcl修改节点权限 setAcl 路径 world:anyone:crwa
      #设置权限为crwa 去掉了d 删除子节点权限
      [zk: localhost:2181(CONNECTED) 7] setAcl /czk/abc world:anyone:crwa
      cZxid = 0xb3
      ctime = Sun Jan 06 17:46:55 CST 2019
      mZxid = 0xb3
      mtime = Sun Jan 06 17:46:55 CST 2019
      pZxid = 0xb3
      cversion = 0
      dataVersion = 0
      aclVersion = 1
      ephemeralOwner = 0x0
      dataLength = 3
      numChildren = 0
      #查看权限
      [zk: localhost:2181(CONNECTED) 8] getAcl /czk/abc
      'world,'anyone
      : crwa
      #创建新的子节点
      [zk: localhost:2181(CONNECTED) 9] create /czk/abc/czk1 123
      Created /czk/abc/czk1
      #测试能否删除子节点
      [zk: localhost:2181(CONNECTED) 11] delete /czk/abc/czk1
      Authentication is not valid : /czk/abc/czk1
      #子节点依然存在
      [zk: localhost:2181(CONNECTED) 12] ls /czk/abc
      [czk1]
      
    • auth:user:pwd:cdrwa 用auth的方式(密码为明文)处理ACL

      addauth digest user:pwd 用户注册 登陆

      [zk: lh:2181(CONNECTED) 13] setAcl /czk/abc auth:czk:czk:cdrwa
      Acl is not valid : /czk/abc # 没有注册用户
      [zk: lh:2181(CONNECTED) 14] addauth digest czk:czk  #注册用户
      [zk: lh:2181(CONNECTED) 15] setAcl /czk/abc auth:czk:czk:cdrwa
      cZxid = 0xb3
      ctime = Sun Jan 06 17:46:55 CST 2019
      mZxid = 0xb3
      mtime = Sun Jan 06 17:46:55 CST 2019
      pZxid = 0xb5
      cversion = 1
      dataVersion = 0
      aclVersion = 2
      ephemeralOwner = 0x0
      dataLength = 3
      numChildren = 1
      [zk: lh:2181(CONNECTED) 16] getAcl /czk/abc
      'digest,'czk:8vob7o7uTPp2jDaiVV3mUesBi7A=
      : cdrwa
      #退出终端后重新操作
      [zk: localhost:2181(CONNECTED) 0] ls /czk
      [sec0000000003, dir1, abc, sec0000000002]
      [zk: localhost:2181(CONNECTED) 1] ls /czk/abc
      Authentication is not valid : /czk/abc  #没有查看权限
      #登陆后再次查看
      [zk: localhost:2181(CONNECTED) 4] addauth digest czk:czk
      [zk: localhost:2181(CONNECTED) 5] ls /czk/abc
      [xyz]
      #修改授权内容 一旦指定了用户名 再次设置 不需要传入用户名密码
      [zk: localhost:2181(CONNECTED) 8] setAcl /czk/abc auth::crwa
      cZxid = 0xb3
      ctime = Sun Jan 06 17:46:55 CST 2019
      mZxid = 0xb3
      mtime = Sun Jan 06 17:46:55 CST 2019
      pZxid = 0xb5
      cversion = 1
      dataVersion = 0
      aclVersion = 3
      ephemeralOwner = 0x0
      dataLength = 3
      numChildren = 1
      [zk: localhost:2181(CONNECTED) 9] getAcl /czk/abc
      'digest,'czk:8vob7o7uTPp2jDaiVV3mUesBi7A=
      : crwa
      
      
    • digest:user:BASE64(SHA1(pwd)):cdrwa 用digest(密码为密文)的方式处理ACL

      [zk: localhost:2181(CONNECTED) 13] setAcl /czk/test digest:czk:8vob7o7uTPp2jDaiVV3mUesBi7A=:rwa
      cZxid = 0xbc
      ctime = Sun Jan 06 18:20:23 CST 2019
      mZxid = 0xbc
      mtime = Sun Jan 06 18:20:23 CST 2019
      pZxid = 0xbc
      cversion = 0
      dataVersion = 0
      aclVersion = 1
      ephemeralOwner = 0x0
      dataLength = 3
      numChildren = 0
      [zk: localhost:2181(CONNECTED) 14] ls /czk/test
      []
      [zk: localhost:2181(CONNECTED) 15] getAcl /czk/test
      'digest,'czk:8vob7o7uTPp2jDaiVV3mUesBi7A=
      : rwa
      
    • ip:192.168.1.1:cdrwa 通过ip 控制某些客户端是否有访问的权限

      [zk: localhost:2181(CONNECTED) 17] create /czk/test2 123
      Created /czk/test2
      [zk: localhost:2181(CONNECTED) 18] setAcl /czk/test2 ip:192.168.199.3:crwa
      cZxid = 0xbf
      ctime = Sun Jan 06 18:24:28 CST 2019
      mZxid = 0xbf
      mtime = Sun Jan 06 18:24:28 CST 2019
      pZxid = 0xbf
      cversion = 0
      dataVersion = 0
      aclVersion = 1
      ephemeralOwner = 0x0
      dataLength = 3
      numChildren = 0
      [zk: localhost:2181(CONNECTED) 19] getAcl /czk/test2
      'ip,'192.168.199.3
      : crwa
      [zk: localhost:2181(CONNECTED) 20] get /czk/test2
      Authentication is not valid : /czk/test2
      
    • super管理员

      修改 zkServer.sh

       nohup $JAVA $ZOO_DATADIR_AUTOCREATE "-Dzookeeper.log.dir=${ZOO_LOG_DIR}" \
          "-Dzookeeper.root.logger=${ZOO_LOG4J_PROP}" \
          "-Dzookeeper.DigestAuthenticationProvider.superDigest=czk:8vob7o7uTPp2jDaiVV3mUesBi7A=" \
          -cp "$CLASSPATH" $JVMFLAGS $ZOOMAIN "$ZOOCFG" > "$_ZOO_DAEMON_OUT" 2>&1 < /dev/null &
      
      

      重启客户端 登陆

    [zk: localhost:2181(CONNECTED) 2] addauth digest czk:czk
    [zk: localhost:2181(CONNECTED) 3] ls /czk/test2
    []
    [zk: localhost:2181(CONNECTED) 4] getAcl /czk/test2
    'ip,'192.168.199.3
    : crwa
    [zk: localhost:2181(CONNECTED) 5] ls /czk/test2
    []
    [zk: localhost:2181(CONNECTED) 6] delete /czk/test2
    [zk: localhost:2181(CONNECTED) 7] ls /czk
    [sec0000000003, dir1, abc, test, sec0000000002]
    
posted @ 2019-06-16 17:04  鹿泉  阅读(915)  评论(0编辑  收藏  举报