
Zookeeper Dubbo IP Whitelist

程序员文章站 2022-05-19 08:18:30
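  1. ZooKeeper node concepts
    ZooKeeper getting-started series: overview
    In short, Dubbo shows up in ZooKeeper as a single node: /dubbo
  2. Connect to ZooKeeper with zkCli.sh

    /local/zookeeper-3.4.5/bin/zkCli.sh  # start the client
    connect 172.16.103.33:2181           # connect to the target ZooKeeper
    ls /                                 # list all nodes under the root node
    setAcl /dubbo ip:172.16.103.33:cdrwa       # set the IP whitelist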
    

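About IP address ranges
IP address range notation
If setting an IP range with the ip scheme fails, the workaround is to use zkClient (the Java API)
See the zkClient section below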


10/16 update: username/password approach

  1. Connect to ZooKeeper with the client

    ./zkCli.sh
  2. Generate the password digest in Java: generateDigest("username:password")

    import org.apache.zookeeper.server.auth.DigestAuthenticationProvider;
    import org.junit.Test;
    
    import java.security.NoSuchAlgorithmException;
    
    /**
     * @author luwenlong
     * @date 2017/10/13
     * @description class description
     */
    public class PasswordBuilder {
        @Test
        public void generate() {
            try {
                System.out.println(DigestAuthenticationProvider.generateDigest("luwfls:luwfls"));
            } catch (NoSuchAlgorithmException e) {
                // TODO Auto-generated catch block
                e.printStackTrace();
            }
        }
    }
    
  3. Set the password ACL on /dubbo (the password here is the hashed value generated above; do not use the plaintext password)

    setAcl /dubbo digest:luwfls:dbshuAKWkOXQro563C0o+16AAR4=:cdrwa
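
What `generateDigest` produces, rebuilt with JDK classes only as an added example (not code from the original post): the id is the user name plus Base64 of an unsalted SHA-1 over `user:password`, which is why `setAcl` takes the hash while `addauth` takes the plaintext. The class and method names are hypothetical; the credential and the id are the ones shown in steps 2 and 3.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

// Added example, not from the original post. JDK only, no ZooKeeper connection.
public class DigestAclId {

    // Rebuilds what generateDigest("user:password") returns for ASCII input:
    // user + ":" + Base64(SHA-1("user:password")). No salt, no iteration count.
    static String digestId(String userColonPassword) throws NoSuchAlgorithmException {
        String user = userColonPassword.split(":", 2)[0];
        byte[] sha1 = MessageDigest.getInstance("SHA-1")
                .digest(userColonPassword.getBytes(StandardCharsets.UTF_8));
        return user + ":" + Base64.getEncoder().encodeToString(sha1);
    }

    // Checks a plaintext credential against an id read back with getAcl,
    // using a constant-time comparison.
    static boolean matchesAclId(String userColonPassword, String aclId)
            throws NoSuchAlgorithmException {
        return MessageDigest.isEqual(
                digestId(userColonPassword).getBytes(StandardCharsets.UTF_8),
                aclId.getBytes(StandardCharsets.UTF_8));
    }

    public static void main(String[] args) throws Exception {
        // Values taken from steps 2 and 3 above.
        String credential = "luwfls:luwfls";
        String idOnNode = "luwfls:dbshuAKWkOXQro563C0o+16AAR4=";

        String id = digestId(credential);
        System.out.println("addauth digest " + credential);          // plaintext goes to addauth
        System.out.println("setAcl /dubbo digest:" + id + ":cdrwa"); // hash goes into the ACL
        System.out.println("matches id from step 3: " + matchesAclId(credential, idOnNode));

        // Unsalted: the same credential always yields the same id, on every node and cluster.
        System.out.println("deterministic: " + id.equals(digestId(credential)));
    }
}
```

Because the hash is unsalted, identical credentials give identical ids everywhere, so ACL listings deserve the same care as a password file.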

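Appendix: how to configure super-user privileges, for cases where the password was set incorrectly or has been forgotten

  1. Edit line 109 of zkServer.sh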

    nohup "$JAVA" "-Dzookeeper.log.dir=${ZOO_LOG_DIR}" "-Dzookeeper.root.logger=${ZOO_LOG4J_PROP}" "-Dzookeeper.DigestAuthenticationProvider.superDigest=super:g9oN2HttPfn8MMWJZ2r45Np/LIA=" \
  2. Restart ZooKeeper

    ./zkServer.sh restart
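  3. Verify

    ./zkCli.sh     ## connect
    addauth digest super:superpw   ## log in as the super user; the plaintext must be the one whose digest was set as superDigest in step 1
    setAcl /dubbo digest:<username>:<hashed password>:<permissions> ## set the new password as the super user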

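11/02 update: zkClient approach

  • Prerequisite: follow the previous step; once the super user is configured, its privileges can be used here
  • GitHub address of the demo
  • Overview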
import org.I0Itec.zkclient.ZkClient;
import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.ZooKeeper;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Id;
import org.apache.zookeeper.data.Stat;
import org.junit.Test;

import java.io.IOException;
import java.util.ArrayList;
import java.util.List;

/**
 * @author luwenlong
 * @date 2017/10/17 0017
 * @description ZooKeeper management
 */
public class ZKManager {
    private static final String ZKADDRESS = "172.16.101.130:2190";
    private static final String SUPERAUTH = "super:superpw";
    private static final String LUWFLS = "luwfls:luwfls";
    private static final String DIGEST = "digest";

    private static ZkClient zkClient = new ZkClient(ZKADDRESS);

    @Test
    public void testZooKeeperConnect() throws IOException {
        ZooKeeper zooKeeper = new ZooKeeper(ZKADDRESS, 500, watchedEvent -> System.out.println("已经触发了" + watchedEvent.getType() + "事件!"));
        //zooKeeper.addAuthInfo(DIGEST,"super:superpw".getBytes());
        ZooKeeper.States state = zooKeeper.getState();
        System.out.println("状态: "+state);

    }

    /**
     * As the super user, change the root directory's ACL to: anyone, all permissions
     */
    @Test
    public void setRootWorldCDRWA() throws Exception {
        ZooKeeper zooKeeper = new ZooKeeper(ZKADDRESS, 500, watchedEvent -> System.out.println("已经触发了" + watchedEvent.getType() + "事件!"));
        zooKeeper.addAuthInfo(DIGEST,SUPERAUTH.getBytes());
        ArrayList<ACL> acls = new ArrayList<>();
        acls.add(new ACL(ZooDefs.Perms.ALL,new Id("world","anyone")));
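        // pass the node's current ACL version instead of a hard-coded number
        zooKeeper.setACL("/dubbo",acls,zooKeeper.exists("/dubbo",false).getAversion());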
    }

    /**
     * Set an IP range whitelist
     * Problem: KeeperErrorCode = InvalidACL for /dubbo
     */
    @Test
    public void setIPS() throws Exception{
        ZooKeeper zooKeeper = new ZooKeeper(ZKADDRESS, 500, watchedEvent -> System.out.println("已经触发了" + watchedEvent.getType() + "事件!"));
        zooKeeper.addAuthInfo(DIGEST,LUWFLS.getBytes());
        ArrayList<ACL> acls = new ArrayList<>();
        acls.add(new ACL(ZooDefs.Perms.ALL,new Id("ip","172.16.103.33")));
        acls.add(new ACL(ZooDefs.Perms.ALL,new Id("ip","172.16.103.60")));
        // the current version can be thought of as the latest version number of an optimistic lock (a layman's take)
        zooKeeper.setACL("/dubbo",acls,zooKeeper.exists("/dubbo",false).getAversion());
    }
    /**
     * Query the ACL
     */
    @Test
    public void getAcl() throws Exception{
        ZooKeeper zooKeeper = new ZooKeeper(ZKADDRESS, 500, watchedEvent -> System.out.println("已经触发了" + watchedEvent.getType() + "事件!"));
        zooKeeper.addAuthInfo("digest","luwfls:luwfls".getBytes());
        ZooKeeper.States state = zooKeeper.getState();
        System.out.println("state  " + state);
        List<ACL> acl = zooKeeper.getACL("/dubbo", new Stat());
        acl.forEach(acl1 -> System.out.println(acl1));
    }

    /**
     * Query the node versions
     * When changing the ACL you must pass the node's current ACL version, Stat.aversion
     */

    @Test
    public void queryVersion() throws Exception{
        ZooKeeper zooKeeper = new ZooKeeper(ZKADDRESS, 500, watchedEvent -> System.out.println("已经触发了" + watchedEvent.getType() + "事件!"));
        zooKeeper.addAuthInfo("digest","luwfls:luwfls".getBytes());
        Stat stat = zooKeeper.exists("/dubbo", false);
        System.out.println(String.format("version %s  cversion %s aversion %s ", stat.getVersion(),stat.getCversion(),stat.getAversion()));
        System.out.println(stat);
    }
    /**
     * Create a node
     */
    @Test
    public void testCreatePersistent() {
       zkClient.createPersistent("/test123");
    }

}


        ArrayList<ACL> acls = new ArrayList<>();
        acls.add(new ACL(ZooDefs.Perms.ALL,new Id("ip","172.16.103.33")));
        acls.add(new ACL(ZooDefs.Perms.ALL,new Id("ip","172.16.103.60")));
        // the current version can be thought of as the latest version number of an optimistic lock (a layman's take)
        zooKeeper.setACL("/test123",acls,zooKeeper.exists("/test123",false).getAversion());

The code above adds two IPs to the whitelist.
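
An added example (not from the original post) that models the `ip` scheme's documented `addr/bits` matching with JDK classes only, so a whitelist can be checked against the hosts that must keep access before `setACL` is called. The class and method names, the `/24` range and the list of required hosts are constructed for illustration; the two whitelisted addresses and 172.16.101.130 come from the code above.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.Arrays;
import java.util.List;

// Added example, not from the original post. JDK only, no ZooKeeper connection.
public class IpAclPrecheck {

    // Model of addr/bits matching: the first `bits` bits of the client address
    // must equal those of addr. Without "/bits" the whole address must match.
    // Pass IP literals only; a host name here would trigger a DNS lookup.
    static boolean ipMatches(String client, String aclExpr) throws UnknownHostException {
        String[] parts = aclExpr.split("/", 2);
        byte[] acl = InetAddress.getByName(parts[0]).getAddress();
        byte[] cli = InetAddress.getByName(client).getAddress();
        if (acl.length != cli.length) return false; // IPv4 entry vs IPv6 client
        int bits = parts.length == 2 ? Integer.parseInt(parts[1]) : acl.length * 8;
        if (bits < 0 || bits > acl.length * 8) return false;
        for (int i = 0; i < acl.length && bits > 0; i++, bits -= 8) {
            int mask = bits >= 8 ? 0xFF : (0xFF << (8 - bits)) & 0xFF;
            if ((acl[i] & mask) != (cli[i] & mask)) return false;
        }
        return true;
    }

    // A client is admitted when at least one whitelist entry matches it.
    static boolean admitted(String client, List<String> whitelist) throws UnknownHostException {
        for (String expr : whitelist) {
            if (ipMatches(client, expr)) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        List<String> exact = Arrays.asList("172.16.103.33", "172.16.103.60"); // ids from the post
        List<String> range = Arrays.asList("172.16.103.0/24");               // constructed range
        // Constructed list of hosts that must keep access after the ACL change.
        String[] required = {"172.16.103.33", "172.16.103.60", "172.16.103.61", "172.16.101.130"};
        for (String host : required) {
            System.out.printf("%-15s exact=%-5b range=%b%n",
                    host, admitted(host, exact), admitted(host, range));
        }
    }
}
```

ZooKeeper ACLs are not inherited, so a whitelist set on /dubbo covers only that znode; nodes beneath it keep whatever ACL they were created with.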