Zookeeper设置访问权限 博客分类: 软件使用 zookeepersetAcl
程序员文章站
2024-03-05 21:17:13
...
zookeeper的身份认证有4种方式
(1)world: 它下面只有一个id, 叫anyone, world:anyone代表任何人,zookeeper中对所有人有权限的结点就是属于world:anyone的
(2)auth: 它不需要id, 只要是通过authentication的user都有权限(zookeeper支持通过kerberos来进行authencation, 也支持username/password形式的authentication)
(3)digest: 它对应的id为username:BASE64(SHA1(password)),它需要先通过username:password形式的authentication
(4)ip: 它对应的id为客户机的IP地址,设置的时候可以设置一个ip段,比如ip:192.168.1.0/16, 表示匹配前16个bit的IP段
super: 在这种scheme情况下,对应的id拥有超级权限,可以做任何事情(cdrwa)
通过zkCli设置权限,查看权限,认证权限
设置权限
->./zkCli.sh -server ip:port
(1)创建节点并设置权限
->create path data digest:username:BASE64(SHA1(password)):rwdca
(2)先创建节点,后设置权限
->create path data
->setAcl path digest:username:base64(sha1(password)):rwdca
查看权限
-> getAcl path
认证权限
->addauth scheme auth
demo: ->addauth digest admin:admin(明文)
通过Curator设置权限,认证权限
(1)world: 它下面只有一个id, 叫anyone, world:anyone代表任何人,zookeeper中对所有人有权限的结点就是属于world:anyone的
(2)auth: 它不需要id, 只要是通过authentication的user都有权限(zookeeper支持通过kerberos来进行authencation, 也支持username/password形式的authentication)
(3)digest: 它对应的id为username:BASE64(SHA1(password)),它需要先通过username:password形式的authentication
(4)ip: 它对应的id为客户机的IP地址,设置的时候可以设置一个ip段,比如ip:192.168.1.0/16, 表示匹配前16个bit的IP段
super: 在这种scheme情况下,对应的id拥有超级权限,可以做任何事情(cdrwa)
通过zkCli设置权限,查看权限,认证权限
设置权限
->./zkCli.sh -server ip:port
(1)创建节点并设置权限
->create path data digest:username:BASE64(SHA1(password)):rwdca
(2)先创建节点,后设置权限
->create path data
->setAcl path digest:username:base64(sha1(password)):rwdca
查看权限
-> getAcl path
认证权限
->addauth scheme auth
demo: ->addauth digest admin:admin(明文)
通过Curator设置权限,认证权限
<dependency> <groupId>org.apache.curator</groupId> <artifactId>curator-framework</artifactId> <version>2.10.0</version> </dependency> <dependency> <groupId>org.apache.curator</groupId> <artifactId>curator-recipes</artifactId> <version>2.10.0</version> </dependency>
import java.nio.charset.Charset;
import java.util.Collections;
import org.apache.curator.framework.CuratorFramework;
import org.apache.curator.framework.CuratorFrameworkFactory;
import org.apache.curator.retry.ExponentialBackoffRetry;
import org.apache.zookeeper.ZooDefs.Perms;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Id;
import org.apache.zookeeper.server.auth.DigestAuthenticationProvider;
import org.junit.AfterClass;
import org.junit.BeforeClass;
import org.junit.FixMethodOrder;
import org.junit.Test;
import org.junit.runners.MethodSorters;
/**
*
* junit version 4.12
* zk version: 3.4.6
*
*/
@FixMethodOrder(MethodSorters.NAME_ASCENDING)
public class ZkTest {
private static String scheme = "digest";
private static String ulr = "localhost:2181";
private static final String COLON = ":";
private static String username = "admin";
private static String password = "admin";
private static CuratorFramework client;
@BeforeClass
public static void setup() throws Exception {
client = CuratorFrameworkFactory.builder() //
.authorization(scheme, signature().getBytes()) //
.connectString(ulr).sessionTimeoutMs(5000).connectionTimeoutMs(5000) //
.retryPolicy(new ExponentialBackoffRetry(1000, 3)) //
.build();
client.start();
}
@Test
public void createNode() throws Exception {
if (client.checkExists().forPath("/test/nnnn") == null) {
client.create().creatingParentsIfNeeded().forPath("/test/nnnn");
System.out.println("已创建/test/nnnn");
client.setACL().withACL(Collections.singletonList(
new ACL(Perms.ALL, new Id(scheme, DigestAuthenticationProvider.generateDigest(signature())))))
.forPath("/test");
System.out.println("已授权");
} else {
System.out.println("该节点已经存在");
}
}
@Test
public void getNodeInfo() throws Exception {
if (client.checkExists().forPath("/test/nnnn") != null) {
byte[] forPath = client.getData().forPath("/test/nnnn");
System.out.println("节点data=" + new String(forPath, Charset.forName("UTF-8")));
} else {
System.out.println("获取节点信息失败,原因:该节点不存在");
}
}
@AfterClass
public static void destroy() {
client.close();
}
private static String signature() {
return username + COLON + password;
}
}