Setting access permissions in ZooKeeper
程序员文章站
2024-03-05 21:17:13
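ZooKeeper has 4 authentication schemes:
(1) world: it has a single id, anyone. world:anyone stands for everyone; znodes that everyone has permissions on belong to world:anyone.
(2) auth: it takes no id; any user that has passed authentication has permission (ZooKeeper supports authentication via Kerberos as well as username/password authentication).
(3) digest: its id is username:BASE64(SHA1(password)); the client must first authenticate with username:password.
(4) ip: its id is the client's IP address. A range can be given when setting it, e.g. ip:192.168.1.0/16, which matches on the first 16 bits of the address.
super: under this scheme, the corresponding id has superuser privileges and can do anything (cdrwa).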
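Setting, viewing and authenticating permissions with zkCli
Setting permissions
->./zkCli.sh -server ip:port
(1) Create a node and set its permissions in one step
->create path data digest:username:BASE64(SHA1(password)):rwdca
(2) Create the node first, then set its permissions
->create path data
->setAcl path digest:username:base64(sha1(password)):rwdca
Viewing permissions
-> getAcl path
Authenticating
->addauth scheme auth
demo: ->addauth digest admin:admin (plaintext)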
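Added example (not part of the original post): setAcl takes the hashed digest id, while addauth takes the plaintext pair. The Python sketch below builds the setAcl line the way ZooKeeper's DigestAuthenticationProvider.generateDigest (called in the Curator code on this page) derives the id, with SHA-1 taken over the whole username:password string, and checks which addauth credentials would match an ACL entry. The function names are hypothetical, and admin/admin is the page's demo pair.

```python
import base64
import hashlib
import hmac

PERM_LETTERS = "cdrwa"  # create, delete, read, write, admin


def generate_digest(username: str, password: str) -> str:
    """Return the digest ACL id: username:BASE64(SHA1(username:password))."""
    if not username or ":" in username:
        raise ValueError("username must be non-empty and contain no ':'")
    raw = hashlib.sha1(f"{username}:{password}".encode("utf-8")).digest()
    return f"{username}:{base64.b64encode(raw).decode('ascii')}"


def set_acl_command(path: str, username: str, password: str, perms: str) -> str:
    """Build the zkCli setAcl line; the ACL stores the hash, never the password."""
    if not perms or set(perms) - set(PERM_LETTERS):
        raise ValueError(f"permissions must be letters from {PERM_LETTERS!r}")
    ordered = "".join(p for p in PERM_LETTERS if p in perms)
    return f"setAcl {path} digest:{generate_digest(username, password)}:{ordered}"


def acl_grants(acl_entry: str, auth: str, perm: str) -> bool:
    """Would a session that ran `addauth digest <auth>` hold `perm` under acl_entry?"""
    scheme, rest = acl_entry.split(":", 1)
    acl_id, perms = rest.rsplit(":", 1)
    username, _, password = auth.partition(":")
    if scheme != "digest" or not username:
        return False
    presented = generate_digest(username, password)
    return hmac.compare_digest(presented.encode(), acl_id.encode()) and perm in perms


if __name__ == "__main__":
    # Constructed sample run using the page's demo credentials admin/admin.
    line = set_acl_command("/test", "admin", "admin", "rwdca")
    print(line)
    entry = line.split(" ", 2)[2]
    print(acl_grants(entry, "admin:admin", "w"))  # matching credentials
    print(acl_grants(entry, "admin:wrong", "w"))  # wrong password
```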
Setting and authenticating permissions with Curator
<dependency>
    <groupId>org.apache.curator</groupId>
    <artifactId>curator-framework</artifactId>
    <version>2.10.0</version>
</dependency>
<dependency>
    <groupId>org.apache.curator</groupId>
    <artifactId>curator-recipes</artifactId>
    <version>2.10.0</version>
</dependency>
import java.nio.charset.Charset;
import java.util.Collections;

import org.apache.curator.framework.CuratorFramework;
import org.apache.curator.framework.CuratorFrameworkFactory;
import org.apache.curator.retry.ExponentialBackoffRetry;
import org.apache.zookeeper.ZooDefs.Perms;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Id;
import org.apache.zookeeper.server.auth.DigestAuthenticationProvider;
import org.junit.AfterClass;
import org.junit.BeforeClass;
import org.junit.FixMethodOrder;
import org.junit.Test;
import org.junit.runners.MethodSorters;

/**
 * junit version: 4.12
 * zk version: 3.4.6
 */
@FixMethodOrder(MethodSorters.NAME_ASCENDING)
public class ZkTest {

    private static String scheme = "digest";
    private static String url = "localhost:2181";
    private static final String COLON = ":";
    private static String username = "admin";
    private static String password = "admin";
    private static CuratorFramework client;

    @BeforeClass
    public static void setup() throws Exception {
        // Authenticate the session with the plaintext username:password pair
        // (the Curator equivalent of zkCli's addauth).
        client = CuratorFrameworkFactory.builder()
                .authorization(scheme, signature().getBytes())
                .connectString(url)
                .sessionTimeoutMs(5000)
                .connectionTimeoutMs(5000)
                .retryPolicy(new ExponentialBackoffRetry(1000, 3))
                .build();
        client.start();
    }

    @Test
    public void createNode() throws Exception {
        if (client.checkExists().forPath("/test/nnnn") == null) {
            client.create().creatingParentsIfNeeded().forPath("/test/nnnn");
            System.out.println("已创建/test/nnnn"); // "/test/nnnn created"
            // generateDigest turns username:password into the hashed digest id.
            // ZooKeeper ACLs are not inherited: this call protects /test only,
            // and /test/nnnn keeps the ACL it was created with.
            client.setACL()
                    .withACL(Collections.singletonList(
                            new ACL(Perms.ALL,
                                    new Id(scheme, DigestAuthenticationProvider.generateDigest(signature())))))
                    .forPath("/test");
            System.out.println("已授权"); // "ACL applied"
        } else {
            System.out.println("该节点已经存在"); // "the node already exists"
        }
    }

    @Test
    public void getNodeInfo() throws Exception {
        if (client.checkExists().forPath("/test/nnnn") != null) {
            byte[] forPath = client.getData().forPath("/test/nnnn");
            // "node data="
            System.out.println("节点data=" + new String(forPath, Charset.forName("UTF-8")));
        } else {
            // "failed to get node info: the node does not exist"
            System.out.println("获取节点信息失败,原因:该节点不存在");
        }
    }

    @AfterClass
    public static void destroy() {
        client.close();
    }

    // Plaintext credential string in the form username:password
    private static String signature() {
        return username + COLON + password;
    }
}