ACL stands for Access Control List and is used to control access to resources. An ACL entry has three parts: scheme, id and permission. The scheme is the authorization policy, the id is the user, and the permission is the set of rights granted.
scheme:id
- world: it has only one id, anyone. world:anyone means everyone; in ZooKeeper, a znode that everyone has rights on belongs to world:anyone.
- auth: it needs no id; any user who has passed authentication has the permission (ZooKeeper supports Kerberos authentication as well as username:password authentication).
- digest: its id is username:BASE64(SHA1(password)); it requires prior username:password authentication.
- ip: its id is the client's IP address. An address range can be given, e.g. ip:192.168.1.0/16, which matches the first 16 bits of the IP.
permission
- c, create: permission to create child nodes under this path
- d, delete: permission to delete child nodes under this path
- r, read: permission to read this node's data
- w, write: permission to update this node's data
- a, admin: permission to manage this node's ACL
create permission
# Set the ACL of /wusp to drwa, i.e. without c
setAcl /wusp world:anyone:drwa
cZxid = 0x4
ctime = Sun May 14 17:33:09 CST 2023
mZxid = 0x5
mtime = Sun May 14 17:52:57 CST 2023
pZxid = 0x4
cversion = 0
dataVersion = 1
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 8
numChildren = 0
# Creating a child node is denied for lack of permission
[zk: localhost:2181(CONNECTED) 21] create /wusp/child data
Authentication is not valid : /wusp/child
# Add the create permission to /wusp
[zk: localhost:2181(CONNECTED) 22] setAcl /wusp world:anyone:cdrwa
cZxid = 0x4
ctime = Sun May 14 17:33:09 CST 2023
mZxid = 0x5
mtime = Sun May 14 17:52:57 CST 2023
pZxid = 0x4
cversion = 0
dataVersion = 1
aclVersion = 2
ephemeralOwner = 0x0
dataLength = 8
numChildren = 0
# The child node is created successfully
[zk: localhost:2181(CONNECTED) 23] create /wusp/child data
Created /wusp/child
delete permission
# Remove the delete permission
[zk: localhost:2181(CONNECTED) 24] setAcl /wusp world:anyone:crwa
cZxid = 0x4
ctime = Sun May 14 17:33:09 CST 2023
mZxid = 0x5
mtime = Sun May 14 17:52:57 CST 2023
pZxid = 0x35
cversion = 1
dataVersion = 1
aclVersion = 3
ephemeralOwner = 0x0
dataLength = 8
numChildren = 1
# rmr reports insufficient permission
[zk: localhost:2181(CONNECTED) 25] rmr /wusp
Authentication is not valid : /wusp/child
# delete reports insufficient permission
[zk: localhost:2181(CONNECTED) 26] delete /wusp/child
Authentication is not valid : /wusp/child
# Add the delete permission back
[zk: localhost:2181(CONNECTED) 27] setAcl /wusp world:anyone:cdrwa
cZxid = 0x4
ctime = Sun May 14 17:33:09 CST 2023
mZxid = 0x5
mtime = Sun May 14 17:52:57 CST 2023
pZxid = 0x35
cversion = 1
dataVersion = 1
aclVersion = 4
ephemeralOwner = 0x0
dataLength = 8
numChildren = 1
# /wusp/child is deleted successfully
[zk: localhost:2181(CONNECTED) 28] delete /wusp/child
[zk: localhost:2181(CONNECTED) 29]
read permission
# Create /wusp/child again
[zk: localhost:2181(CONNECTED) 29] create /wusp/child data
Created /wusp/child
# Remove the read permission
[zk: localhost:2181(CONNECTED) 32] setAcl /wusp world:anyone:cdwa
cZxid = 0x4
ctime = Sun May 14 17:33:09 CST 2023
mZxid = 0x5
mtime = Sun May 14 17:52:57 CST 2023
pZxid = 0x3b
cversion = 3
dataVersion = 1
aclVersion = 5
ephemeralOwner = 0x0
dataLength = 8
numChildren = 1
# Reading the data of /wusp is denied
[zk: localhost:2181(CONNECTED) 33] get /wusp
Authentication is not valid : /wusp
# but the data of the /wusp/child node is read successfully
[zk: localhost:2181(CONNECTED) 35] get /wusp/child
data
cZxid = 0x3b
ctime = Wed May 17 21:13:06 CST 2023
mZxid = 0x3b
mtime = Wed May 17 21:13:06 CST 2023
pZxid = 0x3b
cversion = 0
dataVersion = 0
aclVersion = 0
ephemeralOwner = 0x0
dataLength = 4
numChildren = 0
[zk: localhost:2181(CONNECTED) 36] getAcl /wusp
'world,'anyone
: cdwa
[zk: localhost:2181(CONNECTED) 37] getAcl /wusp/child
'world,'anyone
: cdrwa
write permission
# Remove the write permission
[zk: localhost:2181(CONNECTED) 38] setAcl /wusp world:anyone:cdra
cZxid = 0x4
ctime = Sun May 14 17:33:09 CST 2023
mZxid = 0x5
mtime = Sun May 14 17:52:57 CST 2023
pZxid = 0x3b
cversion = 3
dataVersion = 1
aclVersion = 6
ephemeralOwner = 0x0
dataLength = 8
numChildren = 1
# Updating the data of /wusp is denied
[zk: localhost:2181(CONNECTED) 39] set /wusp data1
Authentication is not valid : /wusp
# The data of /wusp/child is updated successfully
[zk: localhost:2181(CONNECTED) 40] set /wusp/child data2
cZxid = 0x3b
ctime = Wed May 17 21:13:06 CST 2023
mZxid = 0x3f
mtime = Wed May 17 21:20:37 CST 2023
pZxid = 0x3b
cversion = 0
dataVersion = 1
aclVersion = 0
ephemeralOwner = 0x0
dataLength = 5
numChildren = 0
admin
# Remove the admin permission
[zk: localhost:2181(CONNECTED) 41] setAcl /wusp world:anyone:cdrw
cZxid = 0x4
ctime = Sun May 14 17:33:09 CST 2023
mZxid = 0x5
mtime = Sun May 14 17:52:57 CST 2023
pZxid = 0x3b
cversion = 3
dataVersion = 1
aclVersion = 7
ephemeralOwner = 0x0
dataLength = 8
numChildren = 1
# Changing the ACL is now denied.
# This raises a question: once the admin permission has been removed, how can it be added back?
[zk: localhost:2181(CONNECTED) 42] setAcl /wusp world:anyone:cdrwa
Authentication is not valid : /wusp
ACL commands
- getAcl: get the ACL of the given node
- setAcl: set the ACL of the given node
- addauth: enter authentication credentials; the password is typed in plaintext at registration and saved in encrypted form
# Create the /acl node
[zk: localhost:2181(CONNECTED) 3] create /acl data
Created /acl
# The default ACL is world:anyone:cdrwa
[zk: localhost:2181(CONNECTED) 4] getAcl /acl
'world,'anyone
: cdrwa
What is the difference between the auth and digest schemes?
Summary (read the sessions below first, then come back to this summary):
- auth sets the authorization information in plaintext, but the user must be created first.
- digest sets the authorization information in encrypted (digest) form, and the user need not be created first.
# Set the ACL of path=/acl; this fails because the user user1 has not been created
[zk: localhost:2181(CONNECTED) 6] setAcl /acl auth:user1:123456:crwa
Acl is not valid : /acl
# Create use1 with addauth digest. Note: this should be user1, but it was typed as use1 by hand; this does not affect what follows
[zk: localhost:2181(CONNECTED) 7] addauth digest use1 123456
# Set the ACL using scheme=auth
[zk: localhost:2181(CONNECTED) 8] setAcl /acl auth:use1:123456:crwa
cZxid = 0x4c
ctime = Thu May 18 14:58:06 CST 2023
mZxid = 0x4c
mtime = Thu May 18 14:58:06 CST 2023
pZxid = 0x4c
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 4
numChildren = 0
# The ACL was set in plaintext with scheme=auth, but it is displayed in digest form
[zk: localhost:2181(CONNECTED) 9] getAcl /acl
'digest,'use1:Bw00EEOEYvTk9+7ckGoBdAICO4Q=
: crwa
# Creating path=/acl/child succeeds
[zk: localhost:2181(CONNECTED) 10] create /acl/child data
Created /acl/child
# Quit the client
[zk: localhost:2181(CONNECTED) 11] quit
# Reconnect with zkCli and run ls /
ls /
[zookeeper, acl, persistent, wusp]
# getAcl /acl
[zk: localhost:2181(CONNECTED) 1] getAcl /acl
'digest,'use1:Bw00EEOEYvTk9+7ckGoBdAICO4Q=
: crwa
# set /acl data1 is denied
[zk: localhost:2181(CONNECTED) 2] set /acl data1
Authentication is not valid : /acl
# create /acl/child2 is denied
[zk: localhost:2181(CONNECTED) 4] create /acl/child2 data
Authentication is not valid : /acl/child2
# Wrong credentials, yet no message at all, which is annoying
[zk: localhost:2181(CONNECTED) 5] addauth use1 12345
# Correct credentials
[zk: localhost:2181(CONNECTED) 10] addauth digest use1 123456
# The child node can now be created
[zk: localhost:2181(CONNECTED) 11] create /acl/child2 data
Created /acl/child2
# The node's data can now be updated
[zk: localhost:2181(CONNECTED) 12] set /acl data1
cZxid = 0x4c
ctime = Thu May 18 14:58:06 CST 2023
mZxid = 0x59
mtime = Thu May 18 15:15:51 CST 2023
pZxid = 0x58
cversion = 2
dataVersion = 1
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 5
numChildren = 2
# Create path=/aclDigest
[zk: localhost:2181(CONNECTED) 5] create /aclDigest data
Created /aclDigest
# Get the ACL of path=/aclDigest
[zk: localhost:2181(CONNECTED) 6] getAcl /aclDigest
'world,'anyone
: cdrwa
# Set the ACL with scheme=digest. This succeeds without authenticating first as scheme=auth requires, but the digest must be generated beforehand; how to generate it is shown below
[zk: localhost:2181(CONNECTED) 7] setAcl /aclDigest digest:user3:SzpfOOuDCdri8p4n7oIaFCZpXeE=:cdrwa
cZxid = 0x71
ctime = Thu May 18 15:45:11 CST 2023
mZxid = 0x71
mtime = Thu May 18 15:45:11 CST 2023
pZxid = 0x71
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 4
numChildren = 0
# Check the ACL of path=/aclDigest: the change succeeded
[zk: localhost:2181(CONNECTED) 8] getAcl /aclDigest
'digest,'user3:SzpfOOuDCdri8p4n7oIaFCZpXeE=
: cdrwa
# Creating path=/aclDigest/child is denied
[zk: localhost:2181(CONNECTED) 9] create /aclDigest/child data
Authentication is not valid : /aclDigest/child
# Authenticate
[zk: localhost:2181(CONNECTED) 4] addauth digest user3:123456
# Creating path=/aclDigest/child succeeds
[zk: localhost:2181(CONNECTED) 5] create /aclDigest/child data
Created /aclDigest/child
How to generate the digest for the digest scheme (Linux)
java -Djava.ext.dirs=${zkDir}/lib -cp ${zkDir}/zookeeper-3.4.12.jar org.apache.zookeeper.server.auth.DigestAuthenticationProvider ${user}:${passwd}
# The ip scheme is straightforward
setAcl ${path} ip:${ip}:cdrwa
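As an added example (my own code, not the post's or ZooKeeper's), here is a small Python model of the rules the sessions above demonstrate: the digest id is SHA-1 over the whole user:password string, which is what the DigestAuthenticationProvider command above is given; a setAcl with scheme auth is stored as digest entries for the ids the session authenticated with addauth; every node is checked against its own ACL only; and an ip id matches on the network prefix. The functions store_acl and allowed are a hypothetical simplification of the server-side checks, not ZooKeeper's API.

```python
import base64
import hashlib
import ipaddress

def generate_digest(user: str, password: str) -> str:
    """Digest-scheme id "user:BASE64(SHA1(user:password))", as DigestAuthenticationProvider builds it."""
    raw = f"{user}:{password}".encode()
    return user + ":" + base64.b64encode(hashlib.sha1(raw).digest()).decode()

def parse_acl(entry: str) -> tuple:
    """Parse "scheme:id:perms" into (scheme, id, set of perms); the id may itself contain ':'."""
    scheme, rest = entry.split(":", 1)
    ident, perms = rest.rsplit(":", 1)
    bad = set(perms) - set("cdrwa")  # create, delete, read, write, admin
    if bad:
        raise ValueError(f"unknown permission letters {sorted(bad)} in {entry!r}")
    return scheme, ident, set(perms)

def store_acl(entries, session_digests=()):
    """Model setAcl: an "auth:" entry is stored as digest entries for every id the session has
    authenticated with addauth, which is why getAcl afterwards shows scheme digest, not auth."""
    stored = []
    for scheme, ident, perms in map(parse_acl, entries):
        if scheme == "auth":
            if not session_digests:
                raise ValueError("Acl is not valid: scheme auth needs a prior addauth")
            stored += [("digest", d, perms) for d in session_digests]
        else:
            stored.append((scheme, ident, perms))
    return stored

def id_matches(scheme, ident, session_digests, client_ip):
    if scheme == "world":
        return ident == "anyone"
    if scheme == "digest":
        return ident in session_digests
    if scheme == "ip":  # "addr/bits" matches on the leading bits, e.g. 192.168.1.0/16
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(ident, strict=False)
    return False

def allowed(node_acl, perm, session_digests=(), client_ip="127.0.0.1"):
    """True if some entry of this node's own ACL matches the session and grants perm.
    ACLs are not inherited: the parent's ACL is never consulted for the child."""
    return any(perm in perms and id_matches(s, i, session_digests, client_ip)
               for s, i, perms in node_acl)

if __name__ == "__main__":  # constructed inputs mirroring the /wusp session above
    wusp, child = store_acl(["world:anyone:drwa"]), store_acl(["world:anyone:cdrwa"])
    print("create /wusp/child:", allowed(wusp, "c"), " get /wusp/child:", allowed(child, "r"))
```

The second print shows why get /wusp/child kept working after r was removed from /wusp: the child's own ACL still carries r.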