zookeeper权限控制

guduadmin37月前

ACL全称为Access Control List（访问控制列表），用于控制资源的访问权限。分为三个维度：scheme、id、permission，schema代表授权策略，id代表用户，permission代表权限。

scheme:id

world: 它下面只有一个 id, 叫 anyone, world:anyone 代表任何人，zookeeper 中对所有人有权限的结点就是属于 world:anyone 的
auth: 它不需要 id, 只要是通过 authentication 的 user 都有权限（zookeeper 支持通过 kerberos 来进行 authencation, 也支持 username:password 形式的 authentication)

digest: 它对应的 id 为 username:BASE64(SHA1(password))，它需要先通过 username:password 形式的 authentication

ip: 它对应的 id 为客户机的 IP 地址，设置的时候可以设置一个 ip 段，比如 ip:192.168.1.0/16, 表示匹配前 16 个 bit 的 IP

permission(权限)

权限	权限描述
c	create:创建权限，在该path下创建子节点的权限
d	delete：删除权限,删除该path节点下子节点的权限
r	read:读权限读取当前节点的data属性的权限
w	write:写权限，允许更新当前节点的data
a	admin:管理员权限，允许对改节点的acl权限进行管理

create权限

#设置/wusp的权限为drwa,少了c
setAcl /wusp world:anyone:drwa
cZxid = 0x4
ctime = Sun May 14 17:33:09 CST 2023
mZxid = 0x5
mtime = Sun May 14 17:52:57 CST 2023
pZxid = 0x4
cversion = 0
dataVersion = 1
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 8
numChildren = 0
#创建子节点的时候权限不足
[zk: localhost:2181(CONNECTED) 21] create /wusp/child data
Authentication is not valid : /wusp/child

#给/wusp加上create权限
[zk: localhost:2181(CONNECTED) 22] setAcl /wusp world:anyone:cdrwa
cZxid = 0x4
ctime = Sun May 14 17:33:09 CST 2023
mZxid = 0x5
mtime = Sun May 14 17:52:57 CST 2023
pZxid = 0x4
cversion = 0
dataVersion = 1
aclVersion = 2
ephemeralOwner = 0x0
dataLength = 8
numChildren = 0
#子节点创建成功
[zk: localhost:2181(CONNECTED) 23] create /wusp/child data
Created /wusp/child

delete权限

#移除delete权限
[zk: localhost:2181(CONNECTED) 24] setAcl /wusp world:anyone:crwa
cZxid = 0x4
ctime = Sun May 14 17:33:09 CST 2023
mZxid = 0x5
mtime = Sun May 14 17:52:57 CST 2023
pZxid = 0x35
cversion = 1
dataVersion = 1
aclVersion = 3
ephemeralOwner = 0x0
dataLength = 8
numChildren = 1
#rmr命令提示权限不足
[zk: localhost:2181(CONNECTED) 25] rmr /wusp
Authentication is not valid : /wusp/child
#delete命令提示权限不足
[zk: localhost:2181(CONNECTED) 26] delete /wusp/child
Authentication is not valid : /wusp/child

#增加delete权限
[zk: localhost:2181(CONNECTED) 27] setAcl /wusp world:anyone:cdrwa
cZxid = 0x4
ctime = Sun May 14 17:33:09 CST 2023
mZxid = 0x5
mtime = Sun May 14 17:52:57 CST 2023
pZxid = 0x35
cversion = 1
dataVersion = 1
aclVersion = 4
ephemeralOwner = 0x0
dataLength = 8
numChildren = 1
#/wusp/child节点成功删除
[zk: localhost:2181(CONNECTED) 28] delete /wusp/child
[zk: localhost:2181(CONNECTED) 29]

read权限

#新增/wusp/child节点
[zk: localhost:2181(CONNECTED) 29] create /wusp/child data
Created /wusp/child
#移除read权限
[zk: localhost:2181(CONNECTED) 32] setAcl /wusp world:anyone:cdwa
cZxid = 0x4
ctime = Sun May 14 17:33:09 CST 2023
mZxid = 0x5
mtime = Sun May 14 17:52:57 CST 2023
pZxid = 0x3b
cversion = 3
dataVersion = 1
aclVersion = 5
ephemeralOwner = 0x0
dataLength = 8
numChildren = 1
#获取/wusp节点的data,提示权限不足
[zk: localhost:2181(CONNECTED) 33] get /wusp
Authentication is not valid : /wusp
#但是成功获取/wusp/child几点的data
[zk: localhost:2181(CONNECTED) 35] get /wusp/child
data
cZxid = 0x3b
ctime = Wed May 17 21:13:06 CST 2023
mZxid = 0x3b
mtime = Wed May 17 21:13:06 CST 2023
pZxid = 0x3b
cversion = 0
dataVersion = 0
aclVersion = 0
ephemeralOwner = 0x0
dataLength = 4
numChildren = 0
[zk: localhost:2181(CONNECTED) 36] getAcl /wusp
'world,'anyone
: cdwa
[zk: localhost:2181(CONNECTED) 37] getAcl /wusp/child
'world,'anyone
: cdrwa

write权限

#移除write权限
[zk: localhost:2181(CONNECTED) 38] setAcl /wusp world:anyone:cdra
cZxid = 0x4
ctime = Sun May 14 17:33:09 CST 2023
mZxid = 0x5
mtime = Sun May 14 17:52:57 CST 2023
pZxid = 0x3b
cversion = 3
dataVersion = 1
aclVersion = 6
ephemeralOwner = 0x0
dataLength = 8
numChildren = 1
#修改/wusp的data属性，提示权限不足
[zk: localhost:2181(CONNECTED) 39] set /wusp data1
Authentication is not valid : /wusp
#成功修改/wusp/child的data属性】
[zk: localhost:2181(CONNECTED) 40] set /wusp/child data2
cZxid = 0x3b
ctime = Wed May 17 21:13:06 CST 2023
mZxid = 0x3f
mtime = Wed May 17 21:20:37 CST 2023
pZxid = 0x3b
cversion = 0
dataVersion = 1
aclVersion = 0
ephemeralOwner = 0x0
dataLength = 5
numChildren = 0

admin

#移除admin权限
[zk: localhost:2181(CONNECTED) 41] setAcl /wusp world:anyone:cdrw
cZxid = 0x4
ctime = Sun May 14 17:33:09 CST 2023
mZxid = 0x5
mtime = Sun May 14 17:52:57 CST 2023
pZxid = 0x3b
cversion = 3
dataVersion = 1
aclVersion = 7
ephemeralOwner = 0x0
dataLength = 8
numChildren = 1
#修改acl权限时，提示权限不足。
#这里有个问题，admin权限移除后，怎么添加上?
[zk: localhost:2181(CONNECTED) 42] setAcl /wusp world:anyone:cdrwa
Authentication is not valid : /wusp

ACL命令

getAcl 获取指定节点的 ACL 信息
setAcl 设置指定节点的 ACL 信息

addauth 输入认证授权信息，注册时输入明文密码，加密形式保存

#新增/acl节点
[zk: localhost:2181(CONNECTED) 3] create /acl data
Created /acl
#默认acl为 world:anyone:cdrwa
[zk: localhost:2181(CONNECTED) 4] getAcl /acl
'world,'anyone
: cdrwa

scheme为auth和digest的区别？

总结：（先看下面的代码信息，然后在来看这个总结的内容）

auth 用明文设置授权信息，但需要先创建用户。

digest是密文设置授权信息，可以不先创建用户

#设置path=/acl的ACL信息，设置失败，因为没有创建用户user1
[zk: localhost:2181(CONNECTED) 6] setAcl /acl auth:user1:123456:crwa
Acl is not valid : /acl
#addauth digest创建use1。注：这里应该是user1，但手敲命令时敲成了use1，并不影响后续的理解
[zk: localhost:2181(CONNECTED) 7] addauth digest use1 123456
# 使用scheme=auth的形式设置ACL信息
[zk: localhost:2181(CONNECTED) 8] setAcl /acl auth:use1:123456:crwa
cZxid = 0x4c
ctime = Thu May 18 14:58:06 CST 2023
mZxid = 0x4c
mtime = Thu May 18 14:58:06 CST 2023
pZxid = 0x4c
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 4
numChildren = 0
# 使用scheme=auth以明文设置ACL信息,展示的是密文的形式
[zk: localhost:2181(CONNECTED) 9] getAcl /acl
'digest,'use1:Bw00EEOEYvTk9+7ckGoBdAICO4Q=
: crwa

#成功创建path=acl/child
[zk: localhost:2181(CONNECTED) 10] create /acl/child data
Created /acl/child
#退出客户端
[zk: localhost:2181(CONNECTED) 11] 	quit
#重新登陆zkCli,输入ls /命令
ls/
[zookeeper, acl, persistent, wusp]
# getAcl /acl
[zk: localhost:2181(CONNECTED) 1] getAcl /acl
'digest,'use1:Bw00EEOEYvTk9+7ckGoBdAICO4Q=
: crwa
# set /acl data1，提示权限不足
[zk: localhost:2181(CONNECTED) 2] set /acl data1
Authentication is not valid : /acl
#create /acl/child2，提示权限不足
[zk: localhost:2181(CONNECTED) 4] create /acl/child2 data
Authentication is not valid : /acl/child2
#权限认证错误，但却没有任何提示，这个挺讨厌的
[zk: localhost:2181(CONNECTED) 5] addauth use1 12345
#权限正确认证
[zk: localhost:2181(CONNECTED) 10] addauth digest use1 123456
# 可以创建子节点
[zk: localhost:2181(CONNECTED) 11] create /acl/child2 data
Created /acl/child2
# 可以修改节点的data属性
[zk: localhost:2181(CONNECTED) 12] set /acl data1
cZxid = 0x4c
ctime = Thu May 18 14:58:06 CST 2023
mZxid = 0x59
mtime = Thu May 18 15:15:51 CST 2023
pZxid = 0x58
cversion = 2
dataVersion = 1
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 5
numChildren = 2

#新增path=/aclDigest
[zk: localhost:2181(CONNECTED) 5] create /aclDigest data
Created /aclDigest
#获取path =/aclDigest的ACL信息
[zk: localhost:2181(CONNECTED) 6] getAcl /aclDigest
'world,'anyone
: cdrwa
#以scheme=digest的形式设置ACL信息，这里设置成功了，这里没有向scheme=auth那样先认证授权，但需要先生成密文，生成方式如下
[zk: localhost:2181(CONNECTED) 7] setAcl /aclDigest digest:user3:SzpfOOuDCdri8p4n7oIaFCZpXeE=:cdrwa
cZxid = 0x71
ctime = Thu May 18 15:45:11 CST 2023
mZxid = 0x71
mtime = Thu May 18 15:45:11 CST 2023
pZxid = 0x71
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 4
numChildren = 0
#查看path=/aclDigest的ACL信息，修改配置成功
[zk: localhost:2181(CONNECTED) 8] getAcl /aclDigest
'digest,'user3:SzpfOOuDCdri8p4n7oIaFCZpXeE=
: cdrwa
#新增path=/aclDigest/child,提示权限不足
[zk: localhost:2181(CONNECTED) 9] create /aclDigest/child data
Authentication is not valid : /aclDigest/child
#认证授权信息
[zk: localhost:2181(CONNECTED) 4] addauth digest user3:123456
#新增path=/aclDigest/child成功
[zk: localhost:2181(CONNECTED) 5] create /aclDigest/child data
Created /aclDigest/child

scheme生成密文的方式（linux）

java -Djava.ext.dirs=${zkDir}/lib -cp  ${zkDir}/zookeeper-3.4.12.jar  org.apache.zookeeper.server.auth.DigestAuthenticationProvider ${user}:${passwd}

zookeeper权限控制,在这里插入图片描述,第1张

#ip的方式很好理解
setAcl ${path} ip:${ip}:cdrwa

db标签

网友评论

搜索: Search

最新文章

热门文章