Configuring the ACL of the current node with the ZooKeeper client zkCli.sh

Steps

1. Connect to the running ZooKeeper service with the client and inspect the current node:

#./bin/zkCli.sh

Connecting to localhost:2181
2020-01-14 10:01:21,694 [myid:] - INFO  [main:Environment@100] - Client environment:zookeeper.version=3.4.14-4c25d480e66aadd371de8bd2fd8da255ac140bcf, built on 03/06/2019 16:18 GMT
2020-01-14 10:01:21,697 [myid:] - INFO  [main:Environment@100] - Client environment:host.name=dianliangcaiji.novalocal
2020-01-14 10:01:21,697 [myid:] - INFO  [main:Environment@100] - Client environment:java.version=1.8.0_201
2020-01-14 10:01:21,705 [myid:] - INFO  [main:Environment@100] - Client environment:java.vendor=Oracle Corporation
2020-01-14 10:01:21,705 [myid:] - INFO  [main:Environment@100] - Client environment:java.home=/home/ocr/jdk1.8.0_201/jre
2020-01-14 10:01:21,706 [myid:] - INFO  [main:Environment@100] - Client environment:java.class.path=/usr/local/zookeeper-3.4.14/bin/../zookeeper-server/target/classes:/usr/local/zookeeper-3.4.14/bin/../build/classes:/usr/local/zookeeper-3.4.14/bin/../zookeeper-server/target/lib/*.jar:/usr/local/zookeeper-3.4.14/bin/../build/lib/*.jar:/usr/local/zookeeper-3.4.14/bin/../lib/slf4j-log4j12-1.7.25.jar:/usr/local/zookeeper-3.4.14/bin/../lib/slf4j-api-1.7.25.jar:/usr/local/zookeeper-3.4.14/bin/../lib/netty-3.10.6.Final.jar:/usr/local/zookeeper-3.4.14/bin/../lib/log4j-1.2.17.jar:/usr/local/zookeeper-3.4.14/bin/../lib/jline-0.9.94.jar:/usr/local/zookeeper-3.4.14/bin/../lib/audience-annotations-0.5.0.jar:/usr/local/zookeeper-3.4.14/bin/../zookeeper-3.4.14.jar:/usr/local/zookeeper-3.4.14/bin/../zookeeper-server/src/main/resources/lib/*.jar:/usr/local/zookeeper-3.4.14/bin/../conf:
2020-01-14 10:01:21,706 [myid:] - INFO  [main:Environment@100] - Client environment:java.library.path=/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
2020-01-14 10:01:21,706 [myid:] - INFO  [main:Environment@100] - Client environment:java.io.tmpdir=/tmp
2020-01-14 10:01:21,706 [myid:] - INFO  [main:Environment@100] - Client environment:java.compiler=<NA>
2020-01-14 10:01:21,706 [myid:] - INFO  [main:Environment@100] - Client environment:os.name=Linux
2020-01-14 10:01:21,706 [myid:] - INFO  [main:Environment@100] - Client environment:os.arch=amd64
2020-01-14 10:01:21,706 [myid:] - INFO  [main:Environment@100] - Client environment:os.version=3.10.0-693.11.6.el7.x86_64
2020-01-14 10:01:21,706 [myid:] - INFO  [main:Environment@100] - Client environment:user.name=root
2020-01-14 10:01:21,706 [myid:] - INFO  [main:Environment@100] - Client environment:user.home=/root
2020-01-14 10:01:21,706 [myid:] - INFO  [main:Environment@100] - Client environment:user.dir=/usr/local/zookeeper-3.4.14
2020-01-14 10:01:21,707 [myid:] - INFO  [main:ZooKeeper@442] - Initiating client connection, connectString=localhost:2181 sessionTimeout=30000 watcher=org.apache.zookeeper.ZooKeeperMain$MyWatcher@5ce65a89
Welcome to ZooKeeper!
2020-01-14 10:01:21,769 [myid:] - INFO  [main-SendThread(localhost:2181):ClientCnxn$SendThread@1025] - Opening socket connection to server localhost/127.0.0.1:2181. Will not attempt to authenticate using SASL (unknown error)
JLine support is enabled
2020-01-14 10:01:22,037 [myid:] - INFO  [main-SendThread(localhost:2181):ClientCnxn$SendThread@879] - Socket connection established to localhost/127.0.0.1:2181, initiating session
2020-01-14 10:01:22,100 [myid:] - INFO  [main-SendThread(localhost:2181):ClientCnxn$SendThread@1299] - Session establishment complete on server localhost/127.0.0.1:2181, sessionid = 0x101eeb3e0180000, negotiated timeout = 30000

WATCHER::

WatchedEvent state:SyncConnected type:None path:null
[zk: localhost:2181(CONNECTED) 0]
[zk: localhost:2181(CONNECTED) 0] ls /                ## list what the ZooKeeper tree currently contains
[zookeeper]
[zk: localhost:2181(CONNECTED) 1] ls2 /     ## show the current ZooKeeper contents in more detail
[zookeeper]
cZxid = 0x0
ctime = Thu Jan 01 08:00:00 CST 1970
mZxid = 0x0
mtime = Thu Jan 01 08:00:00 CST 1970
pZxid = 0x0
cversion = -1
dataVersion = 0
aclVersion = 0
ephemeralOwner = 0x0
dataLength = 0
numChildren = 1

2. Create an ACL authentication user

[zk: localhost:2181(CONNECTED) 4] addauth digest root:123456

If the hashed form of the password is needed, run the following command:
echo -n root:123456 | openssl dgst -binary -sha1 | openssl base64
The command above turns the plaintext password into a base64-encoded SHA1 digest; when setting the ACL, the password is then written as that base64 value:
4Pn5A64fVZyQ0gOJ8ZWqkY=:drawc

3. Configure the ACL permissions of the current ZooKeeper node

[zk: localhost:2181(CONNECTED) 17] setAcl /zookeeper auth:root:123456:cdrwa
cZxid = 0x0
ctime = Thu Jan 01 08:00:00 CST 1970
mZxid = 0x0
mtime = Thu Jan 01 08:00:00 CST 1970
pZxid = 0x0
cversion = -1
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 0
numChildren = 1

Note:
An ACL has three parts: the scheme, the id (user), and the permissions, normally written as scheme:id:permissions. auth is the scheme that grants the node's permissions to authenticated users.

scheme

world: it has only one id, anyone; world:anyone means everybody, and a node in ZooKeeper that everybody has permission on belongs to world:anyone.

auth: it needs no id; any user who has passed authentication has the permission (ZooKeeper supports Kerberos authentication as well as username/password authentication).

digest: its id is username:BASE64(SHA1(password)); it requires prior authentication in username:password form.

ip: its id is the client's IP address; a range can be given when setting it, e.g. ip:192.168.1.0/16, which matches on the first 16 bits of the address.

super: under this scheme the id has super privileges and can do anything (cdrwa).

permissions

CREATE (c): create permission; can create child nodes under the current node

DELETE (d): delete permission; can delete the current node

READ (r): read permission; can get the current node's data and list all of its child nodes

WRITE (w): write permission; can write data to the current node

ADMIN (a): admin permission; can set the current node's permissions

In summary, a simple use of the setAcl command looks like:

Example: setAcl /zookeeper/node1 world:anyone:cdrw
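As an added example for steps 2 and 3 above (not code from this post or from ZooKeeper itself), the following Python reproduces the openssl pipeline that derives the digest id from the user:password string, validates a permission string against ZooKeeper's c/d/r/w/a bits, and builds the setAcl line in digest form so the ACL stores the hash rather than the plaintext; the credentials root:123456 are the post's sample values, and the function names are my own.

```python
import base64
import hashlib
from typing import Tuple

# Permission bits as ZooKeeper's ZooDefs.Perms defines them
# (r=READ, w=WRITE, c=CREATE, d=DELETE, a=ADMIN); "cdrwa" is 31.
PERM_BITS = {"r": 1, "w": 2, "c": 4, "d": 8, "a": 16}


def sha1_b64(data: bytes) -> str:
    """BASE64(SHA1(data)), the same transform as `openssl dgst -binary -sha1 | openssl base64`."""
    return base64.b64encode(hashlib.sha1(data).digest()).decode("ascii")


def digest_id(user: str, password: str) -> str:
    """Id of a digest ACL entry: user:BASE64(SHA1("user:password")), the bytes the openssl pipe hashes."""
    return f"{user}:{sha1_b64(f'{user}:{password}'.encode('utf-8'))}"


def perms_mask(perms: str) -> int:
    """Convert a permission string such as 'cdrwa' to ZooKeeper's bitmask.
    Unknown or repeated letters are rejected so a typo cannot pass unnoticed."""
    mask = 0
    for ch in perms:
        bit = PERM_BITS.get(ch)
        if bit is None or mask & bit:
            raise ValueError(f"bad permission string: {perms!r}")
        mask |= bit
    return mask


def set_acl_command(path: str, user: str, password: str, perms: str) -> str:
    """Build the zkCli setAcl line in digest form (what getAcl shows after
    auth:user:password was used), so the plaintext password is never stored."""
    perms_mask(perms)  # validate before emitting anything
    return f"setAcl {path} digest:{digest_id(user, password)}:{perms}"


def parse_acl(entry: str) -> Tuple[str, str, int]:
    """Split 'scheme:id:perms' into (scheme, id, mask); the id may itself contain ':'."""
    scheme, _, rest = entry.partition(":")
    ident, sep, perms = rest.rpartition(":")
    if not scheme or not sep or not ident:
        raise ValueError(f"malformed ACL entry: {entry!r}")
    return scheme, ident, perms_mask(perms)


if __name__ == "__main__":  # constructed sample credentials, not a real deployment
    print(set_acl_command("/zookeeper", "root", "123456", "cdrwa"))
```

Compare the id part of the generated line with what getAcl prints after step 3; they must match byte for byte, otherwise the client's addauth will not satisfy the ACL.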

4. Verify the ACL

[zk: localhost:2181(CONNECTED) 18] getAcl /zookeeper
'digest,'root:0Fd0NdkiOPwY3b04Eh1/Wlqh9Qb=
: cdrwa
Exit the client:
quit
Reconnect with the client: ./zkCli.sh
……
WATCHER::

WatchedEvent state:SyncConnected type:None path:null
[zk: localhost:2181(CONNECTED) 0] ls /zookeeper
Authentication is not valid : /zookeeper             ## no longer accessible without authentication; access is denied
[zk: localhost:2181(CONNECTED) 1] addauth digest root:Admin#123456  // add the credentials, then access again
[zk: localhost:2181(CONNECTED) 2] ls /zookeeper   // accessible now
[quota]
[zk: localhost:2181(CONNECTED) 3] get /zookeeper

cZxid = 0x0
ctime = Thu Jan 01 08:00:00 CST 1970
mZxid = 0x0
mtime = Thu Jan 01 08:00:00 CST 1970
pZxid = 0x0
cversion = -1
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 0
numChildren = 1
[zk: localhost:2181(CONNECTED) 4] 


Note: by default a node's permission is world, open to every client, which is insecure; access can instead be controlled with the auth scheme.
