本文共 6044 字，大约阅读时间需要 20 分钟。

操作步骤

1、利用客户端连接当前zookeeper服务并查看当前节点信息：

#./bin/zkCli.sh

Connecting to localhost:21812020-01-14 10:01:21,694 [myid:] - INFO  [main:Environment@100] - Client environment:zookeeper.version=3.4.14-4c25d480e66aadd371de8bd2fd8da255ac140bcf, built on 03/06/2019 16:18 GMT2020-01-14 10:01:21,697 [myid:] - INFO  [main:Environment@100] - Client environment:host.name=dianliangcaiji.novalocal2020-01-14 10:01:21,697 [myid:] - INFO  [main:Environment@100] - Client environment:java.version=1.8.0_2012020-01-14 10:01:21,705 [myid:] - INFO  [main:Environment@100] - Client environment:java.vendor=Oracle Corporation2020-01-14 10:01:21,705 [myid:] - INFO  [main:Environment@100] - Client environment:java.home=/home/ocr/jdk1.8.0_201/jre2020-01-14 10:01:21,706 [myid:] - INFO  [main:Environment@100] - Client environment:java.class.path=/usr/local/zookeeper-3.4.14/bin/../zookeeper-server/target/classes:/usr/local/zookeeper-3.4.14/bin/../build/classes:/usr/local/zookeeper-3.4.14/bin/../zookeeper-server/target/lib/*.jar:/usr/local/zookeeper-3.4.14/bin/../build/lib/*.jar:/usr/local/zookeeper-3.4.14/bin/../lib/slf4j-log4j12-1.7.25.jar:/usr/local/zookeeper-3.4.14/bin/../lib/slf4j-api-1.7.25.jar:/usr/local/zookeeper-3.4.14/bin/../lib/netty-3.10.6.Final.jar:/usr/local/zookeeper-3.4.14/bin/../lib/log4j-1.2.17.jar:/usr/local/zookeeper-3.4.14/bin/../lib/jline-0.9.94.jar:/usr/local/zookeeper-3.4.14/bin/../lib/audience-annotations-0.5.0.jar:/usr/local/zookeeper-3.4.14/bin/../zookeeper-3.4.14.jar:/usr/local/zookeeper-3.4.14/bin/../zookeeper-server/src/main/resources/lib/*.jar:/usr/local/zookeeper-3.4.14/bin/../conf:2020-01-14 10:01:21,706 [myid:] - INFO  [main:Environment@100] - Client environment:java.library.path=/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib2020-01-14 10:01:21,706 [myid:] - INFO  [main:Environment@100] - Client environment:java.io.tmpdir=/tmp2020-01-14 10:01:21,706 [myid:] - INFO  [main:Environment@100] - Client environment:java.compiler=
   
    2020-01-14 10:01:21,706 [myid:] - INFO  [main:Environment@100] - Client environment:os.name=Linux2020-01-14 10:01:21,706 [myid:] - INFO  [main:Environment@100] - Client environment:os.arch=amd642020-01-14 10:01:21,706 [myid:] - INFO  [main:Environment@100] - Client environment:os.version=3.10.0-693.11.6.el7.x86_642020-01-14 10:01:21,706 [myid:] - INFO  [main:Environment@100] - Client environment:user.name=root2020-01-14 10:01:21,706 [myid:] - INFO  [main:Environment@100] - Client environment:user.home=/root2020-01-14 10:01:21,706 [myid:] - INFO  [main:Environment@100] - Client environment:user.dir=/usr/local/zookeeper-3.4.142020-01-14 10:01:21,707 [myid:] - INFO  [main:ZooKeeper@442] - Initiating client connection, connectString=localhost:2181 sessionTimeout=30000 watcher=org.apache.zookeeper.ZooKeeperMain$MyWatcher@5ce65a89Welcome to ZooKeeper!2020-01-14 10:01:21,769 [myid:] - INFO  [main-SendThread(localhost:2181):ClientCnxn$SendThread@1025] - Opening socket connection to server localhost/127.0.0.1:2181. Will not attempt to authenticate using SASL (unknown error)JLine support is enabled2020-01-14 10:01:22,037 [myid:] - INFO  [main-SendThread(localhost:2181):ClientCnxn$SendThread@879] - Socket connection established to localhost/127.0.0.1:2181, initiating session2020-01-14 10:01:22,100 [myid:] - INFO  [main-SendThread(localhost:2181):ClientCnxn$SendThread@1299] - Session establishment complete on server localhost/127.0.0.1:2181, sessionid = 0x101eeb3e0180000, negotiated timeout = 30000WATCHER::WatchedEvent state:SyncConnected type:None path:null[zk: localhost:2181(CONNECTED) 0][zk: localhost:2181(CONNECTED) 0] ls /                ##查看当前 ZooKeeper 中所包含的内容[zookeeper][zk: localhost:2181(CONNECTED) 1] ls2 /     ##更详细显示当前ZooKeeper 中内容[zookeeper]cZxid = 0x0ctime = Thu Jan 01 08:00:00 CST 1970mZxid = 0x0mtime = Thu Jan 01 08:00:00 CST 1970pZxid = 0x0cversion = -1dataVersion = 0aclVersion = 0ephemeralOwner = 0x0dataLength = 0numChildren = 1
   

2、创建一个ACL认证用户

[zk: localhost:2181(CONNECTED) 4] addauth digest root:123456

如果需要加密，可执行以下命令：

echo -n root:123456 | openssl dgst -binary -sha1 | openssl base64 上述命令可将明文密码加密为base64的编码，对应在配置acl的set时密码写成改base64编码： 4Pn5A64fVZyQ0gOJ8ZWqkY=:drawc

3、配置当前zookeeper节点的acl权限

[zk: localhost:2181(CONNECTED) 17] setAcl /zookeeper auth:root:123456:cdrwacZxid = 0x0ctime = Thu Jan 01 08:00:00 CST 1970mZxid = 0x0mtime = Thu Jan 01 08:00:00 CST 1970pZxid = 0x0cversion = -1dataVersion = 0aclVersion = 1ephemeralOwner = 0x0dataLength = 0numChildren = 1

注：

acl由三部分组成：1为scheme，2为user，3为permission，一般情况下表示为scheme🆔permissions。auth为节点创建auth权限认证方式。

scheme

world: 它下面只有一个id, 叫anyone, world:anyone代表任何人，zookeeper中对所有人有权限的结点就是属于world:anyone的

auth: 它不需要id, 只要是通过authentication的user都有权限（zookeeper支持通过kerberos来进行authencation, 也支持username/password形式的authentication)

digest: 它对应的id为username:BASE64(SHA1(password))，它需要先通过username:password形式的authentication

ip: 它对应的id为客户机的IP地址，设置的时候可以设置一个ip段，比如ip:192.168.1.0/16, 表示匹配前16个bit的IP段

super: 在这种scheme情况下，对应的id拥有超级权限，可以做任何事情(cdrwa)

permissions

CREATE©: 创建权限，可以在在当前node下创建child node

DELETE(d): 删除权限，可以删除当前的node

READ®: 读权限，可以获取当前node的数据，可以list当前node所有的child nodes

WRITE(w): 写权限，可以向当前node写数据

ADMIN(a): 管理权限，可以设置当前node的permission

综上，一个简单使用setAcl命令，则可以为：

示例： setAcl /zookeeper/node1 world:anyone:cdrw

4、查看acl验证

[zk: localhost:2181(CONNECTED) 18] getAcl /zookeeper'digest,'root:0Fd0NdkiOPwY3b04Eh1/Wlqh9Qb=: cdrwa退出客户端quit重新连接客户端./zkCli.sh……WATCHER::WatchedEvent state:SyncConnected type:None path:null[zk: localhost:2181(CONNECTED) 0] ls /zookeeperAuthentication is not valid : /zookeeper             ##不能不经验证连接了，没有权限进行访问[zk: localhost:2181(CONNECTED) 1] addauth digest root:Admin#123456  //设置一下权限再访问[zk: localhost:2181(CONNECTED) 2] ls /zookeeper   //已经可访问了[quota][zk: localhost:2181(CONNECTED) 3] get /zookeepercZxid = 0x0ctime = Thu Jan 01 08:00:00 CST 1970mZxid = 0x0mtime = Thu Jan 01 08:00:00 CST 1970pZxid = 0x0cversion = -1dataVersion = 0aclVersion = 1ephemeralOwner = 0x0dataLength = 0numChildren = 1[zk: localhost:2181(CONNECTED) 4]

注：节点默认权限是world，为所有client端开放，这样不安全，我们可基于auth模式进行权限的控制。

转载地址：http://ofwxz.baihongyu.com/