Configuring the ACL of the current node with the ZooKeeper client zkCli.sh
Published: 2019-03-12


Procedure

1. Connect to the running ZooKeeper service with the client and inspect the current node:

#./bin/zkCli.sh

Connecting to localhost:2181
2020-01-14 10:01:21,694 [myid:] - INFO  [main:Environment@100] - Client environment:zookeeper.version=3.4.14-4c25d480e66aadd371de8bd2fd8da255ac140bcf, built on 03/06/2019 16:18 GMT
2020-01-14 10:01:21,697 [myid:] - INFO  [main:Environment@100] - Client environment:host.name=dianliangcaiji.novalocal
2020-01-14 10:01:21,697 [myid:] - INFO  [main:Environment@100] - Client environment:java.version=1.8.0_201
2020-01-14 10:01:21,705 [myid:] - INFO  [main:Environment@100] - Client environment:java.vendor=Oracle Corporation
2020-01-14 10:01:21,705 [myid:] - INFO  [main:Environment@100] - Client environment:java.home=/home/ocr/jdk1.8.0_201/jre
2020-01-14 10:01:21,706 [myid:] - INFO  [main:Environment@100] - Client environment:java.class.path=/usr/local/zookeeper-3.4.14/bin/../zookeeper-server/target/classes:/usr/local/zookeeper-3.4.14/bin/../build/classes:/usr/local/zookeeper-3.4.14/bin/../zookeeper-server/target/lib/*.jar:/usr/local/zookeeper-3.4.14/bin/../build/lib/*.jar:/usr/local/zookeeper-3.4.14/bin/../lib/slf4j-log4j12-1.7.25.jar:/usr/local/zookeeper-3.4.14/bin/../lib/slf4j-api-1.7.25.jar:/usr/local/zookeeper-3.4.14/bin/../lib/netty-3.10.6.Final.jar:/usr/local/zookeeper-3.4.14/bin/../lib/log4j-1.2.17.jar:/usr/local/zookeeper-3.4.14/bin/../lib/jline-0.9.94.jar:/usr/local/zookeeper-3.4.14/bin/../lib/audience-annotations-0.5.0.jar:/usr/local/zookeeper-3.4.14/bin/../zookeeper-3.4.14.jar:/usr/local/zookeeper-3.4.14/bin/../zookeeper-server/src/main/resources/lib/*.jar:/usr/local/zookeeper-3.4.14/bin/../conf:
2020-01-14 10:01:21,706 [myid:] - INFO  [main:Environment@100] - Client environment:java.library.path=/usr/java/packages/lib/amd64:/usr/lib64:/lib64:/lib:/usr/lib
2020-01-14 10:01:21,706 [myid:] - INFO  [main:Environment@100] - Client environment:java.io.tmpdir=/tmp
2020-01-14 10:01:21,706 [myid:] - INFO  [main:Environment@100] - Client environment:java.compiler=
2020-01-14 10:01:21,706 [myid:] - INFO [main:Environment@100] - Client environment:os.name=Linux
2020-01-14 10:01:21,706 [myid:] - INFO [main:Environment@100] - Client environment:os.arch=amd64
2020-01-14 10:01:21,706 [myid:] - INFO [main:Environment@100] - Client environment:os.version=3.10.0-693.11.6.el7.x86_64
2020-01-14 10:01:21,706 [myid:] - INFO [main:Environment@100] - Client environment:user.name=root
2020-01-14 10:01:21,706 [myid:] - INFO [main:Environment@100] - Client environment:user.home=/root
2020-01-14 10:01:21,706 [myid:] - INFO [main:Environment@100] - Client environment:user.dir=/usr/local/zookeeper-3.4.14
2020-01-14 10:01:21,707 [myid:] - INFO [main:ZooKeeper@442] - Initiating client connection, connectString=localhost:2181 sessionTimeout=30000 watcher=org.apache.zookeeper.ZooKeeperMain$MyWatcher@5ce65a89
Welcome to ZooKeeper!
2020-01-14 10:01:21,769 [myid:] - INFO [main-SendThread(localhost:2181):ClientCnxn$SendThread@1025] - Opening socket connection to server localhost/127.0.0.1:2181. Will not attempt to authenticate using SASL (unknown error)
JLine support is enabled
2020-01-14 10:01:22,037 [myid:] - INFO [main-SendThread(localhost:2181):ClientCnxn$SendThread@879] - Socket connection established to localhost/127.0.0.1:2181, initiating session
2020-01-14 10:01:22,100 [myid:] - INFO [main-SendThread(localhost:2181):ClientCnxn$SendThread@1299] - Session establishment complete on server localhost/127.0.0.1:2181, sessionid = 0x101eeb3e0180000, negotiated timeout = 30000
WATCHER::
WatchedEvent state:SyncConnected type:None path:null
[zk: localhost:2181(CONNECTED) 0]
[zk: localhost:2181(CONNECTED) 0] ls / ## list what ZooKeeper currently contains
[zookeeper]
[zk: localhost:2181(CONNECTED) 1] ls2 / ## show the current ZooKeeper contents in more detail
[zookeeper]
cZxid = 0x0
ctime = Thu Jan 01 08:00:00 CST 1970
mZxid = 0x0
mtime = Thu Jan 01 08:00:00 CST 1970
pZxid = 0x0
cversion = -1
dataVersion = 0
aclVersion = 0
ephemeralOwner = 0x0
dataLength = 0
numChildren = 1

2. Create an ACL authentication user

[zk: localhost:2181(CONNECTED) 4] addauth digest root:123456

If the password should be hashed rather than given in plaintext, run the following command:

echo -n root:123456 | openssl dgst -binary -sha1 | openssl base64
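The command above converts the plaintext credential into a Base64-encoded SHA-1 digest. When setting the ACL, write that Base64 value in place of the password: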
4Pn5A64fVZyQ0gOJ8ZWqkY=:drawc

3. Set the ACL permissions on the current ZooKeeper node

[zk: localhost:2181(CONNECTED) 17] setAcl /zookeeper auth:root:123456:cdrwa
cZxid = 0x0
ctime = Thu Jan 01 08:00:00 CST 1970
mZxid = 0x0
mtime = Thu Jan 01 08:00:00 CST 1970
pZxid = 0x0
cversion = -1
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 0
numChildren = 1

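Notes:

An ACL entry has three parts: 1 is the scheme, 2 is the user, 3 is the permission. It is normally written as scheme:id:permissions. Here auth selects the auth authentication scheme for the node.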

scheme

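world: has a single id, anyone. world:anyone means anybody; nodes in ZooKeeper on which everyone has permissions belong to world:anyone.

auth: needs no id; any user who has passed authentication has permission (ZooKeeper supports authentication through Kerberos as well as username/password authentication).

digest: its id is username:BASE64(SHA1(password)); the client must first authenticate in the username:password form.

ip: its id is the client's IP address. A range can be given when setting it, for example ip:192.168.1.0/16, which matches the IP range on its first 16 bits.

super: under this scheme the corresponding id has superuser rights and can do anything (cdrwa).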

permissions

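CREATE(c): create permission; child nodes can be created under the current node

DELETE(d): delete permission; the current node can be deleted

READ(r): read permission; the current node's data can be read and all of its child nodes can be listed

WRITE(w): write permission; data can be written to the current node

ADMIN(a): admin permission; the current node's permissions can be set

Putting this together, a simple use of the setAcl command looks like this:

Example: setAcl /zookeeper/node1 world:anyone:cdrw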

4. View the ACL and verify it

[zk: localhost:2181(CONNECTED) 18] getAcl /zookeeper
'digest,'root:0Fd0NdkiOPwY3b04Eh1/Wlqh9Qb=
: cdrwa

Exit the client:
quit

Reconnect the client:
./zkCli.sh
……
WATCHER::
WatchedEvent state:SyncConnected type:None path:null
[zk: localhost:2181(CONNECTED) 0] ls /zookeeper
Authentication is not valid : /zookeeper             ## access without authentication is no longer possible; no permission
[zk: localhost:2181(CONNECTED) 1] addauth digest root:Admin#123456  // authenticate first, then access again
[zk: localhost:2181(CONNECTED) 2] ls /zookeeper   // now accessible
[quota]
[zk: localhost:2181(CONNECTED) 3] get /zookeeper
cZxid = 0x0
ctime = Thu Jan 01 08:00:00 CST 1970
mZxid = 0x0
mtime = Thu Jan 01 08:00:00 CST 1970
pZxid = 0x0
cversion = -1
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 0
numChildren = 1
[zk: localhost:2181(CONNECTED) 4]

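Note: a node's default permission is world, which is open to every client. That is not secure, so we can control permissions with the auth scheme instead.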
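
The Python sketch below is an added example, not code from the original post. It reproduces the openssl command from step 2 (the SHA-1 is taken over the whole username:password string), parses scheme:id:permissions entries, and flags world entries such as the default described in the note above. The function names and the sample znode paths are assumptions made for illustration.

```python
import base64
import hashlib

PERM_LETTERS = set("cdrwa")  # create, delete, read, write, admin


def digest_id(username, password):
    """Id for a digest ACL: username + ":" + Base64(SHA-1("username:password")).
    Same value as: echo -n user:pass | openssl dgst -binary -sha1 | openssl base64"""
    raw = hashlib.sha1(f"{username}:{password}".encode()).digest()
    return f"{username}:{base64.b64encode(raw).decode()}"


def parse_acl(entry):
    """Split scheme:id:perms. A digest id contains ':' itself, so the scheme is
    taken from the left and the permission letters from the right."""
    scheme, _, rest = entry.partition(":")
    ident, sep, perms = rest.rpartition(":")
    if not scheme or not sep or not perms or not set(perms) <= PERM_LETTERS:
        raise ValueError(f"malformed ACL entry: {entry!r}")
    return scheme, ident, set(perms)


def audit(acls):
    """Return (path, entry, reason) for entries that leave a znode exposed."""
    findings = []
    for path, entries in acls.items():
        for entry in entries:
            scheme, ident, perms = parse_acl(entry)
            if scheme == "world" and perms & set("cdwa"):
                findings.append((path, entry, "anyone can modify"))
            elif scheme == "world":
                findings.append((path, entry, "anyone can read"))
            elif scheme == "digest" and len(ident.split(":", 1)[-1]) != 28:
                # Base64 of a 20-byte SHA-1 is always 28 characters.
                findings.append((path, entry, "id is not a SHA-1 digest"))
    return findings


# Constructed sample (hypothetical paths), as gathered with getAcl per znode.
SAMPLE = {
    "/zookeeper": ["digest:" + digest_id("root", "123456") + ":cdrwa"],
    "/zookeeper/node1": ["world:anyone:cdrw"],
    "/app/config": ["world:anyone:r", "ip:192.168.1.0/16:rw"],
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

A digest entry whose id part is a plaintext password instead of the 28-character hash is reported too, since such an entry can never match an authenticated client.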

Reposted from: http://ofwxz.baihongyu.com/
