

ZooKeeper access control

ACL stands for Access Control List and is used to control who may access a resource. A ZooKeeper ACL has three parts: scheme, id and permission. The scheme is the authorization strategy, the id is the user as interpreted by that scheme, and permission is the set of operations allowed.

scheme:id

  • world: it has a single id, anyone; world:anyone means everybody. A znode that everyone may access belongs to world:anyone.
  • auth: it takes no id; every user who has passed authentication gets the permission (ZooKeeper supports Kerberos authentication as well as username:password authentication).
  • digest: its id is username:BASE64(SHA1(password)); the user has to authenticate with username:password first.
  • ip: its id is the client's IP address. A range can be given, for example ip:192.168.1.0/16, which matches the first 16 bits of the client's IP.

permission

  permission   description
  c            create: may create child nodes under this path
  d            delete: may delete child nodes under this path
  r            read: may read this node's data
  w            write: may update this node's data
  a            admin: may manage this node's ACL

The create permission

# Set /wusp's ACL to drwa, i.e. without c
setAcl /wusp world:anyone:drwa
cZxid = 0x4
ctime = Sun May 14 17:33:09 CST 2023
mZxid = 0x5
mtime = Sun May 14 17:52:57 CST 2023
pZxid = 0x4
cversion = 0
dataVersion = 1
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 8
numChildren = 0
# Creating a child node now fails for lack of permission
[zk: localhost:2181(CONNECTED) 21] create /wusp/child data
Authentication is not valid : /wusp/child
# Add the create permission to /wusp
[zk: localhost:2181(CONNECTED) 22] setAcl /wusp world:anyone:cdrwa
cZxid = 0x4
ctime = Sun May 14 17:33:09 CST 2023
mZxid = 0x5
mtime = Sun May 14 17:52:57 CST 2023
pZxid = 0x4
cversion = 0
dataVersion = 1
aclVersion = 2
ephemeralOwner = 0x0
dataLength = 8
numChildren = 0
# The child node is created successfully
[zk: localhost:2181(CONNECTED) 23] create /wusp/child data
Created /wusp/child

The delete permission

# Remove the delete permission
[zk: localhost:2181(CONNECTED) 24] setAcl /wusp world:anyone:crwa
cZxid = 0x4
ctime = Sun May 14 17:33:09 CST 2023
mZxid = 0x5
mtime = Sun May 14 17:52:57 CST 2023
pZxid = 0x35
cversion = 1
dataVersion = 1
aclVersion = 3
ephemeralOwner = 0x0
dataLength = 8
numChildren = 1
# rmr reports insufficient permission
[zk: localhost:2181(CONNECTED) 25] rmr /wusp
Authentication is not valid : /wusp/child
# delete reports insufficient permission
[zk: localhost:2181(CONNECTED) 26] delete /wusp/child
Authentication is not valid : /wusp/child
# Add the delete permission back
[zk: localhost:2181(CONNECTED) 27] setAcl /wusp world:anyone:cdrwa
cZxid = 0x4
ctime = Sun May 14 17:33:09 CST 2023
mZxid = 0x5
mtime = Sun May 14 17:52:57 CST 2023
pZxid = 0x35
cversion = 1
dataVersion = 1
aclVersion = 4
ephemeralOwner = 0x0
dataLength = 8
numChildren = 1
# /wusp/child is deleted successfully
[zk: localhost:2181(CONNECTED) 28] delete /wusp/child
[zk: localhost:2181(CONNECTED) 29]

The read permission

# Create the /wusp/child node again
[zk: localhost:2181(CONNECTED) 29] create /wusp/child data
Created /wusp/child
# Remove the read permission
[zk: localhost:2181(CONNECTED) 32] setAcl /wusp world:anyone:cdwa
cZxid = 0x4
ctime = Sun May 14 17:33:09 CST 2023
mZxid = 0x5
mtime = Sun May 14 17:52:57 CST 2023
pZxid = 0x3b
cversion = 3
dataVersion = 1
aclVersion = 5
ephemeralOwner = 0x0
dataLength = 8
numChildren = 1
# Reading /wusp's data fails for lack of permission
[zk: localhost:2181(CONNECTED) 33] get /wusp
Authentication is not valid : /wusp
# But reading /wusp/child's data succeeds
[zk: localhost:2181(CONNECTED) 35] get /wusp/child
data
cZxid = 0x3b
ctime = Wed May 17 21:13:06 CST 2023
mZxid = 0x3b
mtime = Wed May 17 21:13:06 CST 2023
pZxid = 0x3b
cversion = 0
dataVersion = 0
aclVersion = 0
ephemeralOwner = 0x0
dataLength = 4
numChildren = 0
[zk: localhost:2181(CONNECTED) 36] getAcl /wusp
'world,'anyone
: cdwa
[zk: localhost:2181(CONNECTED) 37] getAcl /wusp/child
'world,'anyone
: cdrwa

The write permission

# Remove the write permission
[zk: localhost:2181(CONNECTED) 38] setAcl /wusp world:anyone:cdra
cZxid = 0x4
ctime = Sun May 14 17:33:09 CST 2023
mZxid = 0x5
mtime = Sun May 14 17:52:57 CST 2023
pZxid = 0x3b
cversion = 3
dataVersion = 1
aclVersion = 6
ephemeralOwner = 0x0
dataLength = 8
numChildren = 1
# Updating /wusp's data fails for lack of permission
[zk: localhost:2181(CONNECTED) 39] set /wusp data1
Authentication is not valid : /wusp
# Updating /wusp/child's data succeeds
[zk: localhost:2181(CONNECTED) 40] set /wusp/child data2
cZxid = 0x3b
ctime = Wed May 17 21:13:06 CST 2023
mZxid = 0x3f
mtime = Wed May 17 21:20:37 CST 2023
pZxid = 0x3b
cversion = 0
dataVersion = 1
aclVersion = 0
ephemeralOwner = 0x0
dataLength = 5
numChildren = 0

The admin permission

# Remove the admin permission
[zk: localhost:2181(CONNECTED) 41] setAcl /wusp world:anyone:cdrw
cZxid = 0x4
ctime = Sun May 14 17:33:09 CST 2023
mZxid = 0x5
mtime = Sun May 14 17:52:57 CST 2023
pZxid = 0x3b
cversion = 3
dataVersion = 1
aclVersion = 7
ephemeralOwner = 0x0
dataLength = 8
numChildren = 1
# Changing the ACL now fails for lack of permission.
# This raises a question: once the admin permission has been removed, how do you add it back?
[zk: localhost:2181(CONNECTED) 42] setAcl /wusp world:anyone:cdrwa
Authentication is not valid : /wusp
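An added model of the checks the sessions above exercise (example code written for this page, not code from the post or from ZooKeeper itself): it parses scheme:id:perms specs, matches the world, ip and digest schemes against a client, and checks the bit each zkCli operation needs on the node ZooKeeper consults for it. The tree, client and ACL strings are constructed to replay the /wusp sessions; the auth scheme is left out because setAcl stores it as a digest entry.

```python
import ipaddress

PERMS = "cdrwa"  # create, delete, read, write, admin

# Which node and which bit each zkCli operation is checked against. create and
# delete are checked on the parent (the sessions show 'create /wusp/child' and
# 'delete /wusp/child' failing while /wusp lacks c or d); get, set and setAcl
# are checked on the node itself.
OP_CHECK = {
    "create": ("parent", "c"), "delete": ("parent", "d"),
    "get": ("node", "r"), "set": ("node", "w"), "setAcl": ("node", "a"),
}

def parse_acl(spec):
    """'scheme:id:perms' -> (scheme, id, set of bits). The id may itself contain ':'
    (digest:user:hash:perms), so take the scheme off the front and perms off the back."""
    scheme, rest = spec.split(":", 1)
    ident, perms = rest.rsplit(":", 1)
    if not perms or any(p not in PERMS for p in perms):
        raise ValueError(f"bad permission string {perms!r}")
    if scheme not in ("world", "ip", "digest"):
        raise ValueError(f"unsupported scheme {scheme!r}")  # 'auth' is resolved at setAcl time
    return scheme, ident, set(perms)

def id_matches(scheme, ident, client):
    """Does this entry apply to the client? client = {'ip': str, 'digests': {'user:hash'}}."""
    if scheme == "world":
        return ident == "anyone"
    if scheme == "ip":  # ip:192.168.1.0/16 matches the first 16 bits of the client address
        return ipaddress.ip_address(client["ip"]) in ipaddress.ip_network(ident, strict=False)
    return ident in client.get("digests", set())  # ids the session added with addauth digest

def allowed(op, path, tree, client):
    """tree maps znode path -> list of ACL specs. An ACL belongs to one node and is not
    inherited, which is why /wusp/child stayed readable after /wusp lost r."""
    where, bit = OP_CHECK[op]
    target = (path.rsplit("/", 1)[0] or "/") if where == "parent" else path
    return any(bit in perms and id_matches(scheme, ident, client)
               for scheme, ident, perms in map(parse_acl, tree[target]))

# Constructed replay of the read-permission session: /wusp is cdwa, its child still cdrwa.
TREE = {"/wusp": ["world:anyone:cdwa"], "/wusp/child": ["world:anyone:cdrwa"]}
ANON = {"ip": "192.168.1.7", "digests": set()}

if __name__ == "__main__":
    for op, path in [("get", "/wusp"), ("get", "/wusp/child"), ("create", "/wusp/child")]:
        print(op, path, "->", "ok" if allowed(op, path, TREE, ANON) else "Authentication is not valid")
```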

ACL commands

  • getAcl: show the ACL of the given node
  • setAcl: set the ACL of the given node
  • addauth: supply authentication credentials; the password is entered in plaintext and stored in digest form

# Create the /acl node
[zk: localhost:2181(CONNECTED) 3] create /acl data
Created /acl
# The default ACL is world:anyone:cdrwa
[zk: localhost:2181(CONNECTED) 4] getAcl /acl
'world,'anyone
: cdrwa

What is the difference between the auth and digest schemes?

Summary (read the session output below first, then come back to this summary):

auth sets the authorization information in plaintext, but the user has to be created first.
digest sets the authorization information as a digest, and the user does not have to be created first.

# Set the ACL of path=/acl. This fails because the user user1 has not been created
[zk: localhost:2181(CONNECTED) 6] setAcl /acl auth:user1:123456:crwa
Acl is not valid : /acl

# addauth digest to create use1. Note: this should have been user1, but it was typed as use1; this does not affect what follows
[zk: localhost:2181(CONNECTED) 7] addauth digest use1 123456
# Set the ACL using scheme=auth
[zk: localhost:2181(CONNECTED) 8] setAcl /acl auth:use1:123456:crwa
cZxid = 0x4c
ctime = Thu May 18 14:58:06 CST 2023
mZxid = 0x4c
mtime = Thu May 18 14:58:06 CST 2023
pZxid = 0x4c
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 4
numChildren = 0
# The ACL was set in plaintext with scheme=auth, but it is displayed in digest form
[zk: localhost:2181(CONNECTED) 9] getAcl /acl
'digest,'use1:Bw00EEOEYvTk9+7ckGoBdAICO4Q=: crwa
# path=/acl/child is created successfully
[zk: localhost:2181(CONNECTED) 10] create /acl/child data
Created /acl/child
# Quit the client
[zk: localhost:2181(CONNECTED) 11] quit
# Log back in to zkCli and run ls /
ls /
[zookeeper, acl, persistent, wusp]
# getAcl /acl
[zk: localhost:2181(CONNECTED) 1] getAcl /acl
'digest,'use1:Bw00EEOEYvTk9+7ckGoBdAICO4Q=: crwa
# set /acl data1 fails for lack of permission
[zk: localhost:2181(CONNECTED) 2] set /acl data1
Authentication is not valid : /acl
# create /acl/child2 fails for lack of permission
[zk: localhost:2181(CONNECTED) 4] create /acl/child2 data
Authentication is not valid : /acl/child2
# Wrong credentials, yet nothing at all is reported, which is rather annoying
[zk: localhost:2181(CONNECTED) 5] addauth use1 12345
# Authenticate with the correct credentials
[zk: localhost:2181(CONNECTED) 10] addauth digest use1 123456
# Child nodes can be created now
[zk: localhost:2181(CONNECTED) 11] create /acl/child2 data
Created /acl/child2
# The node's data can be updated
[zk: localhost:2181(CONNECTED) 12] set /acl data1
cZxid = 0x4c
ctime = Thu May 18 14:58:06 CST 2023
mZxid = 0x59
mtime = Thu May 18 15:15:51 CST 2023
pZxid = 0x58
cversion = 2
dataVersion = 1
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 5
numChildren = 2
# Create path=/aclDigest
[zk: localhost:2181(CONNECTED) 5] create /aclDigest data
Created /aclDigest
# Show the ACL of path=/aclDigest
[zk: localhost:2181(CONNECTED) 6] getAcl /aclDigest
'world,'anyone
: cdrwa
# Set the ACL with scheme=digest. This succeeds without authenticating first, unlike scheme=auth, but the digest has to be generated beforehand; how to generate it is shown below
[zk: localhost:2181(CONNECTED) 7] setAcl /aclDigest digest:user3:SzpfOOuDCdri8p4n7oIaFCZpXeE=:cdrwa
cZxid = 0x71
ctime = Thu May 18 15:45:11 CST 2023
mZxid = 0x71
mtime = Thu May 18 15:45:11 CST 2023
pZxid = 0x71
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 4
numChildren = 0
# Show the ACL of path=/aclDigest: the change took effect
[zk: localhost:2181(CONNECTED) 8] getAcl /aclDigest
'digest,'user3:SzpfOOuDCdri8p4n7oIaFCZpXeE=: cdrwa
# Creating path=/aclDigest/child fails for lack of permission
[zk: localhost:2181(CONNECTED) 9] create /aclDigest/child data
Authentication is not valid : /aclDigest/child
# Authenticate
[zk: localhost:2181(CONNECTED) 4] addauth digest user3:123456
# path=/aclDigest/child is created successfully
[zk: localhost:2181(CONNECTED) 5] create /aclDigest/child data
Created /aclDigest/child

How the digest for the digest scheme is generated (Linux)

java -Djava.ext.dirs=${zkDir}/lib -cp ${zkDir}/zookeeper-3.4.12.jar org.apache.zookeeper.server.auth.DigestAuthenticationProvider ${user}:${passwd}
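An added Python equivalent of the Java command above (example code written for this page, not the post's or ZooKeeper's own): it reproduces the computation of DigestAuthenticationProvider.generateDigest, SHA-1 over the whole user:password string, base64-encoded and prefixed with the user name, so the user3 id used in the /aclDigest session can be checked offline. It assumes the credential is given as one user:password argument, the form `addauth digest user3:123456` uses.

```python
import base64
import hashlib

def generate_digest(user_password):
    """Same computation as DigestAuthenticationProvider.generateDigest: SHA-1 over the
    entire 'user:password' string (not the password alone), base64-encoded, prefixed with
    the user name. This is the id stored for 'addauth digest' and for an auth: ACL."""
    user, sep, _ = user_password.partition(":")
    if not sep:
        raise ValueError("expected a single user:password argument")
    digest = hashlib.sha1(user_password.encode("utf-8")).digest()
    return f"{user}:{base64.b64encode(digest).decode('ascii')}"

def digest_acl(user_password, perms="cdrwa"):
    """The 'digest:user:hash:perms' argument for setAcl, so only the digest lands in the ACL."""
    return f"digest:{generate_digest(user_password)}:{perms}"

def credentials_match(stored_id, user_password):
    """What the server effectively does when a session authenticated with this credential
    touches the node: recompute the digest and compare it with the id held in the ACL.
    The digest is an unsalted SHA-1, so treat getAcl output as password-equivalent."""
    return generate_digest(user_password) == stored_id

if __name__ == "__main__":
    # The id in the page's 'setAcl /aclDigest digest:user3:...' command came from user3:123456.
    print(generate_digest("user3:123456"))  # user3:SzpfOOuDCdri8p4n7oIaFCZpXeE=
    print(digest_acl("user3:123456", "cdrwa"))
```

The same user:hash form is what the server-side zookeeper.DigestAuthenticationProvider.superDigest system property takes, which is the usual way back into a node whose a bit has been removed, the situation the admin section above ran into.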


# The ip scheme is straightforward
setAcl ${path} ip:${ip}:cdrwa

Tags: zookeeper

This article is reposted from: https://blog.csdn.net/Wsp_java/article/details/130672623
Copyright belongs to the original author Wsp_java; if this infringes, please contact us for removal.
