java zookeeper权限控制ACL(auth,digest,ip)
学习前请参考:https://www.cnblogs.com/zwcry/p/10407806.html
zookeeper权限控制常用的就三种
1.auth 用户名:密码
将节点权限改为auth认证,但不加密。每次操作数据需要auth登录认证。
2.digest 用户名:加密(密码)
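将节点权限改为auth认证,密码需先做digest处理:ACL中保存的是 用户名:Base64(SHA-1(用户名:密码))。注意这里的SHA-1是不加盐的哈希而不是加密,口令过弱时哈希值起不到保护作用;登录时 addAuthInfo 提交的仍是明文密码,连接本身未加密时应配合TLS使用。每次操作数据需要auth登录认证。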
3.ip 192.168.x.x
将节点权限改为限定ip访问。服务端按它看到的客户端来源地址做匹配,并不验证用户身份;经过NAT或代理时,多个客户端会共用同一个地址。
代码只写到digest和ip权限控制,至于auth明文,小朋友们可以手动写下测测。
ACL.java
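package com.qy.zk;

import java.io.IOException;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.List;

import org.apache.zookeeper.KeeperException;
import org.apache.zookeeper.ZooDefs.Perms;
import org.apache.zookeeper.ZooKeeper;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Id;
import org.apache.zookeeper.data.Stat;
import org.apache.zookeeper.server.auth.DigestAuthenticationProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/**
 * Demonstrates replacing a znode's ACL with either a {@code digest} (user/password) entry or an
 * {@code ip} (client address) entry.
 *
 * <p>Once the ACL is replaced, every later operation on the node must come from a session that
 * has authenticated with {@code zk.addAuthInfo(...)} or from a client at the permitted address.
 *
 * <p>Author of the original listing: 七脉.
 */
public class MyZkAcl {

    private static final Logger log = LoggerFactory.getLogger(MyZkAcl.class);

    /**
     * Tutorial credential in {@code user:password} form, kept from the original listing.
     * It is hard-coded and trivially guessable; a real deployment should read the credential
     * from configuration or a secret store and use a strong password, because the stored
     * digest is an unsalted SHA-1 hash.
     */
    private static final String DEMO_CREDENTIAL = "lry:123456";

    /**
     * Tutorial client address kept from the original listing. The original note says that
     * when working with a VM this is the virtual adapter's IP.
     */
    private static final String DEMO_CLIENT_IP = "192.168.159.1";

    /**
     * Creates the demo node and then restricts it with one of the two ACL variants.
     *
     * @param args unused
     * @throws IOException if the connection helper fails
     * @throws InterruptedException if a ZooKeeper call is interrupted
     * @throws KeeperException if the server rejects an operation
     * @throws NoSuchAlgorithmException if SHA-1 is unavailable (digest variant only)
     */
    public static void main(String[] args)
            throws IOException, InterruptedException, KeeperException, NoSuchAlgorithmException {
        ZooKeeper zk = MyZkConnect.connect();
        try {
            // Create a node to experiment on. MyZkConnect is defined outside this listing;
            // per the original author's note it creates the node as world:anyone with cdrwa.
            MyZkConnect.create(zk, "/myacl", "myacl");

            // Variant 1: user/password with digest. Swap with the call below to try it.
            // digestAcL(zk, "/myacl");

            // Variant 2: restrict by client IP.
            ipAcL(zk, "/myacl");
        } finally {
            // The original never closed the session, leaving it open until it timed out.
            zk.close();
        }
    }

    /**
     * Replaces the node's ACL with a single {@code digest} entry granting all permissions
     * (cdrwa) to the demo user.
     *
     * @param zk connected ZooKeeper handle
     * @param nodePath path of the node whose ACL is replaced
     * @return the node's {@link Stat} after the ACL change
     * @throws KeeperException if the node does not exist, the ACL version is stale, or the
     *     session lacks ADMIN permission on the node
     * @throws InterruptedException if the call is interrupted
     * @throws NoSuchAlgorithmException if SHA-1 is unavailable
     */
    public static Stat digestAcL(ZooKeeper zk, String nodePath)
            throws KeeperException, InterruptedException, NoSuchAlgorithmException {
        // generateDigest turns "user:password" into the hashed form that is stored in the ACL
        // (SHA-1, as the original note says). The password itself is not kept in the ACL.
        Id id = new Id("digest", DigestAuthenticationProvider.generateDigest(DEMO_CREDENTIAL));
        return replaceAcl(zk, nodePath, id);
    }

    /**
     * Replaces the node's ACL with a single {@code ip} entry granting all permissions (cdrwa)
     * to the demo client address.
     *
     * <p>The {@code ip} scheme matches on the client address; it does not authenticate a user.
     * Because the new ACL contains only this entry, a session from any other address loses
     * access to the node, including the ability to change the ACL back.
     *
     * @param zk connected ZooKeeper handle
     * @param nodePath path of the node whose ACL is replaced
     * @return the node's {@link Stat} after the ACL change
     * @throws KeeperException if the node does not exist, the ACL version is stale, or the
     *     session lacks ADMIN permission on the node
     * @throws InterruptedException if the call is interrupted
     * @throws NoSuchAlgorithmException never thrown here; kept in the signature so existing
     *     callers that catch it still compile
     */
    public static Stat ipAcL(ZooKeeper zk, String nodePath)
            throws KeeperException, InterruptedException, NoSuchAlgorithmException {
        Id id = new Id("ip", DEMO_CLIENT_IP);
        return replaceAcl(zk, nodePath, id);
    }

    /**
     * Replaces the ACL of {@code nodePath} with one entry granting {@link Perms#ALL} to
     * {@code id}, using the node's current ACL version as an optimistic-concurrency check.
     */
    private static Stat replaceAcl(ZooKeeper zk, String nodePath, Id id)
            throws KeeperException, InterruptedException {
        log.info("准备权限修改节点 {} ACL", nodePath);

        // queryStat is defined outside this listing; presumably it returns null when the node
        // is missing (TODO confirm). Fail with a ZooKeeper error instead of a bare NPE.
        Stat stat = MyZkConnect.queryStat(zk, nodePath);
        if (stat == null) {
            throw new KeeperException.NoNodeException(nodePath);
        }

        List<ACL> acls = new ArrayList<>();
        acls.add(new ACL(Perms.ALL, id));

        // If the node is already protected by a digest ACL, the session must authenticate with
        // the existing credential before this call, e.g.
        //   zk.addAuthInfo("digest", "user:password".getBytes(StandardCharsets.UTF_8));
        // Passing the current aversion makes setACL fail if someone else changed the ACL
        // between the stat query and this call.
        Stat newStat = zk.setACL(nodePath, acls, stat.getAversion());

        log.info("完成权限修改节点 {} ACL", nodePath);
        return newStat;
    }
}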
不明白的地方,代码里都有注释。相关的类可以在https://www.cnblogs.com/zwcry/p/10407806.html复制,也可以下载源码