ZooKeeper ACL permission control
Overview
ZooKeeper is similar to a file system: a client can create, update and delete nodes. How, then, is access to a node controlled? ZooKeeper's access control list (ACL) does exactly that. An ACL entry is written as scheme:id:permission and covers three aspects:
- permission scheme (scheme): the authorization policy
- authorized object (id): the entity being granted access
- permission (permission): the rights granted
Its characteristics are as follows:
- ZooKeeper's access control is per znode; permissions have to be set on each node.
- Each znode can carry several permission schemes and several permissions at once.
- Child nodes do not inherit their parent's permissions: a client that has no access to a node may still be able to access its children.
setAcl /test2 ip:192.168.60.130:crwda // restrict the node to the IP address 192.168.60.130
Permission schemes
Which way authorization is granted
Scheme | Description |
--- | --- |
world | has a single user, anyone, meaning everyone who logs in to ZooKeeper (the default) |
ip | authenticates the client by IP address |
auth | authenticates as a user that has already been added with addauth |
digest | authenticates with "username:password" |
Authorized object
The authorized object (id) is the entity the permission is granted to, for example an IP address or a user.
Granted permissions
world: has only one id, anyone; world:anyone means everybody, and a node that everyone in ZooKeeper may access belongs to world:anyone
auth: needs no id; every user that has passed authentication is granted access (ZooKeeper supports authentication via Kerberos as well as username/password)
digest: its id is username:BASE64(SHA1(password)); the client must first authenticate in username:password form
ip: its id is the client's IP address; a range can be given, e.g. ip:192.168.1.0/16, which matches the first 16 bits of the address
super: under this scheme the id has superuser rights and can do anything (cdrwa)
CREATE(c): create permission, allows creating child nodes under the current node
DELETE(d): delete permission, allows deleting the current node
READ(r): read permission, allows reading the current node's data and listing all of its child nodes
WRITE(w): write permission, allows writing data to the current node
ADMIN(a): admin permission, allows setting the current node's permissions
These five permissions are abbreviated cdrwa. Note: of the five, delete means permission to delete child nodes; the other four refer to operations on the node itself.
Permission | ACL abbreviation | Description |
--- | --- | --- |
create | c | may create child nodes |
delete | d | may delete child nodes (only the immediate children) |
read | r | may read the node's data and list its children |
write | w | may set the node's data |
admin | a | may set the node's access control list |
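To make the scheme:id:permission model concrete, here is an added example in plain Python (it is not code from this article or from the ZooKeeper project). It parses setAcl entries, computes digest ids with the same formula as the openssl pipeline used further down (BASE64 of the SHA1 of "user:password"), rewrites auth entries into digest entries the way the getAcl output on this page shows, and answers "may this client do X on this node?" using the rules stated above: any matching entry grants, ip ids may carry a /prefix, the super digest bypasses the check, and the parent node is never consulted because ACLs are not inherited. Names such as Client, check and super_digest_property are this example's own, not ZooKeeper API names.

```python
"""Added example, not code from the article or the ZooKeeper project: the
scheme:id:permission model in plain Python.  It parses setAcl entries, derives
digest ids with the page's formula (BASE64(SHA1("user:password"))), rewrites
auth entries the way the page's getAcl output shows, and evaluates access with
the rules the article states.  Client, check and super_digest_property are this
example's own names, not ZooKeeper API names."""
import base64
import hashlib
import ipaddress
from dataclasses import dataclass

PERM_LETTERS = "cdrwa"  # CREATE, DELETE, READ, WRITE, ADMIN


@dataclass(frozen=True)
class Acl:
    scheme: str    # world | ip | auth | digest
    id: str        # anyone | address[/prefix] | user | user:BASE64(SHA1)
    perms: frozenset


@dataclass(frozen=True)
class Client:
    """Server-side view of a session: peer address plus the digest ids it has
    proven with `addauth digest user:password`."""
    ip: str
    auth_ids: frozenset = frozenset()


def digest_id(user, password):
    """Id stored for the digest scheme: user:BASE64(SHA1("user:password"))."""
    raw = hashlib.sha1(f"{user}:{password}".encode()).digest()
    return f"{user}:{base64.b64encode(raw).decode()}"


def super_digest_property(user, password):
    """JVM property from the page's zkServer.sh step, with the digest computed."""
    return "-Dzookeeper.DigestAuthenticationProvider.superDigest=" + digest_id(user, password)


def parse_acl(entry):
    """Parse 'scheme:id:perms'.  Perms are the last ':'-field; the id is what
    lies between and may itself contain ':' (digest ids do)."""
    scheme, _, rest = entry.partition(":")
    ident, _, letters = rest.rpartition(":")
    if scheme not in ("world", "ip", "auth", "digest") or not ident:
        raise ValueError(f"bad ACL entry: {entry!r}")
    if not letters or set(letters) - set(PERM_LETTERS):
        raise ValueError(f"unknown permission letters in {entry!r}")
    return Acl(scheme, ident, frozenset(letters))


def parse_acl_list(text):
    """Comma-separated entries, as setAcl accepts in the multi-scheme case."""
    return [parse_acl(e) for e in text.split(",")]


def resolve_auth(acls, setter):
    """'auth' entries become one digest entry per id the setting session has
    authenticated; this is why getAcl /node3 shows 'digest,'dalianpai:...
    after setAcl /node3 auth:dalianpai:cdrwa."""
    if any(a.scheme == "auth" for a in acls) and not setter.auth_ids:
        raise PermissionError("auth scheme requires an addauth'd session")
    out = []
    for a in acls:
        if a.scheme == "auth":
            out.extend(Acl("digest", i, a.perms) for i in sorted(setter.auth_ids))
        else:
            out.append(a)
    return out


def ip_matches(acl_id, client_ip):
    """Exact address, or address/prefix matching the first <prefix> bits."""
    addr, _, bits = acl_id.partition("/")
    if not bits:
        return ipaddress.ip_address(client_ip) == ipaddress.ip_address(addr)
    net = ipaddress.ip_network(f"{addr}/{bits}", strict=False)
    return ipaddress.ip_address(client_ip) in net


def check(acls, client, perm, super_ids=frozenset()):
    """One entry granting `perm` to this client is enough; the configured super
    digest bypasses the ACL.  The parent node is never consulted: ACLs are per
    znode and are not inherited."""
    if client.auth_ids & super_ids:
        return True
    for a in acls:
        if perm not in a.perms:
            continue
        if a.scheme == "world" and a.id == "anyone":
            return True
        if a.scheme == "ip" and ip_matches(a.id, client.ip):
            return True
        if a.scheme == "digest" and a.id in client.auth_ids:
            return True
    return False


if __name__ == "__main__":
    # Replays the page's /node5 session: denied before addauth, allowed after.
    wgr = digest_id("wgr", "12345")
    node5 = parse_acl_list(f"digest:{wgr}:cdrwa")
    print("anonymous read:", check(node5, Client("192.168.60.130"), "r"))
    print("after addauth:", check(node5, Client("192.168.60.130", frozenset({wgr})), "r"))
```

The evaluator deliberately models only what the server sees: a peer address and the ids a session has proven. That is why an ip entry is useless against a client that arrives through a proxy or a NAT with a different source address, and why a digest entry only ever matches the exact user:BASE64 string, so a mistyped digest locks everyone out rather than letting the wrong person in.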
Authorization commands
Command | Usage | Description |
--- | --- | --- |
getAcl | getAcl | read the ACL |
setAcl | setAcl | set the ACL |
addauth | addauth | add an authenticated user |
Examples
world scheme:
Command
[zk: localhost:2181(CONNECTED) 3] create /node1 "node1"
Created /node1
[zk: localhost:2181(CONNECTED) 5] getAcl /node1
'world,'anyone
: cdrwa
[zk: localhost:2181(CONNECTED) 6] setAcl /node1 world:anyone:cdraw
cZxid = 0x37
ctime = Tue Apr 21 20:34:49 CST 2020
mZxid = 0x37
mtime = Tue Apr 21 20:34:49 CST 2020
pZxid = 0x37
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 5
numChildren = 0
[zk: localhost:2181(CONNECTED) 7]
ip scheme:
Command
setAcl <path> ip:<ip>:<acl>
Example
Note: to connect to a remote ZooKeeper, use ./zkCli.sh -server ip
[zk: 47.231.431.657(CONNECTED) 0] create /node2 "node2"
Created /node2
[zk: 47.231.431.657(CONNECTED) 3] getAcl /node2
'world,'anyone
: cdrwa
[zk: 47.231.431.657(CONNECTED) 4] setAcl /node2 ip:192.168.60.129:cdrwa
cZxid = 0x3a
ctime = Tue Apr 21 20:39:09 CST 2020
mZxid = 0x3a
mtime = Tue Apr 21 20:39:09 CST 2020
pZxid = 0x3a
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 5
numChildren = 0
[zk: 47.231.431.657(CONNECTED) 5] getAcl /node2
'ip,'192.168.60.129
: cdrwa
[zk: 47.231.431.657(CONNECTED) 6] get /node2
Authentication is not valid : /node2
[zk: 47.231.431.657(CONNECTED) 7]
auth scheme:
Command
addauth digest <user>:<password> # add an authenticated user
setAcl <path> auth:<user>:<acl>
Example
[zk: localhost:2181(CONNECTED) 7] create /node3 "node3"
Created /node3
[zk: localhost:2181(CONNECTED) 8] addauth digest dalianpai:123456
[zk: localhost:2181(CONNECTED) 9] setAcl /node3 auth:dalianpai:cdrwa
cZxid = 0x3d
ctime = Tue Apr 21 20:45:20 CST 2020
mZxid = 0x3d
mtime = Tue Apr 21 20:45:20 CST 2020
pZxid = 0x3d
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 5
numChildren = 0
[zk: localhost:2181(CONNECTED) 10] getAcl /node3
'digest,'dalianpai:A7v7a7NwQ63ZrUvGjVLuE0PHZmQ=
: cdrwa
[zk: localhost:2181(CONNECTED) 11] get /node3
node3
cZxid = 0x3d
ctime = Tue Apr 21 20:45:20 CST 2020
mZxid = 0x3d
mtime = Tue Apr 21 20:45:20 CST 2020
pZxid = 0x3d
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 5
numChildren = 0
[zk: localhost:2181(CONNECTED) 12]
digest scheme:
Command
setAcl <path> digest:<user>:<password>:<acl>
The password here is not the clear text but its SHA1 digest encoded in BASE64; in a shell it can be computed with:
echo -n <user>:<password> | openssl dgst -binary -sha1 | openssl base64
First compute a digest:
[root@iZ1la3d1xbmukrZ bin]# echo -n wgr:12345 | openssl dgst -binary -sha1 | openssl base64
sfWvAOV+8UWBCBQJ3dDPaHw2f+Q=
[root@iZ1la3d1xbmukrZ bin]#
[zk: localhost:2181(CONNECTED) 16] create /node5 "node5"
Created /node5
[zk: localhost:2181(CONNECTED) 17] setAcl /node node4 node5 node2 node3 node1
[zk: localhost:2181(CONNECTED) 17] setAcl /node5 digest:wgr:sfWvAOV+8UWBCBQJ3dDPaHw2f+Q=:cdrwa
cZxid = 0x43
ctime = Tue Apr 21 20:57:34 CST 2020
mZxid = 0x43
mtime = Tue Apr 21 20:57:34 CST 2020
pZxid = 0x43
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 5
numChildren = 0
[zk: localhost:2181(CONNECTED) 18] getAcl /node5
'digest,'wgr:sfWvAOV+8UWBCBQJ3dDPaHw2f+Q=
: cdrwa
[zk: localhost:2181(CONNECTED) 19] get /node5
Authentication is not valid : /node5
[zk: localhost:2181(CONNECTED) 20] addauth digest wgr:12345
[zk: localhost:2181(CONNECTED) 21] get /node5
node5
cZxid = 0x43
ctime = Tue Apr 21 20:57:34 CST 2020
mZxid = 0x43
mtime = Tue Apr 21 20:57:34 CST 2020
pZxid = 0x43
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 5
numChildren = 0
[zk: localhost:2181(CONNECTED) 22]
Multiple schemes at once:
The same node can be authorized under several schemes at the same time
[zk: localhost:2181(CONNECTED) 0] create /node5 "node5"
Created /node5
[zk: localhost:2181(CONNECTED) 1] addauth digest itcast:123456 # add an authenticated user
[zk: localhost:2181(CONNECTED) 2] setAcl /node5 ip:192.168.60.129:cdra,auth:wgr:cdrwa,digest:wgr:sfWvAOV+8UWBCBQJ3dDPaHw2f+Q=:cdrwa
ACL super administrator
ZooKeeper's permission schemes include one called super; it provides a super administrator who can access any node regardless of its permissions
Suppose the super administrator is super:admin; its password digest must be generated first
[root@iZ1la3d1xbmukrZ bin]# echo -n super:super | openssl dgst -binary -sha1 | openssl base64
gG7s8t3oDEtIqF6DM9LlI/R+9Ss=
[root@iZ1la3d1xbmukrZ bin]#
Then open the server script /bin/zkServer.sh in the ZooKeeper directory and find the following line:
This is the command in the script that starts ZooKeeper; by default it carries only the two configuration items above, and a configuration item for the super administrator has to be added:
"-Dzookeeper.DigestAuthenticationProvider.superDigest=super:xQJmxLMiHGwaqBvst5y6rkB6HQs="
[zk: localhost:2181(CONNECTED) 22] addauth digest super:super
[zk: localhost:2181(CONNECTED) 23] get /node3
node3
cZxid = 0x3d
ctime = Tue Apr 21 20:45:20 CST 2020
mZxid = 0x3d
mtime = Tue Apr 21 20:45:20 CST 2020
pZxid = 0x3d
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 5
numChildren = 0
[zk: localhost:2181(CONNECTED) 24] get /node4
node4
cZxid = 0x40
ctime = Tue Apr 21 20:50:14 CST 2020
mZxid = 0x40
mtime = Tue Apr 21 20:50:14 CST 2020
pZxid = 0x40
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 5
numChildren = 0
[zk: localhost:2181(CONNECTED) 25] get /node5
node5
cZxid = 0x43
ctime = Tue Apr 21 20:57:34 CST 2020
mZxid = 0x43
mtime = Tue Apr 21 20:57:34 CST 2020
pZxid = 0x43
cversion = 0
dataVersion = 1
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 5
numChildren = 0
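Because ACLs are per znode and not inherited, and because every node starts life as world:anyone:cdrwa, the practical risk is not the scheme you chose for one node but the nodes you forgot. The following added example (not code from this article or from ZooKeeper) is an offline audit over a znode tree, shaped like what a scripted getAcl walk would collect, that flags nodes still open to world, world entries carrying the admin bit (anyone may then rewrite the ACL), children that are more open than their locked-down parent, and digest entries whose id is not in user:BASE64(SHA1) form (for instance a clear-text password pasted in, which can never match). SAMPLE_TREE is constructed sample data and the finding codes are this example's own.

```python
"""Added example, not from the article or the ZooKeeper project: an offline
audit of znode ACLs for the mistakes the article's model makes possible.
SAMPLE_TREE is constructed data in the shape of getAcl output; the finding
codes (OPEN_ACL, WORLD_ADMIN, NOT_INHERITED, MALFORMED_DIGEST) are ours."""
import re

# Constructed sample: path -> list of (scheme, id, perms) as getAcl would report.
SAMPLE_TREE = {
    "/": [("world", "anyone", "cdrwa")],                                  # untouched default
    "/config": [("digest", "wgr:sfWvAOV+8UWBCBQJ3dDPaHw2f+Q=", "cdrwa")],  # locked to one user
    "/config/db": [("world", "anyone", "cdrwa")],                          # child left open
    "/app": [("ip", "192.168.60.129", "cdra"), ("world", "anyone", "r")],  # read-only to world
    "/bad": [("digest", "alice:123456", "cdrwa")],                         # password instead of digest
}

# user:BASE64(SHA1(...)): a 20-byte SHA1 is always 27 base64 characters plus one '='.
DIGEST_ID = re.compile(r"[^:]+:[A-Za-z0-9+/]{27}=")


def world_perms(acls):
    """Permission letters any unauthenticated client gets on this node."""
    perms = set()
    for scheme, ident, letters in acls:
        if scheme == "world" and ident == "anyone":
            perms |= set(letters)
    return perms


def parent_of(path):
    """'/config/db' -> '/config', '/config' -> '/', '/' -> None."""
    if path == "/":
        return None
    return path.rsplit("/", 1)[0] or "/"


def audit(tree):
    """Return sorted (path, code) findings:
    OPEN_ACL          world:anyone may create, delete, write or admin
    WORLD_ADMIN       world:anyone holds 'a' and can replace the ACL itself
    NOT_INHERITED     child grants world something its parent does not
    MALFORMED_DIGEST  digest id is not user:BASE64(SHA1); the entry never matches
    """
    findings = []
    for path, acls in tree.items():
        w = world_perms(acls)
        if w & set("cdwa"):
            findings.append((path, "OPEN_ACL"))
        if "a" in w:
            findings.append((path, "WORLD_ADMIN"))
        parent = parent_of(path)
        # ACLs are not inherited, so compare each child with its parent explicitly.
        if parent in tree and not w <= world_perms(tree[parent]):
            findings.append((path, "NOT_INHERITED"))
        for scheme, ident, _ in acls:
            if scheme == "digest" and not DIGEST_ID.fullmatch(ident):
                findings.append((path, "MALFORMED_DIGEST"))
    return sorted(findings)


if __name__ == "__main__":
    for path, code in audit(SAMPLE_TREE):
        print(f"{code:17} {path}")
```

Run against the constructed tree it reports the root and /config/db as open and world-administrable, /config/db as more permissive than its locked parent, and /bad as carrying a digest that cannot match anything. Feeding it the real tree only needs a walk that calls getAcl on every path and fills the same dictionary.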