• zookeeper(五):Zookeeper中的Access Control(ACL)


    概述 

    传统的文件系统中,ACL分为两个维度,一个是属组,一个是权限,子目录/文件默认继承父目录的ACL。而在Zookeeper中,node的ACL是没有继承关系的,是独立控制的

    Zookeeper的ACL,可以从三个维度来理解:一是scheme; 二是user; 三是permission,通常表示为scheme:id:permissions,

    下面从这三个方面分别来介绍:

    1.scheme: scheme

    对应于采用哪种方案来进行权限管理,zookeeper实现了一个pluggable的ACL方案,可以通过扩展scheme,来扩展ACL的机制。zookeeper-3.4.4缺省支持下面几种scheme:

    world: 它下面只有一个id, 叫anyone, world:anyone代表任何人,zookeeper中对所有人有权限的结点就是属于world:anyone的

    auth: 它不需要id, 只要是通过authentication的user都有权限(zookeeper支持通过kerberos来进行authencation, 也支持username/password形式的authentication)

    digest: 它对应的id为username:BASE64(SHA1(password)),它需要先通过username:password形式的authentication

    ip: 它对应的id为客户机的IP地址,设置的时候可以设置一个ip段,比如ip:192.168.1.0/16, 表示匹配前16个bit的IP段

    super: 在这种scheme情况下,对应的id拥有超级权限,可以做任何事情(cdrwa)

    sasl: sasl的对应的id,是一个通过sasl authentication用户的id,zookeeper-3.4.4中的sasl authentication是通过kerberos来实现的,也就是说用户只有通过了kerberos认证,才能访问它有权限的node.

    2 . id

    id与scheme是紧密相关的,具体的情况在上面介绍scheme的过程都已介绍,这里不再赘述。

    3. permission

    zookeeper目前支持下面一些权限:

    CREATE(c): 创建权限,可以在在当前node下创建child node

    DELETE(d): 删除权限,可以删除当前的node

    READ(r): 读权限,可以获取当前node的数据,可以list当前node所有的child nodes

    WRITE(w): 写权限,可以向当前node写数据

    ADMIN(a): 管理权限,可以设置当前node的permission

    digest模式下的示例

    public class ZookeeperAuth implements Watcher {
    
        /** 连接地址 */
        final static String CONNECT_ADDR = "192.168.252.132:2181";
        /** 测试路径 */
        final static String PATH = "/testAuth";
        final static String PATH_DEL = "/testAuth/delNode";
        /** 认证类型 */
        final static String authentication_type = "digest";
        /** 认证正确方法 */
        final static String correctAuthentication = "123456";
        /** 认证错误方法 */
        final static String badAuthentication = "654321";
    
        static ZooKeeper zk = null;
        /** 计时器 */
        AtomicInteger seq = new AtomicInteger();
        /** 标识 */
        private static final String LOG_PREFIX_OF_MAIN = "【Main】";
    
        private CountDownLatch connectedSemaphore = new CountDownLatch(1);
    
        @Override
        public void process(WatchedEvent event) {
            try {
                Thread.sleep(200);
            } catch (InterruptedException e) {
                e.printStackTrace();
            }
            if (event==null) {
                return;
            }
            // 连接状态
            KeeperState keeperState = event.getState();
            // 事件类型
            EventType eventType = event.getType();
            // 受影响的path
            String path = event.getPath();
    
            String logPrefix = "【Watcher-" + this.seq.incrementAndGet() + "】";
    
            System.out.println(logPrefix + "收到Watcher通知");
            System.out.println(logPrefix + "连接状态:	" + keeperState.toString());
            System.out.println(logPrefix + "事件类型:	" + eventType.toString());
            if (KeeperState.SyncConnected == keeperState) {
                // 成功连接上ZK服务器
                if (EventType.None == eventType) {
                    System.out.println(logPrefix + "成功连接上ZK服务器");
                    connectedSemaphore.countDown();
                } 
            } else if (KeeperState.Disconnected == keeperState) {
                System.out.println(logPrefix + "与ZK服务器断开连接");
            } else if (KeeperState.AuthFailed == keeperState) {
                System.out.println(logPrefix + "权限检查失败");
            } else if (KeeperState.Expired == keeperState) {
                System.out.println(logPrefix + "会话失效");
            }
            System.out.println("--------------------------------------------");
        }
        /**
         * 创建ZK连接
         * 
         * @param connectString
         *            ZK服务器地址列表
         * @param sessionTimeout
         *            Session超时时间
         */
        public void createConnection(String connectString, int sessionTimeout) {
            this.releaseConnection();
            try {
                zk = new ZooKeeper(connectString, sessionTimeout, this);
                //添加节点授权
                zk.addAuthInfo(authentication_type,correctAuthentication.getBytes());
                System.out.println(LOG_PREFIX_OF_MAIN + "开始连接ZK服务器");
                //倒数等待
                connectedSemaphore.await();
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    
        /**
         * 关闭ZK连接
         */
        public void releaseConnection() {
            if (this.zk!=null) {
                try {
                    this.zk.close();
                } catch (InterruptedException e) {
                }
            }
        }
    
        /**
         * 
         * <B>方法名称:</B>测试函数<BR>
         * <B>概要说明:</B>测试认证<BR>
         * @param args
         * @throws Exception
         */
        public static void main(String[] args) throws Exception {
    
            ZookeeperAuth testAuth = new ZookeeperAuth();
            testAuth.createConnection(CONNECT_ADDR,2000);
            List<ACL> acls = new ArrayList<ACL>(1);
            for (ACL ids_acl : Ids.CREATOR_ALL_ACL) {
                acls.add(ids_acl);
            }
    
            try {
                zk.create(PATH, "init content".getBytes(), acls, CreateMode.PERSISTENT);
                System.out.println("使用授权key:" + correctAuthentication + "创建节点:"+ PATH + ", 初始内容是: init content");
            } catch (Exception e) {
                e.printStackTrace();
            }
            try {
                zk.create(PATH_DEL, "will be deleted! ".getBytes(), acls, CreateMode.PERSISTENT);
                System.out.println("使用授权key:" + correctAuthentication + "创建节点:"+ PATH_DEL + ", 初始内容是: init content");
            } catch (Exception e) {
                e.printStackTrace();
            }
    
            // 获取数据
            getDataByNoAuthentication();
            getDataByBadAuthentication();
            getDataByCorrectAuthentication();
    
            // 更新数据
            updateDataByNoAuthentication();
            updateDataByBadAuthentication();
            updateDataByCorrectAuthentication();
    
            // 删除数据
            deleteNodeByBadAuthentication();
            deleteNodeByNoAuthentication();
            deleteNodeByCorrectAuthentication();
            //
            Thread.sleep(1000);
    
            deleteParent();
            //释放连接
            testAuth.releaseConnection();
        }
        /** 获取数据:采用错误的密码 */
        static void getDataByBadAuthentication() {
            String prefix = "[使用错误的授权信息]";
            try {
                ZooKeeper badzk = new ZooKeeper(CONNECT_ADDR, 2000, null);
                //授权
                badzk.addAuthInfo(authentication_type,badAuthentication.getBytes());
                Thread.sleep(2000);
                System.out.println(prefix + "获取数据:" + PATH);
                System.out.println(prefix + "成功获取数据:" + badzk.getData(PATH, false, null));
            } catch (Exception e) {
                System.err.println(prefix + "获取数据失败,原因:" + e.getMessage());
            }
        }
    
        /** 获取数据:不采用密码 */
        static void getDataByNoAuthentication() {
            String prefix = "[不使用任何授权信息]";
            try {
                System.out.println(prefix + "获取数据:" + PATH);
                ZooKeeper nozk = new ZooKeeper(CONNECT_ADDR, 2000, null);
                Thread.sleep(2000);
                System.out.println(prefix + "成功获取数据:" + nozk.getData(PATH, false, null));
            } catch (Exception e) {
                System.err.println(prefix + "获取数据失败,原因:" + e.getMessage());
            }
        }
    
        /** 采用正确的密码 */
        static void getDataByCorrectAuthentication() {
            String prefix = "[使用正确的授权信息]";
            try {
                System.out.println(prefix + "获取数据:" + PATH);
    
                System.out.println(prefix + "成功获取数据:" + zk.getData(PATH, false, null));
            } catch (Exception e) {
                System.out.println(prefix + "获取数据失败,原因:" + e.getMessage());
            }
        }
    
        /**
         * 更新数据:不采用密码
         */
        static void updateDataByNoAuthentication() {
    
            String prefix = "[不使用任何授权信息]";
    
            System.out.println(prefix + "更新数据: " + PATH);
            try {
                ZooKeeper nozk = new ZooKeeper(CONNECT_ADDR, 2000, null);
                Thread.sleep(2000);
                Stat stat = nozk.exists(PATH, false);
                if (stat!=null) {
                    nozk.setData(PATH, prefix.getBytes(), -1);
                    System.out.println(prefix + "更新成功");
                }
            } catch (Exception e) {
                System.err.println(prefix + "更新失败,原因是:" + e.getMessage());
            }
        }
    
        /**
         * 更新数据:采用错误的密码
         */
        static void updateDataByBadAuthentication() {
    
            String prefix = "[使用错误的授权信息]";
    
            System.out.println(prefix + "更新数据:" + PATH);
            try {
                ZooKeeper badzk = new ZooKeeper(CONNECT_ADDR, 2000, null);
                //授权
                badzk.addAuthInfo(authentication_type,badAuthentication.getBytes());
                Thread.sleep(2000);
                Stat stat = badzk.exists(PATH, false);
                if (stat!=null) {
                    badzk.setData(PATH, prefix.getBytes(), -1);
                    System.out.println(prefix + "更新成功");
                }
            } catch (Exception e) {
                System.err.println(prefix + "更新失败,原因是:" + e.getMessage());
            }
        }
    
        /**
         * 更新数据:采用正确的密码
         */
        static void updateDataByCorrectAuthentication() {
    
            String prefix = "[使用正确的授权信息]";
    
            System.out.println(prefix + "更新数据:" + PATH);
            try {
                Stat stat = zk.exists(PATH, false);
                if (stat!=null) {
                    zk.setData(PATH, prefix.getBytes(), -1);
                    System.out.println(prefix + "更新成功");
                }
            } catch (Exception e) {
                System.err.println(prefix + "更新失败,原因是:" + e.getMessage());
            }
        }
    
        /**
         * 不使用密码 删除节点
         */
        static void deleteNodeByNoAuthentication() throws Exception {
    
            String prefix = "[不使用任何授权信息]";
    
            try {
                System.out.println(prefix + "删除节点:" + PATH_DEL);
                ZooKeeper nozk = new ZooKeeper(CONNECT_ADDR, 2000, null);
                Thread.sleep(2000);
                Stat stat = nozk.exists(PATH_DEL, false);
                if (stat!=null) {
                    nozk.delete(PATH_DEL,-1);
                    System.out.println(prefix + "删除成功");
                }
            } catch (Exception e) {
                System.err.println(prefix + "删除失败,原因是:" + e.getMessage());
            }
        }
    
        /**
         * 采用错误的密码删除节点
         */
        static void deleteNodeByBadAuthentication() throws Exception {
    
            String prefix = "[使用错误的授权信息]";
    
            try {
                System.out.println(prefix + "删除节点:" + PATH_DEL);
                ZooKeeper badzk = new ZooKeeper(CONNECT_ADDR, 2000, null);
                //授权  使用错误的授权码badAuthentication
                badzk.addAuthInfo(authentication_type,badAuthentication.getBytes());
                Thread.sleep(2000);
                Stat stat = badzk.exists(PATH_DEL, false);
                if (stat!=null) {
                    badzk.delete(PATH_DEL, -1);
                    System.out.println(prefix + "删除成功");
                }
            } catch (Exception e) {
                System.err.println(prefix + "删除失败,原因是:" + e.getMessage());
            }
        }
    
        /**
         * 使用正确的密码删除节点
         */
        static void deleteNodeByCorrectAuthentication() throws Exception {
    
            String prefix = "[使用正确的授权信息]";
    
            try {
                System.out.println(prefix + "删除节点:" + PATH_DEL);
                Stat stat = zk.exists(PATH_DEL, false);
                if (stat!=null) {
                    zk.delete(PATH_DEL, -1);
                    System.out.println(prefix + "删除成功");
                }
            } catch (Exception e) {
                System.out.println(prefix + "删除失败,原因是:" + e.getMessage());
            }
        }
    
        /**
         * 使用正确的密码删除节点
         */
        static void deleteParent() throws Exception {
            try {
                Stat stat = zk.exists(PATH_DEL, false);
                if (stat == null) {
                    zk.delete(PATH, -1);
                }
            } catch (Exception e) {
                e.printStackTrace();
            }
        }
    
    }
  • 相关阅读:
    centos7 hadoop 2.8安装
    centos7安装jdk1.8
    kafka安装测试报错 could not be established. Broker may not be available.
    中文乱码总结之JSP乱码
    分布式作业笔记
    <c:forEach var="role" items="[entity.Role@d54d4d, entity.Role@1c61868, entity.Role@6c58db, entity.Role@13da8a5]"> list 集合数据转换异常
    Servlet.service() for servlet [jsp] in context with path [/Healthy_manager] threw exception [Unable to compile class for JSP] with root cause java.lang.IllegalArgumentException: Page directive: inval
    [ERROR] Failed to execute goal org.apache.maven.plugins:maven-compiler-plugin:3.1:compile (default-compile) on project triage: Compilation failure [ERROR] No compiler is provided in this environment.
    Invalid bound statement (not found): com.xsw.dao.CategoryDao.getCategoryById] with root cause
    org.apache.ibatis.binding.BindingException: Parameter 'start' not found. Available parameters are [1, 0, param1, param2]
  • 原文地址:https://www.cnblogs.com/shamo89/p/9798227.html
Copyright © 2020-2023  润新知