Setting access permissions (ACLs) in ZooKeeper

ZooKeeper ACL entries are built from the following schemes (the first four are the ones a client can name in an ACL; super is a server-side identity):

(1) world: has exactly one id, anyone. world:anyone stands for every client; a node that everybody may access carries a world:anyone entry (the default OPEN_ACL_UNSAFE ACL is world:anyone:cdrwa).
(2) auth: takes no id. When a node is created or setAcl'd with an auth: entry, the server replaces it with the identity the current session has already authenticated with (for example the digest id of the user given to addauth). ZooKeeper supports Kerberos (SASL) as well as username/password authentication.
(3) digest: the id is username:BASE64(SHA1("username:password")). Note that the SHA-1 is taken over the whole "username:password" string, not over the password alone. A client only matches such an entry after authenticating with the plaintext username:password (addauth digest ...).
(4) ip: the id is the client's IP address; a prefix length may be given, e.g. ip:192.168.1.0/16 matches every address whose first 16 bits equal those of 192.168.1.0.
super: the id configured as super user (a digest identity set on the server through the zookeeper.DigestAuthenticationProvider.superDigest property) bypasses every ACL and can do anything (cdrwa: create, delete, read, write, admin).

Setting, viewing and authenticating against permissions with zkCli

Setting permissions

->./zkCli.sh -server ip:port
(1) Create the node and set its ACL in one step
->create path data digest:username:BASE64(SHA1(username:password)):rwdca
(2) Create the node first, then set the ACL
->create path data
->setAcl path digest:username:BASE64(SHA1(username:password)):rwdca
The hash in a digest: entry has to be computed beforehand. Putting the plaintext password in that position locks the node, because no addauth will ever produce an id equal to it; only the super user can still reach such a node. The permission letters are any subset of c (create children), d (delete children), r (read), w (write) and a (admin, i.e. change the ACL); setAcl itself needs a (admin) on the node, which the default world:anyone:cdrwa grants.

Viewing permissions

-> getAcl path

Authenticating

->addauth scheme auth
demo: ->addauth digest admin:admin   (the plaintext username:password, not the hash)
Authentication is per client connection: a freshly started zkCli (or any new client) must run addauth again before it can pass a digest ACL.
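Generating the digest id that setAcl and create expect, as an added example that is not part of the original post: a small POSIX shell helper (the function names zk_digest_id, zk_digest_acl and zk_super_digest_opt are my own; it requires the openssl command) that does what DigestAuthenticationProvider.generateDigest does, hashing the whole "user:password" string with SHA-1 and base64-encoding the raw digest. It goes one step beyond the section above in also producing the value for the server's superDigest property, which uses the same format.

```sh
#!/bin/sh
# Added example, not from the original post. Requires the openssl CLI.
# ZooKeeper's DigestAuthenticationProvider.generateDigest computes
#   user ":" BASE64(SHA1("user:password"))
# over the whole "user:password" string. That string is the ACL id that
# setAcl / create expect, while addauth takes the plaintext "user:password".

# zk_digest_id USER PASSWORD
#   prints USER:BASE64(SHA1("USER:PASSWORD"))
zk_digest_id() {
    _user=$1
    _pass=$2
    # printf '%s' avoids the trailing newline that echo would hash as well
    _hash=$(printf '%s' "$_user:$_pass" | openssl dgst -binary -sha1 | openssl base64)
    printf '%s:%s\n' "$_user" "$_hash"
}

# zk_digest_acl USER PASSWORD PERMS
#   prints the full expression for zkCli, e.g. digest:admin:<hash>:cdrwa
zk_digest_acl() {
    printf 'digest:%s:%s\n' "$(zk_digest_id "$1" "$2")" "$3"
}

# zk_super_digest_opt USER PASSWORD
#   prints the JVM option that enables USER as super user on the server;
#   the super id is a digest id in exactly the same format
zk_super_digest_opt() {
    printf '%s%s\n' '-Dzookeeper.DigestAuthenticationProvider.superDigest=' "$(zk_digest_id "$1" "$2")"
}

# Typical use from the shell that launches zkCli (zkCli accepts one command
# on its argument list):
#   ACL=$(zk_digest_acl admin admin cdrwa)
#   ./zkCli.sh -server localhost:2181 create /test "" "$ACL"
#   ./zkCli.sh -server localhost:2181 setAcl /test "$ACL"
# Inside an interactive zkCli the client then authenticates with the
# plaintext credential:  addauth digest admin:admin
```

The hash is never typed by hand, so the lockout described above (a plaintext password in the id position) cannot happen; the helper also makes the difference between the two credential forms visible: setAcl and superDigest take the hashed id, addauth takes the plaintext.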

Setting permissions and authenticating with Curator
  
Maven dependencies:

<dependency>
    <groupId>org.apache.curator</groupId>
    <artifactId>curator-framework</artifactId>
    <version>2.10.0</version>
</dependency>
<dependency>
    <groupId>org.apache.curator</groupId>
    <artifactId>curator-recipes</artifactId>
    <version>2.10.0</version>
</dependency>


import java.nio.charset.StandardCharsets;
import java.util.Collections;

import org.apache.curator.framework.CuratorFramework;
import org.apache.curator.framework.CuratorFrameworkFactory;
import org.apache.curator.retry.ExponentialBackoffRetry;
import org.apache.zookeeper.ZooDefs.Perms;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Id;
import org.apache.zookeeper.server.auth.DigestAuthenticationProvider;
import org.junit.AfterClass;
import org.junit.BeforeClass;
import org.junit.FixMethodOrder;
import org.junit.Test;
import org.junit.runners.MethodSorters;

/**
 * Creates a node with Curator, restricts its parent to a single digest
 * identity, and reads the node back while authenticated as that identity.
 *
 * junit version 4.12
 * zk version: 3.4.6
 */
// Tests run in name order so that createNode runs before getNodeInfo.
@FixMethodOrder(MethodSorters.NAME_ASCENDING)
public class ZkTest {

	private static String scheme = "digest";
	private static String url = "localhost:2181";

	private static final String COLON = ":";
	private static String username = "admin";
	private static String password = "admin";

	private static CuratorFramework client;

	@BeforeClass
	public static void setup() throws Exception {
		client = CuratorFrameworkFactory.builder() //
				// Equivalent of "addauth digest admin:admin" in zkCli: the plaintext
				// username:password is sent; the server hashes it to match digest ACLs.
				.authorization(scheme, signature().getBytes(StandardCharsets.UTF_8)) //
				.connectString(url).sessionTimeoutMs(5000).connectionTimeoutMs(5000) //
				.retryPolicy(new ExponentialBackoffRetry(1000, 3)) //
				.build();
		client.start();
	}

	@Test
	public void createNode() throws Exception {
		if (client.checkExists().forPath("/test/nnnn") == null) {
			// Both /test and /test/nnnn are created with the default OPEN_ACL_UNSAFE
			// (world:anyone:cdrwa).
			client.create().creatingParentsIfNeeded().forPath("/test/nnnn");
			System.out.println("created /test/nnnn");
			// generateDigest("admin:admin") returns "admin:BASE64(SHA1("admin:admin"))",
			// the same id string zkCli's setAcl expects. withACL replaces the whole
			// ACL list of /test, so from now on only this identity can access it.
			client.setACL().withACL(Collections.singletonList(
					new ACL(Perms.ALL, new Id(scheme, DigestAuthenticationProvider.generateDigest(signature())))))
					.forPath("/test");
			// ZooKeeper ACLs are not inherited: /test/nnnn itself still carries
			// world:anyone:cdrwa. Every node that needs protecting gets its own ACL.
			System.out.println("ACL set on /test");
		} else {
			System.out.println("node already exists");
		}
	}

	@Test
	public void getNodeInfo() throws Exception {
		if (client.checkExists().forPath("/test/nnnn") != null) {
			// Reading needs r on /test/nnnn only; ZooKeeper does not check
			// permissions along the parent path.
			byte[] data = client.getData().forPath("/test/nnnn");
			System.out.println("node data=" + new String(data, StandardCharsets.UTF_8));
		} else {
			System.out.println("failed to read node: it does not exist");
		}
	}

	@AfterClass
	public static void destroy() {
		client.close();
	}

	/** Plaintext "username:password", used both for authorization() and as input to generateDigest(). */
	private static String signature() {
		return username + COLON + password;
	}

}
