Zookeeper Dubbo IP 白名单

  1. zookeeper的节点概念
    zookeeper入门系列:概述
    总的来说 dubbo 体现在zookeeper中就是一个节点:/dubbo
  2. 使用zkCli.sh 连接zookeeper

    /local/zookeeper-3.4.5/bin/zkCli.sh  # start the ZooKeeper command-line client
    connect 172.16.103.33:2181           # connect to the target ZooKeeper server
    ls /                                 # list the child znodes of the root
    setAcl /dubbo ip:172.16.103.33:cdrwa       # IP allowlist on /dubbo itself (create/delete/read/write/admin); ACLs are not inherited, so child znodes keep their own ACLs
    

关于IP地址段
IP地址网段表示法
如果使用 ip 协议(scheme)设置 IP 地址段失败,可以改用 zkClient(Java API)来设置,
详见下文的 zkClient 部分。


10/16 补充 用户名密码方案

  1. 客户端连接zookeeper

    ./zkCli.sh
  2. 使用 Java 生成密码摘要:generateDigest("用户名:密码")

    import org.apache.zookeeper.server.auth.DigestAuthenticationProvider;
    import org.junit.Test;
    
    import java.security.NoSuchAlgorithmException;
    
    /**
     * @author luwenlong
     * @date 2017/10/13
     * @description Prints the ZooKeeper digest-ACL identity (user:Base64(SHA-1("user:password"))) for a credential.
     */
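    public class PasswordBuilder {
        /**
         * Prints the identity string that a {@code digest} ACL expects for a sample
         * {@code user:password} pair.
         *
         * <p>{@code DigestAuthenticationProvider.generateDigest} returns
         * {@code user:Base64(SHA-1("user:password"))}. The digest is unsalted, so anyone
         * able to read the znode's ACL can test guessed passwords against it; use a long,
         * random password in a real deployment and keep it out of source control.
         *
         * @throws IllegalStateException if the JVM does not provide the digest algorithm
         */
        @Test
        public void generate() {
            // Sample credential from the article; replace it before generating a real ACL entry.
            final String idPassword = "luwfls:luwfls";
            try {
                System.out.println(DigestAuthenticationProvider.generateDigest(idPassword));
            } catch (NoSuchAlgorithmException e) {
                // Fail the test instead of printing a stack trace and passing silently.
                throw new IllegalStateException("digest algorithm is not available", e);
            }
        }
    }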
    
  3. 设置 dubbo 节点的密码权限(这里的密码是上一步生成的加密后的摘要,不要使用明文密码)

setAcl /dubbo digest:luwfls:dbshuAKWkOXQro563C0o+16AAR4=:cdrwa

附:超级管理员(super)权限的设置方法,用于 ACL 设置错误或忘记密码时恢复访问。super 用户不受任何 ACL 限制,建议恢复完成后去掉该启动参数并重启。

  1. 编辑zkServer.sh 109行

    nohup "$JAVA" "-Dzookeeper.log.dir=${ZOO_LOG_DIR}" "-Dzookeeper.root.logger=${ZOO_LOG4J_PROP}" "-Dzookeeper.DigestAuthenticationProvider.superDigest=super:g9oN2HttPfn8MMWJZ2r45Np/LIA=" \
  2. 重启zookeeper

    ./zkServer.sh restart
  3. 验证

    ./zkCli.sh     ## connect with the command-line client
    addauth digest:luwfls:luwfls   ## intended as the super-administrator login. NOTE(review): zkCli takes the scheme and the credential as two arguments (addauth digest user:password), and the superDigest configured above belongs to user "super" - confirm the credential used here
    setAcl /dubbo digest:用户名:加密后的密码:权限 ## as super administrator, set the new digest ACL (fields: user name, digest produced by generateDigest, permissions)

11/02 补充zkClient 方案

  • 前提:需先参考上一步设置好超级管理员,之后才能以超级管理员权限进行下面的操作
  • demo的github地址
  • 简介
import org.I0Itec.zkclient.ZkClient;
import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.ZooKeeper;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Id;
import org.apache.zookeeper.data.Stat;
import org.junit.Test;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

/**
 * @author luwenlong
 * @date 2017/10/17 0017
 * @description zookeeper 管理
 */
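public class ZKManager {
    private static final String ZKADDRESS = "172.16.101.130:2190";
    // NOTE(review): demo credentials are hard-coded here. In a real project load them
    // from configuration or the environment and keep them out of source control.
    private static final String SUPERAUTH = "super:superpw";
    private static final String LUWFLS = "luwfls:luwfls";
    private static final String DIGEST = "digest";
    private static final String DUBBO_PATH = "/dubbo";
    private static final int SESSION_TIMEOUT_MS = 500;
    private static final long CONNECT_WAIT_MS = 5000L;

    private static ZkClient zkClient = new ZkClient(ZKADDRESS);

    /**
     * Opens a ZooKeeper session and optionally authenticates it with the digest scheme.
     *
     * <p>The constructor returns before the session is established, so this helper
     * waits (best effort, up to {@link #CONNECT_WAIT_MS}) for the connected state.
     * The digest scheme hands the {@code user:password} pair to the server as given,
     * so it should only be used over a trusted or encrypted connection.
     *
     * @param digestAuth {@code user:password} to register, or {@code null} for an
     *                   unauthenticated session
     * @return the client handle; the caller must close it
     * @throws IOException if the client cannot be created
     */
    private static ZooKeeper connect(String digestAuth) throws IOException {
        ZooKeeper zooKeeper = new ZooKeeper(ZKADDRESS, SESSION_TIMEOUT_MS,
                watchedEvent -> System.out.println("已经触发了" + watchedEvent.getType() + "事件!"));
        if (digestAuth != null) {
            zooKeeper.addAuthInfo(DIGEST, digestAuth.getBytes(StandardCharsets.UTF_8));
        }
        long deadline = System.currentTimeMillis() + CONNECT_WAIT_MS;
        try {
            while (!zooKeeper.getState().isConnected() && System.currentTimeMillis() < deadline) {
                Thread.sleep(50);
            }
        } catch (InterruptedException e) {
            // Preserve the interrupt and hand back the client in whatever state it is in.
            Thread.currentThread().interrupt();
        }
        return zooKeeper;
    }

    /** Closes a session so that tests do not leak connections; a {@code null} handle is ignored. */
    private static void close(ZooKeeper zooKeeper) {
        if (zooKeeper == null) {
            return;
        }
        try {
            zooKeeper.close();
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
        }
    }

    /**
     * Returns the {@link Stat} of a znode.
     *
     * @throws IllegalStateException if the znode does not exist ({@code exists} returned {@code null})
     */
    private static Stat requireStat(ZooKeeper zooKeeper, String path) throws Exception {
        Stat stat = zooKeeper.exists(path, false);
        if (stat == null) {
            throw new IllegalStateException("znode does not exist: " + path);
        }
        return stat;
    }

    /** Connects without credentials and prints the session state. */
    @Test
    public void testZooKeeperConnect() throws IOException {
        ZooKeeper zooKeeper = connect(null);
        try {
            ZooKeeper.States state = zooKeeper.getState();
            System.out.println("状态: " + state);
        } finally {
            close(zooKeeper);
        }
    }

    /**
     * As the super administrator, resets the ACL of /dubbo to world:anyone with all
     * permissions.
     *
     * <p>This removes every access restriction from the znode. It is meant as a
     * recovery step; a restrictive ACL should be applied again afterwards.
     */
    @Test
    public void setRootWorldCDRWA() throws Exception {
        ZooKeeper zooKeeper = connect(SUPERAUTH);
        try {
            // Use the node's current ACL version rather than a fixed number, which
            // only works while the node happens to be at exactly that version.
            int aclVersion = requireStat(zooKeeper, DUBBO_PATH).getAversion();
            zooKeeper.setACL(DUBBO_PATH, ZooDefs.Ids.OPEN_ACL_UNSAFE, aclVersion);
        } finally {
            close(zooKeeper);
        }
    }

    /**
     * Replaces the ACL of /dubbo with an IP allowlist of two addresses.
     *
     * <p>Known issue recorded by the author: the call failed with
     * "KeeperErrorCode = InvalidACL for /dubbo".
     *
     * <p>setACL replaces the whole ACL list, so once it succeeds the digest identity
     * used here no longer has any permission on the znode; later changes must come
     * from an allowed address or from the super user. The ACL covers /dubbo only and
     * is not inherited by its children.
     */
    @Test
    public void setIPS() throws Exception {
        ZooKeeper zooKeeper = connect(LUWFLS);
        try {
            List<ACL> acls = new ArrayList<>();
            acls.add(new ACL(ZooDefs.Perms.ALL, new Id("ip", "172.16.103.33")));
            acls.add(new ACL(ZooDefs.Perms.ALL, new Id("ip", "172.16.103.60")));
            // The ACL version works as an optimistic lock: the update is applied only
            // if the node's aversion still equals the value passed in.
            zooKeeper.setACL(DUBBO_PATH, acls, requireStat(zooKeeper, DUBBO_PATH).getAversion());
        } finally {
            close(zooKeeper);
        }
    }

    /** Prints the session state and the ACL entries of /dubbo. */
    @Test
    public void getAcl() throws Exception {
        ZooKeeper zooKeeper = connect(LUWFLS);
        try {
            ZooKeeper.States state = zooKeeper.getState();
            // println, not printf: the text is not a format string.
            System.out.println("state  " + state);
            List<ACL> acl = zooKeeper.getACL(DUBBO_PATH, new Stat());
            acl.forEach(System.out::println);
        } finally {
            close(zooKeeper);
        }
    }

    /**
     * Prints the data, child and ACL versions of /dubbo.
     *
     * <p>Changing an ACL requires the node's current ACL version, Stat.aversion.
     */
    @Test
    public void queryVersion() throws Exception {
        ZooKeeper zooKeeper = connect(LUWFLS);
        try {
            Stat stat = requireStat(zooKeeper, DUBBO_PATH);
            System.out.println(String.format("version %s  cversion %s aversion %s ", stat.getVersion(), stat.getCversion(), stat.getAversion()));
            System.out.println(stat);
        } finally {
            close(zooKeeper);
        }
    }

    /**
     * Creates the persistent znode /test123 through ZkClient.
     *
     * <p>NOTE(review): no ACL is passed, so the node presumably gets the client's
     * default ACL - confirm and restrict it if the node must be protected.
     */
    @Test
    public void testCreatePersistent() {
        zkClient.createPersistent("/test123");
    }

}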

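        // Typed list instead of a raw ArrayList, so only ACL entries can be added.
        ArrayList<ACL> acls = new ArrayList<>();
        acls.add(new ACL(ZooDefs.Perms.ALL,new Id("ip","172.16.103.33")));
        acls.add(new ACL(ZooDefs.Perms.ALL,new Id("ip","172.16.103.60")));
        // The ACL version acts as an optimistic lock: setACL is applied only if the
        // node's aversion still equals the value passed in. exists() returns null when
        // the node is missing, so /test123 must already have been created.
        // The new ACL covers /test123 only; child znodes keep their own ACLs.
        zooKeeper.setACL("/test123",acls,zooKeeper.exists("/test123",false).getAversion());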

通过上面的代码,将两个 IP 加入了 /test123 节点的白名单。注意 ACL 只作用于该节点本身,不会继承到子节点,需要保护的子节点要单独设置。
