## 5. ACL permission control

- What is an ACL (Access Control List)

  - Permissions such as read and write can be set per node, in order to keep the data secure
  - A permission can be scoped differently and granted to different roles

- ACL commands

  - getAcl: show the ACL of a node

    ``` shell
    [zk: localhost:2181(CONNECTED) 11] getAcl /itheima
    'world,'anyone
    : cdrwa
    ```

  - setAcl: set the ACL of a node
  - addauth: supply authentication credentials (log in); the password is typed in plain text when registering, but inside zk it is stored in hashed (digest) form

- Structure of an ACL

  - A zk ACL entry is built as [scheme:id:permissions]

    - scheme: the permission mechanism in use
    - id: the user(s) allowed access
    - permissions: the permission combination string

  - scheme:

    - world: world has only one id, anyone, i.e. a single user; the combined form is

      world:anyone:[permissions]

    - auth: authenticated login; a registered user that has been granted the permission is enough; the form is auth:user:password:[permissions]

    - digest: the password must be given as a digest before access; the combined form is digest:username:BASE64(SHA1(password)):[permissions]

    - Difference between auth and digest: the former takes the password in plain text, the latter as a digest

      - setAcl /path auth:tom:tom:cdrwa
      - setAcl /path digest:tom:BASE64(SHA1(password)):cdrwa is equivalent
      - After addauth digest tom:tom, either form lets the client operate on the node with the granted permissions

    - ip: when set to ip, access is restricted to the given IP address, e.g. ip:192.168.1.1:[permissions]

    - super: the super administrator, who holds all permissions

  - permissions

    - cdrwa
    - Create: create child nodes
    - Read: read the node data / list child nodes
    - Write: set the node data
    - Delete: delete child nodes
    - Admin: set permissions

  - world:anyone:cdrwa

    ``` shell
    # create the child node /itheima/abc
    [zk: localhost:2181(CONNECTED) 5] create /itheima/abc 123
    Created /itheima/abc
    # check the node's ACL: a newly created node defaults to world:anyone:cdrwa
    [zk: localhost:2181(CONNECTED) 6] getAcl /itheima/abc
    'world,'anyone
    : cdrwa
    ```

    - Change a node's ACL with setAcl: setAcl <path> world:anyone:crwa

    ``` shell
    # set the permissions to crwa: d (delete child nodes) is removed
    [zk: localhost:2181(CONNECTED) 7] setAcl /itheima/abc world:anyone:crwa
    cZxid = 0xb3
    ctime = Sun Jan 06 17:46:55 CST 2019
    mZxid = 0xb3
    mtime = Sun Jan 06 17:46:55 CST 2019
    pZxid = 0xb3
    cversion = 0
    dataVersion = 0
    aclVersion = 1
    ephemeralOwner = 0x0
    dataLength = 3
    numChildren = 0
    # check the ACL
    [zk: localhost:2181(CONNECTED) 8] getAcl /itheima/abc
    'world,'anyone
    : crwa
    # create a new child node
    [zk: localhost:2181(CONNECTED) 9] create /itheima/abc/xyz 123
    Created /itheima/abc/xyz
    # test whether the child node can be deleted
    [zk: localhost:2181(CONNECTED) 11] delete /itheima/abc/xyz
    Authentication is not valid : /itheima/abc/xyz
    # the child node still exists
    [zk: localhost:2181(CONNECTED) 12] ls /itheima/abc
    [xyz]
    ```

  - auth:user:pwd:cdrwa   handle the ACL with the auth scheme (password in plain text)

    addauth digest user:pwd   register / log in the user

    ``` shell
    [zk: lh:2181(CONNECTED) 13] setAcl /itheima/abc auth:itheima:itheima:cdrwa
    Acl is not valid : /itheima/abc # no user registered yet
    [zk: lh:2181(CONNECTED) 14] addauth digest itheima:itheima  # register the user
    [zk: lh:2181(CONNECTED) 15] setAcl /itheima/abc auth:itheima:itheima:cdrwa
    cZxid = 0xb3
    ctime = Sun Jan 06 17:46:55 CST 2019
    mZxid = 0xb3
    mtime = Sun Jan 06 17:46:55 CST 2019
    pZxid = 0xb5
    cversion = 1
    dataVersion = 0
    aclVersion = 2
    ephemeralOwner = 0x0
    dataLength = 3
    numChildren = 1
    [zk: lh:2181(CONNECTED) 16] getAcl /itheima/abc
    'digest,'itheima:8vob7o7uTPp2jDaiVV3mUesBi7A=
    : cdrwa
    # after exiting the terminal, reconnect and try again
    [zk: localhost:2181(CONNECTED) 0] ls /itheima
    [sec0000000003, dir1, abc, sec0000000002]
    [zk: localhost:2181(CONNECTED) 1] ls /itheima/abc
    Authentication is not valid : /itheima/abc  # no read permission
    # log in and check again
    [zk: localhost:2181(CONNECTED) 4] addauth digest itheima:itheima
    [zk: localhost:2181(CONNECTED) 5] ls /itheima/abc
    [xyz]
    # change the granted permissions: once a user has been bound, setting the ACL again does not require passing the username and password
    [zk: localhost:2181(CONNECTED) 8] setAcl /itheima/abc auth::crwa
    cZxid = 0xb3
    ctime = Sun Jan 06 17:46:55 CST 2019
    mZxid = 0xb3
    mtime = Sun Jan 06 17:46:55 CST 2019
    pZxid = 0xb5
    cversion = 1
    dataVersion = 0
    aclVersion = 3
    ephemeralOwner = 0x0
    dataLength = 3
    numChildren = 1
    [zk: localhost:2181(CONNECTED) 9] getAcl /itheima/abc
    'digest,'itheima:8vob7o7uTPp2jDaiVV3mUesBi7A=
    : crwa
    ```

  - digest:user:BASE64(SHA1(pwd)):cdrwa     handle the ACL with the digest scheme (password as a digest)

    ``` shell
    [zk: localhost:2181(CONNECTED) 13] setAcl /itheima/test digest:itheima:8vob7o7uTPp2jDaiVV3mUesBi7A=:rwa
    cZxid = 0xbc
    ctime = Sun Jan 06 18:20:23 CST 2019
    mZxid = 0xbc
    mtime = Sun Jan 06 18:20:23 CST 2019
    pZxid = 0xbc
    cversion = 0
    dataVersion = 0
    aclVersion = 1
    ephemeralOwner = 0x0
    dataLength = 3
    numChildren = 0
    [zk: localhost:2181(CONNECTED) 14] ls /itheima/test
    []
    [zk: localhost:2181(CONNECTED) 15] getAcl /itheima/test
    ```

    Note: after exiting and reconnecting, /itheima/test can no longer be accessed unless you log in with addauth digest <username>:<plain-text password matching the digest>

  - ip:192.168.1.1:cdrwa   control by IP address which clients may access the node

    ``` shell
    [zk: localhost:2181(CONNECTED) 17] create /itheima/test2 123
    Created /itheima/test2
    [zk: localhost:2181(CONNECTED) 18] setAcl /itheima/test2 ip:192.168.199.3:crwa
    cZxid = 0xbf
    ctime = Sun Jan 06 18:24:28 CST 2019
    mZxid = 0xbf
    mtime = Sun Jan 06 18:24:28 CST 2019
    pZxid = 0xbf
    cversion = 0
    dataVersion = 0
    aclVersion = 1
    ephemeralOwner = 0x0
    dataLength = 3
    numChildren = 0
    [zk: localhost:2181(CONNECTED) 19] getAcl /itheima/test2
    'ip,'192.168.199.3
    : crwa
    # this client connects from localhost, not 192.168.199.3, so it is denied
    [zk: localhost:2181(CONNECTED) 20] get /itheima/test2
    Authentication is not valid : /itheima/test2
    ```

  - super administrator

    Edit zkServer.sh: only the middle line (the superDigest property, whose value is the same digest id that getAcl shows) needs to be added; keep the trailing backslashes so the command stays on one logical line

    ``` shell
     nohup $JAVA $ZOO_DATADIR_AUTOCREATE "-Dzookeeper.log.dir=${ZOO_LOG_DIR}" \
        "-Dzookeeper.root.logger=${ZOO_LOG4J_PROP}" \
        "-Dzookeeper.DigestAuthenticationProvider.superDigest=itheima:8vob7o7uTPp2jDaiVV3mUesBi7A=" \
        -cp "$CLASSPATH" $JVMFLAGS $ZOOMAIN "$ZOOCFG" > "$_ZOO_DAEMON_OUT" 2>&1 < /dev/null &
    ```

    Restart (the server reads the property at startup), then log in again from the client

    ``` shell
    [zk: localhost:2181(CONNECTED) 2] addauth digest itheima:itheima
    # logged in as the super user, so the ip ACL on /itheima/test2 no longer blocks this client
    [zk: localhost:2181(CONNECTED) 3] ls /itheima/test2
    []
    [zk: localhost:2181(CONNECTED) 4] getAcl /itheima/test2
    'ip,'192.168.199.3
    : crwa
    [zk: localhost:2181(CONNECTED) 5] ls /itheima/test2
    []
    [zk: localhost:2181(CONNECTED) 6] delete /itheima/test2
    [zk: localhost:2181(CONNECTED) 7] ls /itheima
    [sec0000000003, dir1, abc, test, sec0000000002]
    ```
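
As an added example (not from the original notes and not ZooKeeper's own code), the following Python reproduces the pieces the scheme/permissions, digest, ip and super sections above describe: the digest id stored for auth/digest ACLs and used by superDigest, parsing of scheme:id:permissions, and a simplified check of the world, ip and digest schemes against the sessions shown (delete denied under crwa, a localhost client denied by ip:192.168.199.3, a digest entry only honoured after addauth). Assumptions of this example: ZooKeeper hashes the whole user:password string rather than the password alone, ip matching is exact-match only, and the super user is not modelled.

```python
import base64
import hashlib

# Permission letters exactly as getAcl prints them (cdrwa).
PERMS = {"c": "create", "r": "read", "w": "write", "d": "delete", "a": "admin"}


def zk_digest(user_password: str) -> str:
    """Id stored for a digest ACL: user:BASE64(SHA1("user:password")).

    ZooKeeper hashes the whole "user:password" string, not the password alone;
    the same value is what superDigest= in zkServer.sh expects.
    """
    user = user_password.split(":", 1)[0]
    sha = hashlib.sha1(user_password.encode("utf-8")).digest()
    return f"{user}:{base64.b64encode(sha).decode('ascii')}"


def parse_acl(acl: str):
    """Split 'scheme:id:perms'; the id may itself contain ':' (digest ids do)."""
    scheme, rest = acl.split(":", 1)
    ident, perms = rest.rsplit(":", 1)
    if not perms or set(perms) - set(PERMS):
        raise ValueError(f"bad permission string {perms!r}, expected letters from cdrwa")
    return scheme, ident, perms


def expand_auth_acl(perms: str, session_auths: list) -> list:
    """setAcl with scheme 'auth' is stored as one digest entry per id the session
    authenticated with via addauth (hence getAcl shows 'digest,'itheima:... afterwards)."""
    return [f"digest:{zk_digest(cred)}:{perms}"
            for scheme, cred in session_auths if scheme == "digest"]


def is_allowed(acl: str, op: str, client_ip: str, session_auths: list) -> bool:
    """Decide whether one ACL entry grants operation op ('c', 'r', 'w', 'd' or 'a').

    session_auths: credentials the client supplied with addauth, e.g.
    [("digest", "itheima:itheima")]. Simplified model (assumption): exact IP
    match only, no CIDR ranges, and no super user."""
    scheme, ident, perms = parse_acl(acl)
    if op not in perms:
        return False                   # e.g. world:anyone:crwa denies delete
    if scheme == "world":
        return ident == "anyone"
    if scheme == "ip":
        return client_ip == ident      # a localhost client fails ip:192.168.199.3
    if scheme == "digest":
        return any(s == "digest" and zk_digest(cred) == ident
                   for s, cred in session_auths)
    return False
```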

