[b][size=medium]zookeeper has 4 authentication schemes[/size][/b]

(1) world: it has only one id, called anyone; world:anyone stands for everyone, and any znode in zookeeper that everyone has permissions on belongs to world:anyone
(2) auth: it needs no id; every user who has passed authentication gets the permissions (zookeeper supports authentication via kerberos as well as username/password authentication)
(3) digest: its id is username:BASE64(SHA1(password)); it requires authentication in the username:password form first
(4) ip: its id is the client's IP address; an address range can be given, e.g. ip:192.168.1.0/16, which matches the first 16 bits of the client IP
super: under this scheme the corresponding id has superuser rights and can do anything (cdrwa)
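As an added example (not code from the original post), the following builds one ACL entry for each scheme listed above with ZooKeeper's own ACL, Id and Perms classes and prints each entry in the scheme:id:perms form that zkCli's getAcl shows. It also shows how the digest id is really derived: DigestAuthenticationProvider.generateDigest hashes the whole "username:password" string with SHA1, so the id is username:BASE64(SHA1("username:password")) rather than a hash of the password alone. The username, password and the 192.168.1.0/16 subnet are constructed values; the class name AclSchemesExample is an assumption.

```java
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.List;

import org.apache.zookeeper.ZooDefs.Ids;
import org.apache.zookeeper.ZooDefs.Perms;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Id;
import org.apache.zookeeper.server.auth.DigestAuthenticationProvider;

/** Added example: one ACL entry per scheme (world, auth, digest, ip). Not from the original post. */
public class AclSchemesExample {

    /** Builds the digest id "username:BASE64(SHA1(username:password))" exactly as the server does. */
    public static Id digestId(String username, String password) throws NoSuchAlgorithmException {
        // generateDigest hashes the full "username:password" string and returns it prefixed with "username:"
        return new Id("digest", DigestAuthenticationProvider.generateDigest(username + ":" + password));
    }

    /** Example ACL: world read-only, any authenticated session full, one digest admin, one subnet read. */
    public static List<ACL> buildAcl(String username, String password) throws NoSuchAlgorithmException {
        List<ACL> acl = new ArrayList<>();
        // (1) world:anyone -- grant READ only; Perms.ALL here would be the same as OPEN_ACL_UNSAFE
        acl.add(new ACL(Perms.READ, Ids.ANYONE_ID_UNSAFE));
        // (2) auth: the id is empty; every session that has done addauth gets these permissions
        acl.add(new ACL(Perms.ALL, Ids.AUTH_IDS));
        // (3) digest: a fixed user with full cdrwa
        acl.add(new ACL(Perms.ALL, digestId(username, password)));
        // (4) ip: /16 prefix match on the client address (constructed example subnet), read only
        acl.add(new ACL(Perms.READ, new Id("ip", "192.168.1.0/16")));
        return acl;
    }

    /** Renders "scheme:id:perms" the way zkCli's getAcl prints an entry. */
    public static String describe(ACL entry) {
        StringBuilder perms = new StringBuilder();
        int p = entry.getPerms();
        if ((p & Perms.CREATE) != 0) perms.append('c');
        if ((p & Perms.DELETE) != 0) perms.append('d');
        if ((p & Perms.READ) != 0) perms.append('r');
        if ((p & Perms.WRITE) != 0) perms.append('w');
        if ((p & Perms.ADMIN) != 0) perms.append('a');
        return entry.getId().getScheme() + ":" + entry.getId().getId() + ":" + perms;
    }

    public static void main(String[] args) throws Exception {
        for (ACL entry : buildAcl("admin", "admin")) {
            System.out.println(describe(entry));
        }
        // super is not a scheme you place on a znode: it is enabled on the server with
        // -Dzookeeper.DigestAuthenticationProvider.superDigest=super:<BASE64(SHA1(super:password))>
        // and a session authenticated as that id bypasses every ACL.
    }
}
```

The digest entry prints as digest:admin:<28-character base64>:cdrwa, which is the literal string to pass to zkCli's create or setAcl; compare it with the getAcl output after the node is created to confirm the server stored the same id.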

[b][size=medium]Setting, viewing and authenticating permissions with zkCli[/size][/b]

[b]Setting permissions[/b]

->./zkCli.sh -server ip:port
(1) Create the node and set permissions in one step
->create path data digest:username:BASE64(SHA1(password)):rwdca
(2) Create the node first, then set permissions
->create path data
->setAcl path digest:username:base64(sha1(password)):rwdca

[b]Viewing permissions[/b]

-> getAcl path

[b]Authenticating[/b]

->addauth scheme auth
demo: ->addauth digest admin:admin (plaintext)

[b][size=medium]Setting and authenticating permissions with Curator[/size][/b]

<dependency>
<groupId>org.apache.curator</groupId>
<artifactId>curator-framework</artifactId>
<version>2.10.0</version>
</dependency>
<dependency>
<groupId>org.apache.curator</groupId>
<artifactId>curator-recipes</artifactId>
<version>2.10.0</version>
</dependency>


import java.nio.charset.StandardCharsets;
import java.util.Collections;

import org.apache.curator.framework.CuratorFramework;
import org.apache.curator.framework.CuratorFrameworkFactory;
import org.apache.curator.retry.ExponentialBackoffRetry;
import org.apache.zookeeper.ZooDefs.Perms;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Id;
import org.apache.zookeeper.server.auth.DigestAuthenticationProvider;
import org.junit.AfterClass;
import org.junit.BeforeClass;
import org.junit.FixMethodOrder;
import org.junit.Test;
import org.junit.runners.MethodSorters;

/**
 * junit version 4.12
 * zk version: 3.4.6
 */
@FixMethodOrder(MethodSorters.NAME_ASCENDING)
public class ZkTest {

    private static final String scheme = "digest";
    private static final String url = "localhost:2181";

    private static final String COLON = ":";
    private static final String username = "admin";
    private static final String password = "admin";

    private static CuratorFramework client;

    @BeforeClass
    public static void setup() throws Exception {
        // authorization() is the client-side equivalent of zkCli's "addauth digest admin:admin":
        // the plaintext username:password is sent with the session and the server hashes it for ACL matching
        client = CuratorFrameworkFactory.builder()
                .authorization(scheme, signature().getBytes(StandardCharsets.UTF_8))
                .connectString(url).sessionTimeoutMs(5000).connectionTimeoutMs(5000)
                .retryPolicy(new ExponentialBackoffRetry(1000, 3))
                .build();
        client.start();
    }

    @Test
    public void createNode() throws Exception {
        if (client.checkExists().forPath("/test/nnnn") == null) {
            client.create().creatingParentsIfNeeded().forPath("/test/nnnn");
            System.out.println("Created /test/nnnn");
            // generateDigest("admin:admin") yields "admin:BASE64(SHA1(admin:admin))", the same id zkCli
            // expects after "digest:". ZooKeeper ACLs are per znode and are not inherited, so this call
            // protects /test only; /test/nnnn keeps the default (open) ACL Curator created it with.
            client.setACL().withACL(Collections.singletonList(
                    new ACL(Perms.ALL, new Id(scheme, DigestAuthenticationProvider.generateDigest(signature())))))
                  .forPath("/test");
            System.out.println("ACL set");
        } else {
            System.out.println("Node already exists");
        }
    }

    @Test
    public void getNodeInfo() throws Exception {
        if (client.checkExists().forPath("/test/nnnn") != null) {
            byte[] forPath = client.getData().forPath("/test/nnnn");
            System.out.println("node data=" + new String(forPath, StandardCharsets.UTF_8));
        } else {
            System.out.println("Failed to get node info: the node does not exist");
        }
    }

    @AfterClass
    public static void destroy() {
        client.close();
    }

    /** The plaintext "username:password" string used both for addauth and for computing the digest id. */
    private static String signature() {
        return username + COLON + password;
    }

}
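The zkCli steps above (create with a digest ACL, getAcl, addauth) and the Curator test leave one question open: does the ACL actually keep a session that never authenticated out? The following is an added example, not code from the original post, that runs that check with Curator 2.10. One session configured with authorization() creates a digest-protected znode with the ACL supplied at create time (so there is no window in which the node exists with an open ACL), reads the ACL back the way getAcl does, and a second session that never called addauth attempts to read the data and is expected to be refused with NoAuthException. The connect string localhost:2181, the path /test/acl-check, the data "secret" and the class name AclEnforcementCheck are assumptions for a local test server.

```java
import java.nio.charset.StandardCharsets;
import java.util.Collections;
import java.util.List;

import org.apache.curator.framework.CuratorFramework;
import org.apache.curator.framework.CuratorFrameworkFactory;
import org.apache.curator.retry.ExponentialBackoffRetry;
import org.apache.zookeeper.KeeperException.NoAuthException;
import org.apache.zookeeper.ZooDefs.Perms;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Id;
import org.apache.zookeeper.server.auth.DigestAuthenticationProvider;

/** Added example (not from the original post): create a digest-protected znode and verify the ACL holds. */
public class AclEnforcementCheck {

    private static final String CONNECT = "localhost:2181";  // assumption: local test server
    private static final String PATH = "/test/acl-check";     // constructed path for this check
    private static final String USER_PASS = "admin:admin";    // same demo credentials as the post

    /** Opens a session; auth == null gives a session that never did the equivalent of addauth. */
    static CuratorFramework connect(String auth) {
        CuratorFrameworkFactory.Builder b = CuratorFrameworkFactory.builder()
                .connectString(CONNECT)
                .sessionTimeoutMs(5000).connectionTimeoutMs(5000)
                .retryPolicy(new ExponentialBackoffRetry(1000, 3));
        if (auth != null) {
            b.authorization("digest", auth.getBytes(StandardCharsets.UTF_8));
        }
        CuratorFramework c = b.build();
        c.start();
        return c;
    }

    /** Equivalent of: create path data digest:<id>:cdrwa (ACL applied in the create request itself). */
    static void createProtected(CuratorFramework authed) throws Exception {
        List<ACL> acl = Collections.singletonList(new ACL(Perms.ALL,
                new Id("digest", DigestAuthenticationProvider.generateDigest(USER_PASS))));
        if (authed.checkExists().forPath(PATH) == null) {
            // Caveat: creatingParentsIfNeeded() creates the parent /test with Curator's default ACL
            // (OPEN_ACL_UNSAFE); only the leaf gets the digest ACL, because ACLs are not inherited.
            authed.create().creatingParentsIfNeeded().withACL(acl)
                  .forPath(PATH, "secret".getBytes(StandardCharsets.UTF_8));
        }
    }

    /** Equivalent of zkCli getAcl: true when no entry grants world:anyone any permission. */
    static boolean noWorldAccess(CuratorFramework authed) throws Exception {
        for (ACL entry : authed.getACL().forPath(PATH)) {
            if ("world".equals(entry.getId().getScheme()) && entry.getPerms() != 0) {
                return false;
            }
        }
        return true;
    }

    /** True when a session without credentials is refused by the server with NoAuthException. */
    static boolean anonymousReadDenied(CuratorFramework anonymous) throws Exception {
        try {
            anonymous.getData().forPath(PATH);
            return false;   // the read succeeded: the node is not actually protected
        } catch (NoAuthException expected) {
            return true;
        }
    }

    public static void main(String[] args) throws Exception {
        CuratorFramework authed = connect(USER_PASS);
        CuratorFramework anonymous = connect(null);
        try {
            createProtected(authed);
            System.out.println("no world:anyone entry: " + noWorldAccess(authed));
            System.out.println("anonymous read denied: " + anonymousReadDenied(anonymous));
        } finally {
            anonymous.close();
            authed.close();
        }
    }
}
```

Both checks should print true against a server where the node was created as above. If the second prints false, the node is readable without credentials, which is exactly what happens when the ACL is set on the parent only, as in createNode() above, or when the create was issued without withACL and the setAcl step was skipped.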