ACL stands for Access Control List and controls who may access a resource. A ZooKeeper ACL has three parts: scheme, id and permission. The scheme is the authorization strategy, the id identifies the user, and the permission is the set of rights granted.

scheme:id

  • world: has a single id, anyone. world:anyone means everybody; a node in ZooKeeper that everyone may access belongs to world:anyone.

  • auth: takes no id; any user who has passed authentication is granted the permission (ZooKeeper supports authentication via Kerberos as well as via username:password).

  • digest: its id is username:BASE64(SHA1(password)); the client must first authenticate with username:password.

  • ip: its id is the client's IP address. A range can be given, for example ip:192.168.1.0/16, which matches the first 16 bits of the address.

permission

Permission and description:

  • c (create): permission to create child nodes under this path
  • d (delete): permission to delete child nodes under this path
  • r (read): permission to read the data of this node
  • w (write): permission to update the data of this node
  • a (admin): administrative permission, allows managing the ACL of this node

create permission

# Set the ACL of /wusp to drwa, i.e. without c
setAcl /wusp world:anyone:drwa
cZxid = 0x4
ctime = Sun May 14 17:33:09 CST 2023
mZxid = 0x5
mtime = Sun May 14 17:52:57 CST 2023
pZxid = 0x4
cversion = 0
dataVersion = 1
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 8
numChildren = 0
# Creating a child node fails for lack of permission
[zk: localhost:2181(CONNECTED) 21] create /wusp/child data
Authentication is not valid : /wusp/child
# Grant the create permission on /wusp
[zk: localhost:2181(CONNECTED) 22] setAcl /wusp world:anyone:cdrwa
cZxid = 0x4
ctime = Sun May 14 17:33:09 CST 2023
mZxid = 0x5
mtime = Sun May 14 17:52:57 CST 2023
pZxid = 0x4
cversion = 0
dataVersion = 1
aclVersion = 2
ephemeralOwner = 0x0
dataLength = 8
numChildren = 0
# The child node is created successfully
[zk: localhost:2181(CONNECTED) 23] create /wusp/child data
Created /wusp/child

delete permission

# Remove the delete permission
[zk: localhost:2181(CONNECTED) 24] setAcl /wusp world:anyone:crwa
cZxid = 0x4
ctime = Sun May 14 17:33:09 CST 2023
mZxid = 0x5
mtime = Sun May 14 17:52:57 CST 2023
pZxid = 0x35
cversion = 1
dataVersion = 1
aclVersion = 3
ephemeralOwner = 0x0
dataLength = 8
numChildren = 1
# rmr reports insufficient permission
[zk: localhost:2181(CONNECTED) 25] rmr /wusp
Authentication is not valid : /wusp/child
# delete reports insufficient permission
[zk: localhost:2181(CONNECTED) 26] delete /wusp/child
Authentication is not valid : /wusp/child
# Add the delete permission back
[zk: localhost:2181(CONNECTED) 27] setAcl /wusp world:anyone:cdrwa
cZxid = 0x4
ctime = Sun May 14 17:33:09 CST 2023
mZxid = 0x5
mtime = Sun May 14 17:52:57 CST 2023
pZxid = 0x35
cversion = 1
dataVersion = 1
aclVersion = 4
ephemeralOwner = 0x0
dataLength = 8
numChildren = 1
# /wusp/child is deleted successfully
[zk: localhost:2181(CONNECTED) 28] delete /wusp/child
[zk: localhost:2181(CONNECTED) 29]

read permission

# Create /wusp/child again
[zk: localhost:2181(CONNECTED) 29] create /wusp/child data
Created /wusp/child
# Remove the read permission
[zk: localhost:2181(CONNECTED) 32] setAcl /wusp world:anyone:cdwa
cZxid = 0x4
ctime = Sun May 14 17:33:09 CST 2023
mZxid = 0x5
mtime = Sun May 14 17:52:57 CST 2023
pZxid = 0x3b
cversion = 3
dataVersion = 1
aclVersion = 5
ephemeralOwner = 0x0
dataLength = 8
numChildren = 1
# Reading the data of /wusp is denied
[zk: localhost:2181(CONNECTED) 33] get /wusp
Authentication is not valid : /wusp
# But the data of /wusp/child is read successfully: the ACL applies to /wusp itself and is not inherited by its children
[zk: localhost:2181(CONNECTED) 35] get /wusp/child
data
cZxid = 0x3b
ctime = Wed May 17 21:13:06 CST 2023
mZxid = 0x3b
mtime = Wed May 17 21:13:06 CST 2023
pZxid = 0x3b
cversion = 0
dataVersion = 0
aclVersion = 0
ephemeralOwner = 0x0
dataLength = 4
numChildren = 0
[zk: localhost:2181(CONNECTED) 36] getAcl /wusp
'world,'anyone
: cdwa
[zk: localhost:2181(CONNECTED) 37] getAcl /wusp/child
'world,'anyone
: cdrwa

write permission

# Remove the write permission
[zk: localhost:2181(CONNECTED) 38] setAcl /wusp world:anyone:cdra
cZxid = 0x4
ctime = Sun May 14 17:33:09 CST 2023
mZxid = 0x5
mtime = Sun May 14 17:52:57 CST 2023
pZxid = 0x3b
cversion = 3
dataVersion = 1
aclVersion = 6
ephemeralOwner = 0x0
dataLength = 8
numChildren = 1
# Modifying the data of /wusp is denied
[zk: localhost:2181(CONNECTED) 39] set /wusp data1
Authentication is not valid : /wusp
# The data of /wusp/child is modified successfully
[zk: localhost:2181(CONNECTED) 40] set /wusp/child data2
cZxid = 0x3b
ctime = Wed May 17 21:13:06 CST 2023
mZxid = 0x3f
mtime = Wed May 17 21:20:37 CST 2023
pZxid = 0x3b
cversion = 0
dataVersion = 1
aclVersion = 0
ephemeralOwner = 0x0
dataLength = 5
numChildren = 0

admin permission

# Remove the admin permission
[zk: localhost:2181(CONNECTED) 41] setAcl /wusp world:anyone:cdrw
cZxid = 0x4
ctime = Sun May 14 17:33:09 CST 2023
mZxid = 0x5
mtime = Sun May 14 17:52:57 CST 2023
pZxid = 0x3b
cversion = 3
dataVersion = 1
aclVersion = 7
ephemeralOwner = 0x0
dataLength = 8
numChildren = 1
# Modifying the ACL is now denied.
# Open question: once the admin permission has been removed, how do you add it back?
[zk: localhost:2181(CONNECTED) 42] setAcl /wusp world:anyone:cdrwa
Authentication is not valid : /wusp
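The sessions above all follow one rule: create and delete are checked against the parent node's ACL, read, write and admin against the node's own ACL, and nothing is inherited. The following toy model is an added example (not ZooKeeper's code) that reproduces those decisions for world:anyone ACLs; the znode states it uses are constructed from the sections above.

```python
"""Toy model of how ZooKeeper checks world:anyone ACLs on a znode tree.

Added example, not ZooKeeper's own code. It reproduces what the zkCli
sessions above show: c and d are checked on the *parent* of the node being
created or deleted, r, w and a on the node itself, and nothing is inherited
from parent to child.
"""
from typing import Dict

# Permission bits, matching org.apache.zookeeper.ZooDefs.Perms
PERMS = {"r": 1, "w": 2, "c": 4, "d": 8, "a": 16}


def parse_perms(spec: str) -> int:
    """Turn a setAcl permission string such as 'cdrwa' into a bitmask."""
    return sum(PERMS[ch] for ch in spec)


def parent_of(path: str) -> str:
    """Parent znode of an absolute path ('/wusp/child' -> '/wusp')."""
    return path.rsplit("/", 1)[0] or "/"


def is_allowed(acls: Dict[str, str], path: str, op: str) -> bool:
    """Decide whether zkCli would accept `op` on `path`.

    `acls` maps znode path -> world:anyone permission string (constructed
    state). Returns False where the CLI prints 'Authentication is not valid'.
    Exactly one node's ACL is consulted per operation.
    """
    checks = {
        "create": ("c", parent_of(path)),   # create needs c on the parent
        "delete": ("d", parent_of(path)),   # delete needs d on the parent
        "get":    ("r", path),              # get needs r on the node
        "set":    ("w", path),              # set needs w on the node
        "setAcl": ("a", path),              # setAcl needs a on the node
    }
    needed, node = checks[op]
    return bool(parse_perms(acls[node]) & PERMS[needed])


def replay_read_section() -> Dict[str, bool]:
    """State from the read-permission section: /wusp lost r, child kept cdrwa."""
    acls = {"/wusp": "cdwa", "/wusp/child": "cdrwa"}
    return {
        "get /wusp": is_allowed(acls, "/wusp", "get"),
        "get /wusp/child": is_allowed(acls, "/wusp/child", "get"),
        "delete /wusp/child": is_allowed(acls, "/wusp/child", "delete"),
        "setAcl /wusp": is_allowed(acls, "/wusp", "setAcl"),
    }
```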

ACL commands

  • getAcl: get the ACL of the given node
  • setAcl: set the ACL of the given node
  • addauth: supply authentication credentials; the password is typed in plaintext when registering and is stored in digested form
# Create the /acl node
[zk: localhost:2181(CONNECTED) 3] create /acl data
Created /acl
# The default ACL is world:anyone:cdrwa
[zk: localhost:2181(CONNECTED) 4] getAcl /acl
'world,'anyone
: cdrwa

What is the difference between the auth and digest schemes?

Summary (read the session below first, then come back to this summary):

auth sets the authorization information in plaintext, but the user must be registered (addauth) first.
digest sets the authorization information as a digest and does not require registering the user first.

# Set the ACL of path=/acl: this fails because user user1 has not been registered
[zk: localhost:2181(CONNECTED) 6] setAcl /acl auth:user1:123456:crwa
Acl is not valid : /acl

# Register use1 with addauth digest. Note: this should be user1, but it was mistyped as use1 when typing the command; this does not affect what follows
[zk: localhost:2181(CONNECTED) 7] addauth digest use1 123456

# Set the ACL using scheme=auth
[zk: localhost:2181(CONNECTED) 8] setAcl /acl auth:use1:123456:crwa
cZxid = 0x4c
ctime = Thu May 18 14:58:06 CST 2023
mZxid = 0x4c
mtime = Thu May 18 14:58:06 CST 2023
pZxid = 0x4c
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 4
numChildren = 0
# The ACL was set in plaintext with scheme=auth, but it is displayed in digest form
[zk: localhost:2181(CONNECTED) 9] getAcl /acl
'digest,'use1:Bw00EEOEYvTk9+7ckGoBdAICO4Q=
: crwa
# path=/acl/child created successfully
[zk: localhost:2181(CONNECTED) 10] create /acl/child data
Created /acl/child
# Quit the client
[zk: localhost:2181(CONNECTED) 11] quit
# Log back in to zkCli and run ls /
ls /
[zookeeper, acl, persistent, wusp]
# getAcl /acl
[zk: localhost:2181(CONNECTED) 1] getAcl /acl
'digest,'use1:Bw00EEOEYvTk9+7ckGoBdAICO4Q=
: crwa
# set /acl data1 is denied
[zk: localhost:2181(CONNECTED) 2] set /acl data1
Authentication is not valid : /acl
# create /acl/child2 is denied
[zk: localhost:2181(CONNECTED) 4] create /acl/child2 data
Authentication is not valid : /acl/child2
# The credentials are wrong, yet there is no feedback at all, which is rather annoying
[zk: localhost:2181(CONNECTED) 5] addauth use1 12345
# Authenticated correctly
[zk: localhost:2181(CONNECTED) 10] addauth digest use1 123456
# Child nodes can now be created
[zk: localhost:2181(CONNECTED) 11] create /acl/child2 data
Created /acl/child2
# The node's data can now be modified
[zk: localhost:2181(CONNECTED) 12] set /acl data1
cZxid = 0x4c
ctime = Thu May 18 14:58:06 CST 2023
mZxid = 0x59
mtime = Thu May 18 15:15:51 CST 2023
pZxid = 0x58
cversion = 2
dataVersion = 1
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 5
numChildren = 2
# Create path=/aclDigest
[zk: localhost:2181(CONNECTED) 5] create /aclDigest data
Created /aclDigest
# Get the ACL of path=/aclDigest
[zk: localhost:2181(CONNECTED) 6] getAcl /aclDigest
'world,'anyone
: cdrwa
# Set the ACL with scheme=digest. This succeeds without authenticating first, unlike scheme=auth, but the digest must be generated beforehand; how to do that is shown below
[zk: localhost:2181(CONNECTED) 7] setAcl /aclDigest digest:user3:SzpfOOuDCdri8p4n7oIaFCZpXeE=:cdrwa
cZxid = 0x71
ctime = Thu May 18 15:45:11 CST 2023
mZxid = 0x71
mtime = Thu May 18 15:45:11 CST 2023
pZxid = 0x71
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 4
numChildren = 0
# Check the ACL of path=/aclDigest: the change succeeded
[zk: localhost:2181(CONNECTED) 8] getAcl /aclDigest
'digest,'user3:SzpfOOuDCdri8p4n7oIaFCZpXeE=
: cdrwa
# Creating path=/aclDigest/child is denied
[zk: localhost:2181(CONNECTED) 9] create /aclDigest/child data
Authentication is not valid : /aclDigest/child
# Supply the credentials
[zk: localhost:2181(CONNECTED) 4] addauth digest user3:123456
# path=/aclDigest/child created successfully
[zk: localhost:2181(CONNECTED) 5] create /aclDigest/child data
Created /aclDigest/child

How to generate the digest for the digest scheme (Linux)

java -Djava.ext.dirs=${zkDir}/lib -cp  ${zkDir}/zookeeper-3.4.12.jar  org.apache.zookeeper.server.auth.DigestAuthenticationProvider ${user}:${passwd}
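The Java command above runs DigestAuthenticationProvider on the string ${user}:${passwd}: it takes SHA-1 over that whole `user:password` string, Base64-encodes it, and prefixes the user name. The following is an added example (not ZooKeeper's code) that does the same offline in Python, so an operator can prepare a digest id or check which credential an existing getAcl entry trusts; the assumed input user3:123456 is the one used in the session above.

```python
"""Generate and verify ZooKeeper digest-scheme ids without the Java command.

Added example, not ZooKeeper's own code. It mirrors what
DigestAuthenticationProvider does with ${user}:${passwd}: SHA-1 over the
whole 'user:password' string, Base64-encoded and prefixed with the user name.
"""
import base64
import hashlib


def generate_digest(id_password: str) -> str:
    """Return 'user:BASE64(SHA1(user:password))', the id used in digest:<id>:<perms>."""
    user = id_password.split(":", 1)[0]
    digest = hashlib.sha1(id_password.encode("utf-8")).digest()
    return f"{user}:{base64.b64encode(digest).decode('ascii')}"


def set_acl_argument(id_password: str, perms: str) -> str:
    """Build the argument for 'setAcl <path> digest:<id>:<perms>'."""
    return f"digest:{generate_digest(id_password)}:{perms}"


def matches_acl_entry(getacl_line: str, id_password: str) -> bool:
    """Check whether a getAcl line such as "'digest,'user3:Szpf...=" was
    produced from the given user:password, e.g. when auditing which
    credential a node's ACL actually trusts."""
    scheme, _, acl_id = getacl_line.lstrip("'").partition(",'")
    return scheme == "digest" and acl_id == generate_digest(id_password)
```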


# The ip scheme is straightforward
setAcl ${path} ip:${ip}:cdrwa