Using the Java API to manipulate ACL permissions for zookeeper

Source: Internet
Author: User
Tags zookeeper

Default Anonymous permissions

The zookeeper provides several authentication modes (scheme) as follows:

    • Digest:client driven by user name and password authentication, such as User:password,digest's password generation method is the Base64 form of the SHA1 Digest
    • Auth: Do not use any ID, on behalf of any confirmed users.
    • ip:client driven by IP address verification, e.g. 172.2.0.0/24
    • World: Fixed user for anyone, open permissions for all client side
    • Super: In this scheme case, the corresponding ID has super privilege and can do anything (Cdrwa)

Note that exists operations and GETACL operations are not controlled by ACL permissions, so any client can query the state of the node and the ACL of the node.

The permissions for a node (perms) are mainly as follows:

    • Create allows child node create operation
    • Read allows GetChildren and GetData operations on this node
    • Write allows SetData operations on this node
    • Delete allows child node delete operations
    • Admin allows setacl operation on this node

The Znode ACL permission is represented by a decimal number of type int perms, perms 5 bits represent SetACL, delete, create, write, read, respectively. such as 0x1f=adcwr,0x1=----r,0x15=a-c-r.

The following example creates a node with the default anonymous permission assigned to the node, the permission bit is ADCWR, and a decimal number means 3
1, and hexadecimal is 0x1f. The code is as follows:

Package Org.zero01.zk.demo;import Org.apache.zookeeper.*;import Org.apache.zookeeper.data.acl;import Org.apache.zookeeper.data.stat;import java.util.list;/** * @program: Zookeeper-connection * @description: Zookeeper Operation node ACL permissions demo * @author: 09:20 * @create: 2018-04-27 **/public class Zknodeacl implements Watcher {//cluster mode is multiple IP p    Rivate static final String zkserverips = "192.168.190.128:2181,192.168.190.129:2181,192.168.190.130:2181";    Timeout period private static final Integer timeout = 5000;    private static ZooKeeper ZooKeeper;    private static stat stat; Watch event notification method public void process (Watchedevent watchedevent) {} public static void Main (string[] args) throws E        xception {zooKeeper = new ZooKeeper (zkserverips, timeout, new Zknodeacl ()); This creates a node that is the default anonymous permission: ZooDefs.Ids.OPEN_ACL_UNSAFE String result = Zookeeper.create ("/testaclnode", "Test data". GetByte        S (), ZooDefs.Ids.OPEN_ACL_UNSAFE, createmode.persistent);     Thread.Sleep (1000);   Gets the ACL permission information for the node list<acl> acllist = Zookeeper.getacl ("/testaclnode", stat);            for (ACL acl:acllist) {System.out.println ("Privilege Scheme ID:" + acl.getid ());        Gets the decimal int type number SYSTEM.OUT.PRINTLN ("Permission bit:" + acl.getperms ());    }//Avoid connection with the server immediately disconnect Thread.Sleep (1000); }}

The console output reads as follows:

权限scheme id:‘world,‘anyone权限位:31

The permissions that zoodefs.ids can use directly are as follows:

ZooDefs.Ids.OPEN_ACL_UNSAFE   // 默认匿名权限,权限scheme id:‘world,‘anyone,权限位:31(adcwr)ZooDefs.Ids.READ_ACL_UNSAFE  // 只读权限,权限scheme id:‘world,‘anyone,权限位:1(r)
Customizing user Permissions

This section describes how to customize user permissions, which are shown here using digest, because digest is most commonly used at work. We all know that digest is set using ciphertext, so we need to customize a tool class to encrypt the plaintext password to get the ciphertext password. The code is as follows:

package org.zero01.zk.util;import org.apache.zookeeper.server.auth.DigestAuthenticationProvider;public class AclUtils {    public static String getDigestUserPwd(String id) throws Exception {        // 加密明文密码        return DigestAuthenticationProvider.generateDigest(id);    }}

Then modify the code for the Zknodeacl class as follows:

Package Org.zero01.zk.demo;import Org.apache.zookeeper.*;import Org.apache.zookeeper.data.acl;import Org.apache.zookeeper.data.id;import Org.apache.zookeeper.data.stat;import Org.zero01.zk.util.aclutils;import Java.util.arraylist;import java.util.list;/** * @program: Zookeeper-connection * @description: Zookeeper operation node ACL permissions demo * @ AUTHOR:01 * @create: 2018-04-27 09:20 **/public class Zknodeacl implements Watcher {//cluster mode is multiple IP private static f    inal String zkserverips = "192.168.190.128:2181,192.168.190.129:2181,192.168.190.130:2181";    Timeout period private static final Integer timeout = 5000;    private static ZooKeeper ZooKeeper;    private static stat stat;        public void process (Watchedevent watchedevent) {} public static void Main (string[] args) throws Exception {        ZooKeeper = new ZooKeeper (zkserverips, timeout, new Zknodeacl ());  Custom user authentication Access List<acl> ACLS = new arraylist<acl> (); Permission list//The first parameter is the permission scheme, the second parameter is the encrypted user name and password Id User1 = new Id ("Digest", Aclutils.getdigestuserpwd ("user1:123456a"));        ID user2 = new ID ("Digest", Aclutils.getdigestuserpwd ("user2:123456b"));  Acls.add (New ACL (ZooDefs.Perms.ALL, user1));  Give all Permissions Acls.add (new ACL (ZooDefs.Perms.READ, user2)); Give only Read permission Acls.add (new ACL (ZooDefs.Perms.DELETE |  ZooDefs.Perms.CREATE, User2)); How to give multiple permissions, using | Bitwise operator//Use a custom permission list to create a node String result = Zookeeper.create ("/testdigestnode", "Test Data". GetBytes (), ACLs, Cr        Eatemode.persistent);        if (result! = null) {System.out.println ("Create node: \ t" + result + "\ T succeeds ...");        } thread.sleep (1000);        Gets the ACL permission information for the node list<acl> acllist = Zookeeper.getacl ("/testdigestnode", stat);            for (ACL acl:acllist) {System.out.println ("\ n-----------------------\ n");            SYSTEM.OUT.PRINTLN ("Privilege Scheme ID:" + acl.getid ());        System.out.println ("Permission bit:" + acl.getperms ());    } thread.sleep (1000); }} 

The console output information is as follows:

创建节点:   /testDigestNode 成功...-----------------------权限scheme id:‘digest,‘user1:TQYTqd46qVVbWpOd02tLO5qb+JM=权限位:31-----------------------权限scheme id:‘digest,‘user2:CV4ED0rE6SxA3h/DN/WyScDMbCs=权限位:1-----------------------权限scheme id:‘digest,‘user2:CV4ED0rE6SxA3h/DN/WyScDMbCs=权限位:12

We can see if the ACL information for this node is consistent on the server:

If we need to operate a node that has digest permissions set, then we need to log in to the user for the appropriate permissions. This is also the case with the code, where we need to add the user information (account: plaintext password) through Addauthinfo to be able to manipulate the node with its permissions. The following example shows how to use Addauthinfo to add user information and manipulate the corresponding node, and modify the code for the Main method as follows:

...public class ZKNodeAcl implements Watcher {    ...    public static void main(String[] args) throws Exception {        zooKeeper = new ZooKeeper(zkServerIps, timeout, new ZKNodeAcl());        // 注册过的用户必须通过addAuthInfo才能操作节点,参考命令行 addauth        zooKeeper.addAuthInfo("digest", "user1:123456a".getBytes());        String result = zooKeeper.create("/testDigestNode/testOneNode", "test data".getBytes(), ZooDefs.Ids.CREATOR_ALL_ACL, CreateMode.PERSISTENT);        if (result != null) {            System.out.println("创建子节点:\t" + result + "\t成功...");        }        // 获取节点数据        byte[] data = zooKeeper.getData("/testDigestNode/testOneNode", false, stat);        System.out.println(new String(data));        // 设置节点数据        zooKeeper.setData("/testDigestNode/testOneNode", "new test data".getBytes(), 0);        Thread.sleep(1000);    }}

The console output information is as follows:

创建子节点:  /testDigestNode/testOneNode 成功...test data
IP rights

We have briefly demonstrated the default anonymous permissions and the custom digest permissions, and the following is a simple demonstration of how to set the IP permissions. Modify the Main method code in the Zknodeacl class as follows:

... public class Zknodeacl implements watcher {... public static void main (string[] args) throws Exception {        ZooKeeper = new ZooKeeper (zkserverips, timeout, new Zknodeacl ());  ACL for IP mode list<acl> aclsip = new arraylist<acl> ();        The permission list//first parameter is the permission scheme, the second parameter is the IP address ID ipId1 = new ID ("IP", "192.168.190.1");  Aclsip.add (New ACL (ZooDefs.Perms.ALL, ipId1)); Give all permissions//Use a custom list of permissions to create a node String result = Zookeeper.create ("/testipnode", "This is test IP node data". Get        Bytes (), Aclsip, createmode.persistent);        if (result! = null) {System.out.println ("Create node: \ t" + result + "\ T succeeds ...");        } thread.sleep (1000);        Gets the ACL permission information for the node list<acl> acllist = Zookeeper.getacl (result, stat);            for (ACL acl:acllist) {System.out.println ("\ n-----------------------\ n");            SYSTEM.OUT.PRINTLN ("Privilege Scheme ID:" + acl.getid ()); System.out.println ("Permission bit:" + ACL.GETPERMS ());        } thread.sleep (1000);        Get node data, verify IP has permissions byte[] data = Zookeeper.getdata ("/testipnode", false, stat);        System.out.println ("\ n-----------------------\ n");    SYSTEM.OUT.PRINTLN (Result + node Current data is: "+ new String"); }}

The console output information is as follows:

创建节点:   /testIpNode 成功...-----------------------权限scheme id:‘ip,‘192.168.190.1权限位:31-----------------------/testIpNode 节点当前的数据为:this is test ip node data

Using the Java API to manipulate ACL permissions for zookeeper

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.