ZooKeeper is often used as a configuration management service. Because configuration data has high security requirements, it needs permission control: a client must authenticate before it can operate on a znode (view data, modify data, create child znodes, etc.). In ZooKeeper, permissions are attached to the znodes themselves.
1. Simple client authentication. The zkCli.sh commands are as follows:
[zk: localhost:2181(CONNECTED)] ls /tom
Authentication is not valid : /tom
# after adding authentication, view znode /tom
[zk: localhost:2181(CONNECTED)] addauth digest tom:tom
[zk: localhost:2181(CONNECTED)] ls /tom
[]
2. Authentication schemes provided by ZooKeeper
ZooKeeper's permission control is at the znode level and is not inherited: permissions set on a parent node do not apply to its children, and child nodes do not inherit the parent node's permissions.
world: has a single id, anyone, which represents any user.
auth: does not use any id; it represents any authenticated user (the authenticated identity that created the znode gets the rights).
digest: uses a username:password string to generate an MD5 hash that is used as the ACL identifier (id). Authentication is done by sending the username:password string directly.
ip: uses the client host's IP address as the ACL identifier. The ACL expression is written in the form addr/bits; the ZooKeeper server matches the leading bits of the client address against addr to verify permissions.
3. The auth authentication scheme
perm: all, id: ("auth", ""), i.e. the creator has the access rights.
Create /auth with data "auth", using the auth scheme with read and write permission:
[zk: localhost:2181(CONNECTED) 37] create /auth auth auth::rw
Created /auth
Viewing the access control list of /auth shows that it is accessible through the digest scheme to the user authenticated with username/password tom:tom; the auth scheme itself does not restrict the id, it is resolved to the creator's identity.
[zk: localhost:2181(CONNECTED)] getAcl /auth
'digest,'tom:gcsmsia2mmdw+zdsjkav8gcnrpi=
: rw
Successful authentication:
[zk: localhost:2181(CONNECTED) 0] ls /auth
Authentication is not valid : /auth
[zk: localhost:2181(CONNECTED) 1] addauth digest tom:tom
[zk: localhost:2181(CONNECTED) 2] ls /auth
[]
Failed authentication:
[zk: localhost:2181(CONNECTED) 2] addauth digest supper:admin
[zk: localhost:2181(CONNECTED) 3] ls /auth
Authentication is not valid : /aut
4. Creating a znode with zkCli.sh and setting its ACL
4.1 Creating a znode with an ACL
Figure 1 - user/password supper/admin creates /supper (image: zk-acl-supper.png)
Figure 2 - user/password tom/tom creates /tom (image: zk-acl-tom.png)
Figure 3 - viewing the ACLs of /supper and /tom (image: zk-getacl.png)
4.2 Use the following command to generate the digest of a username and password:
java -cp $ZK_CLASSPATH org.apache.zookeeper.server.auth.DigestAuthenticationProvider amy:secret
....
amy:secret->amy:iq0onhjzb4kyxpap8ywoic8zzwy=
Note: when starting the ZooKeeper service, specify
-Dzookeeper.DigestAuthenticationProvider.superDigest=super:<base64encoded(SHA1(password))>
to enable the super user. A client that authenticates as super:<password> is then not restricted by any ACL.
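As an added example (not code from the original post), here is a stand-alone Python re-implementation of what the DigestAuthenticationProvider command above does: the digest id is base64(SHA1("user:password")), and the server compares the clear-text credentials sent with addauth / addAuthInfo against that stored id. The function names are my own; the property name zookeeper.DigestAuthenticationProvider.superDigest is the real one from the note above.

```python
import base64
import hashlib
import hmac


def sha1_b64(data: str) -> str:
    """base64(SHA1(data)), the primitive behind ZooKeeper's DigestAuthenticationProvider."""
    return base64.b64encode(hashlib.sha1(data.encode("utf-8")).digest()).decode("ascii")


def generate_digest(id_password: str) -> str:
    """Turn "user:password" into the "user:digest" id stored in a digest ACL.
    The hash covers the whole "user:password" string; the user name is everything
    before the first ':' (so a password may itself contain ':')."""
    user, sep, _ = id_password.partition(":")
    if not sep:
        raise ValueError("expected user:password")
    return f"{user}:{sha1_b64(id_password)}"


def digest_acl_expr(id_password: str, perms: str) -> str:
    """Build the zkCli setAcl argument for a digest ACL: digest:<user>:<digest>:<perms>."""
    return f"digest:{generate_digest(id_password)}:{perms}"


def super_digest_option(password: str) -> str:
    """JVM option from the note above; the super user's name is fixed to "super"."""
    return "-Dzookeeper.DigestAuthenticationProvider.superDigest=" + generate_digest(f"super:{password}")


def credentials_match(acl_id: str, id_password: str) -> bool:
    """Server-side check: hash the clear-text credentials the client sent and compare them
    to the id stored in the ACL (constant-time compare, so timing does not leak the mismatch)."""
    return hmac.compare_digest(generate_digest(id_password), acl_id)


if __name__ == "__main__":
    tom = generate_digest("tom:tom")          # the id that getAcl /tom would print
    print("setAcl /tom", digest_acl_expr("tom:tom", "rw"))
    print("tom:tom matches:", credentials_match(tom, "tom:tom"))            # True
    print("supper:admin matches:", credentials_match(tom, "supper:admin"))  # False
```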
5. Client authentication
5.1 Verifying supper/admin
import org.apache.zookeeper.WatchedEvent;
import org.apache.zookeeper.Watcher;
import org.apache.zookeeper.ZooKeeper;
import org.apache.zookeeper.data.Stat;

ZooKeeper zooKeeper1 = new ZooKeeper("192.168.88.153:2181", 10000, new Watcher() {
    @Override
    public void process(WatchedEvent event) {
        System.out.println(event);
    }
});
// zooKeeper1.addAuthInfo("digest", "supper:admin".getBytes());  // scheme name is lower-case "digest"
Stat stat = new Stat();
byte[] supperData = zooKeeper1.getData("/supper", true, stat);    // read (r) the znode /supper
System.out.println(new String(supperData) + "," + stat);
Running the above code to read (r) the znode /supper fails without authentication (image: zk-noauth.png).
After uncommenting the line that adds the authentication information to the client, the output is:
0,8589940093,8589940093,1439970090902,1439970090902,0,0,0,0,1,0,8589940093
The data is 0, which matches the value set in Figure 1 of section 4.
5.2 Verifying tom/tom
ZooKeeper zooKeeper2 = new ZooKeeper("192.168.88.153:2181", 10000, new Watcher() {
    @Override
    public void process(WatchedEvent event) {
        System.out.println(event);
    }
});
zooKeeper2.addAuthInfo("digest", "tom:tom".getBytes());  // clear-text credentials, hashed on the server side
stat = new Stat();
byte[] tomData = zooKeeper2.getData("/tom", true, stat);
System.out.println(new String(tomData) + "," + stat);
The result is the same as in 5.1.
Connecting, authenticating and reading through the zkCli.sh client (image: zk-tom-client.png).
6. Verifying ACLs with zkCli.sh (image: zk-admin.png)
The permissions provided by ZooKeeper:
Permission | Description                                                  | Shorthand in setAcl
-----------|--------------------------------------------------------------|--------------------
write      | ability to set the value of the znode                        | w
read       | ability to read the value of the znode and list its children | r
create     | ability to create child znodes                               | c
delete     | ability to delete child znodes                               | d
admin      | ability to execute setAcl to set the access control list     | a
all        | all permissions                                              | wrcda
7. Notes:
7.1 The ACL format used by zkCli.sh is scheme:id:perm, where perm is a concatenation of the shorthand letters, e.g. read-write permission is rw, similar to Linux file-system permissions. Some versions may use READ|WRITE instead, so pay attention to the command-line prompt.
7.2 When an ACL is set through zkCli.sh with the digest scheme, the id must be the digest (ciphertext); see 4.2 for how to generate it.
7.3 When authentication is added through the ZooKeeper client API, the auth data for the digest scheme is clear text; see 5.1.
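An added Python example (not from the original post) that ties together the scheme list in section 2, the permission table in section 6 and the scheme:id:perm format in 7.1: it parses zkCli ACL expressions into the server's permission bitmask and evaluates whether a session identity would be granted an operation, including the addr/bits matching of the ip scheme. The bit values are those of ZooKeeper's ZooDefs.Perms; the function names and sample ids are my own.

```python
import ipaddress

# Bits from ZooDefs.Perms keyed by the setAcl shorthand letters of the table in section 6:
# READ=1, WRITE=2, CREATE=4, DELETE=8, ADMIN=16; ALL = 31 = "wrcda".
PERM_BITS = {"r": 1, "w": 2, "c": 4, "d": 8, "a": 16}
ALL_PERMS = 31


def parse_perms(shorthand: str) -> int:
    """Turn a zkCli shorthand such as "rw" or "wrcda" into the server-side bitmask."""
    bits = 0
    for ch in shorthand.lower():
        if ch not in PERM_BITS:
            raise ValueError(f"unknown permission letter {ch!r}")
        bits |= PERM_BITS[ch]
    return bits


def parse_acl(expr: str) -> tuple:
    """Split a zkCli ACL "scheme:id:perms". A digest id is itself "user:hash", so the
    scheme is taken from the left end and the perms from the right end."""
    scheme, _, rest = expr.partition(":")
    ident, sep, perms = rest.rpartition(":")
    if scheme not in ("world", "auth", "digest", "ip") or not sep:
        raise ValueError(f"malformed ACL expression: {expr!r}")
    return scheme, ident, parse_perms(perms)


def ip_matches(acl_addr: str, client_ip: str) -> bool:
    """ip scheme: "addr/bits" matches when the leading bits of the client address equal addr's;
    a bare address without /bits is a full-address match (ip_network defaults to /32)."""
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(acl_addr, strict=False)


def acl_allows(acl_exprs, client_scheme, client_id, perm_letter: str) -> bool:
    """Would a session authenticated as client_scheme/client_id be granted the one permission
    an operation needs (e.g. "r" for getData) by this ACL list? "auth" entries never show up
    here: the server resolves them at create time into the creator's digest id, which is what
    getAcl /auth printed in section 3."""
    needed = parse_perms(perm_letter)
    for expr in acl_exprs:
        scheme, ident, perms = parse_acl(expr)
        if perms & needed == 0:
            continue  # this entry does not grant the permission, whoever it is for
        if scheme == "world" and ident == "anyone":
            return True
        if scheme == "digest" and client_scheme == "digest" and ident == client_id:
            return True
        if scheme == "ip" and client_scheme == "ip" and ip_matches(ident, client_id):
            return True
    return False
```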
8. Extending ZooKeeper authentication
Implement the AuthenticationProvider interface to provide a custom authentication scheme:
org.apache.zookeeper.server.auth.AuthenticationProvider
For example, if the custom AuthenticationProvider implementation class is secondriver.MyProvider, it can be registered with ZooKeeper's authentication system in two ways.
The first: when starting the ZooKeeper service, pass -Dzookeeper.authProvider.X=secondriver.MyProvider
The second: add the following to the configuration file (zoo.cfg):
zookeeper.authProvider.1=secondriver.MyProvider
Note: X above is a number used to distinguish between different AuthenticationProvider implementations.
This article is from the "Red Horse Red" blog; please keep this source: http://aiilive.blog.51cto.com/1925756/1686132
Znode control using the Zookeeper ACL feature