Zookeeper 中的ACL

来源：互联网发布：犀牛软件界面编辑：程序博客网时间：2024/06/16 15:58

1. 概述
传统的文件系统中，ACL分为两个维度，一个是属组，一个是权限，子目录/文件默认继承父目录的ACL。而在Zookeeper中，node的ACL是没有继承关系的，是独立控制的。Zookeeper的ACL，可以从三个维度来理解：一是scheme; 二是user; 三是permission，通常表示为scheme:id:permissions, 下面从这三个方面分别来介绍：
（1）scheme: scheme对应于采用哪种方案来进行权限管理，zookeeper实现了一个pluggable的ACL方案，可以通过扩展scheme，来扩展ACL的机制。zookeeper-3.4.4缺省支持下面几种scheme:
- world: 它下面只有一个id, 叫anyone, world:anyone代表任何人，zookeeper中对所有人有权限的结点就是属于world:anyone的
- auth: 它不需要id, 只要是通过authentication的user都有权限（zookeeper支持通过kerberos来进行authencation, 也支持username/password形式的authentication)
- digest: 它对应的id为username:BASE64(SHA1(password))，它需要先通过username:password形式的authentication
- ip: 它对应的id为客户机的IP地址，设置的时候可以设置一个ip段，比如ip:192.168.1.0/16, 表示匹配前16个bit的IP段
- super: 在这种scheme情况下，对应的id拥有超级权限，可以做任何事情(cdrwa)
另外，zookeeper-3.4.4的代码中还提供了对sasl的支持，不过缺省是没有开启的，需要配置才能启用，具体怎么配置在下文中介绍。
- sasl: sasl的对应的id，是一个通过sasl authentication用户的id，zookeeper-3.4.4中的sasl authentication是通过kerberos来实现的，也就是说用户只有通过了kerberos认证，才能访问它有权限的node.
（2）id: id与scheme是紧密相关的，具体的情况在上面介绍scheme的过程都已介绍，这里不再赘述。
（3）permission: zookeeper目前支持下面一些权限：
- CREATE(c): 创建权限，可以在在当前node下创建child node
- DELETE(d): 删除权限，可以删除当前的node
- READ(r): 读权限，可以获取当前node的数据，可以list当前node所有的child nodes
- WRITE(w): 写权限，可以向当前node写数据
- ADMIN(a): 管理权限，可以设置当前node的permission
2. 实现
如前所述，在zookeeper中提供了一种pluggable的ACL机制。具体来说就是每种scheme对应于一种ACL机制，可以通过扩展scheme来扩展ACL的机制。在具体的实现中，每种scheme对应一种AuthenticationProvider。每种AuthenticationProvider实现了当前机制下authentication的检查，通过了authentication的检查，然后再进行统一的permission检查，如此便实现了ACL。所有的AuthenticationProvider都注册在ProviderRegistry中，新扩展的AuthenticationProvider可以通过配置注册到ProviderRegistry中去。下面是实施检查的具体实现：

import java.util.ArrayList;import java.util.List;import java.util.concurrent.CountDownLatch;import java.util.concurrent.atomic.AtomicInteger;import org.apache.zookeeper.CreateMode;import org.apache.zookeeper.WatchedEvent;import org.apache.zookeeper.Watcher;import org.apache.zookeeper.Watcher.Event.EventType;import org.apache.zookeeper.Watcher.Event.KeeperState;import org.apache.zookeeper.ZooDefs.Ids;import org.apache.zookeeper.ZooKeeper;import org.apache.zookeeper.data.ACL;import org.apache.zookeeper.data.Stat;/** * Zookeeper 节点授权 */public class ZookeeperAuth implements Watcher {/** 连接地址 */final static String CONNECT_ADDR = "192.168.80.88:2181";/** 测试路径 */final static String PATH = "/testAuth";final static String PATH_DEL = "/testAuth/delNode";/** 认证类型 */final static String authentication_type = "digest";/** 认证正确方法 */final static String correctAuthentication = "123456";/** 认证错误方法 */final static String badAuthentication = "654321";static ZooKeeper zk = null;/** 计时器 */AtomicInteger seq = new AtomicInteger();/** 标识 */private static final String LOG_PREFIX_OF_MAIN = "【Main】";private CountDownLatch connectedSemaphore = new CountDownLatch(1);@Overridepublic void process(WatchedEvent event) {try {Thread.sleep(200);} catch (InterruptedException e) {e.printStackTrace();}if (event==null) {return;}// 连接状态KeeperState keeperState = event.getState();// 事件类型EventType eventType = event.getType();// 受影响的pathString path = event.getPath();String logPrefix = "【Watcher-" + this.seq.incrementAndGet() + "】";System.out.println(logPrefix + "收到Watcher通知");System.out.println(logPrefix + "连接状态:\t" + keeperState.toString());System.out.println(logPrefix + "事件类型:\t" + eventType.toString());if (KeeperState.SyncConnected == keeperState) {// 成功连接上ZK服务器if (EventType.None == eventType) {System.out.println(logPrefix + "成功连接上ZK服务器");connectedSemaphore.countDown();} } else if (KeeperState.Disconnected == keeperState) {System.out.println(logPrefix + "与ZK服务器断开连接");} else if (KeeperState.AuthFailed == keeperState) {System.out.println(logPrefix + "权限检查失败");} else if (KeeperState.Expired == keeperState) {System.out.println(logPrefix + "会话失效");}System.out.println("--------------------------------------------");}/** * 创建ZK连接 *  * @param connectString *            ZK服务器地址列表 * @param sessionTimeout *            Session超时时间 */public void createConnection(String connectString, int sessionTimeout) {this.releaseConnection();try {zk = new ZooKeeper(connectString, sessionTimeout, this);//添加节点授权zk.addAuthInfo(authentication_type,correctAuthentication.getBytes());System.out.println(LOG_PREFIX_OF_MAIN + "开始连接ZK服务器");//倒数等待connectedSemaphore.await();} catch (Exception e) {e.printStackTrace();}}/** * 关闭ZK连接 */public void releaseConnection() {if (this.zk!=null) {try {this.zk.close();} catch (InterruptedException e) {}}}/** *  * <B>方法名称：</B>测试函数<BR> * <B>概要说明：</B>测试认证<BR> * @param args * @throws Exception */public static void main(String[] args) throws Exception {ZookeeperAuth testAuth = new ZookeeperAuth();testAuth.createConnection(CONNECT_ADDR,2000);List<ACL> acls = new ArrayList<ACL>(1);for (ACL ids_acl : Ids.CREATOR_ALL_ACL) {acls.add(ids_acl);}try {zk.create(PATH, "init content".getBytes(), acls, CreateMode.PERSISTENT);System.out.println("使用授权key：" + correctAuthentication + "创建节点："+ PATH + ", 初始内容是: init content");} catch (Exception e) {e.printStackTrace();}try {zk.create(PATH_DEL, "will be deleted! ".getBytes(), acls, CreateMode.PERSISTENT);System.out.println("使用授权key：" + correctAuthentication + "创建节点："+ PATH_DEL + ", 初始内容是: init content");} catch (Exception e) {e.printStackTrace();}// 获取数据getDataByNoAuthentication();getDataByBadAuthentication();getDataByCorrectAuthentication();// 更新数据updateDataByNoAuthentication();updateDataByBadAuthentication();updateDataByCorrectAuthentication();// 删除数据deleteNodeByBadAuthentication();deleteNodeByNoAuthentication();deleteNodeByCorrectAuthentication();//Thread.sleep(1000);deleteParent();//释放连接testAuth.releaseConnection();}/** 获取数据：采用错误的密码 */static void getDataByBadAuthentication() {String prefix = "[使用错误的授权信息]";try {ZooKeeper badzk = new ZooKeeper(CONNECT_ADDR, 2000, null);//授权badzk.addAuthInfo(authentication_type,badAuthentication.getBytes());Thread.sleep(2000);System.out.println(prefix + "获取数据：" + PATH);System.out.println(prefix + "成功获取数据：" + badzk.getData(PATH, false, null));} catch (Exception e) {System.err.println(prefix + "获取数据失败，原因：" + e.getMessage());}}/** 获取数据：不采用密码 */static void getDataByNoAuthentication() {String prefix = "[不使用任何授权信息]";try {System.out.println(prefix + "获取数据：" + PATH);ZooKeeper nozk = new ZooKeeper(CONNECT_ADDR, 2000, null);Thread.sleep(2000);System.out.println(prefix + "成功获取数据：" + nozk.getData(PATH, false, null));} catch (Exception e) {System.err.println(prefix + "获取数据失败，原因：" + e.getMessage());}}/** 采用正确的密码 */static void getDataByCorrectAuthentication() {String prefix = "[使用正确的授权信息]";try {System.out.println(prefix + "获取数据：" + PATH);System.out.println(prefix + "成功获取数据：" + zk.getData(PATH, false, null));} catch (Exception e) {System.out.println(prefix + "获取数据失败，原因：" + e.getMessage());}}/** * 更新数据：不采用密码 */static void updateDataByNoAuthentication() {String prefix = "[不使用任何授权信息]";System.out.println(prefix + "更新数据： " + PATH);try {ZooKeeper nozk = new ZooKeeper(CONNECT_ADDR, 2000, null);Thread.sleep(2000);Stat stat = nozk.exists(PATH, false);if (stat!=null) {nozk.setData(PATH, prefix.getBytes(), -1);System.out.println(prefix + "更新成功");}} catch (Exception e) {System.err.println(prefix + "更新失败，原因是：" + e.getMessage());}}/** * 更新数据：采用错误的密码 */static void updateDataByBadAuthentication() {String prefix = "[使用错误的授权信息]";System.out.println(prefix + "更新数据：" + PATH);try {ZooKeeper badzk = new ZooKeeper(CONNECT_ADDR, 2000, null);//授权badzk.addAuthInfo(authentication_type,badAuthentication.getBytes());Thread.sleep(2000);Stat stat = badzk.exists(PATH, false);if (stat!=null) {badzk.setData(PATH, prefix.getBytes(), -1);System.out.println(prefix + "更新成功");}} catch (Exception e) {System.err.println(prefix + "更新失败，原因是：" + e.getMessage());}}/** * 更新数据：采用正确的密码 */static void updateDataByCorrectAuthentication() {String prefix = "[使用正确的授权信息]";System.out.println(prefix + "更新数据：" + PATH);try {Stat stat = zk.exists(PATH, false);if (stat!=null) {zk.setData(PATH, prefix.getBytes(), -1);System.out.println(prefix + "更新成功");}} catch (Exception e) {System.err.println(prefix + "更新失败，原因是：" + e.getMessage());}}/** * 不使用密码 删除节点 */static void deleteNodeByNoAuthentication() throws Exception {String prefix = "[不使用任何授权信息]";try {System.out.println(prefix + "删除节点：" + PATH_DEL);ZooKeeper nozk = new ZooKeeper(CONNECT_ADDR, 2000, null);Thread.sleep(2000);Stat stat = nozk.exists(PATH_DEL, false);if (stat!=null) {nozk.delete(PATH_DEL,-1);System.out.println(prefix + "删除成功");}} catch (Exception e) {System.err.println(prefix + "删除失败，原因是：" + e.getMessage());}}/** * 采用错误的密码删除节点 */static void deleteNodeByBadAuthentication() throws Exception {String prefix = "[使用错误的授权信息]";try {System.out.println(prefix + "删除节点：" + PATH_DEL);ZooKeeper badzk = new ZooKeeper(CONNECT_ADDR, 2000, null);//授权badzk.addAuthInfo(authentication_type,badAuthentication.getBytes());Thread.sleep(2000);Stat stat = badzk.exists(PATH_DEL, false);if (stat!=null) {badzk.delete(PATH_DEL, -1);System.out.println(prefix + "删除成功");}} catch (Exception e) {System.err.println(prefix + "删除失败，原因是：" + e.getMessage());}}/** * 使用正确的密码删除节点 */static void deleteNodeByCorrectAuthentication() throws Exception {String prefix = "[使用正确的授权信息]";try {System.out.println(prefix + "删除节点：" + PATH_DEL);Stat stat = zk.exists(PATH_DEL, false);if (stat!=null) {zk.delete(PATH_DEL, -1);System.out.println(prefix + "删除成功");}} catch (Exception e) {System.out.println(prefix + "删除失败，原因是：" + e.getMessage());}}/** * 使用正确的密码删除节点 */static void deleteParent() throws Exception {try {Stat stat = zk.exists(PATH_DEL, false);if (stat == null) {zk.delete(PATH, -1);}} catch (Exception e) {e.printStackTrace();}}}

下节连接http://blog.csdn.net/lm324114/article/details/71055527

阅读全文

0 0