java zookeeper权限控制ACL(auth,digest,ip)
学习前请参考:https://www.cnblogs.com/zwcry/p/10407806.html
zookeeper权限控制常用的就三种
1.auth 用户名:密码
将节点权限改为auth认证,但不加密。每次操作数据需要auth登录认证。
2.digest 用户名:加密(密码)
将节点权限改为auth认证,需digest加密(sha1)。每次操作数据需要auth登录认证。
3.ip 192.168.x.x
将节点权限改为限定ip访问
代码只写到digest和ip权限控制,至于auth明文,小朋友们可以手动写下测测。
ACL.java
package com.qy.zk;
import java.io.IOException;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.List;
import org.apache.zookeeper.KeeperException;
import org.apache.zookeeper.ZooDefs.Perms;
import org.apache.zookeeper.ZooKeeper;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Id;
import org.apache.zookeeper.data.Stat;
import org.apache.zookeeper.server.auth.DigestAuthenticationProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
* 描述:zookeeper节点访问权限,权限定以后,每次操作数据,需要auth认证登录或在ip限定的客服端访问
* 代码里也有写到如何auth认证登录 zk.addAuthInfo
* 作者:七脉
*/
public class MyZkAcl {
private static final Logger log = LoggerFactory.getLogger(MyZkAcl.class);
public static void main(String[] args) throws IOException, InterruptedException, KeeperException, NoSuchAlgorithmException {
ZooKeeper zk = MyZkConnect.connect();
/**创建一个节点,再进行测试**/
//该方法里的权限是 anyone word,crwda
MyZkConnect.create(zk, "/myacl", "myacl");
/**更改权限控制,指定用户名密码并digest加密**/
//digestAcL(zk, "/myacl");
/**更改权限控制,限定IP**/
ipAcL(zk, "/myacl");
}
/**
* 描述:将节点权限改为crwda,用户名密码为lry:123456并digest加密
* 作者:七脉
* @param zk
* @param nodePath
* @return
* @throws KeeperException
* @throws InterruptedException
* @throws NoSuchAlgorithmException
*/
public static Stat digestAcL(ZooKeeper zk, String nodePath) throws KeeperException, InterruptedException, NoSuchAlgorithmException{
log.info("准备权限修改节点 {} ACL",nodePath);
Stat stat = MyZkConnect.queryStat(zk, nodePath);
List<ACL> acls = new ArrayList<>();
//scheme 有world/auth/digest/host/ip/
//zk的digest是通过sha1加密
String scheme = "digest";
//定义一个用户名密码为lry:123456
Id id = new Id(scheme, DigestAuthenticationProvider.generateDigest("lry:123456"));
ACL acl = new ACL(Perms.ALL, id);
acls.add(acl);
//如果修改已经加密的节点,请先按原用户密码认证登录
//zk.addAuthInfo(scheme, "lry:123456".getBytes());
Stat newstat = zk.setACL(nodePath, acls, stat.getAversion());
log.info("完成权限修改节点 {} ACL",nodePath);
return newstat;
}
/**
* 描述:将节点权限改为crwda,并限制指定IP
* 作者:七脉
* @param zk
* @param nodePath
* @return
* @throws KeeperException
* @throws InterruptedException
* @throws NoSuchAlgorithmException
*/
public static Stat ipAcL(ZooKeeper zk, String nodePath) throws KeeperException, InterruptedException, NoSuchAlgorithmException{
log.info("准备权限修改节点 {} ACL",nodePath);
Stat stat = MyZkConnect.queryStat(zk, nodePath);
List<ACL> acls = new ArrayList<>();
//scheme 有world/auth/digest/host/ip/
//zk的digest是通过sha1加密
String scheme = "ip";
//定义权限IP(如果是vm虚拟机,ip为虚拟ip)
Id id = new Id(scheme, "192.168.159.1");
ACL acl = new ACL(Perms.ALL, id);
acls.add(acl);
//如果修改已经加密的节点,请先按原用户密码认证登录
//zk.addAuthInfo("digest", "lry:123456".getBytes());
Stat newstat = zk.setACL(nodePath, acls, stat.getAversion());
log.info("完成权限修改节点 {} ACL",nodePath);
return newstat;
}
}
不明白的地方,代码里都有注释。相关的类可以在https://www.cnblogs.com/zwcry/p/10407806.html复制,也可以下载源码