五、Zookeeper的ACL(AUTH) · Zookeeper

## 一、ACL（Access contol List）什么是ACL，Zookeeper作為一個分布式協調框架，其內部存儲的都是一些關乎分布式系統運行時狀態的元數據，尤其是設計到了一些分布式鎖，Master選舉和協調應用場景，有效的保障Zookeeper中的數據安全，Zookeeper ZK提供了三種模式，權限模式，授權對象，權限權限模式：Scheme 開發人員最多使用的如下四種權限模式 IP: ip模式通過ip地址，來進行權限控制 Digest： digest是最常用的權限控制模式，zk會對形成的權限標識先后進行兩次編碼處理，分別是SHA-1加密算法、BASE64編碼。 World：World是一值最開放的權限控制模式、這種模式可以看做為特殊的Digest，他僅僅是一個標識而已 Super：超級用戶模式，在超級用戶模式下可以ZK進行操作權限：權限就是指那些通過權限檢測后可以允許執行的操作，在ZK中，對數據的操作權限分為以下五大類 CREATE、Delete、READ、WRITE、ADMIN ## 二、代碼的實現 /** * Zookeeper 節點授權 * @author（alienware） * @since 2015-6-14 */ public class ZookeeperAuth implements Watcher { /** 連接地址 */ final static String CONNECT_ADDR = "192.168.80.88:2181"; /** 測試路徑 */ final static String PATH = "/testAuth"; final static String PATH_DEL = "/testAuth/delNode"; /** 認證類型 */ final static String authentication_type = "digest"; /** 認證正確方法 */ final static String correctAuthentication = "123456"; /** 認證錯誤方法 */ final static String badAuthentication = "654321"; static ZooKeeper zk = null; /** 計時器 */ AtomicInteger seq = new AtomicInteger(); /** 標識 */ private static final String LOG_PREFIX_OF_MAIN = "【Main】"; private CountDownLatch connectedSemaphore = new CountDownLatch(1); @Override public void process(WatchedEvent event) { try { Thread.sleep(200); } catch (InterruptedException e) { e.printStackTrace(); } if (event==null) { return; } // 連接狀態 KeeperState keeperState = event.getState(); // 事件類型 EventType eventType = event.getType(); // 受影響的path String path = event.getPath(); String logPrefix = "【Watcher-" + this.seq.incrementAndGet() + "】"; System.out.println(logPrefix + "收到Watcher通知"); System.out.println(logPrefix + "連接狀態:\t" + keeperState.toString()); System.out.println(logPrefix + "事件類型:\t" + eventType.toString()); if (KeeperState.SyncConnected == keeperState) { // 成功連接上ZK服務器 if (EventType.None == eventType) { System.out.println(logPrefix + "成功連接上ZK服務器"); connectedSemaphore.countDown(); } } else if (KeeperState.Disconnected == keeperState) { System.out.println(logPrefix + "與ZK服務器斷開連接"); } else if (KeeperState.AuthFailed == keeperState) { System.out.println(logPrefix + "權限檢查失敗"); } else if (KeeperState.Expired == keeperState) { System.out.println(logPrefix + "會話失效"); } System.out.println("--------------------------------------------"); } /** * 創建ZK連接 * * @param connectString * ZK服務器地址列表 * @param sessionTimeout * Session超時時間 */ public void createConnection(String connectString, int sessionTimeout) { this.releaseConnection(); try { zk = new ZooKeeper(connectString, sessionTimeout, this); //添加節點授權 zk.addAuthInfo(authentication_type,correctAuthentication.getBytes()); System.out.println(LOG_PREFIX_OF_MAIN + "開始連接ZK服務器"); //倒數等待 connectedSemaphore.await(); } catch (Exception e) { e.printStackTrace(); } } /** * 關閉ZK連接 */ public void releaseConnection() { if (this.zk!=null) { try { this.zk.close(); } catch (InterruptedException e) { } } } /** * * 方法名稱：測試函數 * 概要說明：測試認證 * @param args * @throws Exception */ public static void main(String[] args) throws Exception { ZookeeperAuth testAuth = new ZookeeperAuth(); testAuth.createConnection(CONNECT_ADDR,2000); List<ACL> acls = new ArrayList<ACL>(1); for (ACL ids_acl : Ids.CREATOR_ALL_ACL) { acls.add(ids_acl); } try { zk.create(PATH, "init content".getBytes(), acls, CreateMode.PERSISTENT); System.out.println("使用授權key：" + correctAuthentication + "創建節點："+ PATH + ", 初始內容是: init content"); } catch (Exception e) { e.printStackTrace(); } try { zk.create(PATH_DEL, "will be deleted! ".getBytes(), acls, CreateMode.PERSISTENT); System.out.println("使用授權key：" + correctAuthentication + "創建節點："+ PATH_DEL + ", 初始內容是: init content"); } catch (Exception e) { e.printStackTrace(); } // 獲取數據 getDataByNoAuthentication(); getDataByBadAuthentication(); getDataByCorrectAuthentication(); // 更新數據 updateDataByNoAuthentication(); updateDataByBadAuthentication(); updateDataByCorrectAuthentication(); // 刪除數據 deleteNodeByBadAuthentication(); deleteNodeByNoAuthentication(); deleteNodeByCorrectAuthentication(); // Thread.sleep(1000); deleteParent(); //釋放連接 testAuth.releaseConnection(); } /** 獲取數據：采用錯誤的密碼 */ static void getDataByBadAuthentication() { String prefix = "[使用錯誤的授權信息]"; try { ZooKeeper badzk = new ZooKeeper(CONNECT_ADDR, 2000, null); //授權 badzk.addAuthInfo(authentication_type,badAuthentication.getBytes()); Thread.sleep(2000); System.out.println(prefix + "獲取數據：" + PATH); System.out.println(prefix + "成功獲取數據：" + badzk.getData(PATH, false, null)); } catch (Exception e) { System.err.println(prefix + "獲取數據失敗，原因：" + e.getMessage()); } } /** 獲取數據：不采用密碼 */ static void getDataByNoAuthentication() { String prefix = "[不使用任何授權信息]"; try { System.out.println(prefix + "獲取數據：" + PATH); ZooKeeper nozk = new ZooKeeper(CONNECT_ADDR, 2000, null); Thread.sleep(2000); System.out.println(prefix + "成功獲取數據：" + nozk.getData(PATH, false, null)); } catch (Exception e) { System.err.println(prefix + "獲取數據失敗，原因：" + e.getMessage()); } } /** 采用正確的密碼 */ static void getDataByCorrectAuthentication() { String prefix = "[使用正確的授權信息]"; try { System.out.println(prefix + "獲取數據：" + PATH); System.out.println(prefix + "成功獲取數據：" + zk.getData(PATH, false, null)); } catch (Exception e) { System.out.println(prefix + "獲取數據失敗，原因：" + e.getMessage()); } } /** * 更新數據：不采用密碼 */ static void updateDataByNoAuthentication() { String prefix = "[不使用任何授權信息]"; System.out.println(prefix + "更新數據： " + PATH); try { ZooKeeper nozk = new ZooKeeper(CONNECT_ADDR, 2000, null); Thread.sleep(2000); Stat stat = nozk.exists(PATH, false); if (stat!=null) { nozk.setData(PATH, prefix.getBytes(), -1); System.out.println(prefix + "更新成功"); } } catch (Exception e) { System.err.println(prefix + "更新失敗，原因是：" + e.getMessage()); } } /** * 更新數據：采用錯誤的密碼 */ static void updateDataByBadAuthentication() { String prefix = "[使用錯誤的授權信息]"; System.out.println(prefix + "更新數據：" + PATH); try { ZooKeeper badzk = new ZooKeeper(CONNECT_ADDR, 2000, null); //授權 badzk.addAuthInfo(authentication_type,badAuthentication.getBytes()); Thread.sleep(2000); Stat stat = badzk.exists(PATH, false); if (stat!=null) { badzk.setData(PATH, prefix.getBytes(), -1); System.out.println(prefix + "更新成功"); } } catch (Exception e) { System.err.println(prefix + "更新失敗，原因是：" + e.getMessage()); } } /** * 更新數據：采用正確的密碼 */ static void updateDataByCorrectAuthentication() { String prefix = "[使用正確的授權信息]"; System.out.println(prefix + "更新數據：" + PATH); try { Stat stat = zk.exists(PATH, false); if (stat!=null) { zk.setData(PATH, prefix.getBytes(), -1); System.out.println(prefix + "更新成功"); } } catch (Exception e) { System.err.println(prefix + "更新失敗，原因是：" + e.getMessage()); } } /** * 不使用密碼刪除節點 */ static void deleteNodeByNoAuthentication() throws Exception { String prefix = "[不使用任何授權信息]"; try { System.out.println(prefix + "刪除節點：" + PATH_DEL); ZooKeeper nozk = new ZooKeeper(CONNECT_ADDR, 2000, null); Thread.sleep(2000); Stat stat = nozk.exists(PATH_DEL, false); if (stat!=null) { nozk.delete(PATH_DEL,-1); System.out.println(prefix + "刪除成功"); } } catch (Exception e) { System.err.println(prefix + "刪除失敗，原因是：" + e.getMessage()); } } /** * 采用錯誤的密碼刪除節點 */ static void deleteNodeByBadAuthentication() throws Exception { String prefix = "[使用錯誤的授權信息]"; try { System.out.println(prefix + "刪除節點：" + PATH_DEL); ZooKeeper badzk = new ZooKeeper(CONNECT_ADDR, 2000, null); //授權 badzk.addAuthInfo(authentication_type,badAuthentication.getBytes()); Thread.sleep(2000); Stat stat = badzk.exists(PATH_DEL, false); if (stat!=null) { badzk.delete(PATH_DEL, -1); System.out.println(prefix + "刪除成功"); } } catch (Exception e) { System.err.println(prefix + "刪除失敗，原因是：" + e.getMessage()); } } /** * 使用正確的密碼刪除節點 */ static void deleteNodeByCorrectAuthentication() throws Exception { String prefix = "[使用正確的授權信息]"; try { System.out.println(prefix + "刪除節點：" + PATH_DEL); Stat stat = zk.exists(PATH_DEL, false); if (stat!=null) { zk.delete(PATH_DEL, -1); System.out.println(prefix + "刪除成功"); } } catch (Exception e) { System.out.println(prefix + "刪除失敗，原因是：" + e.getMessage()); } } /** * 使用正確的密碼刪除節點 */ static void deleteParent() throws Exception { try { Stat stat = zk.exists(PATH_DEL, false); if (stat == null) { zk.delete(PATH, -1); } } catch (Exception e) { e.printStackTrace(); } } }