ACL permission control of zookeeper

Permission test

Create directory

[zk: localhost:2181(CONNECTED) 1] create /dlw "dlw"
Created /dlw

Check directory permissions

[zk: localhost:2181(CONNECTED) 3] getAcl /dlw
'world,'anyone
: cdrwa

Modify the ACL of the directory, that is, add the user accumulo to the /dlw directory. The password digest is SkvnZlrIQ19GNd7eLDXGKg0Esgw=, and r means read-only

[zk: localhost:2181(CONNECTED) 5] setAcl /dlw digest:accumulo:SkvnZlrIQ19GNd7eLDXGKg0Esgw=:r
cZxid = 0x30000003f
ctime = Mon Feb 05 16:47:14 CHOT 2018
mZxid = 0x30000003f
mtime = Mon Feb 05 16:47:14 CHOT 2018
pZxid = 0x30000003f
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 5
numChildren = 0

Check the directory permissions again

[zk: localhost:2181(CONNECTED) 6] getAcl /dlw
'digest,'accumulo:SkvnZlrIQ19GNd7eLDXGKg0Esgw=
: r

Now the directory can no longer be accessed because of insufficient permissions

[zk: localhost:2181(CONNECTED) 7] ls /dlw
Authentication is not valid : /dlw

Suddenly I found that although I knew the MD5 value of the accumulo user's password, I didn't know what the password was, so I couldn't access the /dlw directory

In this case, you can use ZooKeeper's ACL super administrator to operate on the node

ACL super administrator of ZooKeeper

Modify ZooKeeper's startup script

$ cd $ZOOKEEPER_HOME/bin
$ vi zkServer.sh

Add a line defining the super digest (the value after superDigest= is the digest scheme's encoding of the super user's credential)

SUPER_ACL="-Dzookeeper.DigestAuthenticationProvider.superDigest=super:xQJmxLMiHGwaqBvst5y6rkB6HQs="
(super:xQJmxLMiHGwaqBvst5y6rkB6HQs= is the digest of the credential super:admin)

Modify the startup command: find the nohup line and add "${SUPER_ACL}" to it

nohup $JAVA $ZOO_DATADIR_AUTOCREATE "-Dzookeeper.log.dir=${ZOO_LOG_DIR}" \
    "-Dzookeeper.root.logger=${ZOO_LOG4J_PROP}" "${SUPER_ACL}" \
    -cp "$CLASSPATH" $JVMFLAGS $ZOOMAIN "$ZOOCFG" > "$_ZOO_DAEMON_OUT" 2>&1 < /dev/null &

Distribute zkServer.sh to the other ZooKeeper nodes and restart the ZooKeeper service

Log in again with zkCli.sh, authenticate as the super administrator, and you can operate on /dlw

[zk: localhost:2181(CONNECTED) 14] addauth digest super:admin
[zk: localhost:2181(CONNECTED) 15] ls /dlw
[]

Change the ACL of the /dlw directory back to the initial default

[zk: localhost:2181(CONNECTED) 23] setAcl /dlw world:anyone:crwda
cZxid = 0x30000003f
ctime = Mon Feb 05 16:47:14 CHOT 2018
mZxid = 0x30000003f
mtime = Mon Feb 05 16:47:14 CHOT 2018
pZxid = 0x30000003f
cversion = 0
dataVersion = 0
aclVersion = 2
ephemeralOwner = 0x0
dataLength = 5
numChildren = 0
[zk: localhost:2181(CONNECTED) 24] getAcl /dlw
'world,'anyone
: cdrwa

Authentication schemes of ZooKeeper

Digest: the client is authenticated by user name and password, given as user:password. The stored digest is the base64 form of the SHA1 digest of that user:password string

Auth: uses no ID; it represents any authenticated user.

IP: the client is authenticated by its IP address or range, such as 172.2.0.0/24

World: the only ID is anyone, and the permission is open to all clients

Super: in this scheme, the corresponding ID has super permissions and can do anything (cdrwa)
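The digest scheme above and the SUPER_ACL value in zkServer.sh both rely on the same encoding: "user:" + base64(SHA-1("user:password")). The following added example (mine, not code from the original post or from the ZooKeeper project) reproduces that encoding in Python so an operator can verify the digest placed in superDigest matches the intended credential before restarting the ensemble; it assumes the credential super:admin from the post.

```python
import base64
import hashlib

# Added example (not from the original post): reproduces the encoding used by
# ZooKeeper's digest scheme, "<user>:" + base64(SHA-1("<user>:<password>")).


def generate_digest(id_password: str) -> str:
    """Return the value ZooKeeper stores for a user:password credential."""
    user, sep, _ = id_password.partition(":")
    if not sep or not user:
        raise ValueError("expected the form user:password")
    raw = hashlib.sha1(id_password.encode("utf-8")).digest()
    return f"{user}:{base64.b64encode(raw).decode('ascii')}"


def acl_entry(id_password: str, perms: str) -> str:
    """Build the argument zkCli's setAcl expects for the digest scheme,
    e.g. digest:<user>:<digest>:r as used on /dlw in the post."""
    return f"digest:{generate_digest(id_password)}:{perms}"


def credential_matches(id_password: str, stored: str) -> bool:
    """Check a candidate user:password against a stored digest entry
    (for example the superDigest value in zkServer.sh)."""
    return generate_digest(id_password) == stored


def super_digest_property(id_password: str) -> str:
    """The JVM property the post adds to zkServer.sh for the super user."""
    return ("-Dzookeeper.DigestAuthenticationProvider.superDigest="
            + generate_digest(id_password))


if __name__ == "__main__":
    # super:admin is the credential the post uses for the super administrator.
    print(generate_digest("super:admin"))
    print(super_digest_property("super:admin"))
    print(acl_entry("super:admin", "cdrwa"))
```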

A node's ACL can grant the following permissions (perms)

Create allows create operations on child nodes

Read allows getChildren and getData operations on this node

Write allows the setData operation on this node

Delete allows delete operations on child nodes

Admin allows the setACL operation on this node

When setting ACL permissions, the abbreviation cdrwa is used for these five permissions
