ZooKeeper ACL permission control

1.1 ACL permission control:

scheme, id and permission are used to identify, mainly covering three aspects:

Permission scheme: authorization policy

Authorization object (id): the authorized object

Permission: the permission granted

1.2. Features of Zookeeper ACL:

Zookeeper's permission control is based on znode nodes, and permissions need to be set for each node.

Each znode supports setting multiple permission control schemes and multiple permissions.

Child nodes do not inherit the permissions of the parent node. A client cannot access a node, but can access its child nodes

1.3 permission mode

Scheme description

There is only one user in the world: anyone, which represents the owner who logs in to zokeeper (default)

IP uses IP address authentication for clients

auth uses user authentication with added authentication

digest uses "user name: password" to authenticate

1.4 authorization

create, delete, read, writer and admin are the add, delete, modify, query and management permissions. These five permissions are abbreviated as cdrwa. Note: among these five permissions, delete refers to the delete permission of child nodes, and the other four permissions refer to the operation permission of their own nodes.

Short description of permission ACL

create c can create child nodes

delete d can delete child nodes (only lower level nodes)

read r can read node data and display the list of child nodes

write w can set node data

admin a can set node access control list permissions

2.1. Start ZooKeeper cluster

Start the ZooKeeper cluster. Refer to ZooKeeper installation and deployment for specific steps.

2.2. Start zkCli client

cd /usr/cstor/zookeeper


2.3. View node ACL

create /node1 "node1"

getAcl /node1

This is the default acl when creating a node, which means that any client connected to Zookeeper can cdrwa the node. The permission setting mode to use acl is scheme: id:permission, such as world:anyone:cdwa.

2.4 world permissions

The world permission mode has only one setting mode. setAcl world:anyone:[r][w][c][d][a]

(1) . cancel the node's permission to read data:

setAcl /node1 world:anyone:cdwa     Cancel the node's permission to read data

getAcl /node1                     View node permissions

get /node1                        obtain node1 Node value

After setting, attempting to read the / node1 node will be unauthorized Authentication is not valid.

(2) . cancel the permission of the node to set data

setAcl /node1 world:anyone:cda         Unset data permissions

getAcl /node1                        View node permissions

set /node1 "node111111"               modify node1 Node value

(3) . cancel the permission of the node to create child nodes

setAcl /node1 world:anyone:da           Cancel the permission of creating child nodes

getAcl /node1                         View node permissions

create /node1/node2 "node2"             stay node1 Create child nodes under node node2 And assign value node2

(4) . cancel permission to delete child nodes

create /node8 "888"    

create /node8/node9 "999"

setAcl /node8 world:anyone:a          Cancel permission to delete child nodes

delete /node8/node9                  delete node8 Child nodes under node node9

(5) . cancel ACL related permissions

create /node666 "666"

setAcl /node666 world:anyone:           cancel node666 Full permissions

getAcl /node666

setAcl /node666 world:anyone:rwcda       

After canceling the a permission, the getAcl setAcl command has no permission.

2.5. IP permission mode

The ACL mode used in this mode is ip:[r][w][c][d][a]

create /node20 "node20"

setAcl /node20 ip:

getAcl /node20

get /node20

Set that only the client connection with ip can carry out rwdca operation, and other ip can't do anything. Because the client setting the ACL in the figure is not this ip, after setting it, it will lose its permission to this node, so the getAcl command will have no permission.

getAcl /node20

get /node20

We use the client link with ip and have rwdca permission, so we can perform getAcl operation and read node data.

2.6 auth authorization mode

This should be combined with the addauth command.

Step 1: add the authorized user addauth digest username:password first

Step 2: set this node. Only the client connection of the authorized user can be operated.

addauth digest admin:123456

create /nodeAuth "nodeAuth"

setAcl /nodeAuth auth:admin:rwdca

getAcl /nodeAuth


After quit ting and reconnecting the client:

get /nodeAuth

Lost permissions on this node. You need to use the addauth command to add authorization. You can only have permission on this node after logging in.

addauth digest admin: 123456

get /nodeAuth

2.7 digest authorization mode

Digest authorization mode is based on the authorization mode of account and password, which is similar to Auth mode, but it does not use addauth digest username:password to add permission users before setting permissions. Directly use the command setAcl path digest:username:password:acl to authorize (only the password here should use the encrypted password, not the inscription password).

linux command line input

echo -n admin:123456 | openssl dgst -binary -sha1 | openssl base64

zkCli client input

create /nodeDigest "nodeDigest"

setAcl /nodeDigest digest:admin:0uek/hZ/V9fgiM35b0Z2226acMQ=:rwdca

getAcl /nodeDigest

get /nodeDigest

addauth digest admin:123456

getAcl /nodeDigest

get /nodeDigest

2.8 multiple authorization modes

The same node can use multiple authorization modes at the same time

create /nodeManyAcl "nodeManyAcl"

addauth digest admin:123456

setAcl /nodeManyAcl ip:,auth:admin:rwdca,digest:admin:0uek/hZ/V9fgiM35b0Z2226acMQ=:rwdca

getAcl /nodeManyAcl

Keywords: Zookeeper Distribution server

Added by Highlander on Mon, 07 Mar 2022 10:09:01 +0200