目的:在zookeeper中,znode默认是没有权限认证的,任何用户都可以访问和删除,这样很不安全。我们通过调用zookeeper的api,实现对znode的主机访问限制。
注:如果要实现限制用户访问,需要集成zookeeper自身的用户认证机制。
首先,附上代码:TestAcl3.java
import java.io.BufferedReader;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.ArrayList;
import java.util.List;
import org.apache.zookeeper.KeeperException;
import org.apache.zookeeper.Watcher;
import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.ZooKeeper;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Id;
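/**
 * Restricts access to a ZooKeeper znode to a whitelist of client IP addresses.
 *
 * <p>The whitelist file holds one address per line; every non-blank line becomes an
 * {@code ip}-scheme ACL entry with {@link ZooDefs.Perms#ALL}, and the node's ACL is
 * replaced with that list. {@code ip} ACLs match on the client's source address only —
 * they do not authenticate a user. The host you administer ZooKeeper from must itself be
 * in the whitelist, otherwise it loses access to the node together with everybody else.
 *
 * <p>Command-line arguments (positional, each optional): connect string, znode path,
 * whitelist file path. Missing arguments fall back to the built-in defaults.
 */
public class TestAcl3 {
    private static final int SESSION_TIMEOUT = 300000;
    /** Charset the whitelist file is decoded with. */
    private static final String WHITELIST_ENCODING = "GBK";
    /** ZooKeeper ACL scheme that matches on the client's IP address. */
    private static final String IP_SCHEME = "ip";
    private static final String DEFAULT_CONNECT_STRING = "10.1.236.51:2181";
    private static final String DEFAULT_ZNODE_PATH = "/";
    private static final String DEFAULT_WHITELIST_FILE = "D:\\data.txt";

    ZooKeeper zk;

    /** Session watcher: only prints every event it receives. */
    Watcher wh = new Watcher() {
        @Override
        public void process(org.apache.zookeeper.WatchedEvent event) {
            System.out.println(event.toString());
        }
    };

    /**
     * Opens the ZooKeeper session.
     *
     * @param zk_conf connect string ({@code host:port[,host:port...]})
     * @throws IOException if the client cannot be created
     */
    private void createZKInstance(String zk_conf) throws IOException {
        zk = new ZooKeeper(zk_conf, SESSION_TIMEOUT, this.wh);
    }

    /**
     * Reads the whitelist file: one address per line, surrounding whitespace removed,
     * blank lines skipped. Trailing whitespace would otherwise end up inside the ACL
     * entry and match no client at all.
     *
     * @param file     whitelist file
     * @param encoding charset name the file is decoded with
     * @return the non-blank, trimmed lines in file order (possibly empty)
     * @throws IOException if the file cannot be opened or read
     */
    static List<String> readWhitelist(File file, String encoding) throws IOException {
        List<String> hosts = new ArrayList<String>();
        // try-with-resources: the reader is closed on every path, not only on success
        try (BufferedReader reader = new BufferedReader(
                new InputStreamReader(new FileInputStream(file), encoding))) {
            String line;
            while ((line = reader.readLine()) != null) {
                String host = line.trim();
                if (!host.isEmpty()) {
                    hosts.add(host);
                }
            }
        }
        return hosts;
    }

    /**
     * Replaces the ACL of {@code path} with one {@code ip} entry (all permissions) per
     * whitelist line. File problems are reported on stdout and leave the ACL untouched;
     * ZooKeeper errors propagate to the caller instead of being reported as read errors.
     *
     * @param path     znode whose ACL is replaced
     * @param filepath whitelist file, one IP per line
     * @throws KeeperException      if ZooKeeper rejects the ACL update
     * @throws InterruptedException if the session is interrupted
     */
    private void confAcl(String path, String filepath) throws KeeperException, InterruptedException {
        File file = new File(filepath);
        if (!file.isFile()) {
            System.out.println("file not found!");
            return;
        }
        List<String> hosts;
        try {
            hosts = readWhitelist(file, WHITELIST_ENCODING);
        } catch (IOException e) {
            System.out.println("read error!");
            e.printStackTrace();
            return;
        }
        if (hosts.isEmpty()) {
            // An empty ACL list would leave the node without any usable entry; refuse
            // rather than lock every client (including this one) out of the znode.
            System.out.println("whitelist is empty, ACL not changed: " + filepath);
            return;
        }
        List<ACL> acls = new ArrayList<ACL>(hosts.size());
        for (String host : hosts) {
            System.out.println(host);
            acls.add(new ACL(ZooDefs.Perms.ALL, new Id(IP_SCHEME, host)));
        }
        // aclVersion -1: apply regardless of the node's current ACL version
        zk.setACL(path, acls, -1);
        System.out.println("set ACL succ:" + path);
        System.out.println("set ACL succ:" + acls);
    }

    /**
     * Closes the ZooKeeper session.
     *
     * @throws InterruptedException if closing is interrupted
     */
    private void ZKClose() throws InterruptedException {
        zk.close();
    }

    /**
     * Entry point.
     *
     * @param args {@code [connectString [znodePath [whitelistFile]]]}; each missing
     *             argument falls back to its default
     * @throws IOException          if the ZooKeeper client cannot be created
     * @throws InterruptedException if the session is interrupted
     * @throws KeeperException      if the ACL update is rejected
     */
    public static void main(String[] args) throws IOException, InterruptedException, KeeperException {
        String connectString = args.length > 0 ? args[0] : DEFAULT_CONNECT_STRING;
        String znodePath = args.length > 1 ? args[1] : DEFAULT_ZNODE_PATH;
        String whitelistFile = args.length > 2 ? args[2] : DEFAULT_WHITELIST_FILE;

        TestAcl3 dm = new TestAcl3();
        dm.createZKInstance(connectString);
        try {
            dm.confAcl(znodePath, whitelistFile);
        } finally {
            // close the session even when setACL throws
            dm.ZKClose();
        }
    }
}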
我们在windows/linux环境下将代码打成jar包,然后就可以使用jar包实现对zookeeper znode的ip访问限制了。具体如下:
1.上传jar到其中一台zookeeper主机。
2.创建允许访问zookeeper的主机ip白名单
vi data
格式如下:
10.1.236.52
10.1.236.53
10.1.236.54
3.执行如下命令:
hadoop jar setAcl.jar SetAcl 10.1.236.52:2181 / /root/data
10.1.236.52:2181: zookeeper主机ip及端口
/: zookeeper根路径
/root/data:ip白名单列表路径
4.查看权限:
/usr/hdp/2.4.0.0-169/zookeeper/bin/zkCli.sh -server 10.1.236.52
[zk: localhost:2181(CONNECTED) 0] ls /
[hiveserver2, test2, zookeeper, test, hbase-unsecure, rmstore, zk001, zk003]
[zk: localhost:2181(CONNECTED) 1] getAcl /
如果结果有对应ip白名单里面的主机ip则OK.
5.故障恢复:
/usr/hdp/2.4.0.0-169/zookeeper/bin/zkCli.sh -server 10.1.236.52
[zk: 10.1.236.52(CONNECTED) 9] setAcl / world:anyone:cdrwa
[zk: 10.1.236.52(CONNECTED) 8] getAcl /
'world,'anyone
: cdrwa
如果结果如上,则权限已经恢复。