如何使用 zkCli 从 ZooKeeper 访问受保护的 znode?
How to access a protected znode from ZooKeeper using zkCli?
我使用以下方法创建了一个 znode:
zookeeper-0:/opt/zookeeper/bin # ./zkCli.sh create /mynode content digest:user:pass:cdrwa
现在如何使用 zkCli.sh 实用程序访问 znode?
zookeeper-0:/opt/zookeeper/bin # ./zkCli.sh get /mynode
Connecting to localhost:2181
WATCHER::
WatchedEvent state:SyncConnected type:None path:null
Authentication is not valid : /mynode
zookeeper-0:/opt/zookeeper/bin #
getAcl 显示如下:
zookeeper-0:/opt/zookeeper/bin # ./zkCli.sh getAcl /mynode
Connecting to localhost:2181
WATCHER::
WatchedEvent state:SyncConnected type:None path:null
'digest,'user:pass
: cdrwa
zookeeper-0:/opt/zookeeper/bin #
您需要使用散列密码创建摘要 ACL。
digest uses a username:password string to generate MD5 hash which is then used as an ACL ID identity. Authentication is done by sending the username:password in clear text. When used in the ACL the expression will be the username:base64 encoded SHA1 password digest.
生成哈希密码
$ java -cp "./zookeeper-3.4.13.jar:./lib/slf4j-api-1.7.25.jar" \
org.apache.zookeeper.server.auth.DigestAuthenticationProvider user:pass
SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
user:pass->user:smGaoVKd/cQkjm7b88GyorAUz20=
使用散列密码创建节点
[zk: zookeeper(CONNECTED) 0] create /mynode content digest:user:smGaoVKd/cQkjm7b88GyorAUz20=:cdrwa
Created /mynode
访问受保护节点
[zk: zookeeper(CONNECTED) 1] get /mynode
Authentication is not valid : /mynode
[zk: zookeeper(CONNECTED) 2] addauth digest user:pass
[zk: zookeeper(CONNECTED) 3] get /mynode
content
cZxid = 0x14
ctime = Wed Sep 12 19:37:48 GMT 2018
mZxid = 0x14
mtime = Wed Sep 12 19:37:48 GMT 2018
pZxid = 0x14
cversion = 0
dataVersion = 0
aclVersion = 0
ephemeralOwner = 0x0
dataLength = 7
numChildren = 0
如果您查看 zkcli.sh 脚本的内容,您将看到一个注释掉的块,显示如何使用凭据配置环境变量:
#SOLR_ZK_CREDS_AND_ACLS="-DzkACLProvider=org.apache.solr.common.cloud.VMParamsAllAndReadonlyDigestZkACLProvider \
# -DzkCredentialsProvider=org.apache.solr.common.cloud.VMParamsSingleSetCredentialsDigestZkCredentialsProvider \
# -DzkDigestUsername=admin-user -DzkDigestPassword=CHANGEME-ADMIN-PASSWORD \
# -DzkDigestReadonlyUsername=readonly-user -DzkDigestReadonlyPassword=CHANGEME-READONLY-PASSWORD"
您可以按照此模板使用正确的凭据在本地系统上配置环境变量 SOLR_ZK_CREDS_AND_ACLS,然后 zkcli.sh 脚本将在与 ZooKeeper 通信时使用它们。
我使用以下方法创建了一个 znode:
zookeeper-0:/opt/zookeeper/bin # ./zkCli.sh create /mynode content digest:user:pass:cdrwa
现在如何使用 zkCli.sh 实用程序访问 znode?
zookeeper-0:/opt/zookeeper/bin # ./zkCli.sh get /mynode
Connecting to localhost:2181
WATCHER::
WatchedEvent state:SyncConnected type:None path:null
Authentication is not valid : /mynode
zookeeper-0:/opt/zookeeper/bin #
getAcl 显示如下:
zookeeper-0:/opt/zookeeper/bin # ./zkCli.sh getAcl /mynode
Connecting to localhost:2181
WATCHER::
WatchedEvent state:SyncConnected type:None path:null
'digest,'user:pass
: cdrwa
zookeeper-0:/opt/zookeeper/bin #
您需要使用散列密码创建摘要 ACL。
digest uses a username:password string to generate MD5 hash which is then used as an ACL ID identity. Authentication is done by sending the username:password in clear text. When used in the ACL the expression will be the username:base64 encoded SHA1 password digest.
生成哈希密码
$ java -cp "./zookeeper-3.4.13.jar:./lib/slf4j-api-1.7.25.jar" \
org.apache.zookeeper.server.auth.DigestAuthenticationProvider user:pass
SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
SLF4J: Defaulting to no-operation (NOP) logger implementation
SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
user:pass->user:smGaoVKd/cQkjm7b88GyorAUz20=
使用散列密码创建节点
[zk: zookeeper(CONNECTED) 0] create /mynode content digest:user:smGaoVKd/cQkjm7b88GyorAUz20=:cdrwa
Created /mynode
访问受保护节点
[zk: zookeeper(CONNECTED) 1] get /mynode
Authentication is not valid : /mynode
[zk: zookeeper(CONNECTED) 2] addauth digest user:pass
[zk: zookeeper(CONNECTED) 3] get /mynode
content
cZxid = 0x14
ctime = Wed Sep 12 19:37:48 GMT 2018
mZxid = 0x14
mtime = Wed Sep 12 19:37:48 GMT 2018
pZxid = 0x14
cversion = 0
dataVersion = 0
aclVersion = 0
ephemeralOwner = 0x0
dataLength = 7
numChildren = 0
如果您查看 zkcli.sh 脚本的内容,您将看到一个注释掉的块,显示如何使用凭据配置环境变量:
#SOLR_ZK_CREDS_AND_ACLS="-DzkACLProvider=org.apache.solr.common.cloud.VMParamsAllAndReadonlyDigestZkACLProvider \
# -DzkCredentialsProvider=org.apache.solr.common.cloud.VMParamsSingleSetCredentialsDigestZkCredentialsProvider \
# -DzkDigestUsername=admin-user -DzkDigestPassword=CHANGEME-ADMIN-PASSWORD \
# -DzkDigestReadonlyUsername=readonly-user -DzkDigestReadonlyPassword=CHANGEME-READONLY-PASSWORD"
您可以按照此模板使用正确的凭据在本地系统上配置环境变量 SOLR_ZK_CREDS_AND_ACLS,然后 zkcli.sh 脚本将在与 ZooKeeper 通信时使用它们。