Java 与策展人一起使用ACL
使用,有人能解释一下我如何:Java 与策展人一起使用ACL,java,apache-zookeeper,apache-curator,Java,Apache Zookeeper,Apache Curator,使用,有人能解释一下我如何: 创建新路径 设置此路径的数据 走这条路 使用用户名foo和密码bar?那些不知道此用户/通行证的用户将无法执行任何操作 我不关心SSL或密码是否通过明文发送用于此问题。Apache Curator中的ACL用于访问控制。因此,ZooKeeper不提供任何身份验证机制,例如,没有正确密码的客户端无法连接到ZooKeeper或无法创建zNode。它可以做的是,防止未经授权的客户机访问特定的Znode/Znode。为了做到这一点,您必须设置CuratorFramework
foo
和密码bar
?那些不知道此用户/通行证的用户将无法执行任何操作
我不关心SSL或密码是否通过明文发送用于此问题。Apache Curator中的ACL用于访问控制。因此,ZooKeeper不提供任何身份验证机制,例如,
没有正确密码的客户端无法连接到ZooKeeper或无法创建zNode。它可以做的是,防止未经授权的客户机访问特定的Znode/Znode。为了做到这一点,您必须设置CuratorFramework实例,正如我在下面所描述的。请记住,这将保证使用给定ACL创建的ZNode可以被同一客户端或呈现相同身份验证信息的客户端再次访问
首先,您应该构建CuratorFramework
实例,如下所示。在这里,connectString
表示一个以逗号分隔的列表,其中包含集合中zookeeper服务器的ip和端口组合
CuratorFrameworkFactory.Builder builder = CuratorFrameworkFactory.builder()
.connectString(connectString)
.retryPolicy(new ExponentialBackoffRetry(retryInitialWaitMs, maxRetryCount))
.connectionTimeoutMs(connectionTimeoutMs)
.sessionTimeoutMs(sessionTimeoutMs);
/*
* If authorization information is available, those will be added to the client. NOTE: These auth info are
* for access control, therefore no authentication will happen when the client is being started. These
* info will only be required whenever a client is accessing an already create ZNode. For another client of
* another node to make use of a ZNode created by this node, it should also provide the same auth info.
*/
if (zkUsername != null && zkPassword != null) {
String authenticationString = zkUsername + ":" + zkPassword;
builder.authorization("digest", authenticationString.getBytes())
.aclProvider(new ACLProvider() {
@Override
public List<ACL> getDefaultAcl() {
return ZooDefs.Ids.CREATOR_ALL_ACL;
}
@Override
public List<ACL> getAclForPath(String path) {
return ZooDefs.Ids.CREATOR_ALL_ACL;
}
});
}
CuratorFramework client = builder.build();
创建路径。
client.create().withMode(CreateMode.PERSISTENT).forPath("/your/ZNode/path");
在这里,CreateMode
指定要创建的节点类型。可用的类型有PERSISTENT、EPHEMERAL、EPHEMERAL\u SEQUENTIAL、PERSISTENT\u SEQUENTIAL、CONTAINER
如果不确定到/your/ZNode
的路径是否已经存在,也可以创建它们
client.create().creatingParentsIfNeeded().withMode(CreateMode.PERSISTENT).forPath("/your/ZNode/path");
设置数据
您可以在创建ZNode时设置数据,也可以更高版本。如果在创建时设置数据,请将数据作为字节
数组作为第二个参数传递给forPath()
方法
client.create().withMode(CreateMode.PERSISTENT).forPath("/your/ZNode/path","your data as String".getBytes());
如果以后再做,(数据应以字节数组的形式给出)
最后
我不明白你所说的“获取此路径”是什么意思Apache Curator
是一个java客户机(比Curator配方的客户机更多),它在后台使用Apache Zookeeper
,隐藏Zookeeper的边缘情况和复杂性。在Zookeeper中,他们使用ZNodes
的概念来存储数据。您可以将其视为Linux目录结构。所有ZNodePaths
都应该以/
(根)开头,您可以继续指定类似ZNodePaths的目录。例如:/someName/other/test/sample
如上图所示,ZNode以树状结构组织。每个ZNode
可以存储高达1MB的数据。因此,如果要检索存储在ZNode中的数据,需要知道该ZNode的路径。(就像您应该知道数据库的表和列以便检索数据一样)
如果要检索给定路径中的数据
client.getData().forPath("/path/to/ZNode");
当你想和馆长一起工作时,你只需要知道这些
还有一件事
Apache Curator中的ACL用于访问控制。也就是说,如果按如下方式设置ACLProvider
new ACLProvider() {
@Override
public List<ACL> getDefaultAcl () {
return ZooDefs.Ids.CREATOR_ALL_ACL;
}
@Override
public List<ACL> getAclForPath (String path){
return ZooDefs.Ids.CREATOR_ALL_ACL;
}
}
它们稍后将用于控制对给定ZNode的访问
简而言之,如果您想防止其他人干扰您的zNode,可以将ACLProvider设置为返回CREATOR\u ALL\u ACL
,并将授权设置为摘要
,如上所示。只有使用相同授权字符串(“用户名:密码”
)的CuratorFramework实例才能访问这些zNode。但它不会阻止其他人在不干扰您的路径中创建znode
希望您能找到您想要的:-)这不是原始问题的一部分,但我想我会分享一个我提出的解决方案,其中使用的凭据决定访问级别
我没有太多的运气找到任何例子,并一直在这个页面结束,所以它可能会帮助其他人。我翻阅了Curator Framework的源代码,幸运的是org.apache.Curator.Framework.recipes.leader.TestLeaderAcls类为我指明了正确的方向
所以在这个例子中:
一个通用客户端用于多个应用程序,只需要从ZK读取数据
另一个管理客户端能够读取、删除和更新ZK中的节点
只读或管理员访问权限由使用的凭据决定
完全控制管理客户端
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.List;
import org.apache.curator.RetryPolicy;
import org.apache.curator.framework.CuratorFramework;
import org.apache.curator.framework.CuratorFrameworkFactory;
import org.apache.curator.framework.api.ACLProvider;
import org.apache.curator.retry.ExponentialBackoffRetry;
import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Id;
import org.apache.zookeeper.server.auth.DigestAuthenticationProvider;
public class AdminClient {
protected static CuratorFramework client = null;
public void initializeClient() throws NoSuchAlgorithmException {
String zkConnectString = "127.0.0.1:2181";
RetryPolicy retryPolicy = new ExponentialBackoffRetry(1000, 3);
final List<ACL> acls = new ArrayList<>();
//full-control ACL
String zkUsername = "adminuser";
String zkPassword = "adminpass";
String fullControlAuth = zkUsername + ":" + zkPassword;
String fullControlDigest = DigestAuthenticationProvider.generateDigest(fullControlAuth);
ACL fullControlAcl = new ACL(ZooDefs.Perms.ALL, new Id("digest", fullControlDigest));
acls.add(fullControlAcl);
//read-only ACL
String zkReadOnlyUsername = "readuser";
String zkReadOnlyPassword = "readpass";
String readOnlyAuth = zkReadOnlyUsername + ":" + zkReadOnlyPassword;
String readOnlyDigest = DigestAuthenticationProvider.generateDigest(readOnlyAuth);
ACL readOnlyAcl = new ACL(ZooDefs.Perms.READ, new Id("digest", readOnlyDigest));
acls.add(readOnlyAcl);
//create the client with full-control access
client = CuratorFrameworkFactory.builder()
.connectString(zkConnectString)
.retryPolicy(retryPolicy)
.authorization("digest", fullControlAuth.getBytes())
.aclProvider(new ACLProvider() {
@Override
public List<ACL> getDefaultAcl() {
return acls;
}
@Override
public List<ACL> getAclForPath(String string) {
return acls;
}
})
.build();
client.start();
//Now create, read, delete ZK nodes
}
}
import java.security.NoSuchAlgorithmException;
import org.apache.curator.RetryPolicy;
import org.apache.curator.framework.CuratorFramework;
import org.apache.curator.framework.CuratorFrameworkFactory;
import org.apache.curator.retry.ExponentialBackoffRetry;
public class ReadOnlyClient {
protected static CuratorFramework client = null;
public void initializeClient() throws NoSuchAlgorithmException {
String zkConnectString = "127.0.0.1:2181";
RetryPolicy retryPolicy = new ExponentialBackoffRetry(1000, 3);
String zkReadOnlyUsername = "readuser";
String zkReadOnlyPassword = "readpass";
String readOnlyAuth = zkReadOnlyUsername + ":" + zkReadOnlyPassword;
client = CuratorFrameworkFactory.builder()
.connectString(zkConnectString)
.retryPolicy(retryPolicy)
.authorization("digest", readOnlyAuth.getBytes())
.build();
client.start();
//Now read ZK nodes
}
}
authorization("digest", authorizationString.getBytes())
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.List;
import org.apache.curator.RetryPolicy;
import org.apache.curator.framework.CuratorFramework;
import org.apache.curator.framework.CuratorFrameworkFactory;
import org.apache.curator.framework.api.ACLProvider;
import org.apache.curator.retry.ExponentialBackoffRetry;
import org.apache.zookeeper.ZooDefs;
import org.apache.zookeeper.data.ACL;
import org.apache.zookeeper.data.Id;
import org.apache.zookeeper.server.auth.DigestAuthenticationProvider;
public class AdminClient {
protected static CuratorFramework client = null;
public void initializeClient() throws NoSuchAlgorithmException {
String zkConnectString = "127.0.0.1:2181";
RetryPolicy retryPolicy = new ExponentialBackoffRetry(1000, 3);
final List<ACL> acls = new ArrayList<>();
//full-control ACL
String zkUsername = "adminuser";
String zkPassword = "adminpass";
String fullControlAuth = zkUsername + ":" + zkPassword;
String fullControlDigest = DigestAuthenticationProvider.generateDigest(fullControlAuth);
ACL fullControlAcl = new ACL(ZooDefs.Perms.ALL, new Id("digest", fullControlDigest));
acls.add(fullControlAcl);
//read-only ACL
String zkReadOnlyUsername = "readuser";
String zkReadOnlyPassword = "readpass";
String readOnlyAuth = zkReadOnlyUsername + ":" + zkReadOnlyPassword;
String readOnlyDigest = DigestAuthenticationProvider.generateDigest(readOnlyAuth);
ACL readOnlyAcl = new ACL(ZooDefs.Perms.READ, new Id("digest", readOnlyDigest));
acls.add(readOnlyAcl);
//create the client with full-control access
client = CuratorFrameworkFactory.builder()
.connectString(zkConnectString)
.retryPolicy(retryPolicy)
.authorization("digest", fullControlAuth.getBytes())
.aclProvider(new ACLProvider() {
@Override
public List<ACL> getDefaultAcl() {
return acls;
}
@Override
public List<ACL> getAclForPath(String string) {
return acls;
}
})
.build();
client.start();
//Now create, read, delete ZK nodes
}
}
import java.security.NoSuchAlgorithmException;
import org.apache.curator.RetryPolicy;
import org.apache.curator.framework.CuratorFramework;
import org.apache.curator.framework.CuratorFrameworkFactory;
import org.apache.curator.retry.ExponentialBackoffRetry;
public class ReadOnlyClient {
protected static CuratorFramework client = null;
public void initializeClient() throws NoSuchAlgorithmException {
String zkConnectString = "127.0.0.1:2181";
RetryPolicy retryPolicy = new ExponentialBackoffRetry(1000, 3);
String zkReadOnlyUsername = "readuser";
String zkReadOnlyPassword = "readpass";
String readOnlyAuth = zkReadOnlyUsername + ":" + zkReadOnlyPassword;
client = CuratorFrameworkFactory.builder()
.connectString(zkConnectString)
.retryPolicy(retryPolicy)
.authorization("digest", readOnlyAuth.getBytes())
.build();
client.start();
//Now read ZK nodes
}
}