ZooKeeper Client zkCli Commands in Detail

2019-03-02 20:26 Original Zookeeper
Author: dave

The previous post covered setting up a ZooKeeper cluster:

ZooKeeper cluster installation and configuration
https://www.cndba.cn/dave/article/3295

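1 Viewing help

When a ZooKeeper ensemble starts, it waits for clients to connect. A client connects to one node of the ensemble, which may be the leader or a follower. Once the client connects, that node assigns a session ID to the client and sends it an acknowledgement. If the client does not receive the acknowledgement, it tries to connect to another node of the ensemble. Once connected, the client sends heartbeats to the node at regular intervals so that the connection is not lost.

The ZooKeeper command-line interface (CLI) connects to a ZooKeeper cluster and lets you interact with it. Before running any CLI operation, make sure the ZooKeeper service has been started.

After connecting to ZooKeeper with zkCli.sh, run help to list the available commands.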

[hadoop@Slave2 ~]$ zkCli.sh -server 192.168.56.100:2181
Connecting to 192.168.56.100:2181
2019-03-02 18:11:58,166 [myid:] - INFO  [main:Environment@100] - Client environment:zookeeper.version=3.4.13-2d71af4dbe22557fda74f9a9b4309b15a7487f03, built on 06/29/2018 04:05 GMT
2019-03-02 18:11:58,178 [myid:] - INFO  [main:Environment@100] - Client environment:host.name=Slave2
2019-03-02 18:11:58,178 [myid:] - INFO  [main:Environment@100] - Client environment:java.version=1.8.0_181
2019-03-02 18:11:58,181 [myid:] - INFO  [main:Environment@100] - Client environment:java.vendor=Oracle Corporation
2019-03-02 18:11:58,181 [myid:] - INFO  [main:Environment@100] - Client environment:java.home=/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.181-7.b13.el7.x86_64/jre
……
[zk: 192.168.56.100:2181(CONNECTED) 0] help
ZooKeeper -server host:port cmd args
    stat path [watch]
    set path data [version]
    ls path [watch]
    delquota [-n|-b] path
    ls2 path [watch]
    setAcl path acl
    setquota -n|-b val path
    history 
    redo cmdno
    printwatches on|off
    delete path [version]
    sync path
    listquota path
    rmr path
    get path [watch]
    create [-s] [-e] path data acl
    addauth scheme auth
    quit 
    getAcl path
    close 
    connect host:port
[zk: 192.168.56.100:2181(CONNECTED) 1]

2 Creating, deleting, modifying and querying znodes

The znode concept was explained in earlier posts:

ZooKeeper basics
https://www.cndba.cn/dave/article/3293
ZooKeeper workflow
https://www.cndba.cn/dave/article/3294

2.1 Creating nodes: create

Syntax:

create [-s] [-e] path data acl

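-s creates a sequential node
If the sequential flag is used when creating a znode, ZooKeeper appends a number to the znode name we specify. Each time we add another znode with the same name, the number increases. The counter for this sequence number is maintained by the parent node of the sequential znodes.

-e creates an ephemeral node
There are two types of znode: ephemeral and persistent.
The type is specified when the znode is created and cannot be changed afterwards. When the session of the client that created it ends, an ephemeral znode is deleted.
Once created, a persistent znode is no longer tied to the client; it exists until it is explicitly deleted. Ephemeral znodes do not have any children.

Example:

Regular nodes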

[zk: 192.168.56.100:2181(CONNECTED) 3] create /cndba https://www.cndba.cn
Created /cndba
[zk: 192.168.56.100:2181(CONNECTED) 4] create /cndba/dave https://www.cndba.cn/dave
Created /cndba/dave

Sequential nodes

[zk: 192.168.56.100:2181(CONNECTED) 5] create -s /oracle www.oracle.com
Created /oracle0000000001
[zk: 192.168.56.100:2181(CONNECTED) 6] create -s /oracle www.mysql.com 
Created /oracle0000000002
[zk: 192.168.56.100:2181(CONNECTED) 7]

Ephemeral node

[zk: 192.168.56.100:2181(CONNECTED) 7] create -e /Tidb www.ahdba.com 
Created /Tidb

An ephemeral node is also deleted when you exit zkCli.

2.2 Listing nodes: ls

Syntax:

ls path [watch]
ls2 path [watch]

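[watch] adds a watch (monitor): if the node changes, the watch notifies the client. A watch fires only once. To keep receiving notifications about znode creation and deletion, the watch has to be set on the znode again each time.
Creating a node under this path produces a NodeChildrenChanged event; deleting a node under this path produces a NodeDeleted event.

The ls2 command lists everything contained in a directory; unlike ls, it also shows information such as time and version.

List the root node: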

[zk: 192.168.56.100:2181(CONNECTED) 8] ls /
[oracle0000000001, zookeeper, Tidb, cndba, oracle0000000002]
[zk: 192.168.56.100:2181(CONNECTED) 9] ls2 /
[oracle0000000001, zookeeper, Tidb, cndba, oracle0000000002]
cZxid = 0x0
ctime = Thu Jan 01 08:00:00 CST 1970
mZxid = 0x0
mtime = Thu Jan 01 08:00:00 CST 1970
pZxid = 0x100000008
cversion = 3
dataVersion = 0
aclVersion = 0
ephemeralOwner = 0x0
dataLength = 0
numChildren = 5
[zk: 192.168.56.100:2181(CONNECTED) 10]

List child nodes:

[zk: 192.168.56.100:2181(CONNECTED) 10] ls /cndba
[dave]
[zk: 192.168.56.100:2181(CONNECTED) 11]

Using a watch:
Create a watch named mywatch; adding (or deleting) a node under the root node then triggers it. Creating child nodes under other nodes does not trigger it.

[zk: 192.168.56.100:2181(CONNECTED) 11] ls / mywatch
[oracle0000000001, zookeeper, Tidb, cndba, oracle0000000002]
[zk: 192.168.56.100:2181(CONNECTED) 13] create /ustc www.ustc.edu.cn

WATCHER::

WatchedEvent state:SyncConnected type:NodeChildrenChanged path:/
Created /ustc
[zk: 192.168.56.100:2181(CONNECTED) 14]

As shown above, adding the /ustc node under the root node triggered the watch, and the WatchedEvent type is NodeChildrenChanged.

2.3 Getting node information: get

Syntax:

get path [watch]
[watch] adds a watch (monitor): a change to the node's content produces a NodeDataChanged event; deleting the node produces a NodeDeleted event.

Example:

[zk: 192.168.56.100:2181(CONNECTED) 14] get /ustc
www.ustc.edu.cn
cZxid = 0x10000000a
ctime = Sat Mar 02 19:03:27 CST 2019
mZxid = 0x10000000a
mtime = Sat Mar 02 19:03:27 CST 2019
pZxid = 0x10000000a
cversion = 0
dataVersion = 0
aclVersion = 0
ephemeralOwner = 0x0
dataLength = 15
numChildren = 0
[zk: 192.168.56.100:2181(CONNECTED) 15]

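Every update to the znode tree is assigned a globally unique ID called the zxid (ZooKeeper Transaction ID). Update IDs are ordered ascending by the time at which they occurred. For example, if z1 is greater than z2, then the z1 operation happened before the z2 operation.

The status information of each znode contains the following:

  1. czxid: the zxid of the transaction that created the znode
  2. mzxid: the zxid of the last modification of the znode
  3. pzxid: the zxid of the last modification of the znode's children
  4. ctime: the time the znode was created
  5. mtime: the time the znode was last modified
  6. dataVersion: the version of the node's content; it increases every time the content is modified
  7. cversion: the version of the node's children
  8. aclVersion: the version of the node's ACL
  9. ephemeralOwner: for an ephemeral node, the session id of the client that owns the node; for a non-ephemeral node, 0
  10. dataLength: the length of the data stored in the node
  11. numChildren: the number of children of the node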

2.4 Checking status: stat

Syntax:

stat path [watch]
[watch] adds a watch (monitor): a change to the node's content produces a NodeDataChanged event; deleting the node produces a NodeDeleted event.
Unlike get, it does not display the znode's value.

Example:

[zk: 192.168.56.100:2181(CONNECTED) 15] stat /ustc
cZxid = 0x10000000a
ctime = Sat Mar 02 19:03:27 CST 2019
mZxid = 0x10000000a
mtime = Sat Mar 02 19:03:27 CST 2019
pZxid = 0x10000000a
cversion = 0
dataVersion = 0
aclVersion = 0
ephemeralOwner = 0x0
dataLength = 15
numChildren = 0

2.5 Modifying a node: set

Syntax:

set path data [version]
Changes the value of an existing node.

Example:

[zk: 192.168.56.100:2181(CONNECTED) 16] set /ustc mba.ustc.edu.cn
cZxid = 0x10000000a
ctime = Sat Mar 02 19:03:27 CST 2019
mZxid = 0x10000000b
mtime = Sat Mar 02 19:09:20 CST 2019
pZxid = 0x10000000a
cversion = 0
dataVersion = 1
aclVersion = 0
ephemeralOwner = 0x0
dataLength = 15
numChildren = 0

As shown, after the node's value is modified, mZxid, mtime and dataVersion have all changed.
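The fields that change on a write make it possible to tell what kind of modification a znode has seen between two checks. The following is an added example, not part of the original post: it parses the stat output shown above and classifies the difference between two snapshots. The function names are illustrative.

```python
import re

STAT_KEYS = {"cZxid", "mZxid", "pZxid", "cversion", "dataVersion",
             "aclVersion", "ephemeralOwner", "dataLength", "numChildren"}

# Constructed sample: the stat block printed for /ustc on this page before
# `set /ustc mba.ustc.edu.cn`, and the three fields the set output changed.
BEFORE = """\
cZxid = 0x10000000a
ctime = Sat Mar 02 19:03:27 CST 2019
mZxid = 0x10000000a
mtime = Sat Mar 02 19:03:27 CST 2019
pZxid = 0x10000000a
cversion = 0
dataVersion = 0
aclVersion = 0
ephemeralOwner = 0x0
dataLength = 15
numChildren = 0
"""
AFTER = (BEFORE.replace("mZxid = 0x10000000a", "mZxid = 0x10000000b")
               .replace("mtime = Sat Mar 02 19:03:27", "mtime = Sat Mar 02 19:09:20")
               .replace("dataVersion = 0", "dataVersion = 1"))


def parse_stat(text):
    """Parse the stat lines of zkCli stat/get/set output into a dict of ints.

    Prompt lines, log lines and the data line printed by `get` are ignored.
    """
    stat = {}
    for line in text.splitlines():
        m = re.match(r"^(\w+) = (\S+)$", line.strip())
        if m and m.group(1) in STAT_KEYS:
            stat[m.group(1)] = int(m.group(2), 0)  # base 0 accepts 0x... and decimal
    return stat


def classify_change(before, after):
    """Say what changed between two stat snapshots of the same path."""
    if before["cZxid"] != after["cZxid"]:
        return ["recreated"]  # different creating transaction: deleted and created again
    changes = []
    if after["dataVersion"] != before["dataVersion"]:
        changes.append("data")
    if after["aclVersion"] != before["aclVersion"]:
        changes.append("acl")
    if after["cversion"] != before["cversion"]:
        changes.append("children")
    return changes
```
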

2.6 Deleting nodes: rmr

Syntax:

rmr path

Example:

[zk: 192.168.56.100:2181(CONNECTED) 17] rmr /ustc
[zk: 192.168.56.100:2181(CONNECTED) 18] ls /
[oracle0000000001, zookeeper, Tidb, cndba, oracle0000000002]
[zk: 192.168.56.100:2181(CONNECTED) 19]

Deletion returns no output. If the node has children, they are deleted along with it.

2.7 Deleting a node: delete

Syntax:

delete path [version]

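When delete or set is called with a znode version number, it must match the current version. If it does not match, the operation fails. The likely cause is that the znode was modified before our request was submitted, so its version number was incremented. If no version number is given, the operation applies directly to the latest version of the znode.

Example: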

[zk: 192.168.56.100:2181(CONNECTED) 19] create /dave www.cndba.cn
Created /dave
[zk: 192.168.56.100:2181(CONNECTED) 20] ls /
[oracle0000000001, dave, zookeeper, Tidb, cndba, oracle0000000002]
[zk: 192.168.56.100:2181(CONNECTED) 21] delete /dave
[zk: 192.168.56.100:2181(CONNECTED) 22] ls
[zk: 192.168.56.100:2181(CONNECTED) 23]

A node that has children cannot be deleted:

[zk: 192.168.56.100:2181(CONNECTED) 23] delete /cndba
Node not empty: /cndba
[zk: 192.168.56.100:2181(CONNECTED) 24]

3 Other commands

3.1 Command history: history

history lists the 10 most recent commands.

[zk: 192.168.56.100:2181(CONNECTED) 24] history
14 - get /ustc
15 - stat /ustc
16 - set /ustc mba.ustc.edu.cn
17 - rmr /ustc
18 - ls /
19 - create /dave www.cndba.cn
20 - ls /
21 - delete /dave
22 - ls
23 - delete /cndba
24 - history
[zk: 192.168.56.100:2181(CONNECTED) 25]

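3.2 Repeating an earlier command: redo

Syntax: redo cmdno
Re-runs an earlier command by its cmdno. The cmdno is the last number inside the square brackets of the prompt and increments with every command executed.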

[zk: 192.168.56.100:2181(CONNECTED) 25] redo 19
Created /dave
[zk: 192.168.56.100:2181(CONNECTED) 27] ls /
[oracle0000000001, dave, zookeeper, Tidb, cndba, oracle0000000002]
[zk: 192.168.56.100:2181(CONNECTED) 28] redo 21
[zk: 192.168.56.100:2181(CONNECTED) 29] ls /
[oracle0000000001, zookeeper, Tidb, cndba, oracle0000000002]
[zk: 192.168.56.100:2181(CONNECTED) 30]

3.3 Printing watch events (printwatches)

Syntax:

printwatches on|off
Enabled by default. With printwatches off, WATCHER events are not printed.

Example:

[zk: 192.168.56.100:2181(CONNECTED) 30] printwatches
printwatches is on
[zk: 192.168.56.100:2181(CONNECTED) 31] ls / mywatch
[oracle0000000001, zookeeper, Tidb, cndba, oracle0000000002]
[zk: 192.168.56.100:2181(CONNECTED) 32] create /dave dave

WATCHER::

WatchedEvent state:SyncConnected type:NodeChildrenChanged path:/
Created /dave
[zk: 192.168.56.100:2181(CONNECTED) 33] printwatches off 
[zk: 192.168.56.100:2181(CONNECTED) 34] ls / mywatch
[oracle0000000001, dave, zookeeper, Tidb, cndba, oracle0000000002]
[zk: 192.168.56.100:2181(CONNECTED) 35] rmr /dave
[zk: 192.168.56.100:2181(CONNECTED) 36] printwatches on 
[zk: 192.168.56.100:2181(CONNECTED) 37] create /dave dave
Created /dave
[zk: 192.168.56.100:2181(CONNECTED) 38] rmr /dave        
[zk: 192.168.56.100:2181(CONNECTED) 39] ls / mywatch     
[oracle0000000001, zookeeper, Tidb, cndba, oracle0000000002]
[zk: 192.168.56.100:2181(CONNECTED) 40] create /dave dave

WATCHER::

WatchedEvent state:SyncConnected type:NodeChildrenChanged path:/
Created /dave
[zk: 192.168.56.100:2181(CONNECTED) 41] rmr /dave        
[zk: 192.168.56.100:2181(CONNECTED) 42] create /dave dave
Created /dave
[zk: 192.168.56.100:2181(CONNECTED) 43] rmr /dave        
[zk: 192.168.56.100:2181(CONNECTED) 44] ls / mywatch     
[oracle0000000001, zookeeper, Tidb, cndba, oracle0000000002]
[zk: 192.168.56.100:2181(CONNECTED) 45] create /dave dave

WATCHER::

WatchedEvent state:SyncConnected type:NodeChildrenChanged path:/
Created /dave
[zk: 192.168.56.100:2181(CONNECTED) 46] ls / mywatch     
[oracle0000000001, dave, zookeeper, Tidb, cndba, oracle0000000002]
[zk: 192.168.56.100:2181(CONNECTED) 47] rmr /dave        

WATCHER::

WatchedEvent state:SyncConnected type:NodeChildrenChanged path:/
[zk: 192.168.56.100:2181(CONNECTED) 48]

3.4 Closing the connection: close

Syntax: close

[zk: 192.168.56.100:2181(CONNECTED) 49] close
2019-03-02 19:21:35,964 [myid:] - INFO  [main:ZooKeeper@693] - Session: 0x10000b7c1860001 closed
[zk: 192.168.56.100:2181(CLOSED) 50] 2019-03-02 19:21:35,965 [myid:] - INFO  [main-EventThread:ClientCnxn$EventThread@522] - EventThread shut down for session: 0x10000b7c1860001

[zk: 192.168.56.100:2181(CLOSED) 50] ls /
Not connected
[zk: 192.168.56.100:2181(CLOSED) 51]

3.5 Opening a connection: connect

Syntax:

connect host:port
    With host:port specified, connects to a remote zk service. By default it connects to port 2181 on the local machine.

[zk: 192.168.56.100:2181(CLOSED) 51] connect
2019-03-02 19:22:11,019 [myid:] - INFO  [main:ZooKeeper@442] - Initiating client connection, connectString=192.168.56.100:2181 sessionTimeout=30000 watcher=org.apache.zookeeper.ZooKeeperMain$MyWatcher@6a38e57f
[zk: 192.168.56.100:2181(CONNECTING) 52] 2019-03-02 19:22:11,022 [myid:] - INFO  [main-SendThread(Master:2181):ClientCnxn$SendThread@1029] - Opening socket connection to server Master/192.168.56.100:2181. Will not attempt to authenticate using SASL (unknown error)
2019-03-02 19:22:11,024 [myid:] - INFO  [main-SendThread(Master:2181):ClientCnxn$SendThread@879] - Socket connection established to Master/192.168.56.100:2181, initiating session
2019-03-02 19:22:11,032 [myid:] - INFO  [main-SendThread(Master:2181):ClientCnxn$SendThread@1303] - Session establishment complete on server Master/192.168.56.100:2181, sessionid = 0x10000b7c1860002, negotiated timeout = 30000

WATCHER::

WatchedEvent state:SyncConnected type:None path:null

[zk: 192.168.56.100:2181(CONNECTED) 52] ls /
[oracle0000000001, zookeeper, cndba, oracle0000000002]
[zk: 192.168.56.100:2181(CONNECTED) 53]

3.6 Forcing synchronization: sync

Syntax:

sync path
sync forces the state of the server the client is connected to to synchronize with the leader's state, so that a subsequent read of path returns the latest value.

[zk: 192.168.56.100:2181(CONNECTED) 53] sync /cndba
[zk: 192.168.56.100:2181(CONNECTED) 54] Sync returned 0

3.7 Quitting: quit

Syntax:
quit
    Exits the current zkCli command line immediately.

[zk: 192.168.56.100:2181(CONNECTED) 55] quit
Quitting...
2019-03-02 19:24:30,320 [myid:] - INFO  [main:ZooKeeper@693] - Session: 0x10000b7c1860002 closed
2019-03-02 19:24:30,321 [myid:] - INFO  [main-EventThread:ClientCnxn$EventThread@522] - EventThread shut down for session: 0x10000b7c1860002
[hadoop@Slave2 ~]$

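4 ACL operations

A znode holds not only stored data but also an ACL (Access Control List). An ACL can be set when the znode is created to decide who may perform which operations on it.

ACLs have the following characteristics:

  1. ZooKeeper access control is per znode; permissions have to be set on each node
  2. Each znode supports multiple access-control schemes and multiple permissions
  3. Child nodes do not inherit the parent's permissions; a client with no access to a node may still be able to access its children
  4. Consequently any client can obtain the state of any znode through the exists operation and thereby learn whether the znode really exists.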

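ACL Permissions

| ACL permission | ACL abbreviation | Allowed operation |
|---|---|---|
| CREATE | c | Create child nodes |
| READ | r | Get the node's data and its children |
| WRITE | w | Set the node's data |
| DELETE | d | Delete child nodes (next level only) |
| ADMIN | a | Set ACL permissions |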

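Permission-related commands

| Command | Syntax | Description |
|---|---|---|
| getAcl | getAcl path | Read the ACL |
| setAcl | setAcl path acl | Set the ACL |
| addauth | addauth scheme auth | Add an authenticated user |
| create | create [-s] [-e] path data acl | Specify the ACL when creating a node |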

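ACL schemes
ZooKeeper has several built-in access-control schemes; any of the following can be used to set permissions on each node:

| Scheme | Description |
|---|---|
| world | Has a single user, anyone, which stands for everybody (default) |
| ip | Authenticates by IP address |
| auth | Authenticates using users that have already been added |
| digest | Authenticates using "username:password" |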

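An ACL consists of an authentication scheme, an ID for that scheme, and a set of permissions. For example, suppose we want a client with IP address 10.0.0.1 to access a znode. We then set an ACL on the znode that uses the IP scheme, with 10.0.0.1 as the scheme ID, and allows only the read permission. The ACL then has the form: ip:10.0.0.1:w

4.1 The world scheme

Syntax:
setAcl <path> world:anyone:<acl>
The world scheme is the default, and everyone has all permissions:

Example: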
[zk: 192.168.56.102:2181(CONNECTED) 0] ls /
[oracle0000000001, zookeeper, cndba, oracle0000000002]
[zk: 192.168.56.102:2181(CONNECTED) 1] getAcl /cndba
'world,'anyone
: cdrwa
[zk: 192.168.56.102:2181(CONNECTED) 2] setAcl /cndba world:anyone:cdr
cZxid = 0x100000004
ctime = Sat Mar 02 18:54:54 CST 2019
mZxid = 0x100000004
mtime = Sat Mar 02 18:54:54 CST 2019
pZxid = 0x100000005
cversion = 1
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 20
numChildren = 1
[zk: 192.168.56.102:2181(CONNECTED) 3] set /cndba dave
Authentication is not valid : /cndba
[zk: 192.168.56.102:2181(CONNECTED) 4]

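As shown, after the permissions are changed to cdr, the node's data can no longer be set. Note that aclVersion has also changed.

4.2 The IP scheme

Syntax:
setAcl <path> ip:<ip>:<acl>
    <ip>: either a specific IP or the IP/bit form, in which the IP is converted to binary and the first bit bits are matched; for example, 192.168.0.0/16 matches 192.168.*.*

Example: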
[zk: 192.168.56.102:2181(CONNECTED) 4] create /acl test
Created /acl
[zk: 192.168.56.102:2181(CONNECTED) 5] setAcl /acl ip:192.168.56.102:cdrwa
cZxid = 0x100000023
ctime = Sat Mar 02 19:29:07 CST 2019
mZxid = 0x100000023
mtime = Sat Mar 02 19:29:07 CST 2019
pZxid = 0x100000023
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 4
numChildren = 0
[zk: 192.168.56.102:2181(CONNECTED) 6] getAcl /acl
'ip,'192.168.56.102
: cdrwa
[zk: 192.168.56.102:2181(CONNECTED) 7]

Access the node from another machine:

[zk: 192.168.56.101:2181(CONNECTED) 1] get /acl
Authentication is not valid : /acl
[zk: 192.168.56.101:2181(CONNECTED) 2]

This reports no permission. Now we create a child node:

[zk: 192.168.56.102:2181(CONNECTED) 7] create /acl/subacl test
Created /acl/subacl
[zk: 192.168.56.102:2181(CONNECTED) 8]

The other machine can now operate on it:

[zk: 192.168.56.101:2181(CONNECTED) 2] get /acl/subacl
test
cZxid = 0x100000025
ctime = Sat Mar 02 19:30:45 CST 2019
mZxid = 0x100000025
mtime = Sat Mar 02 19:30:45 CST 2019
pZxid = 0x100000025
cversion = 0
dataVersion = 0
aclVersion = 0
ephemeralOwner = 0x0
dataLength = 4
numChildren = 0
[zk: 192.168.56.101:2181(CONNECTED) 3]
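Because child nodes do not inherit the parent's ACL, a node created under a restricted parent is open to everyone unless its own ACL is set, as the session above shows. The following is an added example, not part of the original post: it parses getAcl output and flags such nodes. The sample ACLs are constructed from the sessions on this page, with /acl/subacl assumed to carry the default world:anyone:cdrwa; the function names are illustrative.

```python
import re

# Constructed sample: getAcl output per path, modelled on the sessions above.
# /acl/subacl is assumed to carry the default ACL it got at creation.
SAMPLE = {
    "/acl": "'ip,'192.168.56.102\n: cdrwa",
    "/acl/subacl": "'world,'anyone\n: cdrwa",
    "/cndba": "'world,'anyone\n: cdr",
    "/ustc": "'digest,'admin:x1nq8J5GOJVPY6zgzhtTtA9izLc=\n: cdrwa",
}


def parse_getacl(text):
    """Parse zkCli getAcl output into a list of (scheme, id, perms) tuples."""
    entries, pending = [], None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"^'(\w+),'(.*)$", line)
        if m:
            pending = m.groups()
        elif line.startswith(":") and pending:
            entries.append((pending[0], pending[1], line[1:].strip()))
            pending = None
    return entries


def world_perms(entries):
    """Permissions granted to world:anyone ('' if there is no such entry)."""
    return "".join(p for s, i, p in entries if (s, i) == ("world", "anyone"))


def audit(acls):
    """Return (path, finding, perms) tuples for ACLs that deserve a second look."""
    parsed = {path: parse_getacl(text) for path, text in acls.items()}
    findings = []
    for path in sorted(parsed):
        world = world_perms(parsed[path])
        if not world:
            continue
        modify = "".join(c for c in "cdwa" if c in world)
        if modify:  # anyone may create/delete children, write data or change the ACL
            findings.append((path, "world-modifiable", modify))
        parent = path.rsplit("/", 1)[0]
        if parent in parsed and not world_perms(parsed[parent]):
            findings.append((path, "open-under-restricted-parent", world))
    return findings
```
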

4.3 The auth scheme

Syntax:
addauth digest <user>:<password> # add an authenticated user
setAcl <path> auth:<user>:<acl>

Example:
[zk: 192.168.56.102:2181(CONNECTED) 8] addauth digest dave:dave
[zk: 192.168.56.102:2181(CONNECTED) 9] setAcl /acl auth:dave:cdrwa
cZxid = 0x100000023
ctime = Sat Mar 02 19:29:07 CST 2019
mZxid = 0x100000023
mtime = Sat Mar 02 19:29:07 CST 2019
pZxid = 0x100000025
cversion = 1
dataVersion = 0
aclVersion = 2
ephemeralOwner = 0x0
dataLength = 4
numChildren = 1
[zk: 192.168.56.102:2181(CONNECTED) 10] getAcl /acl
'digest,'dave:iuMj90UmMB4J/1hbVvj1iTDNdbU=
: cdrwa
[zk: 192.168.56.102:2181(CONNECTED) 11] get /acl
test
cZxid = 0x100000023
ctime = Sat Mar 02 19:29:07 CST 2019
mZxid = 0x100000023
mtime = Sat Mar 02 19:29:07 CST 2019
pZxid = 0x100000025
cversion = 1
dataVersion = 0
aclVersion = 2
ephemeralOwner = 0x0
dataLength = 4
numChildren = 1
[zk: 192.168.56.102:2181(CONNECTED) 12]

If we test by disconnecting the session, the node can no longer be accessed; the authenticated user has to be added again with addauth:

[zk: 192.168.56.102:2181(CONNECTED) 0] get /acl
Authentication is not valid : /acl
[zk: 192.168.56.102:2181(CONNECTED) 1] addauth digest dave:dave
[zk: 192.168.56.102:2181(CONNECTED) 2] get /acl                
test
cZxid = 0x100000023
ctime = Sat Mar 02 19:29:07 CST 2019
mZxid = 0x100000023
mtime = Sat Mar 02 19:29:07 CST 2019
pZxid = 0x100000025
cversion = 1
dataVersion = 0
aclVersion = 2
ephemeralOwner = 0x0
dataLength = 4
numChildren = 1
[zk: 192.168.56.102:2181(CONNECTED) 3]

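Of course, the ACL can also be specified directly when the znode is created, but after disconnecting, the authenticated user still has to be added before the data can be read: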
[zk: 192.168.56.102:2181(CONNECTED) 14] create /newacl dave auth:admin:cdrwa
Created /newacl

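4.4 The digest scheme

Syntax:
setAcl <path> digest:<user>:<password>:<acl>

Note that the password here is a ciphertext produced by SHA1 and BASE64. In the shell it can be computed with the following command:

Format: echo -n <user>:<password> | openssl dgst -binary -sha1 | openssl base64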
[root@Master ~]# echo -n admin:admin | openssl dgst -binary -sha1 | openssl base64
x1nq8J5GOJVPY6zgzhtTtA9izLc=

Example:
[zk: localhost:2181(CONNECTED) 8] create /mynode2 hello
Created /mynode2

# Add the permission using the digest computed above:
[zk: 192.168.56.102:2181(CONNECTED) 7] create /ustc ustc
Created /ustc
[zk: 192.168.56.102:2181(CONNECTED) 8] setAcl /ustc digest:admin:x1nq8J5GOJVPY6zgzhtTtA9izLc=:cdrwa
cZxid = 0x10000002a
ctime = Sat Mar 02 19:54:57 CST 2019
mZxid = 0x10000002a
mtime = Sat Mar 02 19:54:57 CST 2019
pZxid = 0x10000002a
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 4
numChildren = 0
[zk: 192.168.56.102:2181(CONNECTED) 9] 

[zk: 192.168.56.102:2181(CONNECTED) 9] getAcl /ustc
'digest,'admin:x1nq8J5GOJVPY6zgzhtTtA9izLc=
: cdrwa
[zk: 192.168.56.102:2181(CONNECTED) 11] get /ustc
Authentication is not valid : /ustc
[zk: 192.168.56.102:2181(CONNECTED) 12]

The query here reports no permission, but after the authenticated user is added the node can be accessed normally:

[zk: 192.168.56.102:2181(CONNECTED) 12] addauth digest admin:admin
[zk: 192.168.56.102:2181(CONNECTED) 13] get /ustc                 
ustc
cZxid = 0x10000002a
ctime = Sat Mar 02 19:54:57 CST 2019
mZxid = 0x10000002a
mtime = Sat Mar 02 19:54:57 CST 2019
pZxid = 0x10000002a
cversion = 0
dataVersion = 0
aclVersion = 1
ephemeralOwner = 0x0
dataLength = 4
numChildren = 0
[zk: 192.168.56.102:2181(CONNECTED) 14]

5 zookeeper quota

The zookeeper quota mechanism supports limits on node count (namespace) and on space (bytes). Quotas are stored under the /zookeeper/quota node; an ACL can be set on that node to prevent others from modifying it.

Syntax:
listquota path
setquota -n|-b val path
delquota [-n|-b] path

Usage:
[zk: 192.168.56.102:2181(CONNECTED) 16] ls /
[newacl, zookeeper, oracle0000000002, oracle0000000001, acl, ustc, cndba]
[zk: 192.168.56.102:2181(CONNECTED) 17]
# Nothing is set by default
[zk: 192.168.56.102:2181(CONNECTED) 18] ls /zookeeper/quota
[]
[zk: 192.168.56.102:2181(CONNECTED) 21] listquota /ustc
absolute path is /zookeeper/quota/ustc/zookeeper_limits
quota for /ustc does not exist.
[zk: 192.168.56.102:2181(CONNECTED) 22]


Set a quota:
[zk: 192.168.56.102:2181(CONNECTED) 22] setquota -n 3 /ustc
Comment: the parts are option -n val 3 path /ustc
Here -n sets a znode count limit: the number of znodes under the path /ustc is limited to 3 (including /mynode itself)

[zk: 192.168.56.102:2181(CONNECTED) 23] create /ustc/dave sub1
Created /ustc/dave
[zk: 192.168.56.102:2181(CONNECTED) 24] create /ustc/dave1 sub1
Created /ustc/dave1
[zk: 192.168.56.102:2181(CONNECTED) 25] create /ustc/dave2 sub1
Created /ustc/dave2
[zk: 192.168.56.102:2181(CONNECTED) 26] create /ustc/dave3 sub1
Created /ustc/dave3
[zk: 192.168.56.102:2181(CONNECTED) 27] listquota /ustc
absolute path is /zookeeper/quota/ustc/zookeeper_limits
Output quota for /ustc count=3,bytes=-1
Output stat for /ustc count=5,bytes=20
[zk: 192.168.56.102:2181(CONNECTED) 28]

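Note: even when the node count exceeds the limit, no message is shown; zookeeper only writes a warning to its log.

listquota lists the quota configured for the node and the node's actual usage.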

[zk: 192.168.56.102:2181(CONNECTED) 28] delquota -n /ustc
[zk: 192.168.56.102:2181(CONNECTED) 29] listquota /ustc  
absolute path is /zookeeper/quota/ustc/zookeeper_limits
Output quota for /ustc count=-1,bytes=-1
Output stat for /ustc count=5,bytes=20

After the quota is deleted, count becomes -1 as well.
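Since exceeding a quota only produces a log warning, the comparison has to be made by whoever operates the cluster. The following is an added example, not part of the original post: it parses listquota output and reports every limit that is exceeded. The function names are illustrative.

```python
import re

QUOTA_LINE = re.compile(
    r"^Output (quota|stat) for (\S+) count=(-?\d+),bytes=(-?\d+)$")

# Constructed sample: the listquota output shown above for /ustc.
SAMPLE = """\
absolute path is /zookeeper/quota/ustc/zookeeper_limits
Output quota for /ustc count=3,bytes=-1
Output stat for /ustc count=5,bytes=20
"""


def parse_listquota(text):
    """Return {path: {"quota": (count, bytes), "stat": (count, bytes)}}."""
    result = {}
    for line in text.splitlines():
        m = QUOTA_LINE.match(line.strip())
        if m:
            kind, path, count, nbytes = m.groups()
            result.setdefault(path, {})[kind] = (int(count), int(nbytes))
    return result


def over_quota(text):
    """List (path, limit_name, used, limit) for each exceeded limit.

    A limit of -1 means "not set". Paths without both lines (for example
    "quota for /x does not exist.") are skipped.
    """
    violations = []
    for path, rec in sorted(parse_listquota(text).items()):
        if "quota" not in rec or "stat" not in rec:
            continue
        for name, limit, used in zip(("count", "bytes"), rec["quota"], rec["stat"]):
            if limit > -1 and used > limit:
                violations.append((path, name, used, limit))
    return violations
```
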

Copyright notice: this is an original article by the author and may not be reproduced without the author's permission.
