Zookeeper Watcher核心機制·安全認證(ACL)·實際應用

zookeeper有watch事件,是一次性觸發的,當watch監視的數據發生變化時,通知設置了該watch的client,即watcher。

同樣,其watcher是監聽數據發送了某些變化,那就一定會有相應的事件類型和狀態類型

事件類型:

  • EventType.NodeCreated 節點創建
  • EventType.NodeDeleted節點刪除
  • EventType.NodeDataChanged節點數據改變
  • EventType.NodeChildChanged子節點改變

狀態類型

  • KeeperState.Disconnected
  • KeeperState.SyncConnected
  • KeeperState.AuthFailed
  • KeeperState.Expired

watcher簡單示例

/**
 * Zookeeper Wathcher 
 * 本類就是一個Watcher類(實現了org.apache.zookeeper.Watcher類)
 */
public class ZooKeeperWatcher implements Watcher {

    /** 定義原子變量 */
    AtomicInteger seq = new AtomicInteger();
    /** 定義session失效時間 */
    private static final int SESSION_TIMEOUT = 10000;
    /** zookeeper服務器地址 */
    private static final String CONNECTION_ADDR = "192.168.252.132:2181";
    /** zk父路徑設置 */
    private static final String PARENT_PATH = "/testWatch";
    /** zk子路徑設置 */
    private static final String CHILDREN_PATH = "/testWatch/children";
    /** 進入標識 */
    private static final String LOG_PREFIX_OF_MAIN = "【Main】";
    /** zk變量 */
    private ZooKeeper zk = null;
    /** 信號量設置,用於等待zookeeper連接建立之後 通知阻塞程序繼續向下執行 */
    private CountDownLatch connectedSemaphore = new CountDownLatch(1);

    /**
     * 創建ZK連接
     * @param connectAddr ZK服務器地址列表
     * @param sessionTimeout Session超時時間
     */
    public void createConnection(String connectAddr, int sessionTimeout) {
        this.releaseConnection();
        try {
            zk = new ZooKeeper(connectAddr, sessionTimeout, this);
            System.out.println(LOG_PREFIX_OF_MAIN + "開始連接ZK服務器");
            connectedSemaphore.await();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    /**
     * 關閉ZK連接
     */
    public void releaseConnection() {
        if (this.zk != null) {
            try {
                this.zk.close();
            } catch (InterruptedException e) {
                e.printStackTrace();
            }
        }
    }

    /**
     * 創建節點
     * @param path 節點路徑
     * @param data 數據內容
     * @return boolean
     */
    public boolean createPath(String path, String data) {
        try {
            //watcher是一次性的
            //設置監控(由於zookeeper的監控都是一次性的所以 每次必須設置監控)
            this.zk.exists(path, true);
            System.out.println(LOG_PREFIX_OF_MAIN + "節點創建成功, Path: " + 
                               this.zk.create(  /**路徑*/ 
                                                path, 
                                                /**數據*/
                                                data.getBytes(), 
                                                /**所有可見*/
                                                Ids.OPEN_ACL_UNSAFE, 
                                                /**永久存儲*/
                                                CreateMode.PERSISTENT ) +   
                               ", content: " + data);
        } catch (Exception e) {
            e.printStackTrace();
            return false;
        }
        return true;
    }

    /**
     * 讀取指定節點數據內容
     * @param path 節點路徑
     * @return
     */
    public String readData(String path, boolean needWatch) {
        try {
            return new String(this.zk.getData(path, needWatch, null));
        } catch (Exception e) {
            e.printStackTrace();
            return "";
        }
    }

    /**
     * 更新指定節點數據內容
     * @param path 節點路徑
     * @param data 數據內容
     * @return
     */
    public boolean writeData(String path, String data) {
        try {
            System.out.println(LOG_PREFIX_OF_MAIN + "更新數據成功,path:" + path + ", stat: " +
                                this.zk.setData(path, data.getBytes(), -1));
        } catch (Exception e) {
            e.printStackTrace();
        }
        return false;
    }

    /**
     * 刪除指定節點
     * 
     * @param path
     *            節點path
     */
    public void deleteNode(String path) {
        try {
            this.zk.delete(path, -1);
            System.out.println(LOG_PREFIX_OF_MAIN + "刪除節點成功,path:" + path);
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    /**
     * 判斷指定節點是否存在
     * @param path 節點路徑
     */
    public Stat exists(String path, boolean needWatch) {
        try {
            return this.zk.exists(path, needWatch);
        } catch (Exception e) {
            e.printStackTrace();
            return null;
        }
    }

    /**
     * 獲取子節點
     * @param path 節點路徑
     */
    private List<String> getChildren(String path, boolean needWatch) {
        try {
            return this.zk.getChildren(path, needWatch);
        } catch (Exception e) {
            e.printStackTrace();
            return null;
        }
    }

    /**
     * 刪除所有節點
     */
    public void deleteAllTestPath() {
        if(this.exists(CHILDREN_PATH, false) != null){
            this.deleteNode(CHILDREN_PATH);
        }
        if(this.exists(PARENT_PATH, false) != null){
            this.deleteNode(PARENT_PATH);
        }       
    }

    /**
     * 收到來自Server的Watcher通知後的處理。
     */
    @Override
    public void process(WatchedEvent event) {

        System.out.println("進入 process 。。。。。event = " + event);

        try {
            Thread.sleep(200);
        } catch (InterruptedException e) {
            e.printStackTrace();
        }

        if (event == null) {
            return;
        }

        // 連接狀態
        KeeperState keeperState = event.getState();
        // 事件類型
        EventType eventType = event.getType();
        // 受影響的path
        String path = event.getPath();

        String logPrefix = "【Watcher-" + this.seq.incrementAndGet() + "】";

        System.out.println(logPrefix + "收到Watcher通知");
        System.out.println(logPrefix + "連接狀態:\t" + keeperState.toString());
        System.out.println(logPrefix + "事件類型:\t" + eventType.toString());

        if (KeeperState.SyncConnected == keeperState) {
            // 成功連接上ZK服務器
            if (EventType.None == eventType) {
                System.out.println(logPrefix + "成功連接上ZK服務器");
                connectedSemaphore.countDown();
            } 
            //創建節點
            else if (EventType.NodeCreated == eventType) {
                System.out.println(logPrefix + "節點創建");
                try {
                    Thread.sleep(100);
                } catch (InterruptedException e) {
                    e.printStackTrace();
                }
                this.exists(path, true);
            } 
            //更新節點
            else if (EventType.NodeDataChanged == eventType) {
                System.out.println(logPrefix + "節點數據更新");
                System.out.println("我看看走不走這裏........");
                try {
                    Thread.sleep(100);
                } catch (InterruptedException e) {
                    e.printStackTrace();
                }
                System.out.println(logPrefix + "數據內容: " + this.readData(PARENT_PATH, true));
            } 
            //更新子節點
            else if (EventType.NodeChildrenChanged == eventType) {
                System.out.println(logPrefix + "子節點變更");
                try {
                    Thread.sleep(3000);
                } catch (InterruptedException e) {
                    e.printStackTrace();
                }
                System.out.println(logPrefix + "子節點列表:" + this.getChildren(PARENT_PATH, true));
            } 
            //刪除節點
            else if (EventType.NodeDeleted == eventType) {
                System.out.println(logPrefix + "節點 " + path + " 被刪除");
            }
            else ;
        } 
        else if (KeeperState.Disconnected == keeperState) {
            System.out.println(logPrefix + "與ZK服務器斷開連接");
        } 
        else if (KeeperState.AuthFailed == keeperState) {
            System.out.println(logPrefix + "權限檢查失敗");
        } 
        else if (KeeperState.Expired == keeperState) {
            System.out.println(logPrefix + "會話失效");
        }
        else ;

        System.out.println("--------------------------------------------");

    }

    /**
     * <B>方法名稱:</B>測試zookeeper監控<BR>
     * <B>概要說明:</B>主要測試watch功能<BR>
     * @param args
     * @throws Exception
     */
    public static void main(String[] args) throws Exception {

        //建立watcher
        ZooKeeperWatcher zkWatch = new ZooKeeperWatcher();
        //創建連接
        zkWatch.createConnection(CONNECTION_ADDR, SESSION_TIMEOUT);
        //System.out.println(zkWatch.zk.toString());

        Thread.sleep(1000);

        // 清理節點
        zkWatch.deleteAllTestPath();

        if (zkWatch.createPath(PARENT_PATH, System.currentTimeMillis() + "")) {

            Thread.sleep(1000);         

            // 讀取數據
            System.out.println("---------------------- read parent ----------------------------");
            zkWatch.readData(PARENT_PATH, true);

            // 讀取子節點
            System.out.println("---------------------- read children path ----------------------------");
            zkWatch.getChildren(PARENT_PATH, true);

            // 更新數據
            zkWatch.writeData(PARENT_PATH, System.currentTimeMillis() + "");

            Thread.sleep(1000);

        // 創建子節點
            zkWatch.createPath(CHILDREN_PATH, System.currentTimeMillis() + "");
            Thread.sleep(1000);

            zkWatch.writeData(CHILDREN_PATH, System.currentTimeMillis() + "");
        }

        Thread.sleep(50000);
    // 清理節點
        zkWatch.deleteAllTestPath();
        Thread.sleep(1000);
        zkWatch.releaseConnection();
    }

}

Zookeeper中的Access Control(ACL)

概述
傳統的文件系統中,ACL分爲兩個維度,一個是屬組,一個是權限,子目錄/文件默認繼承父目錄的ACL。而在Zookeeper中,node的ACL是沒有繼承關係的,是獨立控制的。Zookeeper的ACL,可以從三個維度來理解:一是scheme; 二是user; 三是permission,通常表示爲scheme:id:permissions, 下面從這三個方面分別來介紹:

  1. scheme: scheme對應於採用哪種方案來進行權限管理,zookeeper實現了一個pluggable的ACL方案,可以通過擴展scheme,來擴展ACL的機制。zookeeper-3.4.4缺省支持下面幾種scheme:

    • world: 它下面只有一個id, 叫anyone, world:anyone代表任何人,zookeeper中對所有人有權限的結點就是屬於world:anyone的

    • auth: 它不需要id, 只要是通過authentication的user都有權限(zookeeper支持通過kerberos來進行authencation, 也支持username/password形式的authentication)

    • digest: 它對應的id爲username:BASE64(SHA1(password)),它需要先通過username:password形式的authentication

    • ip: 它對應的id爲客戶機的IP地址,設置的時候可以設置一個ip段,比如ip:192.168.1.0/16, 表示匹配前16個bit的IP段

    • super: 在這種scheme情況下,對應的id擁有超級權限,可以做任何事情(cdrwa)

    • sasl: sasl的對應的id,是一個通過sasl authentication用戶的id,zookeeper-3.4.4中的sasl authentication是通過kerberos來實現的,也就是說用戶只有通過了kerberos認證,才能訪問它有權限的node.

2 . id: id與scheme是緊密相關的,具體的情況在上面介紹scheme的過程都已介紹,這裏不再贅述。
3. permission: zookeeper目前支持下面一些權限:

CREATE(c): 創建權限,可以在在當前node下創建child node DELETE(d): 刪除權限,可以刪除當前的node
READ(r): 讀權限,可以獲取當前node的數據,可以list當前node所有的child nodes WRITE(w):
寫權限,可以向當前node寫數據 ADMIN(a): 管理權限,可以設置當前node的permission


digest模式下的示例

public class ZookeeperAuth implements Watcher {

    /** 連接地址 */
    final static String CONNECT_ADDR = "192.168.252.132:2181";
    /** 測試路徑 */
    final static String PATH = "/testAuth";
    final static String PATH_DEL = "/testAuth/delNode";
    /** 認證類型 */
    final static String authentication_type = "digest";
    /** 認證正確方法 */
    final static String correctAuthentication = "123456";
    /** 認證錯誤方法 */
    final static String badAuthentication = "654321";

    static ZooKeeper zk = null;
    /** 計時器 */
    AtomicInteger seq = new AtomicInteger();
    /** 標識 */
    private static final String LOG_PREFIX_OF_MAIN = "【Main】";

    private CountDownLatch connectedSemaphore = new CountDownLatch(1);

    @Override
    public void process(WatchedEvent event) {
        try {
            Thread.sleep(200);
        } catch (InterruptedException e) {
            e.printStackTrace();
        }
        if (event==null) {
            return;
        }
        // 連接狀態
        KeeperState keeperState = event.getState();
        // 事件類型
        EventType eventType = event.getType();
        // 受影響的path
        String path = event.getPath();

        String logPrefix = "【Watcher-" + this.seq.incrementAndGet() + "】";

        System.out.println(logPrefix + "收到Watcher通知");
        System.out.println(logPrefix + "連接狀態:\t" + keeperState.toString());
        System.out.println(logPrefix + "事件類型:\t" + eventType.toString());
        if (KeeperState.SyncConnected == keeperState) {
            // 成功連接上ZK服務器
            if (EventType.None == eventType) {
                System.out.println(logPrefix + "成功連接上ZK服務器");
                connectedSemaphore.countDown();
            } 
        } else if (KeeperState.Disconnected == keeperState) {
            System.out.println(logPrefix + "與ZK服務器斷開連接");
        } else if (KeeperState.AuthFailed == keeperState) {
            System.out.println(logPrefix + "權限檢查失敗");
        } else if (KeeperState.Expired == keeperState) {
            System.out.println(logPrefix + "會話失效");
        }
        System.out.println("--------------------------------------------");
    }
    /**
     * 創建ZK連接
     * 
     * @param connectString
     *            ZK服務器地址列表
     * @param sessionTimeout
     *            Session超時時間
     */
    public void createConnection(String connectString, int sessionTimeout) {
        this.releaseConnection();
        try {
            zk = new ZooKeeper(connectString, sessionTimeout, this);
            //添加節點授權
            zk.addAuthInfo(authentication_type,correctAuthentication.getBytes());
            System.out.println(LOG_PREFIX_OF_MAIN + "開始連接ZK服務器");
            //倒數等待
            connectedSemaphore.await();
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

    /**
     * 關閉ZK連接
     */
    public void releaseConnection() {
        if (this.zk!=null) {
            try {
                this.zk.close();
            } catch (InterruptedException e) {
            }
        }
    }

    /**
     * 
     * <B>方法名稱:</B>測試函數<BR>
     * <B>概要說明:</B>測試認證<BR>
     * @param args
     * @throws Exception
     */
    public static void main(String[] args) throws Exception {

        ZookeeperAuth testAuth = new ZookeeperAuth();
        testAuth.createConnection(CONNECT_ADDR,2000);
        List<ACL> acls = new ArrayList<ACL>(1);
        for (ACL ids_acl : Ids.CREATOR_ALL_ACL) {
            acls.add(ids_acl);
        }

        try {
            zk.create(PATH, "init content".getBytes(), acls, CreateMode.PERSISTENT);
            System.out.println("使用授權key:" + correctAuthentication + "創建節點:"+ PATH + ", 初始內容是: init content");
        } catch (Exception e) {
            e.printStackTrace();
        }
        try {
            zk.create(PATH_DEL, "will be deleted! ".getBytes(), acls, CreateMode.PERSISTENT);
            System.out.println("使用授權key:" + correctAuthentication + "創建節點:"+ PATH_DEL + ", 初始內容是: init content");
        } catch (Exception e) {
            e.printStackTrace();
        }

        // 獲取數據
        getDataByNoAuthentication();
        getDataByBadAuthentication();
        getDataByCorrectAuthentication();

        // 更新數據
        updateDataByNoAuthentication();
        updateDataByBadAuthentication();
        updateDataByCorrectAuthentication();

        // 刪除數據
        deleteNodeByBadAuthentication();
        deleteNodeByNoAuthentication();
        deleteNodeByCorrectAuthentication();
        //
        Thread.sleep(1000);

        deleteParent();
        //釋放連接
        testAuth.releaseConnection();
    }
    /** 獲取數據:採用錯誤的密碼 */
    static void getDataByBadAuthentication() {
        String prefix = "[使用錯誤的授權信息]";
        try {
            ZooKeeper badzk = new ZooKeeper(CONNECT_ADDR, 2000, null);
            //授權
            badzk.addAuthInfo(authentication_type,badAuthentication.getBytes());
            Thread.sleep(2000);
            System.out.println(prefix + "獲取數據:" + PATH);
            System.out.println(prefix + "成功獲取數據:" + badzk.getData(PATH, false, null));
        } catch (Exception e) {
            System.err.println(prefix + "獲取數據失敗,原因:" + e.getMessage());
        }
    }

    /** 獲取數據:不採用密碼 */
    static void getDataByNoAuthentication() {
        String prefix = "[不使用任何授權信息]";
        try {
            System.out.println(prefix + "獲取數據:" + PATH);
            ZooKeeper nozk = new ZooKeeper(CONNECT_ADDR, 2000, null);
            Thread.sleep(2000);
            System.out.println(prefix + "成功獲取數據:" + nozk.getData(PATH, false, null));
        } catch (Exception e) {
            System.err.println(prefix + "獲取數據失敗,原因:" + e.getMessage());
        }
    }

    /** 採用正確的密碼 */
    static void getDataByCorrectAuthentication() {
        String prefix = "[使用正確的授權信息]";
        try {
            System.out.println(prefix + "獲取數據:" + PATH);

            System.out.println(prefix + "成功獲取數據:" + zk.getData(PATH, false, null));
        } catch (Exception e) {
            System.out.println(prefix + "獲取數據失敗,原因:" + e.getMessage());
        }
    }

    /**
     * 更新數據:不採用密碼
     */
    static void updateDataByNoAuthentication() {

        String prefix = "[不使用任何授權信息]";

        System.out.println(prefix + "更新數據: " + PATH);
        try {
            ZooKeeper nozk = new ZooKeeper(CONNECT_ADDR, 2000, null);
            Thread.sleep(2000);
            Stat stat = nozk.exists(PATH, false);
            if (stat!=null) {
                nozk.setData(PATH, prefix.getBytes(), -1);
                System.out.println(prefix + "更新成功");
            }
        } catch (Exception e) {
            System.err.println(prefix + "更新失敗,原因是:" + e.getMessage());
        }
    }

    /**
     * 更新數據:採用錯誤的密碼
     */
    static void updateDataByBadAuthentication() {

        String prefix = "[使用錯誤的授權信息]";

        System.out.println(prefix + "更新數據:" + PATH);
        try {
            ZooKeeper badzk = new ZooKeeper(CONNECT_ADDR, 2000, null);
            //授權
            badzk.addAuthInfo(authentication_type,badAuthentication.getBytes());
            Thread.sleep(2000);
            Stat stat = badzk.exists(PATH, false);
            if (stat!=null) {
                badzk.setData(PATH, prefix.getBytes(), -1);
                System.out.println(prefix + "更新成功");
            }
        } catch (Exception e) {
            System.err.println(prefix + "更新失敗,原因是:" + e.getMessage());
        }
    }

    /**
     * 更新數據:採用正確的密碼
     */
    static void updateDataByCorrectAuthentication() {

        String prefix = "[使用正確的授權信息]";

        System.out.println(prefix + "更新數據:" + PATH);
        try {
            Stat stat = zk.exists(PATH, false);
            if (stat!=null) {
                zk.setData(PATH, prefix.getBytes(), -1);
                System.out.println(prefix + "更新成功");
            }
        } catch (Exception e) {
            System.err.println(prefix + "更新失敗,原因是:" + e.getMessage());
        }
    }

    /**
     * 不使用密碼 刪除節點
     */
    static void deleteNodeByNoAuthentication() throws Exception {

        String prefix = "[不使用任何授權信息]";

        try {
            System.out.println(prefix + "刪除節點:" + PATH_DEL);
            ZooKeeper nozk = new ZooKeeper(CONNECT_ADDR, 2000, null);
            Thread.sleep(2000);
            Stat stat = nozk.exists(PATH_DEL, false);
            if (stat!=null) {
                nozk.delete(PATH_DEL,-1);
                System.out.println(prefix + "刪除成功");
            }
        } catch (Exception e) {
            System.err.println(prefix + "刪除失敗,原因是:" + e.getMessage());
        }
    }

    /**
     * 採用錯誤的密碼刪除節點
     */
    static void deleteNodeByBadAuthentication() throws Exception {

        String prefix = "[使用錯誤的授權信息]";

        try {
            System.out.println(prefix + "刪除節點:" + PATH_DEL);
            ZooKeeper badzk = new ZooKeeper(CONNECT_ADDR, 2000, null);
            //授權  使用錯誤的授權碼badAuthentication
            badzk.addAuthInfo(authentication_type,badAuthentication.getBytes());
            Thread.sleep(2000);
            Stat stat = badzk.exists(PATH_DEL, false);
            if (stat!=null) {
                badzk.delete(PATH_DEL, -1);
                System.out.println(prefix + "刪除成功");
            }
        } catch (Exception e) {
            System.err.println(prefix + "刪除失敗,原因是:" + e.getMessage());
        }
    }

    /**
     * 使用正確的密碼刪除節點
     */
    static void deleteNodeByCorrectAuthentication() throws Exception {

        String prefix = "[使用正確的授權信息]";

        try {
            System.out.println(prefix + "刪除節點:" + PATH_DEL);
            Stat stat = zk.exists(PATH_DEL, false);
            if (stat!=null) {
                zk.delete(PATH_DEL, -1);
                System.out.println(prefix + "刪除成功");
            }
        } catch (Exception e) {
            System.out.println(prefix + "刪除失敗,原因是:" + e.getMessage());
        }
    }

    /**
     * 使用正確的密碼刪除節點
     */
    static void deleteParent() throws Exception {
        try {
            Stat stat = zk.exists(PATH_DEL, false);
            if (stat == null) {
                zk.delete(PATH, -1);
            }
        } catch (Exception e) {
            e.printStackTrace();
        }
    }

}
發表評論
所有評論
還沒有人評論,想成為第一個評論的人麼? 請在上方評論欄輸入並且點擊發布.
相關文章