使用zookeeper zkCli.sh 连接 zookeeper服务时,默认裸连,晓得ip与端口之后即可连接zookeeper服务,本文使用SASL 用户名密码配置服务端与客户端,在zkCli连接前,服务端配置xxxjaas.conf保存用户名密码,客户端(也就是zkCli或者各种语言的sdk)连接时同样也需要xxxjaas.conf文件来进行认证
JAAS文件格式以及读取时注意事项
原文连接
文章使用zookeeper官方网站下载的服务包 apache-zookeeper-3.6.4-bin
(巨坑!!!)注意Server 尖括号,尖括号的上一行的末尾要加分号 ;
(巨坑!!!)注意Server 尖括号,尖括号的上一行的末尾要加分号 ;
(巨坑!!!)注意Server 尖括号,尖括号的上一行的末尾要加分号 ;
(文章使用zookeeper官网下载的包)zookeeper服务端和客户端,分别在在zookeeper的conf/ 目录下添加xxxjaas.conf (注意要以.conf结尾,文件名应该没有要求)
这里在 服务端和客户端的 conf目录下分别建立了 java.env 和 zookeeper-env.sh
zkServer.sh启动时会执行一下 zkEnv.sh, 在zkEnv.sh 执行时会判断一下java.env zookeeper-env.sh 是否存在,这两个脚本谁存在就执行一下,因此这俩脚本可以做zookeeper 服务或者客户端启动前的变量配置,样例如下
服务端 /conf 下 vim 创建 zookeeper-env.sh 文件
客户端 /conf 下创建 zookeeper-env.sh 文件
记得创建完 java.env 或者 zookeeper-env.sh后 使用chmod a+x 赋予这俩脚本的可执行权限,不然zookeeper服务端或者客户端启动时是不会给你带上自定义参数的!!!
windows端可以看下 zkServer.cmd 与 zkCli.cmd 脚本的内容,可以修改脚本设置环境参数,具体如何修改照着脚本内的语句写
=========================================================================
需要注意的参数
-
maxClientCnxns=5
可以防止针对zookeeper的dos... 这个参数限制单个ip对zookeepeer服务的最大连接数,下面的服务配置为5,然后本地启动多个zkCli.sh 对zookeeper服务进行连接,第六个时则报错,服务端报错信息如下
2023-07-12 00:32:39,683 [myid:x] - WARN [NIOServerCxnFactory.AcceptThread:0.0.0.0/0.0.0.0:19010:RateLogger@56] - Message: Error accepting new connection: Too many connections from /xxx.xxx.xxx.xxx - max is 5
-
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
- 可以指定多个认证 用法authProvider.<int>=xxx.xxx.xxAuthenticationProvider 也可以自己实现然后重新打zookeeper的jar包,不过zookeeper给的实现都够一般使用了
- sessionRequireClientSASLAuth=true
- 3.6.0(包括)新加的参数 指定客户端是否必须sasl认证成功后才能成功生成session
# The number of milliseconds of each tick
tickTime=2000
# The number of ticks that the initial
# synchronization phase can take
initLimit=10
# The number of ticks that can pass between
# sending a request and getting an acknowledgement
syncLimit=30
# the directory where the snapshot is stored.
# do not use /tmp for storage, /tmp here is just
# example sakes.
dataDir=/opt/zookeeper/zookeeper-dir
# dataLogDir : (No Java system property) This option will direct the machine to write the transaction log to the dataLogDir rather than the dataDir.
# This allows a dedicated log device to be used, and helps avoid competition between logging and snapshots.
# Note
# Having a dedicated log device has a large impact on throughput and stable latencies.
# It is highly recommended dedicating a log device and set dataLogDir to point to a directory on that device
# and then make sure to point dataDir to a directory not residing on that device.
# zookeeper 事务日志文件存储位置
dataLogDir=/opt/zookeeper/zookeeper-logs
# the port at which the clients will connect
# zookeeper 客户端暴露端口,默认2181
clientPort=19010
# the maximum number of client connections.
# increase this if you need to handle more clients
#maxClientCnxns=60
#
# Be sure to read the maintenance section of the
# administrator guide before turning on autopurge.
#
# http://zookeeper.apache.org/doc/current/zookeeperAdmin.html#sc_maintenance
#
# The number of snapshots to retain in dataDir
#autopurge.snapRetainCount=3
# Purge task interval in hours
# Set to "0" to disable auto purge feature
#autopurge.purgeInterval=1
## Metrics Providers
#
# https://prometheus.io Metrics Exporter
#metricsProvider.className=org.apache.zookeeper.metrics.prometheus.PrometheusMetricsProvider
#metricsProvider.httpPort=7000
#metricsProvider.exportJvmInfo=true
# 集群服务需要配置 server.<int>=<ip>:<zk服务port>:<选举专用port>
server.1=0.0.0.0:xxxx:xxxx
#server.2=x.x.x.x:xxxx:xxxx
#server.3=x.x.x.x:xxxx:xxxx
# zookeeper security
# 表明单个ip可以同时连接zookeeper服务的次数,这里配置为5
maxClientCnxns=5
#authProvider.1=org.apache.zookeeper.server.auth.DigestLoginModule
# 官方给的写法, authProvider.x=x.x.x.x.xxxAuthenticationProvider
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
# 3.6.0 版本新参数 SASL 认证成功才能与zookeeper服务建立会话,否则任何命令都无法发送到zookeeper
sessionRequireClientSASLAuth=true
# 在stackOverFlow上搜的,去掉了认证服务也正常
requireClientAuthScheme=sasl
# 根据文章推算,此处写法jaas默认重新登录时间为1小时
jaasLoginRenew=3600000
一切就绪
服务端启动后,使用 ps -aux | grep java 查看zookeeper启动的参数
可以看到 -Djava.security.auth.login.config=,-Dzookeeper.requireClientAuthScheme=sasl 都加入到服务启动时了
客户端启动时
Client successfully logged in
SASL config status: Will attempt to SASL-authenticate using Login Context section 'Client'
注意 客户端若启动后认证失败可写一个脚本来加入zookeeper客户端的环境变量,再执行连接zookeeper的命令文章来源:https://www.toymoban.com/news/detail-686657.html
文章来源地址https://www.toymoban.com/news/detail-686657.html
到了这里,关于[zookeeper] SASL(Simple Authentication and Security Layer) 用户名密码认证配置的文章就介绍完了。如果您还想了解更多内容,请在右上角搜索TOY模板网以前的文章或继续浏览下面的相关文章,希望大家以后多多支持TOY模板网!