ZooKeeper ACL permission control (allow access only from specific IPs to improve security)
2022-06-26 13:12:00 【devops_ sre】
Preface
To make access to ZooKeeper more secure and guard against intrusion, set an ACL so that only specific IPs are allowed access.
Configuring an IP ACL
- This example uses ZooKeeper version 3.6.1, deployed with Docker
Log in to the client terminal
- Syntax
zkCli.sh -server <IP>:<port>
]# docker exec -it zookeeper /bin/bash
[email protected]:/apache-zookeeper-3.6.1-bin# /apache-zookeeper-3.6.1-bin/bin/zkCli.sh -server 192.168.3.80:2181
Connecting to 192.168.3.80:2181
2022-06-15 16:18:55,868 [myid:] - INFO [main:[email protected]] - Client environment:zookeeper.version=3.6.1--104dcb3e3fb464b30c5186d229e00af9f332524b, built on 04/21/2020 15:01 GMT
2022-06-15 16:18:55,873 [myid:] - INFO [main:[email protected]] - Client environment:host.name=<NA>
2022-06-15 16:18:55,873 [myid:] - INFO [main:[email protected]] - Client environment:java.version=11.0.8
2022-06-15 16:18:55,876 [myid:] - INFO [main:[email protected]] - Client environment:java.vendor=N/A
2022-06-15 16:18:55,876 [myid:] - INFO [main:[email protected]] - Client environment:java.home=/usr/local/openjdk-11
2022-06-15 16:18:55,877 [myid:] - INFO [main:[email protected]] - Client environment:java.library.path=/usr/java/packages/lib:/usr/lib64:/lib64:/lib:/usr/lib
2022-06-15 16:18:55,877 [myid:] - INFO [main:[email protected]] - Client environment:java.io.tmpdir=/tmp
2022-06-15 16:18:55,877 [myid:] - INFO [main:[email protected]] - Client environment:java.compiler=<NA>
2022-06-15 16:18:55,877 [myid:] - INFO [main:[email protected]] - Client environment:os.name=Linux
2022-06-15 16:18:55,878 [myid:] - INFO [main:[email protected]] - Client environment:os.arch=amd64
2022-06-15 16:18:55,878 [myid:] - INFO [main:[email protected]] - Client environment:os.version=3.10.0-1062.9.1.el7.x86_64
2022-06-15 16:18:55,878 [myid:] - INFO [main:[email protected]] - Client environment:user.name=root
2022-06-15 16:18:55,878 [myid:] - INFO [main:[email protected]] - Client environment:user.home=/root
2022-06-15 16:18:55,878 [myid:] - INFO [main:[email protected]] - Client environment:user.dir=/apache-zookeeper-3.6.1-bin
2022-06-15 16:18:55,879 [myid:] - INFO [main:[email protected]] - Client environment:os.memory.free=248MB
2022-06-15 16:18:55,881 [myid:] - INFO [main:[email protected]] - Client environment:os.memory.max=256MB
2022-06-15 16:18:55,881 [myid:] - INFO [main:[email protected]] - Client environment:os.memory.total=256MB
2022-06-15 16:18:55,889 [myid:] - INFO [main:[email protected]] - Initiating client connection, connectString=192.168.3.80:2181 sessionTimeout=30000 [email protected]
2022-06-15 16:18:55,904 [myid:] - INFO [main:[email protected]] - Setting -D jdk.tls.rejectClientInitiatedRenegotiation=true to disable client-initiated TLS renegotiation
2022-06-15 16:18:55,924 [myid:] - INFO [main:[email protected]] - jute.maxbuffer value is 1048575 Bytes
2022-06-15 16:18:55,941 [myid:] - INFO [main:[email protected]] - zookeeper.request.timeout value is 0. feature enabled=false
Welcome to ZooKeeper!
2022-06-15 16:18:55,971 [myid:192.168.3.80:2181] - INFO [main-SendThread(192.168.3.80:2181):[email protected]] - Opening socket connection to server 192.168.3.80/192.168.3.80:2181.
2022-06-15 16:18:55,972 [myid:192.168.3.80:2181] - INFO [main-SendThread(192.168.3.80:2181):[email protected]] - SASL config status: Will not attempt to authenticate using SASL (unknown error)
2022-06-15 16:18:55,995 [myid:192.168.3.80:2181] - INFO [main-SendThread(192.168.3.80:2181):[email protected]] - Socket connection established, initiating session, client: /192.168.3.80:47584, server: 192.168.3.80/192.168.3.80:2181
JLine support is enabled
2022-06-15 16:18:56,018 [myid:192.168.3.80:2181] - INFO [main-SendThread(192.168.3.80:2181):[email protected]] - Session establishment complete on server 192.168.3.80/192.168.3.80:2181, session id = 0x1012c090b8f0004, negotiated timeout = 30000
WATCHER::
WatchedEvent state:SyncConnected type:None path:null
[zk: 192.168.3.80:2181(CONNECTED) 0]
View current permissions
- Syntax
getAcl /
[zk: 192.168.3.80:2181(CONNECTED) 0] getAcl /
'world,'anyone
: cdrwa
Add the IPs that are allowed access
- Syntax
setAcl / ip:${ip}:cdrwa,ip:${ip}:cdrwa # You can add one IP, or several at once separated by commas
[zk: 192.168.3.80:2181(CONNECTED) 1] setAcl / ip:192.168.3.80:cdrwa
[zk: 192.168.3.80:2181(CONNECTED) 2] getAcl / # View added permissions
'ip,'192.168.3.80
: cdrwa
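A check to run after the setAcl step above, as an added example that is not part of the original post: ZooKeeper ACLs are not inherited, so restricting / leaves every existing child znode with whatever ACL it already had. The function below reads getAcl output in the format shown on this page and lists the znodes that still grant world:anyone; the /app paths in the sample are constructed.

```shell
#!/bin/sh
# Added example: list znodes whose ACL still grants world:anyone.
# Input is zkCli output in the format shown on this page: a prompt line
# containing "getAcl <path>", followed by pairs of lines
#   'scheme,'id
#   : perms

open_znodes() {
  awk -v q="'" '
    # Remember which znode the following ACL entries belong to.
    /(^| )getAcl \// {
      for (i = 1; i < NF; i++) if ($i == "getAcl") path = $(i + 1)
      next
    }
    # First line of an entry: quote, scheme, comma, quote, id.
    $0 ~ ("^" q "[a-z0-9]+," q) {
      split($0, f, "," q)
      scheme = substr(f[1], 2); id = f[2]
      next
    }
    # Second line of an entry: ": " followed by the permission letters.
    /^: [cdrwa]+$/ {
      if (scheme == "world" && id == "anyone") print path, $2
      scheme = ""; id = ""
    }
  '
}

# Constructed sample session: / is restricted to one IP, but the
# (hypothetical) children /app and /app/config are still open to everyone.
SAMPLE="[zk: 192.168.3.80:2181(CONNECTED) 0] getAcl /
'ip,'192.168.3.80
: cdrwa
[zk: 192.168.3.80:2181(CONNECTED) 1] getAcl /app
'world,'anyone
: cdrwa
[zk: 192.168.3.80:2181(CONNECTED) 2] getAcl /app/config
'ip,'192.168.3.80
: cdrwa
'world,'anyone
: r"

# Prints one line per world-open znode: "<path> <perms>".
printf '%s\n' "$SAMPLE" | open_znodes
```

Any path this prints needs its own setAcl; an empty result means none of the inspected znodes grants world:anyone.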
Restore the default permissions
- Syntax
setAcl / world:anyone:cdrwa
[zk: 192.168.3.80:2181(CONNECTED) 3] setAcl / world:anyone:cdrwa
[zk: 192.168.3.80:2181(CONNECTED) 4] getAcl / # View restored permissions
'world,'anyone
: cdrwa
Conclusion
Linux system security hardening: handling the ZooKeeper unauthorized access vulnerability
ZooKeeper access control (ACL)
ZooKeeper-cli: the ZooKeeper command line interface