When you connect to a ZooKeeper service with zkCli.sh, the default is a bare connection: anyone who knows the IP and port can connect. This post configures SASL username/password authentication on both the server and the client. Before zkCli connects, the server side keeps its usernames and passwords in an xxxjaas.conf; the client (zkCli, or an SDK in any language) also needs an xxxjaas.conf file to authenticate when it connects.
The post uses the service package downloaded from the official ZooKeeper website, apache-zookeeper-3.6.4-bin.
(Huge pitfall!!!) Watch the closing brace of the Server block: the line just above it must end with a semicolon ;
(The post uses the package downloaded from the official ZooKeeper site.) On both the ZooKeeper server and the client, add xxxjaas.conf under ZooKeeper's conf/ directory (it must end in .conf; the file name itself does not appear to matter).
Here, java.env and zookeeper-env.sh were created in the conf directory of both the server and the client.
When zkServer.sh starts, it runs zkEnv.sh, which checks whether java.env and zookeeper-env.sh exist and executes whichever is present. These two scripts can therefore set variables before the ZooKeeper server or client starts; samples follow.
On the server, use vim to create the zookeeper-env.sh file under /conf
On the client, create the zookeeper-env.sh file under /conf
Remember: after creating java.env or zookeeper-env.sh, run chmod a+x to make both scripts executable; otherwise the ZooKeeper server or client will not pick up your custom parameters when it starts!!!
On Windows, look at the zkServer.cmd and zkCli.cmd scripts; you can edit them to set the environment parameters, following the statements already in the scripts.
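The semicolon pitfall above is easy to miss by eye, so here is an added example (not code from the original post) of a small POSIX-sh check that rejects a JAAS file whose block ends without the trailing semicolon; the file names and "CHANGEME" credentials are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: a POSIX-sh check for the pitfall
# above. In each JAAS block ("Server { ... };", "Client { ... };") the last
# statement before the closing "};" must end with ';', or the JVM cannot parse
# the file. File names and "CHANGEME" credentials are constructed placeholders.

# check_jaas FILE: exit 0 if every block's final statement ends with ';',
# else print the offending block and exit 1. Blank lines and // comments skipped.
check_jaas() {
    awk '
        /^[ \t]*[A-Za-z_][A-Za-z0-9_]*[ \t]*\{[ \t]*$/ { name = $1; sub(/\{.*/, "", name); last = ""; next }
        /^[ \t]*\};?[ \t]*$/ {
            if (last !~ /;[ \t]*$/) { printf "missing \";\" before \"};\" in block %s\n", name; bad = 1 }
            next
        }
        /^[ \t]*$/    { next }
        /^[ \t]*\/\// { next }
        { last = $0 }
        END { exit bad }
    ' "$1"
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

# Wrong: the statement ends on the user_admin line without ';' (the pitfall).
cat > "$tmp/bad_jaas.conf" <<'EOF'
Server {
    org.apache.zookeeper.server.auth.DigestLoginModule required
    user_admin="CHANGEME"
};
EOF

# Correct server and client contexts; each block's last line ends with ';'.
cat > "$tmp/good_jaas.conf" <<'EOF'
Server {
    org.apache.zookeeper.server.auth.DigestLoginModule required
    user_admin="CHANGEME";
};
Client {
    org.apache.zookeeper.server.auth.DigestLoginModule required
    username="admin"
    password="CHANGEME";
};
EOF

check_jaas "$tmp/good_jaas.conf" && echo "good_jaas.conf: OK"
check_jaas "$tmp/bad_jaas.conf"  || echo "bad_jaas.conf: rejected"
```

The checked file is the one conf/zookeeper-env.sh hands to the JVM; assuming the post's scripts export SERVER_JVMFLAGS and CLIENT_JVMFLAGS (their contents are not shown on the page), that is where -Djava.security.auth.login.config=<path to the .conf> goes.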
=========================================================================
This can help prevent DoS against ZooKeeper... The parameter limits the maximum number of connections a single IP may open to the ZooKeeper service. The server config below sets it to 5; then several zkCli.sh instances were started locally against the service, and the sixth fails with the following server-side error:
2023-07-12 00:32:39,683 [myid:x] - WARN [NIOServerCxnFactory.AcceptThread:0.0.0.0/0.0.0.0:19010:RateLogger@56] - Message: Error accepting new connection: Too many connections from /xxx.xxx.xxx.xxx - max is 5
# The number of milliseconds of each tick
tickTime=2000
# The number of ticks that the initial
# synchronization phase can take
initLimit=10
# The number of ticks that can pass between
# sending a request and getting an acknowledgement
syncLimit=30
# the directory where the snapshot is stored.
# do not use /tmp for storage, /tmp here is just
# example sakes.
dataDir=/opt/zookeeper/zookeeper-dir
# dataLogDir : (No Java system property) This option will direct the machine to write the transaction log to the dataLogDir rather than the dataDir.
# This allows a dedicated log device to be used, and helps avoid competition between logging and snapshots.
# Note
# Having a dedicated log device has a large impact on throughput and stable latencies.
# It is highly recommended dedicating a log device and set dataLogDir to point to a directory on that device
# and then make sure to point dataDir to a directory not residing on that device.
# where ZooKeeper stores its transaction log files
dataLogDir=/opt/zookeeper/zookeeper-logs
# the port at which the clients will connect
# port exposed to ZooKeeper clients, default 2181
clientPort=19010
# the maximum number of client connections.
# increase this if you need to handle more clients
#maxClientCnxns=60
#
# Be sure to read the maintenance section of the
# administrator guide before turning on autopurge.
#
# http://zookeeper.apache.org/doc/current/zookeeperAdmin.html#sc_maintenance
#
# The number of snapshots to retain in dataDir
#autopurge.snapRetainCount=3
# Purge task interval in hours
# Set to "0" to disable auto purge feature
#autopurge.purgeInterval=1

## Metrics Providers
#
# https://prometheus.io Metrics Exporter
#metricsProvider.className=org.apache.zookeeper.metrics.prometheus.PrometheusMetricsProvider
#metricsProvider.httpPort=7000
#metricsProvider.exportJvmInfo=true
# a cluster needs server.<int>=<ip>:<zk service port>:<leader election port>
server.1=0.0.0.0:xxxx:xxxx
#server.2=x.x.x.x:xxxx:xxxx
#server.3=x.x.x.x:xxxx:xxxx

# zookeeper security
# maximum number of concurrent connections a single IP may open to the service; set to 5 here
maxClientCnxns=5
#authProvider.1=org.apache.zookeeper.server.auth.DigestLoginModule
# the official form is authProvider.x=x.x.x.x.xxxAuthenticationProvider
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
# new in 3.6.0: a session is only established after successful SASL authentication; otherwise no command can be sent to ZooKeeper
sessionRequireClientSASLAuth=true
# found on Stack Overflow; authentication also works with this line removed
requireClientAuthScheme=sasl
# inferred from an article: with this value the JAAS re-login interval is 1 hour
jaasLoginRenew=3600000
After the server starts, run ps -aux | grep java to see the parameters ZooKeeper was started with.
You can see that both -Djava.security.auth.login.config= and -Dzookeeper.requireClientAuthScheme=sasl were added to the service start-up.
When the client starts:
Client successfully logged in
SASL config status: Will attempt to SASL-authenticate using Login Context section 'Client'
Note: if the client fails authentication after start-up, you can write a script that sets the ZooKeeper client's environment variables and then runs the command to connect to ZooKeeper.