Ubuntu上Zookeeper安全设置主要包括以下关键方面:
使用ufw(Uncomplicated Firewall)限制对Zookeeper端口的访问,仅允许可信IP连接。例如,允许192.168.1.0/24网络访问2181端口,拒绝其他IP:
sudo ufw enable # 启用防火墙
sudo ufw allow from 192.168.1.0/24 to any port 2181 # 允许指定IP段
sudo ufw deny 2181 # 拒绝其他所有IP访问2181端口
sudo ufw status verbose # 检查防火墙状态
编辑/etc/zookeeper/conf/zoo.cfg,启用简单认证并配置用户密码:
security.auth.simple.enable=true
auth.type=simple
auth.simple.users=admin:password # 格式:用户名:密码(实际使用需替换为强密码)
重启Zookeeper使配置生效:
sudo systemctl restart zookeeper
客户端连接时需提供认证信息:
ZooKeeper zk = new ZooKeeper("localhost:2181", 3000, null);
zk.addAuthInfo("digest", "admin:password".getBytes()); // 添加认证信息
通过zkCli.sh命令行工具或配置文件设置节点权限:
# 连接到Zookeeper
./zkCli.sh -server localhost:2181
# 添加用户认证(digest模式)
addauth digest user1:password123
# 设置节点ACL(用户user1对/myNode有读写创建删除权限)
setAcl /myNode digest:user1:password123:cdrwa
/etc/zookeeper/conf/zoo_acls.conf,定义ACL规则:create /myNode "data" digest:user1:password123:cdrwa
read /public "data" world:anyone:r
为防止数据传输被窃听,配置SSL/TLS加密:
mkdir -p /etc/zookeeper/ssl
keytool -genkey -alias zookeeper -keyalg RSA -keysize 2048 \
-keystore /etc/zookeeper/ssl/zookeeper.jks -validity 3650
zoo.cfg,添加以下参数:ssl.enable=true
ssl.keystore.location=/etc/zookeeper/ssl/zookeeper.jks
ssl.keystore.password=your_keystore_password
ssl.keyPassword=your_key_password
重启Zookeeper服务:
sudo systemctl restart zookeeper
避免以root用户运行Zookeeper,创建专用用户和组:
sudo addgroup zookeeper # 创建zookeeper组
sudo adduser --system --group --no-create-home --home /var/lib/zookeeper zookeeper # 创建专用用户
确保ZooKeeper关键目录仅能被专用用户访问:
sudo chown -R zookeeper:zookeeper /var/lib/zookeeper # 数据目录
sudo chown zookeeper:zookeeper /etc/zookeeper/conf/zoo.cfg # 配置文件
sudo chmod -R 750 /var/lib/zookeeper # 数据目录权限(所有者可读写执行,组可读执行)
sudo chmod 640 /etc/zookeeper/conf/zoo.cfg # 配置文件权限(所有者可读写,组可读)
/etc/ssh/sshd_config,禁用root远程登录并启用密钥认证:PermitRootLogin no
PasswordAuthentication no
sudo systemctl restart sshd
/var/log/zookeeper/)和系统日志,监控异常操作;使用工具(如auditd)记录关键操作。sudo apt update && sudo apt upgrade zookeeper