1. Configure the firewall to restrict access
Use ufw (Uncomplicated Firewall) to restrict access to the ZooKeeper port (2181 by default) so that only trusted IPs can connect. Steps (the SSH rule is added before ufw is enabled so that an active remote session is not cut off):
sudo apt install ufw
sudo ufw allow OpenSSH
sudo ufw allow from 192.168.1.0/24 to any port 2181   # trusted subnet; the page's example range
sudo ufw deny 2181                                    # every other source is refused
sudo ufw enable
sudo ufw status verbose
2. Configure ZooKeeper user authentication (SASL/Digest)
Use SASL authentication so that only clients holding valid credentials are accepted. Steps:
sudo apt-get install libsasl2-modules
Create the JAAS configuration file (/etc/zookeeper/conf/jaas.conf) that defines the user credentials:
Server {
    org.apache.zookeeper.server.auth.DigestLoginModule required
    user_super="super_secret_password"
    user_admin="admin_secret_password";
};
Point the server JVM at that file. This is a JVM option, not a zoo.cfg property (zoo.cfg does not have a java.opts key), so it belongs in the server's JVM flags, for example SERVER_JVMFLAGS in /etc/zookeeper/conf/java.env, which zkEnv.sh sources when present; check which environment file your package's start script reads:
SERVER_JVMFLAGS="-Djava.security.auth.login.config=/etc/zookeeper/conf/jaas.conf"
Then add to zoo.cfg:
authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
requireClientAuthScheme=sasl
sudo systemctl restart zookeeper
3. Configure ACLs (access control lists)
Use ACLs to control access to individual znodes. Steps:
Connect with the CLI: /path/to/zookeeper/bin/zkCli.sh -server localhost:2181
Create a node with an ACL (/secure_node, readable and writable only by the super user). Note that "acl" is not a ZooKeeper ACL scheme and such a line is rejected; with SASL authentication the scheme is sasl and the id is the SASL user name:
create /secure_node "secure_data" sasl:super:cdrwa
Grant the admin user read/write permission on /test_node. In the digest scheme the id is user:BASE64(SHA1("user:password")), never the cleartext password: an entry such as digest:admin:admin_secret_password:cdrwa is accepted by the server but never matches an authenticated client. Generate the hash with the class ZooKeeper ships (java -cp <zookeeper jars> org.apache.zookeeper.server.auth.DigestAuthenticationProvider admin:admin_secret_password), then use it:
setAcl /test_node digest:admin:<hash printed by DigestAuthenticationProvider>:cdrwa
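The setAcl entry above needs the hashed digest id. As an added example that is not part of this page, the Python helper below computes that id the way ZooKeeper's DigestAuthenticationProvider does (user:BASE64(SHA1("user:password"))), maps a cdrwa string to the permission bits the server stores, and flags ACL strings that would be rejected or silently useless, such as the unknown acl: scheme or a cleartext password inside a digest entry. It uses only the standard library; the scheme list and permission bit values are ZooKeeper's built-in ones.

```python
"""Added example, not from the page: build and sanity-check zkCli ACL entries (section 3)."""
import base64
import hashlib

PERM_BITS = {"r": 1, "w": 2, "c": 4, "d": 8, "a": 16}  # org.apache.zookeeper.ZooDefs.Perms; ALL == 31
VALID_SCHEMES = {"world", "auth", "digest", "ip", "sasl", "x509"}  # "acl:" on the page is not one


def digest_id(user: str, password: str) -> str:
    """user:BASE64(SHA1("user:password")), what DigestAuthenticationProvider.generateDigest emits."""
    raw = f"{user}:{password}".encode("utf-8")
    return f"{user}:{base64.b64encode(hashlib.sha1(raw).digest()).decode('ascii')}"


def perms_to_int(perms: str) -> int:
    """Translate a cdrwa string into the integer ZooKeeper stores for the ACL."""
    bits = 0
    for ch in perms:
        if ch not in PERM_BITS:
            raise ValueError(f"unknown permission {ch!r}; use a subset of cdrwa")
        bits |= PERM_BITS[ch]
    return bits


def digest_acl(user: str, password: str, perms: str) -> str:
    """A setAcl-ready entry such as digest:admin:<hash>:cdrwa, with the password hashed."""
    perms_to_int(perms)  # reject malformed permission strings early
    return f"digest:{digest_id(user, password)}:{perms}"


def check_acl_entry(entry: str) -> list:
    """Findings for a zkCli ACL string; an empty list means it looks sound."""
    findings = []
    parts = entry.split(":")
    scheme, perms = parts[0], parts[-1]
    if scheme not in VALID_SCHEMES:
        findings.append(f"'{scheme}' is not a ZooKeeper ACL scheme")
    try:
        perms_to_int(perms)
    except ValueError as exc:
        findings.append(str(exc))
    if scheme == "digest":
        # A genuine digest id is user:<28-char base64 of a 20-byte SHA-1>; a cleartext
        # password (as in digest:admin:admin_secret_password:cdrwa) fails this test.
        secret = ":".join(parts[2:-1])
        try:
            hashed = len(base64.b64decode(secret, validate=True)) == 20
        except ValueError:  # binascii.Error is a ValueError
            hashed = False
        if not hashed:
            findings.append("digest id is not a SHA-1/base64 hash; clients will never match it")
    return findings
```

Run check_acl_entry on every ACL string before handing it to create or setAcl; digest_id("super", "test") reproduces the super:test digest shown in the ZooKeeper admin documentation, which is a quick way to confirm the helper against the Java tool.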
Verify with getAcl /secure_node (it should show the super user's cdrwa permission).
4. Enable SSL/TLS encrypted communication
Prevent data in transit from being eavesdropped on or tampered with. Steps:
mkdir -p /etc/zookeeper/ssl
keytool -genkey -alias zookeeper -keyalg RSA -keysize 2048 -keystore /etc/zookeeper/ssl/zookeeper.jks -validity 3650
Add to zoo.cfg, using the property names ZooKeeper documents: TLS is only served on secureClientPort, which requires the Netty connection factory, and ZooKeeper unlocks the private key with the keystore password, so there is no separate key-password property (give the key the same password as the keystore):
secureClientPort=2281
serverCnxnFactory=org.apache.zookeeper.server.NettyServerCnxnFactory
ssl.keyStore.location=/etc/zookeeper/ssl/zookeeper.jks
ssl.keyStore.password=your_keystore_password
Clients must trust this self-signed certificate (for example via a truststore containing it) before they can connect on the secure port.
sudo systemctl restart zookeeper
5. Restrict SSH access (harden administration)
Prevent unauthorized access to the server itself by hardening SSH. Edit the SSH daemon configuration (/etc/ssh/sshd_config):
PermitRootLogin no        # forbid direct remote root login
PasswordAuthentication no # disable password authentication (requires SSH keys)
AllowUsers your_username  # allow only the named user to log in
Confirm key-based login works in a second session before restarting, and check the syntax with sudo sshd -t, so the change cannot lock you out.
sudo systemctl restart sshd
6. Monitoring and regular maintenance
Review the log (/var/log/zookeeper/zookeeper.log) and watch for abnormal operations such as frequent node deletions or permission changes.
Apply ZooKeeper updates (sudo apt update && sudo apt upgrade zookeeper) and Ubuntu system patches regularly to fix known security vulnerabilities.
Back up the data directory (/var/lib/zookeeper) regularly to prevent data loss.