1. 前置准备
在开始安全配置前,确保已安装Java(Zookeeper依赖11及以上版本)和Zookeeper本身。若未安装,可通过以下命令完成:
sudo apt update && sudo apt install openjdk-11-jdk -y # 安装Java
sudo apt install zookeeper -y # 安装Zookeeper(默认版本可能较旧,建议手动下载最新版)
验证Java和Zookeeper安装:
java -version # 确认Java版本≥11
sudo systemctl status zookeeper # 确认Zookeeper服务状态
2. 配置文件系统权限
Zookeeper的数据目录(默认/var/lib/zookeeper)和日志目录(默认/var/log/zookeeper)需设置正确权限,避免未授权访问:
sudo chown -R zookeeper:zookeeper /var/lib/zookeeper # 将数据目录所有者设为zookeeper用户
sudo chown -R zookeeper:zookeeper /var/log/zookeeper # 将日志目录所有者设为zookeeper用户
sudo chmod -R 755 /var/lib/zookeeper # 设置数据目录权限(所有者可读写执行,其他用户可读执行)
sudo chmod -R 755 /var/log/zookeeper # 设置日志目录权限
同时,修改Zookeeper运行用户(避免以root运行):编辑/etc/default/zookeeper,添加或修改:
ZOOKEEPER_USER=zookeeper
重启服务使变更生效:
sudo systemctl restart zookeeper
3. 启用SASL认证(Digest机制)
SASL是Zookeeper主流认证方式,推荐使用Digest机制(基于用户名/密码):
/etc/zookeeper/conf下创建zookeeper_jaas.conf,内容如下(替换为实际用户名和密码):Server {
org.apache.zookeeper.server.auth.DigestLoginModule required
user_admin="admin_secret" # 用户名=密码(明文,后续会哈希存储)
};
sudo chown zookeeper:zookeeper /etc/zookeeper/conf/zookeeper_jaas.conf
sudo chmod 600 /etc/zookeeper/conf/zookeepe_jaas.conf
/etc/zookeeper/conf/zoo.cfg,添加以下行以启用SASL:authProvider.1=org.apache.zookeeper.server.auth.SASLAuthenticationProvider
requireClientAuthScheme=sasl
jaasLoginRenew=3600000 # JAAS配置刷新间隔(毫秒)
/etc/default/zookeeper,在ZOOKEEPER_OPTS中添加JAAS配置文件路径:ZOOKEEPER_OPTS="-Djava.security.auth.login.config=/etc/zookeeper/conf/zookeeper_jaas.conf"
sudo systemctl restart zookeeper
4. 配置ACL(访问控制列表)
ACL用于限制用户对Zookeeper节点的访问权限(如读、写、管理ACL等)。以下是具体操作:
/opt/zookeeper/bin/zkCli.sh -server localhost:2181 # 进入交互式命令行
adduser admin # 创建系统用户(可选)
./zkCli.sh addauth digest admin:admin_secret # 为客户端添加认证信息(用户名:密码)
create /secure_node "sensitive_data" # 创建节点
setAcl /secure_node digest:admin:admin_secret:cdrwa # 设置ACL(admin用户拥有所有权限)
c(创建)、r(读取)、w(写入)、d(删除)、a(管理ACL)。/secure_node会返回Authentication failed,认证后(addauth digest admin:admin_secret)可正常访问。5. 配置SSL/TLS加密通信
默认情况下,Zookeeper通信是明文的,需启用SSL/TLS加密:
sudo mkdir -p /etc/zookeeper/ssl
sudo openssl req -newkey rsa:2048 -nodes -keyout /etc/zookeeper/ssl/zookeeper.key -x509 -days 365 -out /etc/zookeeper/ssl/zookeeper.crt
sudo keytool -import -alias zookeeper -file /etc/zookeeper/ssl/zookeeper.crt -keystore /etc/zookeeper/ssl/zookeeper.jks -storepass zookeeper_pass -noprompt
/etc/zookeeper/conf/zoo.cfg,添加以下行:ssl=true
ssl.keystore.location=/etc/zookeeper/ssl/zookeeper.jks
ssl.keystore.password=zookeeper_pass
ssl.truststore.location=/etc/zookeeper/ssl/zookeeper.jks
ssl.truststore.password=zookeeper_pass
ssl.clientAuth=need # 要求客户端提供证书(可选,根据需求设置)
sudo systemctl restart zookeeper
/opt/zookeeper/bin/zkCli.sh -server localhost:2181 -ssl -Djavax.net.ssl.keyStore=/etc/zookeeper/ssl/zookeeper.jks -Djavax.net.ssl.keyStorePassword=zookeeper_pass
6. 配置防火墙限制访问
使用ufw(Uncomplicated Firewall)限制仅授权IP可访问Zookeeper端口(默认2181为客户端端口,2888/3888为集群端口):
sudo ufw allow from 192.168.1.0/24 to any port 2181 proto tcp # 允许192.168.1.0/24网段访问客户端端口
sudo ufw allow from 192.168.1.0/24 to any port 2888 proto tcp # 允许集群节点间通信
sudo ufw allow from 192.168.1.0/24 to any port 3888 proto tcp
sudo ufw deny 2181/tcp # 默认拒绝其他IP访问客户端端口
sudo ufw enable # 启用防火墙
验证防火墙规则:
sudo ufw status verbose
7. 其他安全强化措施
4lw.commands.whitelist),编辑zoo.cfg:4lw.commands.whitelist=ruok,stat # 仅允许ruok(服务器状态)和stat(统计信息)命令
sudo apt update && sudo apt upgrade zookeeper -y
Logwatch或Fail2ban监控Zookeeper日志(/var/log/zookeeper/zookeeper.log),检测异常访问行为。8. 验证安全配置
/opt/zookeeper/bin/zkCli.sh -server localhost:2181
addauth digest admin:admin_secret # 输入认证信息
ls /secure_node # 应能正常列出节点
/secure_node,应返回Authentication failed。
