
Install and use the Confluent CLI


This topic describes how to install and use the command-line interface (CLI) of the Confluent streaming data service.

Install the Confluent CLI

For installation details, see the official installation documentation.

Installation

  1. Download and install the most recently released binary for your platform.

  2. Add the directory that contains the CLI binary you downloaded in the previous step to PATH. Use a directory that only your own user can write to, since anything placed earlier in PATH shadows system commands of the same name.

export PATH=<$CONFLUENT_HOME>/bin:<$CONFLUENT_HOME>:${PATH}

  3. (Optional) If the default directory in which the CLI stores logs and data does not have enough space, point the CONFLUENT_CURRENT environment variable at the directory you want to use.

export CONFLUENT_CURRENT=<Directory you want to use for CLI logs and data>

Verification

Verify that the client was installed successfully.

  1. Enter the following command in a terminal window.

confluent

  2. The command should print output with the following structure.

Manage your Confluent Platform.

Usage:
    confluent [command]

 Available Commands:
    completion  Print Shell completion code.
    help        Help about any command
    iam         Manage RBAC and IAM permissions.
    local       Manage a local Confluent Platform development environment.
    login       Log in to Confluent Platform. This is required for RBAC.
    logout      Log out of Confluent Platform.
    secret      Manage secrets for Confluent Platform.
    update      Update the confluent CLI.
    version     Print the confluent CLI version.

 Flags:
    -h, --help            help for confluent
    -v, --verbose count   Increase verbosity (-v for warn, -vv for info, -vvv for debug, -vvvv for trace).
        --version         version for confluent

 Use "confluent [command] --help" for more information about a command.
  3. Verify that you can log in to the MDS address. The file given to --ca-cert-path is the CA certificate the CLI uses to verify the TLS certificate presented by the MDS server; see the login section below for which certificate to download.

confluent login --url https://mds-xxxxxxxxx.csp.aliyuncs.com:443 --ca-cert-path xxxxx.pem
Enter your Confluent credentials:
Username: your-username
Password: your-password

  4. You should see the login succeed.

Logged in as "your-username"

Log in with the Confluent CLI

  1. Before you can use the Confluent CLI you must log in to the MDS service. MDS authenticates with a username and password, and the connection is encrypted with HTTPS.

Note

Have your username and password and the SSL certificate ready before logging in to MDS.

  • Username and password: accounts are managed in the user management module of the Confluent streaming data service console. To create a new user, log in to the console; for details, see User management.

  • SSL certificate: the Confluent CLI needs a PEM-format certificate to log in to MDS. The certificate can be downloaded from the Confluent streaming data service console. The CLI uses it to verify the TLS certificate presented by the MDS endpoint, so a verification error means you have the wrong certificate for the cluster's access mode (see the next note), not a reason to skip verification.

Note

If public network access is not enabled for the cluster, use the "VPC access certificate" to log in to MDS; if public network access is enabled, use the "Alibaba Cloud signed certificate".

  2. Run the following command in your terminal to log in to MDS. Enter the password at the prompt rather than putting it on the command line, so that it does not end up in your shell history.

confluent login --url https://mds-xxxxxxxxx.csp.aliyuncs.com:443 --ca-cert-path xxxxx.pem
Enter your Confluent credentials:
Username: your-username
Password: your-password

  3. If the login succeeds, the following is returned.

Logged in as "your-username"

Manage permissions with the Confluent CLI

Manage RBAC permissions with the Confluent CLI

Note

The Confluent streaming data service ships with predefined system roles, and you manage permissions by binding these roles to principals. Log in to MDS before running any of the permission-management commands below. The commands use the confluent iam rolebinding and confluent iam acl syntax of the Confluent CLI release this page targets; newer Confluent CLI releases provide the role-binding commands as confluent iam rbac role-binding with largely the same flags.

Predefined roles in CSP

For details, see the official documentation on predefined roles.

IAM roles

List IAM roles

List the available RBAC roles and related information, such as the resource types and operations each role is allowed to perform.

confluent iam role list [flags]

Flags

-o, --output string    Specify the output format as "human", "json", or "yaml". (default "human")
    --context string   CLI context name.

Global Flags

-h, --help            Show help for this command.
-v, --verbose count   Increase verbosity (-v for warn, -vv for info, -vvv for debug, -vvvv for trace).

Describe an IAM role

Show the resources and operations that the specified role allows.

confluent iam role describe <name> [flags]

Flags

-o, --output string    Specify the output format as "human", "json", or "yaml". (default "human")
    --context string   CLI context name.

Global Flags

-h, --help            Show help for this command.
-v, --verbose count   Increase verbosity (-v for warn, -vv for info, -vvv for debug, -vvvv for trace).

IAM role bindings

Create a role binding

Bind a role to a principal, granting that principal the role's permissions within the specified cluster scope.

confluent iam rolebinding create [flags]

Flags

    --role string                         REQUIRED: Role name of the new role binding.
    --principal string                    REQUIRED: Qualified principal name for the role binding.
    --prefix                              Whether the provided resource name is treated as a prefix pattern.
    --resource string                     Qualified resource name for the role binding.
    --kafka-cluster-id string             Kafka cluster ID for the role binding.
    --schema-registry-cluster-id string   Schema Registry cluster ID for the role binding.
    --ksql-cluster-id string              ksqlDB cluster ID for the role binding.
    --connect-cluster-id string           Kafka Connect cluster ID for the role binding.
    --cluster-name string                 Cluster name to uniquely identify the cluster for rolebinding listings.
-o, --output string                       Specify the output format as "human", "json", or "yaml". (default "human")
    --context string                      CLI context name.

Global Flags

-h, --help            Show help for this command.
-v, --verbose count   Increase verbosity (-v for warn, -vv for info, -vvv for debug, -vvvv for trace).

Example

# Grant user sr-read read-only access to every Schema Registry subject of cluster $CID
confluent iam rolebinding create --principal User:sr-read --role DeveloperRead --resource "Subject:*" --kafka-cluster-id $CID --schema-registry-cluster-id id_schemaregistry_confluent
# Grant user sr-admin full administrative rights on the Schema Registry of cluster $CID
confluent iam rolebinding create --principal User:sr-admin --role SystemAdmin --resource "Subject:*" --kafka-cluster-id $CID --schema-registry-cluster-id id_schemaregistry_confluent

Quote the resource pattern so that the shell does not expand the *. SystemAdmin is a cluster-scoped super-user role whose rights are not narrowed by --resource, so the second binding makes sr-admin an administrator of the whole Schema Registry cluster rather than of subjects only; reserve it for operators and prefer a resource-scoped role (DeveloperRead, DeveloperWrite, or ResourceOwner on specific subjects) for application owners.

List role bindings

List the role bindings for a specific principal, role, or scope.

confluent iam rolebinding list [flags]

Flags

    --principal string                    Principal whose rolebindings should be listed.
    --current-user                        Show rolebindings belonging to current user.
    --role string                         List rolebindings under a specific role given to a principal. Or if no principal is specified, list principals with the role.
    --kafka-cluster-id string             Kafka cluster ID for scope of rolebinding listings.
    --resource string                     If specified with a role and no principals, list principals with rolebindings to the role for this qualified resource.
    --schema-registry-cluster-id string   Schema Registry cluster ID for scope of rolebinding listings.
    --ksql-cluster-id string              ksqlDB cluster ID for scope of rolebinding listings.
    --connect-cluster-id string           Kafka Connect cluster ID for scope of rolebinding listings.
    --cluster-name string                 Cluster name to uniquely identify the cluster for rolebinding listings.
-o, --output string                       Specify the output format as "human", "json", or "yaml". (default "human")
    --context string                      CLI context name.

Global Flags

-h, --help            Show help for this command.
-v, --verbose count   Increase verbosity (-v for warn, -vv for info, -vvv for debug, -vvvv for trace).

Example

List the SystemAdmin bindings of cluster $CID.

confluent iam rolebinding list --kafka-cluster-id $CID --role SystemAdmin

Delete a user's role binding

Delete a role binding

confluent iam rolebinding delete [flags]

Flags

    --role string                         REQUIRED: Role name of the existing role binding.
    --principal string                    REQUIRED: Qualified principal name associated with the role binding.
    --prefix                              Whether the provided resource name is treated as a prefix pattern.
    --resource string                     Qualified resource name associated with the role binding.
    --kafka-cluster-id string             Kafka cluster ID for the role binding.
    --schema-registry-cluster-id string   Schema Registry cluster ID for the role binding.
    --ksql-cluster-id string              ksqlDB cluster ID for the role binding.
    --connect-cluster-id string           Kafka Connect cluster ID for the role binding.
    --cluster-name string                 Cluster name to uniquely identify the cluster for rolebinding listings.
-o, --output string                       Specify the output format as "human", "json", or "yaml". (default "human")
    --context string                      CLI context name.

Global Flags

-h, --help            Show help for this command.
-v, --verbose count   Increase verbosity (-v for warn, -vv for info, -vvv for debug, -vvvv for trace).

Example

Remove user sr-read's read-only Schema Registry permission on cluster $CID.

confluent iam rolebinding delete --kafka-cluster-id $CID --schema-registry-cluster-id id_schemaregistry_confluent --principal User:sr-read --resource "Subject:*" --role DeveloperRead

Manage ACLs with the Confluent CLI

The Confluent streaming data service manages ACL permissions through the MDS service.

Creation limit

A single cluster can hold at most 1000 ACL entries.

Create an ACL

confluent iam acl create [flags]

Flags

--kafka-cluster-id string   REQUIRED: Kafka cluster ID for scope of ACL commands.
--allow                     ACL permission to allow access.
--deny                      ACL permission to restrict access to resource.
--principal string          REQUIRED: Principal for this operation with User: or Group: prefix.
--host string               Set host for access. Only IP addresses are supported. (default "*")
--operation string          REQUIRED: Set ACL Operation to: (all, alter, alter-configs, cluster-action, create, delete, describe, describe-configs, idempotent-write, read, write).
--cluster-scope             Set the cluster resource. With this option the ACL grants
                            access to the provided operations on the Kafka cluster itself.
--consumer-group string     Set the Consumer Group resource.
--transactional-id string   Set the TransactionalID resource.
--topic string              Set the topic resource. With this option the ACL grants the provided
                            operations on the topics that start with that prefix, depending on whether
                            the --prefix option was also passed.
--prefix                    Set to match all resource names prefixed with this value.
--context string            CLI context name.

Global Flags

-h, --help            Show help for this command.
-v, --verbose count   Increase verbosity (-v for warn, -vv for info, -vvv for debug, -vvvv for trace).
Important
  • confluent iam acl supports IPv6 addresses, but not IP ranges or subnets. To permit several hosts you need one entry per address; the host value * (the default) matches every host.

  • By default, any access that is not explicitly granted by an ACL is denied. You can also use --deny to explicitly exclude access; a matching --deny entry takes precedence over any --allow entry.

  • ACLs can be granted to users (User:) and groups (Group:), and the * wildcard grants to all principals.

  • When creating an ACL you can use --prefix to grant on every resource whose name starts with the given value. For example, --topic abc- together with --prefix affects all topics whose names begin with abc-.

Example

In this example you create an ACL that lets principal User:Bob perform READ on the topic test-topic in the specified Kafka cluster from the IP address 198.51.xx.xx. Grant it with:

confluent iam acl create --allow --principal User:Bob --operation READ --host 198.51.xx.xx --topic test-topic  --kafka-cluster-id  <kafka-cluster-id>

The following commands allow every user to read test-topic in the specified Kafka cluster but deny User:BadBob that read. Note that the User:'*' entry carries the default host *, so once it exists Bob's host restriction above no longer limits where Bob may read from:

confluent iam acl create --allow --principal User:'*' --operation READ --topic test-topic --kafka-cluster-id <kafka-cluster-id>
confluent iam acl create --deny --principal User:BadBob --operation READ --topic test-topic  --kafka-cluster-id <kafka-cluster-id>
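The evaluation rules above (default deny, --deny over --allow, the * principal, host matching and --prefix patterns) determine what a broker does with the entries created by the commands in this section. The following Python model is an added example for this page, not code from the page or from Confluent; it applies those rules the way Kafka's built-in authorizer does, including one rule the page does not state (an ALLOW for READ, WRITE, DELETE or ALTER also satisfies a DESCRIBE check, and ALLOW ALTER_CONFIGS satisfies DESCRIBE_CONFIGS). The ACL entries, principals, hosts (TEST-NET addresses) and topic names in it are constructed sample data that mirror the commands above; the same literal-versus-prefix matching is what --prefix selects on role bindings earlier on this page.

```python
"""Offline model of Kafka ACL evaluation for the entries created above.

Added illustration, not code from this page or from Confluent. Principals,
hosts and topic names are constructed sample data.
"""
from dataclasses import dataclass

WILDCARD_PRINCIPAL = "User:*"   # the '*' principal the page mentions
WILDCARD_HOST = "*"             # default --host value

# An ALLOW for any operation in the set satisfies a check for the key.
IMPLIED_BY = {
    "DESCRIBE": {"DESCRIBE", "READ", "WRITE", "DELETE", "ALTER"},
    "DESCRIBE_CONFIGS": {"DESCRIBE_CONFIGS", "ALTER_CONFIGS"},
}


@dataclass(frozen=True)
class Acl:
    principal: str             # "User:Bob", "Group:ops" or "User:*"
    permission: str            # "ALLOW" (--allow) or "DENY" (--deny)
    operation: str             # "READ", "WRITE", ... or "ALL"
    resource_type: str         # "TOPIC", "GROUP", "CLUSTER", "TRANSACTIONAL_ID"
    resource_name: str         # e.g. "test-topic"
    pattern: str = "LITERAL"   # "PREFIXED" when created with --prefix
    host: str = WILDCARD_HOST  # a single IP address, or "*" for any host

    def matches(self, permission, principal, host, operation, resource_type, resource_name):
        """True if this entry applies to the request (exact operation or ALL)."""
        if self.permission != permission:
            return False
        if self.principal not in (principal, WILDCARD_PRINCIPAL):
            return False
        if self.host not in (host, WILDCARD_HOST):
            return False
        if self.resource_type != resource_type:
            return False
        if self.pattern == "PREFIXED":
            if not resource_name.startswith(self.resource_name):
                return False
        elif self.resource_name != resource_name:
            return False
        return self.operation in (operation, "ALL")


def authorize(acls, principal, host, operation, resource_type, resource_name):
    """Decide a request: a matching DENY wins; otherwise an ALLOW for the
    operation (or one that implies it) is required; otherwise deny."""
    def any_match(permission, op):
        return any(a.matches(permission, principal, host, op, resource_type, resource_name)
                   for a in acls)

    if any_match("DENY", operation):
        return False
    return any(any_match("ALLOW", op) for op in IMPLIED_BY.get(operation, {operation}))


# Constructed ACL set mirroring the `confluent iam acl create` commands above
# (the page elides Bob's IP; 198.51.100.7 is a TEST-NET-2 placeholder).
PAGE_ACLS = [
    # --allow --principal User:Bob --operation READ --host 198.51.100.7 --topic test-topic
    Acl("User:Bob", "ALLOW", "READ", "TOPIC", "test-topic", host="198.51.100.7"),
    # --allow --principal User:'*' --operation READ --topic test-topic
    Acl("User:*", "ALLOW", "READ", "TOPIC", "test-topic"),
    # --deny --principal User:BadBob --operation READ --topic test-topic
    Acl("User:BadBob", "DENY", "READ", "TOPIC", "test-topic"),
    # --allow --principal User:Jane --operation READ --prefix --topic test-topic
    Acl("User:Jane", "ALLOW", "READ", "TOPIC", "test-topic", pattern="PREFIXED"),
]


def page_decisions(acls=PAGE_ACLS):
    """Evaluate the requests discussed on this page and return the verdicts."""
    h = "203.0.113.9"  # constructed client address, not Bob's listed host
    return {
        # Bob from his listed host: allowed by his own entry.
        "bob_from_listed_host": authorize(acls, "User:Bob", "198.51.100.7", "READ", "TOPIC", "test-topic"),
        # Bob from elsewhere: still allowed, because the User:* entry has host "*".
        "bob_from_other_host": authorize(acls, "User:Bob", h, "READ", "TOPIC", "test-topic"),
        # BadBob: the DENY wins over the User:* ALLOW.
        "badbob_read": authorize(acls, "User:BadBob", h, "READ", "TOPIC", "test-topic"),
        # Jane's PREFIXED entry covers every topic starting with "test-topic".
        "jane_prefixed_topic": authorize(acls, "User:Jane", h, "READ", "TOPIC", "test-topic-audit"),
        # The LITERAL User:* entry does not extend to "test-topic-audit".
        "carol_other_topic": authorize(acls, "User:Carol", h, "READ", "TOPIC", "test-topic-audit"),
        # Nothing grants WRITE: default deny.
        "carol_write": authorize(acls, "User:Carol", h, "WRITE", "TOPIC", "test-topic"),
        # An ALLOW for READ also satisfies DESCRIBE.
        "carol_describe": authorize(acls, "User:Carol", h, "DESCRIBE", "TOPIC", "test-topic"),
    }


if __name__ == "__main__":
    for name, allowed in page_decisions().items():
        print(f"{name:22} {'ALLOW' if allowed else 'DENY'}")
```

Running the script prints the verdicts. The two worth dwelling on are that Bob is still allowed from a host other than the one in his own entry, because the User:* entry has host *, and that BadBob is denied even though that same entry matches him: a host restriction on one principal is only meaningful if no wildcard allow covers the same resource, whereas a --deny holds regardless of how many allows exist.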

Delete an ACL

confluent iam acl delete [flags]

Flags

--kafka-cluster-id string   REQUIRED: Kafka cluster ID for scope of ACL commands.
--allow                     ACL permission to allow access.
--deny                      ACL permission to restrict access to resource.
--principal string          REQUIRED: Principal for this operation with User: or Group: prefix.
--host string               REQUIRED: Set host for access. Only IP addresses are supported. (default "*")
--operation string          REQUIRED: Set ACL Operation to: (all, alter, alter-configs, cluster-action, create, delete, describe, describe-configs, idempotent-write, read, write).
--cluster-scope             Set the cluster resource. With this option the ACL grants
                            access to the provided operations on the Kafka cluster itself.
--consumer-group string     Set the Consumer Group resource.
--transactional-id string   Set the TransactionalID resource.
--topic string              Set the topic resource. With this option the ACL grants the provided
                            operations on the topics that start with that prefix, depending on whether
                            the --prefix option was also passed.
--prefix                    Set to match all resource names prefixed with this value.
--context string            CLI context name.

Global Flags

-h, --help            Show help for this command.
-v, --verbose count   Increase verbosity (-v for warn, -vv for info, -vvv for debug, -vvvv for trace).

Example

confluent iam acl delete --allow --principal User:Bob --operation READ --host 198.51.100.0 --topic test-topic  --kafka-cluster-id  <kafka-cluster-id>

The permission type (--allow or --deny), principal, operation, host and resource pattern must all match the entry you want to remove; an entry created with --prefix is only matched when --prefix is given again. To delete an ACL that was created with a prefix pattern (--operation is required and must name the operation of the entry being deleted, READ in this example):

confluent iam acl delete --allow --principal User:Jane --operation READ --prefix --topic test-topic --kafka-cluster-id <kafka-cluster-id>

List ACLs

confluent iam acl list [flags]

Flags

    --kafka-cluster-id string   REQUIRED: Kafka cluster ID for scope of ACL commands.
    --allow                     ACL permission to allow access.
    --deny                      ACL permission to restrict access to resource.
    --principal string          Principal for this operation with User: or Group: prefix.
    --host string               Set host for access. Only IP addresses are supported. (default "*")
    --operation string          Set ACL Operation to: (all, alter, alter-configs, cluster-action, create, delete, describe, describe-configs, idempotent-write, read, write).
    --cluster-scope             Set the cluster resource. With this option the ACL grants
                                access to the provided operations on the Kafka cluster itself.
    --consumer-group string     Set the Consumer Group resource.
    --transactional-id string   Set the TransactionalID resource.
    --topic string              Set the topic resource. With this option the ACL grants the provided
                                operations on the topics that start with that prefix, depending on whether
                                the --prefix option was also passed.
    --prefix                    Set to match all resource names prefixed with this value.
-o, --output string             Specify the output format as "human", "json", or "yaml". (default "human")
    --context string            CLI context name.

Global Flags

-h, --help            Show help for this command.
-v, --verbose count   Increase verbosity (-v for warn, -vv for info, -vvv for debug, -vvvv for trace).

Example

List all ACLs of the specified cluster.

confluent iam acl list --kafka-cluster-id <kafka-cluster-id>

Confluent CLI command reference

Reference documentation