本文为您介绍使用Confluent CLI 进行RBAC授权的一些常见示例。
集群类型和资源
云消息队列 Confluent 版集群和资源详情如下表所示:
集群 | 资源类型 |
Kafka cluster | |
KSQL | |
Schema Registry | |
Connect cluster | |
Kafka cluster
Kafka cluster中包含Cluster、Group、Topic和TransactionalId四种类型资源。
Cluster
支持配置的角色有:
AuditAdmin
ClusterAdmin
DeveloperManage
DeveloperWrite
Operator
ResourceOwner
SecurityAdmin
SystemAdmin
UserAdmin
示例一:为用户test授予Kafka集群SystemAdmin角色
#创建授权
confluent iam rbac role-binding create --principal User:test --role SystemAdmin --kafka-cluster <kafka-cluster-id>
#查看授权
confluent iam rbac role-binding list --principal User:test --role SystemAdmin --kafka-cluster <kafka-cluster-id>
#删除授权
confluent iam rbac role-binding delete --principal User:test --role SystemAdmin --kafka-cluster <kafka-cluster-id>示例二:为用户test授予Kafka集群ResourceOwner角色
#创建授权
confluent iam rbac role-binding create --principal User:test --role ResourceOwner --resource Cluster:kafka-cluster --kafka-cluster <kafka-cluster-id>
#查看授权
confluent iam rbac role-binding list --principal User:test --role ResourceOwner --resource Cluster:kafka-cluster --kafka-cluster <kafka-cluster-id>
#删除授权
confluent iam rbac role-binding delete --principal User:test --role ResourceOwner --resource Cluster:kafka-cluster --kafka-cluster <kafka-cluster-id>Group
支持配置的角色有:
DeveloperManage
DeveloperRead
ResourceOwner
示例一:为用户test授予test_group DeveloperRead角色
#创建授权
confluent iam rbac role-binding create --principal User:test --role DeveloperRead --resource Group:group_test --kafka-cluster <kafka-cluster-id>
#查看授权
confluent iam rbac role-binding list --principal User:test --role DeveloperRead --resource Group:group_test --kafka-cluster <kafka-cluster-id>
#删除授权
confluent iam rbac role-binding delete --principal User:test --role DeveloperRead --resource Group:group_test --kafka-cluster <kafka-cluster-id>示例二:为用户test授予前缀为demo的Group ResourceOwner角色
#创建授权
confluent iam rbac role-binding create --principal User:test --role ResourceOwner --resource Group:demo --prefix --kafka-cluster <kafka-cluster-id>
#查看授权
confluent iam rbac role-binding list --principal User:test --role ResourceOwner --kafka-cluster <kafka-cluster-id>
#删除授权
confluent iam rbac role-binding delete --principal User:test --role ResourceOwner --resource Group:demo --prefix --kafka-cluster <kafka-cluster-id>示例三:为用户test授予所有Group ResourceOwner角色
#创建授权
confluent iam rbac role-binding create --principal User:test --role ResourceOwner --resource Group:* --kafka-cluster <kafka-cluster-id>
#查看授权
confluent iam rbac role-binding list --principal User:test --role ResourceOwner --resource Group:* --kafka-cluster <kafka-cluster-id>
#删除授权
confluent iam rbac role-binding delete --principal User:test --role ResourceOwner --resource Group:* --kafka-cluster <kafka-cluster-id>Topic
支持配置的角色有:
DeveloperManage
DeveloperRead
DeveloperWrite
ResourceOwner
示例一:为用户test授予test_topic DeveloperWrite角色
#创建授权
confluent iam rbac role-binding create --principal User:test --role DeveloperWrite --resource Topic:test_topic --kafka-cluster <kafka-cluster-id>
#查看授权
confluent iam rbac role-binding list --principal User:test --role DeveloperWrite --resource Topic:test_topic --kafka-cluster <kafka-cluster-id>
#删除授权
confluent iam rbac role-binding delete --principal User:test --role DeveloperWrite --resource Topic:test_topic --kafka-cluster <kafka-cluster-id>示例二:为用户test授予前缀为demo的Topic ResourceOwner角色
#创建授权
confluent iam rbac role-binding create --principal User:test --role ResourceOwner --resource Topic:demo --prefix --kafka-cluster <kafka-cluster-id>
#查看授权
confluent iam rbac role-binding list --principal User:test --role ResourceOwner --resource Topic:demo --prefix --kafka-cluster <kafka-cluster-id>
#删除授权
confluent iam rbac role-binding delete --principal User:test --role ResourceOwner --resource Topic:demo --prefix --kafka-cluster <kafka-cluster-id>示例三:为用户test授予所有Topic ResourceOwner角色
#创建授权
confluent iam rbac role-binding create --principal User:test --role ResourceOwner --resource Topic:* --kafka-cluster <kafka-cluster-id>
#查看授权
confluent iam rbac role-binding list --principal User:test --role ResourceOwner --resource Topic:* --kafka-cluster <kafka-cluster-id>
#删除授权
confluent iam rbac role-binding delete --principal User:test --role ResourceOwner --resource Topic:* --kafka-cluster <kafka-cluster-id>TransactionalId
支持配置的角色有:
DeveloperManage
DeveloperRead
DeveloperWrite
ResourceOwner
示例:为用户test授予所有TransactionalId ResourceOwner角色
#创建授权
confluent iam rbac role-binding create --principal User:test --role ResourceOwner --resource TransactionalId:* --kafka-cluster <kafka-cluster-id>
#查看授权
confluent iam rbac role-binding list --principal User:test --role ResourceOwner --resource TransactionalId:* --kafka-cluster <kafka-cluster-id>
#删除授权
confluent iam rbac role-binding delete --principal User:test --role ResourceOwner --resource TransactionalId:* --kafka-cluster <kafka-cluster-id>KSQL
KSQL中只有Cluster这一种类型资源。
Cluster
支持配置的角色有:
AuditAdmin
ClusterAdmin
DeveloperManage
DeveloperWrite
Operator
ResourceOwner
SecurityAdmin
SystemAdmin
UserAdmin
示例:为用户test授予KSQL集群ResourceOwner角色
#创建授权
confluent iam rbac role-binding create --principal User:test --role ResourceOwner --resource KsqlCluster:ksql-cluster --ksql-cluster <ksql-cluster-id> --kafka-cluster <kafka-cluster-id>
#查看授权
confluent iam rbac role-binding list --principal User:test --role ResourceOwner --resource KsqlCluster:ksql-cluster --ksql-cluster <ksql-cluster-id> --kafka-cluster <kafka-cluster-id>
#删除授权
confluent iam rbac role-binding delete --principal User:test --role ResourceOwner --resource KsqlCluster:ksql-cluster --ksql-cluster <ksql-cluster-id> --kafka-cluster <kafka-cluster-id>Schema Registry
Schema Registry中包含Cluster和Subject两种类型资源。
Cluster
支持配置的角色有:
AuditAdmin
ClusterAdmin
Operator
SecurityAdmin
SystemAdmin
UserAdmin
示例:为用户test授予Schema Registry集群SystemAdmin角色
#创建授权
confluent iam rbac role-binding create --principal User:test --role SystemAdmin --schema-registry-cluster <schema-registry-cluster-id> --kafka-cluster <kafka-cluster-id>
#查看授权
confluent iam rbac role-binding list --principal User:test --role SystemAdmin --schema-registry-cluster <schema-registry-cluster-id> --kafka-cluster <kafka-cluster-id>
#删除授权
confluent iam rbac role-binding delete --principal User:test --role SystemAdmin --schema-registry-cluster <schema-registry-cluster-id> --kafka-cluster <kafka-cluster-id>Subject
支持配置的角色有:
DeveloperManage
DeveloperRead
DeveloperWrite
ResourceOwner
示例:为用户test授予Subject所有资源ResourceOwner角色
#创建授权
confluent iam rbac role-binding create --principal User:test --role ResourceOwner --resource Subject:* --schema-registry-cluster <schema-registry-cluster-id> --kafka-cluster <kafka-cluster-id>
#查看授权
confluent iam rbac role-binding list --principal User:test --role ResourceOwner --resource Subject:* --schema-registry-cluster <schema-registry-cluster-id> --kafka-cluster <kafka-cluster-id>
#删除授权
confluent iam rbac role-binding delete --principal User:test --role ResourceOwner --resource Subject:* --schema-registry-cluster <schema-registry-cluster-id> --kafka-cluster <kafka-cluster-id>Connect cluster
Connect cluster中包含Cluster和Connector两种类型资源。
Cluster
支持配置的角色有:
AuditAdmin
ClusterAdmin
Operator
SecurityAdmin
SystemAdmin
UserAdmin
示例:为用户test授予Connect集群SystemAdmin角色
#创建授权
confluent iam rbac role-binding create --principal User:test --role SystemAdmin --connect-cluster <connect-cluster-id> --kafka-cluster <kafka-cluster-id>
#查看授权
confluent iam rbac role-binding list --principal User:test --role SystemAdmin --connect-cluster <connect-cluster-id> --kafka-cluster <kafka-cluster-id>
#删除授权
confluent iam rbac role-binding delete --principal User:test --role SystemAdmin --connect-cluster <connect-cluster-id> --kafka-cluster <kafka-cluster-id>Connector
支持配置的角色有:
DeveloperManage
DeveloperRead
DeveloperWrite
ResourceOwner
示例:为用户test授予所有Connector ResourceOwner角色
#创建授权
confluent iam rbac role-binding create --principal User:test --role ResourceOwner --resource Connector:* --connect-cluster <connect-cluster-id> --kafka-cluster <kafka-cluster-id>
#查看授权
confluent iam rbac role-binding list --principal User:test --role ResourceOwner --resource Connector:* --connect-cluster <connect-cluster-id> --kafka-cluster <kafka-cluster-id>
#删除授权
confluent iam rbac role-binding delete --principal User:test --role ResourceOwner --resource Connector:* --connect-cluster <connect-cluster-id> --kafka-cluster <kafka-cluster-id>该文章对您有帮助吗?