安装和使用Confluent CLI

本文介绍如何安装和使用云消息队列 Confluent 版的命令行界面(CLI)。

安装Confluent CLI

  1. 下载Confluent CLI并安装最新的二进制文件。

  2. 将PATH环境设置为包含您在上一步中下载CLI二进制文件的目录。

    export PATH=<$CONFLUENT_HOME>/bin:<$CONFLUENT_HOME>:${PATH};
  3. (可选)如果CLI存储日志和数据的默认目录中没有足够的空间,可以将CONFLUENT_CURRENT环境变量设置到指定的目录。

    export CONFLUENT_CURRENT=<Directory you want to use for CLI logs and data>
  4. 在命令行终端窗口中输入如下命令。

    confluent
  5. 命令执行后,应返回类似如下结构。

    Manage your Confluent Platform.
    
    Usage:
        confluent [command]
    
     Available Commands:
        completion  Print Shell completion code.
        help        Help about any command
        iam         Manage RBAC and IAM permissions.
        local       Manage a local Confluent Platform development environment.
        login       Log in to Confluent Platform. This is required for RBAC.
        logout      Log out of Confluent Platform.
        secret      Manage secrets for Confluent Platform.
        update      Update the confluent CLI.
        version     Print the confluent CLI version.
    
     Flags:
        -h, --help            help for confluent
        -v, --verbose count   Increase verbosity (-v for warn, -vv for info, -vvv for debug, -vvvv for trace).
            --version         version for confluent
    
     Use "confluent [command] --help" for more information about a command.
  6. 验证mds地址是否可以正常登录。

    confluent login --url https://mds-xxxxxxxxx.csp.aliyuncs.com:443 --ca-cert-path xxxxx.pem
    Enter your Confluent credentials:
    Username: your-username
    Password: your-password

    预期输出:

    Logged in as "your-username"

登录Confluent CLI

  1. 使用Confluent CLI需要首先登录MDS服务,MDS服务使用用户名/密码的方式进行登录认证,并使用HTTPS协议进行加密传输。

    用户名/密码:用户名/密码在云消息队列 Confluent 版控制台的用户管理页面中管理。如果需要创建新用户,请参见用户管理

  2. 在您的终端执行如下命令登录MDS服务。

    confluent login --url https://mds-xxxxxxxxx.csp.aliyuncs.com:443 --ca-cert-path xxxxx.pem
    Enter your Confluent credentials:
    Username: your-username
    Password: your-password

    预期结果如下,表示登录成功。

    Logged in as "your-username"

使用Confluent CLI管理RBAC权限

说明

云消息队列 Confluent 版预置了系统角色,您可以基于这些预置的角色进行权限的管理,预置角色详情,请参见预置角色介绍。在使用Confluent CLI进行权限管理操作前,您应先登录MDS服务。

查看IAM角色列表

云消息队列 Confluent 版中,IAM(Identity and Access Management)角色用于定义不同用户和服务对资源的访问权限。这些权限通常是以RBAC(Role-Based Access Control)的形式实施的,意味着用户或服务通过被分配角色来获取特定的权限集合。

执行以下命令,查看该角色有权执行的资源类型和操作。

confluent iam role list [flags]

Flags

-o, --output string    Specify the output format as "human", "json", or "yaml". (default "human")
    --context string   CLI context name.

Global Flags

-h, --help            Show help for this command.
-v, --verbose count   Increase verbosity (-v for warn, -vv for info, -vvv for debug, -vvvv for trace).

查看IAM角色详情

执行以下命令,查看指定角色允许的资源和操作。

confluent iam role describe <name> [flags]

Flags

-o, --output string    Specify the output format as "human", "json", or "yaml". (default "human")
    --context string   CLI context name.

Global Flags

-h, --help            Show help for this command.
-v, --verbose count   Increase verbosity (-v for warn, -vv for info, -vvv for debug, -vvvv for trace).

IAM角色绑定

执行以下命令,给指定的用户授予集群相关角色的权限。

confluent iam rolebinding create [flags]

Flags

--role string                         REQUIRED: Role name of the new role binding.
    --principal string                    REQUIRED: Qualified principal name for the role binding.
    --prefix                              Whether the provided resource name is treated as a prefix pattern.
    --resource string                     Qualified resource name for the role binding.
    --kafka-cluster-id string             Kafka cluster ID for the role binding.
    --schema-registry-cluster-id string   Schema Registry cluster ID for the role binding.
    --ksql-cluster-id string              ksqlDB cluster ID for the role binding.
    --connect-cluster-id string           Kafka Connect cluster ID for the role binding.
    --cluster-name string                 Cluster name to uniquely identify the cluster for rolebinding listings.
-o, --output string                       Specify the output format as "human", "json", or "yaml". (default "human")
    --context string                      CLI context name.

Global Flags

-h, --help            Show help for this command.
-v, --verbose count   Increase verbosity (-v for warn, -vv for info, -vvv for debug, -vvvv for trace).

示例如下:

#给用户sr-read绑定集群$CID的registry schema只读权限
confluent iam rolebinding create --principal User:sr-read --role DeveloperRead --resource Subject:* --kafka-cluster-id $CID --schema-registry-cluster-id id_schemaregistry_confluent
#给用户sr-admin绑定集群$CID的registry schema所有权限
confluent iam rolebinding create --principal User:sr-admin --role SystemAdmin --resource Subject:* --kafka-cluster-id $CID --schema-registry-cluster-id id_schemaregistry_confluent

查看角色权限绑定情况

执行以下命令,查询特定用户、角色以及特定范围的角色绑定情况。

confluent iam rolebinding list [flags]

Flags

--principal string                    Principal whose rolebindings should be listed.
    --current-user                        Show rolebindings belonging to current user.
    --role string                         List rolebindings under a specific role given to a principal. Or if no principal is specified, list principals with the role.
    --kafka-cluster-id string             Kafka cluster ID for scope of rolebinding listings.
    --resource string                     If specified with a role and no principals, list principals with rolebindings to the role for this qualified resource.
    --schema-registry-cluster-id string   Schema Registry cluster ID for scope of rolebinding listings.
    --ksql-cluster-id string              ksqlDB cluster ID for scope of rolebinding listings.
    --connect-cluster-id string           Kafka Connect cluster ID for scope of rolebinding listings.
    --cluster-name string                 Cluster name to uniquely identify the cluster for rolebinding listings.
-o, --output string                       Specify the output format as "human", "json", or "yaml". (default "human")
    --context string                      CLI context name.

Global Flags

-h, --help            Show help for this command.
-v, --verbose count   Increase verbosity (-v for warn, -vv for info, -vvv for debug, -vvvv for trace).

例如,查看$CID集群SystemAdmin的绑定情况 ,示例如下:

confluent iam rolebinding list --kafka-cluster-id $CID --role SystemAdmin

删除用户的角色绑定

执行以下命令,删除角色绑定。

confluent iam rolebinding delete [flags]

Flags

--role string                         REQUIRED: Role name of the existing role binding.
    --principal string                    REQUIRED: Qualified principal name associated with the role binding.
    --prefix                              Whether the provided resource name is treated as a prefix pattern.
    --resource string                     Qualified resource name associated with the role binding.
    --kafka-cluster-id string             Kafka cluster ID for the role binding.
    --schema-registry-cluster-id string   Schema Registry cluster ID for the role binding.
    --ksql-cluster-id string              ksqlDB cluster ID for the role binding.
    --connect-cluster-id string           Kafka Connect cluster ID for the role binding.
    --cluster-name string                 Cluster name to uniquely identify the cluster for rolebinding listings.
-o, --output string                       Specify the output format as "human", "json", or "yaml". (default "human")
    --context string                      CLI context name.

Global Flags

-h, --help            Show help for this command.
-v, --verbose count   Increase verbosity (-v for warn, -vv for info, -vvv for debug, -vvvv for trace).

例如,删除用户sr-read的集群$CID schema registry只读权限,示例如下:

confluent iam rolebinding  delete --kafka-cluster-id $CID --schema-registry-cluster-id id_schemaregistry_confluent --principal User:sr-read --resource "Subject:*" --role DeveloperRead

使用Confluent CLI进行管理ACL

云消息队列 Confluent 版使用MDS服务管理ACL权限。

创建限制

单个集群ACL的条目最多可达1000条。

创建ACL

执行以下命令,创建ACL。

confluent iam acl create [flags]

Flags

--kafka-cluster-id string   REQUIRED: Kafka cluster ID for scope of ACL commands.
--allow                     ACL permission to allow access.
--deny                      ACL permission to restrict access to resource.
--principal string          REQUIRED: Principal for this operation with User: or Group: prefix.
--host string               Set host for access. Only IP addresses are supported. (default "*")
--operation string          REQUIRED: Set ACL Operation to: (all, alter, alter-configs, cluster-action, create, delete, describe, describe-configs, idempotent-write, read, write).
--cluster-scope             Set the cluster resource. With this option the ACL grants
                            access to the provided operations on the Kafka cluster itself.
--consumer-group string     Set the Consumer Group resource.
--transactional-id string   Set the TransactionalID resource.
--topic string              Set the topic resource. With this option the ACL grants the provided
                            operations on the topics that start with that prefix, depending on whether
                            the --prefix option was also passed.
--prefix                    Set to match all resource names prefixed with this value.
--context string            CLI context name.

Global Flags

-h, --help            Show help for this command.
-v, --verbose count   Increase verbosity (-v for warn, -vv for info, -vvv for debug, -vvvv for trace).
重要
  • confluent iam acl支持 IPv6 地址,但不支持IP范围和子网。

  • 默认情况下,没有ACL显示授权的访问都将被拒绝。同时,您也可以使用--deny来明确排除某些ACL访问。-deny选项的优先级比--allow选项高。

  • 可以使用ACL对group和user进行权限管理,支持*通配符来对所有主体授权。

  • 创建ACL时,可以使用--prefix前缀模式来对指定前缀的资源进行授权。例如,如果在命令中包含--topic abc- 和--prefix,它将影响名称以abc-开头的所有topic资源的权限。

例如,您将创建一个ACL,规定IP为198.51.xx.xx的用户Bob可以从对指定Kafka集群的test-topic执行读取操作,您可以通过执行以下命令进行授权。

confluent iam acl create --allow --principal User:Bob --operation READ --host 198.51.xx.xx --topic test-topic  --kafka-cluster-id  <kafka-cluster-id>

以下命令允许所有用户从指定的Kafka集群的test-topic中读取数据,但拒绝用户BadBob读取该数据。

confluent iam acl create --allow --principal User:'*' --operation READ --topic test-topic --kafka-cluster-id <kafka-cluster-id> 
confluent iam acl create --deny --principal User:BadBob --operation READ --topic test-topic  --kafka-cluster-id <kafka-cluster-id>

删除ACL

执行以下命令,删除ACL。

confluent iam acl delete [flags]

Flags

--kafka-cluster-id string   REQUIRED: Kafka cluster ID for scope of ACL commands.
--allow                     ACL permission to allow access.
--deny                      ACL permission to restrict access to resource.
--principal string          REQUIRED: Principal for this operation with User: or Group: prefix.
--host string               REQUIRED: Set host for access. Only IP addresses are supported. (default "*")
--operation string          REQUIRED: Set ACL Operation to: (all, alter, alter-configs, cluster-action, create, delete, describe, describe-configs, idempotent-write, read, write).
--cluster-scope             Set the cluster resource. With this option the ACL grants
                            access to the provided operations on the Kafka cluster itself.
--consumer-group string     Set the Consumer Group resource.
--transactional-id string   Set the TransactionalID resource.
--topic string              Set the topic resource. With this option the ACL grants the provided
                            operations on the topics that start with that prefix, depending on whether
                            the --prefix option was also passed.
--prefix                    Set to match all resource names prefixed with this value.
--context string            CLI context name.

Global Flags

-h, --help            Show help for this command.
-v, --verbose count   Increase verbosity (-v for warn, -vv for info, -vvv for debug, -vvvv for trace).

示例如下:

confluent iam acl delete --allow --principal User:Bob --operation READ --host 198.51.100.0 --topic test-topic  --kafka-cluster-id  <kafka-cluster-id>

如果要删除使用前缀模式创建的ACL,请执行以下操作。

confluent iam acl create --allow --principal User:Jane --prefix  --topic test-topic --kafka-cluster-id <kafka-cluster-id>

查看ACL

执行以下命令,查看ACL。

confluent iam acl list [flags]

Flags

--kafka-cluster-id string   REQUIRED: Kafka cluster ID for scope of ACL commands.
    --allow                     ACL permission to allow access.
    --deny                      ACL permission to restrict access to resource.
    --principal string          Principal for this operation with User: or Group: prefix.
    --host string               Set host for access. Only IP addresses are supported. (default "*")
    --operation string          Set ACL Operation to: (all, alter, alter-configs, cluster-action, create, delete, describe, describe-configs, idempotent-write, read, write).
    --cluster-scope             Set the cluster resource. With this option the ACL grants
                                access to the provided operations on the Kafka cluster itself.
    --consumer-group string     Set the Consumer Group resource.
    --transactional-id string   Set the TransactionalID resource.
    --topic string              Set the topic resource. With this option the ACL grants the provided
                                operations on the topics that start with that prefix, depending on whether
                                the --prefix option was also passed.
    --prefix                    Set to match all resource names prefixed with this value.
-o, --output string             Specify the output format as "human", "json", or "yaml". (default "human")
    --context string            CLI context name.

Global Flags

-h, --help            Show help for this command.
-v, --verbose count   Increase verbosity (-v for warn, -vv for info, -vvv for debug, -vvvv for trace).

例如,列出指定集群的所有ACL,示例如下:

confluent iam acl list --kafka-cluster-id <kafka-cluster-id>

相关文档

Confluent CLI命令手册,请参见Confluent CLI Command Reference