Install and use the Confluent CLI

This topic describes how to install and use the command-line interface (CLI) of ApsaraMQ for Confluent.

Install the Confluent CLI

  1. Download the Confluent CLI and install the latest binary.

  2. Add the directory that contains the CLI binary to your PATH.

    export PATH=<path-to-cli>:$PATH
  3. (Optional) If the default directory where the CLI keeps its logs and data does not have enough space, point the CONFLUENT_CURRENT environment variable at a directory of your choice.

    export CONFLUENT_CURRENT=<path-to-confluent-local-data>
  4. Run the following command in a terminal window.

    confluent
  5. The command prints output with a structure similar to the following.

    Manage your Confluent Platform.
    
    Usage:
      confluent [command]
    
    Available Commands:
      audit-log            Manage audit log configuration.
      cloud-signup         Sign up for Confluent Cloud.
      cluster              Retrieve metadata about Confluent Platform clusters.
      completion           Print shell completion code.
      configuration        Configure the Confluent CLI.
      connect              Manage Kafka Connect.
      context              Manage CLI configuration contexts.
      flink                Manage Apache Flink.
      help                 Help about any command
      iam                  Manage RBAC, ACL and IAM permissions.
      kafka                Manage Apache Kafka.
      ksql                 Manage ksqlDB.
      local                Manage a local Confluent Platform development environment.
      login                Log in to Confluent Cloud or Confluent Platform.
      logout               Log out of Confluent Platform.
      plugin               Manage Confluent plugins.
      prompt               Add Confluent CLI context to your terminal prompt.
      schema-registry      Manage Schema Registry.
      secret               Manage secrets for Confluent Platform.
      shell                Start an interactive shell.
      update               Update the Confluent CLI.
      version              Show version of the Confluent CLI.
    
    Flags:
          --version         Show version of the Confluent CLI.
      -h, --help            Show help for this command.
          --unsafe-trace    Equivalent to -vvvv, but also log HTTP requests and responses which might contain plaintext secrets.
      -v, --verbose count   Increase verbosity (-v for warn, -vv for info, -vvv for debug, -vvvv for trace).
    
    Use "confluent [command] --help" for more information about a command.

Log in with the Confluent CLI

  1. Before you can use the Confluent CLI you must log in to the MDS (Metadata Service). MDS authenticates with a username and password and encrypts the session with HTTPS. You need three things:

    • Username/password: users are managed on the User Management page of the ApsaraMQ for Confluent console. If you create a new user, you must also grant it permissions; see User management and authorization.

    • MDS endpoint: obtained from the Access Links and Interfaces page of the ApsaraMQ for Confluent console. The example below uses the public endpoint.

    • Certificate: downloaded from the Certificates section of the instance details page of the ApsaraMQ for Confluent console.

  2. Run the following command in your terminal to log in to MDS. Keep the --certificate-authority-path flag: it is what lets the CLI verify the MDS server certificate instead of trusting whatever answers at the public endpoint. Do not add --unsafe-trace except for one-off debugging; as the CLI help states, it logs full HTTP requests and responses, which can contain plaintext secrets. For scripted use, the Confluent CLI also reads the credentials from the CONFLUENT_PLATFORM_USERNAME and CONFLUENT_PLATFORM_PASSWORD environment variables (confirm with confluent login --help for your CLI version), which keeps the password out of shell history.

    confluent login --url https://pub-kafka-xxxxxxxxx.csp.aliyuncs.com:443 --certificate-authority-path  xxxxx.pem
    Enter your Confluent credentials:
    Username: your-username
    Password: your-password

    Output like the following indicates that the login succeeded.

    [root@iZbp13z******** cli]# confluent login --url https://pub-kafka-xxxxxxxxx.csp.aliyuncs.com:443 --certificate-authority-path  xxxxx.pem
    Enter your Confluent credentials:
    Username: root
    Password: ********
    [root@iZbp13z******** cli]# 

View cluster information with the Confluent CLI

Most Confluent CLI commands need the ID of the cluster they act on; query the IDs as shown below. The url argument for each service comes from the Access Links and Interfaces page of the ApsaraMQ for Confluent console. For example, the public endpoint of the ksqlDB service looks like https://pub-ksqldb-xxxxxxxxxxx.csp.aliyuncs.com:443

# Describe the Kafka cluster
confluent cluster describe --url <mds-url>

# Describe the Schema Registry cluster
confluent cluster describe --url <schema-registry-url>

# Describe the ksqlDB cluster
confluent cluster describe --url <ksqldb-url>

Manage RBAC permissions with the Confluent CLI

Note

ApsaraMQ for Confluent ships with predefined system roles, and you manage permissions by binding principals to these roles; for the list of roles, see Predefined roles. Log in to MDS before running any of the permission-management commands below.

The following are the main Confluent CLI commands for managing RBAC permissions; for more operations, see Confluent CLI RBAC authorization examples.

List IAM roles

In ApsaraMQ for Confluent, IAM (Identity and Access Management) roles define what access different users and services have to resources. These permissions are enforced as RBAC (Role-Based Access Control): a user or service obtains a specific set of permissions by being assigned a role.

Run the following command to list every role together with the resource types and operations it is allowed to perform.

confluent iam rbac role list

Describe an IAM role

Run the following command to view the resources and operations a given role allows.

confluent iam rbac role describe <name> [flags]

Flags

    --client-cert-path string   Path to client cert to be verified by MDS. Include for mTLS authentication.
    --client-key-path string    Path to client private key, include for mTLS authentication.
    --context string            CLI context name.
-o, --output string             Specify the output format as "human", "json", or "yaml". (default "human")

Global Flags

 -h, --help            Show help for this command.
     --unsafe-trace    Equivalent to -vvvv, but also log HTTP requests and responses which might contain plaintext secrets.
 -v, --verbose count   Increase verbosity (-v for warn, -vv for info, -vvv for debug, -vvvv for trace).

Create an IAM role binding

Run the following command to grant a principal a role within a cluster scope.

confluent iam rbac role-binding create [flags]

Flags

      --role string                      REQUIRED: Role name of the new role binding.
      --principal string                 REQUIRED: Principal type and identifier using "Prefix:ID" format.
      --kafka-cluster string             Kafka cluster ID for the role binding.
      --schema-registry-cluster string   Schema Registry cluster ID for the role binding.
      --ksql-cluster string              ksqlDB cluster ID for the role binding.
      --connect-cluster string           Kafka Connect cluster ID for the role binding.
      --cmf string                       Confluent Managed Flink (CMF) ID, which specifies the CMF scope.
      --flink-environment string         Flink environment ID, which specifies the Flink environment scope.
      --cluster-name string              Cluster name to uniquely identify the cluster for role binding listings.
      --context string                   CLI context name.
      --resource string                  Resource type and identifier using "Prefix:ID" format.
      --prefix                           Whether the provided resource name is treated as a prefix pattern.
      --client-cert-path string          Path to client cert to be verified by MDS. Include for mTLS authentication.
      --client-key-path string           Path to client private key, include for mTLS authentication.
  -o, --output string                    Specify the output format as "human", "json", or "yaml". (default "human")

Global Flags

  -h, --help            Show help for this command.
      --unsafe-trace    Equivalent to -vvvv, but also log HTTP requests and responses which might contain plaintext secrets.
  -v, --verbose count   Increase verbosity (-v for warn, -vv for info, -vvv for debug, -vvvv for trace).

Examples:

# Grant user sr-read read-only access to every subject in the Schema Registry attached to the Kafka cluster
confluent iam rbac role-binding create --principal User:sr-read --role DeveloperRead --resource Subject:* --kafka-cluster <kafka-cluster-id> --schema-registry-cluster <schema-registry-cluster-id>

# Grant user sr-admin full (SystemAdmin) rights over the Schema Registry attached to the Kafka cluster.
# SystemAdmin is a super-user role within that scope: reserve it for break-glass accounts and
# prefer a resource-scoped Developer* role for day-to-day access.
confluent iam rbac role-binding create --principal User:sr-admin --role SystemAdmin  --kafka-cluster <kafka-cluster-id> --schema-registry-cluster <schema-registry-cluster-id>

List role bindings

Run the following command to query the role bindings for a given principal, role, or scope.

confluent iam rbac role-binding list [flags]

Flags

      --principal string                 Principal ID, which limits role bindings to this principal. If unspecified, list all principals and role bindings.
      --current-user                     List role bindings assigned to the current user.
      --role string                      Predefined role assigned to "--principal". If "--principal" is unspecified, list all principals assigned the role.
      --kafka-cluster string             Kafka cluster ID, which specifies the Kafka cluster scope.
      --schema-registry-cluster string   Schema Registry cluster ID, which specifies the Schema Registry cluster scope.
      --ksql-cluster string              ksqlDB cluster ID, which specifies the ksqlDB cluster scope.
      --connect-cluster string           Kafka Connect cluster ID, which specifies the Connect cluster scope.
      --cmf string                       Confluent Managed Flink (CMF) ID, which specifies the CMF scope.
      --flink-environment string         Flink environment ID, which specifies the Flink environment scope.
      --client-cert-path string          Path to client cert to be verified by MDS. Include for mTLS authentication.
      --client-key-path string           Path to client private key, include for mTLS authentication.
      --context string                   CLI context name.
      --cluster-name string              Cluster name, which specifies the cluster scope.
      --resource string                  Resource type and identifier using "Prefix:ID" format. If specified with "--role" and no principals, list all principals and role bindings.
      --inclusive                        List role bindings for specified scopes and nested scopes. Otherwise, list role bindings for the specified scopes. If scopes are unspecified, list only organization-scoped role bindings.
  -o, --output string                    Specify the output format as "human", "json", or "yaml". (default "human")

Global Flags

  -h, --help            Show help for this command.
      --unsafe-trace    Equivalent to -vvvv, but also log HTTP requests and responses which might contain plaintext secrets.
  -v, --verbose count   Increase verbosity (-v for warn, -vv for info, -vvv for debug, -vvvv for trace).

Examples:

# List the principals that hold DeveloperRead on the Schema Registry attached to the Kafka cluster
confluent iam rbac role-binding list  --role DeveloperRead --kafka-cluster <kafka-cluster-id> --schema-registry-cluster <schema-registry-cluster-id>

# List the principals that hold SystemAdmin on the Schema Registry attached to the Kafka cluster
confluent iam rbac role-binding list  --role SystemAdmin --kafka-cluster <kafka-cluster-id> --schema-registry-cluster <schema-registry-cluster-id>

Delete a user's role binding

Run the following command to delete a role binding. Specify the same role, principal, scope and resource that were used when the binding was created.

confluent iam rbac role-binding delete [flags]

Flags

      --role string                      REQUIRED: Role name of the existing role binding.
      --principal string                 REQUIRED: Principal type and identifier using "Prefix:ID" format.
      --force                            Skip the deletion confirmation prompt.
      --kafka-cluster string             Kafka cluster ID for the role binding.
      --schema-registry-cluster string   Schema Registry cluster ID for the role binding.
      --ksql-cluster string              ksqlDB cluster ID for the role binding.
      --connect-cluster string           Kafka Connect cluster ID for the role binding.
      --cmf string                       Confluent Managed Flink (CMF) ID, which specifies the CMF scope.
      --flink-environment string         Flink environment ID, which specifies the Flink environment scope.
      --cluster-name string              Cluster name to uniquely identify the cluster for role binding listings.
      --context string                   CLI context name.
      --resource string                  Resource type and identifier using "Prefix:ID" format.
      --prefix                           Whether the provided resource name is treated as a prefix pattern.
      --client-cert-path string          Path to client cert to be verified by MDS. Include for mTLS authentication.
      --client-key-path string           Path to client private key, include for mTLS authentication.
  -o, --output string                    Specify the output format as "human", "json", or "yaml". (default "human")

Global Flags

  -h, --help            Show help for this command.
      --unsafe-trace    Equivalent to -vvvv, but also log HTTP requests and responses which might contain plaintext secrets.
  -v, --verbose count   Increase verbosity (-v for warn, -vv for info, -vvv for debug, -vvvv for trace).

Examples:

# Remove user sr-read's read-only access to the Schema Registry attached to the Kafka cluster
confluent iam rbac role-binding delete --principal User:sr-read --role DeveloperRead --resource Subject:* --kafka-cluster <kafka-cluster-id> --schema-registry-cluster <schema-registry-cluster-id>

# Remove user sr-admin's SystemAdmin rights over the Schema Registry attached to the Kafka cluster
confluent iam rbac role-binding delete --principal User:sr-admin --role SystemAdmin  --kafka-cluster <kafka-cluster-id> --schema-registry-cluster <schema-registry-cluster-id>
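The create, list and delete commands above give you the bindings, but not a verdict on whether they follow least privilege. The following script is an added example, not code from the original page or from Confluent: it reads the JSON that `confluent iam rbac role-binding list -o json` emits and flags administrative roles and wildcard resources bound to non-read roles. The JSON field names (principal, role, resource_type, name, pattern_type) are an assumption modelled on the CLI's human-readable columns and must be checked against your CLI version; the sample records are constructed to mirror the page's sr-read and sr-admin bindings plus two hypothetical app-writer bindings.

```python
"""Least-privilege check over `confluent iam rbac role-binding list -o json` output.

Added, constructed example (not from the original page or from Confluent).
ASSUMPTION: the JSON keys below (principal, role, resource_type, name,
pattern_type) mirror the CLI's human-readable columns; verify them against
the actual output of your CLI version before relying on this script.
"""
import json
import sys

# Confluent Platform predefined roles that confer administrative power within
# their scope (the page uses SystemAdmin; the others are CP's standard role names).
ADMIN_ROLES = {"SystemAdmin", "ClusterAdmin", "SecurityAdmin", "UserAdmin"}
# A wildcard resource is usually acceptable for read-only roles.
READ_ONLY_ROLES = {"DeveloperRead"}

# Constructed sample, NOT real CLI output: the page's two bindings plus two
# hypothetical app-writer bindings (one wildcard, one prefixed).
SAMPLE_JSON = json.dumps([
    {"principal": "User:sr-read", "role": "DeveloperRead",
     "resource_type": "Subject", "name": "*", "pattern_type": "LITERAL"},
    {"principal": "User:sr-admin", "role": "SystemAdmin",
     "resource_type": "", "name": "", "pattern_type": ""},
    {"principal": "User:app-writer", "role": "DeveloperWrite",
     "resource_type": "Subject", "name": "*", "pattern_type": "LITERAL"},
    {"principal": "User:app-writer", "role": "DeveloperWrite",
     "resource_type": "Subject", "name": "orders-", "pattern_type": "PREFIXED"},
])


def audit_role_bindings(raw_json):
    """Return a list of (principal, role, reason) for bindings worth a second look."""
    findings = []
    for binding in json.loads(raw_json):
        principal = binding.get("principal", "?")
        role = binding.get("role", "?")
        name = binding.get("name") or ""
        if role in ADMIN_ROLES:
            findings.append((principal, role,
                             "administrative role bound at cluster scope; prefer a "
                             "narrower, resource-scoped role"))
        elif name == "*" and role not in READ_ONLY_ROLES:
            findings.append((principal, role,
                             f"wildcard {binding.get('resource_type', '')} resource with a "
                             "non-read role; scope it to a literal name or a prefix"))
    return findings


if __name__ == "__main__":
    # Pipe real output in, e.g.:
    #   confluent iam rbac role-binding list --kafka-cluster <id> \
    #       --schema-registry-cluster <id> -o json | python3 audit_bindings.py
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_JSON
    for principal, role, reason in audit_role_bindings(raw):
        print(f"{principal} [{role}]: {reason}")
```

Run against the sample, the script reports sr-admin (SystemAdmin at cluster scope) and the wildcard DeveloperWrite binding, and stays silent on sr-read's wildcard read and on the prefixed write binding. Treat the role lists as a starting point to tune for your environment.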

Manage ACLs with the Confluent CLI

The following are the main Confluent CLI commands for managing ACLs; for details, see confluent iam acl.

Creation limit

A single cluster can hold at most 1,000 ACL entries.

Create an ACL

Run the following command to create an ACL.

confluent iam acl create [flags]

Flags

--kafka-cluster string      REQUIRED: Kafka cluster ID for scope of ACL commands.
--principal string          REQUIRED: Principal for this operation, prefixed with "User:" or "Group:".
--operation string          REQUIRED: Set ACL Operation to: (all, alter, alter-configs, cluster-action, create, delete, describe, describe-configs, idempotent-write, read, write).
--host string               Set host for access. Only IP addresses are supported. (default "*")
--allow                     ACL permission to allow access.
--deny                      ACL permission to restrict access to resource.
--cluster-scope             Set the cluster resource. With this option the ACL grants access to the provided operations on the Kafka cluster itself.
--consumer-group string     Set the Consumer Group resource.
--transactional-id string   Set the TransactionalID resource.
--topic string              Set the topic resource. With this option the ACL grants the provided operations on the topics that start with that prefix, depending on whether the "--prefix" option was also passed.
--prefix                    Set to match all resource names prefixed with this value.
--client-cert-path string   Path to client cert to be verified by MDS. Include for mTLS authentication.
--client-key-path string    Path to client private key, include for mTLS authentication.
--context string            CLI context name.

Global Flags

-h, --help            Show help for this command.
    --unsafe-trace    Equivalent to -vvvv, but also log HTTP requests and responses which might contain plaintext secrets.
-v, --verbose count   Increase verbosity (-v for warn, -vv for info, -vvv for debug, -vvvv for trace).
Important
  • confluent iam acl accepts IPv6 addresses, but not IP ranges or subnets.

  • By default, any access that is not explicitly granted by an ACL is denied. You can also use --deny to explicitly exclude specific access; a --deny entry takes precedence over a matching --allow entry.

  • ACLs can be granted to individual users or to groups (principals prefixed User: or Group:), and the * wildcard grants access to all principals.

  • When creating an ACL, use --prefix to grant access to every resource whose name starts with the given prefix. For example, passing --topic abc- together with --prefix affects the permissions of all topics whose names begin with abc-.

For example, to create an ACL that allows user Bob, connecting from IP address 198.51.xx.xx, to read test-topic on the specified Kafka cluster, run:

confluent iam acl create --allow --principal User:Bob --operation READ --host 198.51.xx.xx --topic test-topic  --kafka-cluster <kafka-cluster-id>

The following two commands allow every user to read test-topic on the specified Kafka cluster but deny that read to user BadBob. Because --deny wins, BadBob is refused even though the wildcard --allow also matches him. Note that the wildcard allow also matches Bob from any host, so the host restriction in the previous example no longer limits him once this ACL exists.

confluent iam acl create --allow --principal User:'*' --operation READ --topic test-topic --kafka-cluster <kafka-cluster-id> 

confluent iam acl create --deny --principal User:BadBob --operation READ --topic test-topic  --kafka-cluster <kafka-cluster-id>
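To make the decision rules in the Important list above concrete (default deny, --deny beating --allow, the User:* wildcard, --prefix matching and per-host entries), here is an added example that is not code from the original page or from Confluent: a small evaluator that applies those rules to ACL entries mirroring the Bob, User:* and BadBob commands above plus a prefixed write grant. Assumptions: 198.51.100.10 is a documentation address standing in for the page's elided 198.51.xx.xx, and the operation implications of real Kafka (for example READ implying DESCRIBE) are deliberately not modelled.

```python
"""Kafka ACL decision logic as the page describes it.

Added, constructed example (not from the original page or from Confluent).
Rules modelled: default deny; a matching DENY overrides any ALLOW; User:*
matches every principal; a prefix entry matches resource names that start
with it; host '*' matches any client address, otherwise the host must match
exactly (no ranges or subnets). Real Kafka's implied operations (READ implies
DESCRIBE, etc.) are NOT modelled. 198.51.100.10 is a documentation address.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Acl:
    principal: str       # "User:Bob", "Group:ops", or the wildcard "User:*"
    permission: str      # "ALLOW" or "DENY"
    operation: str       # READ, WRITE, ALL, ...
    resource_type: str   # TOPIC, GROUP, CLUSTER, TRANSACTIONAL_ID
    resource_name: str   # literal name, or a prefix when prefix=True
    prefix: bool = False
    host: str = "*"      # a single IP address or '*'


def _matches(acl, principal, operation, resource_type, resource_name, host):
    """True if this ACL entry applies to the request."""
    if acl.principal not in ("User:*", principal):
        return False
    if acl.operation not in ("ALL", operation):
        return False
    if acl.resource_type != resource_type:
        return False
    if acl.host not in ("*", host):
        return False
    if acl.prefix:
        return resource_name.startswith(acl.resource_name)
    return acl.resource_name in ("*", resource_name)


def authorize(acls, principal, operation, resource_type, resource_name, host):
    """Allow only if some ALLOW entry matches and no DENY entry matches."""
    hits = [a for a in acls
            if _matches(a, principal, operation, resource_type, resource_name, host)]
    if any(a.permission == "DENY" for a in hits):
        return False                                        # deny wins
    return any(a.permission == "ALLOW" for a in hits)       # default deny


# Constructed entries mirroring the page's `confluent iam acl create` examples.
SAMPLE_ACLS = [
    # --allow --principal User:Bob --operation READ --host 198.51.100.10 --topic test-topic
    Acl("User:Bob", "ALLOW", "READ", "TOPIC", "test-topic", host="198.51.100.10"),
    # --allow --principal User:'*' --operation READ --topic test-topic
    Acl("User:*", "ALLOW", "READ", "TOPIC", "test-topic"),
    # --deny --principal User:BadBob --operation READ --topic test-topic
    Acl("User:BadBob", "DENY", "READ", "TOPIC", "test-topic"),
    # --allow --principal User:Bob --operation WRITE --topic abc- --prefix
    Acl("User:Bob", "ALLOW", "WRITE", "TOPIC", "abc-", prefix=True),
]


def decisions(acls=SAMPLE_ACLS):
    """Evaluate a fixed set of topic requests; keys are (principal, op, topic, host)."""
    requests = [
        ("User:Bob",    "READ",     "test-topic", "198.51.100.10"),
        ("User:Bob",    "READ",     "test-topic", "203.0.113.7"),  # admitted by User:*
        ("User:Alice",  "READ",     "test-topic", "203.0.113.7"),
        ("User:BadBob", "READ",     "test-topic", "203.0.113.7"),  # DENY beats wildcard
        ("User:Bob",    "WRITE",    "abc-orders", "203.0.113.7"),  # prefix match
        ("User:Bob",    "WRITE",    "xyz-orders", "203.0.113.7"),
        ("User:Alice",  "WRITE",    "abc-orders", "203.0.113.7"),
        ("User:Bob",    "DESCRIBE", "test-topic", "198.51.100.10"),  # nothing grants it
    ]
    return {r: authorize(acls, r[0], r[1], "TOPIC", r[2], r[3]) for r in requests}


if __name__ == "__main__":
    for (who, op, topic, host), ok in decisions().items():
        print(f"{who:12} {op:8} {topic:12} from {host:14} -> {'ALLOW' if ok else 'DENY'}")
```

Two results are worth noticing: BadBob is refused although the wildcard allow matches him, and Bob is admitted from 203.0.113.7 although his own entry is pinned to 198.51.100.10, because the wildcard entry grants him the read from anywhere. Evaluating the first entry alone shows the host pin does work on its own; it is the broader allow that makes it moot.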

List ACLs

Run the following command to list ACLs.

confluent iam acl list [flags]

Flags

    --kafka-cluster string      REQUIRED: Kafka cluster ID for scope of ACL commands.
    --principal string          Principal for this operation, prefixed with "User:" or "Group:".
    --operation string          Set ACL Operation to: (all, alter, alter-configs, cluster-action, create, delete, describe, describe-configs, idempotent-write, read, write).
    --host string               Set host for access. Only IP addresses are supported. (default "*")
    --allow                     ACL permission to allow access.
    --deny                      ACL permission to restrict access to resource.
    --cluster-scope             Set the cluster resource. With this option the ACL grants access to the provided operations on the Kafka cluster itself.
    --consumer-group string     Set the Consumer Group resource.
    --transactional-id string   Set the TransactionalID resource.
    --topic string              Set the topic resource. With this option the ACL grants the provided operations on the topics that start with that prefix, depending on whether the "--prefix" option was also passed.
    --prefix                    Set to match all resource names prefixed with this value.
    --client-cert-path string   Path to client cert to be verified by MDS. Include for mTLS authentication.
    --client-key-path string    Path to client private key, include for mTLS authentication.
    --context string            CLI context name.
-o, --output string             Specify the output format as "human", "json", or "yaml". (default "human")

Global Flags

-h, --help            Show help for this command.
    --unsafe-trace    Equivalent to -vvvv, but also log HTTP requests and responses which might contain plaintext secrets.
-v, --verbose count   Increase verbosity (-v for warn, -vv for info, -vvv for debug, -vvvv for trace).

For example, to list all ACLs on a given cluster:

confluent iam acl list --kafka-cluster <kafka-cluster-id>

Delete an ACL

Run the following command to delete an ACL. The entry is identified by the same principal, operation, host, permission and resource that were used to create it, so --host must be given explicitly here.

confluent iam acl delete [flags]

Flags

--kafka-cluster string      REQUIRED: Kafka cluster ID for scope of ACL commands.
--principal string          REQUIRED: Principal for this operation, prefixed with "User:" or "Group:".
--operation string          REQUIRED: Set ACL Operation to: (all, alter, alter-configs, cluster-action, create, delete, describe, describe-configs, idempotent-write, read, write).
--host string               REQUIRED: Set host for access. Only IP addresses are supported. (default "*")
--allow                     ACL permission to allow access.
--deny                      ACL permission to restrict access to resource.
--cluster-scope             Set the cluster resource. With this option the ACL grants access to the provided operations on the Kafka cluster itself.
--consumer-group string     Set the Consumer Group resource.
--transactional-id string   Set the TransactionalID resource.
--topic string              Set the topic resource. With this option the ACL grants the provided operations on the topics that start with that prefix, depending on whether the "--prefix" option was also passed.
--prefix                    Set to match all resource names prefixed with this value.
--client-cert-path string   Path to client cert to be verified by MDS. Include for mTLS authentication.
--client-key-path string    Path to client private key, include for mTLS authentication.
--force                     Skip the deletion confirmation prompt.
--context string            CLI context name.

Global Flags

-h, --help            Show help for this command.
    --unsafe-trace    Equivalent to -vvvv, but also log HTTP requests and responses which might contain plaintext secrets.
-v, --verbose count   Increase verbosity (-v for warn, -vv for info, -vvv for debug, -vvvv for trace).

Example:

confluent iam acl delete --allow --principal User:Bob --operation READ --host 198.51.xx.xx --topic test-topic  --kafka-cluster <kafka-cluster-id>

References

For the full Confluent CLI command manual, see Confluent CLI Command Reference.