本文介绍如何安装和使用云消息队列 Confluent 版的命令行界面(CLI)。
安装Confluent CLI
下载Confluent CLI并安装最新的二进制文件。
将PATH环境设置为包含您在上一步中下载CLI二进制文件的目录。
export PATH=<$CONFLUENT_HOME>/bin:<$CONFLUENT_HOME>:${PATH};
(可选)如果CLI存储日志和数据的默认目录中没有足够的空间,可以将CONFLUENT_CURRENT环境变量设置到指定的目录。
export CONFLUENT_CURRENT=<Directory you want to use for CLI logs and data>
在命令行终端窗口中输入如下命令。
confluent
命令执行后,应返回类似如下结构。
Manage your Confluent Platform. Usage: confluent [command] Available Commands: completion Print Shell completion code. help Help about any command iam Manage RBAC and IAM permissions. local Manage a local Confluent Platform development environment. login Log in to Confluent Platform. This is required for RBAC. logout Log out of Confluent Platform. secret Manage secrets for Confluent Platform. update Update the confluent CLI. version Print the confluent CLI version. Flags: -h, --help help for confluent -v, --verbose count Increase verbosity (-v for warn, -vv for info, -vvv for debug, -vvvv for trace). --version version for confluent Use "confluent [command] --help" for more information about a command.
验证mds地址是否可以正常登录。
confluent login --url https://mds-xxxxxxxxx.csp.aliyuncs.com:443 --ca-cert-path xxxxx.pem Enter your Confluent credentials: Username: your-username Password: your-password
预期输出:
Logged in as "your-username"
登录Confluent CLI
使用Confluent CLI需要首先登录MDS服务,MDS服务使用用户名/密码的方式进行登录认证,并使用HTTPS协议进行加密传输。
用户名/密码:用户名/密码在云消息队列 Confluent 版控制台的用户管理页面中管理。如果需要创建新用户,请参见用户管理。
在您的终端执行如下命令登录MDS服务。
confluent login --url https://mds-xxxxxxxxx.csp.aliyuncs.com:443 --ca-cert-path xxxxx.pem Enter your Confluent credentials: Username: your-username Password: your-password
预期结果如下,表示登录成功。
Logged in as "your-username"
使用Confluent CLI管理RBAC权限
云消息队列 Confluent 版预置了系统角色,您可以基于这些预置的角色进行权限的管理,预置角色详情,请参见预置角色介绍。在使用Confluent CLI进行权限管理操作前,您应先登录MDS服务。
查看IAM角色列表
在云消息队列 Confluent 版中,IAM(Identity and Access Management)角色用于定义不同用户和服务对资源的访问权限。这些权限通常是以RBAC(Role-Based Access Control)的形式实施的,意味着用户或服务通过被分配角色来获取特定的权限集合。
执行以下命令,查看该角色有权执行的资源类型和操作。
confluent iam role list [flags]
Flags
-o, --output string Specify the output format as "human", "json", or "yaml". (default "human")
--context string CLI context name.
Global Flags
-h, --help Show help for this command.
-v, --verbose count Increase verbosity (-v for warn, -vv for info, -vvv for debug, -vvvv for trace).
查看IAM角色详情
执行以下命令,查看指定角色允许的资源和操作。
confluent iam role describe <name> [flags]
Flags
-o, --output string Specify the output format as "human", "json", or "yaml". (default "human")
--context string CLI context name.
Global Flags
-h, --help Show help for this command.
-v, --verbose count Increase verbosity (-v for warn, -vv for info, -vvv for debug, -vvvv for trace).
IAM角色绑定
执行以下命令,给指定的用户授予集群相关角色的权限。
confluent iam rolebinding create [flags]
Flags
--role string REQUIRED: Role name of the new role binding.
--principal string REQUIRED: Qualified principal name for the role binding.
--prefix Whether the provided resource name is treated as a prefix pattern.
--resource string Qualified resource name for the role binding.
--kafka-cluster-id string Kafka cluster ID for the role binding.
--schema-registry-cluster-id string Schema Registry cluster ID for the role binding.
--ksql-cluster-id string ksqlDB cluster ID for the role binding.
--connect-cluster-id string Kafka Connect cluster ID for the role binding.
--cluster-name string Cluster name to uniquely identify the cluster for rolebinding listings.
-o, --output string Specify the output format as "human", "json", or "yaml". (default "human")
--context string CLI context name.
Global Flags
-h, --help Show help for this command.
-v, --verbose count Increase verbosity (-v for warn, -vv for info, -vvv for debug, -vvvv for trace).
示例如下:
#给用户sr-read绑定集群$CID的registry schema只读权限
confluent iam rolebinding create --principal User:sr-read --role DeveloperRead --resource Subject:* --kafka-cluster-id $CID --schema-registry-cluster-id id_schemaregistry_confluent
#给用户sr-admin绑定集群$CID的registry schema所有权限
confluent iam rolebinding create --principal User:sr-admin --role SystemAdmin --resource Subject:* --kafka-cluster-id $CID --schema-registry-cluster-id id_schemaregistry_confluent
查看角色权限绑定情况
执行以下命令,查询特定用户、角色以及特定范围的角色绑定情况。
confluent iam rolebinding list [flags]
Flags
--principal string Principal whose rolebindings should be listed.
--current-user Show rolebindings belonging to current user.
--role string List rolebindings under a specific role given to a principal. Or if no principal is specified, list principals with the role.
--kafka-cluster-id string Kafka cluster ID for scope of rolebinding listings.
--resource string If specified with a role and no principals, list principals with rolebindings to the role for this qualified resource.
--schema-registry-cluster-id string Schema Registry cluster ID for scope of rolebinding listings.
--ksql-cluster-id string ksqlDB cluster ID for scope of rolebinding listings.
--connect-cluster-id string Kafka Connect cluster ID for scope of rolebinding listings.
--cluster-name string Cluster name to uniquely identify the cluster for rolebinding listings.
-o, --output string Specify the output format as "human", "json", or "yaml". (default "human")
--context string CLI context name.
Global Flags
-h, --help Show help for this command.
-v, --verbose count Increase verbosity (-v for warn, -vv for info, -vvv for debug, -vvvv for trace).
例如,查看$CID集群SystemAdmin的绑定情况 ,示例如下:
confluent iam rolebinding list --kafka-cluster-id $CID --role SystemAdmin
删除用户的角色绑定
执行以下命令,删除角色绑定。
confluent iam rolebinding delete [flags]
Flags
--role string REQUIRED: Role name of the existing role binding.
--principal string REQUIRED: Qualified principal name associated with the role binding.
--prefix Whether the provided resource name is treated as a prefix pattern.
--resource string Qualified resource name associated with the role binding.
--kafka-cluster-id string Kafka cluster ID for the role binding.
--schema-registry-cluster-id string Schema Registry cluster ID for the role binding.
--ksql-cluster-id string ksqlDB cluster ID for the role binding.
--connect-cluster-id string Kafka Connect cluster ID for the role binding.
--cluster-name string Cluster name to uniquely identify the cluster for rolebinding listings.
-o, --output string Specify the output format as "human", "json", or "yaml". (default "human")
--context string CLI context name.
Global Flags
-h, --help Show help for this command.
-v, --verbose count Increase verbosity (-v for warn, -vv for info, -vvv for debug, -vvvv for trace).
例如,删除用户sr-read的集群$CID schema registry只读权限,示例如下:
confluent iam rolebinding delete --kafka-cluster-id $CID --schema-registry-cluster-id id_schemaregistry_confluent --principal User:sr-read --resource "Subject:*" --role DeveloperRead
使用Confluent CLI进行管理ACL
云消息队列 Confluent 版使用MDS服务管理ACL权限。
创建限制
单个集群ACL的条目最多可达1000条。
创建ACL
执行以下命令,创建ACL。
confluent iam acl create [flags]
Flags
--kafka-cluster-id string REQUIRED: Kafka cluster ID for scope of ACL commands.
--allow ACL permission to allow access.
--deny ACL permission to restrict access to resource.
--principal string REQUIRED: Principal for this operation with User: or Group: prefix.
--host string Set host for access. Only IP addresses are supported. (default "*")
--operation string REQUIRED: Set ACL Operation to: (all, alter, alter-configs, cluster-action, create, delete, describe, describe-configs, idempotent-write, read, write).
--cluster-scope Set the cluster resource. With this option the ACL grants
access to the provided operations on the Kafka cluster itself.
--consumer-group string Set the Consumer Group resource.
--transactional-id string Set the TransactionalID resource.
--topic string Set the topic resource. With this option the ACL grants the provided
operations on the topics that start with that prefix, depending on whether
the --prefix option was also passed.
--prefix Set to match all resource names prefixed with this value.
--context string CLI context name.
Global Flags
-h, --help Show help for this command.
-v, --verbose count Increase verbosity (-v for warn, -vv for info, -vvv for debug, -vvvv for trace).
confluent iam acl支持 IPv6 地址,但不支持IP范围和子网。
默认情况下,没有ACL显示授权的访问都将被拒绝。同时,您也可以使用--deny来明确排除某些ACL访问。-deny选项的优先级比--allow选项高。
可以使用ACL对group和user进行权限管理,支持*通配符来对所有主体授权。
创建ACL时,可以使用--prefix前缀模式来对指定前缀的资源进行授权。例如,如果在命令中包含--topic abc- 和--prefix,它将影响名称以abc-开头的所有topic资源的权限。
例如,您将创建一个ACL,规定IP为198.51.xx.xx的用户Bob可以从对指定Kafka集群的test-topic执行读取操作,您可以通过执行以下命令进行授权。
confluent iam acl create --allow --principal User:Bob --operation READ --host 198.51.xx.xx --topic test-topic --kafka-cluster-id <kafka-cluster-id>
以下命令允许所有用户从指定的Kafka集群的test-topic中读取数据,但拒绝用户BadBob读取该数据。
confluent iam acl create --allow --principal User:'*' --operation READ --topic test-topic --kafka-cluster-id <kafka-cluster-id>
confluent iam acl create --deny --principal User:BadBob --operation READ --topic test-topic --kafka-cluster-id <kafka-cluster-id>
删除ACL
执行以下命令,删除ACL。
confluent iam acl delete [flags]
Flags
--kafka-cluster-id string REQUIRED: Kafka cluster ID for scope of ACL commands.
--allow ACL permission to allow access.
--deny ACL permission to restrict access to resource.
--principal string REQUIRED: Principal for this operation with User: or Group: prefix.
--host string REQUIRED: Set host for access. Only IP addresses are supported. (default "*")
--operation string REQUIRED: Set ACL Operation to: (all, alter, alter-configs, cluster-action, create, delete, describe, describe-configs, idempotent-write, read, write).
--cluster-scope Set the cluster resource. With this option the ACL grants
access to the provided operations on the Kafka cluster itself.
--consumer-group string Set the Consumer Group resource.
--transactional-id string Set the TransactionalID resource.
--topic string Set the topic resource. With this option the ACL grants the provided
operations on the topics that start with that prefix, depending on whether
the --prefix option was also passed.
--prefix Set to match all resource names prefixed with this value.
--context string CLI context name.
Global Flags
-h, --help Show help for this command.
-v, --verbose count Increase verbosity (-v for warn, -vv for info, -vvv for debug, -vvvv for trace).
示例如下:
confluent iam acl delete --allow --principal User:Bob --operation READ --host 198.51.100.0 --topic test-topic --kafka-cluster-id <kafka-cluster-id>
如果要删除使用前缀模式创建的ACL,请执行以下操作。
confluent iam acl create --allow --principal User:Jane --prefix --topic test-topic --kafka-cluster-id <kafka-cluster-id>
查看ACL
执行以下命令,查看ACL。
confluent iam acl list [flags]
Flags
--kafka-cluster-id string REQUIRED: Kafka cluster ID for scope of ACL commands.
--allow ACL permission to allow access.
--deny ACL permission to restrict access to resource.
--principal string Principal for this operation with User: or Group: prefix.
--host string Set host for access. Only IP addresses are supported. (default "*")
--operation string Set ACL Operation to: (all, alter, alter-configs, cluster-action, create, delete, describe, describe-configs, idempotent-write, read, write).
--cluster-scope Set the cluster resource. With this option the ACL grants
access to the provided operations on the Kafka cluster itself.
--consumer-group string Set the Consumer Group resource.
--transactional-id string Set the TransactionalID resource.
--topic string Set the topic resource. With this option the ACL grants the provided
operations on the topics that start with that prefix, depending on whether
the --prefix option was also passed.
--prefix Set to match all resource names prefixed with this value.
-o, --output string Specify the output format as "human", "json", or "yaml". (default "human")
--context string CLI context name.
Global Flags
-h, --help Show help for this command.
-v, --verbose count Increase verbosity (-v for warn, -vv for info, -vvv for debug, -vvvv for trace).
例如,列出指定集群的所有ACL,示例如下:
confluent iam acl list --kafka-cluster-id <kafka-cluster-id>
相关文档
Confluent CLI命令手册,请参见Confluent CLI Command Reference。