This topic describes how to install and use the command-line interface (CLI) of ApsaraMQ for Confluent.
Install the Confluent CLI
Download the Confluent CLI and install the latest binary.
Add the directory that contains the CLI binary to the PATH environment variable.
export PATH=<path-to-cli>:$PATH
(Optional) If the default directory in which the CLI stores its logs and data does not have enough free space, point the CONFLUENT_CURRENT environment variable at a directory of your choice.
export CONFLUENT_CURRENT=<path-to-confluent-local-data>
Run the following command in a terminal window.
confluent
The command should return output similar to the following.
Manage your Confluent Platform.

Usage:
  confluent [command]

Available Commands:
  audit-log        Manage audit log configuration.
  cloud-signup     Sign up for Confluent Cloud.
  cluster          Retrieve metadata about Confluent Platform clusters.
  completion       Print shell completion code.
  configuration    Configure the Confluent CLI.
  connect          Manage Kafka Connect.
  context          Manage CLI configuration contexts.
  flink            Manage Apache Flink.
  help             Help about any command
  iam              Manage RBAC, ACL and IAM permissions.
  kafka            Manage Apache Kafka.
  ksql             Manage ksqlDB.
  local            Manage a local Confluent Platform development environment.
  login            Log in to Confluent Cloud or Confluent Platform.
  logout           Log out of Confluent Platform.
  plugin           Manage Confluent plugins.
  prompt           Add Confluent CLI context to your terminal prompt.
  schema-registry  Manage Schema Registry.
  secret           Manage secrets for Confluent Platform.
  shell            Start an interactive shell.
  update           Update the Confluent CLI.
  version          Show version of the Confluent CLI.

Flags:
      --version         Show version of the Confluent CLI.
  -h, --help            Show help for this command.
      --unsafe-trace    Equivalent to -vvvv, but also log HTTP requests and responses which might contain plaintext secrets.
  -v, --verbose count   Increase verbosity (-v for warn, -vv for info, -vvv for debug, -vvvv for trace).

Use "confluent [command] --help" for more information about a command.
Log in with the Confluent CLI
Before you can use the Confluent CLI you must log in to the MDS service. The MDS service authenticates users with a username and password and encrypts the connection with HTTPS.
Username and password: usernames and passwords are managed on the User Management page of the ApsaraMQ for Confluent console. A newly created user must also be granted permissions before it can be used; see User management and authorization for details.
MDS service address: obtained from the Access Links and Ports page of the ApsaraMQ for Confluent console. The example below uses the public endpoint.
Certificate: downloaded from the Certificate section of the instance details page in the ApsaraMQ for Confluent console.
Run the following command in your terminal to log in to the MDS service.
confluent login --url https://pub-kafka-xxxxxxxxx.csp.aliyuncs.com:443 --certificate-authority-path xxxxx.pem
Enter your Confluent credentials:
Username: your-username
Password: your-password
Output similar to the following indicates that the login succeeded.
[root@iZbp13z******** cli]# confluent login --url https://pub-kafka-xxxxxxxxx.csp.aliyuncs.com:443 --certificate-authority-path xxxxx.pem
Enter your Confluent credentials:
Username: root
Password: ********
[root@iZbp13z******** cli]#
Query cluster information with the Confluent CLI
Confluent CLI commands need the ID of each cluster; you can look the IDs up as shown below. The url parameter of each service is obtained from the Access Links and Ports page of the ApsaraMQ for Confluent console. For example, the public endpoint of the ksqlDB service has the form https://pub-ksqldb-xxxxxxxxxxx.csp.aliyuncs.com:443.
# Query the Kafka cluster
confluent cluster describe --url <mds-url>
# Query the Schema Registry cluster
confluent cluster describe --url <schema-registry-url>
# Query the ksqlDB cluster
confluent cluster describe --url <ksqldb-url>
Manage RBAC permissions with the Confluent CLI
ApsaraMQ for Confluent ships with predefined system roles on which you can base your permission management; for details see Predefined roles. Log in to the MDS service before running any permission-management operation with the Confluent CLI.
The main commands for managing RBAC permissions with the Confluent CLI are described below. For more operations, see Confluent CLI RBAC authorization examples.
List IAM roles
In ApsaraMQ for Confluent, IAM (Identity and Access Management) roles define the access that different users and services have to resources. These permissions are normally enforced as RBAC (Role-Based Access Control): a user or service obtains a specific set of permissions by being assigned a role.
Run the following command to list all roles together with the resource types and operations each role is permitted to perform.
confluent iam rbac role list
Describe an IAM role
Run the following command to view the resources and operations that a specified role allows.
confluent iam rbac role describe <name> [flags]
Flags
--client-cert-path string Path to client cert to be verified by MDS. Include for mTLS authentication.
--client-key-path string Path to client private key, include for mTLS authentication.
--context string CLI context name.
-o, --output string Specify the output format as "human", "json", or "yaml". (default "human")
Global Flags
-h, --help Show help for this command.
--unsafe-trace Equivalent to -vvvv, but also log HTTP requests and responses which might contain plaintext secrets.
-v, --verbose count Increase verbosity (-v for warn, -vv for info, -vvv for debug, -vvvv for trace).
Create an IAM role binding
Run the following command to grant a specified user a role scoped to a cluster.
confluent iam rbac role-binding create [flags]
Flags
--role string REQUIRED: Role name of the new role binding.
--principal string REQUIRED: Principal type and identifier using "Prefix:ID" format.
--kafka-cluster string Kafka cluster ID for the role binding.
--schema-registry-cluster string Schema Registry cluster ID for the role binding.
--ksql-cluster string ksqlDB cluster ID for the role binding.
--connect-cluster string Kafka Connect cluster ID for the role binding.
--cmf string Confluent Managed Flink (CMF) ID, which specifies the CMF scope.
--flink-environment string Flink environment ID, which specifies the Flink environment scope.
--cluster-name string Cluster name to uniquely identify the cluster for role binding listings.
--context string CLI context name.
--resource string Resource type and identifier using "Prefix:ID" format.
--prefix Whether the provided resource name is treated as a prefix pattern.
--client-cert-path string Path to client cert to be verified by MDS. Include for mTLS authentication.
--client-key-path string Path to client private key, include for mTLS authentication.
-o, --output string Specify the output format as "human", "json", or "yaml". (default "human")
Global Flags
-h, --help Show help for this command.
--unsafe-trace Equivalent to -vvvv, but also log HTTP requests and responses which might contain plaintext secrets.
-v, --verbose count Increase verbosity (-v for warn, -vv for info, -vvv for debug, -vvvv for trace).
Examples:
# Grant user sr-read read-only permission on the Schema Registry of the Kafka cluster
confluent iam rbac role-binding create --principal User:sr-read --role DeveloperRead --resource Subject:* --kafka-cluster <kafka-cluster-id> --schema-registry-cluster <schema-registry-cluster-id>
# Grant user sr-admin full permissions on the Schema Registry of the Kafka cluster
confluent iam rbac role-binding create --principal User:sr-admin --role SystemAdmin --kafka-cluster <kafka-cluster-id> --schema-registry-cluster <schema-registry-cluster-id>
View role bindings
Run the following command to query the role bindings of a specific user or role within a specific scope.
confluent iam rbac role-binding list [flags]
Flags
--principal string Principal ID, which limits role bindings to this principal. If unspecified, list all principals and role bindings.
--current-user List role bindings assigned to the current user.
--role string Predefined role assigned to "--principal". If "--principal" is unspecified, list all principals assigned the role.
--kafka-cluster string Kafka cluster ID, which specifies the Kafka cluster scope.
--schema-registry-cluster string Schema Registry cluster ID, which specifies the Schema Registry cluster scope.
--ksql-cluster string ksqlDB cluster ID, which specifies the ksqlDB cluster scope.
--connect-cluster string Kafka Connect cluster ID, which specifies the Connect cluster scope.
--cmf string Confluent Managed Flink (CMF) ID, which specifies the CMF scope.
--flink-environment string Flink environment ID, which specifies the Flink environment scope.
--client-cert-path string Path to client cert to be verified by MDS. Include for mTLS authentication.
--client-key-path string Path to client private key, include for mTLS authentication.
--context string CLI context name.
--cluster-name string Cluster name, which specifies the cluster scope.
--resource string Resource type and identifier using "Prefix:ID" format. If specified with "--role" and no principals, list all principals and role bindings.
--inclusive List role bindings for specified scopes and nested scopes. Otherwise, list role bindings for the specified scopes. If scopes are unspecified, list only organization-scoped role bindings.
-o, --output string Specify the output format as "human", "json", or "yaml". (default "human")
Global Flags
-h, --help Show help for this command.
--unsafe-trace Equivalent to -vvvv, but also log HTTP requests and responses which might contain plaintext secrets.
-v, --verbose count Increase verbosity (-v for warn, -vv for info, -vvv for debug, -vvvv for trace).
Examples:
# List the read-only Schema Registry permissions on the Kafka cluster
confluent iam rbac role-binding list --role DeveloperRead --kafka-cluster <kafka-cluster-id> --schema-registry-cluster <schema-registry-cluster-id>
# List the full Schema Registry permissions on the Kafka cluster
confluent iam rbac role-binding list --role SystemAdmin --kafka-cluster <kafka-cluster-id> --schema-registry-cluster <schema-registry-cluster-id>
Delete a user's role binding
Run the following command to delete a role binding.
confluent iam rbac role-binding delete [flags]
Flags
--role string REQUIRED: Role name of the existing role binding.
--principal string REQUIRED: Principal type and identifier using "Prefix:ID" format.
--force Skip the deletion confirmation prompt.
--kafka-cluster string Kafka cluster ID for the role binding.
--schema-registry-cluster string Schema Registry cluster ID for the role binding.
--ksql-cluster string ksqlDB cluster ID for the role binding.
--connect-cluster string Kafka Connect cluster ID for the role binding.
--cmf string Confluent Managed Flink (CMF) ID, which specifies the CMF scope.
--flink-environment string Flink environment ID, which specifies the Flink environment scope.
--cluster-name string Cluster name to uniquely identify the cluster for role binding listings.
--context string CLI context name.
--resource string Resource type and identifier using "Prefix:ID" format.
--prefix Whether the provided resource name is treated as a prefix pattern.
--client-cert-path string Path to client cert to be verified by MDS. Include for mTLS authentication.
--client-key-path string Path to client private key, include for mTLS authentication.
-o, --output string Specify the output format as "human", "json", or "yaml". (default "human")
Global Flags
-h, --help Show help for this command.
--unsafe-trace Equivalent to -vvvv, but also log HTTP requests and responses which might contain plaintext secrets.
-v, --verbose count Increase verbosity (-v for warn, -vv for info, -vvv for debug, -vvvv for trace).
Examples:
# Remove the read-only Schema Registry permission of user sr-read on the Kafka cluster
confluent iam rbac role-binding delete --principal User:sr-read --role DeveloperRead --resource Subject:* --kafka-cluster <kafka-cluster-id> --schema-registry-cluster <schema-registry-cluster-id>
# Remove the full Schema Registry permissions of user sr-admin on the Kafka cluster
confluent iam rbac role-binding delete --principal User:sr-admin --role SystemAdmin --kafka-cluster <kafka-cluster-id> --schema-registry-cluster <schema-registry-cluster-id>
Manage ACLs with the Confluent CLI
The main commands for managing ACLs with the Confluent CLI are described below. For more details, see confluent iam acl.
Creation limit
A single cluster can hold at most 1000 ACL entries.
Create an ACL
Run the following command to create an ACL.
confluent iam acl create [flags]
Flags
--kafka-cluster string REQUIRED: Kafka cluster ID for scope of ACL commands.
--principal string REQUIRED: Principal for this operation, prefixed with "User:" or "Group:".
--operation string REQUIRED: Set ACL Operation to: (all, alter, alter-configs, cluster-action, create, delete, describe, describe-configs, idempotent-write, read, write).
--host string Set host for access. Only IP addresses are supported. (default "*")
--allow ACL permission to allow access.
--deny ACL permission to restrict access to resource.
--cluster-scope Set the cluster resource. With this option the ACL grants access to the provided operations on the Kafka cluster itself.
--consumer-group string Set the Consumer Group resource.
--transactional-id string Set the TransactionalID resource.
--topic string Set the topic resource. With this option the ACL grants the provided operations on the topics that start with that prefix, depending on whether the "--prefix" option was also passed.
--prefix Set to match all resource names prefixed with this value.
--client-cert-path string Path to client cert to be verified by MDS. Include for mTLS authentication.
--client-key-path string Path to client private key, include for mTLS authentication.
--context string CLI context name.
Global Flags
-h, --help Show help for this command.
--unsafe-trace Equivalent to -vvvv, but also log HTTP requests and responses which might contain plaintext secrets.
-v, --verbose count Increase verbosity (-v for warn, -vv for info, -vvv for debug, -vvvv for trace).
confluent iam acl supports IPv6 addresses, but not IP ranges or subnets.
By default, any access that is not explicitly granted by an ACL is denied. You can also use --deny to explicitly exclude access; the --deny option takes precedence over --allow.
ACLs can manage the permissions of both groups and users, and the * wildcard grants a permission to all principals.
When creating an ACL, you can use the --prefix option to authorize every resource whose name starts with a given prefix. For example, passing --topic abc- together with --prefix affects the permissions of all topics whose names begin with abc-.
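The following is an added example, not code from this page or from the Confluent CLI: a small Python model of the ACL rules just described (deny by default, --deny overriding --allow, the * wildcard for principals and hosts, --prefix matching) together with the --host restriction to single IPv4/IPv6 literals. The entries, principals and the IP 198.51.100.7 are constructed for the example.

```python
# Added example, not from the page or the Confluent CLI: a small model of the ACL
# rules described above (default deny, --deny beats --allow, "*" wildcards for
# principal and host, --prefix matching) and of the --host check, which accepts a
# single IPv4/IPv6 literal but no ranges or subnets.
import ipaddress
from dataclasses import dataclass

def validate_host(host: str) -> str:
    if host == "*":
        return host
    if "/" in host or "-" in host:
        raise ValueError(f"IP ranges and subnets are not supported: {host}")
    return str(ipaddress.ip_address(host))  # ValueError if it is not an IP address

def host_is_valid(host: str) -> bool:
    try:
        validate_host(host)
        return True
    except ValueError:
        return False

@dataclass(frozen=True)
class Acl:
    principal: str       # "User:Bob", "Group:ops" or the wildcard "User:*"
    operation: str       # e.g. "READ"
    topic: str           # exact topic name, or a name prefix when prefix=True
    allow: bool = True   # False models an entry created with --deny
    host: str = "*"      # "*" matches every client host
    prefix: bool = False # models --prefix

    def matches(self, principal: str, operation: str, topic: str, host: str) -> bool:
        p_ok = self.principal == principal or self.principal.endswith(":*")
        t_ok = topic.startswith(self.topic) if self.prefix else topic == self.topic
        o_ok = self.operation.upper() == operation.upper()
        return p_ok and t_ok and o_ok and self.host in ("*", host)

def is_allowed(acls, principal: str, operation: str, topic: str, host: str) -> bool:
    hits = [a for a in acls if a.matches(principal, operation, topic, host)]
    if any(not a.allow for a in hits):  # an explicit deny always wins over an allow
        return False
    return any(a.allow for a in hits)   # no allow matched: access is denied by default

# Constructed entries mirroring the page's examples; 198.51.100.7 stands in for 198.51.xx.xx.
SAMPLE_ACLS = [
    Acl("User:Bob", "READ", "test-topic", host=validate_host("198.51.100.7")),
    Acl("User:*", "READ", "test-topic"),
    Acl("User:BadBob", "READ", "test-topic", allow=False),
    Acl("Group:analytics", "READ", "abc-", prefix=True),  # --topic abc- --prefix
]
```

Evaluating SAMPLE_ACLS shows a caveat worth checking in your own ACL set: once the User:* allow entry exists, Bob's host-restricted entry no longer limits where Bob can read from, while the --deny entry still blocks BadBob regardless of the wildcard.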
For example, to create an ACL that lets user Bob read from test-topic on the specified Kafka cluster when connecting from IP address 198.51.xx.xx, run the following command.
confluent iam acl create --allow --principal User:Bob --operation READ --host 198.51.xx.xx --topic test-topic --kafka-cluster <kafka-cluster-id>
The following commands allow all users to read test-topic on the specified Kafka cluster, but deny user BadBob from reading it.
confluent iam acl create --allow --principal User:'*' --operation READ --topic test-topic --kafka-cluster <kafka-cluster-id>
confluent iam acl create --deny --principal User:BadBob --operation READ --topic test-topic --kafka-cluster <kafka-cluster-id>
List ACLs
Run the following command to list ACLs.
confluent iam acl list [flags]
Flags
--kafka-cluster string REQUIRED: Kafka cluster ID for scope of ACL commands.
--principal string Principal for this operation, prefixed with "User:" or "Group:".
--operation string Set ACL Operation to: (all, alter, alter-configs, cluster-action, create, delete, describe, describe-configs, idempotent-write, read, write).
--host string Set host for access. Only IP addresses are supported. (default "*")
--allow ACL permission to allow access.
--deny ACL permission to restrict access to resource.
--cluster-scope Set the cluster resource. With this option the ACL grants access to the provided operations on the Kafka cluster itself.
--consumer-group string Set the Consumer Group resource.
--transactional-id string Set the TransactionalID resource.
--topic string Set the topic resource. With this option the ACL grants the provided operations on the topics that start with that prefix, depending on whether the "--prefix" option was also passed.
--prefix Set to match all resource names prefixed with this value.
--client-cert-path string Path to client cert to be verified by MDS. Include for mTLS authentication.
--client-key-path string Path to client private key, include for mTLS authentication.
--context string CLI context name.
-o, --output string Specify the output format as "human", "json", or "yaml". (default "human")
Global Flags
-h, --help Show help for this command.
--unsafe-trace Equivalent to -vvvv, but also log HTTP requests and responses which might contain plaintext secrets.
-v, --verbose count Increase verbosity (-v for warn, -vv for info, -vvv for debug, -vvvv for trace).
For example, to list all ACLs of the specified cluster:
confluent iam acl list --kafka-cluster <kafka-cluster-id>
Delete an ACL
Run the following command to delete an ACL.
confluent iam acl delete [flags]
Flags
--kafka-cluster string REQUIRED: Kafka cluster ID for scope of ACL commands.
--principal string REQUIRED: Principal for this operation, prefixed with "User:" or "Group:".
--operation string REQUIRED: Set ACL Operation to: (all, alter, alter-configs, cluster-action, create, delete, describe, describe-configs, idempotent-write, read, write).
--host string REQUIRED: Set host for access. Only IP addresses are supported. (default "*")
--allow ACL permission to allow access.
--deny ACL permission to restrict access to resource.
--cluster-scope Set the cluster resource. With this option the ACL grants access to the provided operations on the Kafka cluster itself.
--consumer-group string Set the Consumer Group resource.
--transactional-id string Set the TransactionalID resource.
--topic string Set the topic resource. With this option the ACL grants the provided operations on the topics that start with that prefix, depending on whether the "--prefix" option was also passed.
--prefix Set to match all resource names prefixed with this value.
--client-cert-path string Path to client cert to be verified by MDS. Include for mTLS authentication.
--client-key-path string Path to client private key, include for mTLS authentication.
--force Skip the deletion confirmation prompt.
--context string CLI context name.
Global Flags
-h, --help Show help for this command.
--unsafe-trace Equivalent to -vvvv, but also log HTTP requests and responses which might contain plaintext secrets.
-v, --verbose count Increase verbosity (-v for warn, -vv for info, -vvv for debug, -vvvv for trace).
Example:
confluent iam acl delete --allow --principal User:Bob --operation READ --host 198.51.xx.xx --topic test-topic --kafka-cluster <kafka-cluster-id>
Related documents
For the Confluent CLI command manual, see Confluent CLI Command Reference.