diff --git a/src/UserGuide/Master/Tree/Tools-System/CLI_apache.md b/src/UserGuide/Master/Tree/Tools-System/CLI_apache.md index 665af2052..5261ff35a 100644 --- a/src/UserGuide/Master/Tree/Tools-System/CLI_apache.md +++ b/src/UserGuide/Master/Tree/Tools-System/CLI_apache.md 
@@ -133,117 +133,8 @@ Special commands of Cli are below. | `help` | Get hints for CLI special commands | | `exit/quit` | Exit CLI | -### 2.4 Note on using the CLI with OpenID Connect Auth enabled on Server side -Openid connect (oidc) uses keycloack as the authority authentication service of oidc service - - -#### configuration - -The configuration is located in iotdb-system.properties , set the author_provider_class is org.apache.iotdb.commons.auth.authorizer.OpenIdAuthorizer Openid service is enabled, and the default value is org.apache.iotdb.db.auth.authorizer.LocalFileAuthorizer Indicates that the openid service is not enabled. - -``` -authorizer_provider_class=org.apache.iotdb.commons.auth.authorizer.OpenIdAuthorizer -``` - -If the openid service is turned on, openid_URL is required,openID_url value is http://ip:port/realms/{realmsName} - -``` -openID_url=http://127.0.0.1:8080/realms/iotdb/ -``` - -#### keycloack configuration - -1、Download the keycloack file (This tutorial is version 21.1.0) and start keycloack in keycloack/bin - -```shell -Shell >cd bin -Shell >./kc.sh start-dev -``` - -2、use url(https://ip:port) login keycloack, the first login needs to create a user -![avatar](/img/UserGuide/CLI/Command-Line-Interface/login_keycloak.png?raw=true) - -3、Click administration console -![avatar](/img/UserGuide/CLI/Command-Line-Interface/AdministrationConsole.png?raw=true) - -4、In the master menu on the left, click Create realm and enter Realm name to create a new realm -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_Realm_1.jpg?raw=true) - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_Realm_2.jpg?raw=true) - - -5、Click the menu clients on the left to create clients - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/client.jpg?raw=true) - -6、Click user on the left menu to create user - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/user.jpg?raw=true) - -7、Click the newly created user ID, click the credentials navigation, enter the 
password and close the temporary option. The configuration of keycloud is completed - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/pwd.jpg?raw=true) - -8、To create a role, click Roles on the left menu and then click the Create Role button to add a role - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role1.jpg?raw=true) - -9、 Enter `iotdb_admin` in the Role Name and click the save button. Tip: `iotdb_admin` here cannot be any other name, otherwise even after successful login, you will not have permission to use iotdb's query, insert, create database, add users, roles and other functions - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role2.jpg?raw=true) - -10、Click on the User menu on the left and then click on the user in the user list to add the `iotdb_admin` role we just created for that user - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role3.jpg?raw=true) - -11、 Select Role Mappings, select the `iotdb_admin` role in Assign Role - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role4.jpg?raw=true) - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role5.jpg?raw=true) - - -Tip: If the user role is adjusted, you need to regenerate the token and log in to iotdb again to take effect - -The above steps provide a way for keycloak to log into iotdb. For more ways, please refer to keycloak configuration - -If OIDC is enabled on server side then no username / passwort is needed but a valid Access Token from the OIDC Provider. -So as username you use the token and the password has to be empty, e.g. - -```shell -Shell > bash sbin/start-cli.sh -h 10.129.187.21 -p 6667 -u {my-access-token} -pw "" -``` - -Among them, you need to replace {my access token} (note, including {}) with your token, that is, the value corresponding to access_token. The password is empty and needs to be confirmed again. 
- -![avatar](/img/UserGuide/CLI/Command-Line-Interface/iotdbpw.jpeg?raw=true) - - -How to get the token is dependent on your OpenID Connect setup and not covered here. -In the simplest case you can get this via the command line with the `passwort-grant`. -For example, if you use keycloack as OIDC and you have a realm with a client `iotdb` defined as public you could use -the following `curl` command to fetch a token (replace all `{}` with appropriate values). - -```shell -curl -X POST "https://{your-keycloack-server}/realms/{your-realm}/protocol/openid-connect/token" \ - -H "Content-Type: application/x-www-form-urlencoded" \ - -d "username={username}" \ - -d "password={password}" \ - -d 'grant_type=password' \ - -d "client_id=iotdb-client" -``` - -The response looks something like - -```json -{"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJxMS1XbTBvelE1TzBtUUg4LVNKYXAyWmNONE1tdWNXd25RV0tZeFpKNG93In0.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.nwbrJkWdCNjzFrTDwKNuV5h9dDMg5ytRKGOXmFIajpfsbOutJytjWTCB2WpA8E1YI3KM6gU6Jx7cd7u0oPo5syHhfCz119n_wBiDnyTZkFOAPsx0M2z20kvBLN9k36_VfuCMFUeddJjO31MeLTmxB0UKg2VkxdczmzMH3pnalhxqpnWWk3GnrRrhAf2sZog0foH4Ae3Ks0lYtYzaWK_Yo7E4Px42-gJpohy3JevOC44aJ4auzJR1RBj9LUbgcRinkBy0JLi6XXiYznSC2V485CSBHW3sseXn7pSXQADhnmGQrLfFGO5ZljmPO18eFJaimdjvgSChsrlSEmTDDsoo5Q","expires_in":300,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJhMzZlMGU0NC02MWNmLTQ5NmMtOGRlZi03NTkwNjQ5MzQzMjEifQ.eyJleHAiOjE1OTAzOTk1NzEsImlhdCI6MTU5MDM5Nzc3MSwianRpIjoiNmMxNTBiY2EtYmE5NC00NTgxLWEwODEtYjI2YzhhMmI5YmZmIiwiaXNzIjoiaHR0cDovL2F1dGguZGVtby5wcmFnbWF0aWNpbmR1c3RyaWVzLmRlL2F1dGgvcmVhbG1zL0lvVERCIiwiYXVkIjoiaHR0cDovL2F1dGguZGVtby5wcmFnbWF0aWNpbmR1c3RyaWVzLmRlL2F1dGgvcmVhbG1zL0lvVERCIiwic3ViIjoiYmEzMmU0NzEtYzc3Mi00YjMzLThkYTYtNmZlOGFjZGEwMDczIiwidHlwIjoiUmVmcmVzaCIsImF6cCI6ImlvdGRiIiwic2Vzc2lvbl9zdGF0ZSI6IjA2MGQyODYyLTE0ZWQtNDJmZS1iYWY3LThkMWY3ODQ2NTdmMSIsInNjb3BlIjoiZW1haWwgcHJvZmlsZSJ9.ayNpXdNX28qahodX1
zowrMGiUCw2AodlHBQFqr8Ui7c","token_type":"bearer","not-before-policy":0,"session_state":"060d2862-14ed-42fe-baf7-8d1f784657f1","scope":"email profile"} -``` - -The interesting part here is the access token with the key `access_token`. -This has to be passed as username (with parameter `-u`) and empty password to the CLI. - -### 2.5 Batch Operation of Cli +### 2.4 Batch Operation of Cli -e parameter is designed for the Cli/shell tool in the situation where you would like to manipulate IoTDB in batches through scripts. By using the -e parameter, you can operate IoTDB without entering the cli's input mode. diff --git a/src/UserGuide/Master/Tree/Tools-System/CLI_timecho.md b/src/UserGuide/Master/Tree/Tools-System/CLI_timecho.md index a756abe34..d2bf58f53 100644 --- a/src/UserGuide/Master/Tree/Tools-System/CLI_timecho.md +++ b/src/UserGuide/Master/Tree/Tools-System/CLI_timecho.md 
@@ -119,117 +119,8 @@ Special commands of Cli are below. | `help` | Get hints for CLI special commands | | `exit/quit` | Exit CLI | -## 4. Note on using the CLI with OpenID Connect Auth enabled on Server side -Openid connect (oidc) uses keycloack as the authority authentication service of oidc service - - -#### configuration - -The configuration is located in iotdb-system.properties , set the author_provider_class is org.apache.iotdb.commons.auth.authorizer.OpenIdAuthorizer Openid service is enabled, and the default value is org.apache.iotdb.db.auth.authorizer.LocalFileAuthorizer Indicates that the openid service is not enabled. - -``` -authorizer_provider_class=org.apache.iotdb.commons.auth.authorizer.OpenIdAuthorizer -``` - -If the openid service is turned on, openid_URL is required,openID_url value is http://ip:port/realms/{realmsName} - -``` -openID_url=http://127.0.0.1:8080/realms/iotdb/ -``` - -#### keycloack configuration - -1、Download the keycloack file (This tutorial is version 21.1.0) and start keycloack in keycloack/bin - -```shell -Shell >cd bin -Shell >./kc.sh start-dev -``` - -2、use url(https://ip:port) login keycloack, the first login needs to create a user -![avatar](/img/UserGuide/CLI/Command-Line-Interface/login_keycloak.png?raw=true) - -3、Click administration console -![avatar](/img/UserGuide/CLI/Command-Line-Interface/AdministrationConsole.png?raw=true) - -4、In the master menu on the left, click Create realm and enter Realm name to create a new realm -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_Realm_1.jpg?raw=true) - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_Realm_2.jpg?raw=true) - - -5、Click the menu clients on the left to create clients - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/client.jpg?raw=true) - -6、Click user on the left menu to create user - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/user.jpg?raw=true) - -7、Click the newly created user ID, click the credentials navigation, enter the 
password and close the temporary option. The configuration of keycloud is completed - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/pwd.jpg?raw=true) - -8、To create a role, click Roles on the left menu and then click the Create Role button to add a role - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role1.jpg?raw=true) - -9、 Enter `iotdb_admin` in the Role Name and click the save button. Tip: `iotdb_admin` here cannot be any other name, otherwise even after successful login, you will not have permission to use iotdb's query, insert, create database, add users, roles and other functions - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role2.jpg?raw=true) - -10、Click on the User menu on the left and then click on the user in the user list to add the `iotdb_admin` role we just created for that user - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role3.jpg?raw=true) - -11、 Select Role Mappings, select the `iotdb_admin` role in Assign Role - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role4.jpg?raw=true) - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role5.jpg?raw=true) - - -Tip: If the user role is adjusted, you need to regenerate the token and log in to iotdb again to take effect - -The above steps provide a way for keycloak to log into iotdb. For more ways, please refer to keycloak configuration - -If OIDC is enabled on server side then no username / passwort is needed but a valid Access Token from the OIDC Provider. -So as username you use the token and the password has to be empty, e.g. - -```shell -Shell > bash sbin/start-cli.sh -h 10.129.187.21 -p 6667 -u {my-access-token} -pw "" -``` - -Among them, you need to replace {my access token} (note, including {}) with your token, that is, the value corresponding to access_token. The password is empty and needs to be confirmed again. 
- -![avatar](/img/UserGuide/CLI/Command-Line-Interface/iotdbpw.jpeg?raw=true) - - -How to get the token is dependent on your OpenID Connect setup and not covered here. -In the simplest case you can get this via the command line with the `passwort-grant`. -For example, if you use keycloack as OIDC and you have a realm with a client `iotdb` defined as public you could use -the following `curl` command to fetch a token (replace all `{}` with appropriate values). - -```shell -curl -X POST "https://{your-keycloack-server}/realms/{your-realm}/protocol/openid-connect/token" \ - -H "Content-Type: application/x-www-form-urlencoded" \ - -d "username={username}" \ - -d "password={password}" \ - -d 'grant_type=password' \ - -d "client_id=iotdb-client" -``` - -The response looks something like - -```json -{"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJxMS1XbTBvelE1TzBtUUg4LVNKYXAyWmNONE1tdWNXd25RV0tZeFpKNG93In0.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.nwbrJkWdCNjzFrTDwKNuV5h9dDMg5ytRKGOXmFIajpfsbOutJytjWTCB2WpA8E1YI3KM6gU6Jx7cd7u0oPo5syHhfCz119n_wBiDnyTZkFOAPsx0M2z20kvBLN9k36_VfuCMFUeddJjO31MeLTmxB0UKg2VkxdczmzMH3pnalhxqpnWWk3GnrRrhAf2sZog0foH4Ae3Ks0lYtYzaWK_Yo7E4Px42-gJpohy3JevOC44aJ4auzJR1RBj9LUbgcRinkBy0JLi6XXiYznSC2V485CSBHW3sseXn7pSXQADhnmGQrLfFGO5ZljmPO18eFJaimdjvgSChsrlSEmTDDsoo5Q","expires_in":300,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJhMzZlMGU0NC02MWNmLTQ5NmMtOGRlZi03NTkwNjQ5MzQzMjEifQ.eyJleHAiOjE1OTAzOTk1NzEsImlhdCI6MTU5MDM5Nzc3MSwianRpIjoiNmMxNTBiY2EtYmE5NC00NTgxLWEwODEtYjI2YzhhMmI5YmZmIiwiaXNzIjoiaHR0cDovL2F1dGguZGVtby5wcmFnbWF0aWNpbmR1c3RyaWVzLmRlL2F1dGgvcmVhbG1zL0lvVERCIiwiYXVkIjoiaHR0cDovL2F1dGguZGVtby5wcmFnbWF0aWNpbmR1c3RyaWVzLmRlL2F1dGgvcmVhbG1zL0lvVERCIiwic3ViIjoiYmEzMmU0NzEtYzc3Mi00YjMzLThkYTYtNmZlOGFjZGEwMDczIiwidHlwIjoiUmVmcmVzaCIsImF6cCI6ImlvdGRiIiwic2Vzc2lvbl9zdGF0ZSI6IjA2MGQyODYyLTE0ZWQtNDJmZS1iYWY3LThkMWY3ODQ2NTdmMSIsInNjb3BlIjoiZW1haWwgcHJvZmlsZSJ9.ayNpXdNX28qahodX1
zowrMGiUCw2AodlHBQFqr8Ui7c","token_type":"bearer","not-before-policy":0,"session_state":"060d2862-14ed-42fe-baf7-8d1f784657f1","scope":"email profile"} -``` - -The interesting part here is the access token with the key `access_token`. -This has to be passed as username (with parameter `-u`) and empty password to the CLI. - -## 5. Batch Operation of Cli +## 4. Batch Operation of Cli -e parameter is designed for the Cli/shell tool in the situation where you would like to manipulate IoTDB in batches through scripts. By using the -e parameter, you can operate IoTDB without entering the cli's input mode. diff --git a/src/UserGuide/V1.3.x/Tools-System/CLI_apache.md b/src/UserGuide/V1.3.x/Tools-System/CLI_apache.md index 47a038952..0173bfe64 100644 --- a/src/UserGuide/V1.3.x/Tools-System/CLI_apache.md +++ b/src/UserGuide/V1.3.x/Tools-System/CLI_apache.md 
@@ -125,115 +125,6 @@ Special commands of Cli are below. | `help` | Get hints for CLI special commands | | `exit/quit` | Exit CLI | -### Note on using the CLI with OpenID Connect Auth enabled on Server side - -Openid connect (oidc) uses keycloack as the authority authentication service of oidc service - - -#### configuration - -The configuration is located in iotdb-system.properties , set the author_provider_class is org.apache.iotdb.commons.auth.authorizer.OpenIdAuthorizer Openid service is enabled, and the default value is org.apache.iotdb.db.auth.authorizer.LocalFileAuthorizer Indicates that the openid service is not enabled. - -``` -authorizer_provider_class=org.apache.iotdb.commons.auth.authorizer.OpenIdAuthorizer -``` - -If the openid service is turned on, openid_URL is required,openID_url value is http://ip:port/realms/{realmsName} - -``` -openID_url=http://127.0.0.1:8080/realms/iotdb/ -``` - -#### keycloack configuration - -1、Download the keycloack file (This tutorial is version 21.1.0) and start keycloack in keycloack/bin - -```shell -Shell >cd bin -Shell >./kc.sh start-dev -``` - -2、use url(https://ip:port) login keycloack, the first login needs to create a user -![avatar](/img/UserGuide/CLI/Command-Line-Interface/login_keycloak.png?raw=true) - -3、Click administration console -![avatar](/img/UserGuide/CLI/Command-Line-Interface/AdministrationConsole.png?raw=true) - -4、In the master menu on the left, click Create realm and enter Realm name to create a new realm -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_Realm_1.jpg?raw=true) - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_Realm_2.jpg?raw=true) - - -5、Click the menu clients on the left to create clients - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/client.jpg?raw=true) - -6、Click user on the left menu to create user - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/user.jpg?raw=true) - -7、Click the newly created user ID, click the credentials navigation, enter the 
password and close the temporary option. The configuration of keycloud is completed - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/pwd.jpg?raw=true) - -8、To create a role, click Roles on the left menu and then click the Create Role button to add a role - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role1.jpg?raw=true) - -9、 Enter `iotdb_admin` in the Role Name and click the save button. Tip: `iotdb_admin` here cannot be any other name, otherwise even after successful login, you will not have permission to use iotdb's query, insert, create database, add users, roles and other functions - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role2.jpg?raw=true) - -10、Click on the User menu on the left and then click on the user in the user list to add the `iotdb_admin` role we just created for that user - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role3.jpg?raw=true) - -11、 Select Role Mappings, select the `iotdb_admin` role in Assign Role - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role4.jpg?raw=true) - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role5.jpg?raw=true) - - -Tip: If the user role is adjusted, you need to regenerate the token and log in to iotdb again to take effect - -The above steps provide a way for keycloak to log into iotdb. For more ways, please refer to keycloak configuration - -If OIDC is enabled on server side then no username / passwort is needed but a valid Access Token from the OIDC Provider. -So as username you use the token and the password has to be empty, e.g. - -```shell -Shell > bash sbin/start-cli.sh -h 10.129.187.21 -p 6667 -u {my-access-token} -pw "" -``` - -Among them, you need to replace {my access token} (note, including {}) with your token, that is, the value corresponding to access_token. The password is empty and needs to be confirmed again. 
- -![avatar](/img/UserGuide/CLI/Command-Line-Interface/iotdbpw.jpeg?raw=true) - - -How to get the token is dependent on your OpenID Connect setup and not covered here. -In the simplest case you can get this via the command line with the `passwort-grant`. -For example, if you use keycloack as OIDC and you have a realm with a client `iotdb` defined as public you could use -the following `curl` command to fetch a token (replace all `{}` with appropriate values). - -```shell -curl -X POST "https://{your-keycloack-server}/realms/{your-realm}/protocol/openid-connect/token" \ - -H "Content-Type: application/x-www-form-urlencoded" \ - -d "username={username}" \ - -d "password={password}" \ - -d 'grant_type=password' \ - -d "client_id=iotdb-client" -``` - -The response looks something like - -```json -{"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJxMS1XbTBvelE1TzBtUUg4LVNKYXAyWmNONE1tdWNXd25RV0tZeFpKNG93In0.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.nwbrJkWdCNjzFrTDwKNuV5h9dDMg5ytRKGOXmFIajpfsbOutJytjWTCB2WpA8E1YI3KM6gU6Jx7cd7u0oPo5syHhfCz119n_wBiDnyTZkFOAPsx0M2z20kvBLN9k36_VfuCMFUeddJjO31MeLTmxB0UKg2VkxdczmzMH3pnalhxqpnWWk3GnrRrhAf2sZog0foH4Ae3Ks0lYtYzaWK_Yo7E4Px42-gJpohy3JevOC44aJ4auzJR1RBj9LUbgcRinkBy0JLi6XXiYznSC2V485CSBHW3sseXn7pSXQADhnmGQrLfFGO5ZljmPO18eFJaimdjvgSChsrlSEmTDDsoo5Q","expires_in":300,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJhMzZlMGU0NC02MWNmLTQ5NmMtOGRlZi03NTkwNjQ5MzQzMjEifQ.eyJleHAiOjE1OTAzOTk1NzEsImlhdCI6MTU5MDM5Nzc3MSwianRpIjoiNmMxNTBiY2EtYmE5NC00NTgxLWEwODEtYjI2YzhhMmI5YmZmIiwiaXNzIjoiaHR0cDovL2F1dGguZGVtby5wcmFnbWF0aWNpbmR1c3RyaWVzLmRlL2F1dGgvcmVhbG1zL0lvVERCIiwiYXVkIjoiaHR0cDovL2F1dGguZGVtby5wcmFnbWF0aWNpbmR1c3RyaWVzLmRlL2F1dGgvcmVhbG1zL0lvVERCIiwic3ViIjoiYmEzMmU0NzEtYzc3Mi00YjMzLThkYTYtNmZlOGFjZGEwMDczIiwidHlwIjoiUmVmcmVzaCIsImF6cCI6ImlvdGRiIiwic2Vzc2lvbl9zdGF0ZSI6IjA2MGQyODYyLTE0ZWQtNDJmZS1iYWY3LThkMWY3ODQ2NTdmMSIsInNjb3BlIjoiZW1haWwgcHJvZmlsZSJ9.ayNpXdNX28qahodX1
zowrMGiUCw2AodlHBQFqr8Ui7c","token_type":"bearer","not-before-policy":0,"session_state":"060d2862-14ed-42fe-baf7-8d1f784657f1","scope":"email profile"} -``` - -The interesting part here is the access token with the key `access_token`. -This has to be passed as username (with parameter `-u`) and empty password to the CLI. ### Batch Operation of Cli diff --git a/src/UserGuide/V1.3.x/Tools-System/CLI_timecho.md b/src/UserGuide/V1.3.x/Tools-System/CLI_timecho.md index dfc5fdc56..87376dca4 100644 --- a/src/UserGuide/V1.3.x/Tools-System/CLI_timecho.md +++ b/src/UserGuide/V1.3.x/Tools-System/CLI_timecho.md 
@@ -111,115 +111,6 @@ Special commands of Cli are below. | `help` | Get hints for CLI special commands | | `exit/quit` | Exit CLI | -## Note on using the CLI with OpenID Connect Auth enabled on Server side - -Openid connect (oidc) uses keycloack as the authority authentication service of oidc service - - -### configuration - -The configuration is located in iotdb-system.properties , set the author_provider_class is org.apache.iotdb.commons.auth.authorizer.OpenIdAuthorizer Openid service is enabled, and the default value is org.apache.iotdb.db.auth.authorizer.LocalFileAuthorizer Indicates that the openid service is not enabled. - -``` -authorizer_provider_class=org.apache.iotdb.commons.auth.authorizer.OpenIdAuthorizer -``` - -If the openid service is turned on, openid_URL is required,openID_url value is http://ip:port/realms/{realmsName} - -``` -openID_url=http://127.0.0.1:8080/realms/iotdb/ -``` - -### keycloack configuration - -1、Download the keycloack file (This tutorial is version 21.1.0) and start keycloack in keycloack/bin - -```shell -Shell >cd bin -Shell >./kc.sh start-dev -``` - -2、use url(https://ip:port) login keycloack, the first login needs to create a user -![avatar](/img/UserGuide/CLI/Command-Line-Interface/login_keycloak.png?raw=true) - -3、Click administration console -![avatar](/img/UserGuide/CLI/Command-Line-Interface/AdministrationConsole.png?raw=true) - -4、In the master menu on the left, click Create realm and enter Realm name to create a new realm -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_Realm_1.jpg?raw=true) - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_Realm_2.jpg?raw=true) - - -5、Click the menu clients on the left to create clients - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/client.jpg?raw=true) - -6、Click user on the left menu to create user - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/user.jpg?raw=true) - -7、Click the newly created user ID, click the credentials navigation, enter the 
password and close the temporary option. The configuration of keycloud is completed - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/pwd.jpg?raw=true) - -8、To create a role, click Roles on the left menu and then click the Create Role button to add a role - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role1.jpg?raw=true) - -9、 Enter `iotdb_admin` in the Role Name and click the save button. Tip: `iotdb_admin` here cannot be any other name, otherwise even after successful login, you will not have permission to use iotdb's query, insert, create database, add users, roles and other functions - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role2.jpg?raw=true) - -10、Click on the User menu on the left and then click on the user in the user list to add the `iotdb_admin` role we just created for that user - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role3.jpg?raw=true) - -11、 Select Role Mappings, select the `iotdb_admin` role in Assign Role - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role4.jpg?raw=true) - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role5.jpg?raw=true) - - -Tip: If the user role is adjusted, you need to regenerate the token and log in to iotdb again to take effect - -The above steps provide a way for keycloak to log into iotdb. For more ways, please refer to keycloak configuration - -If OIDC is enabled on server side then no username / passwort is needed but a valid Access Token from the OIDC Provider. -So as username you use the token and the password has to be empty, e.g. - -```shell -Shell > bash sbin/start-cli.sh -h 10.129.187.21 -p 6667 -u {my-access-token} -pw "" -``` - -Among them, you need to replace {my access token} (note, including {}) with your token, that is, the value corresponding to access_token. The password is empty and needs to be confirmed again. 
- -![avatar](/img/UserGuide/CLI/Command-Line-Interface/iotdbpw.jpeg?raw=true) - - -How to get the token is dependent on your OpenID Connect setup and not covered here. -In the simplest case you can get this via the command line with the `passwort-grant`. -For example, if you use keycloack as OIDC and you have a realm with a client `iotdb` defined as public you could use -the following `curl` command to fetch a token (replace all `{}` with appropriate values). - -```shell -curl -X POST "https://{your-keycloack-server}/realms/{your-realm}/protocol/openid-connect/token" \ - -H "Content-Type: application/x-www-form-urlencoded" \ - -d "username={username}" \ - -d "password={password}" \ - -d 'grant_type=password' \ - -d "client_id=iotdb-client" -``` - -The response looks something like - -```json -{"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJxMS1XbTBvelE1TzBtUUg4LVNKYXAyWmNONE1tdWNXd25RV0tZeFpKNG93In0.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.nwbrJkWdCNjzFrTDwKNuV5h9dDMg5ytRKGOXmFIajpfsbOutJytjWTCB2WpA8E1YI3KM6gU6Jx7cd7u0oPo5syHhfCz119n_wBiDnyTZkFOAPsx0M2z20kvBLN9k36_VfuCMFUeddJjO31MeLTmxB0UKg2VkxdczmzMH3pnalhxqpnWWk3GnrRrhAf2sZog0foH4Ae3Ks0lYtYzaWK_Yo7E4Px42-gJpohy3JevOC44aJ4auzJR1RBj9LUbgcRinkBy0JLi6XXiYznSC2V485CSBHW3sseXn7pSXQADhnmGQrLfFGO5ZljmPO18eFJaimdjvgSChsrlSEmTDDsoo5Q","expires_in":300,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJhMzZlMGU0NC02MWNmLTQ5NmMtOGRlZi03NTkwNjQ5MzQzMjEifQ.eyJleHAiOjE1OTAzOTk1NzEsImlhdCI6MTU5MDM5Nzc3MSwianRpIjoiNmMxNTBiY2EtYmE5NC00NTgxLWEwODEtYjI2YzhhMmI5YmZmIiwiaXNzIjoiaHR0cDovL2F1dGguZGVtby5wcmFnbWF0aWNpbmR1c3RyaWVzLmRlL2F1dGgvcmVhbG1zL0lvVERCIiwiYXVkIjoiaHR0cDovL2F1dGguZGVtby5wcmFnbWF0aWNpbmR1c3RyaWVzLmRlL2F1dGgvcmVhbG1zL0lvVERCIiwic3ViIjoiYmEzMmU0NzEtYzc3Mi00YjMzLThkYTYtNmZlOGFjZGEwMDczIiwidHlwIjoiUmVmcmVzaCIsImF6cCI6ImlvdGRiIiwic2Vzc2lvbl9zdGF0ZSI6IjA2MGQyODYyLTE0ZWQtNDJmZS1iYWY3LThkMWY3ODQ2NTdmMSIsInNjb3BlIjoiZW1haWwgcHJvZmlsZSJ9.ayNpXdNX28qahodX1
zowrMGiUCw2AodlHBQFqr8Ui7c","token_type":"bearer","not-before-policy":0,"session_state":"060d2862-14ed-42fe-baf7-8d1f784657f1","scope":"email profile"} -``` - -The interesting part here is the access token with the key `access_token`. -This has to be passed as username (with parameter `-u`) and empty password to the CLI. ## Batch Operation of Cli diff --git a/src/UserGuide/dev-1.3/Tools-System/CLI_apache.md b/src/UserGuide/dev-1.3/Tools-System/CLI_apache.md index 47a038952..0173bfe64 100644 --- a/src/UserGuide/dev-1.3/Tools-System/CLI_apache.md +++ b/src/UserGuide/dev-1.3/Tools-System/CLI_apache.md 
@@ -125,115 +125,6 @@ Special commands of Cli are below. | `help` | Get hints for CLI special commands | | `exit/quit` | Exit CLI | -### Note on using the CLI with OpenID Connect Auth enabled on Server side - -Openid connect (oidc) uses keycloack as the authority authentication service of oidc service - - -#### configuration - -The configuration is located in iotdb-system.properties , set the author_provider_class is org.apache.iotdb.commons.auth.authorizer.OpenIdAuthorizer Openid service is enabled, and the default value is org.apache.iotdb.db.auth.authorizer.LocalFileAuthorizer Indicates that the openid service is not enabled. - -``` -authorizer_provider_class=org.apache.iotdb.commons.auth.authorizer.OpenIdAuthorizer -``` - -If the openid service is turned on, openid_URL is required,openID_url value is http://ip:port/realms/{realmsName} - -``` -openID_url=http://127.0.0.1:8080/realms/iotdb/ -``` - -#### keycloack configuration - -1、Download the keycloack file (This tutorial is version 21.1.0) and start keycloack in keycloack/bin - -```shell -Shell >cd bin -Shell >./kc.sh start-dev -``` - -2、use url(https://ip:port) login keycloack, the first login needs to create a user -![avatar](/img/UserGuide/CLI/Command-Line-Interface/login_keycloak.png?raw=true) - -3、Click administration console -![avatar](/img/UserGuide/CLI/Command-Line-Interface/AdministrationConsole.png?raw=true) - -4、In the master menu on the left, click Create realm and enter Realm name to create a new realm -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_Realm_1.jpg?raw=true) - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_Realm_2.jpg?raw=true) - - -5、Click the menu clients on the left to create clients - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/client.jpg?raw=true) - -6、Click user on the left menu to create user - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/user.jpg?raw=true) - -7、Click the newly created user ID, click the credentials navigation, enter the 
password and close the temporary option. The configuration of keycloud is completed - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/pwd.jpg?raw=true) - -8、To create a role, click Roles on the left menu and then click the Create Role button to add a role - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role1.jpg?raw=true) - -9、 Enter `iotdb_admin` in the Role Name and click the save button. Tip: `iotdb_admin` here cannot be any other name, otherwise even after successful login, you will not have permission to use iotdb's query, insert, create database, add users, roles and other functions - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role2.jpg?raw=true) - -10、Click on the User menu on the left and then click on the user in the user list to add the `iotdb_admin` role we just created for that user - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role3.jpg?raw=true) - -11、 Select Role Mappings, select the `iotdb_admin` role in Assign Role - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role4.jpg?raw=true) - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role5.jpg?raw=true) - - -Tip: If the user role is adjusted, you need to regenerate the token and log in to iotdb again to take effect - -The above steps provide a way for keycloak to log into iotdb. For more ways, please refer to keycloak configuration - -If OIDC is enabled on server side then no username / passwort is needed but a valid Access Token from the OIDC Provider. -So as username you use the token and the password has to be empty, e.g. - -```shell -Shell > bash sbin/start-cli.sh -h 10.129.187.21 -p 6667 -u {my-access-token} -pw "" -``` - -Among them, you need to replace {my access token} (note, including {}) with your token, that is, the value corresponding to access_token. The password is empty and needs to be confirmed again. 
- -![avatar](/img/UserGuide/CLI/Command-Line-Interface/iotdbpw.jpeg?raw=true) - - -How to get the token is dependent on your OpenID Connect setup and not covered here. -In the simplest case you can get this via the command line with the `passwort-grant`. -For example, if you use keycloack as OIDC and you have a realm with a client `iotdb` defined as public you could use -the following `curl` command to fetch a token (replace all `{}` with appropriate values). - -```shell -curl -X POST "https://{your-keycloack-server}/realms/{your-realm}/protocol/openid-connect/token" \ - -H "Content-Type: application/x-www-form-urlencoded" \ - -d "username={username}" \ - -d "password={password}" \ - -d 'grant_type=password' \ - -d "client_id=iotdb-client" -``` - -The response looks something like - -```json -{"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJxMS1XbTBvelE1TzBtUUg4LVNKYXAyWmNONE1tdWNXd25RV0tZeFpKNG93In0.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.nwbrJkWdCNjzFrTDwKNuV5h9dDMg5ytRKGOXmFIajpfsbOutJytjWTCB2WpA8E1YI3KM6gU6Jx7cd7u0oPo5syHhfCz119n_wBiDnyTZkFOAPsx0M2z20kvBLN9k36_VfuCMFUeddJjO31MeLTmxB0UKg2VkxdczmzMH3pnalhxqpnWWk3GnrRrhAf2sZog0foH4Ae3Ks0lYtYzaWK_Yo7E4Px42-gJpohy3JevOC44aJ4auzJR1RBj9LUbgcRinkBy0JLi6XXiYznSC2V485CSBHW3sseXn7pSXQADhnmGQrLfFGO5ZljmPO18eFJaimdjvgSChsrlSEmTDDsoo5Q","expires_in":300,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJhMzZlMGU0NC02MWNmLTQ5NmMtOGRlZi03NTkwNjQ5MzQzMjEifQ.eyJleHAiOjE1OTAzOTk1NzEsImlhdCI6MTU5MDM5Nzc3MSwianRpIjoiNmMxNTBiY2EtYmE5NC00NTgxLWEwODEtYjI2YzhhMmI5YmZmIiwiaXNzIjoiaHR0cDovL2F1dGguZGVtby5wcmFnbWF0aWNpbmR1c3RyaWVzLmRlL2F1dGgvcmVhbG1zL0lvVERCIiwiYXVkIjoiaHR0cDovL2F1dGguZGVtby5wcmFnbWF0aWNpbmR1c3RyaWVzLmRlL2F1dGgvcmVhbG1zL0lvVERCIiwic3ViIjoiYmEzMmU0NzEtYzc3Mi00YjMzLThkYTYtNmZlOGFjZGEwMDczIiwidHlwIjoiUmVmcmVzaCIsImF6cCI6ImlvdGRiIiwic2Vzc2lvbl9zdGF0ZSI6IjA2MGQyODYyLTE0ZWQtNDJmZS1iYWY3LThkMWY3ODQ2NTdmMSIsInNjb3BlIjoiZW1haWwgcHJvZmlsZSJ9.ayNpXdNX28qahodX1
zowrMGiUCw2AodlHBQFqr8Ui7c","token_type":"bearer","not-before-policy":0,"session_state":"060d2862-14ed-42fe-baf7-8d1f784657f1","scope":"email profile"} -``` - -The interesting part here is the access token with the key `access_token`. -This has to be passed as username (with parameter `-u`) and empty password to the CLI. ### Batch Operation of Cli diff --git a/src/UserGuide/dev-1.3/Tools-System/CLI_timecho.md b/src/UserGuide/dev-1.3/Tools-System/CLI_timecho.md index dfc5fdc56..87376dca4 100644 --- a/src/UserGuide/dev-1.3/Tools-System/CLI_timecho.md +++ b/src/UserGuide/dev-1.3/Tools-System/CLI_timecho.md 
@@ -111,115 +111,6 @@ Special commands of Cli are below. | `help` | Get hints for CLI special commands | | `exit/quit` | Exit CLI | -## Note on using the CLI with OpenID Connect Auth enabled on Server side - -Openid connect (oidc) uses keycloack as the authority authentication service of oidc service - - -### configuration - -The configuration is located in iotdb-system.properties , set the author_provider_class is org.apache.iotdb.commons.auth.authorizer.OpenIdAuthorizer Openid service is enabled, and the default value is org.apache.iotdb.db.auth.authorizer.LocalFileAuthorizer Indicates that the openid service is not enabled. - -``` -authorizer_provider_class=org.apache.iotdb.commons.auth.authorizer.OpenIdAuthorizer -``` - -If the openid service is turned on, openid_URL is required,openID_url value is http://ip:port/realms/{realmsName} - -``` -openID_url=http://127.0.0.1:8080/realms/iotdb/ -``` - -### keycloack configuration - -1、Download the keycloack file (This tutorial is version 21.1.0) and start keycloack in keycloack/bin - -```shell -Shell >cd bin -Shell >./kc.sh start-dev -``` - -2、use url(https://ip:port) login keycloack, the first login needs to create a user -![avatar](/img/UserGuide/CLI/Command-Line-Interface/login_keycloak.png?raw=true) - -3、Click administration console -![avatar](/img/UserGuide/CLI/Command-Line-Interface/AdministrationConsole.png?raw=true) - -4、In the master menu on the left, click Create realm and enter Realm name to create a new realm -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_Realm_1.jpg?raw=true) - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_Realm_2.jpg?raw=true) - - -5、Click the menu clients on the left to create clients - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/client.jpg?raw=true) - -6、Click user on the left menu to create user - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/user.jpg?raw=true) - -7、Click the newly created user ID, click the credentials navigation, enter the 
password and close the temporary option. The configuration of keycloud is completed - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/pwd.jpg?raw=true) - -8、To create a role, click Roles on the left menu and then click the Create Role button to add a role - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role1.jpg?raw=true) - -9、 Enter `iotdb_admin` in the Role Name and click the save button. Tip: `iotdb_admin` here cannot be any other name, otherwise even after successful login, you will not have permission to use iotdb's query, insert, create database, add users, roles and other functions - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role2.jpg?raw=true) - -10、Click on the User menu on the left and then click on the user in the user list to add the `iotdb_admin` role we just created for that user - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role3.jpg?raw=true) - -11、 Select Role Mappings, select the `iotdb_admin` role in Assign Role - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role4.jpg?raw=true) - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role5.jpg?raw=true) - - -Tip: If the user role is adjusted, you need to regenerate the token and log in to iotdb again to take effect - -The above steps provide a way for keycloak to log into iotdb. For more ways, please refer to keycloak configuration - -If OIDC is enabled on server side then no username / passwort is needed but a valid Access Token from the OIDC Provider. -So as username you use the token and the password has to be empty, e.g. - -```shell -Shell > bash sbin/start-cli.sh -h 10.129.187.21 -p 6667 -u {my-access-token} -pw "" -``` - -Among them, you need to replace {my access token} (note, including {}) with your token, that is, the value corresponding to access_token. The password is empty and needs to be confirmed again. 
- -![avatar](/img/UserGuide/CLI/Command-Line-Interface/iotdbpw.jpeg?raw=true) - - -How to get the token is dependent on your OpenID Connect setup and not covered here. -In the simplest case you can get this via the command line with the `passwort-grant`. -For example, if you use keycloack as OIDC and you have a realm with a client `iotdb` defined as public you could use -the following `curl` command to fetch a token (replace all `{}` with appropriate values). - -```shell -curl -X POST "https://{your-keycloack-server}/realms/{your-realm}/protocol/openid-connect/token" \ - -H "Content-Type: application/x-www-form-urlencoded" \ - -d "username={username}" \ - -d "password={password}" \ - -d 'grant_type=password' \ - -d "client_id=iotdb-client" -``` - -The response looks something like - -```json -{"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJxMS1XbTBvelE1TzBtUUg4LVNKYXAyWmNONE1tdWNXd25RV0tZeFpKNG93In0.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.nwbrJkWdCNjzFrTDwKNuV5h9dDMg5ytRKGOXmFIajpfsbOutJytjWTCB2WpA8E1YI3KM6gU6Jx7cd7u0oPo5syHhfCz119n_wBiDnyTZkFOAPsx0M2z20kvBLN9k36_VfuCMFUeddJjO31MeLTmxB0UKg2VkxdczmzMH3pnalhxqpnWWk3GnrRrhAf2sZog0foH4Ae3Ks0lYtYzaWK_Yo7E4Px42-gJpohy3JevOC44aJ4auzJR1RBj9LUbgcRinkBy0JLi6XXiYznSC2V485CSBHW3sseXn7pSXQADhnmGQrLfFGO5ZljmPO18eFJaimdjvgSChsrlSEmTDDsoo5Q","expires_in":300,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJhMzZlMGU0NC02MWNmLTQ5NmMtOGRlZi03NTkwNjQ5MzQzMjEifQ.eyJleHAiOjE1OTAzOTk1NzEsImlhdCI6MTU5MDM5Nzc3MSwianRpIjoiNmMxNTBiY2EtYmE5NC00NTgxLWEwODEtYjI2YzhhMmI5YmZmIiwiaXNzIjoiaHR0cDovL2F1dGguZGVtby5wcmFnbWF0aWNpbmR1c3RyaWVzLmRlL2F1dGgvcmVhbG1zL0lvVERCIiwiYXVkIjoiaHR0cDovL2F1dGguZGVtby5wcmFnbWF0aWNpbmR1c3RyaWVzLmRlL2F1dGgvcmVhbG1zL0lvVERCIiwic3ViIjoiYmEzMmU0NzEtYzc3Mi00YjMzLThkYTYtNmZlOGFjZGEwMDczIiwidHlwIjoiUmVmcmVzaCIsImF6cCI6ImlvdGRiIiwic2Vzc2lvbl9zdGF0ZSI6IjA2MGQyODYyLTE0ZWQtNDJmZS1iYWY3LThkMWY3ODQ2NTdmMSIsInNjb3BlIjoiZW1haWwgcHJvZmlsZSJ9.ayNpXdNX28qahodX1
zowrMGiUCw2AodlHBQFqr8Ui7c","token_type":"bearer","not-before-policy":0,"session_state":"060d2862-14ed-42fe-baf7-8d1f784657f1","scope":"email profile"} -``` - -The interesting part here is the access token with the key `access_token`. -This has to be passed as username (with parameter `-u`) and empty password to the CLI. ## Batch Operation of Cli diff --git a/src/UserGuide/latest/Tools-System/CLI_apache.md b/src/UserGuide/latest/Tools-System/CLI_apache.md index 665af2052..5261ff35a 100644 --- a/src/UserGuide/latest/Tools-System/CLI_apache.md +++ b/src/UserGuide/latest/Tools-System/CLI_apache.md 
@@ -133,117 +133,8 @@ Special commands of Cli are below. | `help` | Get hints for CLI special commands | | `exit/quit` | Exit CLI | -### 2.4 Note on using the CLI with OpenID Connect Auth enabled on Server side -Openid connect (oidc) uses keycloack as the authority authentication service of oidc service - - -#### configuration - -The configuration is located in iotdb-system.properties , set the author_provider_class is org.apache.iotdb.commons.auth.authorizer.OpenIdAuthorizer Openid service is enabled, and the default value is org.apache.iotdb.db.auth.authorizer.LocalFileAuthorizer Indicates that the openid service is not enabled. - -``` -authorizer_provider_class=org.apache.iotdb.commons.auth.authorizer.OpenIdAuthorizer -``` - -If the openid service is turned on, openid_URL is required,openID_url value is http://ip:port/realms/{realmsName} - -``` -openID_url=http://127.0.0.1:8080/realms/iotdb/ -``` - -#### keycloack configuration - -1、Download the keycloack file (This tutorial is version 21.1.0) and start keycloack in keycloack/bin - -```shell -Shell >cd bin -Shell >./kc.sh start-dev -``` - -2、use url(https://ip:port) login keycloack, the first login needs to create a user -![avatar](/img/UserGuide/CLI/Command-Line-Interface/login_keycloak.png?raw=true) - -3、Click administration console -![avatar](/img/UserGuide/CLI/Command-Line-Interface/AdministrationConsole.png?raw=true) - -4、In the master menu on the left, click Create realm and enter Realm name to create a new realm -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_Realm_1.jpg?raw=true) - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_Realm_2.jpg?raw=true) - - -5、Click the menu clients on the left to create clients - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/client.jpg?raw=true) - -6、Click user on the left menu to create user - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/user.jpg?raw=true) - -7、Click the newly created user ID, click the credentials navigation, enter the 
password and close the temporary option. The configuration of keycloud is completed - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/pwd.jpg?raw=true) - -8、To create a role, click Roles on the left menu and then click the Create Role button to add a role - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role1.jpg?raw=true) - -9、 Enter `iotdb_admin` in the Role Name and click the save button. Tip: `iotdb_admin` here cannot be any other name, otherwise even after successful login, you will not have permission to use iotdb's query, insert, create database, add users, roles and other functions - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role2.jpg?raw=true) - -10、Click on the User menu on the left and then click on the user in the user list to add the `iotdb_admin` role we just created for that user - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role3.jpg?raw=true) - -11、 Select Role Mappings, select the `iotdb_admin` role in Assign Role - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role4.jpg?raw=true) - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role5.jpg?raw=true) - - -Tip: If the user role is adjusted, you need to regenerate the token and log in to iotdb again to take effect - -The above steps provide a way for keycloak to log into iotdb. For more ways, please refer to keycloak configuration - -If OIDC is enabled on server side then no username / passwort is needed but a valid Access Token from the OIDC Provider. -So as username you use the token and the password has to be empty, e.g. - -```shell -Shell > bash sbin/start-cli.sh -h 10.129.187.21 -p 6667 -u {my-access-token} -pw "" -``` - -Among them, you need to replace {my access token} (note, including {}) with your token, that is, the value corresponding to access_token. The password is empty and needs to be confirmed again. 
- -![avatar](/img/UserGuide/CLI/Command-Line-Interface/iotdbpw.jpeg?raw=true) - - -How to get the token is dependent on your OpenID Connect setup and not covered here. -In the simplest case you can get this via the command line with the `passwort-grant`. -For example, if you use keycloack as OIDC and you have a realm with a client `iotdb` defined as public you could use -the following `curl` command to fetch a token (replace all `{}` with appropriate values). - -```shell -curl -X POST "https://{your-keycloack-server}/realms/{your-realm}/protocol/openid-connect/token" \ - -H "Content-Type: application/x-www-form-urlencoded" \ - -d "username={username}" \ - -d "password={password}" \ - -d 'grant_type=password' \ - -d "client_id=iotdb-client" -``` - -The response looks something like - -```json -{"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJxMS1XbTBvelE1TzBtUUg4LVNKYXAyWmNONE1tdWNXd25RV0tZeFpKNG93In0.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.nwbrJkWdCNjzFrTDwKNuV5h9dDMg5ytRKGOXmFIajpfsbOutJytjWTCB2WpA8E1YI3KM6gU6Jx7cd7u0oPo5syHhfCz119n_wBiDnyTZkFOAPsx0M2z20kvBLN9k36_VfuCMFUeddJjO31MeLTmxB0UKg2VkxdczmzMH3pnalhxqpnWWk3GnrRrhAf2sZog0foH4Ae3Ks0lYtYzaWK_Yo7E4Px42-gJpohy3JevOC44aJ4auzJR1RBj9LUbgcRinkBy0JLi6XXiYznSC2V485CSBHW3sseXn7pSXQADhnmGQrLfFGO5ZljmPO18eFJaimdjvgSChsrlSEmTDDsoo5Q","expires_in":300,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJhMzZlMGU0NC02MWNmLTQ5NmMtOGRlZi03NTkwNjQ5MzQzMjEifQ.eyJleHAiOjE1OTAzOTk1NzEsImlhdCI6MTU5MDM5Nzc3MSwianRpIjoiNmMxNTBiY2EtYmE5NC00NTgxLWEwODEtYjI2YzhhMmI5YmZmIiwiaXNzIjoiaHR0cDovL2F1dGguZGVtby5wcmFnbWF0aWNpbmR1c3RyaWVzLmRlL2F1dGgvcmVhbG1zL0lvVERCIiwiYXVkIjoiaHR0cDovL2F1dGguZGVtby5wcmFnbWF0aWNpbmR1c3RyaWVzLmRlL2F1dGgvcmVhbG1zL0lvVERCIiwic3ViIjoiYmEzMmU0NzEtYzc3Mi00YjMzLThkYTYtNmZlOGFjZGEwMDczIiwidHlwIjoiUmVmcmVzaCIsImF6cCI6ImlvdGRiIiwic2Vzc2lvbl9zdGF0ZSI6IjA2MGQyODYyLTE0ZWQtNDJmZS1iYWY3LThkMWY3ODQ2NTdmMSIsInNjb3BlIjoiZW1haWwgcHJvZmlsZSJ9.ayNpXdNX28qahodX1
zowrMGiUCw2AodlHBQFqr8Ui7c","token_type":"bearer","not-before-policy":0,"session_state":"060d2862-14ed-42fe-baf7-8d1f784657f1","scope":"email profile"} -``` - -The interesting part here is the access token with the key `access_token`. -This has to be passed as username (with parameter `-u`) and empty password to the CLI. - -### 2.5 Batch Operation of Cli +### 2.4 Batch Operation of Cli -e parameter is designed for the Cli/shell tool in the situation where you would like to manipulate IoTDB in batches through scripts. By using the -e parameter, you can operate IoTDB without entering the cli's input mode. diff --git a/src/UserGuide/latest/Tools-System/CLI_timecho.md b/src/UserGuide/latest/Tools-System/CLI_timecho.md index a756abe34..d2bf58f53 100644 --- a/src/UserGuide/latest/Tools-System/CLI_timecho.md +++ b/src/UserGuide/latest/Tools-System/CLI_timecho.md 
@@ -119,117 +119,8 @@ Special commands of Cli are below. | `help` | Get hints for CLI special commands | | `exit/quit` | Exit CLI | -## 4. Note on using the CLI with OpenID Connect Auth enabled on Server side -Openid connect (oidc) uses keycloack as the authority authentication service of oidc service - - -#### configuration - -The configuration is located in iotdb-system.properties , set the author_provider_class is org.apache.iotdb.commons.auth.authorizer.OpenIdAuthorizer Openid service is enabled, and the default value is org.apache.iotdb.db.auth.authorizer.LocalFileAuthorizer Indicates that the openid service is not enabled. - -``` -authorizer_provider_class=org.apache.iotdb.commons.auth.authorizer.OpenIdAuthorizer -``` - -If the openid service is turned on, openid_URL is required,openID_url value is http://ip:port/realms/{realmsName} - -``` -openID_url=http://127.0.0.1:8080/realms/iotdb/ -``` - -#### keycloack configuration - -1、Download the keycloack file (This tutorial is version 21.1.0) and start keycloack in keycloack/bin - -```shell -Shell >cd bin -Shell >./kc.sh start-dev -``` - -2、use url(https://ip:port) login keycloack, the first login needs to create a user -![avatar](/img/UserGuide/CLI/Command-Line-Interface/login_keycloak.png?raw=true) - -3、Click administration console -![avatar](/img/UserGuide/CLI/Command-Line-Interface/AdministrationConsole.png?raw=true) - -4、In the master menu on the left, click Create realm and enter Realm name to create a new realm -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_Realm_1.jpg?raw=true) - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_Realm_2.jpg?raw=true) - - -5、Click the menu clients on the left to create clients - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/client.jpg?raw=true) - -6、Click user on the left menu to create user - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/user.jpg?raw=true) - -7、Click the newly created user ID, click the credentials navigation, enter the 
password and close the temporary option. The configuration of keycloud is completed - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/pwd.jpg?raw=true) - -8、To create a role, click Roles on the left menu and then click the Create Role button to add a role - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role1.jpg?raw=true) - -9、 Enter `iotdb_admin` in the Role Name and click the save button. Tip: `iotdb_admin` here cannot be any other name, otherwise even after successful login, you will not have permission to use iotdb's query, insert, create database, add users, roles and other functions - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role2.jpg?raw=true) - -10、Click on the User menu on the left and then click on the user in the user list to add the `iotdb_admin` role we just created for that user - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role3.jpg?raw=true) - -11、 Select Role Mappings, select the `iotdb_admin` role in Assign Role - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role4.jpg?raw=true) - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role5.jpg?raw=true) - - -Tip: If the user role is adjusted, you need to regenerate the token and log in to iotdb again to take effect - -The above steps provide a way for keycloak to log into iotdb. For more ways, please refer to keycloak configuration - -If OIDC is enabled on server side then no username / passwort is needed but a valid Access Token from the OIDC Provider. -So as username you use the token and the password has to be empty, e.g. - -```shell -Shell > bash sbin/start-cli.sh -h 10.129.187.21 -p 6667 -u {my-access-token} -pw "" -``` - -Among them, you need to replace {my access token} (note, including {}) with your token, that is, the value corresponding to access_token. The password is empty and needs to be confirmed again. 
- -![avatar](/img/UserGuide/CLI/Command-Line-Interface/iotdbpw.jpeg?raw=true) - - -How to get the token is dependent on your OpenID Connect setup and not covered here. -In the simplest case you can get this via the command line with the `passwort-grant`. -For example, if you use keycloack as OIDC and you have a realm with a client `iotdb` defined as public you could use -the following `curl` command to fetch a token (replace all `{}` with appropriate values). - -```shell -curl -X POST "https://{your-keycloack-server}/realms/{your-realm}/protocol/openid-connect/token" \ - -H "Content-Type: application/x-www-form-urlencoded" \ - -d "username={username}" \ - -d "password={password}" \ - -d 'grant_type=password' \ - -d "client_id=iotdb-client" -``` - -The response looks something like - -```json -{"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJxMS1XbTBvelE1TzBtUUg4LVNKYXAyWmNONE1tdWNXd25RV0tZeFpKNG93In0.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.nwbrJkWdCNjzFrTDwKNuV5h9dDMg5ytRKGOXmFIajpfsbOutJytjWTCB2WpA8E1YI3KM6gU6Jx7cd7u0oPo5syHhfCz119n_wBiDnyTZkFOAPsx0M2z20kvBLN9k36_VfuCMFUeddJjO31MeLTmxB0UKg2VkxdczmzMH3pnalhxqpnWWk3GnrRrhAf2sZog0foH4Ae3Ks0lYtYzaWK_Yo7E4Px42-gJpohy3JevOC44aJ4auzJR1RBj9LUbgcRinkBy0JLi6XXiYznSC2V485CSBHW3sseXn7pSXQADhnmGQrLfFGO5ZljmPO18eFJaimdjvgSChsrlSEmTDDsoo5Q","expires_in":300,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJhMzZlMGU0NC02MWNmLTQ5NmMtOGRlZi03NTkwNjQ5MzQzMjEifQ.eyJleHAiOjE1OTAzOTk1NzEsImlhdCI6MTU5MDM5Nzc3MSwianRpIjoiNmMxNTBiY2EtYmE5NC00NTgxLWEwODEtYjI2YzhhMmI5YmZmIiwiaXNzIjoiaHR0cDovL2F1dGguZGVtby5wcmFnbWF0aWNpbmR1c3RyaWVzLmRlL2F1dGgvcmVhbG1zL0lvVERCIiwiYXVkIjoiaHR0cDovL2F1dGguZGVtby5wcmFnbWF0aWNpbmR1c3RyaWVzLmRlL2F1dGgvcmVhbG1zL0lvVERCIiwic3ViIjoiYmEzMmU0NzEtYzc3Mi00YjMzLThkYTYtNmZlOGFjZGEwMDczIiwidHlwIjoiUmVmcmVzaCIsImF6cCI6ImlvdGRiIiwic2Vzc2lvbl9zdGF0ZSI6IjA2MGQyODYyLTE0ZWQtNDJmZS1iYWY3LThkMWY3ODQ2NTdmMSIsInNjb3BlIjoiZW1haWwgcHJvZmlsZSJ9.ayNpXdNX28qahodX1
zowrMGiUCw2AodlHBQFqr8Ui7c","token_type":"bearer","not-before-policy":0,"session_state":"060d2862-14ed-42fe-baf7-8d1f784657f1","scope":"email profile"} -``` - -The interesting part here is the access token with the key `access_token`. -This has to be passed as username (with parameter `-u`) and empty password to the CLI. - -## 5. Batch Operation of Cli +## 4. Batch Operation of Cli -e parameter is designed for the Cli/shell tool in the situation where you would like to manipulate IoTDB in batches through scripts. By using the -e parameter, you can operate IoTDB without entering the cli's input mode. diff --git a/src/zh/UserGuide/Master/Tree/Tools-System/CLI_apache.md b/src/zh/UserGuide/Master/Tree/Tools-System/CLI_apache.md index 1adf00af4..d69e49e06 100644 --- a/src/zh/UserGuide/Master/Tree/Tools-System/CLI_apache.md +++ b/src/zh/UserGuide/Master/Tree/Tools-System/CLI_apache.md 
@@ -115,107 +115,8 @@ Shell > sbin\windows\start-cli.bat -h 10.129.187.21 -p 6667 -u root -pw root -di | `help` | 获取CLI特殊命令的提示 | | `exit/quit` | 退出CLI | -### 2.4 使用 OpenID 作为用户名认证登录 -OpenID Connect (OIDC) 使用 keycloack 作为 OIDC 服务权限认证服务。 - -#### 配置 -配置位于 iotdb-system.properties,设定 authorizer_provider_class 为 org.apache.iotdb.commons.auth.authorizer.OpenIdAuthorizer 则开启了 openID 服务,默认情况下值为 org.apache.iotdb.commons.auth.authorizer.LocalFileAuthorizer 表示没有开启 openID 服务。 - -``` -authorizer_provider_class=org.apache.iotdb.commons.auth.authorizer.OpenIdAuthorizer -``` -如果开启了 openID 服务则 openID_url 为必填项,openID_url 值为 http://ip:port/realms/{realmsName} - -``` -openID_url=http://127.0.0.1:8080/realms/iotdb/ -``` -#### keycloack 配置 - -1、下载 keycloack 程序(此教程为21.1.0版本),在 keycloack/bin 中启动 keycloack - -```shell -Shell > cd bin -Shell > ./kc.sh start-dev -``` -2、使用 https://ip:port 登陆 keycloack, 首次登陆需要创建用户 - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/login_keycloak.png?raw=true) - -3、点击 Administration Console 进入管理端 - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/AdministrationConsole.png?raw=true) - -4、在左侧的 Master 菜单点击 Create Realm, 输入 Realm Name 创建一个新的 Realm - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_Realm_1.jpg?raw=true) - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_Realm_2.jpg?raw=true) - -5、点击左侧菜单 Clients,创建 client - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/client.jpg?raw=true) - -6、点击左侧菜单 User,创建 user - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/user.jpg?raw=true) - -7、点击新创建的用户 id,点击 Credentials 导航输入密码和关闭 Temporary 选项,至此 keyclork 配置完成 - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/pwd.jpg?raw=true) - -8、创建角色,点击左侧菜单的 Roles然后点击Create Role 按钮添加角色 - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role1.jpg?raw=true) - -9、在Role Name 中输入`iotdb_admin`,点击save 按钮。提示:这里的`iotdb_admin`不能为其他名称否则即使登陆成功后也将无权限使用iotdb的查询、插入、创建 database、添加用户、角色等功能 - 
-![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role2.jpg?raw=true) - -10、点击左侧的User 菜单然后点击用户列表中的用户为该用户添加我们刚创建的`iotdb_admin`角色 - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role3.jpg?raw=true) - -11、选择Role Mappings ,在Assign role选择`iotdb_admin`增加角色 - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role4.jpg?raw=true) - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role5.jpg?raw=true) - -提示:如果用户角色有调整需要重新生成token并且重新登陆iotdb才会生效 - -以上步骤提供了一种 keycloak 登陆 iotdb 方式,更多方式请参考 keycloak 配置 - -若对应的 IoTDB 服务器开启了使用 OpenID Connect (OIDC) 作为权限认证服务,那么就不再需要使用用户名密码进行登录。 -替而代之的是使用 Token,以及空密码。 -此时,登录命令如下: - -```shell -Shell > bash sbin/start-cli.sh -h 10.129.187.21 -p 6667 -u {my-access-token} -pw "" -``` - -其中,需要将{my-access-token} (注意,包括{})替换成你的 token,即 access_token 对应的值。密码为空需要再次确认。 - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/iotdbpw.jpeg?raw=true) - -如何获取 token 取决于你的 OIDC 设置。 最简单的一种情况是使用`password-grant`。例如,假设你在用 keycloack 作为你的 OIDC 服务, -并且你在 keycloack 中有一个被定义成 public 的`iotdb`客户的 realm,那么你可以使用如下`curl`命令获得 token。 -(注意例子中的{}和里面的内容需要替换成具体的服务器地址和 realm 名字): -```shell -curl -X POST "http://{your-keycloack-server}/realms/{your-realm}/protocol/openid-connect/token" \ -H "Content-Type: application/x-www-form-urlencoded" \ - -d "username={username}" \ - -d "password={password}" \ - -d 'grant_type=password' \ - -d "client_id=iotdb-client" -``` - -示例结果如下: - -```json 
-{"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJxMS1XbTBvelE1TzBtUUg4LVNKYXAyWmNONE1tdWNXd25RV0tZeFpKNG93In0.eyJleHAiOjE1OTAzOTgwNzEsImlhdCI6MTU5MDM5Nzc3MSwianRpIjoiNjA0ZmYxMDctN2NiNy00NTRmLWIwYmQtY2M2ZDQwMjFiNGU4IiwiaXNzIjoiaHR0cDovL2F1dGguZGVtby5wcmFnbWF0aWNpbmR1c3RyaWVzLmRlL2F1dGgvcmVhbG1zL0lvVERCIiwiYXVkIjoiYWNjb3VudCIsInN1YiI6ImJhMzJlNDcxLWM3NzItNGIzMy04ZGE2LTZmZThhY2RhMDA3MyIsInR5cCI6IkJlYXJlciIsImF6cCI6ImlvdGRiIiwic2Vzc2lvbl9zdGF0ZSI6IjA2MGQyODYyLTE0ZWQtNDJmZS1iYWY3LThkMWY3ODQ2NTdmMSIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsibG9jYWxob3N0OjgwODAiXSwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbIm9mZmxpbmVfYWNjZXNzIiwidW1hX2F1dGhvcml6YXRpb24iLCJpb3RkYl9hZG1pbiJdfSwicmVzb3VyY2VfYWNjZXNzIjp7ImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sInNjb3BlIjoiZW1haWwgcHJvZmlsZSIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ1c2VyIn0.nwbrJkWdCNjzFrTDwKNuV5h9dDMg5ytRKGOXmFIajpfsbOutJytjWTCB2WpA8E1YI3KM6gU6Jx7cd7u0oPo5syHhfCz119n_wBiDnyTZkFOAPsx0M2z20kvBLN9k36_VfuCMFUeddJjO31MeLTmxB0UKg2VkxdczmzMH3pnalhxqpnWWk3GnrRrhAf2sZog0foH4Ae3Ks0lYtYzaWK_Yo7E4Px42-gJpohy3JevOC44aJ4auzJR1RBj9LUbgcRinkBy0JLi6XXiYznSC2V485CSBHW3sseXn7pSXQADhnmGQrLfFGO5ZljmPO18eFJaimdjvgSChsrlSEmTDDsoo5Q","expires_in":300,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJhMzZlMGU0NC02MWNmLTQ5NmMtOGRlZi03NTkwNjQ5MzQzMjEifQ.eyJleHAiOjE1OTAzOTk1NzEsImlhdCI6MTU5MDM5Nzc3MSwianRpIjoiNmMxNTBiY2EtYmE5NC00NTgxLWEwODEtYjI2YzhhMmI5YmZmIiwiaXNzIjoiaHR0cDovL2F1dGguZGVtby5wcmFnbWF0aWNpbmR1c3RyaWVzLmRlL2F1dGgvcmVhbG1zL0lvVERCIiwiYXVkIjoiaHR0cDovL2F1dGguZGVtby5wcmFnbWF0aWNpbmR1c3RyaWVzLmRlL2F1dGgvcmVhbG1zL0lvVERCIiwic3ViIjoiYmEzMmU0NzEtYzc3Mi00YjMzLThkYTYtNmZlOGFjZGEwMDczIiwidHlwIjoiUmVmcmVzaCIsImF6cCI6ImlvdGRiIiwic2Vzc2lvbl9zdGF0ZSI6IjA2MGQyODYyLTE0ZWQtNDJmZS1iYWY3LThkMWY3ODQ2NTdmMSIsInNjb3BlIjoiZW1haWwgcHJvZmlsZSJ9.ayNpXdNX28qahodX1zowrMGiUCw2AodlHBQFqr8Ui7c","token_type":"bearer","not-before-policy":0,"
session_state":"060d2862-14ed-42fe-baf7-8d1f784657f1","scope":"email profile"} -``` - -### 2.5 Cli 的批量操作 +### 2.4 Cli 的批量操作 当您想要通过脚本的方式通过 Cli / Shell 对 IoTDB 进行批量操作时,可以使用-e 参数。通过使用该参数,您可以在不进入客户端输入模式的情况下操作 IoTDB。 为了避免 SQL 语句和其他参数混淆,现在只支持-e 参数作为最后的参数使用。 diff --git a/src/zh/UserGuide/Master/Tree/Tools-System/CLI_timecho.md b/src/zh/UserGuide/Master/Tree/Tools-System/CLI_timecho.md index c3d9f570f..2ec16f94c 100644 --- a/src/zh/UserGuide/Master/Tree/Tools-System/CLI_timecho.md +++ b/src/zh/UserGuide/Master/Tree/Tools-System/CLI_timecho.md 
@@ -102,107 +102,8 @@ Shell > sbin\windows\start-cli.bat -h 10.129.187.21 -p 6667 -u root -pw root -di | `help` | 获取CLI特殊命令的提示 | | `exit/quit` | 退出CLI | -## 4. 使用 OpenID 作为用户名认证登录 -OpenID Connect (OIDC) 使用 keycloack 作为 OIDC 服务权限认证服务。 - -### 配置 -配置位于 iotdb-system.properties,设定 authorizer_provider_class 为 org.apache.iotdb.commons.auth.authorizer.OpenIdAuthorizer 则开启了 openID 服务,默认情况下值为 org.apache.iotdb.commons.auth.authorizer.LocalFileAuthorizer 表示没有开启 openID 服务。 - -``` -authorizer_provider_class=org.apache.iotdb.commons.auth.authorizer.OpenIdAuthorizer -``` -如果开启了 openID 服务则 openID_url 为必填项,openID_url 值为 http://ip:port/realms/{realmsName} - -``` -openID_url=http://127.0.0.1:8080/realms/iotdb/ -``` -### keycloack 配置 - -1、下载 keycloack 程序(此教程为21.1.0版本),在 keycloack/bin 中启动 keycloack - -```shell -Shell > cd bin -Shell > ./kc.sh start-dev -``` -2、使用 https://ip:port 登陆 keycloack, 首次登陆需要创建用户 - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/login_keycloak.png?raw=true) - -3、点击 Administration Console 进入管理端 - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/AdministrationConsole.png?raw=true) - -4、在左侧的 Master 菜单点击 Create Realm, 输入 Realm Name 创建一个新的 Realm - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_Realm_1.jpg?raw=true) - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_Realm_2.jpg?raw=true) - -5、点击左侧菜单 Clients,创建 client - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/client.jpg?raw=true) - -6、点击左侧菜单 User,创建 user - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/user.jpg?raw=true) - -7、点击新创建的用户 id,点击 Credentials 导航输入密码和关闭 Temporary 选项,至此 keyclork 配置完成 - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/pwd.jpg?raw=true) - -8、创建角色,点击左侧菜单的 Roles然后点击Create Role 按钮添加角色 - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role1.jpg?raw=true) - -9、在Role Name 中输入`iotdb_admin`,点击save 按钮。提示:这里的`iotdb_admin`不能为其他名称否则即使登陆成功后也将无权限使用iotdb的查询、插入、创建 database、添加用户、角色等功能 - 
-![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role2.jpg?raw=true) - -10、点击左侧的User 菜单然后点击用户列表中的用户为该用户添加我们刚创建的`iotdb_admin`角色 - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role3.jpg?raw=true) - -11、选择Role Mappings ,在Assign role选择`iotdb_admin`增加角色 - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role4.jpg?raw=true) - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role5.jpg?raw=true) - -提示:如果用户角色有调整需要重新生成token并且重新登陆iotdb才会生效 - -以上步骤提供了一种 keycloak 登陆 iotdb 方式,更多方式请参考 keycloak 配置 - -若对应的 IoTDB 服务器开启了使用 OpenID Connect (OIDC) 作为权限认证服务,那么就不再需要使用用户名密码进行登录。 -替而代之的是使用 Token,以及空密码。 -此时,登录命令如下: - -```shell -Shell > bash sbin/start-cli.sh -h 10.129.187.21 -p 6667 -u {my-access-token} -pw "" -``` - -其中,需要将{my-access-token} (注意,包括{})替换成你的 token,即 access_token 对应的值。密码为空需要再次确认。 - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/iotdbpw.jpeg?raw=true) - -如何获取 token 取决于你的 OIDC 设置。 最简单的一种情况是使用`password-grant`。例如,假设你在用 keycloack 作为你的 OIDC 服务, -并且你在 keycloack 中有一个被定义成 public 的`iotdb`客户的 realm,那么你可以使用如下`curl`命令获得 token。 -(注意例子中的{}和里面的内容需要替换成具体的服务器地址和 realm 名字): -```shell -curl -X POST "http://{your-keycloack-server}/realms/{your-realm}/protocol/openid-connect/token" \ -H "Content-Type: application/x-www-form-urlencoded" \ - -d "username={username}" \ - -d "password={password}" \ - -d 'grant_type=password' \ - -d "client_id=iotdb-client" -``` - -示例结果如下: - -```json 
-{"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJxMS1XbTBvelE1TzBtUUg4LVNKYXAyWmNONE1tdWNXd25RV0tZeFpKNG93In0.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.nwbrJkWdCNjzFrTDwKNuV5h9dDMg5ytRKGOXmFIajpfsbOutJytjWTCB2WpA8E1YI3KM6gU6Jx7cd7u0oPo5syHhfCz119n_wBiDnyTZkFOAPsx0M2z20kvBLN9k36_VfuCMFUeddJjO31MeLTmxB0UKg2VkxdczmzMH3pnalhxqpnWWk3GnrRrhAf2sZog0foH4Ae3Ks0lYtYzaWK_Yo7E4Px42-gJpohy3JevOC44aJ4auzJR1RBj9LUbgcRinkBy0JLi6XXiYznSC2V485CSBHW3sseXn7pSXQADhnmGQrLfFGO5ZljmPO18eFJaimdjvgSChsrlSEmTDDsoo5Q","expires_in":300,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJhMzZlMGU0NC02MWNmLTQ5NmMtOGRlZi03NTkwNjQ5MzQzMjEifQ.eyJleHAiOjE1OTAzOTk1NzEsImlhdCI6MTU5MDM5Nzc3MSwianRpIjoiNmMxNTBiY2EtYmE5NC00NTgxLWEwODEtYjI2YzhhMmI5YmZmIiwiaXNzIjoiaHR0cDovL2F1dGguZGVtby5wcmFnbWF0aWNpbmR1c3RyaWVzLmRlL2F1dGgvcmVhbG1zL0lvVERCIiwiYXVkIjoiaHR0cDovL2F1dGguZGVtby5wcmFnbWF0aWNpbmR1c3RyaWVzLmRlL2F1dGgvcmVhbG1zL0lvVERCIiwic3ViIjoiYmEzMmU0NzEtYzc3Mi00YjMzLThkYTYtNmZlOGFjZGEwMDczIiwidHlwIjoiUmVmcmVzaCIsImF6cCI6ImlvdGRiIiwic2Vzc2lvbl9zdGF0ZSI6IjA2MGQyODYyLTE0ZWQtNDJmZS1iYWY3LThkMWY3ODQ2NTdmMSIsInNjb3BlIjoiZW1haWwgcHJvZmlsZSJ9.ayNpXdNX28qahodX1zowrMGiUCw2AodlHBQFqr8Ui7c","token_type":"bearer","not-before-policy":0,"session_state":"060d2862-14ed-42fe-baf7-8d1f784657f1","scope":"email profile"} -``` - -## 5. Cli 的批量操作 +## 4. Cli 的批量操作 当您想要通过脚本的方式通过 Cli / Shell 对 IoTDB 进行批量操作时,可以使用-e 参数。通过使用该参数,您可以在不进入客户端输入模式的情况下操作 IoTDB。 为了避免 SQL 语句和其他参数混淆,现在只支持-e 参数作为最后的参数使用。 diff --git a/src/zh/UserGuide/V1.3.x/Tools-System/CLI_apache.md b/src/zh/UserGuide/V1.3.x/Tools-System/CLI_apache.md index 4e7125f51..7d0d48e73 100644 --- a/src/zh/UserGuide/V1.3.x/Tools-System/CLI_apache.md +++ b/src/zh/UserGuide/V1.3.x/Tools-System/CLI_apache.md 
@@ -107,105 +107,6 @@ Shell > sbin\start-cli.bat -h 10.129.187.21 -p 6667 -u root -pw root -disableISO | `help` | 获取CLI特殊命令的提示 | | `exit/quit` | 退出CLI | -### 使用 OpenID 作为用户名认证登录 - -OpenID Connect (OIDC) 使用 keycloack 作为 OIDC 服务权限认证服务。 - -#### 配置 -配置位于 iotdb-system.properties,设定 authorizer_provider_class 为 org.apache.iotdb.commons.auth.authorizer.OpenIdAuthorizer 则开启了 openID 服务,默认情况下值为 org.apache.iotdb.commons.auth.authorizer.LocalFileAuthorizer 表示没有开启 openID 服务。 - -``` -authorizer_provider_class=org.apache.iotdb.commons.auth.authorizer.OpenIdAuthorizer -``` -如果开启了 openID 服务则 openID_url 为必填项,openID_url 值为 http://ip:port/realms/{realmsName} - -``` -openID_url=http://127.0.0.1:8080/realms/iotdb/ -``` -#### keycloack 配置 - -1、下载 keycloack 程序(此教程为21.1.0版本),在 keycloack/bin 中启动 keycloack - -```shell -Shell > cd bin -Shell > ./kc.sh start-dev -``` -2、使用 https://ip:port 登陆 keycloack, 首次登陆需要创建用户 - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/login_keycloak.png?raw=true) - -3、点击 Administration Console 进入管理端 - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/AdministrationConsole.png?raw=true) - -4、在左侧的 Master 菜单点击 Create Realm, 输入 Realm Name 创建一个新的 Realm - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_Realm_1.jpg?raw=true) - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_Realm_2.jpg?raw=true) - -5、点击左侧菜单 Clients,创建 client - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/client.jpg?raw=true) - -6、点击左侧菜单 User,创建 user - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/user.jpg?raw=true) - -7、点击新创建的用户 id,点击 Credentials 导航输入密码和关闭 Temporary 选项,至此 keyclork 配置完成 - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/pwd.jpg?raw=true) - -8、创建角色,点击左侧菜单的 Roles然后点击Create Role 按钮添加角色 - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role1.jpg?raw=true) - -9、在Role Name 中输入`iotdb_admin`,点击save 按钮。提示:这里的`iotdb_admin`不能为其他名称否则即使登陆成功后也将无权限使用iotdb的查询、插入、创建 database、添加用户、角色等功能 - 
-![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role2.jpg?raw=true) - -10、点击左侧的User 菜单然后点击用户列表中的用户为该用户添加我们刚创建的`iotdb_admin`角色 - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role3.jpg?raw=true) - -11、选择Role Mappings ,在Assign role选择`iotdb_admin`增加角色 - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role4.jpg?raw=true) - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role5.jpg?raw=true) - -提示:如果用户角色有调整需要重新生成token并且重新登陆iotdb才会生效 - -以上步骤提供了一种 keycloak 登陆 iotdb 方式,更多方式请参考 keycloak 配置 - -若对应的 IoTDB 服务器开启了使用 OpenID Connect (OIDC) 作为权限认证服务,那么就不再需要使用用户名密码进行登录。 -替而代之的是使用 Token,以及空密码。 -此时,登录命令如下: - -```shell -Shell > bash sbin/start-cli.sh -h 10.129.187.21 -p 6667 -u {my-access-token} -pw "" -``` - -其中,需要将{my-access-token} (注意,包括{})替换成你的 token,即 access_token 对应的值。密码为空需要再次确认。 - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/iotdbpw.jpeg?raw=true) - -如何获取 token 取决于你的 OIDC 设置。 最简单的一种情况是使用`password-grant`。例如,假设你在用 keycloack 作为你的 OIDC 服务, -并且你在 keycloack 中有一个被定义成 public 的`iotdb`客户的 realm,那么你可以使用如下`curl`命令获得 token。 -(注意例子中的{}和里面的内容需要替换成具体的服务器地址和 realm 名字): -```shell -curl -X POST "http://{your-keycloack-server}/realms/{your-realm}/protocol/openid-connect/token" \ -H "Content-Type: application/x-www-form-urlencoded" \ - -d "username={username}" \ - -d "password={password}" \ - -d 'grant_type=password' \ - -d "client_id=iotdb-client" -``` - -示例结果如下: - -```json 
-{"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJxMS1XbTBvelE1TzBtUUg4LVNKYXAyWmNONE1tdWNXd25RV0tZeFpKNG93In0.eyJleHAiOjE1OTAzOTgwNzEsImlhdCI6MTU5MDM5Nzc3MSwianRpIjoiNjA0ZmYxMDctN2NiNy00NTRmLWIwYmQtY2M2ZDQwMjFiNGU4IiwiaXNzIjoiaHR0cDovL2F1dGguZGVtby5wcmFnbWF0aWNpbmR1c3RyaWVzLmRlL2F1dGgvcmVhbG1zL0lvVERCIiwiYXVkIjoiYWNjb3VudCIsInN1YiI6ImJhMzJlNDcxLWM3NzItNGIzMy04ZGE2LTZmZThhY2RhMDA3MyIsInR5cCI6IkJlYXJlciIsImF6cCI6ImlvdGRiIiwic2Vzc2lvbl9zdGF0ZSI6IjA2MGQyODYyLTE0ZWQtNDJmZS1iYWY3LThkMWY3ODQ2NTdmMSIsImFjciI6IjEiLCJhbGxvd2VkLW9yaWdpbnMiOlsibG9jYWxob3N0OjgwODAiXSwicmVhbG1fYWNjZXNzIjp7InJvbGVzIjpbIm9mZmxpbmVfYWNjZXNzIiwidW1hX2F1dGhvcml6YXRpb24iLCJpb3RkYl9hZG1pbiJdfSwicmVzb3VyY2VfYWNjZXNzIjp7ImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sInNjb3BlIjoiZW1haWwgcHJvZmlsZSIsImVtYWlsX3ZlcmlmaWVkIjp0cnVlLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJ1c2VyIn0.nwbrJkWdCNjzFrTDwKNuV5h9dDMg5ytRKGOXmFIajpfsbOutJytjWTCB2WpA8E1YI3KM6gU6Jx7cd7u0oPo5syHhfCz119n_wBiDnyTZkFOAPsx0M2z20kvBLN9k36_VfuCMFUeddJjO31MeLTmxB0UKg2VkxdczmzMH3pnalhxqpnWWk3GnrRrhAf2sZog0foH4Ae3Ks0lYtYzaWK_Yo7E4Px42-gJpohy3JevOC44aJ4auzJR1RBj9LUbgcRinkBy0JLi6XXiYznSC2V485CSBHW3sseXn7pSXQADhnmGQrLfFGO5ZljmPO18eFJaimdjvgSChsrlSEmTDDsoo5Q","expires_in":300,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJhMzZlMGU0NC02MWNmLTQ5NmMtOGRlZi03NTkwNjQ5MzQzMjEifQ.eyJleHAiOjE1OTAzOTk1NzEsImlhdCI6MTU5MDM5Nzc3MSwianRpIjoiNmMxNTBiY2EtYmE5NC00NTgxLWEwODEtYjI2YzhhMmI5YmZmIiwiaXNzIjoiaHR0cDovL2F1dGguZGVtby5wcmFnbWF0aWNpbmR1c3RyaWVzLmRlL2F1dGgvcmVhbG1zL0lvVERCIiwiYXVkIjoiaHR0cDovL2F1dGguZGVtby5wcmFnbWF0aWNpbmR1c3RyaWVzLmRlL2F1dGgvcmVhbG1zL0lvVERCIiwic3ViIjoiYmEzMmU0NzEtYzc3Mi00YjMzLThkYTYtNmZlOGFjZGEwMDczIiwidHlwIjoiUmVmcmVzaCIsImF6cCI6ImlvdGRiIiwic2Vzc2lvbl9zdGF0ZSI6IjA2MGQyODYyLTE0ZWQtNDJmZS1iYWY3LThkMWY3ODQ2NTdmMSIsInNjb3BlIjoiZW1haWwgcHJvZmlsZSJ9.ayNpXdNX28qahodX1zowrMGiUCw2AodlHBQFqr8Ui7c","token_type":"bearer","not-before-policy":0,"
session_state":"060d2862-14ed-42fe-baf7-8d1f784657f1","scope":"email profile"} -``` ### Cli 的批量操作 当您想要通过脚本的方式通过 Cli / Shell 对 IoTDB 进行批量操作时,可以使用-e 参数。通过使用该参数,您可以在不进入客户端输入模式的情况下操作 IoTDB。 diff --git a/src/zh/UserGuide/V1.3.x/Tools-System/CLI_timecho.md b/src/zh/UserGuide/V1.3.x/Tools-System/CLI_timecho.md index e8fc508bd..605beefea 100644 --- a/src/zh/UserGuide/V1.3.x/Tools-System/CLI_timecho.md +++ b/src/zh/UserGuide/V1.3.x/Tools-System/CLI_timecho.md 
@@ -94,105 +94,6 @@ Shell > sbin\start-cli.bat -h 10.129.187.21 -p 6667 -u root -pw root -disableISO | `help` | 获取CLI特殊命令的提示 | | `exit/quit` | 退出CLI | -## 使用 OpenID 作为用户名认证登录 - -OpenID Connect (OIDC) 使用 keycloack 作为 OIDC 服务权限认证服务。 - -### 配置 -配置位于 iotdb-system.properties,设定 authorizer_provider_class 为 org.apache.iotdb.commons.auth.authorizer.OpenIdAuthorizer 则开启了 openID 服务,默认情况下值为 org.apache.iotdb.commons.auth.authorizer.LocalFileAuthorizer 表示没有开启 openID 服务。 - -``` -authorizer_provider_class=org.apache.iotdb.commons.auth.authorizer.OpenIdAuthorizer -``` -如果开启了 openID 服务则 openID_url 为必填项,openID_url 值为 http://ip:port/realms/{realmsName} - -``` -openID_url=http://127.0.0.1:8080/realms/iotdb/ -``` -### keycloack 配置 - -1、下载 keycloack 程序(此教程为21.1.0版本),在 keycloack/bin 中启动 keycloack - -```shell -Shell > cd bin -Shell > ./kc.sh start-dev -``` -2、使用 https://ip:port 登陆 keycloack, 首次登陆需要创建用户 - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/login_keycloak.png?raw=true) - -3、点击 Administration Console 进入管理端 - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/AdministrationConsole.png?raw=true) - -4、在左侧的 Master 菜单点击 Create Realm, 输入 Realm Name 创建一个新的 Realm - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_Realm_1.jpg?raw=true) - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_Realm_2.jpg?raw=true) - -5、点击左侧菜单 Clients,创建 client - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/client.jpg?raw=true) - -6、点击左侧菜单 User,创建 user - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/user.jpg?raw=true) - -7、点击新创建的用户 id,点击 Credentials 导航输入密码和关闭 Temporary 选项,至此 keyclork 配置完成 - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/pwd.jpg?raw=true) - -8、创建角色,点击左侧菜单的 Roles然后点击Create Role 按钮添加角色 - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role1.jpg?raw=true) - -9、在Role Name 中输入`iotdb_admin`,点击save 按钮。提示:这里的`iotdb_admin`不能为其他名称否则即使登陆成功后也将无权限使用iotdb的查询、插入、创建 database、添加用户、角色等功能 - 
-![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role2.jpg?raw=true) - -10、点击左侧的User 菜单然后点击用户列表中的用户为该用户添加我们刚创建的`iotdb_admin`角色 - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role3.jpg?raw=true) - -11、选择Role Mappings ,在Assign role选择`iotdb_admin`增加角色 - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role4.jpg?raw=true) - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role5.jpg?raw=true) - -提示:如果用户角色有调整需要重新生成token并且重新登陆iotdb才会生效 - -以上步骤提供了一种 keycloak 登陆 iotdb 方式,更多方式请参考 keycloak 配置 - -若对应的 IoTDB 服务器开启了使用 OpenID Connect (OIDC) 作为权限认证服务,那么就不再需要使用用户名密码进行登录。 -替而代之的是使用 Token,以及空密码。 -此时,登录命令如下: - -```shell -Shell > bash sbin/start-cli.sh -h 10.129.187.21 -p 6667 -u {my-access-token} -pw "" -``` - -其中,需要将{my-access-token} (注意,包括{})替换成你的 token,即 access_token 对应的值。密码为空需要再次确认。 - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/iotdbpw.jpeg?raw=true) - -如何获取 token 取决于你的 OIDC 设置。 最简单的一种情况是使用`password-grant`。例如,假设你在用 keycloack 作为你的 OIDC 服务, -并且你在 keycloack 中有一个被定义成 public 的`iotdb`客户的 realm,那么你可以使用如下`curl`命令获得 token。 -(注意例子中的{}和里面的内容需要替换成具体的服务器地址和 realm 名字): -```shell -curl -X POST "http://{your-keycloack-server}/realms/{your-realm}/protocol/openid-connect/token" \ -H "Content-Type: application/x-www-form-urlencoded" \ - -d "username={username}" \ - -d "password={password}" \ - -d 'grant_type=password' \ - -d "client_id=iotdb-client" -``` - -示例结果如下: - -```json 
-{"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJxMS1XbTBvelE1TzBtUUg4LVNKYXAyWmNONE1tdWNXd25RV0tZeFpKNG93In0.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.nwbrJkWdCNjzFrTDwKNuV5h9dDMg5ytRKGOXmFIajpfsbOutJytjWTCB2WpA8E1YI3KM6gU6Jx7cd7u0oPo5syHhfCz119n_wBiDnyTZkFOAPsx0M2z20kvBLN9k36_VfuCMFUeddJjO31MeLTmxB0UKg2VkxdczmzMH3pnalhxqpnWWk3GnrRrhAf2sZog0foH4Ae3Ks0lYtYzaWK_Yo7E4Px42-gJpohy3JevOC44aJ4auzJR1RBj9LUbgcRinkBy0JLi6XXiYznSC2V485CSBHW3sseXn7pSXQADhnmGQrLfFGO5ZljmPO18eFJaimdjvgSChsrlSEmTDDsoo5Q","expires_in":300,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJhMzZlMGU0NC02MWNmLTQ5NmMtOGRlZi03NTkwNjQ5MzQzMjEifQ.eyJleHAiOjE1OTAzOTk1NzEsImlhdCI6MTU5MDM5Nzc3MSwianRpIjoiNmMxNTBiY2EtYmE5NC00NTgxLWEwODEtYjI2YzhhMmI5YmZmIiwiaXNzIjoiaHR0cDovL2F1dGguZGVtby5wcmFnbWF0aWNpbmR1c3RyaWVzLmRlL2F1dGgvcmVhbG1zL0lvVERCIiwiYXVkIjoiaHR0cDovL2F1dGguZGVtby5wcmFnbWF0aWNpbmR1c3RyaWVzLmRlL2F1dGgvcmVhbG1zL0lvVERCIiwic3ViIjoiYmEzMmU0NzEtYzc3Mi00YjMzLThkYTYtNmZlOGFjZGEwMDczIiwidHlwIjoiUmVmcmVzaCIsImF6cCI6ImlvdGRiIiwic2Vzc2lvbl9zdGF0ZSI6IjA2MGQyODYyLTE0ZWQtNDJmZS1iYWY3LThkMWY3ODQ2NTdmMSIsInNjb3BlIjoiZW1haWwgcHJvZmlsZSJ9.ayNpXdNX28qahodX1zowrMGiUCw2AodlHBQFqr8Ui7c","token_type":"bearer","not-before-policy":0,"session_state":"060d2862-14ed-42fe-baf7-8d1f784657f1","scope":"email profile"} -``` ## Cli 的批量操作 当您想要通过脚本的方式通过 Cli / Shell 对 IoTDB 进行批量操作时,可以使用-e 参数。通过使用该参数,您可以在不进入客户端输入模式的情况下操作 IoTDB。 diff --git a/src/zh/UserGuide/dev-1.3/Tools-System/CLI_apache.md b/src/zh/UserGuide/dev-1.3/Tools-System/CLI_apache.md index 4e7125f51..7d0d48e73 100644 --- a/src/zh/UserGuide/dev-1.3/Tools-System/CLI_apache.md +++ b/src/zh/UserGuide/dev-1.3/Tools-System/CLI_apache.md 
@@ -107,105 +107,6 @@ Shell > sbin\start-cli.bat -h 10.129.187.21 -p 6667 -u root -pw root -disableISO | `help` | 获取CLI特殊命令的提示 | | `exit/quit` | 退出CLI | -### 使用 OpenID 作为用户名认证登录 - -OpenID Connect (OIDC) 使用 keycloack 作为 OIDC 服务权限认证服务。 - -#### 配置 -配置位于 iotdb-system.properties,设定 authorizer_provider_class 为 org.apache.iotdb.commons.auth.authorizer.OpenIdAuthorizer 则开启了 openID 服务,默认情况下值为 org.apache.iotdb.commons.auth.authorizer.LocalFileAuthorizer 表示没有开启 openID 服务。 - -``` -authorizer_provider_class=org.apache.iotdb.commons.auth.authorizer.OpenIdAuthorizer -``` -如果开启了 openID 服务则 openID_url 为必填项,openID_url 值为 http://ip:port/realms/{realmsName} - -``` -openID_url=http://127.0.0.1:8080/realms/iotdb/ -``` -#### keycloack 配置 - -1、下载 keycloack 程序(此教程为21.1.0版本),在 keycloack/bin 中启动 keycloack - -```shell -Shell > cd bin -Shell > ./kc.sh start-dev -``` -2、使用 https://ip:port 登陆 keycloack, 首次登陆需要创建用户 - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/login_keycloak.png?raw=true) - -3、点击 Administration Console 进入管理端 - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/AdministrationConsole.png?raw=true) - -4、在左侧的 Master 菜单点击 Create Realm, 输入 Realm Name 创建一个新的 Realm - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_Realm_1.jpg?raw=true) - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_Realm_2.jpg?raw=true) - -5、点击左侧菜单 Clients,创建 client - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/client.jpg?raw=true) - -6、点击左侧菜单 User,创建 user - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/user.jpg?raw=true) - -7、点击新创建的用户 id,点击 Credentials 导航输入密码和关闭 Temporary 选项,至此 keyclork 配置完成 - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/pwd.jpg?raw=true) - -8、创建角色,点击左侧菜单的 Roles然后点击Create Role 按钮添加角色 - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role1.jpg?raw=true) - -9、在Role Name 中输入`iotdb_admin`,点击save 按钮。提示:这里的`iotdb_admin`不能为其他名称否则即使登陆成功后也将无权限使用iotdb的查询、插入、创建 database、添加用户、角色等功能 - 
-![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role2.jpg?raw=true) - -10、点击左侧的User 菜单然后点击用户列表中的用户为该用户添加我们刚创建的`iotdb_admin`角色 - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role3.jpg?raw=true) - -11、选择Role Mappings ,在Assign role选择`iotdb_admin`增加角色 - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role4.jpg?raw=true) - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role5.jpg?raw=true) - -提示:如果用户角色有调整需要重新生成token并且重新登陆iotdb才会生效 - -以上步骤提供了一种 keycloak 登陆 iotdb 方式,更多方式请参考 keycloak 配置 - -若对应的 IoTDB 服务器开启了使用 OpenID Connect (OIDC) 作为权限认证服务,那么就不再需要使用用户名密码进行登录。 -替而代之的是使用 Token,以及空密码。 -此时,登录命令如下: - -```shell -Shell > bash sbin/start-cli.sh -h 10.129.187.21 -p 6667 -u {my-access-token} -pw "" -``` - -其中,需要将{my-access-token} (注意,包括{})替换成你的 token,即 access_token 对应的值。密码为空需要再次确认。 - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/iotdbpw.jpeg?raw=true) - -如何获取 token 取决于你的 OIDC 设置。 最简单的一种情况是使用`password-grant`。例如,假设你在用 keycloack 作为你的 OIDC 服务, -并且你在 keycloack 中有一个被定义成 public 的`iotdb`客户的 realm,那么你可以使用如下`curl`命令获得 token。 -(注意例子中的{}和里面的内容需要替换成具体的服务器地址和 realm 名字): -```shell -curl -X POST "http://{your-keycloack-server}/realms/{your-realm}/protocol/openid-connect/token" \ -H "Content-Type: application/x-www-form-urlencoded" \ - -d "username={username}" \ - -d "password={password}" \ - -d 'grant_type=password' \ - -d "client_id=iotdb-client" -``` - -示例结果如下: - -```json 
-{"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJxMS1XbTBvelE1TzBtUUg4LVNKYXAyWmNONE1tdWNXd25RV0tZeFpKNG93In0.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.nwbrJkWdCNjzFrTDwKNuV5h9dDMg5ytRKGOXmFIajpfsbOutJytjWTCB2WpA8E1YI3KM6gU6Jx7cd7u0oPo5syHhfCz119n_wBiDnyTZkFOAPsx0M2z20kvBLN9k36_VfuCMFUeddJjO31MeLTmxB0UKg2VkxdczmzMH3pnalhxqpnWWk3GnrRrhAf2sZog0foH4Ae3Ks0lYtYzaWK_Yo7E4Px42-gJpohy3JevOC44aJ4auzJR1RBj9LUbgcRinkBy0JLi6XXiYznSC2V485CSBHW3sseXn7pSXQADhnmGQrLfFGO5ZljmPO18eFJaimdjvgSChsrlSEmTDDsoo5Q","expires_in":300,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJhMzZlMGU0NC02MWNmLTQ5NmMtOGRlZi03NTkwNjQ5MzQzMjEifQ.eyJleHAiOjE1OTAzOTk1NzEsImlhdCI6MTU5MDM5Nzc3MSwianRpIjoiNmMxNTBiY2EtYmE5NC00NTgxLWEwODEtYjI2YzhhMmI5YmZmIiwiaXNzIjoiaHR0cDovL2F1dGguZGVtby5wcmFnbWF0aWNpbmR1c3RyaWVzLmRlL2F1dGgvcmVhbG1zL0lvVERCIiwiYXVkIjoiaHR0cDovL2F1dGguZGVtby5wcmFnbWF0aWNpbmR1c3RyaWVzLmRlL2F1dGgvcmVhbG1zL0lvVERCIiwic3ViIjoiYmEzMmU0NzEtYzc3Mi00YjMzLThkYTYtNmZlOGFjZGEwMDczIiwidHlwIjoiUmVmcmVzaCIsImF6cCI6ImlvdGRiIiwic2Vzc2lvbl9zdGF0ZSI6IjA2MGQyODYyLTE0ZWQtNDJmZS1iYWY3LThkMWY3ODQ2NTdmMSIsInNjb3BlIjoiZW1haWwgcHJvZmlsZSJ9.ayNpXdNX28qahodX1zowrMGiUCw2AodlHBQFqr8Ui7c","token_type":"bearer","not-before-policy":0,"session_state":"060d2862-14ed-42fe-baf7-8d1f784657f1","scope":"email profile"} -``` ### Cli 的批量操作 当您想要通过脚本的方式通过 Cli / Shell 对 IoTDB 进行批量操作时,可以使用-e 参数。通过使用该参数,您可以在不进入客户端输入模式的情况下操作 IoTDB。 diff --git a/src/zh/UserGuide/dev-1.3/Tools-System/CLI_timecho.md b/src/zh/UserGuide/dev-1.3/Tools-System/CLI_timecho.md index e8fc508bd..605beefea 100644 --- a/src/zh/UserGuide/dev-1.3/Tools-System/CLI_timecho.md +++ b/src/zh/UserGuide/dev-1.3/Tools-System/CLI_timecho.md 
@@ -94,105 +94,6 @@ Shell > sbin\start-cli.bat -h 10.129.187.21 -p 6667 -u root -pw root -disableISO | `help` | 获取CLI特殊命令的提示 | | `exit/quit` | 退出CLI | -## 使用 OpenID 作为用户名认证登录 - -OpenID Connect (OIDC) 使用 keycloack 作为 OIDC 服务权限认证服务。 - -### 配置 -配置位于 iotdb-system.properties,设定 authorizer_provider_class 为 org.apache.iotdb.commons.auth.authorizer.OpenIdAuthorizer 则开启了 openID 服务,默认情况下值为 org.apache.iotdb.commons.auth.authorizer.LocalFileAuthorizer 表示没有开启 openID 服务。 - -``` -authorizer_provider_class=org.apache.iotdb.commons.auth.authorizer.OpenIdAuthorizer -``` -如果开启了 openID 服务则 openID_url 为必填项,openID_url 值为 http://ip:port/realms/{realmsName} - -``` -openID_url=http://127.0.0.1:8080/realms/iotdb/ -``` -### keycloack 配置 - -1、下载 keycloack 程序(此教程为21.1.0版本),在 keycloack/bin 中启动 keycloack - -```shell -Shell > cd bin -Shell > ./kc.sh start-dev -``` -2、使用 https://ip:port 登陆 keycloack, 首次登陆需要创建用户 - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/login_keycloak.png?raw=true) - -3、点击 Administration Console 进入管理端 - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/AdministrationConsole.png?raw=true) - -4、在左侧的 Master 菜单点击 Create Realm, 输入 Realm Name 创建一个新的 Realm - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_Realm_1.jpg?raw=true) - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_Realm_2.jpg?raw=true) - -5、点击左侧菜单 Clients,创建 client - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/client.jpg?raw=true) - -6、点击左侧菜单 User,创建 user - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/user.jpg?raw=true) - -7、点击新创建的用户 id,点击 Credentials 导航输入密码和关闭 Temporary 选项,至此 keyclork 配置完成 - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/pwd.jpg?raw=true) - -8、创建角色,点击左侧菜单的 Roles然后点击Create Role 按钮添加角色 - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role1.jpg?raw=true) - -9、在Role Name 中输入`iotdb_admin`,点击save 按钮。提示:这里的`iotdb_admin`不能为其他名称否则即使登陆成功后也将无权限使用iotdb的查询、插入、创建 database、添加用户、角色等功能 - 
-![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role2.jpg?raw=true) - -10、点击左侧的User 菜单然后点击用户列表中的用户为该用户添加我们刚创建的`iotdb_admin`角色 - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role3.jpg?raw=true) - -11、选择Role Mappings ,在Assign role选择`iotdb_admin`增加角色 - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role4.jpg?raw=true) - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role5.jpg?raw=true) - -提示:如果用户角色有调整需要重新生成token并且重新登陆iotdb才会生效 - -以上步骤提供了一种 keycloak 登陆 iotdb 方式,更多方式请参考 keycloak 配置 - -若对应的 IoTDB 服务器开启了使用 OpenID Connect (OIDC) 作为权限认证服务,那么就不再需要使用用户名密码进行登录。 -替而代之的是使用 Token,以及空密码。 -此时,登录命令如下: - -```shell -Shell > bash sbin/start-cli.sh -h 10.129.187.21 -p 6667 -u {my-access-token} -pw "" -``` - -其中,需要将{my-access-token} (注意,包括{})替换成你的 token,即 access_token 对应的值。密码为空需要再次确认。 - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/iotdbpw.jpeg?raw=true) - -如何获取 token 取决于你的 OIDC 设置。 最简单的一种情况是使用`password-grant`。例如,假设你在用 keycloack 作为你的 OIDC 服务, -并且你在 keycloack 中有一个被定义成 public 的`iotdb`客户的 realm,那么你可以使用如下`curl`命令获得 token。 -(注意例子中的{}和里面的内容需要替换成具体的服务器地址和 realm 名字): -```shell -curl -X POST "http://{your-keycloack-server}/realms/{your-realm}/protocol/openid-connect/token" \ -H "Content-Type: application/x-www-form-urlencoded" \ - -d "username={username}" \ - -d "password={password}" \ - -d 'grant_type=password' \ - -d "client_id=iotdb-client" -``` - -示例结果如下: - -```json 
-{"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJxMS1XbTBvelE1TzBtUUg4LVNKYXAyWmNONE1tdWNXd25RV0tZeFpKNG93In0.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.nwbrJkWdCNjzFrTDwKNuV5h9dDMg5ytRKGOXmFIajpfsbOutJytjWTCB2WpA8E1YI3KM6gU6Jx7cd7u0oPo5syHhfCz119n_wBiDnyTZkFOAPsx0M2z20kvBLN9k36_VfuCMFUeddJjO31MeLTmxB0UKg2VkxdczmzMH3pnalhxqpnWWk3GnrRrhAf2sZog0foH4Ae3Ks0lYtYzaWK_Yo7E4Px42-gJpohy3JevOC44aJ4auzJR1RBj9LUbgcRinkBy0JLi6XXiYznSC2V485CSBHW3sseXn7pSXQADhnmGQrLfFGO5ZljmPO18eFJaimdjvgSChsrlSEmTDDsoo5Q","expires_in":300,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJhMzZlMGU0NC02MWNmLTQ5NmMtOGRlZi03NTkwNjQ5MzQzMjEifQ.eyJleHAiOjE1OTAzOTk1NzEsImlhdCI6MTU5MDM5Nzc3MSwianRpIjoiNmMxNTBiY2EtYmE5NC00NTgxLWEwODEtYjI2YzhhMmI5YmZmIiwiaXNzIjoiaHR0cDovL2F1dGguZGVtby5wcmFnbWF0aWNpbmR1c3RyaWVzLmRlL2F1dGgvcmVhbG1zL0lvVERCIiwiYXVkIjoiaHR0cDovL2F1dGguZGVtby5wcmFnbWF0aWNpbmR1c3RyaWVzLmRlL2F1dGgvcmVhbG1zL0lvVERCIiwic3ViIjoiYmEzMmU0NzEtYzc3Mi00YjMzLThkYTYtNmZlOGFjZGEwMDczIiwidHlwIjoiUmVmcmVzaCIsImF6cCI6ImlvdGRiIiwic2Vzc2lvbl9zdGF0ZSI6IjA2MGQyODYyLTE0ZWQtNDJmZS1iYWY3LThkMWY3ODQ2NTdmMSIsInNjb3BlIjoiZW1haWwgcHJvZmlsZSJ9.ayNpXdNX28qahodX1zowrMGiUCw2AodlHBQFqr8Ui7c","token_type":"bearer","not-before-policy":0,"session_state":"060d2862-14ed-42fe-baf7-8d1f784657f1","scope":"email profile"} -``` ## Cli 的批量操作 当您想要通过脚本的方式通过 Cli / Shell 对 IoTDB 进行批量操作时,可以使用-e 参数。通过使用该参数,您可以在不进入客户端输入模式的情况下操作 IoTDB。 diff --git a/src/zh/UserGuide/latest/Tools-System/CLI_apache.md b/src/zh/UserGuide/latest/Tools-System/CLI_apache.md index 1adf00af4..d69e49e06 100644 --- a/src/zh/UserGuide/latest/Tools-System/CLI_apache.md +++ b/src/zh/UserGuide/latest/Tools-System/CLI_apache.md 
@@ -115,107 +115,8 @@ Shell > sbin\windows\start-cli.bat -h 10.129.187.21 -p 6667 -u root -pw root -di | `help` | 获取CLI特殊命令的提示 | | `exit/quit` | 退出CLI | -### 2.4 使用 OpenID 作为用户名认证登录 -OpenID Connect (OIDC) 使用 keycloack 作为 OIDC 服务权限认证服务。 - -#### 配置 -配置位于 iotdb-system.properties,设定 authorizer_provider_class 为 org.apache.iotdb.commons.auth.authorizer.OpenIdAuthorizer 则开启了 openID 服务,默认情况下值为 org.apache.iotdb.commons.auth.authorizer.LocalFileAuthorizer 表示没有开启 openID 服务。 - -``` -authorizer_provider_class=org.apache.iotdb.commons.auth.authorizer.OpenIdAuthorizer -``` -如果开启了 openID 服务则 openID_url 为必填项,openID_url 值为 http://ip:port/realms/{realmsName} - -``` -openID_url=http://127.0.0.1:8080/realms/iotdb/ -``` -#### keycloack 配置 - -1、下载 keycloack 程序(此教程为21.1.0版本),在 keycloack/bin 中启动 keycloack - -```shell -Shell > cd bin -Shell > ./kc.sh start-dev -``` -2、使用 https://ip:port 登陆 keycloack, 首次登陆需要创建用户 - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/login_keycloak.png?raw=true) - -3、点击 Administration Console 进入管理端 - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/AdministrationConsole.png?raw=true) - -4、在左侧的 Master 菜单点击 Create Realm, 输入 Realm Name 创建一个新的 Realm - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_Realm_1.jpg?raw=true) - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_Realm_2.jpg?raw=true) - -5、点击左侧菜单 Clients,创建 client - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/client.jpg?raw=true) - -6、点击左侧菜单 User,创建 user - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/user.jpg?raw=true) - -7、点击新创建的用户 id,点击 Credentials 导航输入密码和关闭 Temporary 选项,至此 keyclork 配置完成 - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/pwd.jpg?raw=true) - -8、创建角色,点击左侧菜单的 Roles然后点击Create Role 按钮添加角色 - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role1.jpg?raw=true) - -9、在Role Name 中输入`iotdb_admin`,点击save 按钮。提示:这里的`iotdb_admin`不能为其他名称否则即使登陆成功后也将无权限使用iotdb的查询、插入、创建 database、添加用户、角色等功能 - 
-![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role2.jpg?raw=true) - -10、点击左侧的User 菜单然后点击用户列表中的用户为该用户添加我们刚创建的`iotdb_admin`角色 - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role3.jpg?raw=true) - -11、选择Role Mappings ,在Assign role选择`iotdb_admin`增加角色 - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role4.jpg?raw=true) - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role5.jpg?raw=true) - -提示:如果用户角色有调整需要重新生成token并且重新登陆iotdb才会生效 - -以上步骤提供了一种 keycloak 登陆 iotdb 方式,更多方式请参考 keycloak 配置 - -若对应的 IoTDB 服务器开启了使用 OpenID Connect (OIDC) 作为权限认证服务,那么就不再需要使用用户名密码进行登录。 -替而代之的是使用 Token,以及空密码。 -此时,登录命令如下: - -```shell -Shell > bash sbin/start-cli.sh -h 10.129.187.21 -p 6667 -u {my-access-token} -pw "" -``` - -其中,需要将{my-access-token} (注意,包括{})替换成你的 token,即 access_token 对应的值。密码为空需要再次确认。 - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/iotdbpw.jpeg?raw=true) - -如何获取 token 取决于你的 OIDC 设置。 最简单的一种情况是使用`password-grant`。例如,假设你在用 keycloack 作为你的 OIDC 服务, -并且你在 keycloack 中有一个被定义成 public 的`iotdb`客户的 realm,那么你可以使用如下`curl`命令获得 token。 -(注意例子中的{}和里面的内容需要替换成具体的服务器地址和 realm 名字): -```shell -curl -X POST "http://{your-keycloack-server}/realms/{your-realm}/protocol/openid-connect/token" \ -H "Content-Type: application/x-www-form-urlencoded" \ - -d "username={username}" \ - -d "password={password}" \ - -d 'grant_type=password' \ - -d "client_id=iotdb-client" -``` - -示例结果如下: - -```json 
-{"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJxMS1XbTBvelE1TzBtUUg4LVNKYXAyWmNONE1tdWNXd25RV0tZeFpKNG93In0.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.nwbrJkWdCNjzFrTDwKNuV5h9dDMg5ytRKGOXmFIajpfsbOutJytjWTCB2WpA8E1YI3KM6gU6Jx7cd7u0oPo5syHhfCz119n_wBiDnyTZkFOAPsx0M2z20kvBLN9k36_VfuCMFUeddJjO31MeLTmxB0UKg2VkxdczmzMH3pnalhxqpnWWk3GnrRrhAf2sZog0foH4Ae3Ks0lYtYzaWK_Yo7E4Px42-gJpohy3JevOC44aJ4auzJR1RBj9LUbgcRinkBy0JLi6XXiYznSC2V485CSBHW3sseXn7pSXQADhnmGQrLfFGO5ZljmPO18eFJaimdjvgSChsrlSEmTDDsoo5Q","expires_in":300,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJhMzZlMGU0NC02MWNmLTQ5NmMtOGRlZi03NTkwNjQ5MzQzMjEifQ.eyJleHAiOjE1OTAzOTk1NzEsImlhdCI6MTU5MDM5Nzc3MSwianRpIjoiNmMxNTBiY2EtYmE5NC00NTgxLWEwODEtYjI2YzhhMmI5YmZmIiwiaXNzIjoiaHR0cDovL2F1dGguZGVtby5wcmFnbWF0aWNpbmR1c3RyaWVzLmRlL2F1dGgvcmVhbG1zL0lvVERCIiwiYXVkIjoiaHR0cDovL2F1dGguZGVtby5wcmFnbWF0aWNpbmR1c3RyaWVzLmRlL2F1dGgvcmVhbG1zL0lvVERCIiwic3ViIjoiYmEzMmU0NzEtYzc3Mi00YjMzLThkYTYtNmZlOGFjZGEwMDczIiwidHlwIjoiUmVmcmVzaCIsImF6cCI6ImlvdGRiIiwic2Vzc2lvbl9zdGF0ZSI6IjA2MGQyODYyLTE0ZWQtNDJmZS1iYWY3LThkMWY3ODQ2NTdmMSIsInNjb3BlIjoiZW1haWwgcHJvZmlsZSJ9.ayNpXdNX28qahodX1zowrMGiUCw2AodlHBQFqr8Ui7c","token_type":"bearer","not-before-policy":0,"session_state":"060d2862-14ed-42fe-baf7-8d1f784657f1","scope":"email profile"} -``` - -### 2.5 Cli 的批量操作 +### 2.4 Cli 的批量操作 当您想要通过脚本的方式通过 Cli / Shell 对 IoTDB 进行批量操作时,可以使用-e 参数。通过使用该参数,您可以在不进入客户端输入模式的情况下操作 IoTDB。 为了避免 SQL 语句和其他参数混淆,现在只支持-e 参数作为最后的参数使用。 diff --git a/src/zh/UserGuide/latest/Tools-System/CLI_timecho.md b/src/zh/UserGuide/latest/Tools-System/CLI_timecho.md index c3d9f570f..2ec16f94c 100644 --- a/src/zh/UserGuide/latest/Tools-System/CLI_timecho.md +++ b/src/zh/UserGuide/latest/Tools-System/CLI_timecho.md 
@@ -102,107 +102,8 @@ Shell > sbin\windows\start-cli.bat -h 10.129.187.21 -p 6667 -u root -pw root -di | `help` | 获取CLI特殊命令的提示 | | `exit/quit` | 退出CLI | -## 4. 使用 OpenID 作为用户名认证登录 -OpenID Connect (OIDC) 使用 keycloack 作为 OIDC 服务权限认证服务。 - -### 配置 -配置位于 iotdb-system.properties,设定 authorizer_provider_class 为 org.apache.iotdb.commons.auth.authorizer.OpenIdAuthorizer 则开启了 openID 服务,默认情况下值为 org.apache.iotdb.commons.auth.authorizer.LocalFileAuthorizer 表示没有开启 openID 服务。 - -``` -authorizer_provider_class=org.apache.iotdb.commons.auth.authorizer.OpenIdAuthorizer -``` -如果开启了 openID 服务则 openID_url 为必填项,openID_url 值为 http://ip:port/realms/{realmsName} - -``` -openID_url=http://127.0.0.1:8080/realms/iotdb/ -``` -### keycloack 配置 - -1、下载 keycloack 程序(此教程为21.1.0版本),在 keycloack/bin 中启动 keycloack - -```shell -Shell > cd bin -Shell > ./kc.sh start-dev -``` -2、使用 https://ip:port 登陆 keycloack, 首次登陆需要创建用户 - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/login_keycloak.png?raw=true) - -3、点击 Administration Console 进入管理端 - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/AdministrationConsole.png?raw=true) - -4、在左侧的 Master 菜单点击 Create Realm, 输入 Realm Name 创建一个新的 Realm - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_Realm_1.jpg?raw=true) - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_Realm_2.jpg?raw=true) - -5、点击左侧菜单 Clients,创建 client - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/client.jpg?raw=true) - -6、点击左侧菜单 User,创建 user - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/user.jpg?raw=true) - -7、点击新创建的用户 id,点击 Credentials 导航输入密码和关闭 Temporary 选项,至此 keyclork 配置完成 - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/pwd.jpg?raw=true) - -8、创建角色,点击左侧菜单的 Roles然后点击Create Role 按钮添加角色 - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role1.jpg?raw=true) - -9、在Role Name 中输入`iotdb_admin`,点击save 按钮。提示:这里的`iotdb_admin`不能为其他名称否则即使登陆成功后也将无权限使用iotdb的查询、插入、创建 database、添加用户、角色等功能 - 
-![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role2.jpg?raw=true) - -10、点击左侧的User 菜单然后点击用户列表中的用户为该用户添加我们刚创建的`iotdb_admin`角色 - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role3.jpg?raw=true) - -11、选择Role Mappings ,在Assign role选择`iotdb_admin`增加角色 - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role4.jpg?raw=true) - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/add_role5.jpg?raw=true) - -提示:如果用户角色有调整需要重新生成token并且重新登陆iotdb才会生效 - -以上步骤提供了一种 keycloak 登陆 iotdb 方式,更多方式请参考 keycloak 配置 - -若对应的 IoTDB 服务器开启了使用 OpenID Connect (OIDC) 作为权限认证服务,那么就不再需要使用用户名密码进行登录。 -替而代之的是使用 Token,以及空密码。 -此时,登录命令如下: - -```shell -Shell > bash sbin/start-cli.sh -h 10.129.187.21 -p 6667 -u {my-access-token} -pw "" -``` - -其中,需要将{my-access-token} (注意,包括{})替换成你的 token,即 access_token 对应的值。密码为空需要再次确认。 - -![avatar](/img/UserGuide/CLI/Command-Line-Interface/iotdbpw.jpeg?raw=true) - -如何获取 token 取决于你的 OIDC 设置。 最简单的一种情况是使用`password-grant`。例如,假设你在用 keycloack 作为你的 OIDC 服务, -并且你在 keycloack 中有一个被定义成 public 的`iotdb`客户的 realm,那么你可以使用如下`curl`命令获得 token。 -(注意例子中的{}和里面的内容需要替换成具体的服务器地址和 realm 名字): -```shell -curl -X POST "http://{your-keycloack-server}/realms/{your-realm}/protocol/openid-connect/token" \ -H "Content-Type: application/x-www-form-urlencoded" \ - -d "username={username}" \ - -d "password={password}" \ - -d 'grant_type=password' \ - -d "client_id=iotdb-client" -``` - -示例结果如下: - -```json 
-{"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJxMS1XbTBvelE1TzBtUUg4LVNKYXAyWmNONE1tdWNXd25RV0tZeFpKNG93In0.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.nwbrJkWdCNjzFrTDwKNuV5h9dDMg5ytRKGOXmFIajpfsbOutJytjWTCB2WpA8E1YI3KM6gU6Jx7cd7u0oPo5syHhfCz119n_wBiDnyTZkFOAPsx0M2z20kvBLN9k36_VfuCMFUeddJjO31MeLTmxB0UKg2VkxdczmzMH3pnalhxqpnWWk3GnrRrhAf2sZog0foH4Ae3Ks0lYtYzaWK_Yo7E4Px42-gJpohy3JevOC44aJ4auzJR1RBj9LUbgcRinkBy0JLi6XXiYznSC2V485CSBHW3sseXn7pSXQADhnmGQrLfFGO5ZljmPO18eFJaimdjvgSChsrlSEmTDDsoo5Q","expires_in":300,"refresh_expires_in":1800,"refresh_token":"eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJhMzZlMGU0NC02MWNmLTQ5NmMtOGRlZi03NTkwNjQ5MzQzMjEifQ.eyJleHAiOjE1OTAzOTk1NzEsImlhdCI6MTU5MDM5Nzc3MSwianRpIjoiNmMxNTBiY2EtYmE5NC00NTgxLWEwODEtYjI2YzhhMmI5YmZmIiwiaXNzIjoiaHR0cDovL2F1dGguZGVtby5wcmFnbWF0aWNpbmR1c3RyaWVzLmRlL2F1dGgvcmVhbG1zL0lvVERCIiwiYXVkIjoiaHR0cDovL2F1dGguZGVtby5wcmFnbWF0aWNpbmR1c3RyaWVzLmRlL2F1dGgvcmVhbG1zL0lvVERCIiwic3ViIjoiYmEzMmU0NzEtYzc3Mi00YjMzLThkYTYtNmZlOGFjZGEwMDczIiwidHlwIjoiUmVmcmVzaCIsImF6cCI6ImlvdGRiIiwic2Vzc2lvbl9zdGF0ZSI6IjA2MGQyODYyLTE0ZWQtNDJmZS1iYWY3LThkMWY3ODQ2NTdmMSIsInNjb3BlIjoiZW1haWwgcHJvZmlsZSJ9.ayNpXdNX28qahodX1zowrMGiUCw2AodlHBQFqr8Ui7c","token_type":"bearer","not-before-policy":0,"session_state":"060d2862-14ed-42fe-baf7-8d1f784657f1","scope":"email profile"} -``` - -## 5. Cli 的批量操作 +## 4. Cli 的批量操作 当您想要通过脚本的方式通过 Cli / Shell 对 IoTDB 进行批量操作时,可以使用-e 参数。通过使用该参数,您可以在不进入客户端输入模式的情况下操作 IoTDB。 为了避免 SQL 语句和其他参数混淆,现在只支持-e 参数作为最后的参数使用。
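
Review bot: The `V1.3.x` and `dev-1.3` hunks (`@@ -107,105 +107,6 @@` in `CLI_apache.md`, `@@ -94,105 +94,6 @@` in `CLI_timecho.md`) delete the whole "使用 OpenID 作为用户名认证登录" section from versioned guides and put nothing in its place. If `authorizer_provider_class=org.apache.iotdb.commons.auth.authorizer.OpenIdAuthorizer` can still be set in those releases, operators lose the only written statement that `openID_url` is mandatory once the authorizer is switched on, that the Keycloak role must be named exactly `iotdb_admin`, and that login uses `-u {my-access-token} -pw ""`. Please either state in the commit message that the authorizer is gone from these versions, or leave a one-line pointer (deprecation note or link to the new location) where the section used to be, so nobody ends up configuring an authentication backend from memory.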
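
Review bot: In the two `latest` hunks the following heading is renumbered by hand (`### 2.5 Cli 的批量操作` to `### 2.4` in `CLI_apache.md`, `## 5. Cli 的批量操作` to `## 4.` in `CLI_timecho.md`), but only that one heading is visible in the change. Check that no later numbered heading in either file still carries the old sequence, and that no other page links to the anchors of the removed `2.4 使用 OpenID 作为用户名认证登录` / `4. 使用 OpenID 作为用户名认证登录` headings or to the old batch-operation number. The removed text was also the only thing in these files referencing the screenshots under `/img/UserGuide/CLI/Command-Line-Interface/` (`login_keycloak.png` through `add_role5.jpg`, `iotdbpw.jpeg`); if no other page uses them they should be dropped in the same change.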
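
Review bot: Every removed "示例结果如下" block (the `-{"access_token":...` line at the end of each hunk) carried a full-length `access_token` and `refresh_token` rather than a placeholder, and those values stay in the repository history after this deletion. The response itself shows `"expires_in":300` and `"refresh_expires_in":1800`, so they should be long expired, but it is worth confirming they were issued by a throwaway demo realm and noting that in the PR. If this walkthrough is republished elsewhere, use a truncated placeholder for both tokens, and reconsider two other habits the deleted text taught: requesting the token from an `http://` endpoint with `grant_type=password`, and passing the token as the `-u` argument of `start-cli.sh`, where it lands in shell history and the process list.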