analytics-link-setup
Manage Analytics links
SYNOPSIS
couchbase-cli analytics-link-setup [--cluster <cluster>] [--username <username>] [--password <password>] [--client-cert <path>] [--client-cert-password <password>] [--client-key <path>] [--client-key-password <password>] [--create] [--delete] [--edit] [--list] [--dataverse <name>] [--scope <name>] [--name <name>] [--type <type>] [--hostname <hostname>] [--link-username <username>] [--link-password <password>] [--user-certificate <path>] [--user-key <path>] [--user-key-passphrase <path>] [--certificate <path>] [--encryption <type>] [--access-key-id <id>] [--secret-access-key <key>] [--session-token <token>] [--region <region>] [--service-endpoint <url>] [--account-name <id>] [--account-key <key>] [--shared-access-signature <token>] [--managed-identity-id <id>] [--client-id <id>] [--tenant-id <id>] [--client-secret <key>] [--client-certificate <key>] [--client-certificate-password <key>] [--endpoint <url>]
DESCRIPTION
This command is used to manage links used by the external dataset and remote cluster capabilities of the Analytics Service.
OPTIONS
Common Link Options
- -c
- --cluster
-
Specifies the hostname of a node in the cluster. See the HOST FORMATS section for more information on specifying a hostname.
- -u
- --username <username>
-
Specifies the username of the user executing the command. If you do not have a user account with permission to execute the command then it will fail with an unauthorized error.
- -p
- --password <password>
-
Specifies the password of the user executing the command. If you do not have a user account with permission to execute the command then it will fail with an unauthorized error. If this argument is specified, but no password is given then the command will prompt the user for a password through non-echoed stdin. You may also specify your password by using the environment variable CB_REST_PASSWORD.
- --client-cert <path>
-
The path to a client certificate used to authenticate when connecting to a cluster. May be supplied with
--client-key
as an alternative to the--username
and--password
flags. See the CERTIFICATE AUTHENTICATION section for more information. - --client-cert-password <password>
-
The password for the certificate provided to the
--client-cert
flag, when using this flag, the certificate/key pair is expected to be in the PKCS#12 format. See the CERTIFICATE AUTHENTICATION section for more information. - --client-key <path>
-
The path to the client private key whose public key is contained in the certificate provided to the
--client-cert
flag. May be supplied with--client-cert
as an alternative to the--username
and--password
flags. See the CERTIFICATE AUTHENTICATION section for more information. - --client-key-password <password>
-
The password for the key provided to the
--client-key
flag, when using this flag, the key is expected to be in the PKCS#8 format. See the CERTIFICATE AUTHENTICATION section for more information. - --create
-
Creates a new link.
- --delete
-
Deletes a link.
- --edit
-
Edits a link.
- --list
-
List defined links.
- --name <name>
-
The name for the link.
- --type <type>
-
The type of the link. It can be 'couchbase', 's3' or 'azureblob'.
- --dataverse <name>
-
(Deprecated) The dataverse of the link. Use --scope instead.
- --scope <name>
-
The scope of the link in its canonical form. The canonical form of a scope is each part of the form, joined with a '/' character. e.g. the canonical form of the scope '`remote.links`.s3' would be represented as 'remote.links/s3'
Couchbase Link Options
Following are the options specific to --type couchbase, i.e. Couchbase links
- --hostname <hostname>
-
The hostname of the link.
- --encryption <type>
-
Specifies the type of encryption to use. This flag may be set to 'half', 'full', or 'none'. Half encryption means that passwords are encrypted, but data is not. This results in faster data transfer, but less security. Full encryption means that all data and passwords are encrypted which increases security, but reduces overall data transfer speed. If no encryption is needed then "none" can be specified.
- --link-username <username>
-
The username of the link.
- --link-password <password>
-
The password of the link.
- --user-certificate <path>
-
The local path to the file containing the user certificate for authentication. This and --user-key are used in place of --link-username and --link-password when utilizing certificate-based authentication. Certificate-based auth requires --encryption full.
- --user-key <path>
-
The local path to the file containing the user key for authentication. This and --user-certificate are used in place of --link-username and --link-password when utilizing certificate-based authentication. Certificate-based auth requires --encryption full.
- --user-key-passphrase <path>
-
The local path to a JSON file containing the private key passphrase settings, see below for examples for the accepted configurations. Required when using --encryption full with Certificate-based auth, where the specified --user-key is encrypted.
When sending a plain text password, the file may look something like the one below. Note that plain passphrases will be encrypted with secret management when arrives to the server, but will be transmitted unencrypted (unless HTTPS is used)
{ "type": "plain", "password": "asdasd" }
When using a REST call to fetch the password, the file may look similar to the one below.
{ "type": "rest", "url": "<url to call>", "httpsOpts": { "verifyPeer": true }, "timeout": 5000 }
- --certificate <path>
-
The local path to the file containing the certificate used for encryption. Multiple certificates can be configured by specifying --certificate <path> for each certificate. At least one certificate required with --encryption full.
S3 Link Options
Following are the options specific to --type s3, i.e. S3 links
- --access-key-id <id>
-
The access key ID of the s3 link.
- --secret-access-key <key>
-
The secret access key of the s3 link.
- --session-token <token>
-
The session token of the s3 link. This is used when Multi-Factor Authentication (MFA) temporary credentials are used.
- --region <region>
-
The region of the s3 link.
- --service-endpoint <url>
-
The service endpoint of the link (optional).
Azure Blob Link Options
Following are the options specific to --type azureblob, i.e. Azure Blob links. Only a single authentication method is allowed to be provided at the same time. If anonymous authentication (no authentication) is desired, then none of the authentication parameters should be provided.
- --account-name <id>
-
The account name of the link. This property needs to be provided together with the --account-key.
- --account-key <key>
-
The account key of the link. This property needs to be provided together with the --account-name.
- --shared-access-signature <token>
-
The shared access signature of the link.
- --managed-identity-id <id>
-
The managed identity id of the link.
- --client-id <id>
-
The client id of the link. This property needs to be provided together with the --tenant-id and either the --client-secret or --client-certificate.
- --client-secret <key>
-
The client secret of the link. This property needs to be provided together with the --client-id and the --tenant-id.
- --client-certificate <key>
-
The client certificate of the link. This property needs to be provided together with the --client-id and the --tenant-id. If the client certificate is password protected, then the --client-certificate-password property needs to be provided as well.
- --client-certificate-password <key>
-
The client certificate password of the link. This property is provided if the provided --client-certificate is password protected.
- --tenant-id <id>
-
The tenant id of the link. This property is provided together with the --client-id.
- --endpoint <url>
-
The endpoint of the link (required).
Azure Data Lake Link Options (Developer Preview)
Note: Azure Data Lake links are available only in Developer Preview mode.
Following are the options specific to --type azuredatalake, i.e. Azure Data Lake links. Only a single authentication method is allowed to be provided at the same time. If anonymous authentication (no authentication) is desired, then none of the authentication parameters should be provided.
- --account-name <id>
-
The account name of the link. This property needs to be provided together with the --account-key.
- --account-key <key>
-
The account key of the link. This property needs to be provided together with the --account-name.
- --shared-access-signature <token>
-
The shared access signature of the link.
- --managed-identity-id <id>
-
The managed identity id of the link.
- --client-id <id>
-
The client id of the link. This property needs to be provided together with the --tenant-id and either the --client-secret or --client-certificate.
- --client-secret <key>
-
The client secret of the link. This property needs to be provided together with the --client-id and the --tenant-id.
- --client-certificate <key>
-
The client certificate of the link. This property needs to be provided together with the --client-id and the --tenant-id. If the client certificate is password protected, then the --client-certificate-password property needs to be provided as well.
- --client-certificate-password <key>
-
The client certificate password of the link. This property is provided if the provided --client-certificate is password protected.
- --tenant-id <id>
-
The tenant id of the link. This property is provided together with the --client-id.
- --endpoint <url>
-
The endpoint of the link (required).
HOST FORMATS
When specifying a host for the couchbase-cli command the following formats are expected:
-
couchbase://<addr>
orcouchbases://<addr>
-
http://<addr>:<port>
orhttps://<addr>:<port>
-
<addr>:<port>
It is recommended to use the couchbase://<addr> or couchbases://<addr> format for standard installations. The other formats allow an option to take a port number which is needed for non-default installations where the admin port has been set up on a port other that 8091 (or 18091 for https).
CERTIFICATE AUTHENTICATION (MTLS AUTHENTICATION)
This tool supports authenticating against a Couchbase Cluster by using certificate based authentication (mTLS authentication). To use certificate based authentication a certificate/key must be supplied, there a currently multiple ways this may be done.
PEM ENCODED CERTIFICATE/KEY
An unencrypted PEM encoded certificate/key may be supplied by using:
- --client-cert <path>
- --client-key <path>
The file passed to --client-cert
must contain the client certificate, and an optional chain required to authenticate
the client certificate.
The file passed to --client-key
must contain at most one private key, the key can be in one of the following formats:
- PKCS#1
- PKCS#8
Currently, only the following key types are supported: - RSA - DSA
PEM ENCODED CERTIFICATE/PEM OR DER ENCRYPTED PKCS#8 KEY
An encrypted PKCS#8 formatted key may be provided using:
- --client-cert <path>
- --client-key <path>
- --client-key-password <password>
The file passed to --client-cert
must contain the client certificate, and an optional chain required to authenticate
the client certificate.
Currently, only the following key types are supported: - RSA - DSA
ENCRYPTED PKCS#12 CERTIFICATE/KEY
An encrypted PKCS#12 certificate/key may be provided using:
- --client-cert <path>
- --client-cert-password <password>
The file passed to --client-cert
must contain the client certificate and exactly one private key. It may also contain
the chain required to authenticate the client certificate.
Currently, only the following key types are supported: - RSA - DSA
EXAMPLES
To create a new link to a Couchbase cluster named "east", run the following command:
$ couchbase-cli analytics-link-setup -c 192.168.1.5 -u Administrator \ -p password --create --scope Default --name east --type couchbase \ --hostname 192.168.1.6 --link-username Administrator \ --link-password password --encryption none
If the new remote reference should be fully encrypted then make sure to enable encryption. Two certificates are specified for the remote cluster in the following command:
$ couchbase-cli analytics-link-setup -c 192.168.1.5 -u Administrator \ -p password --create --scope Default --name east --type couchbase \ --hostname 192.168.1.6 --link-username Administrator \ --link-password password --encryption full \ --certificate /root/cert1.pem --certificate /root/cert2.pem
To create an S3 link named myAwsLink
in the "`remote.links`.s3" scope, run
the following command:
$ couchbase-cli analytics-link-setup -c 192.168.1.5 -u Administrator \ -p password --create --scope remote.links/s3 --name myAwsLink --type s3 \ --region us-west-2 --access-key-id LOREMIPSUMDOLORSITAMET123 \ --secret-access-key CoNSEcteTuRadipIsciNGelITSEDDoeiUSmODTEMpor456
To create an S3 link named myAwsLink
in the "`remote.links`.s3" scope, with
temporary S3 credentials, run the following command:
$ couchbase-cli analytics-link-setup -c 192.168.1.5 -u Administrator \ -p password --create --scope remote.links/s3 --name myAwsLink --type s3 \ --region us-west-2 --access-key-id myTemporaryAccessKeyId \ --secret-access-key myTemporarySecretAccessKey \ --session-token myTemporarySessionToken
To create an AzureBlob link named myAzureBlobLink
in the "`remote.links`.azure"
scope, using "account name and account key" for authentication, run the
following command:
$ couchbase-cli analytics-link-setup -c 192.168.1.5 -u Administrator \ -p password --create --scope remote.links/azure --name myAzureBlobLink --type \ azureblob --account-name myAccountName --account-key myAccountKey --endpoint myendpoint.com
To create an AzureBlob link named myAzureBlobLink
in the "`remote.links`.azure"
scope, using "shared access signature" for authentication,
run the following command:
$ couchbase-cli analytics-link-setup -c 192.168.1.5 -u Administrator \ -p password --create --scope remote.links/azure --name myAzureBlobLink --type \ azureblob --shared-access-signature mySharedAccessSignature --endpoint myendpoint.com
To create an AzureBlob link named myAzureBlobLink
in the "`remote.links`.azure"
scope, using "managed identity id" for authentication, run the following command:
$ couchbase-cli analytics-link-setup -c 192.168.1.5 -u Administrator \ -p password --create --scope remote.links/azure --name myAzureBlobLink --type \ azureblob --managed-identity-id myManagedIdentityId --endpoint myendpoint.com
To create an AzureBlob link named myAzureBlobLink
in the "`remote.links`.azure"
scope, using "client id and client secret" for authentication, run the following command:
$ couchbase-cli analytics-link-setup -c 192.168.1.5 -u Administrator \ -p password --create --scope remote.links/azure --name myAzureBlobLink --type \ azureblob --client-id myClientId --client-secret myClientSecret --endpoint myendpoint.com
To create an AzureBlob link named myAzureBlobLink
in the "`remote.links`.azure"
scope, using "client id and client certificate" for authentication, run the following command:
$ couchbase-cli analytics-link-setup -c 192.168.1.5 -u Administrator \ -p password --create --scope remote.links/azure --name myAzureBlobLink --type \ azureblob --client-id myClientId --client-certificate myClientCertificate --endpoint myendpoint.com
to create an Azure Data Lake link named myAzureDataLakeLink
in the "`remote.links`.azure"
scope, using "account name and account key" for authentication, run the
following command:
$ couchbase-cli analytics-link-setup -c 192.168.1.5 -u Administrator \ -p password --create --scope remote.links/azure --name myAzureDataLakeLink --type \ azuredatalake --account-name myAccountName --account-key myAccountKey --endpoint myendpoint.com
to create an Azure Data Lake link named myAzureDataLakeLink
in the "`remote.links`.azure"
scope, using "shared access signature" for authentication,
run the following command:
$ couchbase-cli analytics-link-setup -c 192.168.1.5 -u Administrator \ -p password --create --scope remote.links/azure --name myAzureDataLakeLink --type \ azuredatalake --shared-access-signature mySharedAccessSignature --endpoint myendpoint.com
to create an Azure Data Lake link named myAzureDataLakeLink
in the "`remote.links`.azure"
scope, using "managed identity id" for authentication, run the following command:
$ couchbase-cli analytics-link-setup -c 192.168.1.5 -u Administrator \ -p password --create --scope remote.links/azure --name myAzureDataLakeLink --type \ azuredatalake --managed-identity-id myManagedIdentityId --endpoint myendpoint.com
to create an Azure Data Lake link named myAzureDataLakeLink
in the "`remote.links`.azure"
scope, using "client id and client secret" for authentication, run the following command:
$ couchbase-cli analytics-link-setup -c 192.168.1.5 -u Administrator \ -p password --create --scope remote.links/azure --name myAzureDataLakeLink --type \ azuredatalake --client-id myClientId --client-secret myClientSecret --endpoint myendpoint.com
to create an Azure Data Lake link named myAzureDataLakeLink
in the "`remote.links`.azure"
scope, using "client id and client certificate" for authentication, run the following command:
$ couchbase-cli analytics-link-setup -c 192.168.1.5 -u Administrator \ -p password --create --scope remote.links/azure --name myAzureDataLakeLink --type \ azuredatalake --client-id myClientId --client-certificate myClientCertificate --endpoint myendpoint.com
To list all current links, run the following command:
$ couchbase-cli analytics-link-setup -c 192.168.1.5 -u Administrator \ -p password --list
To list current S3 links, run the following command:
$ couchbase-cli analytics-link-setup -c 192.168.1.5 -u Administrator \ -p password --list --type s3
To list current AzureBlob links, run the following command:
$ couchbase-cli analytics-link-setup -c 192.168.1.5 -u Administrator \ -p password --list --type azureblob
To list current Azure Data Lake links, run the following command:
$ couchbase-cli analytics-link-setup -c 192.168.1.5 -u Administrator \ -p password --list --type azuredatalake
If you need to edit a link named "east" and change the password, run the following command:
$ couchbase-cli analytics-link-setup -c 192.168.1.5 -u Administrator \ -p password --edit --scope Default --name east --type couchbase \ --hostname 192.168.1.6 --link-username Administrator \ --link-password new_password --encryption half
Note in the above example that you need to re-specify all of the current unchanging configuration parameters in addition to changing ones, except --type which cannot change.
If a link is no longer needed it can be deleted. The following example deletes the link named "east" in the "Default" scope:
$ couchbase-cli analytics-link-setup -c 192.168.1.5 -u Administrator \ -p password --delete --scope Default --link east
ENVIRONMENT AND CONFIGURATION VARIABLES
- CB_REST_USERNAME
-
Specifies the username to use when executing the command. This environment variable allows you to specify a default argument for the -u/--username argument on the command line.
- CB_REST_PASSWORD
-
Specifies the password of the user executing the command. This environment variable allows you to specify a default argument for the -p/--password argument on the command line. It also allows the user to ensure that their password are not cached in their command line history.
- CB_CLIENT_CERT
-
The path to a client certificate used to authenticate when connecting to a cluster. May be supplied with
CB_CLIENT_KEY
as an alternative to theCB_USERNAME
andCB_PASSWORD
variables. See the CERTIFICATE AUTHENTICATION section for more information. - CB_CLIENT_CERT_PASSWORD
-
The password for the certificate provided to the
CB_CLIENT_CERT
variable, when using this variable, the certificate/key pair is expected to be in the PKCS#12 format. See the CERTIFICATE AUTHENTICATION section for more information. - CB_CLIENT_KEY
-
The path to the client private key whose public key is contained in the certificate provided to the
CB_CLIENT_CERT
variable. May be supplied withCB_CLIENT_CERT
as an alternative to theCB_USERNAME
andCB_PASSWORD
variables. See the CERTIFICATE AUTHENTICATION section for more information. - CB_CLIENT_KEY_PASSWORD
-
The password for the key provided to the
CB_CLIENT_KEY
variable, when using this variable, the key is expected to be in the PKCS#8 format. See the CERTIFICATE AUTHENTICATION section for more information.
COUCHBASE-CLI
Part of the couchbase-cli suite