Skip to main content

kwbase Command Reference

kwbase start

Description

The kwbase start command is used to start a KWDB node.

Command Syntax

./kwbase start [flags]

Parameters

Parameter Details
ParameterDescription
--advertise-addrThe IP address or hostname used by the node to communicate with other nodes, in the format <addr/host>[:<port>]. If a hostname is used, it must be resolvable. If an IP address is used, it must be accessible. For IPv6 addresses, use the [...] notation, for example: [::1]:26257 or [fe80::f6f2::1]:26257. If not specified, the value of --listen-addr is used by default. If only part of the parameter value is specified, the unspecified parts use the corresponding values from --listen-addr. The effect of this parameter depends on the combination with --listen-addr. For example, if the port number differs from the one used in --listen-addr, port forwarding needs to be configured.
Default value: the value of --listen-addr.
--attrsAn ordered list of node attributes separated by colons (:). Node attributes can be arbitrary strings that specify machine capabilities. Machine capabilities may include specialized hardware or core counts (for example, gpu, x16c). For example, --attrs=x16c:gpu.
--backgroundStart the KWDB node in the background. This is similar to adding & at the end of the command line directly. However, when starting the KWDB node with the --background option, control is not returned to the shell until the KWDB node is ready to accept requests.
Note
The --background parameter is suitable for short-lived running and testing services. Currently, since it cannot be fully detached from the current terminal, it is not recommended for long-running services. In such cases, it is recommended to use a service manager or tools like daemon(8).
--brpc-addrThe brpc communication address between timing engines, in the format <host>:<port> or :<port>:
- The port number must be included, otherwise the system reports an error failed to start server: --brpc-addr's port not specified.
- The IP address can be omitted; if not specified, the system will use the IP from --advertise-addr or --listen-addr in order.
Note
--advertise-addr and --brpc-addr are both inter-node communication addresses, so ensure network connectivity between all nodes. It is recommended to use the format --brpc-addr=:<port>, and the system will automatically obtain the IP address.
--buffer-pool-sizeAE executor buffer pool size.
Default value: 4096
--cacheThe cache size, shared across multiple physical storage devices. The parameter value supports precise memory values (in bytes), decimal values (converted to percentage values), and percentage values:
- --cache=.25
- --cache=25%
- --cache=1000000000: 1000000000 bytes
- --cache=1GB: 1000000000 bytes
- --cache=1GiB: 1073741824 bytes
Default value: 128 MiB
Note
If using the format with a percentage sign (%), ensure the system can properly recognize the escaped percentage sign (%). For example, in some configuration files, the percentage sign (%) may be recognized as a comment character. Therefore, it is recommended to use decimal values.
--certs-dirThe path to the secure certificates directory, used to access and verify clusters deployed in secure mode.
Default value: ${HOME}/.kaiwudb-certs/
-h, --helpHelp information for the kwbase start command.
--http-addrThe IP address or hostname for the Admin interface. IPv6 addresses use the [...] notation, for example: [::1]:8080 or [fe80::f6f2::1]:8080.
Default value: same as --listen-addr parameter, with port 8080.
--import-pathThe path where import files are located.
--insecureStart the cluster in insecure mode. If not specified, the cluster starts in secure mode.
-j, --joinThe address for the node to join the cluster. During initialization, you need to specify the addresses and ports of 3-5 nodes in the cluster, then execute the kwbase init command to start the cluster. If this parameter is not specified, a single-node cluster is started. In this case, you do not need to execute the kwbase init command. To add new nodes to an existing cluster, you can use this parameter to specify the addresses and ports of 3-5 nodes in the cluster.
--listen-addrThe IP address/hostname and port for listening to connections from other nodes and clients. IPv6 addresses use the [...] notation, for example: [::1] or [fe80::f6f2::1]. The effect of this parameter depends on the combination with --advertise-addr. If --advertise-addr is not specified, it uses the canonical hostname to communicate with other nodes.
Default value: listen on all IP addresses, port 26257.
--log-dirEnable logging and record logs in the specified directory. When --log-dir is set to an empty string (--log-dir=""), it means logging is disabled.
--log-dir-max-sizeWhen the total size of all log files reaches the threshold, KWDB will delete the earliest log.
Default value: 100 MiB
--log-file-verbosityOutput logs at and above the specified level to the log file, for example: --log-file-verbosity=WARNING.
Default value: INFO
--max-disk-temp-storageThe maximum storage space available on disk for temporary data from SQL queries that exceed the memory budget. This ensures that JOIN, SORT, and other memory-intensive SQL operations can spill intermediate results to disk. This value can be a percentage or an exact value (in bytes), for example:
- --max-disk-temp-storage=.25
- --max-disk-temp-storage=25%
- --max-disk-temp-storage=10000000000: 1000000000 bytes
- --max-disk-temp-storage=1GB: 1000000000 bytes
- --max-disk-temp-storage=1GiB: 1073741824 bytes.
These temporary files are stored in a subdirectory of the first storage directory specified by the --store parameter.
Default value: 32GiB
Note
If using the format with a percentage sign (%), ensure the system can properly recognize the escaped percentage sign (%). For example, in some configuration files, the percentage sign (%) may be recognized as a comment character. Therefore, it is recommended to use decimal values.
--max-offsetThe maximum clock offset allowed for the cluster. If the observed clock offset exceeds this limit, the server will crash to minimize the possibility of reading inconsistent data. Increasing this value will prolong failure recovery time and increase the frequency of uncertainty-based read restarts. Note that this value must be consistent across all nodes in the cluster. To change this value, you must stop all nodes in the cluster and then restart them with the new value.
Default value: 500ms
--max-sql-memoryThe maximum memory space available for temporary data cached by SQL queries, including prepared queries and intermediate data rows during query execution. This value can be a percentage or an exact value (in bytes), for example:
- --max-sql-memory=.25
- --max-sql-memory=25%
- --max-sql-memory=10000000000: 1000000000 bytes
- --max-sql-memory=1GB: 1000000000 bytes
- --max-sql-memory=1GiB: 1073741824 bytes.
These temporary files are stored in the --temp-dir folder.
Note
If using the format with a percentage sign (%), ensure the system can properly recognize the escaped percentage sign (%). For example, in some configuration files, the percentage sign (%) may be recognized as a comment character. Therefore, it is recommended to use decimal values.
--restful-portRESTful port, valid range: [0, 65535].
Default value: 8080
--restful-timeoutRESTful API timeout.
Default value: 60
--sql-audit-dirThe location of the security audit log. By default, SQL audit logs are written to the same directory as other logs generated by KWDB.
-s, --storeThe storage device path for storing database data. Supports specifying device attributes and space size simultaneously. If using multiple devices to store data, use the format --store=/mnt/ssd01 --store=/mnt/ssd02.
--thread-pool-sizeAE executor thread pool size.
Default value: 10
--upgrade-completeNode upgrade completed.

Examples

The following example starts a multi-node KWDB cluster.

  • TLS secure mode

    The following example assumes certificates have been generated for the root user. For more details about generating certificates, see the Examples section of the kwbase cert command.

    ./kwbase start \
    --certs-dir=/root/certs \
    --store=/opt/node1 \
    --advertise-addr=<node1_address>:26257 \
    --brpc-addr=:27257 \
    --listen-addr=<node1_address>:26257 \
    --http-addr=<node1_address>:8080 \
    --join=<node1_address>,<node2_address>,<node3_address> \
    --cache=.25 \
    --max-sql-memory=.25 \
    --background
  • Insecure mode

    ./kwbase start \
    --insecure \
    --store=/opt/node1 \
    --advertise-addr=<node1_address>:26257 \
    --brpc-addr=:27257 \
    --listen-addr=<node1_address>:26257 \
    --http-addr=<node1_address>:8080 \
    --join=<node1_address>,<node2_address>,<node3_address> \
    --cache=.25 \
    --max-sql-memory=.25 \
    --background

kwbase start-single-replica

Description

The kwbase start-single-replica command is used to start a single-replica node.

Command Syntax

./kwbase start-single-replica [flags]

Parameters

Parameter Details
ParameterDescription
--advertise-addrThe IP address or hostname used by the node to communicate with other nodes. Format: <addr/host>[:<port>].
- Hostname must be resolvable
- IP address must be accessible
- IPv6 addresses use [...] notation, like [::1]:26257
- If not specified, defaults to the value of --listen-addr
- If only part of the value is specified, the unspecified part uses the corresponding value from --listen-addr
- Works with --listen-addr, port forwarding is needed when ports differ
Default value: the value of --listen-addr
--attrsNode attribute list, separated by colons (:). Can be arbitrary strings to specify machine capabilities, such as specialized hardware or core counts.
Example: --attrs=x16c:gpu
--backgroundStart the node in the background. Similar to adding & at the end of the command line, but waits for the node to be ready before returning control.
Note: Suitable for short-term testing, not recommended for long-term running. For long-term running, use a service manager or daemon(8)
--brpc-addrbrpc communication address between timing engines. Format: <host>:<port> or :<port>.
- Port number must be specified
- IP can be omitted; if not specified, uses the IP from --advertise-addr or --listen-addr
Note: Both --advertise-addr and --brpc-addr are inter-node communication addresses, ensure network connectivity. Recommended to use the :<port> format
--buffer-pool-sizeAE executor buffer pool size. Default value: 4096
--cacheCache size shared across multiple storage devices. Supports the following formats:
- Decimal: --cache=.25
- Percentage: --cache=25%
- Bytes: --cache=1000000000
- GB: --cache=1GB (1000000000 bytes)
- GiB: --cache=1GiB (1073741824 bytes)
Default value: 128 MiB
Note: Recommended to use decimal format to avoid percentage escaping issues
--certs-dirSecure certificates directory path. Default value: ${HOME}/.kaiwudb-certs/
-h, --helpDisplay help information
--http-addrIP address or hostname for the Admin interface. IPv6 uses [...] notation.
Default value: same as --listen-addr, port 8080
--import-pathImport file path
--insecureStart in insecure mode. Secure mode is used if not specified
-j, --joinNode address to join the cluster. During initialization, 3-5 node addresses and ports need to be specified. Starts a single-node cluster if not specified
--listen-addrListening address for receiving connections from other nodes and clients. IPv6 uses [...] notation.
Default value: listen on all IPs, port 26257
--log-dirLog directory. Set to empty string to disable logging
--log-dir-max-sizeMaximum total size of log files; deletes oldest logs when exceeded. Default value: 100 MiB
--log-file-verbosityLog file recording level. Default value: INFO
--max-offsetMaximum allowed clock offset. Server crashes if exceeded. Must be consistent across all nodes. Default value: 500ms
--max-sql-memoryMaximum memory for SQL query temporary data. Supports the same formats as --cache. Data is stored in the --temp-dir directory
--restful-portRESTful port. Range: [0,65535]. Default value: 8080
--restful-timeoutRESTful API timeout. Default value: 60
--sql-audit-dirSQL audit log directory. Default is the same directory as other logs
-s, --storeData storage path. Can specify multiple: --store=/mnt/ssd01 --store=/mnt/ssd02
--thread-pool-sizeAE executor thread pool size. Default value: 10
--upgrade-completeMark node upgrade as complete

Examples

The following example starts a single-replica node.

./kwbase start-single-replica \
--insecure \
--store=/opt/node1 \
--advertise-addr=<node1_address>:26257 \
--brpc-addr=:27257 \
--listen-addr=<node1_address>:26257 \
--http-addr=<node1_address>:8080 \
--join=<node1_address>

kwbase start-single-node

Description

The kwbase start-single-node command is used to start a single-node cluster.

Command Syntax

./kwbase start-single-node [flags]

Parameters

Parameter Details
ParameterDescription
--attrsNode attribute list, separated by colons (:). Can be arbitrary strings to specify machine capabilities, such as specialized hardware or core counts.
Example: --attrs=x16c:gpu
--backgroundStart the node in the background. Similar to adding & at the end of the command line, but waits for the node to be ready before returning control.
Note: Suitable for short-term testing, not recommended for long-term running. For long-term running, use a service manager or daemon(8)
--buffer-pool-sizeAE executor buffer pool size.
Default value: 4096
--cacheCache size shared across multiple storage devices. Supports the following formats:
- Decimal: --cache=.25
- Percentage: --cache=25%
- Bytes: --cache=1000000000
- GB: --cache=1GB (1000000000 bytes)
- GiB: --cache=1GiB (1073741824 bytes)
Default value: 128 MiB
Note: Recommended to use decimal format to avoid percentage escaping issues
--certs-dirSecure certificates directory path.
Default value: ${HOME}/.kaiwudb-certs/
-h, --helpHelp information for the kwbase start-single-node command
--http-addrIP address or hostname for the Admin interface. IPv6 uses [...] notation.
Default value: same as --listen-addr, port 8080
--import-pathImport file path
--insecureStart in insecure mode. Secure mode is used if not specified
--listen-addrListening address for receiving connections from other nodes and clients. IPv6 uses [...] notation.
Default value: listen on all IPs, port 26257
--log-dirLog directory. Set to empty string to disable logging
--log-dir-max-sizeMaximum total size of log files; deletes oldest logs when exceeded.
Default value: 100 MiB
--log-file-verbosityLog file recording level.
Default value: INFO
--max-disk-temp-storageMaximum disk storage for SQL query temporary data. Supports the following formats:
- Decimal: --max-disk-temp-storage=.25
- Percentage: --max-disk-temp-storage=25%
- Bytes: --max-disk-temp-storage=10000000000
- GB: --max-disk-temp-storage=1GB
- GiB: --max-disk-temp-storage=1GiB
Temporary files are stored in the first --store directory.
Default value: 32GiB
Note: Recommended to use decimal format to avoid percentage escaping issues
--max-sql-memoryMaximum memory space for SQL query temporary data. Supports the following formats:
- Decimal: --max-sql-memory=.25
- Percentage: --max-sql-memory=25%
- Bytes: --max-sql-memory=10000000000
- GB: --max-sql-memory=1GB
- GiB: --max-sql-memory=1GiB
Temporary files are stored in the --temp-dir directory.
Note: Recommended to use decimal format to avoid percentage escaping issues
--restful-portRESTful port. Range: [0,65535].
Default value: 8080
--restful-timeoutRESTful API timeout.
Default value: 60
--sql-audit-dirSQL audit log directory. Default is the same directory as other logs
-s, --storeData storage path. Can specify multiple: --store=/mnt/ssd01 --store=/mnt/ssd02
--thread-pool-sizeAE executor thread pool size.
Default value: 10
--upgrade-completeMark node upgrade as complete

Examples

The following example starts a single-node KWDB cluster.

  • TLS secure mode

    The following example assumes certificates have been generated for the root user. For more details about generating certificates, see the Examples section of the kwbase cert command.

    ./kwbase start-single-node \
    --certs-dir=/root/certs \
    --listen-addr=0.0.0.0:26257 \
    --advertise-addr=127.0.0.1:26257 \
    --http-addr=0.0.0.0:8080 \
    --store=/kaiwudb/deploy/kaiwudb
  • Insecure mode

    ./kwbase start-single-node \
    --insecure \
    --listen-addr=0.0.0.0:26257 \
    --advertise-addr=127.0.0.1:26257 \
    --http-addr=0.0.0.0:8080 \
    --store=/kaiwudb/deploy/kaiwudb

kwbase init

Description

The kwbase init command is used to initialize a KWDB cluster.

Command Syntax

./kwbase init [flags]

Parameters

Parameter Details
ParameterDescription
--certs-dirThe path to the secure certificates directory, used to access and verify clusters deployed in secure mode.
Default value: ${HOME}/.kaiwudb-certs/
-h, --helpHelp information for the kwbase init command.
--hostThe KWDB node to connect to. Supports IP address/hostname, in the format <addr/host>[:<port>].
- Default port is 26257 if not specified
- IPv6 addresses use [...] notation, like [::1]:26257
Environment variable: KWBASE_HOST
--insecureStart the cluster in insecure mode. Secure mode is used if not specified.
--urlThe connection URL, in the format postgresql://[user[:passwd]@]host[:port]/[db][?parameters...]
Example: postgresql://myuser@localhost:26257/mydb
If not specified, uses connection parameters such as host, port, user, database, insecure, certs-dir.
Environment variable: KWBASE_URL

Examples

The following example assumes KWDB has been started. For more details, see the Examples section of the kwbase start command.

You can execute the kwbase init command on any node in the cluster.

./kwbase init \
--certs-dir=/root/certs \
--host=<address_of_any_node>

kwbase cert

Description

The kwbase cert command is used to generate Certificate Authority (CA), node, and client certificates.

Command Syntax

./kwbase cert <subcommand> [flags]
  • create-ca

    ./kwbase cert create-ca --certs-dir=<path-to-kaiwudb-certs-dir> --ca-key=<path-to-ca-key> [flags]
  • create-client-ca

    ./kwbase cert create-client-ca --certs-dir=<path-to-kaiwudb-certs-dir> --ca-key=<path-to-client-ca-key> [flags]
  • create-node

    ./kwbase cert create-node --certs-dir=<path-to-kaiwudb-certs-dir> --ca-key=<path-to-ca-key> <host1> <host2> ... <hostN> [flags]
  • create-client

    ./kwbase cert create-client --certs-dir=<path-to-kaiwudb-certs-dir> --ca-key=<path-to-ca-key> <username> [flags]
  • list

    ./kwbase cert list [flags]

Subcommands

SubcommandDescription
create-caGenerate CA certificate and key.
create-client-caGenerate client CA certificate and key.
create-nodeGenerate node certificate and key.
create-clientGenerate client certificate and key.
listView certificates in the --cert-dir directory.

Parameters

Parameter Details
ParameterDescriptionSupported Commands
--allow-ca-key-reuseUse an existing CA key.- kwbase cert create-ca
- kwbase cert create-client-ca
--ca-keyThe path to the CA key.
Environment variable: KWBASE_CA_KEY
- kwbase cert create-ca
- kwbase cert create-client-ca
- kwbase cert create-node
- kwbase cert create-client
--cert-principal-mapA comma-separated list of <cert-principal>:<db-principal> mappings that allows mapping principals in certificates to database principals, such as nodes, root, or any SQL user. This applies when the certificate management system has restrictions on the Subject.CommonName or SubjectAlternateName fields in certificates (for example, not allowing node or root as CommonName). If there are multiple mappings for the same certificate principal, the last specified mapping takes precedence. Principals not specified in the mapping are passed through as-is. If the database principal name is contained in the mapped CommonName or DNS-type SubjectAlternateName field, the certificate is allowed to authenticate for the database principal.- kwbase cert create-ca
- kwbase cert create-client-ca
- kwbase cert create-node
- kwbase cert create-client
- kwbase cert list
--certs-dirThe path to the secure certificates directory, used to access and verify clusters deployed in secure mode.
Default value: ${HOME}/.kaiwudb-certs/
- kwbase cert create-ca
- kwbase cert create-client-ca
- kwbase cert create-node
- kwbase cert create-client
- kwbase cert list
-h, --helpHelp information for the command.- kwbase cert
- kwbase cert create-ca
- kwbase cert create-client-ca
- kwbase cert create-node
- kwbase cert create-client
- kwbase cert list
--key-sizeThe size of the CA, node, and client certificate keys (in bits).
Default value: 2048 bits
- kwbase cert create-ca
- kwbase cert create-client-ca
- kwbase cert create-node
- kwbase cert create-client
--lifetimeThe lifetime of the certificate.
Default value: 43920h0m0s
- kwbase cert create-ca
- kwbase cert create-client-ca
- kwbase cert create-node
- kwbase cert create-client
--overwriteOverwrite existing certificate and key files.- kwbase cert create-ca
- kwbase cert create-client-ca
- kwbase<br/>- cert create-nodekwbase cert create-client

Examples

  1. Create the /opt/certs and /opt/my-safe-directory directories.

    mkdir /opt/certs
    mkdir /opt/my-safe-directory
    • /opt/certs: Used to store the generated CA certificate and all node and client certificate and key files, some of which will be transferred to node machines.
    • /opt/my-safe-directory: Used to store the generated CA key file, used when creating certificates and keys for nodes and users.
  2. Create the CA certificate and key.

    ./ kwbase cert create-ca \
    --certs-dir=/opt/certs \
    --ca-key=/opt/my-safe-directory/ca.key

    It is recommended to back up the generated CA certificate and key pair.

  3. Create the certificate and key for the first node in the cluster.

    ./kwbase cert create-node <IP_address_of_node1> [<node1_hostname>]   [<other_common_names_for_ node1>] localhost 127.0.0.1 [<load_balancer_IP_address>]   [<load_balancer hostname>] [<other_common_names_for_load_balancer>] \
    --certs-dir=/opt/certs \
    --ca-key=/opt/my-safe-directory/ca.key

    ::: warning Note

    The node IP address is the internal or external IP address used for generating certificates. Example:

    ./kwbase cert create-node 117.73.10.12 localhost   127.0.0.1 \
    --certs-dir=/opt/certs \
    --ca-key=/opt/my-safe-directory/ca.key

    :::

  4. Transfer the CA certificate, node certificate, and key to the first node.

    ssh <username>@<node1_address>   "mkdir /root/certs"
    scp /opt/certs/ca.crt /opt/certs/node.crt /opt/certs/node.key <username>@<node1_address>:/root/certs
  5. Delete the local node certificate and key.

    rm /opt/certs/node.crt /opt/certs/node.key
  6. Repeat steps 3-5 to create certificates and keys for other nodes in the cluster.

  7. Create the client certificate and key for the root user.

    ./kwbase cert create-client root   \
    --certs-dir=/opt/certs \
    --ca-key=/opt/my-safe-directory/ca.key
  8. Transfer the certificate and key to the machine where KWDB commands are executed, which can be a node inside or outside the cluster. Machines with certificates can execute KWDB commands using the root account and access the cluster through that node.

    ssh <username>@<workload address>   "mkdir /root/certs"
    scp /opt/certs/ca.crt /opt/certs/client.root.crt /opt/certs/client.root.key <username>@<workload address>:/root/certs

    ::: warning Note

    If you need to run KWDB client commands on other machines in the future, you need to copy the root user's certificate and key to that node. Only nodes that have the root user's certificate and key can access the cluster. :::

kwbase sql

Description

The kwbase sql command is used to open an interactive SQL Shell.

Command Syntax

./kwbase sql [flags]

Parameters

Parameter Details
ParameterDescription
--cert-principal-mapA comma-separated list of <cert-principal>:<db-principal> mappings. Used to map certificate principals to database principals (such as nodes, root, or other SQL users). Applies when the certificate system has restrictions on Subject.CommonName or SubjectAlternateName fields. When multiple mappings exist, the last one takes precedence. Unmapped principals are passed through as-is. The database principal name must be contained in the mapped CommonName or DNS-type SubjectAlternateName field.
--certs-dirThe path to the secure certificates directory, used to access and verify clusters deployed in secure mode.
Default value: ${HOME}/.kaiwudb-certs/
-d, --databaseThe name of the database to connect to.
Environment variable: KWBASE_DATABASE
--debug-sql-cliSimplify SQL CLI for debugging. Echo SQL statements, remove database name and transaction status from prompts, making behavior independent of transaction state.
--echo-sqlDisplay SQL statements implicitly sent by the command line tool.
-e, --executeExecute SQL statements and exit. Can be used multiple times, supporting multiple statements separated by semicolons. Exits with a non-zero status code on error. Results are output to standard output.
--formatSet the table display format:
- tsv
- csv
- table
- records
- sql
- raw
- html
Non-interactive defaults to tsv, interactive defaults to table.
Default value: table
-h, --helpDisplay help information for the kwbase sql command.
--insecureStart the cluster in insecure mode. Secure mode is used by default.
--safe-updatesDisable SQL statements that may have unexpected side effects (such as DELETE/UPDATE without WHERE clause). Enabled by default (true). Can be disabled with SET sql_safe_updates = FALSE.
--setSet client configuration parameters before starting the SQL Shell.
--urlThe connection URL, in the format: postgresql://[user[:passwd]@]host[:port]/[db][?parameters...]
Example: postgresql://myuser@localhost:26257/mydb
If not specified, uses other connection parameters.
Environment variable: KWBASE_URL
-u, --userThe KWDB database username.
Environment variable: KWBASE_USER
--watchRepeatedly execute the SQL statements specified by --execute at the specified interval. Stops monitoring when execution fails.

Examples

  • TLS secure mode

    The following example assumes certificates have been generated for the root user. For more details about generating certificates, see the Examples section of the kwbase cert command.

    ./kwbase sql --certs-dir=certs --host=<address_of_any node>
  • Insecure mode

    ./kwbase sql --insecure --host=<address_of_any_node>

kwbase auth-session

Description

The kwbase auth-session command is used to create and manage sessions and authentication tokens for HTTP interfaces.

Required Permissions

The user is a member of the admin role. By default, the root user belongs to the admin role.

Command Syntax

./kwbase auth-session <subcommand> [flags]
  • login

    ./kwbase auth-session login <session-username> [flags]
  • logout

    ./kwbase auth-session logout <session-username> [flags]
  • list

    ./kwbase auth-session list [flags]

Subcommands

SubcommandDescription
loginCreate an HTTP session and token for the specified user.
logoutRevoke all HTTP session tokens previously created for the specified user.
listView currently active HTTP sessions.

Parameters

Parameter Details
ParameterDescriptionSupported Commands
--cert-principal-mapA comma-separated list of <cert-principal>:<db-principal> mappings. Used to map certificate principals to database principals (such as nodes, root, or other SQL users). Applies when the certificate system has restrictions on Subject.CommonName or SubjectAlternateName fields. When multiple mappings exist, later ones take precedence. Unmapped principals are passed through as-is.- kwbase auth-session login
- kwbase auth-session logout
- kwbase auth-session list
--certs-dirThe path to the secure certificates directory, used to access and verify clusters deployed in secure mode.
Default value: ${HOME}/.kaiwudb-certs/
- kwbase auth-session login
- kwbase auth-session logout
- kwbase auth-session list
--echo-sqlDisplay SQL statements implicitly sent by the command line tool.- kwbase auth-session login
- kwbase auth-session logout
- kwbase auth-session list
--expire-afterThe validity period of the HTTP authentication token. Specify using a number followed by h (hours), m (minutes), or s (seconds).
Default value: 1h0m0s
kwbase auth-session login
--formatTable display format for results:
- tsv
- csv
- table
- records
- sql
- raw
- html
Default: tsv for non-interactive, table for interactive
- kwbase auth-session login
- kwbase auth-session logout
- kwbase auth-session list
-h, --helpDisplay help information for the command.- kwbase auth-session
- kwbase auth-session login
- kwbase auth-session logout
- kwbase auth-session list
--insecureStart the cluster in insecure mode. Secure mode is used if not specified.- kwbase auth-session login
- kwbase auth-session logout
- kwbase auth-session list
--only-cookieOnly display the newly created HTTP authentication token (cookie), for output to other commands.kwbase auth-session login
--urlThe connection URL, in the format: postgresql://[user[:passwd]@]host[:port]/[db][?parameters...]
Example: postgresql://myuser@localhost:26257/mydb
If not specified, uses other connection parameters.
Environment variable: KWBASE_URL
- kwbase auth-session login
- kwbase auth-session logout
- kwbase auth-session list
-u, --userThe KWDB database username.
Environment variable: KWBASE_USER
- kwbase auth-session login
- kwbase auth-session logout
- kwbase auth-session list

Return Fields Description

auth-session login

FieldDescription
usernameThe username of the authenticated user.
session IDThe HTTP interface session ID created for the specified user.
authentication cookieThe authentication token used for users to authenticate when accessing the HTTP interface through CLI tools or other tools.

auth-session logout

FieldDescription
usernameThe username of the user whose session was revoked
session IDThe HTTP interface session ID created for the specified user
revokedThe date and time when the authentication session was revoked for the specified user

auth-session list

FieldDescription
usernameThe username of the authenticated user
session IDThe HTTP interface session ID created for the specified user
createdThe date and time when the authentication session was created
expiredThe date and time when the authentication session expires
revokedThe date and time when the authentication session was revoked for the specified user. If the authentication session is still active, displays NULL
last usedThe date and time when the session token was last used to access the HTTP interface

kwbase node

Description

The kwbase node command is used to view, inspect, drain, or remove each node in a KWDB cluster.

Command Syntax

./kwbase node <subcommand> [flags]
  • ls

    ./kwbase node ls [flags]
  • status

    ./kwbase node status [<node_id>] [flags]
  • decommission

    ./kwbase node decommission <node_id 1> [<node_id 2> ...] [flags]
  • recommission

    ./kwbase node recommission <node_id 1> [<node_id 2> ...] [flags]
  • drain

    ./kwbase node drain [flags]
  • upgrade

    ./kwbase node upgrade <node_id 1> [<node_id 2> ...] [flags]

Subcommands

SubcommandDescription
lsList all node IDs in the cluster.
statusView the status of a single or all nodes in the cluster.
decommissionDecommission cluster nodes.
recommissionRecommission decommissioned cluster nodes.
drainDrain nodes.
upgradeUpgrade nodes.

Parameters

Parameter Details
ParameterDescriptionSupported Commands
--allView detailed information for all nodes. If node ID is not specified, view all decommissioned nodes in the cluster.kwbase node status
--cert-principal-mapA comma-separated list of <cert-principal>:<db-principal> mappings that allows mapping principals in certificates to database principals, such as nodes, root, or any SQL user. This applies when the certificate management system has restrictions on the Subject.CommonName or SubjectAlternateName fields in certificates (for example, not allowing node or root as CommonName). If there are multiple mappings for the same certificate principal, the last specified mapping takes precedence. Principals not specified in the mapping are passed through as-is. If the database principal name is contained in the mapped CommonName or DNS-type SubjectAlternateName field, the certificate is allowed to authenticate for the database principal.kwbase node ls
kwbase node status
kwbase node decommission
kwbase node recommission
kwbase node drain
kwbase node upgrade
--certs-dirThe path to the secure certificates directory, used to access and verify clusters deployed in secure mode.
Default value: ${HOME}/.kaiwudb-certs/
kwbase node ls
kwbase node status
kwbase node decommission
kwbase node recommission
kwbase node drain
kwbase node upgrade
--cluster-nameSet a name for the remote node or cluster to verify its identity. This value must match this node and the remote nodes specified via the --join parameter. This name can be used as an additional verification means when the node or cluster or both are not yet initialized and their cluster ID is unknown. To add a cluster name to an already initialized cluster, use this parameter together with --disable-cluster-name-verification.kwbase node ls
kwbase node status
kwbase node decommission
kwbase node recommission
kwbase node drain
kwbase node upgrade
--decommissionView detailed information about node decommissioning. If node ID is not specified, view all decommissioned nodes in the cluster.kwbase node status
--disable-cluster-name-verificationConfigure the server to ignore cluster name mismatches. Applicable when starting an existing cluster or after changing the cluster name. Restart the cluster with --cluster-name and --disable-cluster-name-verification parameters. Once all nodes have been updated to know the new cluster name, you can remove this parameter and restart the cluster again.kwbase node ls
kwbase node status
kwbase node decommission
kwbase node recommission
kwbase node drain
kwbase node upgrade
--drain-waitThe time the system waits for the node to drain all active client connections and migrate data shard leases.
Default value: 10m0s
kwbase node drain
--formatChoose how to display table rows in results. Supports the following values:
- tsv
- csv
- table
- records
- sql
- raw
- html
If not specified, defaults to tsv for non-interactive sessions and table for interactive sessions.
Default value: table
kwbase node ls
kwbase node status
kwbase node decommission
kwbase node recommission
kwbase node drain
kwbase node upgrade
-h, --helpHelp information for the command.kwbase node
kwbase node ls
kwbase node status
kwbase node decommission
kwbase node recommission
kwbase node drain
kwbase node upgrade
--hostThe KWDB node to connect to. Supports IP address/hostname, in the format <addr/host>[:<port>]. If port is not specified, defaults to 26257. For IPv6 addresses, use [...] notation, for example: [::1]:26257 or [fe80::f6f2::1]:26257.
Environment variable: KWBASE_HOST
kwbase node ls
kwbase node status
kwbase node decommission
kwbase node recommission
kwbase node drain
kwbase node upgrade
--insecureStart the cluster in insecure mode. If not specified, the cluster starts in secure mode.kwbase node ls
kwbase node status
kwbase node decommission
kwbase node recommission
kwbase node drain
kwbase node upgrade
--rangesView detailed information about node data shards and replicas.kwbase node status
--statsView detailed information about node disk usage.kwbase node status
--timeoutSet the timeout for the subcommand to run. If the operation is not completed within the specified time,
--urlThe connection URL, in the format postgresql://[user[:passwd]@]host[:port]/[db][?parameters...], for example "postgresql://myuser@localhost:26257/mydb". If not specified, uses connection parameters such as host, port, user, database, insecure, certs-dir.
Environment variable: KWBASE_URL
- kwbase node ls
- kwbase node decommission
- kwbase node recommission
- kwbase node drain
- kwbase node upgrade
--waitSpecify when to return after marking the target node as decommissioned. This parameter supports the following values:
- all: Wait until the replica count on all target nodes drops to zero.
- none: Mark the target node as decommissioned without waiting for the entire process to complete. Use this value when manually polling from an external system.
Default value: all
- kwbase node decommission
- kwbase node upgrade

kwbase gen

Description

The kwbase gen command is used to generate CLI tool information, SQL Shell configuration examples, database examples, and other information.

Command Syntax

./kwbase gen <subcommand> [flags]
  • haproxy

    ./kwbase gen haproxy [flags]
  • encryption-key

    ./kwbase gen encryption-key [flags]

Subcommands

SubcommandDescription
haproxyGenerate an haproxy.cfg file for the connected cluster.
encryption-keyGenerate a storage key for static encryption.

Parameters

Parameter Details
ParameterDescriptionSupported Commands
--cert-principal-mapA comma-separated list of <cert-principal>:<db-principal> mappings used to map certificate principals to database principals (such as nodes, root, or SQL users). Applies when the certificate system has restrictions on Subject.CommonName or SubjectAlternateName fields. When multiple mappings exist, the last one takes precedence. Unmapped principals are passed through as-is.kwbase gen haproxy
--certs-dirSecure certificates directory path.
Default value: ${HOME}/.kaiwudb-certs/
kwbase gen haproxy
--cluster-nameSet the remote node/cluster name for identity verification. Must match this node and the remote nodes specified by --join. Used for additional verification of uninitialized nodes. Use with --disable-cluster-name-verification when joining an already initialized cluster.kwbase gen haproxy
--disable-cluster-name-verificationIgnore cluster name mismatches. Used when starting an existing cluster or after changing the cluster name. Use with --cluster-name to restart the cluster. Can be removed and restart after all nodes are updated with the new cluster name.kwbase gen haproxy
-h, --helpDisplay help information.- kwbase gen
- kwbase gen haproxy
- kwbase gen encryption-key
--hostThe address of the node to connect to. Format: <addr/host>[:<port>].
- Default port: 26257
- IPv6 format: [::1]:26257
Environment variable: KWBASE_HOST
kwbase gen haproxy
--insecureStart in insecure mode. Secure mode is used by default.kwbase gen haproxy
--outHAProxy configuration file path.
Default value: haproxy.cfg
kwbase gen haproxy
--overwriteOverwrite existing keys.kwbase gen encryption-key
-s, --sizeAES static encryption key size:
- 128
- 192
- 256
Default value: 128
kwbase gen encryption-key
--urlThe connection URL. Format: postgresql://[user[:passwd]@]host[:port]/[db][?parameters...]
Example: postgresql://myuser@localhost:26257/mydb
If not specified, uses individual connection parameters.
Environment variable: KWBASE_URL
kwbase gen haproxy

kwbase version

Description

The kwbase version command is used to view version information for KWDB.

Command Syntax

./kwbase version [flags]

Parameters

ParameterDescription
-h, --helpHelp information for the kwbase version command.

Examples

The following example views KWDB version information.

./kwbase version
KWDB Version: 2.1.1
Build Time: 2024/12/02 06:42:24
Distribution:
Platform: linux amd64 (x86_64-linux-gnu)
Go Version: go1.16.15
C Compiler: gcc 11.4.0
Build SHA-1: 83c35a67ab352611ce97300307ebe7d704d24888

kwbase help

Description

The kwbase help command is used to view help information for the kwbase CLI tool.

Command Syntax

./kwbase help

Parameters

None

Examples

./kwbase help
KwDB command-line interface and server.

Usage:
kwbase [command]

Available Commands:
start start a node in a multi-node cluster
start-single-replica start a single-replica node in a multi-node cluster
start-single-node start a single-node cluster
init initialize a cluster
cert create ca, node, and client certs
sql open a sql shell
statement-diag commands for managing statement diagnostics bundles
auth-session log in and out of HTTP sessions
node list, inspect, drain or remove nodes
nodelocal upload and delete nodelocal files
demo open a demo sql shell (not suitable for time-series scenario)
gen generate auxiliary files
version output version information
debug debugging commands
sqlfmt format SQL statements
workload generators for data and query loads
systembench Run systembench
help Help about any command

Flags:
-h, --help help for kwbase
--logtostderr Severity[=DEFAULT] logs at or above this threshold go to stderr (default NONE)
--no-color disable standard error log colorization
--vmodule moduleSpec comma-separated list of pattern=N settings for file-filtered logging (significantly hurts performance)

Use "kwbase [command] --help" for more information about a command.