A command-line interface for interacting with Riak clusters using the official OpenRiak Riak Java client library.
- TLS Support: Secure connections with robust TLS implementation
- Authentication: Username/password and client certificate authentication
- Full CRUD Operations: Get, Put, Delete operations
- Bucket Management: List buckets and keys
- Interactive Mode: Command-line interface for interactive use
- Certificate Authentication: Full support for mutual TLS with client certificates
- TLS-Only Mode: STARTTLS with optional CA trust and no auth credentials
- HEAD Metadata Output: Prints object metadata and user metadata for
headrequests
- Java 21 or higher
- Git (used to clone and build the OpenRiak client from source, default configuration)
This CLI supports multiple Riak client implementations. You can configure which client to use by editing gradle.properties:
- OpenRiak Client (default) - The OpenRiak Java client, cloned and built from source
- Custom Client - Use your own JAR file
Edit gradle.properties to set the client type:
# Use the OpenRiak client, built from source (default)
riak.client.type=openriak
riak.client.openriak.repository=https://github.com/OpenRiak/riak-java-client.git
riak.client.openriak.ref=main
riak.client.openriak.path=../riak-java-client
# Use custom JAR file
riak.client.type=custom
riak.client.custom.jar.path=/path/to/your/riak-client.jar
riak.client.custom.dependencies=com.example:extra-dep:1.0.0Use these Gradle tasks to quickly switch between clients:
# Switch to the OpenRiak client (built from source)
./gradlew useOpenRiakClient
# Show current configuration
./gradlew showClientConfigAfter switching clients, restart your Gradle daemon:
./gradlew --stop
./gradlew build- Source: Git repository
https://github.com/OpenRiak/riak-java-client.git - Build: Cloned into
riak.client.openriak.path(default../riak-java-client) and built from source automatically - Use Case: Default; tracks the OpenRiak client. If the path already contains a checkout, it is reused instead of cloned.
- Source: Local JAR file path
- Build: Use existing JAR file
- Use Case: Testing custom builds or alternative implementations
The project uses Gradle for building and dependency management:
# Build the project
./gradlew build
# Or use make
make buildThe build process will:
- Download the configured Riak client dependency
- Compile the Java source code
- Create a fat JAR with all dependencies included
To create a self-contained JAR file that can be run on any machine:
# Create fat JAR
./gradlew shadowJar
# Or use make
make jarThis creates build/libs/riak-cli-fat.jar which includes all dependencies and can be run with:
java -jar build/libs/riak-cli-fat.jar --helpBuild from source and run via the wrapper script:
./gradlew shadowJar
./interactive-riak-cli.sh --helpThe wrapper uses build/libs/riak-cli-fat.jar by default.
# Connect to local Riak cluster
./interactive-riak-cli.sh
# Connect to remote cluster with TLS
./interactive-riak-cli.sh -h riak.example.com -p port --tls --username user --password pass
# Connect with client certificate authentication
./interactive-riak-cli.sh -h riak.example.com -p port --tls --client-cert /path/to/client-cert.pem --ca-cert /path/to/ca-cert.pem -u username| Option | Description | Default |
|---|---|---|
-h, --host HOST |
Riak host | localhost |
-p, --port PORT |
Riak port | 8087 |
-u, --username USERNAME |
Username for authentication | none |
-w, --password PASSWORD |
Password for authentication | none |
--tls |
Use TLS connection | false |
--client-cert PATH |
Path to client certificate file (PEM with cert and private key) | none |
--ca-cert PATH |
Path to CA certificate file (PEM) | none |
--mcp |
Run as MCP stdio server (no interactive prompt) | false |
--mcp-stats-port PORT |
MCP mode only: HTTP(S) stats port | 8098 |
--mcp-stats-insecure |
MCP mode only: disable HTTPS cert/hostname verification for stats | false |
--mcp-riak-bin PATH |
MCP mode only: explicit riak executable path |
PATH lookup |
--help |
Show help message | - |
Run the CLI as a local MCP server:
./interactive-riak-cli.sh --host riak.example.com --port 10017 --tls --mcpIn --mcp mode:
- The process connects to Riak and serves MCP tools over stdio
- No interactive
riak>prompt is started - Tool surface does not mutate Riak key/value data, but includes operational and security-sensitive read commands
- Always available tools:
riak_ping,riak_get,riak_head,riak_list_buckets,riak_list_keysriak_http_stats(callshttp(s)://<host>:<mcp-stats-port>/stats)
- Local-only tools (registered only when host is local and
riak pingsucceeds):riak_cli_pingriak_admin_cluster_statusriak_admin_security_statusriak_admin_security_print_usersriak_admin_security_print_sourcesriak_admin_ring_statusriak_admin_member_status
For client-specific setup, see MCP_SETUP.md and the templates in:
mcp-config/claude/mcp-config/cursor/mcp-config/copilot/
Once in interactive mode, you can use these commands:
ping- Test connection to Riak cluster (uses GET request for better permission compatibility)get <bucket> <key>- Retrieve a value from Riakhead <bucket> <key>- Retrieve head only (metadata)put <bucket> <key> <value>- Store a value in Riakdelete <bucket> <key>- Delete a key from Riaklist-buckets- List all buckets in the cluster (requires list_buckets permission)list-keys <bucket>- List all keys in a bucket (requires list_keys permission)help- Show available commandsquitorexit- Exit the CLI
# Connect and perform operations
./interactive-riak-cli.sh -p 10017 --tls --username myname --password 123456
riak> put test-bucket test-key "Hello World"
Value stored successfully
riak> get test-bucket test-key
Value: Hello World
riak> delete test-bucket test-key
Key deleted successfully
riak> quit# Connect with TLS and username/password authentication
./interactive-riak-cli.sh -h riak.example.com -p 10017 --tls --username user --password passConnect to a Riak cluster using TLS encryption. The CLI enables STARTTLS and does not send auth credentials unless auth credentials are provided.
# TLS-only with custom CA certificate (no username/password)
./interactive-riak-cli.sh -h riak.example.com -p 10017 --tls --ca-cert /path/to/ca.pem
# TLS-only using the JVM default trust store
./interactive-riak-cli.sh -h riak.example.com -p 10017 --tlshead <bucket> <key> prints metadata-oriented output:
- sibling count
- content type
- vclock (when present)
- charset (when present)
- user metadata entries
# If you have separate .crt and .key files in RSA format:
# Step 1: Convert RSA private key to PKCS#8
openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in client.key -out client.key.pkcs8
# Step 2: Combine certificate and converted key
cat client.crt client.key.pkcs8 > client-combined.pem
# Step 3: Connect with certificate authentication
./interactive-riak-cli.sh -p 10017 --tls \
--client-cert client-combined.pem \
--ca-cert ca.crt \
-u usernameIf you have separate certificate and key files, or RSA format keys, use these commands:
# Convert RSA private key to PKCS#8 format
openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in private_key.pem -out private_key.pkcs8.pem# Combine certificate and PKCS#8 private key into single PEM file
cat certificate.crt private_key.pkcs8.pem > combined.pem# Step 1: Convert RSA private key to PKCS#8
openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in client.key -out client.key.pkcs8
# Step 2: Combine certificate and converted private key
cat client.crt client.key.pkcs8 > client-combined.pem
# Step 3: Use the combined file for authentication
./interactive-riak-cli.sh -p 10017 --tls \
--client-cert client-combined.pem \
--ca-cert ca.crt \
-u username