emqx/changes/ce/feat-12872.en.md

Customizable client attributes in clientinfo.

Introduced a new field client_attrs in the clientinfo object. This enhancement enables the initialization of client_attrs with specific attributes derived from the clientinfo fields, immediately up on accepting an MQTT connection.

Initialization of client_attrs

• The client_attrs fields can be initially populated from one of the following clientinfo fields:
  • cn: The common name from the TLS client's certificate.
  • dn: The distinguished name from the TLS client's certificate, that is, the certificate "Subject".
  • clientid: The MQTT client ID provided by the client.
  • username: The username provided by the client.
  • user_property: Extract a property value from 'User-Property' of the MQTT CONNECT packet.

Extension through Authentication Responses

• Additional attributes may be merged into client_attrs from authentication responses. Supported authentication backends include:
  • HTTP: Attributes can be included in the JSON object of the HTTP response body through a client_attrs field.
  • JWT: Attributes can be included via a client_attrs claim within the JWT.

Usage in Authentication and Authorization

• If client_attrs is initialized before authentication, it can be used in external authentication requests. For instance, ${client_attrs.property1} can be used within request templates directed at an HTTP server for the purpose of authenticity validation.

• The client_attrs can be utilized in authorization configurations or request templates, enhancing flexibility and control. Examples include:

  • In acl.conf, use {allow, all, all, ["${client_attrs.namespace}/#"]} to apply permissions based on the namespace attribute.
  • In other authorization backends, ${client_attrs.namespace} can be used within request templates to dynamically include client attributes.