emqx/apps/emqx_authz
Zaiming (Stone) Shi d5f5f35787 Merge remote-tracking branch 'origin/release-50' into 0502-merge-release-50-back-to-master 2023-05-02 18:08:04 +02:00
..
etc refactor: delete default authz config from emqx.conf 2023-04-29 22:10:19 +02:00
include chore: update copyright year 2023 2023-01-02 09:22:27 +01:00
src Merge remote-tracking branch 'origin/release-50' into 0502-merge-release-50-back-to-master 2023-05-02 18:08:04 +02:00
test fix(auth): fix uri path handling 2023-04-17 23:57:56 +03:00
.gitignore feat: add authz (#4852) 2021-06-23 10:55:38 +08:00
README.md refactor: remove the auto_reconnect field 2023-01-11 21:47:06 +08:00
docker-ct ci: only start required docker for integration tests 2022-09-06 19:25:53 +02:00
rebar.config refactor: move emqx_json to emqx_utils_json 2023-04-14 13:31:27 +02:00

README.md

emqx_authz

Configure

File: etc/plugins/authz.conf

authz:{
    rules: [
       {
           type: mysql
           config: {
              server: "127.0.0.1:3306"
              database: mqtt
              pool_size: 1
              username: root
              password: public
              ssl: {
                enable: true
                cacertfile:  "etc/certs/cacert.pem"
                certfile: "etc/certs/client-cert.pem"
                keyfile: "etc/certs/client-key.pem"
              }
           }
           sql: "select ipaddress, username, clientid, action, permission, topic from mqtt_authz where ipaddr = ${peerhost} or username = ${username} or clientid = ${clientid}"
       },
       {
           type: postgresql
           config: {
              server: "127.0.0.1:5432"
              database: mqtt
              pool_size: 1
              username: root
              password: public
              ssl: {enable: false}
           }
           sql: "select ipaddress, username, clientid, action, permission, topic from mqtt_authz where ipaddr = ${peerhost} or username = ${username} or username = '$all' or clientid = ${clientid}"
       },
       {
           type: redis
           config: {
              servers: "127.0.0.1:6379"
              database: 0
              pool_size: 1
              password: public
              ssl: {enable: false}
           }
           cmd: "HGETALL mqtt_authz:${username}"
       },
       {
           principal: {username: "^admin?"}
           permission: allow
           action: subscribe
           topics: ["$SYS/#"]
       },
       {
           permission: deny
           action: subscribe
           topics: ["$SYS/#"]
       },
       {
           permission: allow
           action: all
           topics: ["#"]
       }
    ]
}

Database Management

MySQL

Create Example Table

CREATE TABLE `mqtt_authz` (
  `id` int(11) unsigned NOT NULL AUTO_INCREMENT,
  `ipaddress` VARCHAR(60) NOT NULL DEFAULT '',
  `username` VARCHAR(100) NOT NULL DEFAULT '',
  `clientid` VARCHAR(100) NOT NULL DEFAULT '',
  `action` ENUM('publish', 'subscribe', 'all') NOT NULL,
  `permission` ENUM('allow', 'deny') NOT NULL,
  `topic` VARCHAR(100) NOT NULL DEFAULT '',
  PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;

Sample data in the default configuration:

-- Only 127.0.0.1 users can subscribe to system topics
INSERT INTO mqtt_authz (ipaddress, username, clientid, action, permission, topic) VALUES ('127.0.0.1', '', '', 'subscribe', 'allow', '$SYS/#');

PostgreSQL

Create Example Table

CREATE TYPE ACTION AS ENUM('publish','subscribe','all');
CREATE TYPE PERMISSION AS ENUM('allow','deny');

CREATE TABLE mqtt_authz (
  id SERIAL PRIMARY KEY,
  ipaddress CHARACTER VARYING(60) NOT NULL DEFAULT '',
  username CHARACTER VARYING(100) NOT NULL DEFAULT '',
  clientid CHARACTER VARYING(100) NOT NULL DEFAULT '',
  action ACTION,
  permission PERMISSION,
  topic CHARACTER VARYING(100) NOT NULL
);

Sample data in the default configuration:

-- Only 127.0.0.1 users can subscribe to system topics
INSERT INTO mqtt_authz (ipaddress, username, clientid, action, permission, topic) VALUES ('127.0.0.1', '', '', 'subscribe', 'allow', '$SYS/#');

Redis

Sample data in the default configuration:

HSET mqtt_authz:emqx '$SYS/#' subscribe

A rule of Redis AuthZ defines publish, subscribe, or all information. All lists in the rule are allow lists.

MongoDB

Create Example BSON documents

db.inventory.insertOne(
    {username: "emqx",
     clientid: "emqx",
     ipaddress: "127.0.0.1",
     permission: "allow",
     action: "all",
     topics: ["#"]
    })