03a135c592
Improve authn/authz error log when query failed. |
||
|---|---|---|
| .. | ||
| etc | ||
| include | ||
| src | ||
| test | ||
| .gitignore | ||
| README.md | ||
| rebar.config | ||
README.md
emqx_authz
Configure
File: etc/pulgins/authz.conf
authz:{
rules: [
{
type: mysql
config: {
server: "127.0.0.1:3306"
database: mqtt
pool_size: 1
username: root
password: public
auto_reconnect: true
ssl: {
enable: true
cacertfile: "etc/certs/cacert.pem"
certfile: "etc/certs/client-cert.pem"
keyfile: "etc/certs/client-key.pem"
}
}
sql: "select ipaddress, username, clientid, action, permission, topic from mqtt_authz where ipaddr = ${peerhost} or username = ${username} or clientid = ${clientid}"
},
{
type: postgresql
config: {
server: "127.0.0.1:5432"
database: mqtt
pool_size: 1
username: root
password: public
auto_reconnect: true
ssl: {enable: false}
}
sql: "select ipaddress, username, clientid, action, permission, topic from mqtt_authz where ipaddr = ${peerhost} or username = ${username} or username = '$all' or clientid = ${clientid}"
},
{
type: redis
config: {
servers: "127.0.0.1:6379"
database: 0
pool_size: 1
password: public
auto_reconnect: true
ssl: {enable: false}
}
cmd: "HGETALL mqtt_authz:${username}"
},
{
principal: {username: "^admin?"}
permission: allow
action: subscribe
topics: ["$SYS/#"]
},
{
permission: deny
action: subscribe
topics: ["$SYS/#"]
},
{
permission: allow
action: all
topics: ["#"]
}
]
}
Database Management
Mysql
Create Example Table
CREATE TABLE `mqtt_authz` (
`id` int(11) unsigned NOT NULL AUTO_INCREMENT,
`ipaddress` VARCHAR(60) NOT NULL DEFAULT '',
`username` VARCHAR(100) NOT NULL DEFAULT '',
`clientid` VARCHAR(100) NOT NULL DEFAULT '',
`action` ENUM('publish', 'subscribe', 'all') NOT NULL,
`permission` ENUM('allow', 'deny') NOT NULL,
`topic` VARCHAR(100) NOT NULL DEFAULT '',
PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4;
Sample data in the default configuration:
-- Only 127.0.0.1 users can subscribe to system topics
INSERT INTO mqtt_authz (ipaddress, username, clientid, action, permission, topic) VALUES ('127.0.0.1', '', '', 'subscribe', 'allow', '$SYS/#');
PostgreSQL
Create Example Table
CREATE TYPE ACTION AS ENUM('publish','subscribe','all');
CREATE TYPE PERMISSION AS ENUM('allow','deny');
CREATE TABLE mqtt_authz (
id SERIAL PRIMARY KEY,
ipaddress CHARACTER VARYING(60) NOT NULL DEFAULT '',
username CHARACTER VARYING(100) NOT NULL DEFAULT '',
clientid CHARACTER VARYING(100) NOT NULL DEFAULT '',
action ACTION,
permission PERMISSION,
topic CHARACTER VARYING(100) NOT NULL
);
Sample data in the default configuration:
-- Only 127.0.0.1 users can subscribe to system topics
INSERT INTO mqtt_authz (ipaddress, username, clientid, action, permission, topic) VALUES ('127.0.0.1', '', '', 'subscribe', 'allow', '$SYS/#');
Redis
Sample data in the default configuration:
HSET mqtt_authz:emqx '$SYS/#' subscribe
A rule of Redis AuthZ defines publish, subscribe, or all information. All lists in the rule are allow lists.
Mongo
Create Example BSON documents
db.inventory.insertOne(
{username: "emqx",
clientid: "emqx",
ipaddress: "127.0.0.1",
permission: "allow",
action: "all",
topics: ["#"]
})