396 lines
8.5 KiB
Plaintext
396 lines
8.5 KiB
Plaintext
emqx_authz_schema {
|
|
sources {
|
|
desc {
|
|
en: """
|
|
Authorization data sources.</br>
|
|
An array of authorization (ACL) data providers.
|
|
It is designed as an array, not a hash-map, so the sources can be
|
|
ordered to form a chain of access controls.</br>
|
|
|
|
When authorizing a 'publish' or 'subscribe' action, the configured
|
|
sources are checked in order. When checking an ACL source,
|
|
in case the client (identified by username or client ID) is not found,
|
|
it moves on to the next source. And it stops immediately
|
|
once an 'allow' or 'deny' decision is returned.</br>
|
|
|
|
If the client is not found in any of the sources,
|
|
the default action configured in 'authorization.no_match' is applied.</br>
|
|
|
|
NOTE:
|
|
The source elements are identified by their 'type'.
|
|
It is NOT allowed to configure two or more sources of the same type.
|
|
"""
|
|
zh: """
|
|
鉴权数据源.</br>
|
|
鉴权(ACL)数据源的列表.
|
|
它被设计为一个数组,而不是一个散列映射,
|
|
所以可以作为链式访问控制.</br>
|
|
|
|
当授权一个 'publish' 或 'subscribe' 行为时,
|
|
该配置列表中的所有数据源将按顺序进行检查。
|
|
如果在某个客户端未找到时(使用 ClientID 或 Username),
|
|
将会移动到下一个数据源. 直至得到 'allow' 或 'deny' 的结果.</br>
|
|
|
|
如果在任何数据源中都未找到对应的客户端信息,
|
|
配置的默认行为 ('authorization.no_match') 将生效.</br>
|
|
|
|
注意:
|
|
数据源使用 'type' 进行标识.
|
|
使用同一类型的数据源多于一次不被允许.
|
|
"""
|
|
}
|
|
label {
|
|
en: """sources"""
|
|
zh: """数据源"""
|
|
}
|
|
}
|
|
|
|
authorization {
|
|
desc {
|
|
en: """Configuration related to the client authorization."""
|
|
zh: """客户端授权相关配置"""
|
|
}
|
|
label {
|
|
en: """authorization"""
|
|
zh: """授权"""
|
|
}
|
|
}
|
|
|
|
enable {
|
|
desc {
|
|
en: """Set to <code>true</code> or <code>false</code> to disable this ACL provider"""
|
|
zh: """设为 <code>true</code> 或 <code>false</code> 以启用或禁用此访问控制数据源"""
|
|
}
|
|
label {
|
|
en: """enable"""
|
|
zh: """enable"""
|
|
}
|
|
}
|
|
|
|
type {
|
|
desc {
|
|
en: """Backend type."""
|
|
zh: """数据后端类型"""
|
|
}
|
|
label {
|
|
en: """type"""
|
|
zh: """type"""
|
|
}
|
|
}
|
|
|
|
#==== authz_file
|
|
|
|
file {
|
|
desc {
|
|
en: """Authorization using a static file."""
|
|
zh: """使用静态文件鉴权"""
|
|
}
|
|
label {
|
|
en: """file"""
|
|
zh: """文件"""
|
|
}
|
|
}
|
|
|
|
path {
|
|
desc {
|
|
en: """
|
|
Path to the file which contains the ACL rules.
|
|
If the file provisioned before starting EMQX node,
|
|
it can be placed anywhere as long as EMQX has read access to it.
|
|
|
|
In case the rule-set is created from EMQX Dashboard or management API,
|
|
the file will be placed in `authz` subdirectory inside EMQX's `data_dir`,
|
|
and the new rules will override all rules from the old config file.
|
|
"""
|
|
zh: """
|
|
包含 ACL 规则的文件路径。
|
|
如果在启动 EMQX 节点前预先配置该路径,
|
|
那么可以将该文件置于任何 EMQX 可以访问到的位置。
|
|
|
|
如果从 EMQX Dashboard 或 management API 创建规则集,
|
|
那么文件将会自动生成在 `authz` 目录下,该目录位于 EMQX 的 `data_dir` 子目录下,
|
|
并且之后新的规则集将会覆写旧文件。"""
|
|
}
|
|
label {
|
|
en: """path"""
|
|
zh: """path"""
|
|
}
|
|
}
|
|
|
|
#==== authz_http
|
|
|
|
http_get {
|
|
desc {
|
|
en: """Authorization using an external HTTP server (via GET requests)."""
|
|
zh: """使用外部 HTTP 服务器鉴权(GET 请求)."""
|
|
}
|
|
label {
|
|
en: """http_get"""
|
|
zh: """http_get"""
|
|
}
|
|
}
|
|
|
|
http_post {
|
|
desc {
|
|
en: """Authorization using an external HTTP server (via POST requests)."""
|
|
zh: """使用外部 HTTP 服务器鉴权(POST 请求)."""
|
|
}
|
|
label {
|
|
en: """http_post"""
|
|
zh: """http_post"""
|
|
}
|
|
}
|
|
|
|
method {
|
|
desc {
|
|
en: """HTTP method."""
|
|
zh: """HTTP 请求方法"""
|
|
}
|
|
label {
|
|
en: """method"""
|
|
zh: """method"""
|
|
}
|
|
}
|
|
|
|
url {
|
|
desc {
|
|
en: """URL of the auth server."""
|
|
zh: """认证服务器 URL"""
|
|
}
|
|
label {
|
|
en: """url"""
|
|
zh: """url"""
|
|
}
|
|
}
|
|
|
|
headers {
|
|
desc {
|
|
en: """List of HTTP headers."""
|
|
zh: """"""
|
|
}
|
|
label {
|
|
en: """headers"""
|
|
zh: """请求头"""
|
|
}
|
|
}
|
|
|
|
headers_no_content_type {
|
|
desc {
|
|
en: """List of HTTP headers (without `content_type`)."""
|
|
zh: """"""
|
|
}
|
|
label {
|
|
en: """headers_no_content_type"""
|
|
zh: """请求头(无 content-type)"""
|
|
}
|
|
}
|
|
|
|
body {
|
|
desc {
|
|
en: """HTTP request body."""
|
|
zh: """HTTP 请求体"""
|
|
}
|
|
label {
|
|
en: """body"""
|
|
zh: """请求体"""
|
|
}
|
|
}
|
|
|
|
request_timeout {
|
|
desc {
|
|
en: """Request timeout."""
|
|
zh: """请求超时时间"""
|
|
}
|
|
label {
|
|
en: """request_timeout"""
|
|
zh: """请求超时"""
|
|
}
|
|
}
|
|
|
|
#==== authz_mnesia
|
|
|
|
mnesia {
|
|
desc {
|
|
en: """Authorization using a built-in database (mnesia)."""
|
|
zh: """使用内部数据库鉴权 (mnesia)."""
|
|
}
|
|
label {
|
|
en: """mnesia"""
|
|
zh: """mnesia"""
|
|
}
|
|
}
|
|
|
|
#==== authz_mongo
|
|
|
|
mongo_single {
|
|
desc {
|
|
en: """Authorization using a single MongoDB instance."""
|
|
zh: """使用 MongoDB 鉴权(单实例)"""
|
|
}
|
|
label {
|
|
en: """mongo_single"""
|
|
zh: """mongo_single"""
|
|
}
|
|
}
|
|
|
|
mongo_rs {
|
|
desc {
|
|
en: """Authorization using a MongoDB replica set."""
|
|
zh: """使用 MongoDB 鉴权(副本集模式)"""
|
|
}
|
|
label {
|
|
en: """mongo_rs"""
|
|
zh: """mongo_rs"""
|
|
}
|
|
}
|
|
|
|
mongo_sharded {
|
|
desc {
|
|
en: """Authorization using a sharded MongoDB cluster."""
|
|
zh: """使用 MongoDB 鉴权(分片集群模式)"""
|
|
}
|
|
label {
|
|
en: """mongo_sharded"""
|
|
zh: """mongo_sharded"""
|
|
}
|
|
}
|
|
|
|
collection {
|
|
desc {
|
|
en: """`MongoDB` collection containing the authorization data."""
|
|
zh: """`MongoDB` 鉴权数据集"""
|
|
}
|
|
label {
|
|
en: """collection"""
|
|
zh: """数据集"""
|
|
}
|
|
}
|
|
|
|
selector {
|
|
desc {
|
|
en: """
|
|
Statement that is executed during the authorize process.
|
|
Commands can support following wildcards:\n
|
|
- `${username}`: substituted with client's username\n
|
|
- `${clientid}`: substituted with the clientid
|
|
"""
|
|
zh: """
|
|
鉴权过程中所使用的查询命令。
|
|
查询命令支持如下占位符:
|
|
- `${username}`: 代替客户端的用户名
|
|
- `${clientid}`: 代替客户端的客户端标识符"""
|
|
}
|
|
label {
|
|
en: """selector"""
|
|
zh: """selector"""
|
|
}
|
|
}
|
|
|
|
#==== authz_mysql
|
|
|
|
mysql {
|
|
desc {
|
|
en: """Authorization using a MySQL database."""
|
|
zh: """使用 MySOL 数据库鉴权"""
|
|
}
|
|
label {
|
|
en: """mysql"""
|
|
zh: """mysql"""
|
|
}
|
|
}
|
|
|
|
#==== authz_pgsql
|
|
|
|
postgresql {
|
|
desc {
|
|
en: """Authorization using a PostgreSQL database."""
|
|
zh: """使用 PostgreSQL 数据库鉴权"""
|
|
}
|
|
label {
|
|
en: """postgresql"""
|
|
zh: """postgresql"""
|
|
}
|
|
}
|
|
|
|
#==== authz_redis
|
|
|
|
redis_single {
|
|
desc {
|
|
en: """Authorization using a single Redis instance."""
|
|
zh: """使用 Redis 鉴权(单实例)"""
|
|
}
|
|
label {
|
|
en: """redis_single"""
|
|
zh: """redis_single"""
|
|
}
|
|
}
|
|
|
|
redis_sentinel {
|
|
desc {
|
|
en: """Authorization using a Redis Sentinel."""
|
|
zh: """使用 Redis 鉴权(哨兵模式)"""
|
|
}
|
|
label {
|
|
en: """redis_sentinel"""
|
|
zh: """redis_sentinel"""
|
|
}
|
|
}
|
|
|
|
redis_cluster {
|
|
desc {
|
|
en: """Authorization using a Redis cluster."""
|
|
zh: """使用 Redis 鉴权(集群模式)"""
|
|
}
|
|
label {
|
|
en: """redis_cluster"""
|
|
zh: """redis_cluster"""
|
|
}
|
|
}
|
|
|
|
jwt {
|
|
desc {
|
|
en: """Authorization using ACL rules from authentication JWT."""
|
|
zh: """使用 JWT 登录认证中携带的 ACL 规则来进行发布和订阅的授权。"""
|
|
}
|
|
label {
|
|
en: """jwt"""
|
|
zh: """jwt"""
|
|
}
|
|
}
|
|
|
|
acl_claim_name {
|
|
desc {
|
|
en: """JWT claim name to use for getting ACL rules."""
|
|
zh: """JWT claim name to use for getting ACL rules."""
|
|
}
|
|
label {
|
|
en: """acl_claim_name"""
|
|
zh: """acl_claim_name"""
|
|
}
|
|
}
|
|
|
|
cmd {
|
|
desc {
|
|
en: """Database query used to retrieve authorization data."""
|
|
zh: """访问控制数据查查询命令"""
|
|
}
|
|
label {
|
|
en: """cmd"""
|
|
zh: """查询命令"""
|
|
}
|
|
}
|
|
|
|
#==== common field for DBs (except redis)
|
|
|
|
query {
|
|
desc {
|
|
en: """Database query used to retrieve authorization data."""
|
|
zh: """访问控制数据查询语句/查询命令"""
|
|
}
|
|
label {
|
|
en: """query"""
|
|
zh: """查询语句"""
|
|
}
|
|
}
|
|
}
|