Mnesia ACL

Mnesia ACL 使用 EMQX 内置的 Mnesia 数据库存储 ACL 规则,可以存储数据、动态管理 ACL,方便与外部设备管理系统集成

插件:

  1. emqx_auth_mnesia

ACL 规则结构体

  1. {
  2.     "username":"emqx",
  3.     "clientid":"client1",
  4.     "topic":"testtopic/1",
  5.     "action":"pub",
  6.     "access": "allow"
  7. }

规则字段说明:

  • clientid:客户端的 Client ID.
  • username: 客户端的 Username.
  • topic:控制的主题,可以使用通配符,并且可以在主题中加入占位符来匹配客户端信息,例如 t/%c 则在匹配时主题将会替换为当前客户端的 Client ID
    • %u:用户名
    • %c:Client ID
  • action:操作行为,可选值:pub | sub | pubsub
  • Access:是否允许,可选值:allow | deny

usernameclientid是可选的,当两个都没有提供时,该规则适用于所有的客户端

Mnesia ACL 默认不设规则,你可以使用 HTTP API 和 emqx_ctl 管理 ACL 规则。

使用 HTTP API 管理 ACL 规则

添加 ACL 规则

  • Clientid ACL:

    1. # Request
    2. POST api/v4/acl
    3. {
    4.   "clientid":"emqx_c",
    5.   "topic":"Topic/A",
    6.   "action":"pub",
    7.   "access": "allow"
    8. }
    10. # Response
    11. {
    12.     "data": {
    13.         "clientid":"emqx_c",
    14.         "topic":"Topic/A",
    15.         "action":"pub",
    16.         "access": "allow"
    17.         "result": "ok"
    18.     },
    19.     "code": 0
    20. }

  • Username ACL:

    1. # Request
    2. POST api/v4/acl
    3. {
    4.   "username":"emqx_u",
    5.   "topic":"Topic/A",
    6.   "action":"pub",
    7.   "access": "allow"
    8. }
    10. # Response
    11. {
    12.     "data": {
    13.         "username":"emqx_u",
    14.         "topic":"Topic/A",
    15.         "action":"pub",
    16.         "access": "allow"
    17.         "result": "ok"
    18.     },
    19.     "code": 0
    20. }

  • $all ACL:

    1. # Request
    2. POST api/v4/acl
    3. {
    4.   "topic":"Topic/A",
    5.   "action":"pub",
    6.   "access": "allow"
    7. }
    9. # Response
    10. {
    11.     "data": {
    12.         "all": "$all",
    13.         "topic":"Topic/A",
    14.         "action":"pub",
    15.         "access": "allow"
    16.         "result": "ok"
    17.     },
    18.     "code": 0
    19. }

批量添加 ACL 规则

  1. # Request
  2. POST api/v4/acl
  3. [
  4.   {
  5.     "clientid":"emqx_c_1",
  6.     "topic":"Topic/A",
  7.     "action":"pub",
  8.     "access": "allow"
  9.   },
  10.   {
  11.     "username":"emqx_u_1",
  12.     "topic":"Topic/A",
  13.     "action":"sub",
  14.     "access": "allow"
  15.   },
  16.   {
  17.     "topic":"Topic/+",
  18.     "action":"pubsub",
  19.     "access": "deny"
  20.   }
  21. ]
  23. # Response
  24. {
  25.     "data": [
  26.       {
  27.         "clientid":"emqx_c_1",
  28.         "topic":"Topic/A",
  29.         "action":"pub",
  30.         "access": "allow",
  31.         "result": "ok"
  32.       },
  33.       {
  34.         "username":"emqx_u_1",
  35.         "topic":"Topic/A",
  36.         "action":"pub",
  37.         "access": "allow"
  38.         "result": "ok"
  39.       },
  40.       {
  41.         "all": "$all",
  42.         "topic":"Topic/+",
  43.         "action":"pubsub",
  44.         "access": "deny"
  45.       },
  46.     ],
  47.     "code": 0
  48. }

查看已经添加的 ACL 规则

  • Clientid ACL:

    1. # Request
    2. GET api/v4/acl/clientid
    4. # Response
    5. {
    6.   "meta": {
    7.     "page": 1,
    8.     "limit": 10,
    9.     "count": 1
    10.   },
    11.   "data": [
    12.     {
    13.       "clientid": "emqx_c",
    14.       "topic": "Topic/A",
    15.       "action": "pub",
    16.       "access": "allow"
    17.     },
    18.     {
    19.       "clientid": "emqx_c_1",
    20.       "topic": "Topic/A",
    21.       "action": "pub",
    22.       "access": "allow"
    23.     },
    24.     {
    25.       "clientid": "emqx_c_2",
    26.       "topic": "Topic/A",
    27.       "action": "pub",
    28.       "access": "allow"
    29.     }
    30.   ],
    31.   "code": 0
    32. }

  • Username ACL:

    1. # Request
    2. GET api/v4/acl/username
    4. # Response
    5. {
    6.   "meta": {
    7.     "page": 1,
    8.     "limit": 10,
    9.     "count": 1
    10.   },
    11.   "data": [
    12.     {
    13.       "username": "emqx_u",
    14.       "topic": "Topic/A",
    15.       "action": "pub",
    16.       "access": "allow"
    17.     },
    18.     {
    19.       "username": "emqx_u_1",
    20.       "topic": "Topic/A",
    21.       "action": "pub",
    22.       "access": "allow"
    23.     },
    24.     {
    25.       "username": "emqx_u_2",
    26.       "topic": "Topic/A",
    27.       "action": "pub",
    28.       "access": "allow"
    29.     }
    30.   ],
    31.   "code": 0
    32. }

  • $all ACL:

    1. # Request
    2. GET api/v4/acl/$all
    4. # Response
    5. {
    6.   "meta": {
    7.     "page": 1,
    8.     "limit": 10,
    9.     "count": 1
    10.   },
    11.   "data": [
    12.     {
    13.       "all": "$all",
    14.       "topic": "Topic/A",
    15.       "action": "pub",
    16.       "access": "allow"
    17.     },
    18.     {
    19.       "all": "$all",
    20.       "topic": "Topic/+",
    21.       "action": "pubsub",
    22.       "access": "deny"
    23.     }
    24.   ],
    25.   "code": 0
    26. }

查看指定 ACL 规则

  • Clientid ACL:

    1. # Request
    2. GET api/v4/acl/clientid/emqx_c
    4. # Response
    5. {
    6.     "data": [
    7.       {
    8.         "topic": "Topic/A",
    9.         "clientid": "emqx_c",
    10.         "access": "allow",
    11.         "action": "pub"
    12.       },
    13.       {
    14.         "topic": "Topic/B",
    15.         "clientid": "emqx_c",
    16.         "access": "allow",
    17.         "action": "pub"
    18.       }
    19.     ],
    20.     "code": 0
    21. }

  • Username ACL:

    1. # Request
    2. GET api/v4/acl/username/emqx_u
    4. # Response
    5. {
    6.     "data": [
    7.       {
    8.         "topic": "Topic/A",
    9.         "username": "emqx_u",
    10.         "access": "allow",
    11.         "action": "pub"
    12.       },
    13.       {
    14.         "topic": "Topic/B",
    15.         "username": "emqx_u",
    16.         "access": "allow",
    17.         "action": "pub"
    18.       }
    19.     ],
    20.     "code": 0
    21. }

删除 ACL 规则

  • Client ACL

    1. # Request
    2. # 请注意 ${topic} 需要使用 UrlEncode 编码
    3. DELETE api/v4/acl/clientid/${clientid}/topic/${topic}
    5. # Response
    6. {
    7.     "code": 0
    8. }

  • Username ACL

    1. # Request
    2. # 请注意 ${topic} 需要使用 UrlEncode 编码
    3. DELETE api/v4/acl/username/${username}/topic/${topic}
    5. # Response
    6. {
    7.     "code": 0
    8. }

  • $all ACL

    1. # Request
    2. # 请注意 ${topic} 需要使用 UrlEncode 编码
    3. DELETE api/v4/acl/$all/topic/${topic}
    5. # Response
    6. {
    7.     "code": 0
    8. }