EMQX Platform Docs

English

简体中文

English

简体中文

Appearance

Contact Us

Default Authorization

Default authorization is based on a built-in database, offering users a low-cost, plug-and-play authorization method. This document provides a detailed guide on configuring client ID, username, and quota limits and using whitelists and placeholders for more advanced permission control.

Add Authorization Information

Note

The maximum number of entries for built-in authorization is twice the number of deployment connections, with an upper limit of 100,000. If this limit is exceeded, please use an external ACL.

Authorization can be controlled at three levels:

  1. Client ID: Authorization validation for a specific client ID.
  2. Username: Authorization validation for a specific username.
  3. All Users: Authorization validation based on topics for all users.

Select + Add on the Client Authorization page to add new authorization information based on the current category.

Add Client ID Authorization

Under the Client ID tab, create authorization rules for specific client IDs.

  • Client ID: The client to which this authorization rule is applied.
  • Topic: Configure the topic corresponding to this rule.
  • Action: Configure the operation corresponding to this rule. Options: Publish, Subscribe, Publish and Subscribe.
  • Permission: Whether to allow the current client to perform the requested operation; Options: Allow, Deny.

Add Username Authorization

Under the Username tab, create authorization rules for specific usernames.

  • Username: The username applicable to this rule.
  • Topic: Configure the topic corresponding to this rule.
  • Action: Configure the operation corresponding to this rule. Options: Publish, Subscribe, Publish and Subscribe.
  • Permission: Whether to allow the current user to perform the requested operation; Options: Allow, Deny.

Add Topic Authorization

Under the All Users tab, create authorization rules for specific topics.

  • Topic: Configure the topic corresponding to this rule.
  • Action: Configure the operation corresponding to this rule. Options: Publish, Subscribe, Publish and Subscribe.
  • Permission: Whether to allow the current topic to perform the requested operation; Options: Allow, Deny.

Use Placeholders

When using placeholders in a topic, you can dynamically replace the current client information in the topic-matching rules. The supported placeholders are:

  • ${clientid}
  • ${username}

If you want to restrict all users to only subscribe to or publish specific topics, you can set it like this:

  • Username ${username}, Topic xx/${username}/report
  • Client ID ${clientid}, Topic xx/${clientid}/report

add_acl

Placeholders can only be used to replace an entire field in a topic, e.g., a/b/${username}/c/d, but cannot be used to replace a part of a field, e.g., a/b${username}c/d.

Import Authorization Information

You can use the provided CSV template to import authorization information in batches (not supported for "All Users"). The fields for import are as follows:

  • clientid: Client ID
  • username: Username
  • topic: Authorized topic
  • action: Action (sub/pub/pubsub)
  • access: Whether to allow (allow/deny)

You can follow the instructions below to import authorization information in batch:

  1. Click the Import button.

  2. Download the template. An example template file (client ID template as an example) is shown below:

    auth_csv

  3. Fill in the authorization information and upload the file.

  4. Click Import.

View Authorization Information

After you add the authorization information, you can view them on the Authorization page. The details of authorization entries can be viewed through three dimensions: Client ID, Username, and All Users (topic).

Edit Authorization Information

Click the edit icon next to the authorization information to modify the current authorization information.

Delete Authorization Information

Click the delete icon next to the authorization information to delete it.

Enable Authorization Whitelist Mode

When the whitelist mode is enabled, all users are prohibited from subscribing and publishing by default. Clients need to be granted authorization to perform subscription and publishing actions.

Click Access Control -> Authorization in the left menu of the deployment. Under the All Users tab, add an authorization entry. Enter # in the Topic field, select Publish & Subscribe for Action, select Deny for Permission, and click Confirm to enable whitelist mode.

add_acl

Note

  • By default, authorization uses a blacklist mode (i.e., all subscriptions and publish are allowed by default).
  • The order of authorization matching is: All Users authorization -> Username/Client ID authorization.
  • The combination of Client ID/Username and Topic is unique. For multiple records with the same Client ID/Username + Topic, only the most recent record is valid.
  • If you have added extended authorization data sources, ensure that "Default Authorization" is placed last in the Authorization order on the extended authorization page to enable whitelist mode.

View Authorization Statistics

Click the Authorization Statistics icon at the upper right corner to view the metrics and rate indicators of authorization.

new_authentication