Authorization
In EMQX Edge, authorization controls what MQTT clients are allowed to do—specifically, whether they can publish messages to a topic or subscribe to one.
When a client tries to publish or subscribe, EMQX Edge checks their permissions in one of two ways:
Build-in file – It follows ACL rules written in file.
HTTP query – It runs a HTTP query against your configured authorization server.
Based on the query results, EMQX Edge will either allow the action or deny it—helping you protect topics and ensure only the right clients have access.
Build-in file
To verify the permissions of a client, the most direct way is to edit the ACL rule itself.
Here we create three ACL rules. The first rule {"permit": "allow", "username": "dashboard", "action": "subscribe", "topics": ["$SYS/#"]} allows all the clients with username dashboard to subscribe topic $SYS/#. The second rule {"permit": "deny", "username": "#", "action": "subscribe", "topics": ["$SYS/#", "#"]} deny all the client to subscribe topics $SYS/# and # except these clients with username dashboard. The third rule {"permit": "allow"} allow any other subscribe or publish operations.
The rules in build-in file will not take effect after clicking the Save button. They will take effect till EMQX Edge restart.
HTTP Query
Authorization HTTP Query is the process of verifying the permissions of a client against HTTP Query.
When a MQTT client try to do publish or subscribe. A HTTP requests will be constructed by following Method, Headers and Parameters. Then this HTTP request will be sent to the authorization server URL. EMQX Edge will allow this publish or subscribe when the status of corresponding HTTP response is 200. Otherwise EMQX Edge will not stop doing this publish or subscribe.
Method
Specifies the HTTP request method for the corresponding request. This could be either POST or GET. Default: POST.
URL
Specifies the HTTP URL API path for the corresponding request. Example: http://127.0.0.1:8991/mqtt/acl.
Headers
Specify the data in the HTTP request header.
Available Keys
content-type: The content-type header is used to indicate the media type of the resource that the request sends to the server. And the corresponding value should beapplication/x-www-form-urlencodedorapplication/json.accept: It's a optional header. You can set other headers likecookieanddate. And all these headers will be sent withcontent-type.
Parameters
Specifies the parameters used to construct the request body or query string parameters
Available Keys
- clientid: MQTT Client ID
- username: MQTT Username
- password: MQTT Password
- topic: The topic in MQTT packets
- access: The type of MQTT Packet. 1 -> A Subscribe Request. 2 -> A Publish Request
These keys are not supported yet.
- ipaddr
- mountpoint
- sockport
- protocol
- common
- subject
Available Values
%c: Client ID%u: Username%P: Password%t: Topic%A: Type of MQTT Packet
These values are not supported yet.
%a: Client's network IP address%m: Mountpoint%p: Server port for client connection%r: The protocol used by the client can be:mqtt, mqtt-sn, coap, lwm2m and stomp%C: Common Name in client certificate%d: Subject in client certificate