EMQX Enterprise

English

简体中文
日本語

English

简体中文
日本語

Appearance

Contact Us

Use Built-in Database

EMQX provides users with a low-cost, out-of-the-box authorization rule storage method through the built-in database. You can use the built-in database (Mnesia) as a data source by setting it up through the Dashboard or configuration files, and add relevant authorization check rules through the Dashboard or HTTP API.

Prerequisite

Knowledge about basic EMQX authorization concepts

Create Built-in Database Authorizer via Dashboard

  1. On the EMQX Dashboard, navigate to Access Control > Authorization in the left-hand menu to open the Authorization page.

  2. Click Create in the top-right corner, select Built-in Database as the Backend, then click Next to continue.

    authz-mnesia_ee

  3. In the Configuration step, set the value for Max Rules (default: 100), which defines the maximum number of authorization rules allowed per client or user.

    Note

    Setting a high number of rules may impact system performance.

  4. Click Create to complete the setup.

Create Built-in Database Authorizer via Configuration File

The built-in database authorizer is identified by type built_in_database.

Sample configuration:

bash
{
    type = built_in_database
    enable = true
}

  • type: The data source type of the authorization checker; fill in built_in_database here.

  • enable: Whether to activate this checker; optional values: true, false.

Create Authorization Rules

You can create authorization rules through the Dashboard or API.

Create Authorization Rules via Dashboard

You can define authorization rules directly from the EMQX Dashboard by using the Permissions page of the Built-in Database backend.

Access the Permissions Page

  1. In the Dashboard, go to the Authorization page.
  2. In the Actions column of the Built-in Database backend, click Permissions.

authz-mnesia-rule

Authorization Rule Scope

Authorization rules can be configured at three scopes:

  • Client ID: Apply rules to a specific client ID.
  • Username: Apply rules to a specific username.
  • All Users: Apply rules to all clients/users, optionally filtered by patterns or IP ranges.

Common Rule Fields

These fields are available for all rule types:

FieldDescription
ActionThe operation type the rule applies to. Options: Publish, Subscribe, Publish & Subscribe.
PermissionWhether to allow or deny the operation. Options: Allow, Deny.
TopicThe MQTT topic this rule applies to. Wildcards (+, #) are supported.
QoSAllowed QoS levels. Multiple values can be selected: 0, 1, 2.
RetainWhether the rule applies to retained messages. Options: true, false, All.
IP Address RangeSpecifies the client IP range this rule applies to. Supports CIDR notation (e.g., 192.168.1.0/24) or exact IPs.
ListenerThe listener this rule applies to. Use {type}:{name} format, e.g., tcp:default, ws:default.
ZoneThe Zone in which the rule takes effect. Applicable in multi-Zone deployments.

Fields by Rule Scope

Rule ScopeFields
Client IDClient ID: (Required) Exact client ID to which this rule applies.
Username Pattern: (Optional) A regular expression to match usernames for which this rule is valid.
UsernameUsername: (Required) Exact username to which this rule applies.
Client ID Pattern: (Optional) A regular expression to match client IDs for which this rule is valid.
All UsersClient ID Pattern: (Optional) A regular expression to match usernames for which this rule is valid.
Username Pattern: (Optional) A regular expression to match usernames for which this rule is valid.

Example patterns:

  • ^device-user-.*: Matches usernames starting with device-user-.
  • ^sensor-.*: Matches client IDs starting with sensor-.

Add a Rule

  1. On the Permissions page, select the target tab: Client ID, Username, or All Users.
  2. Click Add.
  3. Fill in the common fields and any scope-specific fields.
  4. (Optional) Click Add Permission to add multiple rules. Use the Up and Down buttons to adjust rule execution order.
  5. Click Add to save the rule.

Manage Multiple Rules (All Users Only)

For All Users rules, you can change rule order from the More menu in the Actions column:

  • Move Up
  • Move Down
  • Move to Top
  • Move to Bottom

Rules are evaluated from top to bottom, so order determines priority.

Edit and Manage Rules

On the Permissions page, you can edit or delete existing rules:

  • In the Actions column of the corresponding rule, click the Edit button to modify rule fields, matching patterns, or IP range settings.
  • Click the Delete button to remove a rule.

Create Authorization Rules via REST API

You can also manage authorization rules through the REST API. The API endpoints correspond directly to the Dashboard's three scopes: Username, Client ID, and All Users.

Endpoints

  • Username rules
    • POST /authorization/sources/built_in_database/rules/users: Create rules for a user.
    • PUT /authorization/sources/built_in_database/rules/users/:username: Replace rules for a specific user.
  • Client ID rules
    • POST /authorization/sources/built_in_database/rules/clients: Create rules for a client.
    • PUT /authorization/sources/built_in_database/rules/clients/:clientid: Replace rules for a specific client.
  • All Users rules
    • POST /authorization/sources/built_in_database/rules/all: Create or replace global rules that apply to all clients/users.
    • There is no PUT request, just POST updating or creating all the rules.

Step 1: Obtain Authentication Token

You need to authenticate with the EMQX Dashboard to obtain a token for API access:

bash
export EMQX_TOKEN=$(curl --silent -X 'POST' "http://localhost:18083/api/v5/login" \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -d '{"username": "admin","password": "public"}' | jq -r ".token")

Step 2: Create the Built-in Database Authorization Source

Before creating rules, ensure the Built-in Database authorization source is created:

bash
curl -X 'POST' \
  'http://localhost:18083/api/v5/authorization/sources' \
  -H "Authorization: Bearer $EMQX_TOKEN" \
  -H 'Accept: */*' \
  -H 'Content-Type: application/json' \
  -d '{
        "enable": true,
        "max_rules": 100,
        "type": "built_in_database"
  }'

Step 3: Create Authorization Rules

You can create rules for:

  • A specific client by client ID:

    bash
    curl -X 'POST' \
  'http://localhost:18083/api/v5/authorization/sources/built_in_database/rules/clients' \
  -H "Authorization: Bearer $EMQX_TOKEN" \
  -H 'Accept: */*' \
  -H 'Content-Type: application/json' \
  -d '[
  {
    "clientid": "client1",
    "rules": [
      {
        "action": "publish",
        "permission": "allow",
        "topic": "test/topic/1"
      },
      {
        "action": "subscribe",
        "permission": "allow",
        "topic": "test/topic/2"
      },
      {
        "action": "all",
        "permission": "deny",
        "topic": "eq test/#"
      }
    ]
  }
]'

  • A specific client by username:

    bash
    curl -X 'POST' \
  'http://localhost:18083/api/v5/authorization/sources/built_in_database/rules/users' \
  -H "Authorization: Bearer $EMQX_TOKEN" \
  -H 'Accept: */*' \
  -H 'Content-Type: application/json' \
  -d '[
  {
    "username": "user1",
    "rules": [
      {
        "topic": "v1/devices/#",
        "permission": "allow",
        "action": "publish",
        "qos": [0,1,2],
        "retain": "all"
      }
    ]
  }
]'

Example: Update Rules for a User

bash
curl -X PUT 'http://localhost:18083/api/v5/authorization/sources/built_in_database/rules/users/user1' \
  -H "Authorization: Bearer $EMQX_TOKEN" \
  -H 'Content-Type: application/json' \
  -d '{
    "username": "user1",
    "rules": [
      {
        "topic": "v1/devices/+/state",
        "permission": "allow",
        "action": "subscribe",
        "qos": [0,1],
        "retain": "all"
      }
    ]
  }'

Example: Create Rules for All Users

bash
curl -X POST 'http://localhost:18083/api/v5/authorization/sources/built_in_database/rules/all' \\
  -H "Authorization: Bearer $EMQX_TOKEN" \\
  -H 'Content-Type: application/json' \\
  -d '[
    {
      "rules": [
        {
          "topic": "v1/#",
          "permission": "deny",
          "action": "all"
        }
      ]
    }
  ]'

Rule Fields

Each rule can include the following fields:

FieldDescription
username / clientidThe exact username or client ID this rule applies to (depending on endpoint).
topicThe MQTT topic this rule applies to. Supports wildcards (+, #) and topic placeholders.
permissionWhether to allow or deny the operation request from the current client/user. Options: allow, deny.
actionOperation type. Options: publish, subscribe, all.
qos(Optional) Allowed QoS levels. Example: [0,1]. Default: all levels.
retain(Optional) Whether the rule applies to retained messages. Options: true, false, all.