• emqtt emq 的主题访问控制 acl.conf


    访问控制(ACL)

    EMQ 消息服务器通过 ACL(Access Control List) 实现 MQTT 客户端访问控制。

    ACL 访问控制规则定义:

    允许(Allow)|拒绝(Deny) (Who) 订阅(Subscribe)|发布(Publish) 主题列表(Topics)
    

    MQTT 客户端发起订阅/发布请求时,EMQ 消息服务器的访问控制模块,会逐条匹配 ACL 规则,直到匹配成功为止:

              ---------              ---------              ---------
    Client -> | Rule1 | --nomatch--> | Rule2 | --nomatch--> | Rule3 | --> Default
              ---------              ---------              ---------
                  |                      |                      |
                match                  match                  match
                 |/                    |/                    |/
            allow | deny           allow | deny           allow | deny
    

    默认访问控制设置

    EMQ 消息服务器默认访问控制,在 etc/emq.conf 中设置:

    ## ACL nomatch
    mqtt.acl_nomatch = allow
    
    ## Default ACL File
    mqtt.acl_file = etc/acl.conf
    

    ACL 规则定义在 etc/acl.conf,EMQ 启动时加载到内存:

    %% Allow 'dashboard' to subscribe '$SYS/#'
    {allow, {user, "dashboard"}, subscribe, ["$SYS/#"]}.
    
    %% Allow clients from localhost to subscribe any topics
    {allow, {ipaddr, "127.0.0.1"}, pubsub, ["$SYS/#", "#"]}.
    
    %% Deny clients to subscribe '$SYS#' and '#'
    {deny, all, subscribe, ["$SYS/#", {eq, "#"}]}.
    
    %% Allow all by default
    {allow, all}.
    

    HTTP 插件访问控制

    注解

    开启 HTTP 插件后,会终结 ACL 链

    HTTP API 实现访问控制: https://github.com/emqtt/emq_auth_http

    配置 etc/plugins/emq_auth_http.conf, 启用 HTTP 认证插件后:

    ## 'access' parameter: sub = 1, pub = 2
    auth.http.acl_req = http://127.0.0.1:8080/mqtt/acl
    auth.http.acl_req.method = get
    auth.http.acl_req.params = access=%A,username=%u,clientid=%c,ipaddr=%a,topic=%t
    

    MySQL 插件访问控制

    MySQL 插件访问控制,通过 mqtt_acl 表定义 ACL 规则:

    CREATE TABLE `mqtt_acl` (
      `id` int(11) unsigned NOT NULL AUTO_INCREMENT,
      `allow` int(1) DEFAULT NULL COMMENT '0: deny, 1: allow',
      `ipaddr` varchar(60) DEFAULT NULL COMMENT 'IpAddress',
      `username` varchar(100) DEFAULT NULL COMMENT 'Username',
      `clientid` varchar(100) DEFAULT NULL COMMENT 'ClientId',
      `access` int(2) NOT NULL COMMENT '1: subscribe, 2: publish, 3: pubsub',
      `topic` varchar(100) NOT NULL DEFAULT '' COMMENT 'Topic Filter',
      PRIMARY KEY (`id`)
    ) ENGINE=InnoDB DEFAULT CHARSET=utf8;
    
    INSERT INTO mqtt_acl (id, allow, ipaddr, username, clientid, access, topic)
    VALUES
        (1,1,NULL,'$all',NULL,2,'#'),
        (2,0,NULL,'$all',NULL,1,'$SYS/#'),
        (3,0,NULL,'$all',NULL,1,'eq #'),
        (5,1,'127.0.0.1',NULL,NULL,2,'$SYS/#'),
        (6,1,'127.0.0.1',NULL,NULL,2,'#'),
        (7,1,NULL,'dashboard',NULL,1,'$SYS/#');
    

    etc/plugins/emq_auth_mysql.conf 配置 ‘acl_query’ 与 ‘acl_nomatch’:

    ## ACL Query Command
    auth.mysql.acl_query = select allow, ipaddr, username, clientid, access, topic from mqtt_acl where ipaddr = '%a' or username = '%u' or username = '$all' or clientid = '%c'
    

    Postgre 插件访问控制

    PostgreSQL 插件访问控制,通过 mqtt_acl 表定义 ACL 规则:

    CREATE TABLE mqtt_acl (
      id SERIAL primary key,
      allow integer,
      ipaddr character varying(60),
      username character varying(100),
      clientid character varying(100),
      access  integer,
      topic character varying(100)
    );
    
    INSERT INTO mqtt_acl (id, allow, ipaddr, username, clientid, access, topic)
    VALUES
        (1,1,NULL,'$all',NULL,2,'#'),
        (2,0,NULL,'$all',NULL,1,'$SYS/#'),
        (3,0,NULL,'$all',NULL,1,'eq #'),
        (5,1,'127.0.0.1',NULL,NULL,2,'$SYS/#'),
        (6,1,'127.0.0.1',NULL,NULL,2,'#'),
        (7,1,NULL,'dashboard',NULL,1,'$SYS/#');
    

    etc/plugins/emq_auth_pgsql.conf 设置 ‘acl_query’ 与 ‘acl_nomatch’:

    ## ACL Query. Comment this query, the acl will be disabled.
    auth.pgsql.acl_query = select allow, ipaddr, username, clientid, access, topic from mqtt_acl where ipaddr = '%a' or username = '%u' or username = '$all' or clientid = '%c'
    

    Redis 插件访问控制

    Redis Hash 存储一个 MQTT 客户端的访问控制规则:

    HSET mqtt_acl:<username> topic1 1
    HSET mqtt_acl:<username> topic2 2
    HSET mqtt_acl:<username> topic3 3
    

    etc/plugins/emq_auth_redis.conf 配置 ‘acl_cmd’ 与 ‘acl_nomatch’:

    ## ACL Query Command
    auth.redis.acl_cmd = HGETALL mqtt_acl:%u
    

    MongoDB 插件访问控制

    MongoDB 数据库创建 mqtt_acl 集合:

    {
        username: "username",
        clientid: "clientid",
        publish: ["topic1", "topic2", ...],
        subscribe: ["subtop1", "subtop2", ...],
        pubsub: ["topic/#", "topic1", ...]
    }
    

    mqtt_acl 集合插入数据,例如:

    db.mqtt_acl.insert({username: "test", publish: ["t/1", "t/2"], subscribe: ["user/%u", "client/%c"]})
    db.mqtt_acl.insert({username: "admin", pubsub: ["#"]})
    

    etc/plugins/emq_auth_mongo.conf 配置 ‘acl_query’ 与 ‘acl_nomatch’:

    ## acl_query
    auth.mongo.acl_query.collection = mqtt_user
    
    auth.mongo.acl_query.selector = username=%u
  • 相关阅读:
    3D数学 矩阵的更多知识(5)
    D3D中的光照(1)
    双节棍(C语言版)
    D3D中的Alpha融合技术(1)
    D3D编程必备的数学知识(5)
    Direct3D中的绘制(1)
    初始化Direct3D(2)
    D3D中的纹理映射(2)
    Direct3D中的绘制(1)
    D3D编程必备的数学知识(2)
  • 原文地址:https://www.cnblogs.com/sttchengfei/p/12028484.html
Copyright © 2020-2023  润新知