topicauth.policy
The topic authorization file contains authorization rules for topics on a DXL fabric.
It is important to note that an identical copy of this policy file must exist on each broker within the fabric for topic authorization to work correctly.
Topics are open by default. Any topics that are to be restricted to certain clients must be listed within this file. Clients are identified by the thumbprint of their certificate. This policy also supports using the thumbprints of certificate authorities which would apply to any certificates that have been signed by that CA (or as part of a chain containing the CA).
The format for the topic authorization policy file is JSON. It is also worth noting that C-style comments are allowed within the file.
The thumbprint is the SHA-1 fingerprint of the certificate (the digest `openssl x509 -fingerprint` prints by default), written as 40 lowercase hexadecimal characters with no colons, for example:

0a97b7282ab8fc30a1be704ed6c208fb7637ddeb

The following `openssl` output piped through `sed` generates a compatible thumbprint:

```sh
openssl x509 -in <certificate-file> -fingerprint -noout \
| sed -e 's/://g' -e 's/.*=\(.*\)/\L\1/'
```

The `\L` lowercase conversion is a GNU sed extension; on BSD or macOS sed it does not work, so lowercase the output another way (for example with `tr`). A thumbprint in any other form (uppercase, colon-separated, or computed with a different digest) will never match, so a client listed that way is denied on the restricted topic.
The following is an example of a valid authorization policy:
```json
{
  "send": [
    {
      // Restrict sending messages on "/topic1" to the following clients
      "topic": "/topic1",
      "clients": [
        "0a97b7282ab8fc30a1be704ed6c208fb7637ddeb", // My test client
        "ba8f5dd8763143444a86fefeecd3eb7b4aa2fe4f"  // Some other client
      ]
    }
  ],
  "receive": [
    {
      // Restrict receiving messages on "/topic2" to the following clients
      "topic": "/topic2",
      "clients": [
        "0a97b7282ab8fc30a1be704ed6c208fb7637ddeb" // My test client
      ]
    },
    {
      // No clients can receive messages on "/topic3"
      "topic": "/topic3",
      "clients": []
    }
  ]
}
```
The topic authorization policy file consists of two arrays: `send`, which describes sending restrictions, and `receive`, which describes receiving restrictions. The two arrays are independent: a topic listed only under `send` stays open for receiving, and vice versa, because any topic without a rule is open by default. Listing a topic with an empty `clients` array (as `/topic3` above) denies that operation to every client.
The fields for each of these restriction types are detailed below.
Fields of a `send` restriction:

Field | Description |
---|---|
topic | The topic to restrict |
clients | An array containing the clients or CAs (as identified by certificate thumbprint) that are allowed to send messages to the topic. |

Fields of a `receive` restriction:

Field | Description |
---|---|
topic | The topic to restrict |
clients | An array containing the clients or CAs (as identified by certificate thumbprint) that are allowed to receive messages from the topic. |
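The following script is an added example, not code from the OpenDXL broker: it derives a thumbprint in the format described above (SHA-1 of the DER certificate, lowercase hex, no colons), strips the C-style comments the policy file allows, validates every listed thumbprint, and evaluates the `send`/`receive` rules the way the text describes them, including the open-by-default case, the empty `clients` array, and a client authorized through the thumbprint of its issuing CA. The policy embedded in it is the page's own example; the PEM constant is a constructed placeholder (base64 of the bytes `abc`), not a real certificate; exact topic matching is this example's assumption, since the page does not describe wildcards.

```python
import hashlib
import json
import re
import ssl

THUMBPRINT_RE = re.compile(r"^[0-9a-f]{40}$")

# The page's example policy, embedded so the script runs offline.
SAMPLE_POLICY = r"""{
  "send": [
    {  // Restrict sending messages on "/topic1" to the following clients
      "topic": "/topic1",
      "clients": ["0a97b7282ab8fc30a1be704ed6c208fb7637ddeb",   // My test client
                  "ba8f5dd8763143444a86fefeecd3eb7b4aa2fe4f"]   // Some other client
    }
  ],
  "receive": [
    {  // Restrict receiving messages on "/topic2" to the following clients
      "topic": "/topic2",
      "clients": ["0a97b7282ab8fc30a1be704ed6c208fb7637ddeb"]   // My test client
    },
    {  // No clients can receive messages on "/topic3"
      "topic": "/topic3", "clients": []
    }
  ]
}"""

# Constructed placeholder: base64 of b"abc" in PEM armour, NOT a real certificate.
PLACEHOLDER_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

def thumbprint_from_der(der: bytes) -> str:
    # SHA-1 over the DER bytes as lowercase hex without colons: the same value
    # the page's openssl | sed pipeline prints.
    return hashlib.sha1(der).hexdigest()

def thumbprint_from_pem(pem: str) -> str:
    return thumbprint_from_der(ssl.PEM_cert_to_DER_cert(pem))

def strip_c_comments(text: str) -> str:
    """Drop // and /* */ comments but never touch the inside of a string literal."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:   # copy the escaped character too
                out.append(text[i + 1])
                i += 1
            elif c == '"':
                in_str = False
            i += 1
        elif c == '"':
            in_str = True
            out.append(c)
            i += 1
        elif text.startswith("//", i):
            j = text.find("\n", i)
            i = n if j < 0 else j            # the newline itself is kept
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            i = n if j < 0 else j + 2
        else:
            out.append(c)
            i += 1
    return "".join(out)

def load_policy(text: str) -> dict:
    """Parse the file and reject any thumbprint that is not 40 lowercase hex chars."""
    policy = json.loads(strip_c_comments(text))
    for direction in ("send", "receive"):
        for rule in policy.get(direction, []):
            for tp in rule["clients"]:
                if not THUMBPRINT_RE.match(tp):
                    raise ValueError(f"bad thumbprint {tp!r} in {direction} rule for {rule['topic']}")
    return policy

def is_allowed(policy: dict, direction: str, topic: str, chain_thumbprints) -> bool:
    """direction is "send" or "receive". chain_thumbprints holds the client cert's
    thumbprint plus those of every CA in its chain, so a listed CA authorizes every
    certificate issued under it. Topics match exactly (this example's assumption);
    an unlisted topic is open, and an empty clients list matches nobody."""
    rules = [r for r in policy.get(direction, []) if r["topic"] == topic]
    if not rules:
        return True
    allowed = {tp for r in rules for tp in r["clients"]}
    return any(tp in allowed for tp in chain_thumbprints)
```

To check a real client, replace `PLACEHOLDER_PEM` with the contents of its certificate file and pass the thumbprints of the leaf certificate and its CA chain to `is_allowed`. The validation in `load_policy` catches the most common deployment mistake, a colon-separated or uppercase fingerprint pasted from `openssl` without the `sed` step, before the file is copied to every broker in the fabric.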