
topicauth.policy

Chris Smith edited this page Oct 12, 2018 · 11 revisions

Overview

The topic authorization file contains authorization rules for topics on a DXL fabric.

It is important to note that an identical copy of this policy file must exist on each broker within the fabric for topic authorization to work correctly.

Topics are open by default. Any topics that are to be restricted to certain clients must be listed within this file. Clients are identified by the thumbprint of their certificate. This policy also supports using the thumbprints of certificate authorities which would apply to any certificates that have been signed by that CA (or as part of a chain containing the CA).

The format for the topic authorization policy file is JSON. It is also worth noting that C-style comments are allowed within the file.

The thumbprint must be in the following format (no colons and lowercase):

0a97b7282ab8fc30a1be704ed6c208fb7637ddeb

The following openssl command, piped through sed, generates a compatible thumbprint (the \L lowercase conversion is a GNU sed extension; on other sed implementations pipe through tr '[:upper:]' '[:lower:]' instead):

openssl x509 -in <certificate-file> -fingerprint -noout \
    | sed -e 's/://g' -e 's/.*=\(.*\)/\L\1/'

Example

The following is an example of a valid authorization policy:

{
    "send": [
        {
            // Restrict sending messages on "/topic1" to the following clients
            "topic":"/topic1",
            "clients": [
                "0a97b7282ab8fc30a1be704ed6c208fb7637ddeb", // My test client
                "ba8f5dd8763143444a86fefeecd3eb7b4aa2fe4f"  // Some other client
            ]
        }
    ],
    "receive": [
        {
            // Restrict receiving messages on "/topic2" to the following clients
            "topic":"/topic2",
            "clients": [
                "0a97b7282ab8fc30a1be704ed6c208fb7637ddeb"  // My test client
            ]
        },
        {
            // No clients can receive messages on "/topic3"
            "topic":"/topic3",
            "clients": []
        }
    ]
}

Format

The topic authorization policy file consists of two arrays: one describing send restrictions and one describing receive restrictions.

The fields for each of these restriction types are detailed below.

Send Restriction Fields

| Field   | Description |
|---------|-------------|
| topic   | The topic to restrict |
| clients | An array containing the clients or CAs (as identified by certificate thumbprint) that are allowed to send messages to the topic. |

Receive Restriction Fields

| Field   | Description |
|---------|-------------|
| topic   | The topic to restrict |
| clients | An array containing the clients or CAs (as identified by certificate thumbprint) that are allowed to receive messages from the topic. |
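As an added illustration of how the Example and Format sections above fit together (this is not the broker's own code), the following Python parses a policy in that format, strips the C-style comments, rejects thumbprints that are not lowercase colon-free hex, and answers whether a client, identified by the thumbprints of its certificate chain, may send or receive on a topic. The sample policy and thumbprint values are constructed, and matching a CA thumbprint against any entry in the client's chain is an assumption about how the broker applies CA entries.

```python
import json
import re
# Constructed sample policy in the page's format; comments are allowed in the real file too.
POLICY_TEXT = r'''{
  "send": [ { // only these two may publish on /topic1
    "topic": "/topic1",
    "clients": ["0a97b7282ab8fc30a1be704ed6c208fb7637ddeb",
                "ba8f5dd8763143444a86fefeecd3eb7b4aa2fe4f"] } ],
  "receive": [ { "topic": "/topic2",
                 "clients": ["0a97b7282ab8fc30a1be704ed6c208fb7637ddeb"] },
               { "topic": "/topic3", "clients": [] } /* nobody may subscribe */ ]
}'''

THUMBPRINT_RE = re.compile(r"^[0-9a-f]{40}$")  # SHA-1 hex, lowercase, no colons

def strip_comments(text):
    """Remove // and /* */ comments, leaving JSON string literals untouched."""
    out, i, n = [], 0, len(text)
    while i < n:
        c = text[i]
        if c == '"':                       # copy a string literal verbatim
            j = i + 1
            while j < n and text[j] != '"':
                j += 2 if text[j] == "\\" else 1
            out.append(text[i:j + 1]); i = j + 1
        elif text.startswith("//", i):     # line comment runs to end of line
            i = text.find("\n", i); i = n if i < 0 else i
        elif text.startswith("/*", i):     # block comment runs to closing */
            j = text.find("*/", i + 2); i = n if j < 0 else j + 2
        else:
            out.append(c); i += 1
    return "".join(out)

def load_policy(text):
    """Parse the policy and reject malformed thumbprints before they are used."""
    policy = json.loads(strip_comments(text))
    for direction in ("send", "receive"):
        for rule in policy.get(direction, []):
            for tp in rule["clients"]:
                if not THUMBPRINT_RE.match(tp):
                    raise ValueError("bad thumbprint %r for %s" % (tp, rule["topic"]))
    return policy

def is_authorized(policy, direction, topic, chain_thumbprints):
    """Unlisted topics are open; a listed topic needs the client's own or an issuing CA's thumbprint."""
    for rule in policy.get(direction, []):
        if rule["topic"] == topic:
            return any(tp in rule["clients"] for tp in chain_thumbprints)
    return True
```

An empty clients array therefore denies everyone, while a topic that appears in neither array stays open to all clients.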