The built-in ACL sets its rules through a file, which is simple and lightweight to use. It is suitable for projects with a predictable number of rules that rarely or never change.

- Plugin: `rmqtt-acl`
- Configuration file: `plugins/rmqtt-acl.toml`

The built-in ACL is the lowest-priority rule table. If no rule is hit after all ACL checks have completed, the default ACL rule is checked.
The rules file is written in TOML syntax:

```toml
rules = [
  # Allow "dashboard" users to subscribe to "$SYS/#" topics
  ["allow", { user = "dashboard" }, "subscribe", ["$SYS/#"]],
  # Allow the client with IP address "127.0.0.1" to publish/subscribe to "$SYS/#" or "#" topics
  ["allow", { ipaddr = "127.0.0.1" }, "pubsub", ["$SYS/#", "#"]],
  # Deny all users subscribing to the "$SYS/#" and "#" topics
  ["deny", "all", "subscribe", ["$SYS/#", { eq = "#" }]],
  # Allow any other client to connect and to publish/subscribe
  ["allow", "all"]
]
```
- The first rule allows clients with the username `dashboard` to subscribe to the topic `$SYS/#`, which makes a special case for the third rule.
- The second rule allows clients with the IP address `127.0.0.1` to publish/subscribe to the topics `$SYS/#` or `#`, which makes a special case for the third rule.
- The third rule prohibits all clients from subscribing to the topics `$SYS/#` and `#`.
- The fourth rule allows clients to connect and to publish/subscribe to all topics.

It can be seen that the default ACL mainly restricts the client's permissions on the system topic `$SYS/#` and on the all-wildcard topic `#`.

The rules in the `rmqtt-acl.toml` file are matched from top to bottom, in the order they are written.
- Line comments are expressed with `#`.
- Each rule is a four-tuple.
- The first position of the tuple indicates the permission control operation performed once the rule is hit. The possible values are:
  - `allow`
  - `deny`
- The second position of the tuple indicates the users to which the rule applies. The formats that can be used are:
  - `{ user = "dashboard" }`: the rule only takes effect for users whose Username is `dashboard`
  - `{ user = "dashboard", password = "123456", superuser = true }`: the rule takes effect for users with *Username* `dashboard` and *Password* `123456`; `superuser` indicates that this user is a superuser and will skip authentication when publishing/subscribing messages
  - `{ clientid = "dashboard" }`: the rule only takes effect for users whose ClientId is `dashboard`
  - `{ ipaddr = "127.0.0.1" }`: the rule only takes effect for users whose source address is `127.0.0.1`
  - `all`: the rule takes effect for all users
- The third position of the tuple indicates the operation controlled by the rule. The possible values are:
  - `connect`: the rule applies to CONNECT operations
  - `publish`: the rule applies to PUBLISH operations
  - `subscribe`: the rule applies to SUBSCRIBE operations
  - `pubsub`: the rule applies to both PUBLISH and SUBSCRIBE operations
  - `all`: the rule applies to all operations (default)
- The fourth position of the tuple is the list of topics restricted by the rule, given as an array. For example:
  - `"$SYS/#"`: a topic filter, meaning the rule applies to topics that match `$SYS/#`; for example, a rule created for `"$SYS/#"` applies to publish/subscribe actions on the topic `$SYS/a/b/c` and to subscribe actions on the topic filter `$SYS/#`
  - `{ eq = "#" }`: exact string equivalence; the rule is only applied to the topic `#`, not to `/a/b/c`, etc.
- In addition, there are two special rules:
  - `{allow, all}`: allow all operations
  - `{deny, all}`: deny all operations
After `rmqtt-acl.toml` has been modified, it is not automatically reloaded into the RMQTT Broker; the reload has to be performed manually:

```bash
curl -X PUT "http://127.0.0.1:6060/api/v1/plugins/1/rmqtt-acl/config/reload"
```
The built-in `rmqtt-acl.toml` supports only the following placeholders in the topic field (the 4th position of the tuple):

- `%c`: the Client ID, replaced by the client's ID when the rule takes effect
- `%u`: the username, replaced by the client's username when the rule takes effect

For example:

```toml
["allow", "all", "pubsub", ["sensor/%c/ctrl"]]
```

This means that a client with the ID `light` is allowed to subscribe and publish to the `sensor/light/ctrl` topic.
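To make the rule semantics above concrete (top-to-bottom first-match evaluation, the `{ eq = "..." }` exact match, `pubsub`/`all` action coverage, and the `%c`/`%u` placeholders), here is a small reference evaluator. It is an added example, not RMQTT's own code: the rule lists mirror the TOML on this page, the client values are constructed, and the MQTT convention that a leading `+` or `#` wildcard does not match `$`-prefixed topics is an assumption of this example rather than a documented behaviour of the broker. A `None` result stands for "no rule hit", which on the real broker falls through to the default ACL rule.

```python
"""Reference evaluator for rmqtt-acl style rules (added example, not RMQTT code)."""

from dataclasses import dataclass
from typing import Optional

@dataclass
class Client:
    clientid: str
    username: Optional[str] = None
    password: Optional[str] = None
    ipaddr: str = "10.0.0.5"   # constructed default, not a broker value

# Constructed rule list mirroring the TOML on this page
RULES = [
    ["allow", {"user": "dashboard"}, "subscribe", ["$SYS/#"]],
    ["allow", {"ipaddr": "127.0.0.1"}, "pubsub", ["$SYS/#", "#"]],
    ["deny", "all", "subscribe", ["$SYS/#", {"eq": "#"}]],
    ["allow", "all"],
]

# Constructed per-device policy using the %c placeholder: a client may only use its own topic
PER_DEVICE_RULES = [
    ["allow", "all", "pubsub", ["sensor/%c/ctrl"]],
    ["deny", "all", "pubsub"],
]

def topic_filter_matches(flt, topic):
    """MQTT topic-filter match: '+' matches one level, '#' matches the rest (zero or more).
    Per the MQTT spec a wildcard in the first level does not match '$'-prefixed topics
    (assumed here for the example)."""
    fparts, tparts = flt.split("/"), topic.split("/")
    if fparts[0] in ("+", "#") and tparts[0].startswith("$"):
        return False
    for i, fp in enumerate(fparts):
        if fp == "#":
            return True
        if i >= len(tparts) or (fp != "+" and fp != tparts[i]):
            return False
    return len(tparts) == len(fparts)

def _expand(pattern, client):
    # %c -> client ID, %u -> username (empty if the client sent none)
    return pattern.replace("%c", client.clientid).replace("%u", client.username or "")

def _who_matches(who, client):
    if who == "all":
        return True
    attrs = {"user": client.username, "password": client.password,
             "clientid": client.clientid, "ipaddr": client.ipaddr}
    # every key given in the rule must match; 'superuser' is a flag, not a match key
    return all(attrs.get(k) == v for k, v in who.items() if k != "superuser")

def _action_covered(rule_action, action):
    if rule_action in ("all", action):
        return True
    return rule_action == "pubsub" and action in ("publish", "subscribe")

def _topic_matches(spec, topic, client):
    if isinstance(spec, dict):          # { eq = "..." }: exact string comparison only
        return topic == _expand(spec["eq"], client)
    return topic_filter_matches(_expand(spec, client), topic)

def check_acl(rules, client, action, topic=None):
    """Walk the rules top to bottom and return 'allow' or 'deny' from the first rule hit,
    or None when no rule hits (the broker would then consult its default ACL)."""
    for rule in rules:
        permission, who = rule[0], rule[1]
        rule_action = rule[2] if len(rule) > 2 else "all"   # 3rd position defaults to all
        topics = rule[3] if len(rule) > 3 else None          # no 4th position: any topic
        if not _who_matches(who, client) or not _action_covered(rule_action, action):
            continue
        if topics is not None and (
            topic is None or not any(_topic_matches(t, topic, client) for t in topics)
        ):
            continue
        return permission
    return None

if __name__ == "__main__":
    anon = Client("sensor-7", ipaddr="10.0.0.9")
    print(check_acl(RULES, anon, "subscribe", "$SYS/brokers"))        # deny (rule 3)
    print(check_acl(RULES, anon, "subscribe", "/a/b/c"))              # allow (rule 4)
    print(check_acl(PER_DEVICE_RULES, Client("light"), "publish", "sensor/other/ctrl"))  # deny
```

Note that with the page's four rules the final `["allow", "all"]` catches everything the first three do not, so the `%c` rule only restricts anything when it is followed by a deny rule, as in `PER_DEVICE_RULES`; a rule that is never the first hit for any request has no effect.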
::: tip
Only a few simple and general rules are contained in `rmqtt-acl.toml`, which makes it a system-level ACL baseline.
If you need to support complex, large amounts of ACL content, you should implement it in an authentication plugin.
:::