From 1d64f18868b01d332f74beb6b134e5c999f67510 Mon Sep 17 00:00:00 2001 From: zmstone Date: Thu, 13 Feb 2025 16:57:01 +0100 Subject: [PATCH 1/2] feat: add client_attr in ACL rules --- en_US/access-control/authn/acl.md | 8 ++++++-- en_US/access-control/authz/file.md | 2 ++ zh_CN/access-control/authn/acl.md | 8 ++++++-- zh_CN/access-control/authz/file.md | 2 ++ 4 files changed, 16 insertions(+), 4 deletions(-) diff --git a/en_US/access-control/authn/acl.md b/en_US/access-control/authn/acl.md index 2d2516e53..d001fb1e9 100644 --- a/en_US/access-control/authn/acl.md +++ b/en_US/access-control/authn/acl.md 
@@ -1,8 +1,12 @@ # Access Control List -EMQX allows presetting client permissions during the authentication phase to control the publish-subscribe permission checks after the client logs in. Currently, both JWT authentication and HTTP authentication support permission presets, using Access Control Lists (ACL) as an optional extension of the authentication result. For example, this can be a private claim `acl` defined in JWT, or an `acl` JSON property returned as part of the HTTP authentication response. After a client connects, its publish and subscribe actions are restricted by these ACL rules. +This page introduces ACL rules embedded in JWT and HTTP authentication responses. -This page introduces the ACL rules for presetting client permissions. Authorizing a client using the ACL rules included in the authentication response is concise, efficient, and generally sufficient for most use cases. For more comprehensive but generic authorization methods, refer to [Authorization](../authz/authz.md). +General ACL rules are stored in `acl.conf`. For details, see [acl.conf](../authz/file.md). + +For more comprehensive authorization methods, refer to [Authorization](../authz/authz.md). + +Currently, JWT authentication and HTTP authentication support permission presets, using Access Control Lists (ACL) as an optional extension of the authentication result. For example, this can be a private claim `acl` defined in JWT, or an `acl` JSON property returned as part of the HTTP authentication response. After a client connects, its publish and subscribe actions are restricted by these ACL rules. ::: tip diff --git a/en_US/access-control/authz/file.md b/en_US/access-control/authz/file.md index c6ec3caf8..1875ad593 100644 --- a/en_US/access-control/authz/file.md +++ b/en_US/access-control/authz/file.md 
@@ -47,6 +47,8 @@ The rules are matched from top to bottom. If a rule matches, its permission is a * `{username, {re, "^dash"}}` : clients with user name matching the [regular expression](https://www.erlang.org/doc/man/re.html#regexp_syntax) `^dash` * `{clientid, "dashboard"}` : clients with client ID `dashboard`; also can be `{client, "dashboard"}` * `{clientid, {re, "^dash"}}` : clients with client ID matching the [regular expression](https://www.erlang.org/doc/man/re.html#regexp_syntax) `^dash` + * `{client_attr, "name", "dashboard"}` : clients with client attribute `name` equal to `dashboard` + * `{client_attr, "name", {re, "^dash"}}` : clients with client attribute `name` matching the [regular expression](https://www.erlang.org/doc/man/re.html#regexp_syntax) `^dash` * `{ipaddr, "127.0.0.1"}`: clients connecting from IP address `127.0.0.1`. Netmasks are allowed. If EMQX is behind a load balance, `proxy_protocol` should be enabled for the client's MQTT listener. * `{ipaddrs, ["127.0.0.1", ..., ]}` : clients connecting from one of the specified IP addresses `127.0.0.1, ..., `. Netmasks are allowed. * `all` : any clients diff --git a/zh_CN/access-control/authn/acl.md b/zh_CN/access-control/authn/acl.md index 17eff7c0f..ad5bd194b 100644 --- a/zh_CN/access-control/authn/acl.md +++ b/zh_CN/access-control/authn/acl.md 
@@ -1,8 +1,12 @@ # 权限列表 -EMQX 允许在认证阶段为客户端预设权限,用于控制客户端登录后的发布订阅权限检查。目前,JWT 认证和 HTTP 认证支持权限预设,使用权限列表 (ACL) 作为认证结果的可选扩展,例如,JWT 中定义的私有声明 `acl`,或作为 HTTP 认证响应的一部分返回 `acl` JSON 属性。客户端连接后的发布和订阅动作将会受到这些 ACL 规则的限制。 +本页面介绍了 JWT 认证和 HTTP 认证支持的权限列表 (ACL) 规则。 -本页面介绍了针对客户端权限预设的 ACL 规则。使用包含在认证响应中的 ACL 规则对客户端进行授权,简洁高效,且通常足以满足大多数使用场景。对于更全面但通用的授权方法,请参阅[授权文档](../authz/authz.md) 。 +通用的 ACL 规则存储在 `acl.conf` 中。详情请参见[acl.conf](../authz/file.md)。 + +更全面的授权方法请参见[授权](../authz/authz.md)。 + +目前,JWT 认证和 HTTP 认证支持权限预设,使用权限列表 (ACL) 作为认证结果的可选扩展,例如,JWT 中定义的私有声明 `acl`,或作为 HTTP 认证响应的一部分返回 `acl` JSON 属性。客户端连接后的发布和订阅动作将会受到这些 ACL 规则的限制。 ::: tip 通过认证设置的权限列表,将优先于所有授权检查器被检查,参考[授权检查优先级](../authz/authz.md#授权检查优先级)。 diff --git a/zh_CN/access-control/authz/file.md b/zh_CN/access-control/authz/file.md index d204d7164..9c786b79c 100644 --- a/zh_CN/access-control/authz/file.md +++ b/zh_CN/access-control/authz/file.md @@ -50,6 +50,8 @@ EMQX 支持基于 ACL 文件中存储的规则进行授权检查。您可在文 - `{username, {re, "^dash"}}`:用户名匹配 [正则表达式](https://www.erlang.org/doc/man/re.html#regexp_syntax) `^dash` 的客户端 - `{clientid, "dashboard"}`:客户端 ID 为 `dashboard` 的客户端,也可写作`{client, "dashboard"}` - `{clientid, {re, "^dash"}}`:客户端 ID 匹配 [正则表达式](https://www.erlang.org/doc/man/re.html#regexp_syntax) `^dash` 的客户端 +- `{client_attr, "name", "dashboard"}`:客户端属性 `name` 为 `dashboard` 的客户端 +- `{client_attr, "name", {re, "^dash"}}`:客户端属性 `name` 匹配 [正则表达式](https://www.erlang.org/doc/man/re.html#regexp_syntax) `^dash` 的客户端 - `{ipaddr, "127.0.0.1"}`:源地址为 `127.0.0.1` 的客户端;支持 CIDR 地址格式。注意:如果 EMQX 部署在负载均衡器后侧,建议为 EMQX 的监听器开启 `proxy_protocol` 配置 ,否则 EMQX 可能会使用负载均衡器的源地址。 - `{ipaddrs, ["127.0.0.1", ..., ]}`:来自多个源地址的客户端,不同 IP 地址之间以 `,` 区分 - `all`:匹配所有客户端 From d163c9591e8737b2184babd59f10bf25c60840d6 Mon Sep 17 00:00:00 2001 
From: Meggielqk <126552073+Meggielqk@users.noreply.github.com> Date: Mon, 17 Feb 2025 15:45:58 +0800 Subject: [PATCH 2/2] Editorial updates --- en_US/access-control/authn/acl.md | 8 ++------ zh_CN/access-control/authn/acl.md | 8 ++------ 2 files changed, 4 insertions(+), 12 deletions(-) diff --git a/en_US/access-control/authn/acl.md b/en_US/access-control/authn/acl.md index d001fb1e9..8d758c331 100644 --- a/en_US/access-control/authn/acl.md +++ b/en_US/access-control/authn/acl.md @@ -1,12 +1,8 @@ # Access Control List -This page introduces ACL rules embedded in JWT and HTTP authentication responses. +This page introduces Access Control Lists (ACL) rules embedded in JWT and HTTP authentication responses. Currently, JWT authentication and HTTP authentication support permission presets, using ACL as an optional extension of the authentication result. For example, this can be a private claim `acl` defined in JWT, or an `acl` JSON property returned as part of the HTTP authentication response. After a client connects, its publish and subscribe actions are restricted by these ACL rules. -General ACL rules are stored in `acl.conf`. For details, see [acl.conf](../authz/file.md). - -For more comprehensive authorization methods, refer to [Authorization](../authz/authz.md). - -Currently, JWT authentication and HTTP authentication support permission presets, using Access Control Lists (ACL) as an optional extension of the authentication result. For example, this can be a private claim `acl` defined in JWT, or an `acl` JSON property returned as part of the HTTP authentication response. After a client connects, its publish and subscribe actions are restricted by these ACL rules. +General ACL rules are stored in `acl.conf`. For details, see [acl.conf](../authz/file.md). For more comprehensive authorization methods, refer to [Authorization](../authz/authz.md). ::: tip 
diff --git a/zh_CN/access-control/authn/acl.md b/zh_CN/access-control/authn/acl.md index ad5bd194b..4668b90cd 100644 --- a/zh_CN/access-control/authn/acl.md +++ b/zh_CN/access-control/authn/acl.md @@ -1,12 +1,8 @@ # 权限列表 -本页面介绍了 JWT 认证和 HTTP 认证支持的权限列表 (ACL) 规则。 +本页面介绍了 JWT 认证和 HTTP 认证支持的权限列表 (ACL) 规则。目前,JWT 认证和 HTTP 认证支持权限预设,使用 ACL 作为认证结果的可选扩展,例如,JWT 中定义的私有声明 `acl`,或作为 HTTP 认证响应的一部分返回 `acl` JSON 属性。客户端连接后的发布和订阅动作将会受到这些 ACL 规则的限制。 -通用的 ACL 规则存储在 `acl.conf` 中。详情请参见[acl.conf](../authz/file.md)。 - -更全面的授权方法请参见[授权](../authz/authz.md)。 - -目前,JWT 认证和 HTTP 认证支持权限预设,使用权限列表 (ACL) 作为认证结果的可选扩展,例如,JWT 中定义的私有声明 `acl`,或作为 HTTP 认证响应的一部分返回 `acl` JSON 属性。客户端连接后的发布和订阅动作将会受到这些 ACL 规则的限制。 +通用的 ACL 规则存储在 `acl.conf` 中。详情请参见[acl.conf](../authz/file.md)。更全面的授权方法请参见[授权](../authz/authz.md)。 ::: tip 通过认证设置的权限列表,将优先于所有授权检查器被检查,参考[授权检查优先级](../authz/authz.md#授权检查优先级)。
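Review bot: In the first en_US/access-control/authn/acl.md hunk (patch 1/2), the restructured intro puts the two cross-reference paragraphs (`acl.conf`, Authorization) between the one-line page summary and the paragraph that actually explains what an auth-embedded ACL is, so a reader meets "For more comprehensive authorization methods" before learning what the JWT/HTTP ACL does. Suggest placing the explanatory paragraph ("Currently, JWT authentication and HTTP authentication support permission presets, ...") directly after the summary sentence and the two cross-references below it. The deleted sentence ("Authorizing a client using the ACL rules included in the authentication response is concise, efficient, and generally sufficient for most use cases.") was also the only guidance on when to prefer the auth-embedded ACL over a standalone authorizer; a short version of it is worth keeping.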
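Review bot: The two new `client_attr` entries in the en_US/access-control/authz/file.md hunk do not say where a client attribute comes from or how the rule behaves when the connecting client has no attribute named `name`. Because this feeds an allow/deny decision, the entry should state explicitly that a rule referencing an attribute the client lacks does not match (and so falls through to the next rule), and link to the page that documents how attributes are populated, rather than leaving readers to assume. A caveat worth adding beside `{client_attr, "name", {re, "^dash"}}` (it applies equally to the `username`/`clientid` regex forms above it): the pattern is anchored only at the start, so `^dash` also matches `dashboard-test`; an `allow` rule written this way grants access to more clients than the author may intend, and `^dash$` or a stricter pattern avoids that. Drive-by in the unchanged `ipaddr` context line: "load balance" should read "load balancer", and the zh_CN counterpart already spells out the consequence of leaving `proxy_protocol` off (EMQX may see the load balancer's address instead of the client's); since this file is touched here, porting that sentence would bring the two locales in line.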
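Review bot: The zh_CN/access-control/authn/acl.md hunk in patch 1/2 is not parallel to the en_US one: the en_US summary says the rules are "embedded in JWT and HTTP authentication responses", while the zh_CN line reads "JWT 认证和 HTTP 认证支持的权限列表 (ACL) 规则" (ACL rules supported by JWT and HTTP authentication). Pick one phrasing and mirror it so the locales stay in sync. The same paragraph-order comment as for the en_US hunk applies here: the explanatory "目前,JWT 认证和 HTTP 认证支持权限预设..." paragraph should follow the summary sentence, with the `acl.conf` and 授权 cross-references after it.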
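Review bot: The zh_CN/access-control/authz/file.md hunk mirrors the en_US `client_attr` entries and has the same documentation gap: it should say where client attributes are populated from and that a rule naming an attribute the client does not carry simply fails to match. The regex caveat applies here too, since "匹配 正则表达式 `^dash`" is only start-anchored and will match any attribute value beginning with `dash`. The `-` bullet style matches the rest of this file's list, which is correct even though the en_US file uses `*`.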
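Review bot: In the en_US/access-control/authn/acl.md hunk of patch 2/2, "Access Control Lists (ACL) rules" should read "Access Control List (ACL) rules" (singular noun used attributively). The merge otherwise resolves the paragraph-order problem introduced in patch 1/2. One further wording point on the same line: for JWT the ACL is a claim inside the token, not a "response", so "embedded in JWT and HTTP authentication responses" is imprecise; "carried in a JWT claim or in the HTTP authentication response" matches what the next sentence describes.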
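Review bot: In the zh_CN/access-control/authn/acl.md hunk of patch 2/2, the merged first paragraph repeats its subject: the second sentence opens with "目前,JWT 认证和 HTTP 认证支持权限预设" immediately after the first sentence already said "本页面介绍了 JWT 认证和 HTTP 认证支持的权限列表 (ACL) 规则". Suggest dropping the repeated "目前,JWT 认证和 HTTP 认证支持权限预设," and continuing from "使用 ACL 作为认证结果的可选扩展". With that, the zh_CN and en_US intros are parallel again.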