feat: add client_attr in ACL rules

en_US/access-control/authn/acl.md

@@ -1,8 +1,8 @@
 # Access Control List
 
-EMQX allows presetting client permissions during the authentication phase to control the publish-subscribe permission checks after the client logs in. Currently, both JWT authentication and HTTP authentication support permission presets, using Access Control Lists (ACL) as an optional extension of the authentication result. For example, this can be a private claim `acl` defined in JWT, or an `acl` JSON property returned as part of the HTTP authentication response. After a client connects, its publish and subscribe actions are restricted by these ACL rules.
+This page introduces Access Control Lists (ACL) rules embedded in JWT and HTTP authentication responses. Currently, JWT authentication and HTTP authentication support permission presets, using ACL as an optional extension of the authentication result. For example, this can be a private claim `acl` defined in JWT, or an `acl` JSON property returned as part of the HTTP authentication response. After a client connects, its publish and subscribe actions are restricted by these ACL rules.
 
-This page introduces the ACL rules for presetting client permissions. Authorizing a client using the ACL rules included in the authentication response is concise, efficient, and generally sufficient for most use cases. For more comprehensive but generic authorization methods, refer to [Authorization](../authz/authz.md).
+General ACL rules are stored in `acl.conf`. For details, see [acl.conf](../authz/file.md). For more comprehensive authorization methods, refer to [Authorization](../authz/authz.md).
 
 ::: tip
 

en_US/access-control/authz/file.md

@@ -47,6 +47,8 @@ The rules are matched from top to bottom. If a rule matches, its permission is a
   * `{username, {re, "^dash"}}` : clients with user name matching the [regular expression](https://www.erlang.org/doc/man/re.html#regexp_syntax) `^dash`
   * `{clientid, "dashboard"}` : clients with client ID `dashboard`; also can be `{client, "dashboard"}`
   * `{clientid, {re, "^dash"}}` : clients with client ID matching the [regular expression](https://www.erlang.org/doc/man/re.html#regexp_syntax) `^dash`
+  * `{client_attr, "name", "dashboard"}` : clients with client attribute `name` equal to `dashboard`
+  * `{client_attr, "name", {re, "^dash"}}` : clients with client attribute `name` matching the [regular expression](https://www.erlang.org/doc/man/re.html#regexp_syntax) `^dash`
   * `{ipaddr, "127.0.0.1"}`: clients connecting from IP address `127.0.0.1`. Netmasks are allowed. If EMQX is behind a load balance, `proxy_protocol` should be enabled for the client's MQTT listener. 
   * `{ipaddrs, ["127.0.0.1", ..., ]}` : clients connecting from one of the specified IP addresses `127.0.0.1, ..., `. Netmasks are allowed.
   * `all` : any clients

zh_CN/access-control/authn/acl.md

@@ -1,8 +1,8 @@
 # 权限列表
 
-EMQX 允许在认证阶段为客户端预设权限，用于控制客户端登录后的发布订阅权限检查。目前，JWT 认证和 HTTP 认证支持权限预设，使用权限列表 (ACL) 作为认证结果的可选扩展，例如，JWT 中定义的私有声明 `acl`，或作为 HTTP 认证响应的一部分返回 `acl` JSON 属性。客户端连接后的发布和订阅动作将会受到这些 ACL 规则的限制。
+本页面介绍了 JWT 认证和 HTTP 认证支持的权限列表 (ACL) 规则。目前，JWT 认证和 HTTP 认证支持权限预设，使用 ACL 作为认证结果的可选扩展，例如，JWT 中定义的私有声明 `acl`，或作为 HTTP 认证响应的一部分返回 `acl` JSON 属性。客户端连接后的发布和订阅动作将会受到这些 ACL 规则的限制。
 
-本页面介绍了针对客户端权限预设的 ACL 规则。使用包含在认证响应中的 ACL 规则对客户端进行授权，简洁高效，且通常足以满足大多数使用场景。对于更全面但通用的授权方法，请参阅[授权文档](../authz/authz.md) 。
+通用的 ACL 规则存储在 `acl.conf` 中。详情请参见[acl.conf](../authz/file.md)。更全面的授权方法请参见[授权](../authz/authz.md)。
 
 ::: tip
 通过认证设置的权限列表，将优先于所有授权检查器被检查，参考[授权检查优先级](../authz/authz.md#授权检查优先级)。

zh_CN/access-control/authz/file.md

@@ -50,6 +50,8 @@ EMQX 支持基于 ACL 文件中存储的规则进行授权检查。您可在文
 - `{username, {re, "^dash"}}`：用户名匹配 [正则表达式](https://www.erlang.org/doc/man/re.html#regexp_syntax) `^dash` 的客户端
 - `{clientid, "dashboard"}`：客户端 ID 为 `dashboard` 的客户端，也可写作`{client, "dashboard"}`
 - `{clientid, {re, "^dash"}}`：客户端 ID 匹配 [正则表达式](https://www.erlang.org/doc/man/re.html#regexp_syntax) `^dash` 的客户端
+- `{client_attr, "name", "dashboard"}`：客户端属性 `name` 为 `dashboard` 的客户端
+- `{client_attr, "name", {re, "^dash"}}`：客户端属性 `name` 匹配 [正则表达式](https://www.erlang.org/doc/man/re.html#regexp_syntax) `^dash` 的客户端
 - `{ipaddr, "127.0.0.1"}`：源地址为 `127.0.0.1` 的客户端；支持 CIDR 地址格式。注意：如果 EMQX 部署在负载均衡器后侧，建议为 EMQX 的监听器开启 `proxy_protocol` 配置 <!--这里需要一个超链接，告诉用户如何配置-->，否则 EMQX 可能会使用负载均衡器的源地址。
 - `{ipaddrs, ["127.0.0.1", ..., ]}`：来自多个源地址的客户端，不同 IP 地址之间以 `,` 区分
 - `all`：匹配所有客户端