emqtt Trial (4): EMQ Topic Access Control with acl.conf


Access Control (ACL)

The EMQ message server implements MQTT client access control through an ACL (Access Control List).

ACL rule definition:

Allow|Deny (Who) Subscribe|Publish (Topics)

When an MQTT client issues a subscribe or publish request, the EMQ server's access control module matches the ACL rules one by one until a rule matches:

          ---------              ---------              ---------
Client -> |  Rule1  | --nomatch--> |  Rule2  | --nomatch--> |  Rule3  | --> Default
          ---------              ---------              ---------
              |                      |                      |
            match                  match                  match
             \|/                    \|/                    \|/
        allow | deny           allow | deny           allow | deny

Default Access Control Settings

The EMQ server's default access control is set in etc/emq.conf:

## ACL nomatch
mqtt.acl_nomatch = allow

## Default ACL File
mqtt.acl_file = etc/acl.conf

The ACL rules are defined in etc/acl.conf and loaded into memory when EMQ starts:

%% Allow 'dashboard' to subscribe '$SYS/#'
{allow, {user, "dashboard"}, subscribe, ["$SYS/#"]}.

%% Allow clients from localhost to subscribe any topics
{allow, {ipaddr, "127.0.0.1"}, pubsub, ["$SYS/#", "#"]}.

%% Deny clients to subscribe '$SYS/#' and '#'
{deny, all, subscribe, ["$SYS/#", {eq, "#"}]}.

%% Allow all by default
{allow, all}.

HTTP Plugin Access Control

Note

Once the HTTP plugin is enabled, it terminates the ACL chain.

Access control implemented by an HTTP API: https://github.com/emqtt/emq_auth_http

After enabling the HTTP auth plugin, configure etc/plugins/emq_auth_http.conf:

## 'access' parameter: sub = 1, pub = 2
auth.http.acl_req = http://127.0.0.1:8080/mqtt/acl
auth.http.acl_req.method = get
auth.http.acl_req.params = access=%A,username=%u,clientid=%c,ipaddr=%a,topic=%t
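The following is an added example, not part of emq_auth_http or of the original post: a minimal WSGI endpoint that answers the acl_req request configured above. It reads the parameters EMQ substitutes into the query string (access=%A, username=%u, clientid=%c, ipaddr=%a, topic=%t) and replies with HTTP 200 to allow and 403 to deny; that status convention, the per-user topic namespace "users/<username>/", the loopback admin exception and the port are all assumptions made for the example.

```python
"""Added illustration (assumed policy, not anything EMQ prescribes): an HTTP ACL
endpoint for auth.http.acl_req.  200 = allow, 403 = deny (assumed convention)."""
from urllib.parse import parse_qs
from wsgiref.simple_server import make_server

SUB, PUB = "1", "2"          # 'access' parameter as EMQ sends it: sub = 1, pub = 2


def decide(access, username, clientid, ipaddr, topic):
    """Return True (allow) or False (deny) for one subscribe/publish request.

    Policy (an assumption for this example): every user owns the namespace
    users/<username>/ ; only 'admin' connecting from loopback may go outside it.
    """
    if not username or not topic:
        return False
    # A '+', '#' or '/' inside the user name would turn the user's own prefix
    # into a wildcard over other users' namespaces, so refuse such names.
    if any(c in username for c in "+#/"):
        return False
    if username == "admin" and ipaddr == "127.0.0.1":
        return True
    if topic.startswith("$SYS/"):
        return False            # broker internals stay off-limits to regular users
    prefix = f"users/{username}/"
    if access == SUB:
        return topic.startswith(prefix)          # e.g. users/alice/# or users/alice/+
    if access == PUB:
        # publishes must name a concrete topic: no wildcard characters
        return topic.startswith(prefix) and "+" not in topic and "#" not in topic
    return False                # unknown access code: deny


def application(environ, start_response):
    """WSGI app: GET /mqtt/acl?access=..&username=..&clientid=..&ipaddr=..&topic=.."""
    q = parse_qs(environ.get("QUERY_STRING", ""))
    get = lambda k: q.get(k, [""])[0]
    ok = decide(get("access"), get("username"), get("clientid"), get("ipaddr"), get("topic"))
    status = "200 OK" if ok else "403 Forbidden"
    start_response(status, [("Content-Type", "text/plain")])
    return [status.encode()]


def query(query_string):
    """Run the app on a query string without a socket; returns the status line."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    application({"REQUEST_METHOD": "GET", "QUERY_STRING": query_string}, start_response)
    return captured["status"]


if __name__ == "__main__":
    # Serves on the address used in the sample emq_auth_http.conf above.
    with make_server("127.0.0.1", 8080, application) as httpd:
        httpd.serve_forever()
```

The username check matters because EMQ substitutes %u verbatim: a policy built from string prefixes is only as tight as the characters it lets into the prefix.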

MySQL Plugin Access Control

The MySQL plugin defines its ACL rules in the mqtt_acl table:

CREATE TABLE `mqtt_acl` (
  `id` int(11) unsigned NOT NULL AUTO_INCREMENT,
  `allow` int(1) DEFAULT NULL COMMENT '0: deny, 1: allow',
  `ipaddr` varchar(60) DEFAULT NULL COMMENT 'IpAddress',
  `username` varchar(100) DEFAULT NULL COMMENT 'Username',
  `clientid` varchar(100) DEFAULT NULL COMMENT 'ClientId',
  `access` int(2) NOT NULL COMMENT '1: subscribe, 2: publish, 3: pubsub',
  `topic` varchar(100) NOT NULL DEFAULT '' COMMENT 'Topic Filter',
  PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

INSERT INTO mqtt_acl (id, allow, ipaddr, username, clientid, access, topic)
VALUES
  (1,1,NULL,'$all',NULL,2,'#'),
  (2,0,NULL,'$all',NULL,1,'$SYS/#'),
  (3,0,NULL,'$all',NULL,1,'eq #'),
  (5,1,'127.0.0.1',NULL,NULL,2,'$SYS/#'),
  (6,1,'127.0.0.1',NULL,NULL,2,'#'),
  (7,1,NULL,'dashboard',NULL,1,'$SYS/#');

Configure 'acl_query' and 'acl_nomatch' in etc/plugins/emq_auth_mysql.conf:

## ACL Query Command
auth.mysql.acl_query = select allow, ipaddr, username, clientid, access, topic from mqtt_acl where ipaddr = '%a' or username = '%u' or username = '$all' or clientid = '%c'

PostgreSQL Plugin Access Control

The PostgreSQL plugin defines its ACL rules in the mqtt_acl table:

CREATE TABLE mqtt_acl (
  id SERIAL primary key,
  allow integer,
  ipaddr character varying(60),
  username character varying(100),
  clientid character varying(100),
  access integer,
  topic character varying(100)
);

INSERT INTO mqtt_acl (id, allow, ipaddr, username, clientid, access, topic)
VALUES
  (1,1,NULL,'$all',NULL,2,'#'),
  (2,0,NULL,'$all',NULL,1,'$SYS/#'),
  (3,0,NULL,'$all',NULL,1,'eq #'),
  (5,1,'127.0.0.1',NULL,NULL,2,'$SYS/#'),
  (6,1,'127.0.0.1',NULL,NULL,2,'#'),
  (7,1,NULL,'dashboard',NULL,1,'$SYS/#');

Set 'acl_query' and 'acl_nomatch' in etc/plugins/emq_auth_pgsql.conf:

## ACL Query. Comment this query, the acl will be disabled.
auth.pgsql.acl_query = select allow, ipaddr, username, clientid, access, topic from mqtt_acl where ipaddr = '%a' or username = '%u' or username = '$all' or clientid = '%c'
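To show how the two rule sources on this page are actually evaluated, here is an added example that is not EMQ's own code and not part of the original post: a simplified evaluator for the acl.conf rule chain shown in the "Default Access Control Settings" section and for the rows that the MySQL/PostgreSQL acl_query above selects from mqtt_acl. Assumptions: the topic matcher is a plain re-implementation of MQTT '+'/'#' filter matching; the SQL part uses an in-memory SQLite table with portable column types, the page's query rewritten with bound '?' parameters in place of %a/%u/%c, and an explicit ORDER BY id added so that the row order (which decides the outcome) is not left to the database.

```python
"""Added illustration, not EMQ's code: evaluate (a) an acl.conf-style chain and
(b) the mqtt_acl rows returned by acl_query, the way the diagram above describes:
first matching rule/row wins, otherwise acl_nomatch decides."""
import sqlite3

SUB, PUB = 1, 2                       # plugin access codes: 1 subscribe, 2 publish, 3 pubsub
ACTION = {"subscribe": SUB, "publish": PUB, "pubsub": SUB | PUB}


def topic_match(name, filt):
    """True if topic (or subscription) `name` is covered by topic filter `filt`."""
    n, f = name.split("/"), filt.split("/")
    for i, level in enumerate(f):
        if level == "#":              # multi-level wildcard covers the rest
            return True
        if i >= len(n) or (level != "+" and level != n[i]):
            return False
    return len(n) == len(f)


def who_match(who, client):
    """`who` is 'all', ('user', Username) or ('ipaddr', IP); `client` is a dict."""
    if who == "all":
        return True
    kind, value = who
    return client.get(kind) == value


# The rules of the sample etc/acl.conf as Python tuples; ('eq', T) stands for {eq, T}.
ACL_CONF = [
    ("allow", ("user", "dashboard"), "subscribe", ["$SYS/#"]),
    ("allow", ("ipaddr", "127.0.0.1"), "pubsub", ["$SYS/#", "#"]),
    ("deny", "all", "subscribe", ["$SYS/#", ("eq", "#")]),
    ("allow", "all"),
]


def check_chain(rules, client, access, topic, nomatch="allow"):
    """Walk the chain in order; the first matching rule decides, else mqtt.acl_nomatch."""
    for rule in rules:
        if len(rule) == 2:                                  # {allow, all} / {deny, all}
            if who_match(rule[1], client):
                return rule[0]
            continue
        verdict, who, action, topics = rule
        if not who_match(who, client) or not ACTION[action] & access:
            continue
        for t in topics:
            hit = topic == t[1] if isinstance(t, tuple) else topic_match(topic, t)
            if hit:
                return verdict
    return nomatch


# mqtt_acl with portable types (the page's DDL uses MySQL/PostgreSQL-specific types).
MQTT_ACL_DDL = """CREATE TABLE mqtt_acl (
    id INTEGER PRIMARY KEY, allow INTEGER, ipaddr TEXT, username TEXT,
    clientid TEXT, access INTEGER NOT NULL, topic TEXT NOT NULL DEFAULT '')"""
MQTT_ACL_ROWS = [                     # the sample rows from the page; 'eq #' = exactly '#'
    (1, 1, None, "$all", None, 2, "#"),
    (2, 0, None, "$all", None, 1, "$SYS/#"),
    (3, 0, None, "$all", None, 1, "eq #"),
    (5, 1, "127.0.0.1", None, None, 2, "$SYS/#"),
    (6, 1, "127.0.0.1", None, None, 2, "#"),
    (7, 1, None, "dashboard", None, 1, "$SYS/#"),
]
# acl_query with %a/%u/%c as bound parameters (never string-substituted) + ORDER BY id.
ACL_QUERY = ("select allow, ipaddr, username, clientid, access, topic from mqtt_acl "
             "where ipaddr = ? or username = ? or username = '$all' or clientid = ? "
             "order by id")


def acl_db():
    """In-memory stand-in for the plugin's database, loaded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(MQTT_ACL_DDL)
    conn.executemany("INSERT INTO mqtt_acl VALUES (?,?,?,?,?,?,?)", MQTT_ACL_ROWS)
    return conn


def check_sql(conn, client, access, topic, nomatch="allow"):
    """Fetch the client's rows and apply them in order; no hit -> acl_nomatch."""
    params = (client.get("ipaddr"), client.get("user"), client.get("clientid"))
    for allow, _ip, _user, _cid, row_access, row_topic in conn.execute(ACL_QUERY, params):
        if not row_access & access:                          # 1 sub, 2 pub, 3 both
            continue
        hit = (topic == row_topic[3:]) if row_topic.startswith("eq ") else topic_match(topic, row_topic)
        if hit:
            return "allow" if allow == 1 else "deny"
    return nomatch


if __name__ == "__main__":
    alice = {"user": "alice", "ipaddr": "10.0.0.5", "clientid": "c1"}
    print(check_chain(ACL_CONF, alice, SUB, "#"))          # deny: {eq, "#"} in rule 3
    print(check_sql(acl_db(), alice, PUB, "sensors/1"))   # allow: row 1 ('$all', 2, '#')
```

Two things the evaluator makes visible: {eq, "#"} (or 'eq #' in a row) denies only a subscription to exactly "#", so a client can still subscribe to "sensors/#"; and the deny rule in the sample acl.conf is for subscribe only, so a publish to a $SYS topic falls through to the final {allow, all}.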

Redis Plugin Access Control

A Redis hash stores the access control rules of one MQTT client:

HSET mqtt_acl:<username> topic1 1
HSET mqtt_acl:<username> topic2 2
HSET mqtt_acl:<username> topic3 3

Configure 'acl_cmd' and 'acl_nomatch' in etc/plugins/emq_auth_redis.conf:

## ACL Query Command
auth.redis.acl_cmd = HGETALL mqtt_acl:%u

MongoDB Plugin Access Control

Create the mqtt_acl collection in the MongoDB database:

{
    username: "username",
    clientid: "clientid",
    publish: ["topic1", "topic2", ...],
    subscribe: ["subtop1", "subtop2", ...],
    pubsub: ["topic/#", "topic1", ...]
}

Insert documents into the mqtt_acl collection, for example:

db.mqtt_acl.insert({username: "test", publish: ["t/1", "t/2"], subscribe: ["user/%u", "client/%c"]})
db.mqtt_acl.insert({username: "admin", pubsub: ["#"]})

Configure 'acl_query' and 'acl_nomatch' in etc/plugins/emq_auth_mongo.conf:

## acl_query
auth.mongo.acl_query.collection = mqtt_user
auth.mongo.acl_query.selector = username=%u

