Builtin ACL File

    The builtin ACL module is enabled by default; it can be updated or stopped from the dashboard but cannot be deleted.

    Edit the ACL file content directly, or select a file to replace it.


    The builtin ACL is the rule table with the lowest priority. After all other ACL checks have completed, if there is still no match, the default ACL rules are checked.

    The rules file is written in Erlang syntax:

    1. The second rule prohibits all clients from subscribing to the topics $SYS/# and #

    2. The fourth rule allows clients whose username is dashboard to subscribe to the topic $SYS/#, opening an exception to the second rule

    As can be seen, the default ACL mainly restricts clients' access to the system topic $SYS/# and the all-wildcard topic #.

    The grammar of `acl.conf` is documented in the comments at the top of the file. Those familiar with Erlang syntax can read those comments directly; otherwise, refer to the following interpretation:

    - Use `%%` to indicate line comments.

    - Each rule consists of a four-tuple and ends with `.`.

    - The first element of the tuple: the permission applied when the rule is hit. Possible values are:

      * `allow`: allow the operation

      * `deny`: deny the operation

    - The second element of the tuple: the clients the rule applies to. Available formats are:

      * `{user, "dashboard"}`: the rule applies only to clients whose Username is "dashboard"

      * `{client, "dashboard"}`: the rule applies only to clients whose ClientId is "dashboard"

      * `{ipaddr, "127.0.0.1"}`: the rule applies only to clients whose source address is "127.0.0.1"

      * `all`: the rule applies to all clients

    - The third element of the tuple: the operation the rule controls. Possible values are:

      * `publish`: the rule applies to PUBLISH operations

      * `subscribe`: the rule applies to SUBSCRIBE operations

      * `pubsub`: the rule applies to both PUBLISH and SUBSCRIBE operations

    - The fourth element of the tuple: the list of topics the rule restricts, given as an array, for example:

      * `"$SYS/#"`: a topic filter (Topic Filter); the rule hits any topic that matches `$SYS/#`, for example "$SYS/#" itself as well as "$SYS/a/b/c"

      * `{eq, "#"}`: exact string equality. The rule hits only the topic string `#`, not `/a/b/c` and the like.

    - In addition, there are two special rules:

      * `{allow, all}`: allow all operations

      * `{deny, all}`: deny all operations
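    The following is an added example, not code from the page or from EMQX: a small Python model of the four-tuple rule format described above, used to check how a constructed rule table (mirroring the two rules the page discusses) decides a request. It assumes rules are consulted top to bottom with the first hit deciding, and leaves the no-match outcome as a parameter, since that is a broker setting rather than part of the file format.

```python
# Added example: a constructed Python model of the acl.conf four-tuple rule format.
# It is not EMQX's parser; each rule mirrors (permission, who, access, topics).
ALLOW, DENY = "allow", "deny"

def topic_matches(topic_filter, topic):
    """MQTT topic-filter match: '+' matches one level, '#' matches all remaining levels."""
    f_levels, t_levels = topic_filter.split("/"), topic.split("/")
    for i, level in enumerate(f_levels):
        if level == "#":
            return True
        if i >= len(t_levels) or (level != "+" and level != t_levels[i]):
            return False
    return len(f_levels) == len(t_levels)

def who_matches(who, client):
    """Second element: 'all', or ('user'|'client'|'ipaddr', value) matched on the client dict."""
    if who == "all":
        return True
    kind, value = who
    return client.get(kind) == value

def topic_spec_matches(spec, topic):
    """Fourth-element entry: a topic filter such as '$SYS/#', or ('eq', t) for exact equality."""
    if isinstance(spec, tuple) and spec[0] == "eq":
        return spec[1] == topic
    return topic_matches(spec, topic)

def check_acl(rules, client, access, topic, nomatch=DENY):
    """Walk rules top to bottom; the first hit decides (assumption of this model).
    `nomatch` is returned when nothing hits; treat it as a broker-level setting."""
    for rule in rules:
        if len(rule) == 2:                      # special rules (allow, all) / (deny, all)
            return rule[0]
        perm, who, acc, topics = rule
        if acc not in (access, "pubsub") or not who_matches(who, client):
            continue
        if any(topic_spec_matches(spec, topic) for spec in topics):
            return perm
    return nomatch

# Constructed rule table illustrating the two rules the page discusses. With
# first-match semantics the dashboard exception must precede the general deny.
RULES = [
    (ALLOW, ("user", "dashboard"), "subscribe", ["$SYS/#"]),
    (DENY, "all", "subscribe", ["$SYS/#", ("eq", "#")]),
    (ALLOW, "all"),
]
```

Note that `{eq, "#"}` blocks only a subscription to the literal `#` filter, so a client can still subscribe to `/a/b/c`, and ordinary topics fall through to the final `{allow, all}`.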

    TIP

    acl.conf should contain only a few simple, general rules, serving as the base ACL policy of the system. If you need to support complex or large volumes of ACL content, use external resources to implement it.