%%--------------------------------------------------------------------
%% EMQX ACL configuration
%%--------------------------------------------------------------------
%% =========================
%% Device user permissions
%% =========================
%% Devices can publish ONLY to their own namespace
{allow, {user, "device"}, publish, ["device/${clientid}/meta/#"]}.
{allow, {user, "device"}, publish, ["device/${clientid}/property/#"]}.
{allow, {user, "device"}, publish, ["device/${clientid}/command/#"]}.
%% Devices can receive commands
{allow, {user, "device"}, subscribe, ["device/${clientid}/command/#"]}.
%% =========================
%% Authenticated users
%% =========================
%% Any client matched by "all" can read every device's topics. Note that "all" matches every connected client, so this is limited to authenticated users only if the broker rejects anonymous connections.
{allow, all, subscribe, ["device/+/meta/#"]}.
{allow, all, subscribe, ["device/+/property/#"]}.
{allow, all, subscribe, ["device/+/command/#"]}.
%% Any client matched by "all" can publish commands to any device ("all" also covers anonymous clients if the broker allows them)
{allow, all, publish, ["device/+/command/+"]}.
%% =========================
%% Response topic mechanism
%% =========================
%% Clients can SUBSCRIBE to their own response inbox
{allow, all, subscribe, ["client/${clientid}/responses/#"]}.
%% Any client matched by "all" can PUBLISH to any client's response inbox ("all" also covers anonymous clients if the broker allows them)
{allow, all, publish, ["client/+/responses/#"]}.
%% (No rule grants a subscription to another client's inbox; such requests fall through to the final {deny, all} rule)
%% =========================
%% Default deny
%% =========================
{deny, all}.