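%%--------------------------------------------------------------------
%% EMQX ACL configuration
%%
%% Rules are evaluated top to bottom and the FIRST rule whose "who"
%% and topic filter both match decides the request; nothing below it
%% is consulted. Order is therefore policy: a broad rule placed above
%% a narrow one silently wins, which is why each section below ends
%% with the deny it relies on rather than trusting the final catch-all.
%%
%% NOTE(review): `${clientid}` is substituted verbatim into the topic
%% filter. Unless the authenticator rejects client IDs that contain
%% MQTT wildcard characters (`+`, `#`) or `/`, a client that connects
%% as clientid "+" turns "device/${clientid}/meta/#" into
%% "device/+/meta/#" and gains access to every device's namespace.
%% Confirm the clientid policy before relying on these rules for
%% tenant isolation.
%%--------------------------------------------------------------------

%% =========================
%% Device user permissions
%% =========================

%% Devices can publish ONLY to their own namespace.
%% NOTE(review): every device shares the username "device", so
%% isolation between devices rests entirely on the clientid. A device
%% that connects with another device's clientid inherits that device's
%% namespace; per-device credentials bound to the clientid at
%% authentication time would close that gap.
{allow, {user, "device"}, publish, ["device/${clientid}/meta/#"]}.
{allow, {user, "device"}, publish, ["device/${clientid}/property/#"]}.
{allow, {user, "device"}, publish, ["device/${clientid}/command/#"]}.

%% Devices can receive commands
{allow, {user, "device"}, subscribe, ["device/${clientid}/command/#"]}.

%% Everything else is off-limits to devices. Without this line a
%% "device" client is also an authenticated user and would fall
%% through to the section below, where it could publish commands to
%% ANY device and subscribe to every device's property stream.
%% If devices ever need the response-inbox topics, move those allow
%% rules above this deny.
{deny, {user, "device"}, all, ["#"]}.

%% =========================
%% Authenticated users
%% =========================

{allow, {user, "bob"}, subscribe, ["device/#"]}.

%% Any authenticated user can read all device topics.
%% "Authenticated" is expressed as "presented a non-empty username":
%% anonymous clients have no username and therefore do not match.
%% NOTE(review): the previous form `{user, all}` is not a documented
%% "any user" matcher in EMQX 5 and may be compiled as the literal
%% username "all", which would make these rules dead; the regex form
%% is unambiguous and is a superset of that reading.
{allow, {username, {re, ".+"}}, subscribe, ["device/+/meta/#"]}.
{allow, {username, {re, ".+"}}, subscribe, ["device/+/property/#"]}.
{allow, {username, {re, ".+"}}, subscribe, ["device/+/command/#"]}.

%% Any authenticated user can publish commands to any device.
%% This is the single most powerful grant in the file: every
%% authenticated non-device client can drive every device. Narrow
%% the "who" here (a dedicated operator username, or `{'and', ...}`
%% with an `ipaddr` restriction) if not every account should be able
%% to issue commands.
{allow, {username, {re, ".+"}}, publish, ["device/+/command/+"]}.

%% =========================
%% Response topic mechanism
%% =========================

%% Clients can SUBSCRIBE to their own response inbox
{allow, {username, {re, ".+"}}, subscribe, ["client/${clientid}/responses/#"]}.

%% Authenticated users can PUBLISH to any client response inbox.
%% NOTE(review): this means any authenticated client can inject a
%% message into any other client's inbox, so a response's topic alone
%% does not prove who sent it. If responses must be trusted, restrict
%% the publisher here to the responding identities, or have consumers
%% verify the payload (e.g. a correlation id or signature).
{allow, {username, {re, ".+"}}, publish, ["client/+/responses/#"]}.

%% (No subscribe permission on other clients' inboxes -> enforced by
%% the default deny at the end of the file.)

%% =========================
%% Unauthenticated users
%% =========================

%% Allow anyone -- authenticated or not -- to read ONLY meta topics.
%% `all` is used instead of `{ipaddr, "0.0.0.0/0"}`: the CIDR form
%% matched IPv4 peers only, so anonymous clients arriving over an IPv6
%% listener fell through to the default deny. Authenticated clients
%% already hold this permission from the rules above, so the grant is
%% effectively "anonymous clients may read meta".
%% NOTE(review): this only matters if anonymous connections are
%% enabled in the authentication config; if they are not, this rule
%% is harmless but unreachable.
{allow, all, subscribe, ["device/+/meta/#"]}.

%% =========================
%% Default deny
%% =========================

%% Anything not explicitly allowed above is rejected.
{deny, all}.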