Skip to content

update(authn&authz): Add ${peername} placeholder #2901

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Apr 30, 2025
Merged

update(authn&authz): Add ${peername} placeholder #2901

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 4 additions & 2 deletions en_US/access-control/authn/authn.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,7 @@ The authentication mechanisms supported in EMQX include:

### X.509 Certificate Authentication

EMQX supports [X.509 certificate authentication](./x509.md) for client authentication. Using X.509 certificate authentication in EMQX, clients and servers can establish trusted connections through TLS/SSL, ensuring the authenticity of communication parties and the integrity of the data transmitted. EMQX allows for both one-way and two-way authentication: one-way authentication where only the server is authenticated by the client, and two-way authentication where both client and server mutually verify each other's certificates. This flexibility caters to various levels of security requirements and deployment scenarios.
EMQX supports [X.509 certificate authentication](./x509.md) for client authentication. Using X.509 certificate authentication in EMQX, clients and servers can establish trusted connections through TLS/SSL, ensuring the authenticity of communication parties and the integrity of the data transmitted. EMQX allows for both one-way and two-way authentication: one-way authentication, where only the server is authenticated by the client, and two-way authentication, where both client and server mutually verify each other's certificates. This flexibility caters to various levels of security requirements and deployment scenarios.

### JWT Authentication

Expand Down Expand Up @@ -209,7 +209,9 @@ EMQX currently supports the following placeholders:

- `${peerhost}`: It will be replaced with the client's IP address at runtime. EMQX supports [Proxy Protocol](http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt), that is, even if EMQX is deployed behind some TCP proxy or load balancer, users can still use this placeholder to get the real IP address.

- `${peerport}`: It will be replaced with the client's IP port in runtime.
- `${peerport}`: It will be replaced with the client's IP port at runtime.

- `${peername}`: It will be replaced with the client's IP address and port at runtime, and the format is `IP: PORT`.

- `${cert_subject}`: It will be replaced by the subject of the client's TLS certificate at runtime. If the load balancer sends client certificate information to the TCP listener, ensure that Proxy Protocol v2 is in use.

Expand Down
3 changes: 2 additions & 1 deletion en_US/access-control/authz/authz.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -91,7 +91,8 @@ The following placeholders are supported in query statements:
* `${username}`: It is replaced with the username at runtime. The username comes from the `Username` field in the `CONNECT` packet. If `peer_cert_as_username` is enabled, it is overridden by the fields or the content of the certificate.
* `${clientid}`: It is replaced by the client ID at runtime. The client ID is normally explicitly specified by the client in the `CONNECT` packet. If `use_username_as_clientid` or `peer_cert_as_clientid` is enabled, this field is overridden by the username, fields in the certificate, or the content of the certificate.
* `${peerhost}`: It is replaced with the client's IP address at runtime. EMQX supports [Proxy Protocol](http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt), that is, even if EMQX is deployed behind some TCP proxy or load balancer, users can still use this placeholder to get the real IP address.
- `${peerport}`: It will be replaced with the client's IP port in runtime.
- `${peerport}`: It will be replaced with the client's IP port at runtime.
- `${peername}`: It will be replaced with the client's IP address and port at runtime, and the format is `IP: PORT`.
* `${cert_common_name}`: It is replaced by the Common Name of the client's TLS certificate at runtime. If the load balancer sends client certificate information to the TCP listener, ensure that Proxy Protocol v2 is in use.
* `${cert_subject}`: It is replaced by the subject of the client's TLS certificate at runtime. If the load balancer sends client certificate information to the TCP listener, ensure that Proxy Protocol v2 is in use.
* `${client_attrs.NAME}`: A client attribute. `NAME` will be replaced by an attribute name set based on predefined configurations at runtime. For details about the client attributes, see [MQTT Client Attributes](../../client-attributes/client-attributes.md).
Expand Down
18 changes: 10 additions & 8 deletions zh_CN/access-control/authn/authn.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -188,23 +188,25 @@ SELECT password_hash, salt FROM mqtt_user where username = 'emqx_u' LIMIT 1

目前 EMQX 支持以下占位符:

- `${clientid}`: 将在运行时被替换为客户端 ID。客户端 ID 一般由客户端在 `CONNECT` 报文中显式指定,如果启用了 `use_username_as_clientid` 或 `peer_cert_as_clientid`,则会在连接时被用户名、证书中的字段或证书内容所覆盖。
- `${clientid}`将在运行时被替换为客户端 ID。客户端 ID 一般由客户端在 `CONNECT` 报文中显式指定,如果启用了 `use_username_as_clientid` 或 `peer_cert_as_clientid`,则会在连接时被用户名、证书中的字段或证书内容所覆盖。

- `${username}`: 将在运行时被替换为用户名。用户名来自 `CONNECT` 报文中的 `Username` 字段。如果启用了 `peer_cert_as_username`,则会在连接时被证书中的字段或证书内容所覆盖。
- `${username}`将在运行时被替换为用户名。用户名来自 `CONNECT` 报文中的 `Username` 字段。如果启用了 `peer_cert_as_username`,则会在连接时被证书中的字段或证书内容所覆盖。

- `${password}`: 将在运行时被替换为密码。密码来自 `CONNECT` 报文中的 `Password` 字段。
- `${password}`将在运行时被替换为密码。密码来自 `CONNECT` 报文中的 `Password` 字段。

- `${peerhost}`: 将在运行时被替换为客户端的 IP 地址。EMQX 支持 [Proxy Protocol](http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt),即使 EMQX 部署在某些 TCP 代理或负载均衡器之后,用户也可以使用此占位符获得真实 IP 地址。
- `${peerhost}`将在运行时被替换为客户端的 IP 地址。EMQX 支持 [Proxy Protocol](http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt),即使 EMQX 部署在某些 TCP 代理或负载均衡器之后,用户也可以使用此占位符获得真实 IP 地址。

- `${peerport}`: 它将在运行时被客户端的 IP 端口替换。
- `${peerport}`:将在运行时被客户端的 IP 端口替换。

- `${cert_subject}`: 将在运行时被替换为客户端 TLS 证书的主题(Subject)。如果证书信息是从负载均衡器发送到 EMQX 的 TCP 端口,需要确保负载均衡器使用的是 Proxy Protocol v2
- `${peername}`:将在运行时被替换为客户端的 IP 地址和端口,格式为 `IP: PORT`

- `${cert_common_name}`: 将在运行时被替换为客户端 TLS 证书的通用名称(Common Name)。如果证书信息是从负载均衡器发送到 EMQX 的 TCP 端口,需要确保负载均衡器使用的是 Proxy Protocol v2。
- `${cert_subject}`:将在运行时被替换为客户端 TLS 证书的主题(Subject)。如果证书信息是从负载均衡器发送到 EMQX 的 TCP 端口,需要确保负载均衡器使用的是 Proxy Protocol v2。

- `${cert_common_name}`:将在运行时被替换为客户端 TLS 证书的通用名称(Common Name)。如果证书信息是从负载均衡器发送到 EMQX 的 TCP 端口,需要确保负载均衡器使用的是 Proxy Protocol v2。

- `${client_attrs.NAME}`:某个客户端属性。`NAME` 将在运行时根据预定义配置替换为属性名称。有客户端属性的详细信息,请参见 [MQTT 客户端属性](../../client-attributes/client-attributes.md)。

- `${zone}`: 在运行时将替换为客户端的 Zone。`${zone}` 占位符可以直接用于认证模板中,简化规则创建,并支持基于 Zone 的特定配置。有关 Zone 的详细配置信息,请参见 [Zone 覆盖](../../configuration/configuration.md#zone-覆盖)。
- `${zone}`在运行时将替换为客户端的 Zone。`${zone}` 占位符可以直接用于认证模板中,简化规则创建,并支持基于 Zone 的特定配置。有关 Zone 的详细配置信息,请参见 [Zone 覆盖](../../configuration/configuration.md#zone-覆盖)。

例如,以下 ACL 规则使用 `${zone}` 根据客户端的指定 zone 动态应用权限:

Expand Down
17 changes: 9 additions & 8 deletions zh_CN/access-control/authz/authz.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -90,14 +90,15 @@ SELECT action, permission, topic FROM mqtt_acl where username = 'emqx_u'

EMQX 授权支持的数据查询占位符如下:

- `${username}`: 将在运行时被替换为用户名。用户名来自 `CONNECT` 报文中的 `Username` 字段。如果启用了 `peer_cert_as_username`,则会在连接时被证书中的字段或证书内容所覆盖。
- `${clientid}`: 将在运行时被替换为客户端 ID。客户端 ID 一般由客户端在 `CONNECT` 报文中显式指定,如果启用了 `use_username_as_clientid` 或 `peer_cert_as_clientid`,则会在连接时被用户名、证书中的字段或证书内容所覆盖。
- `${peerhost}`: 将在运行时被替换为客户端的 IP 地址。EMQX 支持 [Proxy Protocol](http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt),即使 EMQX 部署在某些 TCP 代理或负载均衡器之后,用户也可以使用此占位符获得真实 IP 地址。
- `${peerport}`: 它将在运行时被客户端的 IP 端口替换。
- `${cert_common_name}`: 将在运行时被替换为客户端 TLS 证书的通用名称(Common Name)。如果证书信息是从负载均衡器发送到 EMQX 的 TCP 端口,需要确保负载均衡器使用的是 Proxy Protocol v2。
- `${cert_subject}`: 将在运行时被替换为客户端 TLS 证书的主题(Subject)。如果证书信息是从负载均衡器发送到 EMQX 的 TCP 端口,需要确保负载均衡器使用的是 Proxy Protocol v2。
- `${client_attrs.NAME}`: 某个客户端属性。`NAME` 将在运行时根据预定义配置替换为属性名称。有客户端属性的详细信息,请参见 [MQTT 客户端属性](../../client-attributes/client-attributes.md)。
- `${zone}`: 在运行时将替换为客户端的 Zone。`${zone}` 占位符可以直接用于授权模板中。有关 Zone 的详细配置信息,请参见 [Zone 覆盖](../../configuration/configuration.md#zone-覆盖)。
- `${username}`:将在运行时被替换为用户名。用户名来自 `CONNECT` 报文中的 `Username` 字段。如果启用了 `peer_cert_as_username`,则会在连接时被证书中的字段或证书内容所覆盖。
- `${clientid}`:将在运行时被替换为客户端 ID。客户端 ID 一般由客户端在 `CONNECT` 报文中显式指定,如果启用了 `use_username_as_clientid` 或 `peer_cert_as_clientid`,则会在连接时被用户名、证书中的字段或证书内容所覆盖。
- `${peerhost}`:将在运行时被替换为客户端的 IP 地址。EMQX 支持 [Proxy Protocol](http://www.haproxy.org/download/1.8/doc/proxy-protocol.txt),即使 EMQX 部署在某些 TCP 代理或负载均衡器之后,用户也可以使用此占位符获得真实 IP 地址。
- `${peerport}`:将在运行时被客户端的 IP 端口替换。
- `${peername}`:将在运行时被替换为客户端的 IP 地址和端口,格式为 `IP: PORT`。
- `${cert_common_name}`:将在运行时被替换为客户端 TLS 证书的通用名称(Common Name)。如果证书信息是从负载均衡器发送到 EMQX 的 TCP 端口,需要确保负载均衡器使用的是 Proxy Protocol v2。
- `${cert_subject}`:将在运行时被替换为客户端 TLS 证书的主题(Subject)。如果证书信息是从负载均衡器发送到 EMQX 的 TCP 端口,需要确保负载均衡器使用的是 Proxy Protocol v2。
- `${client_attrs.NAME}`:某个客户端属性。`NAME` 将在运行时根据预定义配置替换为属性名称。有客户端属性的详细信息,请参见 [MQTT 客户端属性](../../client-attributes/client-attributes.md)。
- `${zone}`:在运行时将替换为客户端的 Zone。`${zone}` 占位符可以直接用于授权模板中。有关 Zone 的详细配置信息,请参见 [Zone 覆盖](../../configuration/configuration.md#zone-覆盖)。

<!-- TODO
确认 HTTP AuthZ 为什么会多出几个
Expand Down