ACL implementation #36

Open
Francesko90 opened this issue Apr 12, 2018 · 11 comments

@Francesko90

Francesko90 commented Apr 12, 2018

I see that all the other authentication plugins have ACL (mysql, postgres, etc.).

In this plugin it is possible for all clients to subscribe to all topics if the client knows the topic structure.
My idea was to have inside the JWT the names of the topics where the client can subscribe or publish:

{
  "id": 5,
  "iat": 1522935842,
  "exp": 1522939442,
  "topics": ["x", "y", "z"]
}

Is it a bad idea? Is there anything else that allows you to do this already?
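A sketch of the claim-based check proposed above, as an added Python example (not code from emqx-auth-jwt or from the getautomata fork): the token carries a "topics" claim holding MQTT topic filters, the broker verifies the HS256 signature and the exp claim, and a publish or subscribe is allowed only when the topic matches one of the listed filters. The secret, the sample claims and the choice of HS256 are constructed assumptions for the example.

```python
import base64
import hashlib
import hmac
import json

# Constructed sample values for this example (not from the issue thread).
SECRET = b"example-shared-secret"
SAMPLE_CLAIMS = {"id": 5, "iat": 1522935842, "exp": 1522939442,
                 "topics": ["sensors/5/+", "cmd/5/#"]}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims: dict, secret: bytes) -> str:  # only used to build the sample token
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_hs256(token: str, secret: bytes):
    """Return the claims if alg is HS256 and the signature verifies, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        if json.loads(_unb64url(header_b64)).get("alg") != "HS256":
            return None  # refuse alg=none and any algorithm we did not expect
        expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(sig_b64)):
            return None
        return json.loads(_unb64url(payload_b64))
    except (ValueError, TypeError):
        return None  # malformed token, bad base64 or bad JSON

def topic_matches(pattern: str, topic: str) -> bool:
    """MQTT filter match: '+' is one level, '#' the remainder; '$' topics need a literal prefix."""
    if topic.startswith("$") and pattern[:1] in ("+", "#"):
        return False
    pat, lvls = pattern.split("/"), topic.split("/")
    for i, part in enumerate(pat):
        if part == "#":
            return True
        if i >= len(lvls) or (part != "+" and part != lvls[i]):
            return False
    return len(pat) == len(lvls)

def acl_allows(claims, topic: str, now: int) -> bool:
    """Allow publish/subscribe on `topic` only if the token is unexpired and lists it."""
    if claims is None or now >= claims.get("exp", 0):
        return False
    return any(topic_matches(p, topic) for p in claims.get("topics", []))
```

A token that fails signature or algorithm checks yields no claims at all, so it is denied before any topic comparison; an expired token is denied even if the topic is listed.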

@dopry

dopry commented Jun 18, 2018

@terry-xiaoyu, @emqplus, I've asked someone to help with this feature over the next few days for one of my projects. It's being done in our fork, getautomata#1. If you have any feedback on the specification so we can keep it ready to submit here let me know.

@memelet

memelet commented Jan 26, 2019

What ever happened to this? It looks like the work was completed on the fork.

@dopry

dopry commented Jan 28, 2019

We completed it and are using it in our own projects. We never got feedback from @terry-xiaoyu or @emqplus as to whether they like the implementation and would like us to submit a PR.

@memelet

memelet commented Jan 29, 2019

So it's not your master branch, but with the PR applied?

@knvpk

knvpk commented Mar 11, 2019

Can I use authentication with JWT and ACL with the MySQL plugin? Is that possible? Because currently I have a doubt that is raised in the fork project above on static scopes. getautomata#1 (comment)

@turtleDeng turtleDeng assigned HJianBo and unassigned terry-xiaoyu Dec 26, 2019
@kozelok

kozelok commented Mar 9, 2020

Is it possible to add this to the main plugin?

@dopry

dopry commented Mar 10, 2020

@pavankumarkatakam I suspect you can use JWT for authentication (getting the user identity) and MySQL for authorization as long as permissions are keyed on the subject of the JWT. You'd probably have to review the code to be sure. Our design is meant to minimize points of failure. Our requirements for the broker's reliability are fairly high and we didn't want to introduce an additional dependency on SQL. RDBMS typically does not scale well in real-time applications. We issue access tokens with fairly narrow scopes and short lifespans. Typically there are only 3-5 topic permissions in a single token, although a client may request multiple access tokens with different scopes. We determine scopes based on the audience of the token request to our OIDC server.

@pigochu

pigochu commented Oct 16, 2020

I want to use JWT for authentication and use emqx-auth-http for ACL.
But the JWT login has no username, and emqx-auth-http will not send the password (JWT) to the web server.
So I don't know who logged in....
I want to implement dynamic topic ACL.... so I hope EMQX can add this feature.

@hylowaker

+1

@n8o

n8o commented Jun 28, 2021

+1

@sj-lt

sj-lt commented Jul 21, 2021

Hi all,
It would be very nice to have this feature in the main implementation. @HJianBo, is this even being considered by the emqx team?
