The Authentication and ACL functions depend on the Auth Database. EMQ Cloud uses PostgreSQL as the data source for both functions. Before using the Authentication and ACL functions, you must open the Auth Database.
Auth Database is a value-added service, which requires you to pay extra fees each month. See the table below for the price information:
| Number of connections | Price |
|---|---|
| Less than 100,000 | $200/month |
| Less than 500,000 | $300/month |
| Less than or equal to 1 million | $500/month |
| More than 1 million | Contact business department |
After the deployment is successfully launched, you can initialize the database as prompted in the Auth Database form on the details page.
When you delete the database, the Authentication and ACL functions will be turned off and all client and ACL data will be deleted. Please follow the prompts carefully.
Before Authentication is enabled, EMQ Cloud uses anonymous authentication by default, meaning that any client can connect to your deployment.
Based on MQTT, Authentication performs connection authentication through a preset Client ID and password, and provides functions such as viewing device online status, changing status change time, and so on.
Before enabling client authentication, the Auth Database must be initialized.
You can add, delete, and modify clients. Modification is limited to disabling or enabling a client. To change a password, you must delete the previously added client and then add it again with the new password.
EMQ Cloud supports batch import of csv format files, and you can download template files for import.
Use the added clientid and password to connect. After the connection is successful, you can see the client online time and status.
When the client authentication function is enabled/disabled, the system will restart EMQX Broker, so please ensure that the restart will not affect you.
After the ACL function is enabled, you can restrict the subscribe and publish actions of clients globally and at the client level. You can also use placeholders to implement dynamic ACLs.
Before enabling ACL, the Auth Database must be initialized.
EMQ Cloud sets the following ACLs by default:
- Allow all devices to publish/subscribe to any topic
- Prohibit non-local devices to publish/subscribe $SYS/# and # topics
Before enabling ACL, the Database must be initialized.
You can add and delete ACL rules on the interface. EMQ Cloud supports batch import of csv format files. You can also download template files for import.
Prohibit all devices from subscribing to the
Select clientid as All ($all), which matches all clients.
Prohibit devices with clientid test_client from publish/subscribe
EMQ Cloud supports dynamic ACL settings using placeholders in topics. The supported placeholders are as follows:
- Client ID placeholder %c, which is replaced by the current client's Client ID when matched
- %u, which is replaced by the current client's Username when matched
ACL Rule coverage
ACL rules are ordered by creation time: a rule higher in the list (more recently created) partially or fully overrides the rules below it in the list.
In the rule shown in the figure below, the bottom rule prohibits all devices from subscribing to the topic /a, and the top rule allows the device whose Client ID is test_client to subscribe to the topic.
The actual effect is: only test_client is allowed to subscribe to the topic.
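The placeholder and rule-coverage behaviour described above can be modelled as a first-match evaluation over a list ordered newest first. This is an added example, not EMQ Cloud's code: the `Rule` fields, the `pubsub` action value, the `devices/...` topics and the allow-by-default fallback are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:                      # hypothetical shape, not EMQ Cloud's schema
    allow: bool
    clientid: str                # "$all" matches every client
    action: str                  # "publish", "subscribe" or "pubsub"
    topic: str                   # may hold %c / %u and the wildcards + and #

def topic_matches(topic_filter, topic):
    """Simplified MQTT filter match: + is one level, # is all remaining levels."""
    f, t = topic_filter.split("/"), topic.split("/")
    for i, level in enumerate(f):
        if level == "#":
            return True
        if i >= len(t) or level not in ("+", t[i]):
            return False
    return len(f) == len(t)

def expand(topic, clientid, username):
    """Single-pass substitution of %c and %u with the connecting client's identity."""
    return re.sub(r"%[cu]", lambda m: clientid if m.group() == "%c" else username, topic)

def check(rules, clientid, username, action, topic):
    """rules is ordered like the console list: most recently created first."""
    for r in rules:
        if r.clientid not in ("$all", clientid):
            continue
        if r.action not in ("pubsub", action):
            continue
        if topic_matches(expand(r.topic, clientid, username), topic):
            return r.allow       # the newest matching rule decides
    return True                  # assumed default: every client may use any topic

# Constructed sample lists, newest rule first.
OVERRIDE_RULES = [
    Rule(True, "test_client", "subscribe", "/a"),
    Rule(False, "$all", "subscribe", "/a"),
]
PLACEHOLDER_RULES = [
    Rule(True, "$all", "pubsub", "devices/%c/#"),
    Rule(False, "$all", "pubsub", "devices/#"),
]
```

Swapping the two entries in either list changes the result, which is why a broad deny rule created after a narrow allow rule locks out the client the allow rule was meant for.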
A new ACL takes effect immediately. After an existing ACL is deleted or changed, it takes a minute for the change to take effect.
When enabling/disabling the ACL function, the system will restart the EMQX broker, so please ensure that the restart will not affect you.