Zone support for HTTP authn/authz #5136
dzmitry-dziokin started this conversation in Ideas
Hi folks!
We would like to introduce Zone support in emqx_auth_http to customize authentication/authorization for clients connecting to the internal zone. These changes would help us to improve authentication/authorization for service-type users with wide shared subscriptions.
Firstly, a service user can connect only to the internal zone (through an internal Load Balancer). So we have introduced a zone parameter to send to the authentication REST endpoint.
Secondly, an ACL 'ignore zone' is introduced to define the zone for which calls to the authorization REST endpoint should be ignored (ignore is returned). This ACL ignore zone helps authorize service users that use wide shared subscriptions, for example in our case: $share/be/d/+/out/+/+/# . These changes help us to improve performance.
As an alternative we considered a superuser check for the service user, but the approach with the ignore zone gives us the possibility to restrict permissions for the service user using acl.conf.
Patch is attached ('diff' format is not supported, thus I've made it .txt):
emqx-auth-http-v4.3.4.diff.txt
Guide to apply patch:
mv emqx-auth-http-v4.3.4.diff.txt emqx-auth-http-v4.3.4.diff
git clone https://github.com/emqx/emqx.git
cd emqx
git checkout main-v4.3
git apply -p1 <../emqx-auth-http-v4.3.4.diff
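
Added example, not part of the original post or the attached patch: a simplified Python model of the flow the post describes, showing that a client in the ignore zone skips the authorization REST call but is still bound by acl.conf-style rules. The zone name, account name, rule list, function names, the deny-on-no-match policy and the stripping of the `$share/<group>/` prefix before matching are all assumptions made for illustration.

```python
# Simplified model of the flow described in the post; all names/values are hypothetical.
INTERNAL_ZONE = "internal"        # assumed zone name
ACL_IGNORE_ZONE = "internal"      # assumed value of the proposed 'ignore zone' setting
SERVICE_USERS = {"svc-backend"}   # constructed sample account
# Constructed stand-in for acl.conf: (username, action, topic filter)
ACL_CONF = [("svc-backend", "subscribe", "d/+/out/+/+/#")]

def strip_share(topic_filter):
    """'$share/<group>/<filter>' -> '<filter>' (assumes ACLs see the real filter)."""
    parts = topic_filter.split("/", 2)
    return parts[2] if parts[0] == "$share" and len(parts) == 3 else topic_filter

def matches(rule, topic):
    """Level-by-level match: '+' in the rule covers one level, '#' the remainder."""
    r, t = rule.split("/"), topic.split("/")
    for i, word in enumerate(r):
        if word == "#":
            return True
        if i >= len(t) or (word != "+" and word != t[i]):
            return False
    return len(r) == len(t)

def http_authn(username, zone):
    """Stand-in for the auth REST endpoint, which now receives the zone."""
    if username in SERVICE_USERS:
        return zone == INTERNAL_ZONE   # service users only via the internal zone
    return True                        # credential checks omitted in this model

def http_acl(zone, call_backend):
    """Proposed behaviour: no REST call for the ignore zone, return 'ignore'."""
    return "ignore" if zone == ACL_IGNORE_ZONE else call_backend()

def acl_conf(username, action, topic_filter):
    """Next checker in the chain; assumes a no-match policy of deny."""
    real = strip_share(topic_filter)
    for user, act, rule in ACL_CONF:
        if user == username and act == action and matches(rule, real):
            return "allow"
    return "deny"

def authorize(username, zone, action, topic_filter, call_backend):
    result = http_acl(zone, call_backend)
    return acl_conf(username, action, topic_filter) if result == "ignore" else result
```
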