deploy(M00-E): 补充EMQX检查模板

2026-06-15 16:48:30 +08:00
parent 4cb3ab6529
commit 86f7da2168
21 changed files with 210 additions and 35 deletions
@@ -0,0 +1,29 @@
+%% Qipai EMQX ACL baseline for device topic isolation.
+%% EMQX ACL files use Erlang tuple rules and are matched from top to bottom.
+%% Replace example usernames and topic namespaces after M06 device onboarding.
+
+%% Device clients may publish telemetry/status under their own client id.
+{allow, {clientid, {re, "^qipai-device-[A-Za-z0-9_-]+$"}}, publish, [
+  "qipai/${clientid}/telemetry",
+  "qipai/${clientid}/status",
+  "qipai/${clientid}/event/#"
+]}.
+
+%% Device clients may subscribe only to commands for their own client id.
+{allow, {clientid, {re, "^qipai-device-[A-Za-z0-9_-]+$"}}, subscribe, [
+  "qipai/${clientid}/command/#"
+]}.
+
+%% Backend service may publish commands and subscribe to device events.
+{allow, {username, "qipai_backend"}, all, [
+  "qipai/+/command/#",
+  "qipai/+/telemetry",
+  "qipai/+/status",
+  "qipai/+/event/#"
+]}.
+
+%% Do not expose system topics or broad wildcards to ordinary clients.
+{deny, all, subscribe, ["$SYS/#", {eq, "#"}, {eq, "+/#"}]}.
+
+%% Production default: deny anything not explicitly allowed above.
+{deny, all}.