%% Qipai EMQX ACL baseline for device topic isolation.
%% EMQX ACL files use Erlang tuple rules and are evaluated from top to bottom; the first matching rule decides, so rule order matters.
%% Replace example usernames and topic namespaces after M06 device onboarding.
%% Device clients may publish telemetry, status and events only under their own client id (${clientid} is substituted at match time).
{allow, {clientid, {re, "^qipai-device-[A-Za-z0-9_-]+$"}}, publish, [
"qipai/${clientid}/telemetry",
"qipai/${clientid}/status",
"qipai/${clientid}/event/#"
]}.
%% Device clients may subscribe only to the command topics for their own client id.
{allow, {clientid, {re, "^qipai-device-[A-Za-z0-9_-]+$"}}, subscribe, [
"qipai/${clientid}/command/#"
]}.
%% Backend service is granted both publish and subscribe (all) on every device's command, telemetry, status and event topics; split into separate publish/subscribe rules if it only needs to send commands and receive device data.
{allow, {username, "qipai_backend"}, all, [
"qipai/+/command/#",
"qipai/+/telemetry",
"qipai/+/status",
"qipai/+/event/#"
]}.
%% Do not expose system topics or broad wildcards to ordinary clients; {eq, ...} matches the literal filter string only, so broader filters such as qipai/# fall through to the final deny below.
{deny, all, subscribe, ["$SYS/#", {eq, "#"}, {eq, "+/#"}]}.
%% Production default: deny anything not explicitly allowed above (this catch-all must stay the last rule).
{deny, all}.