Client Authorization

If a client connection to a Message VPN is successfully authenticated, access to the router resources and messaging capabilities within that Message VPN must be authorized for the client.

For a client to be authorized, it must provide the host router with a client username that matches one that is provisioned on the Message VPN to which the connection has been made. (These client usernames can either be provided by the connected client or be automatically generated for the client based on an LDAP group that it is a member of.) If the client provides a valid client username and password, the client’s connection is authorized. The following two types of profiles that are assigned to the provisioned client username are then used to provide the client with its access permissions and messaging capabilities.

  • Access Control List (ACL) profiles—ACL profiles define whether the client is permitted to connect to the Message VPN, and, if it is, permissions are assigned to the client that set whether it can publish messages to topics and whether it can subscribe to topics. They also set whether its publish and subscribe rights are limited to an explicit range of topics. For more information, refer to ACL Profiles.
  • Client profiles—Client profiles are sets of common configuration parameters that can be applied to groups of clients, which allows consistent configurations to be readily defined for many clients. For more information, refer to Client Profiles.

The following figure shows the basic process for authorizing an authenticated client according to the authorization properties assigned to a client username provisioned on the Message VPN.

Figure: Authorization Process Using Provisioned Client Usernames

Authorizing Clients Internally

When internal authorization is used (that is, LDAP group authorization is not enabled), client usernames that are provisioned on the router can determine a client’s authorization. If the client provides a client username that matches a client username provisioned in the Message VPN that the client has connected to, the client and ACL profiles configured for that client username are applied to the client. If the client does not provide a client username, the client username named default is applied if it is enabled, and the client and ACL profiles configured for that client username are applied to the client.

Internal authorization is the default authorization mode for Message VPNs.

Note:  The default client username account always exists on the Solace router and cannot be deleted. However, by default, this account is not enabled.

After the client is bound to a client username account in the specified Message VPN, the router checks whether that client username account is enabled or not. If the client username account is not enabled, the client is disconnected. (The response “403 Client Username Is Shutdown” is sent before disconnecting.)

If the bound client username account is enabled, the client is then created with the properties of the client profile and ACL profile configured for the bound client username account object.

Authorizing Clients Through LDAP Groups

Clients can also receive their authorizations based on whether they belong to specific LDAP authorization groups. Using LDAP authorization groups to authorize clients can assist network administrators that deal with large numbers of clients, especially when those clients are already configured in a corporate server, and churn frequently as employees join and leave an organization.

When LDAP authorization is enabled for the Message VPN that an authenticated client is attempting to connect to, an LDAP attribute (typically MEMBEROF) is retrieved for the client, and an LDAP lookup is made to an external LDAP server to determine the LDAP groups that the client belongs to.

Any LDAP groups that the lookup returns are compared against the LDAP authorization groups configured on the router, and the client is assigned the highest-priority matching authorization group that is in the no shutdown (enabled) state.

Note:  The maximum number of authorization groups that may be retrieved for a client from an external LDAP server is 128. The client will not be authorized if more authorization groups are returned.

A client username is then automatically generated for the client, and the client and ACL profiles configured for the matching group are applied to the client username that the client is bound to. These profiles provide the client with its authorizations.
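The group selection described above (membership match, no shutdown state, highest priority, and the 128-group limit), as an added model written for this page rather than Solace's own code; the group data class and the convention that a lower priority value ranks higher are assumptions:

```python
from dataclasses import dataclass
from typing import List, Optional

MAX_LDAP_GROUPS = 128  # limit stated in this section


@dataclass
class AuthorizationGroup:
    dn: str            # LDAP group DN as configured on the router
    enabled: bool      # True when the group is in the "no shutdown" state
    priority: int      # assumption: lower value = higher priority


def select_authorization_group(ldap_groups: List[str],
                               configured: List[AuthorizationGroup]) -> Optional[AuthorizationGroup]:
    """Return the group whose client/ACL profiles apply, or None if the client is not authorized."""
    # More than 128 groups returned by the LDAP lookup: the client is not authorized.
    if len(ldap_groups) > MAX_LDAP_GROUPS:
        return None
    member_of = set(ldap_groups)
    # Only configured groups the client belongs to and that are not shut down qualify.
    candidates = [g for g in configured if g.dn in member_of and g.enabled]
    if not candidates:
        return None
    return min(candidates, key=lambda g: g.priority)


# Constructed sample data: three groups on the router, a client that is in all three.
CONFIGURED = [
    AuthorizationGroup("cn=admins,ou=groups,dc=example,dc=com", enabled=True, priority=10),
    AuthorizationGroup("cn=traders,ou=groups,dc=example,dc=com", enabled=False, priority=1),
    AuthorizationGroup("cn=staff,ou=groups,dc=example,dc=com", enabled=True, priority=50),
]
CLIENT_MEMBEROF = ["cn=traders,ou=groups,dc=example,dc=com",
                   "cn=staff,ou=groups,dc=example,dc=com",
                   "cn=admins,ou=groups,dc=example,dc=com"]

if __name__ == "__main__":
    chosen = select_authorization_group(CLIENT_MEMBEROF, CONFIGURED)
    # "traders" has the best priority but is shut down, so "admins" is selected.
    print(chosen.dn if chosen else "not authorized")
```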

The following figure shows the basic process for authorizing an authenticated client that belongs to a configured LDAP authorization group.

Figure: Authorization Process Using LDAP Groups

Profiles that are Applied to Authorized Clients

A profile is a set of characteristics that can be distinctly assigned to one or more client username accounts and/or LDAP authorization groups configured on specific Message VPNs. To manage a large number of clients efficiently, you can create a profile with a specific set of common characteristics and assign it to the client usernames and/or authorization groups that can be subsequently assigned to clients that share these characteristics.

Two types of profiles can be added to client usernames and authorization groups:

  • ACL profiles—ACL profiles allow you to manage clients’ connection access to a Solace router and which topics they are permitted to publish and subscribe to. For more information, refer to Managing Access Control Lists.
  • Client Profiles—Client profiles allow you to apply and manage a set of configuration characteristics to one or more client username accounts and/or authorization groups. For more information, refer to Managing Client Authentication and Authorization.

Profiles can reduce administrators’ provisioning effort when parameters will be the same across a group of users. By configuring such parameters together in a single profile, this profile can then be used repeatedly by multiple client username accounts and authorization groups.

If specific ACL or client profiles are not assigned to a client username account by the administrator, then the ACL profile default and client profile default are assigned automatically to each client username account. An administrator can customize the configuration of the default client and ACL profiles, but they cannot be deleted from the router.

ACL Profiles

ACL profiles can be assigned to given client usernames and to LDAP authorization groups.

After a client is successfully authenticated, the ACLs that are configured for the client username used by the client, or for the LDAP authorization groups that the client belongs to (when LDAP authorization is used), are checked. These ACLs are used to control whether an authenticated client is:

Note:

  • If an administrator does not assign a specific ACL profile to a client username, it is automatically assigned the ACL profile named default.
  • All internal clients that are automatically created by the system for internal features (for example, the Config-Sync client #config‑sync) are assigned to the ACL profile #acl-profile.

Related Provisioning and Configuration Information

For information on how to use the Solace CLI to configure and manage ACLs on the Solace router, refer to Managing Access Control Lists.

Client Connection Access Controls

ACLs have a client connection access control that is used to determine whether clients are allowed to connect to a Solace router.

User-defined ACLs for client connection attempts can either be allow (permit client connections) or disallow (deny client connections). The default action is disallow. The default and #acl-profile ACL profiles have the default action of allow.

After you have set the default client connection action, you can create a list of exceptions to the default action expressed in Classless Inter‑Domain Routing (CIDR) address form (nnn.nnn.nnn.nnn/nn). Any client whose address falls within any of the IP/mask entries in this list gets the opposite behavior to the configured default action. There is a system-level limit of 10,000 ACL profile connect exceptions.

For example, if the client-connect access control for an ACL uses a default action of allow, but 10.1.1.0/24 is listed as an exception, clients on the 10.1.1.0/24 network are denied access to the Message VPN. Similarly, if the default client connection action is disallow, and a client on a network on the exceptions list attempts to connect, that client is connected with no restrictions.
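The client-connect decision described above, as an added check written for this page (not Solace's code) that an administrator can use to confirm what a default action plus CIDR exception list will do for a given client address; the function name and the sample addresses are constructed:

```python
import ipaddress
from typing import List

MAX_CONNECT_EXCEPTIONS = 10_000  # system-level limit stated in this section


def connect_allowed(default_action: str, exceptions: List[str], client_ip: str) -> bool:
    """Apply a client-connect ACL: an address inside any exception gets the opposite of the default."""
    if default_action not in ("allow", "disallow"):
        raise ValueError("default_action must be 'allow' or 'disallow'")
    if len(exceptions) > MAX_CONNECT_EXCEPTIONS:
        raise ValueError("too many connect exceptions")
    addr = ipaddress.ip_address(client_ip)
    # strict=False tolerates host bits set in an entry such as 10.1.1.5/24;
    # an IPv6 address is never contained in an IPv4 network and vice versa.
    in_exception = any(addr in ipaddress.ip_network(cidr, strict=False) for cidr in exceptions)
    return (default_action == "allow") != in_exception


if __name__ == "__main__":
    # Constructed check of the worked case in the text.
    print(connect_allowed("allow", ["10.1.1.0/24"], "10.1.1.42"))     # False: denied
    print(connect_allowed("allow", ["10.1.1.0/24"], "10.2.0.7"))      # True
    print(connect_allowed("disallow", ["10.1.1.0/24"], "10.1.1.42"))  # True: connected
```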

Note:  Changing the default client connect action, or removing clients from the exceptions list, does not immediately affect clients that already have an established connection to the Solace router. They remain connected.

A global statistic and a per-Message VPN statistic are incremented for every denied connection attempt. In addition, a circular log is maintained capturing:

  • the current timestamp
  • the IP/port of the denied client
  • the username of the denied client
  • the Message VPN of the denied client
  • the client name of the denied client (shown only when the show log acl User EXEC command is used with the wide parameter option)
  • the ACL profile name that triggered the denial (shown only when the show log acl User EXEC command is used with the wide parameter option)

Topic Access Controls

When you create an ACL profile, you can configure whether the default action for SMF and MQTT clients assigned to the ACL profile is to allow clients to publish or subscribe to topic patterns, or to disallow clients from publishing or subscribing to topic patterns. (Topic patterns can be topic subscriptions, as well as the unique topics associated with individual queues [that is, #P2P/QUE/<queue‑name>].) You can also list specific topic patterns that you want to be excepted from the default action. (The default action for publish‑access and subscribe‑access controls is disallow, with no exceptions configured.)

Note:  Although the default actions apply to both Solace Message Format (SMF) and MQTT topics, topic exceptions are made for SMF and MQTT topics separately.

There is no limit to the number of publishing or subscription topic exceptions per ACL profile. However, there is a maximum of 20,000 topic exceptions (publish and subscribe combined) allowed among all profiles. Also keep in mind that the more exceptions there are, the more difficult it is to comprehend and manage your topic access control configuration.

Subscriptions are either fully accepted or fully rejected depending on whether they match the configured topic access controls. Special rules are employed when handling subscriptions containing wildcards to ensure configured ACLs are effective in blocking the traffic they have been configured to disallow. Wildcard subscriptions that match an ACL profile’s exceptions are disallowed if the ACL profile’s default rule is to allow all subscriptions. For example:

  • If an ACL profile has been configured to allow all subscriptions except for the SMF subscription ANIMALS/CATS, a subscription to ANIMALS/> (covering ANIMALS/CATS) is disallowed. If ANIMALS/> were accepted, then messages published to ANIMALS/CATS would match ANIMALS/> and be delivered to the client. This would contradict the intention of the ACL.
  • If the ACL profile’s default rule disallows all subscriptions, wildcard characters in the subscription are not given any special treatment when establishing matching exception rules. For example, if an ACL profile has been configured to disallow all subscriptions except ANIMALS/DOGS, an SMF subscription request to ANIMALS/> would be disallowed, given that the ‘>’ would not be treated as a wildcard character and therefore would not cover the exception rule of ANIMALS/DOGS. In suppressing the subscription, which requested everything below ANIMALS, the ACL profile’s intention of only allowing access to ANIMALS/DOGS is enforced.

Each Message VPN on a Solace router has a preconfigured ACL profile named default. The initial configuration of the default ACL profile is:

  • allow for publish-topic, no exceptions configured
  • allow for subscribe-topic, no exceptions configured

Although you can modify the configuration of the default ACL profile, this ACL profile cannot be deleted.

Note:  If you change the default action for an ACL profile, any existing topics listed as exceptions are maintained as exceptions, but their behavior becomes the opposite of what it was.
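The subscribe-topic rules above (including the wildcard handling from the ANIMALS examples) and the effect of flipping the default action described in this note, as an added model written for this page rather than Solace's own implementation; the SMF topic syntax and the treatment of exception entries as patterns are assumptions stated in the comments:

```python
from typing import List

# Assumed SMF topic syntax: levels separated by "/", a trailing "*" in a level is
# a prefix wildcard for that level, and a final ">" level matches one or more
# remaining levels. Exception entries are assumed to be patterns of the same form.


def _level_matches(pattern_level: str, topic_level: str) -> bool:
    # "*" alone matches any one level; "abc*" matches a level starting with "abc"
    if pattern_level.endswith("*"):
        return topic_level.startswith(pattern_level[:-1])
    return pattern_level == topic_level


def covers(pattern: str, topic: str) -> bool:
    """True if `pattern` (with SMF wildcards) matches the literal string `topic`."""
    p, t = pattern.split("/"), topic.split("/")
    for i, level in enumerate(p):
        if level == ">" and i == len(p) - 1:
            return len(t) > i            # ">" needs at least one more level
        if i >= len(t) or not _level_matches(level, t[i]):
            return False
    return len(p) == len(t)


def subscription_allowed(default_action: str, exceptions: List[str], request: str) -> bool:
    """Subscribe-topic check; the request is accepted or rejected as a whole."""
    if default_action == "allow":
        # Rejected if the request is itself an exception, or if its wildcards
        # cover an exception topic (messages on it would otherwise be delivered).
        return not any(covers(e, request) or covers(request, e) for e in exceptions)
    # Default disallow: wildcards in the request get no special treatment, so a
    # request such as ANIMALS/> is compared literally against the exceptions.
    return any(covers(e, request) for e in exceptions)


def publish_allowed(default_action: str, exceptions: List[str], topic: str) -> bool:
    """Publish-topic check on a concrete topic: an exception hit inverts the default."""
    hit = any(covers(e, topic) for e in exceptions)
    return hit if default_action == "disallow" else not hit


if __name__ == "__main__":
    # Constructed inputs reproducing the ANIMALS examples in the text.
    print(subscription_allowed("allow", ["ANIMALS/CATS"], "ANIMALS/>"))        # False
    print(subscription_allowed("disallow", ["ANIMALS/DOGS"], "ANIMALS/>"))     # False
    print(subscription_allowed("disallow", ["ANIMALS/DOGS"], "ANIMALS/DOGS"))  # True
    # Flipping the default keeps the exception list but inverts its effect.
    print(publish_allowed("allow", ["ANIMALS/CATS"], "ANIMALS/CATS"))          # False
    print(publish_allowed("disallow", ["ANIMALS/CATS"], "ANIMALS/CATS"))       # True
```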

Using Topic Access Controls with Guaranteed Messaging

ACLs can be used with Guaranteed Messaging, but the following limitations should be considered:

  • Subscribe-topic access controls are not considered when a consuming client binds directly to a durable endpoint (either a queue or topic endpoint). Therefore, a client could bypass subscribe-topic access control restrictions that have been set for it.
  • Subscribe-topic access controls can prevent a client from adding a specific topic subscription to a queue if the client is not permitted to subscribe to that topic. However, a client can bind to an existing queue that has been mapped to a topic that the client is not permitted to subscribe to because the client’s subscribe-topic access controls are not checked when it binds to a queue.

Topic Access Control Statistics

A global, a per-Message VPN, and a per-client statistic are incremented for every denied publish or subscribe topic attempt. In addition, a circular log is maintained capturing:

  • the current timestamp
  • the username of the denied client
  • the Message VPN the client was a member of
  • the topic that was denied
  • the client name of the denied client (shown only when the show log acl User EXEC command is entered with the wide parameter option)
  • the ACL profile name that triggered the denial (shown only when the show log acl User EXEC command is entered with the wide parameter option)

Client Profiles

Client profiles are objects provisioned on Message VPNs that are used to assign a common set of properties to clients that have been successfully authorized.

Client profiles control a number of client behaviors and capabilities. For example, client profiles control the allocation of resources such as the maximum number of subscriptions permitted for a single client and the per-client transport queues. Other characteristics controlled by client profiles include tuning TCP connection parameters, enabling persistent messaging capabilities, and adjusting the point at which certain events are triggered.

Client profiles can be applied to multiple client usernames or LDAP authorization groups in a Message VPN. This enables administrators to manage large groups of clients by making a configuration change once and having it apply to many clients rather than having to make individual changes to each client.

Related Provisioning and Configuration Information

For information on how to use the Solace CLI to configure client profiles and the parameters that are associated with client profiles, refer to Configuring Client Profiles.