ACL Overview
Solace PubSub+ event brokers support Access Control Lists (ACLs). ACLs are used to control which clients may connect to which Message VPNs, and which topics clients are allowed to publish and subscribe to in their Message VPN. ACLs support an allow / deny-with-exceptions type policy structure along with wildcard matching and substitution variables. ACLs provide you with a powerful and scalable means of exerting control over what clients can and cannot do within a Message VPN.
ACLs are created within a Message VPN and are assigned to its clients. An ACL has three parts:
- a part for controlling which clients can connect to a Message VPN.
- a part for controlling what topics a client can publish to.
- a part for controlling what topics a client can subscribe to.
Each part has a similar structure. If you're familiar with the basic concepts behind ACLs, you can jump to the detailed instructions for configuring the parts at ACL Configuration. If you'd like some more background first, the sections below show each part in schematic form before you configure actual ACLs.
Controlling which clients can connect
The part that controls which clients can connect to a Message VPN has two components: a default action and a list of exceptions to the default. In this example, the ACL, called yourACL, has set the default action to allow all client connection attempts except for those on IP subnet 10.10.0.0/16. In schematic form, the ACL looks like this:

    yourACL
        client-connect
            default-action: allow
            exception: 10.10.0.0/16
You can add more than one exception. If you change the default action or the exceptions while the ACL is in use, the changes do not affect clients that are already connected under that ACL; they take effect only after those clients disconnect from the Message VPN and attempt to reconnect.
You can find detailed instructions for configuring the client connection part of an ACL at Configuring Client Connect Authorization.
Controlling what clients can publish to
The part that controls the topics that clients can publish to also has a default action and a list of exceptions. Continuing with the example, yourACL has the default action set to disallow publication to all topics except animals/domestic/dogs and animals/domestic/cats, which clients can freely publish to.

    yourACL
        publish-topic
            default-action: disallow
            exception: animals/domestic/dogs
            exception: animals/domestic/cats
You can find detailed instructions for configuring the publication part of an ACL at Configuring Topic Publish Permissions.
Controlling what clients can subscribe to
The part that controls the topics that clients can subscribe to is similar in structure to the publish permissions part in the previous section. In the example, yourACL has the default action set to disallow subscriptions to all topics except animals/domestic/birds, which clients can freely subscribe to.

    yourACL
        subscribe-topic
            default-action: disallow
            exception: animals/domestic/birds
You can find detailed instructions for configuring the subscribe part of an ACL at Configuring Topic Subscribe Permissions.
Additional ACL Features
The above sections only touch on ACL fundamentals. There are some additional features that extend the power of ACLs.
- Default ACL: Each Message VPN has a default ACL that is assigned to each of its clients if the clients are not assigned to another ACL. You can modify the configuration of the default ACL, but you cannot delete it.
- Substitution variables: These provide a means of creating scalable ACLs for situations where clients number in the hundreds, thousands, or hundreds of thousands. You can get an overview of substitution variable functionality at Improving IoT Security with Access Control List Substitution Variables, and you can learn more about configuring them at Using Substitution Variables in Topic Exceptions.
- Publishing & Subscribing to Queues: By using the topic pattern #P2P/QUE/<queueName>, ACL exceptions can be created to control publish actions to queues. You can find out more at Publishing to Queues.