
Comments (9)

zhouruiruiruiyan commented on July 4, 2024

Thank you very much. I have finished it.
I implemented it so that port 8883 does not allow publishing to action/# and set/#. The rest of the ports are unrestricted.

emqx.conf add:

zones.devicezone.mqtt.max_packet_size = 10485760
mqtt {
  client_attrs_init = [
    { expression = "iif(str_eq(zone,'devicezone'),'action','none')", set_as_attr = action },
    { expression = "iif(str_eq(zone,'devicezone'),'set','none')", set_as_attr = set }
  ]
}

listeners.ssl.default {
  zone = devicezone
}

acl.conf add:

{deny, all, publish, ["${client_attrs.action}/#","${client_attrs.set}/#"]}.

from emqx.

zhouruiruiruiyan commented on July 4, 2024

I see that the documentation has the following, but I don't know how to configure it. Document not found

savonarola commented on July 4, 2024

Hello! Currently, only authentication may be set up per listener. Authorization is common for all the clients.


zmstone commented on July 4, 2024

I see that the documentation has the following, but I don't know how to configure it. Document not found

The access rule configured for a listener is a CIDR-based ACL at the transport layer (TCP/IP).
This is not a very commonly used feature; if it is not in the emqx official docs, you can find more information here: https://github.com/emqx/esockd?tab=readme-ov-file#allowdeny

MQTT layer ACL is not configurable per listener, however it's been made easy since 5.7.
Here are the steps.

Step 1: Configure a new zone

For example, configure any mqtt setting to add a new zone, e.g. in emqx.conf, add zones.myzone1.mqtt.max_packet_size = 1M
See doc about zone overrides here: https://docs.emqx.com/en/enterprise/latest/configuration/configuration.html#zone-override

Step 2: Configure a listener's zone parameter to this new zone.

Configure listener.tcp.name.zone=myzone1
Or set it from "Custom Configuration" in the dashboard

Step 3: Assign zone as a client attribute.

Read more about client attributes

Step 4: Make use of ${client_attrs.zone} in ACL rules

it works the same way as ${clientid} or ${username}.


zmstone commented on July 4, 2024

Hi again @zhouruiruiruiyan
You might need a bit more of a hint for the client attribute, since what you want is one listener for action/# and another for set/#.
The client attribute extraction is an expression which supports naive conditional control flow.
In your case, if you have one listener in the default zone and another listener in myzone1, you can write the client attribute extraction expression like this:

iif(str_eq(zone,'default'),'action','set')


Then you can use ${client_attrs.topic_prefix} in the ACL rules like this:

% acl.conf
{allow, all, subscribe, "${client_attrs.topic_prefix}/#"}.


zhouruiruiruiyan commented on July 4, 2024

Hi again @zhouruiruiruiyan You might need a bit more of a hint for the client attribute, since what you want is one listener for action/# and another for set/#. The client attribute extraction is an expression which supports naive conditional control flow. In your case, if you have one listener in the default zone and another listener in myzone1, you can write the client attribute extraction expression like this:

iif(str_eq(zone,'default'),'action','set')

Then you can use `${client_attrs.topic_prefix}` in the ACL rules like this:
% acl.conf
{allow, all, subscribe, "${client_attrs.topic_prefix}/#"}.

Yes, it helps me. But what I want to achieve is to intercept all actions/# and set/# when no zone is set.
acl.conf {deny, all, publish, ["${client_attrs.myzone1}"]}.
I don't know how to configure myzone1.


zmstone commented on July 4, 2024

To by default only allow permitted pub/sub actions, you must replace the last line {allow, all}. with {deny, all}. at the end of acl.conf


zmstone commented on July 4, 2024

I don't know how to configure myzone1.

To configure a zone: https://docs.emqx.com/en/enterprise/latest/configuration/configuration.html#zone-override


zmstone commented on July 4, 2024

intercept all actions/# and set/# when no zone is set.

There is no way to "intercept" anything at listener level.
The suggested solution is to associate the listener (zone) as a client attribute, and then perform ACL checks based on client attributes.

If you set a client attribute such as topic_prefix based on the listener (zone), the rule below will do exactly what you wanted: a per-listener ACL.

{allow, all, subscribe, "${client_attrs.topic_prefix}/#"}.

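Pulling the four steps and the {deny, all} advice together, here is an emqx.conf fragment for the two-listener case as an added example (mine, not copied from the thread or from EMQX's docs): plain TCP on 1883 stays in the default zone and gets prefix action, TLS on 8883 is moved to a new zone and gets prefix set, and the matching acl.conf lines are shown in the trailing comment. The zone name devicezone, the attribute name topic_prefix and the bind addresses are my assumptions.

```hocon
# Added example (EMQX 5.7+ emqx.conf fragment); not from the thread above.
# Goal: a client may only publish/subscribe under the prefix tied to the
# listener it connected through, and nothing else is allowed by default.

# Step 1: declare the zone. Any mqtt override is enough to create it.
zones.devicezone.mqtt.max_packet_size = 1M

# Step 2: bind the TLS listener to the zone; the TCP one stays in "default".
# Bind addresses are assumed, not taken from the thread.
listeners.tcp.default {
  bind = "0.0.0.0:1883"
}
listeners.ssl.default {
  bind = "0.0.0.0:8883"
  zone = devicezone
}

# Step 3: derive a client attribute from the zone at connect time, using
# the iif/str_eq expression form shown in the thread. The else-branch is a
# concrete prefix, so a client in an unexpected zone still gets a bounded
# topic space instead of an empty attribute.
mqtt {
  client_attrs_init = [
    {
      expression = "iif(str_eq(zone,'devicezone'),'set','action')"
      set_as_attr = topic_prefix    # attribute name is my choice
    }
  ]
}

# Step 4 lives in acl.conf (Erlang terms, separate file), rule format as
# used in the thread:
#
#   {allow, all, publish,   ["${client_attrs.topic_prefix}/#"]}.
#   {allow, all, subscribe, ["${client_attrs.topic_prefix}/#"]}.
#   %% Weak ending: a trailing {allow, all}. lets every topic the two
#   %% rules above did not match through, so the prefix check is moot.
#   %% Hardened ending, as zmstone advises: refuse everything unmatched.
#   {deny, all}.
```

Rules are evaluated top-down and the first match wins, so the positive per-prefix rules must precede the final {deny, all}. line.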
