
Commit a14ccf4

update(authn): Add "Precondition" Dashboard config field
1 parent c6251e4 commit a14ccf4


45 files changed: +564 -494 lines changed

en_US/access-control/authn/authn.md

Lines changed: 16 additions & 4 deletions
@@ -89,7 +89,7 @@ When an authentication chain is configured, EMQX processes authenticators in the
8989
Here’s how it works, using password-based authentication as an example:
9090

9191
1. **Evaluate Preconditions (if configured):**
92-
If the authenticator has a [precondition](#authenticator-preconditions), EMQX first evaluates the expression based on client information (e.g., `listener`, `clientid`, `username`).
92+
If the authenticator has a [precondition](#authenticator-preconditions), EMQX first evaluates the expression based on client attributes information (e.g., `listener`, `clientid`, `username`).
9393
- If the expression evaluates to `true`, the authenticator is invoked.
9494
- If not, the authenticator is skipped.
9595
2. **Execute the Authenticator:**
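
Review bot: The new wording on line 92, "based on client attributes information", is redundant and reads like a leftover from the rename; use "based on client attributes" so it matches the phrasing in the Authenticator Preconditions section ("evaluates client attributes"). Also note that "client attributes" here covers `listener`, `clientid` and `username`, while the list added later in this file has a separate `client_attrs.*` entry that is also called "client attributes". Readers can easily conflate the two, so consider a distinct term for one of them.
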
@@ -106,11 +106,23 @@ Here’s how it works, using password-based authentication as an example:
106106

107107
### Authenticator Preconditions
108108

109-
Starting from EMQX 5.9, you can assign a precondition to each authenticator to control whether it should be invoked for a given client.
109+
Starting from EMQX 5.9, you can assign a precondition to each authenticator to control whether it should be invoked for a given client. A precondition is a [Variform expression](../../configuration/configuration.md#variform-expressions) that evaluates client attributes (such as `listener`, `username`, `clientid`, etc.). If the expression does not evaluate to `true`, the authenticator is skipped.
110110

111-
A precondition is a [Variform expression](../../configuration/configuration.md#variform-expressions) that evaluates client metadata (such as `listener`, `username`, `clientid`, etc.). If the expression does not evaluate to `true`, the authenticator is skipped.
111+
This feature enables conditional logic in the authentication chain. It allows for fine-grained control over authentication logic, such as applying different authenticators for clients connecting through different listeners or based on client attributes. EMQX can then invoke authenticators only when appropriate and avoid unnecessary requests to external systems.
112112

113-
This feature enables conditional logic in the authentication chain, allowing EMQX to invoke authenticators only when appropriate and avoid unnecessary requests to external systems.
113+
#### Supported Client Attributes in Precondition
114+
115+
Supported client attributes in a precondition include:
116+
117+
- `username`: The username of the client
118+
- `password`: The password of the client
119+
- `clientid`: The client ID of the client
120+
- `client_attrs.*`: The client attributes of the client
121+
- `cert_common_name`: The subject field from the client's TLS certificate
122+
- `cert_subject`: The Common Name (CN) from the client's TLS certificate
123+
- `peersni`: The SNI (Server Name Indication) sent by the TLS client
124+
- `listener`: The listener ID (e.g. `tcp:default`)
125+
- `zone`: The associated config zone
114126

115127
#### Precondition Examples
116128
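
Review bot: In the new "Supported Client Attributes in Precondition" list (lines 121-122), the descriptions of `cert_common_name` and `cert_subject` are swapped: `cert_common_name` is described as the subject field and `cert_subject` as the Common Name (CN). Exchange the two descriptions. This matters beyond wording, because a precondition written against the wrong certificate field will not evaluate to `true`, and per line 109 the authenticator is then skipped for that client. On line 120, `client_attrs.*` is described as "The client attributes of the client", which is circular in a list that is itself titled client attributes; say what these attributes are and where they come from. Line 118 lists `password` as usable in an expression, so a sentence on the intended use would help, since an expression that compares against it puts a credential-derived value into the authenticator configuration.
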
