Authorizing client connections

You can use connection policies to authorize a client to connect to an endpoint on Eclipse Amlen.

The connection policies that are associated with an endpoint that a client attempts to connect to are applied when the connection attempt is made. The connection policy can restrict which clients can connect to the endpoint and can limit the resources that MQTT clients can consume by preventing clients from connecting using a setting of cleanSession=0 or publishing messages with a QoS of 1 or 2. You must apply at least one connection policy to an endpoint in order for a client to connect to that endpoint. If you apply more than one connection policy to an endpoint, the policies are applied in order.

When you create a connection policy, you can use the following attributes to restrict who is allowed to connect:
  • Client IP address
  • Client ID
  • User ID
  • Group Name
  • Protocol
  • Certificate common name
  • Allow MQTT clients with durable subscriptions

For example, for an endpoint that is bound to an external-facing ethernet, you might configure a connection policy that any IP address can connect to. Then, for an endpoint that is bound to an internal-facing ethernet, you might configure another connection policy that only certain IP addresses can connect to.

A connection policy can be applied to more than one endpoint. For example, you can use a single connection policy to allow all clients from a particular IP address range to connect. You can then restrict the access of different clients to particular queues and topic strings by using a messaging policy. For more information about messaging policies, see Authorizing client messaging.

Connection policies can be configured by using the Amlen WebUI, or REST Administration APIs. For more information about configuring connection policies, see Connection policies.

Variable substitution in connection policies

You can use variable substitution in connection policies to avoid configuring large numbers of connection policies. You can set up a connection policy so that the client ID includes a user ID or client certificate common name variable. The user ID or common name is matched to the client ID, and access is granted only if they match.

The variable for the user ID is ${UserID}. The variable for certificate common name is ${CommonName}. You can specify extra characters along with the variable, for example EXAMPLE/${UserID}. If you use an unknown variable, the matching of the policy fails.

For example, you might have thousands of users that log in to a website by using a client application. Each user has a user ID that is used by the application as a client ID. You can use the variable substitution option to ensure that only applications that use a matching user ID and client ID can connect. For example:
Name:CertificateConnPolicy
Description:Connection policy that matches the user ID and client ID for authentication.
ClientID:${UserID}