# Redis

This authorizer implements authorization checks through matching pub/sub requests against lists of rules stored in the Redis database.

The user should provide a templated Redis command that returns a key-value list with topic filters as keys and actions(publish, subscribe, or all) as values.

For example, rules can be stored as Redis hashes (opens new window):

>redis-cli
127.0.0.1:6379> HSET users:someuser foo/# subscribe
(integer) 1
127.0.0.1:6379> HSET users:someuser bar/baz publish
(integer) 1
1
2
3
4
5

The corresponding config parameters are:

cmd = "HGET users:${username}"
1

Fetched rules are used as permissive ones, i.e., a request is accepted if topic filter and action match.

# Configuration

The Redis authorizer is identified by type redis.

EMQX supports working with three kinds of Redis installation.

  • Standalone Redis.
    {
        type = redis
        enable = true
    
        redis_type = single
        server = "127.0.0.1:6379"
    
        cmd = "HGETALL mqtt_user:${username}"
        database => 1
        password = public
        server = "127.0.0.1:6379"
    
    }
    
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
  • Redis Sentinel (opens new window).
    {
        type = redis
        enable = true
    
        redis_type = sentinel
        servers = "10.123.13.11:6379,10.123.13.12:6379"
        sentinel = "mymaster"
    
        cmd = "HGETALL mqtt_user:${username}"
        database => 1
        password = public
    
    }
    
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
  • Redis Cluster (opens new window).
    {
        type = redis
        enable = true
    
        redis_type = cluster
        servers = "10.123.13.11:6379,10.123.13.12:6379"
    
        cmd = "HGETALL mqtt_user:${username}"
        database => 1
        password = public
    }
    
    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11

# Common configuration parameters

# redis_type

One of single, cluster, or sentinel, required. Defines Redis installation type: standalone Redis, Redis Cluster (opens new window), or Redis Sentinel (opens new window) respectively.

# cmd

Required string value with the command used for fetching authorization rules. The following placeolders are supported for cmd value:

  • ${clientid} — Client ID of the client.
  • ${username} — username of the client.
  • ${peerhost} — client IP address.
  • ${cert_subject} — subject of client's TLS certificate, valid only for TLS connections.
  • ${cert_common_name} common name of client's TLS certificate, valid only for TLS connections.

Topic placeholders are allowed in topic filters.

# database

Redis database index to use, required.

# password

Password used for Redis authentication (opens new window), optional.

# auto_reconnect

Optional boolean value. The default value is true. Specifies whether to automatically reconnect to Redis on client failure.

# pool_size

Optional integer value defining the number of concurrent connections from an EMQX node to Redis. The default value is 8.

# ssl

Standard SSL options for secure connecting to Redis (opens new window).

# Standalone Redis options (redis_type = single).

# server

Required host:port string value, the address of the Redis server.

# Redis Cluster options (redis_type = cluster).

# servers

Required string value with comma-separated list of Redis Cluster endpoints: host1:port1,host2:port2,....

# Redis Sentinel options (redis_type = sentinel).

# servers

Required string value with comma-separated list of Redis Sentinel endpoints: host1:port1,host2:port2,....

# sentinel

Required string value with master name (opens new window) to use from Sentinel configuration.