Hi, I’ve noticed that I can set Common Name in my client’s cert, which is mapped to Client ID, to a string with a slash:
zone1/client1
…and it works for me in acl.conf:
{allow, {client, {re, “^[a-f0-9]{8}$”}}, all, [“nodes/${clientid}/+”]}
It looks like the “/” is treated as a regular part of the path internally, and allows expected subscriptions:
nodes/zone1/#
nodes/zone1/+/+
The question is:
Can I rely on that behavior? Is it safe for production?
I like it, but for security reasons, I must keep “zone” as the prefix of the Client ID, so I could simply have:
nodes/zone1.client1
…but then I end up with a flat structure for all the zones and clients, so I’m losing the benefit of the proper hierarchy.
There seems to be zero documentation addressing my case, so I’d like to collect your opinions - thanks!