Merge pull request #290138 from PatAltimore/patricka-release-aio-ga

Add MQTT broker authentication state store keys

Author: Stacyrch140

articles/iot-operations/manage-mqtt-broker/howto-configure-authorization.md

@@ -7,7 +7,7 @@ ms.subservice: azure-mqtt-broker
 ms.topic: how-to
 ms.custom:
   - ignite-2023
-ms.date: 11/02/2024
+ms.date: 11/08/2024
 
 #CustomerIntent: As an operator, I want to configure authorization so that I have secure MQTT broker communications.
 ms.service: azure-iot-operations
@@ -43,7 +43,7 @@ The following example shows how to create a *BrokerAuthorization* resource using
 
 # [Bicep](#tab/bicep)
 
-To edit the default endpoint, create a Bicep `.bicep` file with the following content. Update the settings as needed, and replace the placeholder values like `<AIO_INSTANCE_NAME>` with your own.
+To edit an authorization policy, create a Bicep `.bicep` file with the following content. Update the settings as needed, and replace the placeholder values like `<AIO_INSTANCE_NAME>` with your own.
 
 ```bicep
 param aioInstanceName string = '<AIO_INSTANCE_NAME>'
@@ -170,7 +170,7 @@ Because the `principals` field is a logical OR, you can further restrict access
 
 # [Portal](#tab/portal)
 
-In the **Broker authorization details** for your authorization policy, use the following configuration:
+In the broker authorization rules for your authorization policy, use the following configuration:
 
 ```json
 [
@@ -207,6 +207,8 @@ In the **Broker authorization details** for your authorization policy, use the f
 
 # [Bicep](#tab/bicep)
 
+To edit an authorization policy, create a Bicep `.bicep` file with the following content. Update the settings as needed, and replace the placeholder values like `<AIO_INSTANCE_NAME>` with your own.
+
 ```bicep
 param aioInstanceName string = '<AIO_INSTANCE_NAME>'
 param customLocationName string = '<CUSTOM_LOCATION_NAME>'
@@ -331,7 +333,7 @@ As the application has an authorization attribute called `authz-sat`, there's no
 
 # [Portal](#tab/portal)
 
-In the **Broker authorization details** for your authorization policy, use the following configuration:
+In the Broker authorization rules for your authorization policy, use the following configuration:
 
 ```json
 [
@@ -370,6 +372,8 @@ In the **Broker authorization details** for your authorization policy, use the f
 
 # [Bicep](#tab/bicep)
 
+To edit an authorization policy, create a Bicep `.bicep` file with the following content. Update the settings as needed, and replace the placeholder values like `<AIO_INSTANCE_NAME>` with your own.
+
 ```bicep
 param aioInstanceName string = '<AIO_INSTANCE_NAME>'
 param customLocationName string = '<CUSTOM_LOCATION_NAME>'
@@ -475,7 +479,265 @@ To set up authorization for clients that use the DSS, provide the following perm
 - Permission to publish to the system key value store `$services/statestore/_any_/command/invoke/request` topic
 - Permission to subscribe to the response-topic (set during initial publish as a parameter) `<response_topic>/#`
 
-For more information about DSS authorization, see [state store keys](https://github.com/Azure/iotedge-broker/blob/main/docs/authorization/readme.md#state-store-keys).
+### State store keys
+
+The state store is accessed over the MQTT broker on topic `statestore/v1/FA9AE35F-2F64-47CD-9BFF-08E2B32A0FE8/command/invoke`.
+Since clients have access to the topic, you can specify keys and access levels under the `stateStoreResources` section of the MQTT broker `brokerResources` configuration.
+
+The `stateStoreResources` section format consists of access level, a pattern indicator, and the pattern.
+
+# [Portal](#tab/portal)
+
+Include the `stateStoreResources` section in the rules for your authorization policy.
+
+```json
+"stateStoreResources": [
+  {
+    "method": "", // Values: read, write, readwrite 
+    "keyType": "", //Values: string, pattern, binary. Default is pattern
+    "keys": [
+      // List of patterns to match
+    ]
+  },
+]
+```
+
+# [Bicep](#tab/bicep)
+
+In Bicep, include the `stateStoreResources` section in your authorization policy.
+
+```bicep
+stateStoreResources: [
+  {
+    method: '' // Values: read, write, readwrite 
+    keyType: '' //Values: string, pattern, binary. Default is pattern
+    keys: [
+      // List of patterns to match
+    ]
+  }
+  {
+    method: 'ReadWrite'
+    keyType: 'Binary'
+    keys: [
+      'xxxxxxxxxxxxxxxxxxxx'
+    ]
+  }
+]
+```
+
+# [Kubernetes](#tab/kubernetes)
+
+In your custom resource definition, include the `stateStoreResources` section in your authorization policy.
+
+``` yaml
+stateStoreResources:
+  - method:  # Values: read, write, readwrite 
+    keyType: # Values: string, pattern, binary. Default is pattern
+    keys:
+      - # List of patterns to match
+```
+
+---
+
+The `method` field specifies the access level.
+- Read access is specified with `read`, write access with `write`, and both with `readwrite`.
+- Access level is required.
+- Read access level implies the actions of `get` and `keynotify`.
+- Write access level implies the actions of `set`, `del`, and `vdel`.
+
+The `keyType` field specifies the type of key matching.
+- `pattern` to use *glob* style pattern matching
+- `string`  to do exact match, for example when a key contains characters that might be otherwise matched as a pattern (`*`, `?`, `[0-9]`)
+- `binary`  to match a binary key
+
+The `keys` field specifies the keys to match. The keys can be specified as *Glob* style patterns, token substitutions, or exact strings. 
+- *Glob* style examples:
+    - `colors/*`: All keys under the "colors/" prefix
+    - `number[0-9]`: Any key from "number0" to "number9"
+    - `char?`: Any key with prefix "char" and a single digit suffix, like "charA"
+    - `*`: Full access to all keys.
+- State store keys also support token substitution when key type is `pattern` and curly braces are reserved for this purpose. Token substitution examples:
+    - `clients/{principal.clientId}/*`
+    - `usernames/{principal.username}/*`
+    - `rooms/{principal.attributes.room}/*`
+
+Here's an example of how you might author your state store resources:
+
+# [Portal](#tab/portal)
+
+In the Broker authorization rules for your authorization policy, add a similar configuration:
+
+```json
+[
+  {
+    "brokerResources": [
+      {
+        "clientIds": [
+          "{principal.attributes.building}*"
+        ],
+        "method": "Connect"
+      },
+      {
+        "method": "Publish",
+        "topics": [
+          "sensors/{principal.attributes.building}/{principal.clientId}/telemetry/*"
+        ]
+      },
+      {
+        "method": "Subscribe",
+        "topics": [
+          "commands/{principal.attributes.organization}"
+        ]
+      }
+    ],
+    "principals": {
+      "attributes": [
+        {
+          "building": "17",
+          "organization": "contoso"
+        }
+      ],
+      "usernames": [
+        "temperature-sensor",
+        "humidity-sensor"
+      ]
+    },
+    "stateStoreResources": [
+      {
+        "method": "Read",
+        "keyType": "Pattern",
+        "keys": [
+          "myreadkey",
+          "myotherkey?",
+          "mynumerickeysuffix[0-9]",
+          "clients/{principal.clientId}/*"
+        ]
+      },
+      {
+        "method": "ReadWrite",
+        "keyType": "Binary",
+        "keys": [
+          "xxxxxxxxxxxxxxxxxxxx"
+        ]
+      }
+    ]
+  }
+]
+```
+
+# [Bicep](#tab/bicep)
+
+To edit an authorization policy, create a Bicep `.bicep` file with the following content. Update the settings as needed, and replace the placeholder values like `<AIO_INSTANCE_NAME>` with your own.
+
+```bicep
+param aioInstanceName string = '<AIO_INSTANCE_NAME>'
+param customLocationName string = '<CUSTOM_LOCATION_NAME>'
+param policyName string = '<POLICY_NAME>'
+
+resource aioInstance 'Microsoft.IoTOperations/instances@2024-11-01' existing = {
+  name: aioInstanceName
+}
+
+resource customLocation 'Microsoft.ExtendedLocation/customLocations@2021-08-31-preview' existing = {
+  name: customLocationName
+}
+
+resource defaultBroker 'Microsoft.IoTOperations/instances/brokers@2024-11-01' existing = {
+  parent: aioInstance
+  name: 'default'
+}
+
+resource brokerAuthorization 'Microsoft.IoTOperations/instances/brokers/authorizations@2024-11-01' = {
+  parent: defaultBroker
+  name: policyName
+  extendedLocation: {
+    name: customLocation.id
+    type: 'CustomLocation'
+  }
+  properties: {
+    authorizationPolicies: {
+      cache: 'Enabled'
+      rules: [
+        {
+          principals: {
+            usernames: [
+              'temperature-sensor'
+              'humidity-sensor'
+            ]
+            attributes: [
+              {
+                city: 'seattle'
+                organization: 'contoso'
+              }
+            ]
+          }
+          brokerResources: [
+            {
+              method: 'Connect'
+            }
+            {
+              method: 'Publish'
+              topics: [
+                '/telemetry/{principal.username}'
+                '/telemetry/{principal.attributes.organization}'
+              ]
+            }
+            {
+              method: 'Subscribe'
+              topics: [
+                '/commands/{principal.attributes.organization}'
+              ]
+            }
+          ]
+          stateStoreResources: [
+            {
+              method: 'Read'
+              keyType: 'Pattern'
+              keys: [
+                'myreadkey'
+                'myotherkey?'
+                'mynumerickeysuffix[0-9]'
+                'clients/{principal.clientId}/*'
+              ]
+            }
+            {
+              method: 'ReadWrite'
+              keyType: 'Binary'
+              keys: [
+                'xxxxxxxxxxxxxxxxxxxx'
+              ]
+            }
+          ]
+        }
+      ]
+    }
+  }
+}
+```
+
+Deploy the Bicep file using Azure CLI.
+
+```azurecli
+az deployment group create --resource-group <RESOURCE_GROUP> --template-file <FILE>.bicep
+```
+
+# [Kubernetes](#tab/kubernetes)
+
+``` yaml
+stateStoreResources:
+  - method: Read # Read includes Get, Notify
+    keyType: "pattern" # string, pattern, binary
+    keys:
+      - "myreadkey" # explicit read access on key: myreadkey
+      - "myotherkey?" # single digit wildcard
+      - "mynumerickeysuffix[0-9]" # single digit number range
+      - "clients/{principal.clientId}/*" # use token substitution and a wildcard for per-client sandboxing
+  - method: ReadWrite  # ReadWrite access includes Get, Notify, Set, Del
+    keyType: "binary" # binary keys have exact match, no patterns
+    keys:
+      - "xxxxxxxxxxxxxxxxxxxx"  # base-64 encoded binary key.
+```
+---
 
 ## Update authorization