
chore: rename check_authz to authorize

zhanghongtong 4 years ago
parent
commit
e1b0f44a8a

+ 9 - 9
apps/emqx/src/emqx_access_control.erl

@@ -20,7 +20,7 @@
 
 -export([authenticate/1]).
 
--export([ check_authz/3
+-export([ authorize/3
         ]).
 
 -type(result() :: #{auth_result := emqx_types:auth_result(),
@@ -42,25 +42,25 @@ authenticate(ClientInfo = #{zone := Zone}) ->
     end.
 
 %% @doc Check ACL
--spec(check_authz(emqx_types:clientinfo(), emqx_types:pubsub(), emqx_types:topic())
+-spec(authorize(emqx_types:clientinfo(), emqx_types:pubsub(), emqx_types:topic())
       -> allow | deny).
-check_authz(ClientInfo, PubSub, Topic) ->
+authorize(ClientInfo, PubSub, Topic) ->
     case emqx_acl_cache:is_enabled() of
-        true  -> check_authz_cache(ClientInfo, PubSub, Topic);
-        false -> do_check_authz(ClientInfo, PubSub, Topic)
+        true  -> authorize_cache(ClientInfo, PubSub, Topic);
+        false -> do_authorize(ClientInfo, PubSub, Topic)
     end.
 
-check_authz_cache(ClientInfo, PubSub, Topic) ->
+authorize_cache(ClientInfo, PubSub, Topic) ->
     case emqx_acl_cache:get_acl_cache(PubSub, Topic) of
         not_found ->
-            AclResult = do_check_authz(ClientInfo, PubSub, Topic),
+            AclResult = do_authorize(ClientInfo, PubSub, Topic),
             emqx_acl_cache:put_acl_cache(PubSub, Topic, AclResult),
             AclResult;
         AclResult -> AclResult
     end.
 
-do_check_authz(ClientInfo, PubSub, Topic) ->
-    case run_hooks('client.check_authz', [ClientInfo, PubSub, Topic], allow) of
+do_authorize(ClientInfo, PubSub, Topic) ->
+    case run_hooks('client.authorize', [ClientInfo, PubSub, Topic], allow) of
         allow  -> allow;
         _Other -> deny
     end.
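Review bot: `do_authorize/3` folds the 'client.authorize' hook from an initial value of `allow`, so the hook-name rename in this hunk has a fail-open edge: a callback still registered under the old 'client.check_authz' name is presumably never run, and the request falls through to `allow` instead of failing. The same externally visible names are renamed in the emqx_exhook hunks (the hook list, `hk2func/1`, exhook.proto), so out-of-tree plugins and gRPC hook providers are affected as well. I would add a comment above `do_authorize/3` such as `%% The fold starts from 'allow': with no callback on 'client.authorize' every request is allowed.` and call out the rename in the upgrade notes.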

+ 2 - 2
apps/emqx/src/emqx_channel.erl

@@ -1406,7 +1406,7 @@ check_pub_alias(_Packet, _Channel) -> ok.
 check_pub_acl(#mqtt_packet{variable = #mqtt_packet_publish{topic_name = Topic}},
               #channel{clientinfo = ClientInfo}) ->
     case is_acl_enabled(ClientInfo) andalso
-         emqx_access_control:check_authz(ClientInfo, publish, Topic) of
+         emqx_access_control:authorize(ClientInfo, publish, Topic) of
         false -> ok;
         allow -> ok;
         deny  -> {error, ?RC_NOT_AUTHORIZED}
@@ -1440,7 +1440,7 @@ check_sub_acls([], _Channel, Acc) ->
 
 check_sub_acl(TopicFilter, #channel{clientinfo = ClientInfo}) ->
     case is_acl_enabled(ClientInfo) andalso
-         emqx_access_control:check_authz(ClientInfo, subscribe, TopicFilter) of
+         emqx_access_control:authorize(ClientInfo, subscribe, TopicFilter) of
         false  -> allow;
         Result -> Result
     end.

+ 2 - 2
apps/emqx/src/emqx_metrics.erl

@@ -172,7 +172,7 @@
          {counter, 'client.connected'},
          {counter, 'client.authenticate'},
          {counter, 'client.auth.anonymous'},
-         {counter, 'client.check_authz'},
+         {counter, 'client.authorize'},
          {counter, 'client.subscribe'},
          {counter, 'client.unsubscribe'},
          {counter, 'client.disconnected'}
@@ -563,7 +563,7 @@ reserved_idx('client.connected')             -> 202;
 reserved_idx('client.authenticate')          -> 203;
 reserved_idx('client.enhanced_authenticate') -> 204;
 reserved_idx('client.auth.anonymous')        -> 205;
-reserved_idx('client.check_authz')             -> 206;
+reserved_idx('client.authorize')             -> 206;
 reserved_idx('client.subscribe')             -> 207;
 reserved_idx('client.unsubscribe')           -> 208;
 reserved_idx('client.disconnected')          -> 209;

+ 2 - 2
apps/emqx/test/emqx_access_control_SUITE.erl

@@ -38,9 +38,9 @@ t_authenticate(_) ->
     emqx_zone:set_env(zone, allow_anonymous, true),
     ?assertMatch({ok, _}, emqx_access_control:authenticate(clientinfo())).
 
-t_check_authz(_) ->
+t_authorize(_) ->
     Publish = ?PUBLISH_PACKET(?QOS_0, <<"t">>, 1, <<"payload">>),
-    ?assertEqual(allow, emqx_access_control:check_authz(clientinfo(), Publish, <<"t">>)).
+    ?assertEqual(allow, emqx_access_control:authorize(clientinfo(), Publish, <<"t">>)).
 
 t_bypass_auth_plugins(_) ->
     ClientInfo = clientinfo(),

+ 2 - 2
apps/emqx/test/emqx_acl_test_mod.erl

@@ -18,14 +18,14 @@
 
 %% ACL callbacks
 -export([ init/1
-        , check_authz/2
+        , authorize/2
         , description/0
         ]).
 
 init(AclOpts) ->
     {ok, AclOpts}.
 
-check_authz({_User, _PubSub, _Topic}, _State) ->
+authorize({_User, _PubSub, _Topic}, _State) ->
     allow.
 
 description() ->

+ 1 - 1
apps/emqx/test/emqx_channel_SUITE.erl

@@ -37,7 +37,7 @@ init_per_suite(Config) ->
     ok = meck:new(emqx_access_control, [passthrough, no_history, no_link]),
     ok = meck:expect(emqx_access_control, authenticate,
                      fun(_) -> {ok, #{auth_result => success}} end),
-    ok = meck:expect(emqx_access_control, check_authz, fun(_, _, _) -> allow end),
+    ok = meck:expect(emqx_access_control, authorize, fun(_, _, _) -> allow end),
     %% Broker Meck
     ok = meck:new(emqx_broker, [passthrough, no_history, no_link]),
     %% Hooks Meck

+ 1 - 1
apps/emqx/test/emqx_mqtt_protocol_v5_SUITE.erl

@@ -198,7 +198,7 @@ t_batch_subscribe(_) ->
     {ok, Client} = emqtt:start_link([{proto_ver, v5}, {clientid, <<"batch_test">>}]),
     {ok, _} = emqtt:connect(Client),
     ok = meck:new(emqx_access_control, [non_strict, passthrough, no_history, no_link]),
-    meck:expect(emqx_access_control, check_authz, fun(_, _, _) -> deny end),
+    meck:expect(emqx_access_control, authorize, fun(_, _, _) -> deny end),
     {ok, _, [?RC_NOT_AUTHORIZED,
              ?RC_NOT_AUTHORIZED,
              ?RC_NOT_AUTHORIZED]} = emqtt:subscribe(Client, [{<<"t1">>, qos1},

+ 1 - 1
apps/emqx/test/emqx_ws_connection_SUITE.erl

@@ -64,7 +64,7 @@ init_per_testcase(TestCase, Config) when
                      end),
     %% Mock emqx_access_control
     ok = meck:new(emqx_access_control, [passthrough, no_history, no_link]),
-    ok = meck:expect(emqx_access_control, check_authz, fun(_, _, _) -> allow end),
+    ok = meck:expect(emqx_access_control, authorize, fun(_, _, _) -> allow end),
     %% Mock emqx_hooks
     ok = meck:new(emqx_hooks, [passthrough, no_history, no_link]),
     ok = meck:expect(emqx_hooks, run, fun(_Hook, _Args) -> ok end),

+ 16 - 16
apps/emqx_authz/src/emqx_authz.erl

@@ -26,7 +26,7 @@
         , compile/1
         , lookup/0
         , update/1
-        , check_authz/5
+        , authorize/5
         , match/4
         ]).
 
@@ -41,7 +41,7 @@ init() ->
     #{<<"authz">> := #{<<"rules">> := Rules}} = hocon_schema:check_plain(emqx_authz_schema, RawConf),
     ok = application:set_env(?APP, rules, Rules),
     NRules = [compile(Rule) || Rule <- Rules],
-    ok = emqx_hooks:add('client.check_authz', {?MODULE, check_authz, [NRules]},  -1).
+    ok = emqx_hooks:add('client.authorize', {?MODULE, authorize, [NRules]},  -1).
 
 lookup() ->
     application:get_env(?APP, rules, []).
@@ -50,8 +50,8 @@ update(Rules) ->
     ok = application:set_env(?APP, rules, Rules),
     NRules = [compile(Rule) || Rule <- Rules],
     Action = find_action_in_hooks(),
-    ok = emqx_hooks:del('client.check_authz', Action),
-    ok = emqx_hooks:add('client.check_authz', {?MODULE, check_authz, [NRules]},  -1),
+    ok = emqx_hooks:del('client.authorize', Action),
+    ok = emqx_hooks:add('client.authorize', {?MODULE, authorize, [NRules]},  -1),
     ok = emqx_acl_cache:empty_acl_cache().
 
 %%--------------------------------------------------------------------
@@ -59,8 +59,8 @@ update(Rules) ->
 %%--------------------------------------------------------------------
 
 find_action_in_hooks() ->
-    Callbacks = emqx_hooks:lookup('client.check_authz'),
-    [Action] = [Action || {callback,{?MODULE, check_authz, _} = Action, _, _} <- Callbacks ],
+    Callbacks = emqx_hooks:lookup('client.authorize'),
+    [Action] = [Action || {callback,{?MODULE, authorize, _} = Action, _, _} <- Callbacks ],
     Action.
 
 create_resource(#{<<"type">> := DB,
@@ -149,12 +149,12 @@ b2l(B) when is_binary(B) -> binary_to_list(B).
 %%--------------------------------------------------------------------
 
 %% @doc Check ACL
--spec(check_authz(emqx_types:clientinfo(), emqx_types:all(), emqx_topic:topic(), emqx_permission_rule:acl_result(), rules())
+-spec(authorize(emqx_types:clientinfo(), emqx_types:all(), emqx_topic:topic(), emqx_permission_rule:acl_result(), rules())
       -> {stop, allow} | {ok, deny}).
-check_authz(#{username := Username,
+authorize(#{username := Username,
               peerhost := IpAddress
              } = Client, PubSub, Topic, _DefaultResult, Rules) ->
-    case do_check_authz(Client, PubSub, Topic, Rules) of
+    case do_authorize(Client, PubSub, Topic, Rules) of
         {matched, allow} ->
             ?LOG(info, "Client succeeded authorization: Username: ~p, IP: ~p, Topic: ~p, Permission: allow", [Username, IpAddress, Topic]),
             emqx_metrics:inc(?ACL_METRICS(allow)),
@@ -168,25 +168,25 @@ check_authz(#{username := Username,
             {stop, deny}
     end.
 
-do_check_authz(Client, PubSub, Topic,
+do_authorize(Client, PubSub, Topic,
                [Connector = #{<<"principal">> := Principal,
                               <<"type">> := DB} | Tail] ) ->
     case match_principal(Client, Principal) of
         true ->
             Mod = list_to_existing_atom(io_lib:format("~s_~s",[emqx_authz, DB])),
-            case Mod:check_authz(Client, PubSub, Topic, Connector) of
-                nomatch -> do_check_authz(Client, PubSub, Topic, Tail);
+            case Mod:authorize(Client, PubSub, Topic, Connector) of
+                nomatch -> do_authorize(Client, PubSub, Topic, Tail);
                 Matched -> Matched
             end;
-        false -> do_check_authz(Client, PubSub, Topic, Tail)
+        false -> do_authorize(Client, PubSub, Topic, Tail)
     end;
-do_check_authz(Client, PubSub, Topic,
+do_authorize(Client, PubSub, Topic,
                [#{<<"permission">> := Permission} = Rule | Tail]) ->
     case match(Client, PubSub, Topic, Rule) of
         true -> {matched, Permission};
-        false -> do_check_authz(Client, PubSub, Topic, Tail)
+        false -> do_authorize(Client, PubSub, Topic, Tail)
     end;
-do_check_authz(_Client, _PubSub, _Topic, []) -> nomatch.
+do_authorize(_Client, _PubSub, _Topic, []) -> nomatch.
 
 match(Client, PubSub, Topic,
       #{<<"principal">> := Principal,
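Review bot: The `{stop, deny}` returned at the top of this hunk is not covered by the renamed spec in the previous hunk, which still declares `-> {stop, allow} | {ok, deny}`; emqx_authz_SUITE in this commit also asserts `{stop, deny}`. The difference matters to anyone reading the hook chain, since `stop` versus `ok` presumably decides whether later 'client.authorize' callbacks can still change the result. I would change the spec's return line to `-> {stop, allow} | {stop, deny}).` while the name is being touched. `authorize/5` starts in the previous hunk and its middle lines are not shown, so any other return shape there should be checked against the spec too.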

+ 6 - 6
apps/emqx_authz/src/emqx_authz_mysql.erl

@@ -23,7 +23,7 @@
 %% ACL Callbacks
 -export([ description/0
         , parse_query/1
-        , check_authz/4
+        , authorize/4
         ]).
 
 -ifdef(TEST).
@@ -45,25 +45,25 @@ parse_query(Sql) ->
             {Sql, []}
     end.
 
-check_authz(Client, PubSub, Topic,
+authorize(Client, PubSub, Topic,
             #{<<"resource_id">> := ResourceID,
               <<"sql">> := {SQL, Params}
              }) ->
     case emqx_resource:query(ResourceID, {sql, SQL, replvar(Params, Client)}) of
         {ok, _Columns, []} -> nomatch;
         {ok, Columns, Rows} ->
-            do_check_authz(Client, PubSub, Topic, Columns, Rows);
+            do_authorize(Client, PubSub, Topic, Columns, Rows);
         {error, Reason} ->
             ?LOG(error, "[AuthZ] Query mysql error: ~p~n", [Reason]),
             nomatch
     end.
 
-do_check_authz(_Client, _PubSub, _Topic, _Columns, []) ->
+do_authorize(_Client, _PubSub, _Topic, _Columns, []) ->
     nomatch;
-do_check_authz(Client, PubSub, Topic, Columns, [Row | Tail]) ->
+do_authorize(Client, PubSub, Topic, Columns, [Row | Tail]) ->
     case match(Client, PubSub, Topic, format_result(Columns, Row)) of
         {matched, Permission} -> {matched, Permission};
-        nomatch -> do_check_authz(Client, PubSub, Topic, Columns, Tail)
+        nomatch -> do_authorize(Client, PubSub, Topic, Columns, Tail)
     end.
 
 format_result(Columns, Row) ->
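Review bot: In `authorize/4` the `{error, Reason}` branch logs and returns `nomatch`, the same value as "no rows", so a failed MySQL query is indistinguishable from an absent rule and evaluation moves on to the next rule in emqx_authz's list. If deny rules live in this backend, an outage would let a later allow rule decide; that looks like an unintended fail-open path, though it depends on rule ordering that is not visible here. At minimum the branch deserves a comment such as `%% Query failure is treated as nomatch: later rules still decide.`; if fail-closed is wanted, returning `{matched, deny}` from this branch would stop the walk (confirm that emqx_authz handles that shape). The pgsql and redis `authorize/4` hunks have the same branch.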

+ 6 - 6
apps/emqx_authz/src/emqx_authz_pgsql.erl

@@ -23,7 +23,7 @@
 %% ACL Callbacks
 -export([ description/0
         , parse_query/1
-        , check_authz/4
+        , authorize/4
         ]).
 
 -ifdef(TEST).
@@ -49,25 +49,25 @@ parse_query(Sql) ->
             {Sql, []}
     end.
 
-check_authz(Client, PubSub, Topic,
+authorize(Client, PubSub, Topic,
             #{<<"resource_id">> := ResourceID,
               <<"sql">> := {SQL, Params}
              }) ->
     case emqx_resource:query(ResourceID, {sql, SQL, replvar(Params, Client)}) of
         {ok, _Columns, []} -> nomatch;
         {ok, Columns, Rows} ->
-            do_check_authz(Client, PubSub, Topic, Columns, Rows);
+            do_authorize(Client, PubSub, Topic, Columns, Rows);
         {error, Reason} ->
             ?LOG(error, "[AuthZ] Query pgsql error: ~p~n", [Reason]),
             nomatch
     end.
 
-do_check_authz(_Client, _PubSub, _Topic, _Columns, []) ->
+do_authorize(_Client, _PubSub, _Topic, _Columns, []) ->
     nomatch;
-do_check_authz(Client, PubSub, Topic, Columns, [Row | Tail]) ->
+do_authorize(Client, PubSub, Topic, Columns, [Row | Tail]) ->
     case match(Client, PubSub, Topic, format_result(Columns, Row)) of
         {matched, Permission} -> {matched, Permission};
-        nomatch -> do_check_authz(Client, PubSub, Topic, Columns, Tail)
+        nomatch -> do_authorize(Client, PubSub, Topic, Columns, Tail)
     end.
 
 format_result(Columns, Row) ->

+ 6 - 6
apps/emqx_authz/src/emqx_authz_redis.erl

@@ -21,7 +21,7 @@
 -include_lib("emqx/include/logger.hrl").
 
 %% ACL Callbacks
--export([ check_authz/4
+-export([ authorize/4
         , description/0
         ]).
 
@@ -33,7 +33,7 @@
 description() ->
     "AuthZ with redis".
 
-check_authz(Client, PubSub, Topic,
+authorize(Client, PubSub, Topic,
             #{<<"resource_id">> := ResourceID,
               <<"cmd">> := CMD 
              }) ->
@@ -41,22 +41,22 @@ check_authz(Client, PubSub, Topic,
     case emqx_resource:query(ResourceID, {cmd, NCMD}) of
         {ok, []} -> nomatch;
         {ok, Rows} ->
-            do_check_authz(Client, PubSub, Topic, Rows);
+            do_authorize(Client, PubSub, Topic, Rows);
         {error, Reason} ->
             ?LOG(error, "[AuthZ] Query redis error: ~p", [Reason]),
             nomatch
     end.
 
-do_check_authz(_Client, _PubSub, _Topic, []) ->
+do_authorize(_Client, _PubSub, _Topic, []) ->
     nomatch;
-do_check_authz(Client, PubSub, Topic, [TopicFilter, Action | Tail]) ->
+do_authorize(Client, PubSub, Topic, [TopicFilter, Action | Tail]) ->
     case match(Client, PubSub, Topic, 
                #{topics => TopicFilter,
                  action => Action
                 }) 
     of
         {matched, Permission} -> {matched, Permission};
-        nomatch -> do_check_authz(Client, PubSub, Topic, Tail)
+        nomatch -> do_authorize(Client, PubSub, Topic, Tail)
     end.
 
 match(Client, PubSub, Topic, 

+ 10 - 10
apps/emqx_authz/test/emqx_authz_SUITE.erl

@@ -145,23 +145,23 @@ t_authz(_) ->
     Rules4 = [emqx_authz:compile(Rule) || Rule <- [?RULE4, ?RULE1]],
 
     ?assertEqual({stop, deny},
-        emqx_authz:check_authz(ClientInfo1, subscribe, <<"#">>, deny, [])),
+        emqx_authz:authorize(ClientInfo1, subscribe, <<"#">>, deny, [])),
     ?assertEqual({stop, deny},
-        emqx_authz:check_authz(ClientInfo1, subscribe, <<"+">>, deny, Rules1)),
+        emqx_authz:authorize(ClientInfo1, subscribe, <<"+">>, deny, Rules1)),
     ?assertEqual({stop, allow},
-        emqx_authz:check_authz(ClientInfo1, subscribe, <<"+">>, deny, Rules2)),
+        emqx_authz:authorize(ClientInfo1, subscribe, <<"+">>, deny, Rules2)),
     ?assertEqual({stop, allow},
-        emqx_authz:check_authz(ClientInfo1, publish, <<"test">>, deny, Rules3)),
+        emqx_authz:authorize(ClientInfo1, publish, <<"test">>, deny, Rules3)),
     ?assertEqual({stop, deny},
-        emqx_authz:check_authz(ClientInfo1, publish, <<"test">>, deny, Rules4)),
+        emqx_authz:authorize(ClientInfo1, publish, <<"test">>, deny, Rules4)),
     ?assertEqual({stop, deny},
-        emqx_authz:check_authz(ClientInfo2, subscribe, <<"#">>, deny, Rules2)),
+        emqx_authz:authorize(ClientInfo2, subscribe, <<"#">>, deny, Rules2)),
     ?assertEqual({stop, deny},
-        emqx_authz:check_authz(ClientInfo3, publish, <<"test">>, deny, Rules3)),
+        emqx_authz:authorize(ClientInfo3, publish, <<"test">>, deny, Rules3)),
     ?assertEqual({stop, deny},
-        emqx_authz:check_authz(ClientInfo3, publish, <<"fake">>, deny, Rules4)),
+        emqx_authz:authorize(ClientInfo3, publish, <<"fake">>, deny, Rules4)),
     ?assertEqual({stop, deny},
-        emqx_authz:check_authz(ClientInfo4, publish, <<"test">>, deny, Rules3)),
+        emqx_authz:authorize(ClientInfo4, publish, <<"test">>, deny, Rules3)),
     ?assertEqual({stop, deny},
-        emqx_authz:check_authz(ClientInfo4, publish, <<"fake">>, deny, Rules4)),
+        emqx_authz:authorize(ClientInfo4, publish, <<"fake">>, deny, Rules4)),
     ok.

+ 12 - 12
apps/emqx_authz/test/emqx_authz_mysql_SUITE.erl

@@ -95,23 +95,23 @@ t_authz(_) ->
                    },
 
     meck:expect(emqx_resource, query, fun(_, _) -> {ok, ?COLUMNS, []} end),
-    ?assertEqual(deny, emqx_access_control:check_authz(ClientInfo1, subscribe, <<"#">>)), % nomatch
-    ?assertEqual(deny, emqx_access_control:check_authz(ClientInfo1, publish, <<"#">>)), % nomatch
+    ?assertEqual(deny, emqx_access_control:authorize(ClientInfo1, subscribe, <<"#">>)), % nomatch
+    ?assertEqual(deny, emqx_access_control:authorize(ClientInfo1, publish, <<"#">>)), % nomatch
 
     meck:expect(emqx_resource, query, fun(_, _) -> {ok, ?COLUMNS, ?RULE1 ++ ?RULE2} end),
-    ?assertEqual(deny, emqx_access_control:check_authz(ClientInfo1, subscribe, <<"+">>)),
-    ?assertEqual(deny, emqx_access_control:check_authz(ClientInfo1, publish, <<"+">>)),
+    ?assertEqual(deny, emqx_access_control:authorize(ClientInfo1, subscribe, <<"+">>)),
+    ?assertEqual(deny, emqx_access_control:authorize(ClientInfo1, publish, <<"+">>)),
 
     meck:expect(emqx_resource, query, fun(_, _) -> {ok, ?COLUMNS, ?RULE2 ++ ?RULE1} end),
-    ?assertEqual(allow, emqx_access_control:check_authz(ClientInfo1, subscribe, <<"#">>)),
-    ?assertEqual(deny, emqx_access_control:check_authz(ClientInfo1, subscribe, <<"+">>)),
+    ?assertEqual(allow, emqx_access_control:authorize(ClientInfo1, subscribe, <<"#">>)),
+    ?assertEqual(deny, emqx_access_control:authorize(ClientInfo1, subscribe, <<"+">>)),
 
     meck:expect(emqx_resource, query, fun(_, _) -> {ok, ?COLUMNS, ?RULE3 ++ ?RULE4} end),
-    ?assertEqual(allow, emqx_access_control:check_authz(ClientInfo2, subscribe, <<"test/test_clientid">>)),
-    ?assertEqual(deny,  emqx_access_control:check_authz(ClientInfo2, publish,   <<"test/test_clientid">>)),
-    ?assertEqual(deny,  emqx_access_control:check_authz(ClientInfo2, subscribe, <<"test/test_username">>)),
-    ?assertEqual(allow, emqx_access_control:check_authz(ClientInfo2, publish,   <<"test/test_username">>)),
-    ?assertEqual(deny,  emqx_access_control:check_authz(ClientInfo3, subscribe, <<"test">>)), % nomatch
-    ?assertEqual(deny,  emqx_access_control:check_authz(ClientInfo3, publish,   <<"test">>)), % nomatch
+    ?assertEqual(allow, emqx_access_control:authorize(ClientInfo2, subscribe, <<"test/test_clientid">>)),
+    ?assertEqual(deny,  emqx_access_control:authorize(ClientInfo2, publish,   <<"test/test_clientid">>)),
+    ?assertEqual(deny,  emqx_access_control:authorize(ClientInfo2, subscribe, <<"test/test_username">>)),
+    ?assertEqual(allow, emqx_access_control:authorize(ClientInfo2, publish,   <<"test/test_username">>)),
+    ?assertEqual(deny,  emqx_access_control:authorize(ClientInfo3, subscribe, <<"test">>)), % nomatch
+    ?assertEqual(deny,  emqx_access_control:authorize(ClientInfo3, publish,   <<"test">>)), % nomatch
     ok.
 

+ 12 - 12
apps/emqx_authz/test/emqx_authz_pgsql_SUITE.erl

@@ -95,23 +95,23 @@ t_authz(_) ->
                    },
 
     meck:expect(emqx_resource, query, fun(_, _) -> {ok, ?COLUMNS, []} end),
-    ?assertEqual(deny, emqx_access_control:check_authz(ClientInfo1, subscribe, <<"#">>)), % nomatch
-    ?assertEqual(deny, emqx_access_control:check_authz(ClientInfo1, publish, <<"#">>)), % nomatch
+    ?assertEqual(deny, emqx_access_control:authorize(ClientInfo1, subscribe, <<"#">>)), % nomatch
+    ?assertEqual(deny, emqx_access_control:authorize(ClientInfo1, publish, <<"#">>)), % nomatch
 
     meck:expect(emqx_resource, query, fun(_, _) -> {ok, ?COLUMNS, ?RULE1 ++ ?RULE2} end),
-    ?assertEqual(deny, emqx_access_control:check_authz(ClientInfo1, subscribe, <<"+">>)),
-    ?assertEqual(deny, emqx_access_control:check_authz(ClientInfo1, publish, <<"+">>)),
+    ?assertEqual(deny, emqx_access_control:authorize(ClientInfo1, subscribe, <<"+">>)),
+    ?assertEqual(deny, emqx_access_control:authorize(ClientInfo1, publish, <<"+">>)),
 
     meck:expect(emqx_resource, query, fun(_, _) -> {ok, ?COLUMNS, ?RULE2 ++ ?RULE1} end),
-    ?assertEqual(allow, emqx_access_control:check_authz(ClientInfo1, subscribe, <<"#">>)),
-    ?assertEqual(deny, emqx_access_control:check_authz(ClientInfo2, subscribe, <<"+">>)),
+    ?assertEqual(allow, emqx_access_control:authorize(ClientInfo1, subscribe, <<"#">>)),
+    ?assertEqual(deny, emqx_access_control:authorize(ClientInfo2, subscribe, <<"+">>)),
 
     meck:expect(emqx_resource, query, fun(_, _) -> {ok, ?COLUMNS, ?RULE3 ++ ?RULE4} end),
-    ?assertEqual(allow, emqx_access_control:check_authz(ClientInfo2, subscribe, <<"test/test_clientid">>)),
-    ?assertEqual(deny,  emqx_access_control:check_authz(ClientInfo2, publish,   <<"test/test_clientid">>)),
-    ?assertEqual(deny,  emqx_access_control:check_authz(ClientInfo2, subscribe, <<"test/test_username">>)),
-    ?assertEqual(allow, emqx_access_control:check_authz(ClientInfo2, publish,   <<"test/test_username">>)),
-    ?assertEqual(deny,  emqx_access_control:check_authz(ClientInfo3, subscribe, <<"test">>)), % nomatch
-    ?assertEqual(deny,  emqx_access_control:check_authz(ClientInfo3, publish,   <<"test">>)), % nomatch
+    ?assertEqual(allow, emqx_access_control:authorize(ClientInfo2, subscribe, <<"test/test_clientid">>)),
+    ?assertEqual(deny,  emqx_access_control:authorize(ClientInfo2, publish,   <<"test/test_clientid">>)),
+    ?assertEqual(deny,  emqx_access_control:authorize(ClientInfo2, subscribe, <<"test/test_username">>)),
+    ?assertEqual(allow, emqx_access_control:authorize(ClientInfo2, publish,   <<"test/test_username">>)),
+    ?assertEqual(deny,  emqx_access_control:authorize(ClientInfo3, subscribe, <<"test">>)), % nomatch
+    ?assertEqual(deny,  emqx_access_control:authorize(ClientInfo3, publish,   <<"test">>)), % nomatch
     ok.
 

+ 8 - 8
apps/emqx_authz/test/emqx_authz_redis_SUITE.erl

@@ -84,30 +84,30 @@ t_authz(_) ->
     meck:expect(emqx_resource, query, fun(_, _) -> {ok, []} end),
     % nomatch
     ?assertEqual(deny,
-                 emqx_access_control:check_authz(ClientInfo, subscribe, <<"#">>)),
+                 emqx_access_control:authorize(ClientInfo, subscribe, <<"#">>)),
     ?assertEqual(deny,
-                 emqx_access_control:check_authz(ClientInfo, publish, <<"#">>)),
+                 emqx_access_control:authorize(ClientInfo, publish, <<"#">>)),
 
 
     meck:expect(emqx_resource, query, fun(_, _) -> {ok, ?RULE1 ++ ?RULE2} end),
     % nomatch
     ?assertEqual(deny,
-        emqx_access_control:check_authz(ClientInfo, subscribe, <<"+">>)),
+        emqx_access_control:authorize(ClientInfo, subscribe, <<"+">>)),
     % nomatch
     ?assertEqual(deny,
-        emqx_access_control:check_authz(ClientInfo, subscribe, <<"test/username">>)),
+        emqx_access_control:authorize(ClientInfo, subscribe, <<"test/username">>)),
 
     ?assertEqual(allow,
-        emqx_access_control:check_authz(ClientInfo, publish, <<"test/clientid">>)),
+        emqx_access_control:authorize(ClientInfo, publish, <<"test/clientid">>)),
     ?assertEqual(allow,
-        emqx_access_control:check_authz(ClientInfo, publish, <<"test/clientid">>)),
+        emqx_access_control:authorize(ClientInfo, publish, <<"test/clientid">>)),
 
     meck:expect(emqx_resource, query, fun(_, _) -> {ok, ?RULE3} end),
 
     ?assertEqual(allow,
-        emqx_access_control:check_authz(ClientInfo, subscribe, <<"#">>)),
+        emqx_access_control:authorize(ClientInfo, subscribe, <<"#">>)),
     % nomatch
     ?assertEqual(deny,
-        emqx_access_control:check_authz(ClientInfo, publish, <<"#">>)),
+        emqx_access_control:authorize(ClientInfo, publish, <<"#">>)),
     ok.
 

+ 2 - 2
apps/emqx_coap/src/emqx_coap_mqtt_adapter.erl

@@ -222,7 +222,7 @@ code_change(_OldVsn, State, _Extra) ->
 
 chann_subscribe(Topic, State = #state{clientid = ClientId}) ->
     ?LOG(debug, "subscribe Topic=~p", [Topic]),
-    case emqx_access_control:check_authz(clientinfo(State), subscribe, Topic) of
+    case emqx_access_control:authorize(clientinfo(State), subscribe, Topic) of
         allow ->
             emqx_broker:subscribe(Topic, ClientId, ?SUBOPTS),
             emqx_hooks:run('session.subscribed', [clientinfo(State), Topic, ?SUBOPTS]),
@@ -241,7 +241,7 @@ chann_unsubscribe(Topic, State) ->
 
 chann_publish(Topic, Payload, State = #state{clientid = ClientId}) ->
     ?LOG(debug, "publish Topic=~p, Payload=~p", [Topic, Payload]),
-    case emqx_access_control:check_authz(clientinfo(State), publish, Topic) of
+    case emqx_access_control:authorize(clientinfo(State), publish, Topic) of
         allow ->
             _ = emqx_broker:publish(
                     emqx_message:set_flag(retain, false,
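Review bot: `chann_publish/3` writes the full `Payload` to the debug log before `emqx_access_control:authorize/3` has run, so the payloads of publishes that end up denied are logged along with the allowed ones. Message bodies can carry credentials or personal data, and debug logging is often switched on during incident work. I would log the size instead, e.g. `?LOG(debug, "publish Topic=~p, PayloadSize=~p", [Topic, iolist_size(Payload)])`, assuming Payload is a binary or iolist. The function body continues past the end of this hunk.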

+ 3 - 3
apps/emqx_coap/test/emqx_coap_SUITE.erl

@@ -77,7 +77,7 @@ t_publish_acl_deny(_Config) ->
     emqx:subscribe(Topic),
 
     ok = meck:new(emqx_access_control, [non_strict, passthrough, no_history]),
-    ok = meck:expect(emqx_access_control, check_authz, 3, deny),
+    ok = meck:expect(emqx_access_control, authorize, 3, deny),
     Reply = er_coap_client:request(put, URI, #coap_content{format = <<"application/octet-stream">>, payload = Payload}),
     ?assertEqual({error,forbidden}, Reply),
     ok = meck:unload(emqx_access_control),
@@ -114,7 +114,7 @@ t_observe_acl_deny(_Config) ->
     Topic = <<"abc">>, TopicStr = binary_to_list(Topic),
     Uri = "coap://127.0.0.1/mqtt/"++TopicStr++"?c=client1&u=tom&p=secret",
     ok = meck:new(emqx_access_control, [non_strict, passthrough, no_history]),
-    ok = meck:expect(emqx_access_control, check_authz, 3, deny),
+    ok = meck:expect(emqx_access_control, authorize, 3, deny),
     ?assertEqual({error,forbidden}, er_coap_observer:observe(Uri)),
     [] = emqx:subscribers(Topic),
     ok = meck:unload(emqx_access_control).
@@ -289,7 +289,7 @@ t_acl(Config) ->
         ok
     end,
 
-    ok = emqx_hooks:del('client.check_authz', {emqx_authz, check_authz}),
+    ok = emqx_hooks:del('client.authorize', {emqx_authz, authorize}),
     file:delete(filename:join(emqx:get_env(plugins_etc_dir), 'authz.conf')),
     application:set_env(emqx, plugins_etc_dir, OldPath),
     application:stop(emqx_authz).

+ 1 - 1
apps/emqx_exhook/include/emqx_exhook.hrl

@@ -25,7 +25,7 @@
       , {'client.connected',    {emqx_exhook_handler, on_client_connected,     []}}
       , {'client.disconnected', {emqx_exhook_handler, on_client_disconnected,  []}}
       , {'client.authenticate', {emqx_exhook_handler, on_client_authenticate,  []}}
-      , {'client.check_authz',    {emqx_exhook_handler, on_client_check_authz,     []}}
+      , {'client.authorize',    {emqx_exhook_handler, on_client_authorize,     []}}
       , {'client.subscribe',    {emqx_exhook_handler, on_client_subscribe,     []}}
       , {'client.unsubscribe',  {emqx_exhook_handler, on_client_unsubscribe,   []}}
       , {'session.created',     {emqx_exhook_handler, on_session_created,      []}}

+ 4 - 4
apps/emqx_exhook/priv/protos/exhook.proto

@@ -40,7 +40,7 @@ service HookProvider {
 
   rpc OnClientAuthenticate(ClientAuthenticateRequest) returns (ValuedResponse) {};
 
-  rpc OnClientCheckAuthz(ClientCheckAuthzRequest) returns (ValuedResponse) {};
+  rpc OnClientAuthorize(ClientAuthorizeRequest) returns (ValuedResponse) {};
 
   rpc OnClientSubscribe(ClientSubscribeRequest) returns (EmptySuccess) {};
 
@@ -123,7 +123,7 @@ message ClientAuthenticateRequest {
   bool result = 2;
 }
 
-message ClientCheckAuthzRequest {
+message ClientAuthorizeRequest {
 
   ClientInfo clientinfo = 1;
 
@@ -253,7 +253,7 @@ message ValuedResponse {
 
   oneof value {
 
-    // Boolean result, used on the 'client.authenticate', 'client.check_authz' hooks
+    // Boolean result, used on the 'client.authenticate', 'client.authorize' hooks
     bool bool_result = 3;
 
     // Message result, used on the 'message.*' hooks
@@ -279,7 +279,7 @@ message HookSpec {
   // Available value:
   //   "client.connect",      "client.connack"
   //   "client.connected",    "client.disconnected"
-  //   "client.authenticate", "client.check_authz"
+  //   "client.authenticate", "client.authorize"
   //   "client.subscribe",    "client.unsubscribe"
   //
   //   "session.created",      "session.subscribed"

+ 3 - 3
apps/emqx_exhook/src/emqx_exhook_handler.erl

@@ -27,7 +27,7 @@
         , on_client_connected/2
         , on_client_disconnected/3
         , on_client_authenticate/2
-        , on_client_check_authz/4
+        , on_client_authorize/4
         , on_client_subscribe/3
         , on_client_unsubscribe/3
         ]).
@@ -109,7 +109,7 @@ on_client_authenticate(ClientInfo, AuthResult) ->
             {ok, AuthResult}
     end.
 
-on_client_check_authz(ClientInfo, PubSub, Topic, Result) ->
+on_client_authorize(ClientInfo, PubSub, Topic, Result) ->
     Bool = Result == allow,
     Type = case PubSub of
                publish -> 'PUBLISH';
@@ -120,7 +120,7 @@ on_client_check_authz(ClientInfo, PubSub, Topic, Result) ->
             topic => Topic,
             result => Bool
            },
-    case call_fold('client.check_authz', Req,
+    case call_fold('client.authorize', Req,
                    fun merge_responsed_bool/2) of
         {StopOrOk, #{result := Result0}} when is_boolean(Result0) ->
             NResult = case Result0 of true -> allow; _ -> deny end,

+ 3 - 3
apps/emqx_exhook/src/emqx_exhook_server.erl

@@ -58,7 +58,7 @@
                    | 'client.connected'
                    | 'client.disconnected'
                    | 'client.authenticate'
-                   | 'client.check_authz'
+                   | 'client.authorize'
                    | 'client.subscribe'
                    | 'client.unsubscribe'
                    | 'session.created'
@@ -297,7 +297,7 @@ hk2func('client.connack') -> 'on_client_connack';
 hk2func('client.connected') -> 'on_client_connected';
 hk2func('client.disconnected') -> 'on_client_disconnected';
 hk2func('client.authenticate') -> 'on_client_authenticate';
-hk2func('client.check_authz') -> 'on_client_check_authz';
+hk2func('client.authorize') -> 'on_client_authorize';
 hk2func('client.subscribe') -> 'on_client_subscribe';
 hk2func('client.unsubscribe') -> 'on_client_unsubscribe';
 hk2func('session.created') -> 'on_session_created';
@@ -320,7 +320,7 @@ message_hooks() ->
 -compile({inline, [available_hooks/0]}).
 available_hooks() ->
     ['client.connect', 'client.connack', 'client.connected',
-     'client.disconnected', 'client.authenticate', 'client.check_authz',
+     'client.disconnected', 'client.authenticate', 'client.authorize',
      'client.subscribe', 'client.unsubscribe',
      'session.created', 'session.subscribed', 'session.unsubscribed',
      'session.resumed', 'session.discarded', 'session.takeovered',

+ 4 - 4
apps/emqx_exhook/test/emqx_exhook_demo_svr.erl

@@ -33,7 +33,7 @@
         , on_client_connected/2
         , on_client_disconnected/2
         , on_client_authenticate/2
-        , on_client_check_authz/2
+        , on_client_authorize/2
         , on_client_subscribe/2
         , on_client_unsubscribe/2
         , on_session_created/2
@@ -122,7 +122,7 @@ on_provider_loaded(Req, Md) ->
                      #{name => <<"client.connected">>},
                      #{name => <<"client.disconnected">>},
                      #{name => <<"client.authenticate">>},
-                     #{name => <<"client.check_authz">>},
+                     #{name => <<"client.authorize">>},
                      #{name => <<"client.subscribe">>},
                      #{name => <<"client.unsubscribe">>},
                      #{name => <<"session.created">>},
@@ -197,10 +197,10 @@ on_client_authenticate(#{clientinfo := #{username := Username}} = Req, Md) ->
             {ok, #{type => 'IGNORE'}, Md}
     end.
 
--spec on_client_check_authz(emqx_exhook_pb:client_check_authz_request(), grpc:metadata())
+-spec on_client_authorize(emqx_exhook_pb:client_authorize_request(), grpc:metadata())
     -> {ok, emqx_exhook_pb:valued_response(), grpc:metadata()}
      | {error, grpc_cowboy_h:error_response()}.
-on_client_check_authz(#{clientinfo := #{username := Username}} = Req, Md) ->
+on_client_authorize(#{clientinfo := #{username := Username}} = Req, Md) ->
     ?MODULE:in({?FUNCTION_NAME, Req}),
     %io:format("fun: ~p, req: ~0p~n", [?FUNCTION_NAME, Req]),
     %% some cases for testing

+ 3 - 3
apps/emqx_exhook/test/props/prop_exhook_hooks.erl

@@ -109,14 +109,14 @@ prop_client_authenticate() ->
             true
         end).
 
-prop_client_check_authz() ->
+prop_client_authorize() ->
     ?ALL({ClientInfo0, PubSub, Topic, Result},
          {clientinfo(), oneof([publish, subscribe]),
           topic(), oneof([allow, deny])},
         begin
             ClientInfo = inject_magic_into(username, ClientInfo0),
             OutResult = emqx_hooks:run_fold(
-                          'client.check_authz',
+                          'client.authorize',
                           [ClientInfo, PubSub, Topic],
                           Result),
             ExpectedOutResult = case maps:get(username, ClientInfo) of
@@ -127,7 +127,7 @@ prop_client_check_authz() ->
                                  end,
             ?assertEqual(ExpectedOutResult, OutResult),
 
-            {'on_client_check_authz', Resp} = emqx_exhook_demo_svr:take(),
+            {'on_client_authorize', Resp} = emqx_exhook_demo_svr:take(),
             Expected =
                 #{result => aclresult_to_bool(Result),
                   type => pubsub_to_enum(PubSub),

+ 2 - 2
apps/emqx_exproto/src/emqx_exproto_channel.erl

@@ -305,7 +305,7 @@ handle_call({subscribe, TopicFilter, Qos},
                          conn_state = connected,
                          clientinfo = ClientInfo}) ->
     case is_acl_enabled(ClientInfo) andalso
-         emqx_access_control:check_authz(ClientInfo, subscribe, TopicFilter) of
+         emqx_access_control:authorize(ClientInfo, subscribe, TopicFilter) of
         deny ->
             {reply, {error, ?RESP_PERMISSION_DENY, <<"ACL deny">>}, Channel};
         _ ->
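Review bot: The `_ ->` branch after `deny` treats every other value as permission, so the subscribe path proceeds not only for `false` (ACL disabled) and `allow` but also for any unexpected return from `emqx_access_control:authorize/3`; the publish clause in the next hunk has the same shape. Since both call sites are touched here, matching the permitted values explicitly would make an unexpected value raise `case_clause` instead of being accepted: `Ok when Ok =:= false; Ok =:= allow ->` in place of `_ ->`. Both `handle_call` clauses begin and end outside their hunks, so the body of the permitted branch is not visible here.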
@@ -325,7 +325,7 @@ handle_call({publish, Topic, Qos, Payload},
                                     = #{clientid := From,
                                         mountpoint := Mountpoint}}) ->
     case is_acl_enabled(ClientInfo) andalso
-         emqx_access_control:check_authz(ClientInfo, publish, Topic) of
+         emqx_access_control:authorize(ClientInfo, publish, Topic) of
         deny ->
             {reply, {error, ?RESP_PERMISSION_DENY, <<"ACL deny">>}, Channel};
         _ ->

+ 1 - 1
apps/emqx_exproto/test/emqx_exproto_SUITE.erl

@@ -167,7 +167,7 @@ t_acl_deny(Cfg) ->
     Password = <<"123456">>,
 
     ok = meck:new(emqx_access_control, [passthrough, no_history, no_link]),
-    ok = meck:expect(emqx_access_control, check_authz, fun(_, _, _) -> deny end),
+    ok = meck:expect(emqx_access_control, authorize, fun(_, _, _) -> deny end),
 
     ConnBin = frame_connect(Client, Password),
     ConnAckBin = frame_connack(0),

+ 3 - 3
apps/emqx_prometheus/src/emqx_prometheus.erl

@@ -414,8 +414,8 @@ emqx_collect(emqx_client_authenticate, Stats) ->
     counter_metric(?C('client.authenticate', Stats));
 emqx_collect(emqx_client_auth_anonymous, Stats) ->
     counter_metric(?C('client.auth.anonymous', Stats));
-emqx_collect(emqx_client_check_authz, Stats) ->
-    counter_metric(?C('client.check_authz', Stats));
+emqx_collect(emqx_client_authorize, Stats) ->
+    counter_metric(?C('client.authorize', Stats));
 emqx_collect(emqx_client_subscribe, Stats) ->
     counter_metric(?C('client.subscribe', Stats));
 emqx_collect(emqx_client_unsubscribe, Stats) ->
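Review bot: The metric key changes from `emqx_client_check_authz` to `emqx_client_authorize` in this clause and in `emqx_metrics_client/0` in the next hunk, and nothing in the change records that for operators. If that key is the exported series name, as it appears to be, dashboards and alert rules that query the old name will stop matching without any error, which matters wherever the authorization counter feeds monitoring. A comment on the clause such as `%% renamed from emqx_client_check_authz; update dashboards and alert rules`, together with a changelog entry, would cover it.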
@@ -567,7 +567,7 @@ emqx_metrics_client() ->
     [ emqx_client_connected
     , emqx_client_authenticate
     , emqx_client_auth_anonymous
-    , emqx_client_check_authz
+    , emqx_client_authorize
     , emqx_client_subscribe
     , emqx_client_unsubscribe
     , emqx_client_disconnected