| Re: [mosquitto-dev] ACL default policy deny/grant access |
|
Steve, When “allow_anonymous” is set to false, the default is to deny access to topics. Well, maybe “deny access” isn’t the correct wording; it is really more like
“deny message delivery” from what I have seen. The “mosquitto_sub” and “mosquitto_pub” programs will still allow “bob” to subscribe and post messages to those topics but the messages would just never actually be delivered. I think that what you have in your
email below for the ACL file is missing the “user” portion at the beginning of the line. It should like this: user joe topic xyz user sally topic abc I recreated this example on my laptop using the following files in the /etc/mosquitto/conf.d/ folder: test.conf ================================== allow_anonymous false password_file /etc/mosquitto/conf.d/test.users acl_file /etc/mosquitto/conf.d/test.acl ================================== test.users (entries added through the mosquitto_passwd program) ================================== joe:$6$gx0/JFD2cZTLFEDX$cDp6VPOZpV9Vg5EHUnbWebHsDJACyMqidb+IttNRcqIkicXFzYUrrZTARdoe7aZxmwfX0yDSLAzs33T4d5zlFw== sally:$6$X0yEqpZt0n5ToQm/$QlcguGRJo8SFjV9jiCikvyf7VEu5jTmDIz3GvpwcE8H1gO0Sb05L5kfZW7WlyHSjsdOLJ9p9c5YbE+mx/pC8kQ== bob:$6$2K0mPgQ9To8XeAua$LsPuFDwt3kHiBMlML3UYj/BslCzkd6z50kpcJxgK15TVujQyp7WBUOMCvezmGlvf5KWUCyEkJ5UJ7cnmhPFsKw== ================================== test.acl ================================== user joe topic xyz user sally topic abc ================================== After restarting the mosquitto broker with “sudo services mosquitto restart”,
I then ran the following command in one terminal window: mosquitto_sub -h localhost -p 1883 -v –t xyz –u joe –P <my_password> Then, in another terminal window, I ran this command: mosquitto_pub –h localhost –p 1883 –t xyz –u bob –P <my_password> -m hello In the terminal window for “joe”, he never sees the “hello” message from “bob” since joe doesn’t have read access to the “xyz” topic. I then did the reverse of this scenario. In the terminal window for “bob”, I ran this command: mosquitto_sub -h localhost -p 1883 -v -t xyz -u bob -P <my_password> Then in the terminal window for “joe”, I ran this command: mosquitto_pub -h localhost -p 1883 -t xyz -u joe -P <my_password> -m hello In the terminal window for “bob”, he never sees the “hello” message from “joe” since joe doesn’t have write access to the “xyz” topic. I hope this helps. Thanks, Dwayne From: mosquitto-dev-bounces@xxxxxxxxxxx [mailto:mosquitto-dev-bounces@xxxxxxxxxxx]
On Behalf Of info@xxxxxxxxxxxxxxxx
Hi, I am working with mosquitto 1.3.5 and its pretty exciting. Now configuring ACL to control access to topics, I am trying to configure it so that per-user access is denied unless an entry explicitly appears in the ACL. In other words a default policy to block access. I am using explcit logins having set up password file. mosquitto.conf allow_anonymous is false. Thus any publisher or subscribe client must have an explicit user/pass authorized. This works fine, now here is the ACL file: # there are no anonymous client entries in this ACL # give username joe RW access to topic xyz joe topic xyz # give username sally RW access to topic abc sally topic abc for any user other than joe and sally the objective is to deny access. Yet it appears that other usernames, for example bob, can access topics xyz and abc, unless there is a record for bob in the ACL. In other words bob has wildcard access to any topic unless bob is blocked by adding an ACL entry like this: # block bob from any access bob # or an alternative way to block bob bob null However, as a project scales up the burden of adding ACL records for each user could be hard to manage. Am I missing something here? Is there a way to configure a default ACL policy to grant or block? Cheers, Steve |