|Re: [mosquitto-dev] ACL default policy deny/grant access|
When “allow_anonymous” is set to false, the default is to deny access to topics. Well, maybe “deny access” isn’t the correct wording; it is really more like “deny message delivery” from what I have seen. The “mosquitto_sub” and “mosquitto_pub” programs will still allow “bob” to subscribe and post messages to those topics but the messages would just never actually be delivered. I think that what you have in your email below for the ACL file is missing the “user” portion at the beginning of the line. It should like this:
I recreated this example on my laptop using the following files in the /etc/mosquitto/conf.d/ folder:
test.users (entries added through the mosquitto_passwd program)
After restarting the mosquitto broker with “sudo services mosquitto restart”, I then ran the following command in one terminal window:
mosquitto_sub -h localhost -p 1883 -v –t xyz –u joe –P <my_password>
Then, in another terminal window, I ran this command:
mosquitto_pub –h localhost –p 1883 –t xyz –u bob –P <my_password> -m hello
In the terminal window for “joe”, he never sees the “hello” message from “bob” since joe doesn’t have read access to the “xyz” topic.
I then did the reverse of this scenario. In the terminal window for “bob”, I ran this command:
mosquitto_sub -h localhost -p 1883 -v -t xyz -u bob -P <my_password>
Then in the terminal window for “joe”, I ran this command:
mosquitto_pub -h localhost -p 1883 -t xyz -u joe -P <my_password> -m hello
In the terminal window for “bob”, he never sees the “hello” message from “joe” since joe doesn’t have write access to the “xyz” topic.
I hope this helps.
I am working with mosquitto 1.3.5 and its pretty exciting.
Now configuring ACL to control access to topics,
I am trying to configure it so that per-user access is denied
unless an entry explicitly appears in the ACL. In other words
a default policy to block access.
I am using explcit logins having set up password file.
mosquitto.conf allow_anonymous is false.
Thus any publisher or subscribe client must have an explicit user/pass authorized.
This works fine, now here is the ACL file:
# there are no anonymous client entries in this ACL
# give username joe RW access to topic xyz
# give username sally RW access to topic abc
for any user other than joe and sally the objective is to deny access.
Yet it appears that other usernames, for example bob,
can access topics xyz and abc, unless there is a record for bob in the ACL.
In other words bob has wildcard access to any topic unless bob is blocked
by adding an ACL entry like this:
# block bob from any access
# or an alternative way to block bob
However, as a project scales up the burden of adding ACL records for each user
could be hard to manage.
Am I missing something here? Is there a way to configure a default ACL policy
to grant or block?
Back to the top