Hi Dawid,
welcome to the Mosquitto mailing list.
In general you have two different mechanisms in the mosquitto broker to configure access control:
1. The traditional way, using a password file and an ACL file.
2. The dynamic_security, which will store the users, roles, etc. in its own config file in a JSON format.
For the latter one you need to add the dynamic_security plugin to the broker config. But the dynamic security plugin has the big advantage to allow modifying the configuration anytime without the need of a broker restart.
In both cases the permissions are finally assigned to the username/password combination. If you are using the dynsec plugin with mosquitto_ctrl, don't get confused by the term "Client". In the dynsec context this refers to a username/password identifying the user. So normally you may have multiple mosquitto clients using the same username/password combination to connect to the broker, as long as each of these connections has a different clientid (or uses an auto-generated clientid). Additionally, the dynsec plugin does allow you to pin a username/password combination to a fixed client id, either by using the -c option in the user creation or later on with a setClientId call. Once a user is pinned to a fixed clientid it should no longer be possible to use these username/password credentials with any other clientid than the pinned one.
If you want to restrict access to your broker to a fixed set of clientids you would need to create a single user for each clientid and pin one user to one clientid.
Best, Norbert
Hi,
this is my first mail in such a mailing list. Apologies for any (formal) mistakes I make.
I'd like to know if it's possible to grant or restrict an mqtt-client the access to the mosquitto broker based on the clientId.
I have played around with the `mosquitto_ctrl` plugin and was able to create clients and roles. I even managed to create a client with a clientId using the -c switch.
Now, I'd like to know if I can set up a client with mosquitto_ctrl with a full access role, whose connection is accepted by only "the right" clientId?
Thanks in Advance, BR, Michael Dawid
-- Senior Developer | Cedalo GmbH
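The one-user-per-clientid setup described in the reply above, as an added example that is not part of either e-mail: a script that turns a list of username/clientid pairs into the `mosquitto_ctrl dynsec` calls that create each user pinned to its client id, and refuses lists where a username or client id repeats. The function names, the pairs file and the role name are hypothetical; the role is assumed to exist already.

```shell
#!/bin/sh
# Added example (not from the thread): one dynsec user per client id.
# PAIRS file format, one "username clientid" per line, '#' for comments.
# Assumed: the role already exists, and mosquitto_ctrl finds its
# connection options (host, admin user) in its own options file.

# DRY_RUN=1 (default) prints each command; DRY_RUN=0 executes it.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "mosquitto_ctrl dynsec $*"
    else
        mosquitto_ctrl dynsec "$@"
    fi
}

# Fail unless every line has two fields and no username or client id
# repeats: the restriction relies on exactly one user per client id.
check_pairs() {
    awk 'NF == 0 || $1 ~ /^#/ { next }
         NF != 2 || seen_user[$1]++ || seen_cid[$2]++ { bad = 1 }
         END { exit bad + 0 }' "$1"
}

# provision_pinned ROLE PAIRS_FILE
provision_pinned() {
    role=$1 file=$2
    check_pairs "$file" || { echo "bad or duplicate entry in $file" >&2; return 1; }
    # Read pairs on fd 3 so stdin stays free for the password prompt.
    while read -r user cid <&3; do
        case $user in ''|'#'*) continue ;; esac
        # No -p here, so mosquitto_ctrl asks for the password itself
        # and it never appears in the process list or shell history.
        run createClient "$user" -c "$cid" || return 1
        run addClientRole "$user" "$role" || return 1
    done 3<"$file"
}

# Stand-alone use: sh script.sh ROLE PAIRS_FILE
if [ $# -eq 2 ]; then
    provision_pinned "$1" "$2"
fi
```

For a user that already exists, the `setClientId` call mentioned in the reply takes the place of `createClient ... -c`.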