Re: [mosquitto-dev] ACL default policy deny/grant access

Hi Bradley, thanks for the feedback. 

I edited my ACL, retested and got the expected results that
denies access to a user unless there is a record in the ACL list.

(when allow_anonymous is false):

If a user record does not exist in ACL access is denied.
If a user record exists, but the topic doesn't match, access is denied.
If a user record and topic exist and match, access is granted.


What happens if access is denied?
It logs 'Denied PUBLISH' if a publish is unauthorized,
and silently doesn't send to an unauthorized subscriber.


Cheers,
Steve





Date: Tue, 17 Feb 2015 21:24:55 +0000
From: "Bradley, Dwayne" <Dwayne.Bradley@xxxxxxxxxxxxxxx>
To: General development discussions for the mosquitto project
<mosquitto-dev@xxxxxxxxxxx>
Subject: Re: [mosquitto-dev] ACL default policy deny/grant access
Message-ID:
<93BF11AF89B7984B9729A6E456339572703CB1A4@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>


Steve,

When "allow_anonymous" is set to false, the default is to deny access to topics. Well, maybe "deny access" isn't the correct wording; it is really more like "deny message delivery" from what I have seen. The "mosquitto_sub" and "mosquitto_pub" programs will still allow "bob" to subscribe and post messages to those topics but the messages would just never actually be delivered. I think that what you have in your email below for the ACL file is missing the "user" portion at the beginning of the line. It should look like this:

user joe
topic xyz

user sally
topic abc

I recreated this example on my laptop using the following files in the /etc/mosquitto/conf.d/ folder:

test.conf
==================================
allow_anonymous false
password_file /etc/mosquitto/conf.d/test.users
acl_file /etc/mosquitto/conf.d/test.acl
==================================

test.users (entries added through the mosquitto_passwd program)
==================================
joe:$6$gx0/JFD2cZTLFEDX$cDp6VPOZpV9Vg5EHUnbWebHsDJACyMqidb+IttNRcqIkicXFzYUrrZTARdoe7aZxmwfX0yDSLAzs33T4d5zlFw==
sally:$6$X0yEqpZt0n5ToQm/$QlcguGRJo8SFjV9jiCikvyf7VEu5jTmDIz3GvpwcE8H1gO0Sb05L5kfZW7WlyHSjsdOLJ9p9c5YbE+mx/pC8kQ==
bob:$6$2K0mPgQ9To8XeAua$LsPuFDwt3kHiBMlML3UYj/BslCzkd6z50kpcJxgK15TVujQyp7WBUOMCvezmGlvf5KWUCyEkJ5UJ7cnmhPFsKw==
==================================

test.acl
==================================
user joe
topic xyz

user sally
topic abc
==================================

After restarting the mosquitto broker with "sudo services mosquitto restart", I then ran the following command in one terminal window:

mosquitto_sub -h localhost -p 1883 -v -t xyz -u joe -P <my_password>

Then, in another terminal window, I ran this command:

mosquitto_pub -h localhost -p 1883 -t xyz -u bob -P <my_password> -m hello

In the terminal window for "joe", he never sees the "hello" message from "bob" since bob doesn't have write access to the "xyz" topic.



I then did the reverse of this scenario. In the terminal window for "bob", I ran this command:

mosquitto_sub -h localhost -p 1883 -v -t xyz -u bob -P <my_password>

Then in the terminal window for "joe", I ran this command:

mosquitto_pub -h localhost -p 1883 -t xyz -u joe -P <my_password> -m hello

In the terminal window for "bob", he never sees the "hello" message from "joe" since bob doesn't have read access to the "xyz" topic.


I hope this helps.

Thanks,
Dwayne


From: mosquitto-dev-bounces@xxxxxxxxxxx [mailto:mosquitto-dev-bounces@xxxxxxxxxxx] On Behalf Of info@xxxxxxxxxxxxxxxx
Sent: Monday, February 16, 2015 9:41 PM
To: mosquitto-dev@xxxxxxxxxxx
Subject: [mosquitto-dev] ACL default policy deny/grant access





Hi,

I am working with mosquitto 1.3.5 and it's pretty exciting.
Now configuring ACL to control access to topics,
I am trying to configure it so that per-user access is denied
unless an entry explicitly appears in the ACL. In other words,
a default policy to block access.

I am using explicit logins, having set up a password file.
mosquitto.conf allow_anonymous is false.
Thus any publisher or subscriber client must have an explicit user/pass authorized.

This works fine, now here is the ACL file:

# there are no anonymous client entries in this ACL

# give username joe RW access to topic xyz
joe
topic xyz

# give username sally RW access to topic abc
sally
topic abc


For any user other than joe and sally the objective is to deny access.
Yet it appears that other usernames, for example bob,
can access topics xyz and abc, unless there is a record for bob in the ACL.
In other words, bob has wildcard access to any topic unless bob is blocked
by adding an ACL entry like this:

# block bob from any access
bob

# or an alternative way to block bob
bob
null


However, as a project scales up the burden of adding ACL records for each user
could be hard to manage.

Am I missing something here? Is there a way to configure a default ACL policy
to grant or block?

Cheers,
Steve


