[mosquitto-dev] How do I have an admin user with ACLs?

I am using TLS client certificate authentication. I want unprivileged users to be able to read and write to topics whose root topic node is the serial number of the sending device. (For example, 42ce74c4/checkin_time.) And I need to have one privileged username/certificate which can read and write to any topic. I have require_certificate true, use_identity_as_username true, and allow_anonymous false. 

I have the following pattern, which works fine by itself:
readwrite %u/#

I tried adding the following settings, both above and below that pattern:
user mqtt01.example.com
topic readwrite #

Where mqtt01.example.com is the FQDN I typed in the CN when registering the server certificate. 

When I do that, the client certificate authentication totally fails. It keeps trying to connect, and in the logs:
Socket error on client <unknown>, disconnecting 

If I remove the user and topic entries it works. I can read and write to only my user’s topic. Nothing else. But I don’t have the ability to use an admin username/certificate which can read/write all topics. Help?

Configuration and tests below. 



/etc/mosquitto/conf.d/acls.conf:
acl_file /etc/mosquitto/acls.txt


/etc/mosquitto/acls.txt:
pattern readwrite %u/#
user mqtt01.example.com
topic readwrite #


/etc/mosquitto/conf.d/tls.conf:
cafile /etc/mosquitto/ca_certificates/ca.crt
keyfile /etc/mosquitto/certs/server.key
certfile /etc/mosquitto/certs/server.crt
tls_version tlsv1.2
port 8883
require_certificate true
use_identity_as_username true


/etc/mosquitto/mosquitto.conf:
pid_file /var/run/mosquitto.pid
persistence true
persistence_location /var/lib/mosquitto/
allow_anonymous false
include_dir /etc/mosquitto/conf.d



Here's a test using only 'pattern readwrite %u/#' in acls.txt:
root@web01:/root/certs# mosquitto_sub --host mqtt01.example.com --port 8883 --topic "42ce74c4/test" --cafile /root/certs/ca.crt --cert /root/certs/42ce74c4.crt --debug --key /root/certs/42ce74c4.key --qos 1 --verbose
Client mosqsub|27727-web01 sending CONNECT
Client mosqsub|27727-web01 received CONNACK
Client mosqsub|27727-web01 sending SUBSCRIBE (Mid: 1, Topic: 42ce74c4/test, QoS: 1)
Client mosqsub|27727-web01 received SUBACK
Subscribed (mid: 1): 1
Client mosqsub|27727-web01 received PUBLISH (d0, q1, r0, m1, '42ce74c4/test', ... (13 bytes))
Client mosqsub|27727-web01 sending PUBACK (Mid: 1)
42ce74c4/test Testing 1 2 3
^C

I ran this on a second console to receive the "Testing 1 2 3" string above:
root@web01:~# mosquitto_pub --host mqtt01.example.com --port 8883 --topic "42ce74c4/test" --cafile /root/certs/ca.crt --cert /root/certs/42ce74c4.crt --debug --key /root/certs/42ce74c4.key --qos 1 --message "Testing 1 2 3"
Client mosqpub|27728-web01 sending CONNECT
Client mosqpub|27728-web01 received CONNACK
Client mosqpub|27728-web01 sending PUBLISH (d0, q1, r0, m1, '42ce74c4/test', ... (13 bytes))
Client mosqpub|27728-web01 received PUBACK (Mid: 1)
Client mosqpub|27728-web01 sending DISCONNECT
root@web01:~# 

So it works great.


Here, I added the user and topic settings to /etc/mosquitto/acls.txt and restarted the daemon:
root@web01:/root/certs# mosquitto_sub --host mqtt01.example.com --port 8883 --topic "42ce74c4/test" --cafile /root/certs/ca.crt --cert /root/certs/42ce74c4.crt --debug --key /root/certs/42ce74c4.key --qos 1 --verbose
Client mosqsub|27931-web01 sending CONNECT
Client mosqsub|27931-web01 sending CONNECT
Client mosqsub|27931-web01 sending CONNECT
^C
root@web01:/root/certs# 

So it's failing. In the logs:
Feb 15 19:35:26 web01 mosquitto[27929]: mosquitto version 1.4.15 (build date Wed, 13 Feb 2019 00:27:01 +0000) starting
Feb 15 19:35:26 web01 mosquitto[27929]: Config loaded from /etc/mosquitto/mosquitto.conf.
Feb 15 19:35:26 web01 mosquitto[27929]: Opening ipv4 listen socket on port 8883.
Feb 15 19:35:26 web01 mosquitto[27929]: Opening ipv6 listen socket on port 8883.
Feb 15 19:35:28 web01 mosquitto[27929]: New connection from 127.0.0.1 on port 8883.
Feb 15 19:35:28 web01 mosquitto[27929]: Socket error on client <unknown>, disconnecting.
Feb 15 19:35:29 web01 mosquitto[27929]: New connection from 127.0.0.1 on port 8883.
Feb 15 19:35:29 web01 mosquitto[27929]: Socket error on client <unknown>, disconnecting.
Feb 15 19:35:30 web01 mosquitto[27929]: New connection from 127.0.0.1 on port 8883.
Feb 15 19:35:30 web01 mosquitto[27929]: Socket error on client <unknown>, disconnecting.
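
The post above relies on three ACL file behaviours documented in mosquitto.conf(5): `topic` lines before any `user` line apply to anonymous clients only, `topic` lines after `user <name>` apply to that username (here the certificate CN, because `use_identity_as_username` is true), and `pattern` lines apply to every client with `%u`/`%c` substituted. The evaluator below is an added illustration, not the poster's configuration or the Mosquitto broker's own code: it parses an ACL file in that format and answers "may this client read or write this topic?", so the intended policy can be checked offline before it is loaded. The ACL text and the usernames and client ids in `demo()` are constructed to mirror the post. Two details are the example's own modelling choices: a `%u`/`%c` level is compared literally (a username such as `+` cannot act as a wildcard), and, as for MQTT subscriptions, a filter beginning with `+` or `#` does not match `$SYS/...` topics. ACLs are only consulted for PUBLISH and SUBSCRIBE after a successful CONNECT, so this checks the policy, not the connection failure shown in the logs.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

ACCESS_WORDS = {"read": {"read"}, "write": {"write"}, "readwrite": {"read", "write"}}


@dataclass
class Rule:
    access: set   # subset of {"read", "write"}
    topic: str    # topic filter; may contain + and #, and %u/%c in pattern lines


@dataclass
class Acl:
    anonymous: List[Rule] = field(default_factory=list)   # topic lines before any user line
    users: Dict[str, List[Rule]] = field(default_factory=dict)
    patterns: List[Rule] = field(default_factory=list)    # pattern lines, every client


def parse_acl(text: str) -> Acl:
    """Parse acl_file text (modelled on mosquitto.conf(5)); ValueError on a bad line."""
    acl = Acl()
    current: Optional[str] = None   # None = anonymous section
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # blank line or comment
            continue
        parts = line.split(None, 2)
        keyword = parts[0]
        if keyword == "user":
            if len(parts) != 2:
                raise ValueError(f"line {lineno}: expected 'user <username>'")
            current = parts[1]
            acl.users.setdefault(current, [])
        elif keyword in ("topic", "pattern"):
            if len(parts) == 3 and parts[1] in ACCESS_WORDS:
                access, topic = ACCESS_WORDS[parts[1]], parts[2]
            elif len(parts) == 2:               # no access word means readwrite
                access, topic = ACCESS_WORDS["readwrite"], parts[1]
            else:
                raise ValueError(f"line {lineno}: malformed {keyword} line")
            rule = Rule(set(access), topic)
            if keyword == "pattern":
                acl.patterns.append(rule)
            elif current is None:
                acl.anonymous.append(rule)
            else:
                acl.users[current].append(rule)
        else:
            raise ValueError(f"line {lineno}: unknown keyword {keyword!r}")
    return acl


def _matches(filter_: str, topic: str, username: Optional[str],
             client_id: Optional[str], substitute: bool) -> bool:
    """MQTT filter match: '+' is one level, '#' the rest. With substitute=True a
    level that is exactly %u or %c must equal the username / client id literally."""
    f_levels, t_levels = filter_.split("/"), topic.split("/")
    if f_levels[0] in ("+", "#") and t_levels[0].startswith("$"):
        return False                    # wildcards never cover $SYS-style topics
    for i, f in enumerate(f_levels):
        if f == "#":
            return True                 # this level and everything below it
        if i >= len(t_levels):
            return False
        t = t_levels[i]
        if f == "+":
            continue
        if substitute and f == "%u":
            if username is None or t != username:
                return False
            continue
        if substitute and f == "%c":
            if client_id is None or t != client_id:
                return False
            continue
        if f != t:
            return False
    return len(f_levels) == len(t_levels)


def check_access(acl: Acl, username: Optional[str], client_id: Optional[str],
                 topic: str, access: str) -> bool:
    """True if the client may perform access ('read' or 'write') on topic; deny by default."""
    rules = acl.anonymous if username is None else acl.users.get(username, [])
    for rule in rules:
        if access in rule.access and _matches(rule.topic, topic, username, client_id, False):
            return True
    for rule in acl.patterns:
        if access in rule.access and _matches(rule.topic, topic, username, client_id, True):
            return True
    return False


# Constructed ACL text mirroring the layout in the post (not the poster's actual file).
SAMPLE_ACL = """\
pattern readwrite %u/#
user mqtt01.example.com
topic readwrite #
"""


def demo() -> Dict[str, bool]:
    """Evaluate a few access decisions against SAMPLE_ACL; keys are labels, values allow/deny."""
    acl = parse_acl(SAMPLE_ACL)
    dev, admin = "42ce74c4", "mqtt01.example.com"     # device serial CN, admin CN
    return {
        "device reads own topic": check_access(acl, dev, "mosqsub|1-web01", "42ce74c4/test", "read"),
        "device writes other device": check_access(acl, dev, "mosqpub|2-web01", "9f1b0a77/test", "write"),
        "admin writes any topic": check_access(acl, admin, "admin-1", "9f1b0a77/test", "write"),
        "admin reads $SYS": check_access(acl, admin, "admin-1", "$SYS/broker/uptime", "read"),
        "anonymous reads": check_access(acl, None, "anon-1", "42ce74c4/test", "read"),
        "wildcard username": check_access(acl, "+", "x", "42ce74c4/test", "read"),
    }


if __name__ == "__main__":
    for label, allowed in demo().items():
        print(f"{label}: {'allow' if allowed else 'deny'}")
```

Because `#` does not cover `$SYS/...` in this model (or in MQTT subscriptions), an admin that should see broker statistics needs an explicit `topic read $SYS/#` line in addition to `topic readwrite #`; the evaluator makes that visible before the file is deployed.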
