[mosquitto-dev] RFC: Dynamic security control

Dear all,

I'm currently working on the design of a new way of handling user
management, authentication, and access control in Mosquitto, and would
like to solicit your comments for any additions/changes.

The aim is to make it straightforward to control users and access when
the broker is running, without needing a separate plugin or needing to
directly modify password/acl files. I intend to carry on this approach
for controlling general broker preferences, bridges, and listeners in
the future. I think this security part is the priority though.

I've put the current description up at the first link below. By
preference if you have a specific comment on an addition or change
please add it to the issue.

In conjunction with this, I intend to change the default behaviour for
Mosquitto so that it is more secure by default, by requiring anonymous
access to be configured explicitly (with the intention that the broker
admin thinks to configure authentication). Running without a
configuration file would allow anonymous access, but bind to the
loopback interface to allow easy local testing. There is an issue to
track comments below as well, I would be interested to hear any
thoughts.

https://github.com/eclipse/mosquitto/issues/1779 - security control
https://github.com/eclipse/mosquitto/issues/1780 - default behaviour change

Regards,

Roger
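As an added example (not from Roger's post or from the Mosquitto project), the following mosquitto.conf fragment shows what the explicit anonymous-access configuration described above looks like in existing Mosquitto directives, with the permissive historical default shown as comments beside a hardened form. The password-file path and the listener ports are assumptions; `per_listener_settings`, `listener`, `allow_anonymous` and `password_file` are real directives.

```conf
# Added example, not part of the post or the Mosquitto project.
# Intent of issue 1780 expressed with today's directives: anonymous
# access is a stated choice, and the test listener is loopback-only.
# The password-file path and the ports below are assumed.

# Make allow_anonymous / password_file apply per listener instead of
# globally; must precede the listener lines.
per_listener_settings true

# Before: the historical implicit default, equivalent to
#   listener 1883
#   allow_anonymous true
# i.e. anonymous clients accepted on every interface.

# After: authentication is deliberate. Deny anonymous clients on the
# externally reachable listener and require credentials from a file
# created with: mosquitto_passwd -c /etc/mosquitto/passwd alice
listener 1883 0.0.0.0
allow_anonymous false
password_file /etc/mosquitto/passwd

# Local testing only: bound to loopback, so anonymous access here is
# an explicit, host-local decision rather than a default.
listener 1884 127.0.0.1
allow_anonymous true
```

Check the result with `mosquitto -c mosquitto.conf` and a client such as `mosquitto_sub -h 127.0.0.1 -p 1883 -t test`, which should be refused until `-u`/`-P` credentials from the password file are supplied, while the same subscribe on port 1884 succeeds without them.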

