Re: [mosquitto-dev] Question regarding acl management and clientid

Hi Dawid,

welcome to the Mosquitto mailing list.

In general you have two different mechanisms in the mosquitto broker to configure access control:
1. The traditional way using a password file and an ACL file
2. The dynamic_security, which will store the users, roles, etc. in its own config file in a JSON format.

For the latter one you need to add the dynamic_security plugin to the broker config. But the dynamic security plugin has the big advantage to allow modifying the configuration anytime without the need of a broker restart.

In both cases the permissions are finally assigned to the username/password combination. If you are using the dynsec plugin with the mosquitto_ctrl don’t get confused with the term “Client”. In the dynsec context this refers to a username/password identifying the user. So normally you may have multiple Mosquitto clients using the same username/password combination to connect to the broker. As long as each of these connections has a different clientid (or user auto generated clientid).
Additionally the dynsec plugin does allow you to pin a username/password combination to a fixed client id. Either by using the -c option in the user creation or later on with a setClientId call. Once a user is pinned to a fixed clientid it should no longer be possible to use these username/password credentials with any other clientid than the pinned one.

If you want to restrict access to your broker to a fixed set of clientids you would need to create a single user for each clientid and pin one user to one clientid.

Best,
Norbert

On 30. Nov 2022, at 16:55, Michael Daeid <mda.forum@xxxxxxxxxxxxx> wrote:

Hi,

this is my first mail in such a mailing list. Apologies for any (formal) mistakes I make.

I'd like to know if it's possible to grant or restrict an mqtt-client the access to the mosquitto broker based on the clientId.

I have played around with the `mosquitto_ctrl` plugin and was able to create clients and roles. I even managed to create a client with a clientId using the -c switch.

Now, I'd like to know if I can set up a client with mosquitto_ctrl with a full access role, whose connection is accepted by only "the right" clientId?

Thanks in Advance,
BR,
Michael Dawid
_______________________________________________
mosquitto-dev mailing list
mosquitto-dev@xxxxxxxxxxx
To unsubscribe from this list, visit https://www.eclipse.org/mailman/listinfo/mosquitto-dev

-- 
Norbert Heußer
Senior Developer | Cedalo GmbH
Tel: +49 173 936 43 63

Cedalo GmbH
The company behind Eclipse Mosquitto and Eclipse Streamsheets

Managing Directors: Philipp Struss, Philip Ackermann, Dr. Stefan Lölkes Register court: Amtsgericht Freiburg, HRB 725414
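
The one-user-per-clientid setup described in the reply above, as an added example that is not part of the original mail or of the Mosquitto project's code. It builds the JSON batch that the dynamic security plugin accepts on its control topic; the role name, topic filter and `user-<clientid>` naming scheme are assumptions chosen for illustration.

```python
import json
import secrets

# Control topic of the dynamic security plugin; an admin client publishes the batch here.
CONTROL_TOPIC = "$CONTROL/dynamic-security/v1"


def build_pinned_clients(client_ids, role="device-full", topic_filter="devices/#"):
    """Build one dynsec user per clientid, each pinned to that clientid.

    Returns (payload, credentials): the JSON command batch and a dict of
    username -> generated password. Role name, topic filter and the
    "user-<clientid>" naming scheme are hypothetical.
    """
    if any(not cid for cid in client_ids):
        raise ValueError("empty clientid cannot be pinned")
    if len(set(client_ids)) != len(client_ids):
        raise ValueError("duplicate clientid: each clientid needs its own user")

    # One shared role; access is granted to the user, the pin restricts the clientid.
    acls = [
        {"acltype": acltype, "topic": topic_filter, "priority": 0, "allow": True}
        for acltype in ("publishClientSend", "publishClientReceive", "subscribePattern")
    ]
    commands = [{"command": "createRole", "rolename": role, "acls": acls}]

    credentials = {}
    for cid in client_ids:
        username = f"user-{cid}"
        password = secrets.token_urlsafe(24)  # unique secret per user
        credentials[username] = password
        commands.append({
            "command": "createClient",
            "username": username,
            "password": password,
            "clientid": cid,  # pins these credentials to exactly this clientid
            "roles": [{"rolename": role, "priority": 0}],
        })
    return json.dumps({"commands": commands}), credentials


if __name__ == "__main__":
    # Constructed sample clientids.
    payload, creds = build_pinned_clients(["sensor-01", "sensor-02"])
    print(CONTROL_TOPIC)
    print(payload)
```

The payload contains the generated passwords in clear text, so publish it over TLS and hand each credential only to the device that owns the matching clientid.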
