Re: [mosquitto-dev] Question regarding acl management and clientid

Hi Norbert,

Thanks for your reply. I understand that I can pin the clientId to a specific username/password combo. My question is: can I use only the clientId to authenticate a client towards the broker?

We are currently trying to set up a FROST-Server with mosquitto. This server uses the mosquitto broker in the background as a "message bus" to inform all clients that new items (observations etc.) are available.
We would like to open the mqtt broker to the public, but we'd like to restrict it so that not all topics are openly available. Now, the FROST-Server does not seem to have any configuration implemented that allows setting a username/password for authenticating towards the mqtt broker. It requires the broker to accept anonymous connections. I'm currently analysing the source code to see if a configurable clientId could be implemented.
I saw that the mosquitto broker has the clientid_prefixes option. This can work for now, but the comments stated that this option is deprecated. Furthermore, when making the broker public, you would only have to guess the clientId prefix to get full access.

I have also seen that there is the per_listener_settings option. Could I use that to have the broker listen on port 1883 for anonymous access, and on another port that uses the dynsec option?

Any thoughts on that?

Thanks and BR,
Michael

On 30 November 2022 at 18:20, "Norbert Heußer" <norbert.heusser@xxxxxxxxxx> wrote:

Hi Dawid,
welcome to the Mosquitto mailing list.
In general you have two different mechanisms in the mosquitto broker to configure access control:
1. The traditional way using a password file and an ACL file
2. The dynamic_security, which will store the users, roles, etc. in its own config file in JSON format.
For the latter you need to add the dynamic_security plugin to the broker config. But the dynamic security plugin has the big advantage of allowing the configuration to be modified at any time without the need for a broker restart.
In both cases the permissions are finally assigned to the username/password combination. If you are using the dynsec plugin with mosquitto_ctrl, don't get confused by the term "Client". In the dynsec context this refers to a username/password identifying the user. So normally you may have multiple mosquitto clients using the same username/password combination to connect to the broker, as long as each of these connections has a different clientid (or uses an auto-generated clientid).
Additionally, the dynsec plugin does allow you to pin a username/password combination to a fixed client id, either by using the -c option in the user creation or later on with a setClientId call. Once a user is pinned to a fixed clientid it should no longer be possible to use these username/password credentials with any other clientid than the pinned one.
If you want to restrict access to your broker to a fixed set of clientids you would need to create a single user for each clientid and pin one user to one clientid.
Best,
Norbert
On 30. Nov 2022, at 16:55, Michael Daeid <mda.forum@xxxxxxxxxxxxx> wrote:
Hi,

This is my first mail in such a mailing list. Apologies for any (formal) mistakes I make.

I'd like to know if it's possible to grant or restrict an mqtt-client's access to the mosquitto broker based on the clientId.

I have played around with the `mosquitto_ctrl` plugin and was able to create clients and roles. I even managed to create a client with a clientId using the -c switch.

Now, I'd like to know if I can set up a client with mosquitto_ctrl with a full access role, whose connection is accepted only with "the right" clientId?

Thanks in Advance,
BR,
Michael Dawid
--
Norbert Heußer
Senior Developer | Cedalo GmbH
Tel: +49 173 936 43 63
Cedalo GmbH
The company behind Eclipse Mosquitto and Eclipse Streamsheets

Managing directors: Philipp Struss, Philip Ackermann, Dr. Stefan Lölkes. Register court: Amtsgericht Freiburg, HRB 725414

---------------------------------------------------------------------------------------------
This e-mail contains confidential and/or legally protected information. If you are not the intended recipient or have received this e-mail in error, please inform the sender immediately and destroy this mail. Unauthorised copying and unauthorised forwarding of this mail are not permitted.


--
Mobile: 0176 201 289 18
E-Mail: Michael@xxxxxxxxxxxxx
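The clientid pinning Norbert describes above, as an added example that is not part of this thread or of the Mosquitto project: a POSIX shell script that drives `mosquitto_ctrl dynsec` to create a role limited to one topic tree, create a user whose password is only accepted together with one clientid (the `-c` option), and re-pin an existing user with `setClientId`. Broker host, admin credentials, role name, username, clientid and topic filter are assumed values; setting MOSQUITTO_CTRL=echo prints the commands instead of sending them to a broker.

```shell
#!/bin/sh
# Added example (not from the thread): one dynsec user pinned to one clientid.
# Assumed values: broker on localhost, dynsec admin "admin" (as created by
# "mosquitto_ctrl dynsec init"), role "frost-reader", user "sensor-01" pinned
# to clientid "sensor-01-dev", topic filter "v1.1/#".
MOSQUITTO_CTRL="${MOSQUITTO_CTRL:-mosquitto_ctrl}"   # set to "echo" for a dry run
BROKER_HOST="${BROKER_HOST:-localhost}"
ADMIN_USER="${ADMIN_USER:-admin}"
ADMIN_PASS="${ADMIN_PASS:-}"

# Every call goes through the dynsec admin account on the broker.
ctrl() {
    "$MOSQUITTO_CTRL" -h "$BROKER_HOST" -u "$ADMIN_USER" -P "$ADMIN_PASS" dynsec "$@"
}

# A role that may only subscribe to, and receive messages from, one topic tree;
# everything not allowed here stays denied for users carrying this role.
create_reader_role() {
    role="$1"; topic_filter="$2"
    ctrl createRole "$role"
    ctrl addRoleACL "$role" subscribePattern "$topic_filter" allow 1
    ctrl addRoleACL "$role" publishClientReceive "$topic_filter" allow 1
}

# Create the user with its clientid fixed at creation time (-c), then attach
# the role. The credentials are rejected with any other clientid.
create_pinned_user() {
    user="$1"; password="$2"; clientid="$3"; role="$4"
    ctrl createClient "$user" -c "$clientid" -p "$password"
    ctrl addClientRole "$user" "$role"
}

# Pin (or re-pin) a user that already exists.
pin_existing_user() {
    ctrl setClientId "$1" "$2"
}

if [ "${1:-}" = "apply" ]; then
    create_reader_role frost-reader 'v1.1/#'
    create_pinned_user sensor-01 "${SENSOR_PASS:?set SENSOR_PASS}" sensor-01-dev frost-reader
fi
```

Run it as `./pin-client.sh apply` with ADMIN_PASS and SENSOR_PASS in the environment; without the `apply` argument it only defines the functions.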
