Re: [mosquitto-dev] Question regarding acl management and clientid

If you are looking at the code for the FROST-Server, patch it to provide a username/password; it's going to be only one or two lines more than adding a configured client id.

On 01/12/2022 08:34, Michael Dawid wrote:
Hi Norbert,

thanks for your reply. I understand that I can pin the clientId to a specific username/password combo. My question is, can I use only the clientId to authenticate a client towards the broker?

We are currently trying to set up a FROST-Server <https://github.com/FraunhoferIOSB/FROST-Server> with mosquitto. This server uses the mosquitto broker in the background as a "message bus" to inform all clients that new items (observations etc.) are available. We would like to open the mqtt broker to the public, but we'd like to restrict it so that not all topics are openly available. Now, the FROST-Server seems not to have any configuration implemented that allows setting a username/password for authenticating towards the mqtt broker. It requires the broker to accept anonymous connections. I'm currently analysing the source code to see if a configurable clientId could be implemented. I saw that the mosquitto broker has the option to use clientid_prefixes. This can work for now, but the comments stated that this option is deprecated. Furthermore, when making the broker public, you would only have to guess the clientId prefix and get full access.

I have also seen that there is the per_listener_settings option. Could I use that to have the broker listen on port 1883 for anonymous access, and on any other port that uses the dynsec option?

Any thoughts on that?

Thanks and BR;
Michael

30 November 2022 18:20, "Norbert Heußer" <norbert.heusser@xxxxxxxxxx> wrote:

    Hi Dawid,
    welcome to the Mosquitto mailing list.
    In general you have two different mechanisms in the mosquitto broker
    to configure access control:
    1. The traditional way using a password file and an ACL file
    2. The dynamic_security, which will store the users, roles, etc. in
    its own config file in JSON format.
    For the latter one you need to add the dynamic_security plugin to the
    broker config. But the dynamic security plugin has the big advantage
    of allowing you to modify the configuration at any time without the
    need of a broker restart.
    In both cases the permissions are finally assigned to the
    username/password combination. If you are using the dynsec
    plugin with mosquitto_ctrl, don't get confused by the term
    "Client". In the dynsec context this refers to a username/password
    identifying the user. So normally you may have multiple mosquitto
    clients using the same username/password combination to connect to
    the broker, as long as each of these connections has a different
    clientid (or uses an auto-generated clientid).
    Additionally the dynsec plugin does allow you to pin a
    username/password combination to a fixed client id, either by using
    the -c option in the user creation or later on with a setClientId
    call. Once a user is pinned to a fixed clientid it should no longer
    be possible to use these username/password credentials with any other
    clientid than the pinned one.
    If you want to restrict access to your broker to a fixed set of
    clientids you would need to create a single user for each clientid
    and pin one user to one clientid.
    Best,
    Norbert
    On 30. Nov 2022, at 16:55, Michael Daeid <mda.forum@xxxxxxxxxxxxx> wrote:
    Hi,

    this is my first mail on such a mailing list. Apologies for any
    (formal) mistakes I make.

    I'd like to know if it's possible to grant or restrict an
    mqtt-client's access to the mosquitto broker based on the clientId.

    I have played around with the `mosquitto_ctrl` plugin and was able
    to create clients and roles. I even managed to create a client
    with a clientId using the -c switch.

    Now, I'd like to know if I can set up a client with mosquitto_ctrl
    with a full access role, whose connection is accepted only with "the
    right" clientId?

    Thanks in Advance,
    BR,
    Michael Dawid
    _______________________________________________
    mosquitto-dev mailing list
    mosquitto-dev@xxxxxxxxxxx <mailto:mosquitto-dev@xxxxxxxxxxx>
    To unsubscribe from this list, visit
    https://www.eclipse.org/mailman/listinfo/mosquitto-dev
    --
    *Norbert Heußer*
    Senior Developer | Cedalo GmbH
    Email: norbert.heusser@xxxxxxxxxx
    Tel: +49 173 936 43 63
    Cedalo GmbH
    The company behind Eclipse Mosquitto and Eclipse Streamsheets
    https://cedalo.com/

    Geschäftsführer: Philipp Struss, Philip Ackermann, Dr. Stefan Lölkes
    Registergericht: Amtsgericht Freiburg, HRB 725414

    ---------------------------------------------------------------------------------------------
    This e-mail contains confidential and/or legally protected
    information. If you are not the intended recipient or have received
    this e-mail in error, please inform the sender immediately and
    destroy this e-mail. Unauthorised copying or forwarding of this
    e-mail is not permitted.



--
Mobile: 0176 201 289 18
E-Mail: Michael@xxxxxxxxxxxxx




--
https://www.hardill.me.uk/wordpress
https://github.com/hardillb
https://about.me/hardillb
https://flickr.com/photos/hardillb/
https://keybase.io/hardillb
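The listener split Michael asks about, written out as an added example configuration; it is not from the thread or from the Mosquitto or FROST-Server projects, and the ports, bind addresses, file paths and the `v1.1/` topic prefix are assumptions. The point it encodes is that a client id is not a credential: the client chooses it and sends it in the CONNECT packet, so any listener that accepts anonymous connections accepts any client id, and dynsec pinning only restricts a username/password to one client id, never the reverse. The unauthenticated path FROST-Server needs is therefore confined by where the broker listens (loopback) and by a read-only ACL on the public listener, while writers from outside get credentials on a third listener:

```conf
# Added example mosquitto.conf (not from the thread or either project).
# Assumptions: FROST-Server runs on the same host as the broker, the broker
# is Mosquitto 2.x, and FROST publishes under the v1.1/ topic prefix.
per_listener_settings true

# Listener 1: loopback only, anonymous. This is the one FROST-Server uses,
# since it cannot present a username/password. Nothing outside the host
# can reach it, so "anonymous" here means "local process".
listener 1883 127.0.0.1
allow_anonymous true
acl_file /etc/mosquitto/local.acl

# Listener 2: public, anonymous, read-only through its ACL file. Any
# client id is accepted here, which is why it may only read.
listener 1884 0.0.0.0
allow_anonymous true
acl_file /etc/mosquitto/public.acl

# Listener 3: public, TLS, credentials only (password file + ACL, the
# "traditional" mechanism from the thread). Each writer gets its own user.
listener 8883 0.0.0.0
allow_anonymous false
cafile   /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/broker.crt
keyfile  /etc/mosquitto/certs/broker.key
password_file /etc/mosquitto/passwd
acl_file /etc/mosquitto/auth.acl
# If the Dynamic Security plugin is preferred on this listener, it is
# added with "plugin" and "plugin_opt_config_file" instead of the two
# lines above; whether the plugin can be scoped to a single listener
# depends on the broker version, so check the mosquitto.conf manual
# for the version in use before relying on it.
```

`local.acl` holds `topic readwrite v1.1/#` and `public.acl` holds `topic read v1.1/#` (topic lines before any `user` entry in an ACL file apply to anonymous clients), while `auth.acl` holds a `user <name>` line followed by `topic readwrite v1.1/#` for each account created with `mosquitto_passwd`. With `per_listener_settings true`, `allow_anonymous` has to be stated on every listener, since the default is false.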
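Norbert's rule that restricting access to a fixed set of client ids means one user per client id, each pinned, is worth checking mechanically after provisioning rather than by eye. The script below is an added example, not Mosquitto project code: it reads a dynamic-security.json and reports writers that are not pinned, a client id pinned to more than one user, and an anonymous group or default ACL that allows publishing. The JSON layout it assumes is stated in the docstring. A matching provisioning sequence with the real `mosquitto_ctrl dynsec` subcommands would be `createRole frost-writer`, `addRoleACL frost-writer publishClientSend v1.1/# allow 1`, `createClient frost-server -c frost-server-1` and `addClientRole frost-server frost-writer`, where the role, user and client-id names are the example's own.

```python
"""Audit a Mosquitto dynamic-security.json for the two invariants from the
thread above: every client allowed to publish is pinned to its own client
id, and the anonymous group (if one is set) cannot publish.

Added example, not code from the Mosquitto or FROST-Server projects.
Assumed file layout (as written by `mosquitto_ctrl dynsec init`): top-level
"clients", "groups", "roles", "anonymousGroup" and "defaultACLAccess";
role ACL entries carry "acltype", "topic", "allow". Group membership is
looked up both on the group ("clients") and on the client ("groups"),
because where it is stored is an assumption here, not something the thread
confirms."""
import json
import sys

# ACL type that lets a client publish. publishClientReceive, subscribe*
# and unsubscribe* are read-side and do not make a client a writer.
WRITE_ACL_TYPES = {"publishClientSend"}


def writable_roles(cfg):
    """Map rolename -> True when the role has any allowing publish ACL."""
    return {
        role["rolename"]: any(
            acl.get("allow") and acl.get("acltype") in WRITE_ACL_TYPES
            for acl in role.get("acls", [])
        )
        for role in cfg.get("roles", [])
    }


def group_roles(cfg, groupname):
    """Role names attached to a group; empty if the group does not exist."""
    for group in cfg.get("groups", []):
        if group.get("groupname") == groupname:
            return {r["rolename"] for r in group.get("roles", [])}
    return set()


def effective_roles(cfg, client):
    """Roles on the client itself plus roles inherited through its groups."""
    roles = {r["rolename"] for r in client.get("roles", [])}
    for g in client.get("groups", []):
        roles |= group_roles(cfg, g["groupname"])
    for group in cfg.get("groups", []):
        members = {c.get("username") for c in group.get("clients", [])}
        if client.get("username") in members:
            roles |= group_roles(cfg, group["groupname"])
    return roles


def audit(cfg):
    """Return a list of findings; an empty list means the invariants hold."""
    findings = []
    writable = writable_roles(cfg)
    pinned = {}  # clientid -> username, to catch two users sharing one id

    if cfg.get("defaultACLAccess", {}).get("publishClientSend"):
        findings.append("defaultACLAccess allows publishClientSend for everyone")

    for client in cfg.get("clients", []):
        user = client["username"]
        can_write = any(writable.get(r, False) for r in effective_roles(cfg, client))
        cid = client.get("clientid")
        if can_write and not cid:
            findings.append(f"{user}: can publish but is not pinned to a client id")
        if cid:
            if cid in pinned:
                findings.append(f"{user}: client id {cid!r} is already pinned to {pinned[cid]}")
            pinned[cid] = user

    anon = cfg.get("anonymousGroup")
    if anon and any(writable.get(r, False) for r in group_roles(cfg, anon)):
        findings.append(f"anonymous group {anon!r} can publish")
    return findings


# Constructed sample, not a real deployment: one pinned writer, one writer
# without a pinned client id (the finding), one pinned reader, and a
# read-only anonymous group. Password fields are omitted; audit() ignores them.
SAMPLE = {
    "clients": [
        {"username": "frost-server", "clientid": "frost-server-1",
         "roles": [{"rolename": "frost-writer"}]},
        {"username": "dashboard", "roles": [{"rolename": "frost-writer"}]},
        {"username": "reader", "clientid": "reader-1",
         "roles": [{"rolename": "frost-reader"}]},
    ],
    "groups": [
        {"groupname": "public", "roles": [{"rolename": "frost-reader"}], "clients": []},
    ],
    "roles": [
        {"rolename": "frost-writer", "acls": [
            {"acltype": "publishClientSend", "topic": "v1.1/#", "priority": 0, "allow": True},
            {"acltype": "subscribePattern", "topic": "v1.1/#", "priority": 0, "allow": True},
        ]},
        {"rolename": "frost-reader", "acls": [
            {"acltype": "subscribePattern", "topic": "v1.1/#", "priority": 0, "allow": True},
            {"acltype": "publishClientReceive", "topic": "v1.1/#", "priority": 0, "allow": True},
        ]},
    ],
    "anonymousGroup": "public",
    "defaultACLAccess": {"publishClientSend": False, "publishClientReceive": False,
                         "subscribe": False, "unsubscribe": False},
}

if __name__ == "__main__":
    # Usage: python audit_dynsec.py /etc/mosquitto/dynamic-security.json
    cfg = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for line in audit(cfg) or ["ok: all writers pinned, anonymous group read-only"]:
        print(line)
```

Run it against the broker's real file after every `mosquitto_ctrl` change; a non-empty report is the case Michael was worried about, a credential that can write without being tied to one client id.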

