Weird behaviour when modifying publishClientSend for a role
I'm using the command `mosquitto_ctrl -u windcredible-admin -P 12345 dynsec addRoleACL sensor_role publishClientSend 'wind_turbines/+/+/+/+' allow 1` on a role I created previously. Shouldn't this command allow clients with this role to only publish to topics that follow that structure?
That's correct. If you have the dynsec plugin loaded then the default action is to deny publishing to topics to all clients. If you create a client and add a role to it, then all ACLs in that role will apply. In your case, you've allowed a topic to publish on. Without any further information it looks fine. Is the problem that the client cannot publish on a topic with that pattern, or is it that it can publish on any topic?
The problem is that my client can publish to any topic! Sorry for not mentioning that.
Could you please share an example `dynamic-security.json` that shows this behaviour?
```json
{
  "defaultACLAccess": {
    "publishClientSend": false,
    "publishClientReceive": true,
    "subscribe": false,
    "unsubscribe": true
  },
  "clients": [
    {
      "username": "sensor1",
      "clientid": "sensor1",
      "roles": [
        {
          "rolename": "sensor_role"
        }
      ],
      "password": "9ILFCvNLHHMHoIgBeuxvzxIUaqxc7hvZ/pHAUNc3H16AzKNqCrqx36GbsoPlpn7cqabXuWD1Ndb+rDlCDyxCJw==",
      "salt": "EKUHv4UoOHp+xl3Y",
      "iterations": 101
    },
    {
      "username": "admin",
      "textname": "Dynsec admin user",
      "roles": [
        {
          "rolename": "admin"
        }
      ],
      "password": "4P3P1WyewVErOP+cqlrsmgH3clWtR+gRCqyRBz02C7lXNdJ1QmhLqAktWypXVgIaGJP4JLFGb10MFUH8wbhmTA==",
      "salt": "nC0xAI4EpoyCIVz4",
      "iterations": 101
    }
  ],
  "groups": [],
  "roles": [
    {
      "rolename": "admin",
      "acls": [
        {
          "acltype": "publishClientSend",
          "topic": "$CONTROL/dynamic-security/#",
          "priority": 0,
          "allow": true
        },
        {
          "acltype": "publishClientReceive",
          "topic": "$CONTROL/dynamic-security/#",
          "priority": 0,
          "allow": true
        },
        {
          "acltype": "publishClientReceive",
          "topic": "$SYS/#",
          "priority": 0,
          "allow": true
        },
        {
          "acltype": "publishClientReceive",
          "topic": "#",
          "priority": 0,
          "allow": true
        },
        {
          "acltype": "subscribePattern",
          "topic": "$CONTROL/dynamic-security/#",
          "priority": 0,
          "allow": true
        },
        {
          "acltype": "subscribePattern",
          "topic": "$SYS/#",
          "priority": 0,
          "allow": true
        },
        {
          "acltype": "subscribePattern",
          "topic": "#",
          "priority": 0,
          "allow": true
        },
        {
          "acltype": "unsubscribePattern",
          "topic": "#",
          "priority": 0,
          "allow": true
        }
      ]
    },
    {
      "rolename": "sensor_role",
      "acls": [
        {
          "acltype": "publishClientSend",
          "topic": "wind_turbines/+/+/+/+",
          "priority": 1,
          "allow": true
        },
        {
          "acltype": "publishClientReceive",
          "topic": "wind_turbines/+/+/+/+",
          "priority": 1,
          "allow": true
        }
      ]
    }
  ]
}
```
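To see what decision the posted config should produce for `sensor1`, here is an added example (not mosquitto's own code) that models the dynsec check in a simplified form: role ACLs of the client are tried highest priority first, the first matching topic pattern wins, and anything unmatched falls back to `defaultACLAccess`. The `DYNSEC` document is a constructed excerpt of the config above; the real plugin also considers per-client ACLs, group roles and `$`-prefixed topic rules, which are left out here.

```python
# Added example (not mosquitto code): simplified model of the dynsec
# publishClientSend decision for the config posted in this issue.
import json

# Constructed excerpt of the posted dynamic-security.json (sensor1 only).
DYNSEC = json.loads("""{
  "defaultACLAccess": {"publishClientSend": false, "publishClientReceive": true,
                       "subscribe": false, "unsubscribe": true},
  "clients": [{"username": "sensor1", "roles": [{"rolename": "sensor_role"}]}],
  "roles": [{"rolename": "sensor_role", "acls": [
    {"acltype": "publishClientSend", "topic": "wind_turbines/+/+/+/+",
     "priority": 1, "allow": true},
    {"acltype": "publishClientReceive", "topic": "wind_turbines/+/+/+/+",
     "priority": 1, "allow": true}]}]
}""")

def topic_matches(pattern, topic):
    """MQTT wildcard match: '+' is exactly one level, '#' is the rest."""
    p, t = pattern.split("/"), topic.split("/")
    for i, level in enumerate(p):
        if level == "#":                      # '#' must be the last level
            return i == len(p) - 1
        if i >= len(t) or (level != "+" and level != t[i]):
            return False
    return len(p) == len(t)                   # no trailing levels left over

def check_acl(config, username, acltype, topic):
    """Return (allowed, reason) for one acltype on one topic."""
    client = next(c for c in config["clients"] if c["username"] == username)
    rolenames = {r["rolename"] for r in client.get("roles", [])}
    acls = [a for r in config["roles"] if r["rolename"] in rolenames
            for a in r["acls"] if a["acltype"] == acltype]
    # Higher priority first; the first matching ACL decides.
    for acl in sorted(acls, key=lambda a: a["priority"], reverse=True):
        if topic_matches(acl["topic"], topic):
            return acl["allow"], f"role ACL {acl['topic']!r}"
    # Nothing matched: the defaultACLAccess for this acltype applies.
    return config["defaultACLAccess"][acltype], "defaultACLAccess"

if __name__ == "__main__":
    for t in ("wind_turbines/farm1/t7/nacelle/temp",   # 4 levels after prefix
              "wind_turbines/farm1/t7/nacelle",        # only 3: '+' needs one each
              "other/topic"):
        print(t, check_acl(DYNSEC, "sensor1", "publishClientSend", t))
```

Note that a denied publish is not signalled back to an MQTT 3.1.1 client; the broker just drops the message, which is why the decision only shows up in the broker log.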
Hmmmm, I think it is working, but there's no message telling me the user doesn't have permission to publish on that topic. I thought it wasn't working since the logs on mosquitto were exactly the same whether I published on the correct topic or on any other topic.
It looks like it works to me.
If you use verbose logging (`log_type all` in the config, or `-v` on the command line) then you'll get a log that looks like `Denied PUBLISH from roger ...`.
I think that means this can be closed - if you agree please do that, or I will do at some point later.