
Disallowed Wildcard "#" read write Permission for non superuser.

Open amin-is opened this issue 2 years ago • 2 comments

I am using the MongoDB backend.

In the config file I am using auth_opt_mongo_disable_superuser false.

My query: is it possible to disable wildcard "#" read/write permission for non-superusers?

Here the superuser is able to read and write the wildcard "#" topic without any ACL permission being entered.

{
  "username": "superuser",
  "password": "PBKDF2$sha512$100000$aV8UHklummdI1PefjRBxpQ==$0QPNbv1dncLSBNFQY477fuE1nHzhFSVh2bACNL3Eg==",
  "superuser": true
}

And non-superusers are able to read and write "topic/device1" and the wildcard "#" topic with the ACL permissions entered.

{
  "username": "nonsuper",
  "password": "PBKDF2$sha512$100000$aV8UHklummdI1PefjRBxpQ==$0QPNbv1d2Uk6aCe1cfQY477fuE1nHzhFSVh2bACN3Eg==",
  "superuser": false,
  "acls": [
    {
      "topic": "topic/device1",
      "acc": 3
    },
    {
      "topic": "#",
      "acc": 3
    }
  ]
}

Now I want only the superuser to have read/write permission on the wildcard "#" topic. Non-superusers should not have read/write permission on the wildcard "#" topic, even if I put the "#" ACL permission into the database; then it should also not work. Non-superusers should only be able to read and write specific topics like "topic/device1". Wildcard permission would be completely disallowed for non-superusers.

English is not my native language, sorry about the broken sentences.

amin-is avatar Sep 20 '22 20:09 amin-is

Hey, not sure because I don't know what client you're using, but aren't you maybe just forgetting the subscribe permission "acc": 4 on topics you want to be able to subscribe to and then read?

iegomez avatar Sep 21 '22 13:09 iegomez

Thanks for your reply.

In my case, without entering the subscribe permission "acc": 4, users can also subscribe to any topic. I just give permission "acc": 3 and everything works fine: read, write and subscribe too. I am very happy that it all works together with a single permission. As for the client, I tried MQTTBox, MQTT X, a mobile app and also a web client; all work well. Disallowing wildcard permission for non-superusers, I think, is a limitation of the library. With another DB backend like MySQL, when the user is given permission (is_admin = 1) there is no need to define ACL permissions, but when the user has permission (is_admin = 0) the ACL topics need to be defined. In this case, if I put the wildcard permission "#" then this user can also read, write and subscribe. If possible, please make an update so that a MongoDB "superuser": false user, or a MySQL (is_admin = 0) user, can't access wildcard permission even if they are given the "#" permission in their ACLs.

amin-is avatar Sep 22 '22 03:09 amin-is
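An added example (not from this thread and not mosquitto-go-auth's own code) of the policy both of amin-is's posts ask for, in Go since that is the project's language: a validator that refuses wildcard grants on a "superuser": false record before it is stored, and an access check that ignores a stray wildcard row already in the database while superusers keep unrestricted access. The type and function names are assumptions, rejecting "+" as well as "#" goes beyond what the thread discusses, and the access bits 1/2/4 are the ones the thread uses.

```go
package main

import (
	"errors"
	"strings"
)
// Access bits used in mosquitto-go-auth ACL records: 1 read, 2 write, 4 subscribe.
const AccRead, AccWrite, AccSubscribe = 1, 2, 4
// ACL is one entry of the "acls" array; User holds the document fields that matter here (assumed shapes).
type ACL struct {
	Topic string
	Acc   int
}
type User struct {
	Superuser bool
	ACLs      []ACL
}
var ErrWildcardGrant = errors.New("wildcard ACL is not allowed for a non-superuser")

// hasWildcard reports whether a topic filter contains an MQTT wildcard level ("#" or "+").
func hasWildcard(filter string) bool {
	for _, level := range strings.Split(filter, "/") {
		if level == "#" || level == "+" {
			return true
		}
	}
	return false
}

// ValidateACLs rejects a "superuser": false document that carries any wildcard grant.
func ValidateACLs(u User) error {
	for _, a := range u.ACLs {
		if !u.Superuser && hasWildcard(a.Topic) {
			return ErrWildcardGrant
		}
	}
	return nil
}

// CheckAccess: a non-superuser needs an exact, non-wildcard entry whose bits cover the
// requested access, so a stray "#" row already in the database is ignored; superusers pass.
func CheckAccess(u User, topic string, acc int) bool {
	for _, a := range u.ACLs {
		if !hasWildcard(a.Topic) && a.Topic == topic && a.Acc&acc == acc {
			return true
		}
	}
	return u.Superuser
}
```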

Sorry, I forgot about this issue. Could you give more details? I was looking into your example again and I'm not sure what the issue is.

iegomez avatar Oct 21 '22 01:10 iegomez

I'm closing this issue since the request for more details was never fulfilled. I hope you were able to solve your issue.

Cheers!

iegomez avatar Feb 17 '23 06:02 iegomez