mosquitto-users team mailing list archive

Re: Mosquitto Plugin ACL check improvements

 

Hi Remi,

The ACL check needs to be carried out on each publish because both
subscriptions and ACLs can contain wildcards.

If I had an ACL to allow read-only access to the topic read/only,
should I deny subscriptions to # for example?

One thing I do have on my list of things to add is explicit
subscription control, which is essentially what you are suggesting. I
think it is most useful with wildcards - denying access to
subscriptions to # would be useful in some situations for example.
This is a separate issue to the current read/write ACLs though.

Cheers,

Roger


On Thu, Dec 5, 2013 at 11:38 AM, Remi SALEMBIER <remi.salembier@xxxxxxx> wrote:
> Hi,
>
>
>
> By playing with the Mosquitto plugin and the function
> mosquitto_auth_acl_check, I found it curious that every single publication is
> verified from both parts, the publisher and the subscriber. Wouldn’t it be
> nicer to be able to intercept “wrong” subscriptions directly when the client
> tries to subscribe to a topic?
>
> I suppose it would not be a lot of work, considering it would be possible to
> reuse the function mosquitto_acl_check using a third parameter pointing to a
> subscribe event (MOSQ_ACL_READ / MOSQ_ACL_WRITE / MOSQ_ACL_SUB?). The
> function would be called with this parameter in “mqtt3_handle_subscribe”
> (read_handle_server.c) around line 500.
>
> I tried to send a pull request on bitbucket so you can have a look at my
> proposal, but it seems it is not possible to clone the repository at the
> moment (URL not valid).
>
>
>
> Regards,
>
> Remi
>
>
> --
> Mailing list: https://launchpad.net/~mosquitto-users
> Post to     : mosquitto-users@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~mosquitto-users
> More help   : https://help.launchpad.net/ListHelp
>
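
An added illustration of the point in Roger's reply, not code from this thread or from Mosquitto: with a read ACL of `read/only` and a subscription to `#`, only a per-message check can decide what is delivered. The names `filter_matches` and `deliver_allowed` are hypothetical, and the matcher is a simplified MQTT wildcard matcher that ignores the special rules for topics beginning with `$`.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Length of the topic level starting at s (up to the next '/' or the end). */
static size_t level_len(const char *s) { return strcspn(s, "/"); }

/* Match a concrete topic against a filter containing '+' and '#' wildcards.
 * Simplified: '$'-prefixed topics get no special treatment here. */
bool filter_matches(const char *filter, const char *topic)
{
    for (;;) {
        size_t fl = level_len(filter), tl = level_len(topic);
        if (fl == 1 && filter[0] == '#')
            return true;                      /* '#' covers all remaining levels */
        if (!(fl == 1 && filter[0] == '+') &&
            (fl != tl || strncmp(filter, topic, fl) != 0))
            return false;                     /* literal level differs */
        filter += fl;
        topic += tl;
        if (*filter == '\0' && *topic == '\0') return true;
        if (*filter == '\0') return false;    /* topic has extra levels */
        if (*topic == '\0')
            return strcmp(filter, "/#") == 0; /* "a/#" also matches "a" */
        filter++;                             /* step over the '/' separators */
        topic++;
    }
}

/* Per-message read check: a message is delivered only if its topic matches
 * both the client's subscription and the read ACL pattern. */
bool deliver_allowed(const char *read_acl, const char *subscription,
                     const char *topic)
{
    return filter_matches(subscription, topic) && filter_matches(read_acl, topic);
}

int main(void)
{
    /* Constructed sample: the ACL and subscription from the reply above. */
    const char *acl = "read/only", *sub = "#";
    const char *topics[] = { "read/only", "secret/data", "read/only/deeper" };
    for (size_t i = 0; i < sizeof topics / sizeof topics[0]; i++)
        printf("%-18s -> %s\n", topics[i],
               deliver_allowed(acl, sub, topics[i]) ? "deliver" : "drop");
    return 0;
}
```

Rejecting the `#` subscription outright would also block the one topic the ACL permits, while accepting it without a per-message check would expose every other topic.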

