
mosquitto-users team mailing list archive

Re: Mosquitto Plugin ACL check improvements


Thanks for your answer Roger.

I agree with you about the current ACL system which is able to control read and/or write access.
But as you said, an explicit subscription control also has some advantages (wildcard control). It also removes the need to verify, for each subscriber, whether it has read access for every publication (it will be blocked when subscribing).

Have you got an idea whether this feature could be present in the next major release (1.3)?

Thanks,
Remi
-----Original Message-----
From: rogerlight@xxxxxxxxx [mailto:rogerlight@xxxxxxxxx] On behalf of Roger Light
Sent: Thursday 5 December 2013 15:14
To: Remi SALEMBIER
Cc: mosquitto-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Mosquitto-users] Mosquitto Plugin ACL check improvements

Hi Remi,

The ACL check needs to be carried out on each publish because both subscriptions and ACLs can contain wildcards.

If I had an ACL to allow read-only access to the topic read/only, should I deny subscriptions to # for example?

One thing I do have on my list of things to add is explicit subscription control, which is essentially what you are suggesting. I think it is most useful with wildcards - denying access to subscriptions to # would be useful in some situations for example.
This is a separate issue to the current read/write ACLs though.

Cheers,

Roger


On Thu, Dec 5, 2013 at 11:38 AM, Remi SALEMBIER <remi.salembier@xxxxxxx> wrote:
> Hi,
>
>
>
> By playing with the Mosquitto plugin and the function
> mosquitto_auth_acl_check, I found it curious that every single
> publication is verified on both sides, the publisher's and the
> subscriber's. Wouldn’t it be nicer to be able to intercept “wrong”
> subscriptions directly when the client tries to subscribe to a topic?
>
> I suppose it would not be a lot of work, considering it would be
> possible to reuse the function mosquitto_acl_check with a third
> parameter pointing to a subscribe event (MOSQ_ACL_READ /
> MOSQ_ACL_WRITE / MOSQ_ACL_SUB?). The function would be called with
> this parameter in “mqtt3_handle_subscribe” (read_handle_server.c)
> around line 500.
>
> I tried to send a pull request on bitbucket so you can have a look at 
> my proposal, but it seems it is not possible to clone the repository 
> at the moment (URL not valid).
>
>
>
> Regards,
>
> Remi
>
>
> --
> Mailing list: https://launchpad.net/~mosquitto-users
> Post to     : mosquitto-users@xxxxxxxxxxxxxxxxxxx
> Unsubscribe : https://launchpad.net/~mosquitto-users
> More help   : https://help.launchpad.net/ListHelp
>
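Roger's point (wildcards can appear on both the subscription side and the ACL side, so only the concrete topic of each PUBLISH can be checked conclusively) and Remi's proposed subscribe-time hook can be modelled side by side. The C program below is an added example written for this archive page; it is neither Mosquitto's code nor Remi's proposed patch. The topic matcher, the ACL table, the ACL_READ/ACL_WRITE bits, the denied_filters list, the function names and the usernames alice and bob are all constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Access bits, named after the thread's MOSQ_ACL_READ / MOSQ_ACL_WRITE.
 * Values and names are constructed for this example. */
#define ACL_READ  1
#define ACL_WRITE 2

/* MQTT topic-filter matching: '+' matches exactly one level, '#' matches all
 * remaining levels (and "a/#" also matches "a", per the MQTT rules). This is a
 * stand-alone reimplementation written for the example, not Mosquitto's code. */
bool topic_matches_sub(const char *sub, const char *topic)
{
    for (;;) {
        const char *se = strchr(sub, '/');
        const char *te = strchr(topic, '/');
        size_t slen = se ? (size_t)(se - sub) : strlen(sub);
        size_t tlen = te ? (size_t)(te - topic) : strlen(topic);

        if (slen == 1 && sub[0] == '#')
            return true;                         /* multi-level wildcard */
        if (!(slen == 1 && sub[0] == '+') &&     /* literal level: must be equal */
            (slen != tlen || memcmp(sub, topic, slen) != 0))
            return false;
        if (!te)                                 /* topic exhausted */
            return !se || strcmp(se, "/#") == 0;
        if (!se)                                 /* filter exhausted, topic not */
            return false;
        sub = se + 1;
        topic = te + 1;
    }
}

struct acl_entry {
    const char *username;
    const char *pattern;   /* a topic or topic filter, as in mosquitto.conf ACLs */
    int access;
};

/* Constructed ACL table: alice may read one sensor topic, bob may publish
 * under sensors/. Nothing grants alice read access to sensors/secret. */
static const struct acl_entry acl_table[] = {
    { "alice", "sensors/temp", ACL_READ },
    { "alice", "public/#",     ACL_READ | ACL_WRITE },
    { "bob",   "sensors/#",    ACL_WRITE },
};

/* The per-publish check the thread discusses: run once for the publisher
 * (ACL_WRITE) and once per matching subscriber (ACL_READ). Default deny. */
bool acl_check(const char *username, const char *topic, int access)
{
    for (size_t i = 0; i < sizeof acl_table / sizeof acl_table[0]; i++) {
        const struct acl_entry *e = &acl_table[i];
        if (strcmp(e->username, username) != 0) continue;
        if ((e->access & access) != access) continue;
        if (topic_matches_sub(e->pattern, topic)) return true;
    }
    return false;
}

/* Explicit subscription control, the separate feature Roger has on his list:
 * a deny-list of filters evaluated once, at SUBSCRIBE time. A filter with no
 * wildcard names one concrete topic, so the read ACL can decide it here. A
 * wildcard filter may overlap both permitted and forbidden topics, so it is
 * admitted and acl_check() still gates every delivery made through it. */
static const char *const denied_filters[] = { "#", "$SYS/#" };

bool sub_check(const char *username, const char *filter)
{
    for (size_t i = 0; i < sizeof denied_filters / sizeof denied_filters[0]; i++)
        if (strcmp(denied_filters[i], filter) == 0) return false;
    if (strpbrk(filter, "+#") == NULL)
        return acl_check(username, filter, ACL_READ);
    return true;
}

/* What happens on each PUBLISH for one subscriber: the filter must match the
 * concrete topic and the subscriber must hold read access to that topic. */
bool would_deliver(const char *subscriber, const char *filter, const char *topic)
{
    return topic_matches_sub(filter, topic) && acl_check(subscriber, topic, ACL_READ);
}

int main(void)
{
    printf("alice SUBSCRIBE #              -> %s\n", sub_check("alice", "#") ? "allowed" : "denied");
    printf("alice SUBSCRIBE sensors/#      -> %s\n", sub_check("alice", "sensors/#") ? "allowed" : "denied");
    printf("alice SUBSCRIBE sensors/secret -> %s\n", sub_check("alice", "sensors/secret") ? "allowed" : "denied");
    printf("bob   PUBLISH   sensors/secret -> %s\n", acl_check("bob", "sensors/secret", ACL_WRITE) ? "accepted" : "rejected");
    printf("deliver sensors/temp   to alice -> %s\n", would_deliver("alice", "sensors/#", "sensors/temp") ? "yes" : "no");
    printf("deliver sensors/secret to alice -> %s\n", would_deliver("alice", "sensors/#", "sensors/secret") ? "yes" : "no");
    return 0;
}
```

The run shows the two mechanisms doing different jobs. alice's subscription to sensors/# is admitted, because it overlaps a topic she may read (sensors/temp) and one she may not (sensors/secret), and no subscribe-time decision can separate them; only the per-publish acl_check() withholds the secret message. The subscribe-time sub_check() earns its keep on the cases Roger names: it rejects the bare # filter outright and can decide a literal filter such as sensors/secret immediately, but it does not replace the per-publish check.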
