mosquitto-users team mailing list archive
-
mosquitto-users team
-
Mailing list archive
-
Message #00374
Re: Mosquitto Plugin ACL check improvements
Hi Remi,
Yes, it should be in the next version as it is actually quite a
straightforward change. The next version has been accumulating
features to be implemented and so may become 2.0. This would match
nicely with being the first Eclipse release, particularly if the
MQTT-SN code from RSMB is merged.
Cheers,
Roger
On Thu, Dec 5, 2013 at 3:52 PM, Remi SALEMBIER <remi.salembier@xxxxxxx> wrote:
> Thanks for your answer Roger.
>
> I agree with you about the current ACL system which is able to control read and/or write access.
> But as you said, an explicit subscription control has also some advantages (wildcards control). It also allows to not have to verify for each subscriber if it has the read access for every publication (it will be blocked when subscribing).
>
> Have you got an idea if this feature could be present in the next major release (1.3) ?
>
> Thanks,
> Remi
> -----Message d'origine-----
> De : rogerlight@xxxxxxxxx [mailto:rogerlight@xxxxxxxxx] De la part de Roger Light
> Envoyé : jeudi 5 décembre 2013 15:14
> À : Remi SALEMBIER
> Cc : mosquitto-users@xxxxxxxxxxxxxxxxxxx
> Objet : Re: [Mosquitto-users] Mosquitto Plugin ACL check improvements
>
> Hi Remi,
>
> The ACL check needs to be carried out on each publish because both subscriptions and ACLs can contain wildcards.
>
> If I had an ACL to allow read only access to the topic read/only , should I deny subscriptions to # for example?
>
> One thing I do have on my list of things to add is explicit subscription control, which is essentially what you are suggesting. I think it is most useful with wildcards - denying access to subscriptions to # would be useful in some situations for example.
> This is a separate issue to the current read/write ACLs though.
>
> Cheers,
>
> Roger
>
>
> On Thu, Dec 5, 2013 at 11:38 AM, Remi SALEMBIER <remi.salembier@xxxxxxx> wrote:
>> Hi,
>>
>>
>>
>> By playing with the Mosquitto plugin and the function
>> mosquitto_auth_acl_check, I found curious that every single
>> publication is verified from both part, the publisher and the
>> subscriber. Wouldn’t it be nicer to be able to intercept “wrong”
>> subscriptions directly when the client tries to subscribe to a topic ?
>>
>> I suppose it would not be a lot of work, considering it would be
>> possible to reuse the function mosquitto_acl_check using a third
>> parameter pointing to a subscribe event (MOSQ_ACL_READ /
>> MOSQ_ACL_WRITE / MOSQ_ACL_SUB ? ). The function would be called with this parameter in “mqtt3_handle_subscribe”
>> (read_handle_server.c) around line 500.
>>
>> I tried to send a pull request on bitbucket so you can have a look at
>> my proposal, but it seems it is not possible to clone the repository
>> at the moment (URL not valid).
>>
>>
>>
>> Regards,
>>
>> Remi
>>
>>
>> --
>> Mailing list: https://launchpad.net/~mosquitto-users
>> Post to : mosquitto-users@xxxxxxxxxxxxxxxxxxx
>> Unsubscribe : https://launchpad.net/~mosquitto-users
>> More help : https://help.launchpad.net/ListHelp
>>
Follow ups
References