in WSO2 MB management console I'm trying to restrict read and write access for topics to certain users and roles, but it seems that it only effects JMS but not MQTT messaging, despite WSO2 MB states to support this protocol.
I would like to restrict subscribing and publishing to single roles, so a user can either publish or subscribe to a topic but not both.
Are there any solutions?
Oliver
Even though mqtt spec didn't specifically define authorization model. Workaround has been implemented recently as an experimental feature for MB 3.2.0 alpha. Implementation is based on carbon permission model with a known limitation of permissions can be defined only for static topics. Please note that this will not be visible in wso2 message broker ui permission tree. Please go through draft documentation in public Jira for more information.
Related
Considering MQTT's pub/sub behavior, topic namespace is not isolated and any user can access every other user's data on a topic.
I've seen services like flespi which claim they provide isolated name spaces but some of them use containers to isolate users...
Is it possible to modify an MQTT broker, e.g. Mosquitto, for that purpose? Or is there such open source broker?
Mosquitto can set access control to topics based on authentication username. This allows the administrator to restrict access to topics and restrict which clients can subscribe, publish or receive messages on particular topics. This is documented in Mosquitto’s documentation.
For greater flexibility you can also use the dynamic security plugin, or the mosquitto-go-auth plugin which allows you to use a variety of different data sources for authorization and ACL configuration.
I'm working toward an event-driven simulation infrastructure using Solace's PubSub+ for MQTT as a broker. I have a type of control message topic prefixed by control/.
Is there anyway to protect/restrict publish access to this topic prefix (or specific topics in general) to one authenticated user (i.e. the controller node)?
Thank you for your time!
yes indeed there is! What you are inquiring about is configuring access control list under the Client Authorization. Check out more information about ACLs in the docs here. ACLs are configured on the broker management console, so whether you are using a local broker (via docker for example), cloud solution (Solace Cloud) or an appliance, you access your ACLs from the "Access Control" tab and configure your users and topic subscriptions. You can also check out the Solace Community forum where you can see a bunch of people asking questions about Solace related concepts and messaging in general.
Note: if you are using MQTT to connect to the broker, you can create a username on the broker with predefined authentication. You will use this authentication during your mqtt client connection.
Is it possible to allow for someone in hyperledger rights only to read, and to others read+write?
So, can you specify different roles for users?
I'm going to answer the question based on Hyperledger Fabric v1.0.0.
The short answer is yes.
There are a couple of areas to discuss:
1) Ability to send (broadcast) and receive (deliver) transactions to/from the ordering service.
As you know, in order for transactions to make it to the ledger, they must go through an ordering service. An ordering service can be divided up into channels (in simplest terms think of channels as being unique ledgers). Each channel has policies which define who is able to read and write from/to the channel. The documentation on this topic is being updated, but basically there are channel reader and writer policies. If you cannot "write" to the channel, you cannot submit transactions to the ordering service. Additionally, if you don't have access to write to a channel, you cannot send endorsement proposals to peers for chaincode which is deployed on channel you don't have write permission for.
These policies are all part of channel configuration transactions (for which the documentation is currently being updated / created).
2) Chaincode
Beyond the channel-based policies mentioned above, it is also possible to restrict access to chaincode functions as well. This is actually typically handled from within chaincode itself and it is up to the deployer / developer of the chaincode to handle this (especially in the current 1.0.0-alpha release). There is some additional work underway to add some access control libraries which will make doing this a lot simpler
I was reading this about topic subscription. So if I subscribe using a wild card, to the # topic, then I will receive all the messages.
Does that mean I could intercept the communication? When someone is publishing a message to a secret topic, then I will also get it.
Obviously that is not the case. But what am I missing?
On a related issue, how does the broker prevent users from subscribing to specific topics or publising to other? I assume not anybody can just send data to a broker. Is it somehow similar to HTTP?
With the basic out of the box configuration, anybody can connect to the broker and subscribing to # will get all the messages published and you can publish to any topic you want.
The MQTT protocol includes support for authentication as part of setting up a connection to the broker. Once you have an authenticated user it becomes possible to apply rules to what that user can do. Different brokers implement how create those rules in different ways, but mosquitto has support for ACLs.
With the ACL you can define what topics a user can subscribe and publish to. The built in mechanism for this is a flat file, but there is also support for a plugin system that allows you to keep username/password and allowed topics in a database. This allows the ACL to be easily updated without having to restart the broker.
With and API Key/Token combination we can connect from an application and subscribe/publish to any topic.
Is there a way to prevent an application from publishing to a topic (eg. read-only access) ?
Is it possible to limit the topics an application can connect to ?
The topic space in which devices and applications operate is scoped within a single organization. The IoT Foundation uses the org ID to isolate topics so data from one organization is not accessible by another. Is that what you are asking or do you want to specifically prohibit applications that authenticate within the same org from publishing to a topic within the same org space?
Speaking in terms of applications and devices, are you wanting applications to only be able to subscribe to topics (events) for devices, rather than publish to topics (commands) for devices? Also, do you want to control which applications can work with (publish / subscribe) to a certain set of devices?
Currently this functionality is not available, they expect to add it in the very near future