In mosquitto can I allow publishing only for some IPs but subscribe anywhere? - mosquitto

In mosquitto can I allow only some IPs to publish, but allow subscribing from anywhere?
I want to make mosquitto only allow publishing from some IPs for security reasons.

Mosquitto provides security through username and password authentication as well as limiting access to topics with access control lists. There are details in the mosquitto.conf man page: http://mosquitto.org/man/mosquitto-conf-5.html
There is also a plugin for database backends that might contain security usernames/passwords https://github.com/jpmens/mosquitto-auth-plug

Related

Isolated topic namespace for MQTT

Considering MQTT's pub/sub behavior, topic namespace is not isolated and any user can access every other user's data on a topic.
I've seen services like flespi which claim they provide isolated namespaces but some of them use containers to isolate users...
Is it possible to modify an MQTT broker, e.g. Mosquitto, for that purpose? Or is there such an open-source broker?
Mosquitto can set access control to topics based on authentication username. This allows the administrator to restrict access to topics and restrict which clients can subscribe, publish or receive messages on particular topics. This is documented in Mosquitto’s documentation.
For greater flexibility you can also use the dynamic security plugin, or the mosquitto-go-auth plugin which allows you to use a variety of different data sources for authorization and ACL configuration.

Restricting / Protecting Topics with MQTT and Solace

I'm working toward an event-driven simulation infrastructure using Solace's PubSub+ for MQTT as a broker. I have a type of control message topic prefixed by control/.
Is there any way to protect/restrict publish access to this topic prefix (or specific topics in general) to one authenticated user (i.e. the controller node)?
Thank you for your time!
Yes indeed there is! What you are inquiring about is configuring an access control list under the Client Authorization. Check out more information about ACLs in the docs here. ACLs are configured on the broker management console, so whether you are using a local broker (via docker for example), a cloud solution (Solace Cloud) or an appliance, you access your ACLs from the "Access Control" tab and configure your users and topic subscriptions. You can also check out the Solace Community forum where you can see a bunch of people asking questions about Solace related concepts and messaging in general.
Note: if you are using MQTT to connect to the broker, you can create a username on the broker with predefined authentication. You will use this authentication during your MQTT client connection.

Configuring RabbitMQ to deny LDAP users from publishing messages

We are running RabbitMQ 3.6.5 in a Windows environment and are using the LDAP plugin. This allows our developers to view the queues and inspect the messages. By default, the RabbitMQ LDAP plugin allows "all users to access all objects in all vhosts" (as documented here). This includes the ability to publish messages directly from the LDAP plugin. What we would like to do is deny this permission to LDAP users, while still allowing them to see the queues.
According to the LDAP plugin page, this is accomplished by inserting Erlang queries into the RabbitMQ configuration. Using the examples on that page, we first tried simply granting read permission with this query (LDAP specifics changed):
{resource_access_query,
  {for, [{permission, configure, {in_group, "OU=someGroup,OU=Departments,OU=ABC,DC=ABC,DC=ORG"}},
         {permission, read, {constant, true}}]}}
When that had no effect, we tried explicitly denying write permissions:
{resource_access_query,
  {for, [{resource, queue,
          {for, [{permission, configure, {in_group, "OU=someGroup,OU=Departments,OU=ABC,DC=ABC,DC=ORG"}},
                 {permission, write, {constant, false}},
                 {permission, read, {constant, true}}]}}]}}
Unfortunately that had no effect either. In both cases, LDAP users were still able to publish messages in the LDAP plugin.
Does anybody know what we are missing?
The RabbitMQ team monitors this mailing list and only sometimes answers questions on StackOverflow.
You need to read the RabbitMQ Access Control guide as well, specifically this section. Messages are published to Exchanges in RabbitMQ, not Queues, via the basic.publish AMQP 0.9.1 method. In your case deny write permission to the exchange resource and grant read permission to the queue resource.
Once you have configured the LDAP plugin correctly, I strongly recommend enabling the auth cache plugin. Otherwise, LDAP queries will be made when every message is published or read, as well as all other operations requiring authorization.

MQTT, is it possible to block publications for everyone besides localhost, and leave the subscriptions open to everybody?

What I want to do is to have data published from localhost only.
But I need to allow any user in the web to subscribe to that topic, is it possible to do with MQTT? How?
If not, do I have any other options to fulfill these specifics?
Additional information:
Using MQTT protocol to post.
Using Websockets to subscribe.
Using Mosquitto as broker.
Most MQTT brokers support ACLs to limit access to topics to specific users. They also tend to allow an ACL for unauthenticated (anonymous) users.
So you should be able to define a specific user that you can use to publish from localhost and then set up an anonymous ACL that only allows subscriptions to #.
For Mosquitto the acl file would look something like:
# topic rules before the first "user" line apply to anonymous (unauthenticated) clients
topic read #
# topic rules after a "user" line apply only to that user
user publisher
topic readwrite #
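The file above works because of how mosquitto reads its acl_file: topic rules before the first user line apply to anonymous clients, rules after a user line apply to that user, and pattern lines apply to every client with %u/%c substituted. The script below is an added model of those rules (not mosquitto's own code and not from this answer) that parses a constructed ACL and decides who may read or write a topic; it assumes a simplified read/write-only check with deny rules evaluated first.

```python
# Added illustration of mosquitto's acl_file semantics (not mosquitto's own code):
# parse an ACL file and decide "may this client read/write topic T?" (default deny).
# Constructed ACL: rules before any "user" line apply to anonymous clients (read
# only), "publisher" may read/write everything, each user may write its own status.
ACL_FILE = """
topic read #
user publisher
topic readwrite #
pattern write status/%u
"""

def parse_acl(text):
    # Returns (user_rules, pattern_rules); key None holds the anonymous rules.
    user_rules, pattern_rules, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        kind, rest = line.split(None, 1)
        if kind == "user":
            current = rest.strip()
            continue
        if kind not in ("topic", "pattern"):
            raise ValueError("unknown ACL line: " + raw)
        access, topic = rest.split(None, 1)
        target = user_rules.setdefault(current, []) if kind == "topic" else pattern_rules
        target.append((access, topic.strip()))
    return user_rules, pattern_rules

def topic_matches(sub, topic):
    # MQTT wildcard match: '+' is exactly one level, '#' the rest of the topic.
    s, t = sub.split("/"), topic.split("/")
    for i, level in enumerate(s):
        if level == "#":
            return True
        if i >= len(t) or (level != "+" and level != t[i]):
            return False
    return len(s) == len(t)

def acl_check(acl, username, client_id, topic, access):
    # access is "read" or "write"; a "readwrite" rule grants both.
    user_rules, pattern_rules = acl
    rules = list(user_rules.get(username, []))
    for a, pat in pattern_rules:
        if "%u" in pat and username is None:  # %u patterns need a username
            continue
        rules.append((a, pat.replace("%u", username or "").replace("%c", client_id)))
    if any(a == "deny" and topic_matches(p, topic) for a, p in rules):
        return False  # deny rules are evaluated before any allow rule
    return any(a in (access, "readwrite") and topic_matches(p, topic) for a, p in rules)
```

Feeding your real acl_file into parse_acl lets you check, before restarting the broker, that the anonymous section really grants read only and that no pattern line accidentally opens publishing to everyone.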

MQTT subscribe to # topic allows the user to read all messages?

I was reading this about topic subscription. So if I subscribe using a wild card, to the # topic, then I will receive all the messages.
Does that mean I could intercept the communication? When someone is publishing a message to a secret topic, then I will also get it.
Obviously that is not the case. But what am I missing?
On a related issue, how does the broker prevent users from subscribing to specific topics or publishing to others? I assume not anybody can just send data to a broker. Is it somehow similar to HTTP?
With the basic out-of-the-box configuration, anybody can connect to the broker, subscribing to # will get all the messages published, and you can publish to any topic you want.
The MQTT protocol includes support for authentication as part of setting up a connection to the broker. Once you have an authenticated user it becomes possible to apply rules to what that user can do. Different brokers implement how to create those rules in different ways, but mosquitto has support for ACLs.
With the ACL you can define what topics a user can subscribe and publish to. The built-in mechanism for this is a flat file, but there is also support for a plugin system that allows you to keep username/password and allowed topics in a database. This allows the ACL to be easily updated without having to restart the broker.