eclipse-mosquitto/mosquitto

ACL, feature request


Topic: acl file creation with extended control

Currently the topic rights are controlled by: write | read | readwrite | deny
where putting nothing after "topic" means readwrite.
"deny" will always win over the others and block both read and write.
So, if you need to use the wildcard /+/ in a part of a topic structure for write access since that part is dynamically created, but need to exclude a specific part, that is not possible with the "deny" attribute since it then also blocks the reading.
Ex.
user client1
topic write main-topic/+/info
pattern read main-topic/#

would let you publish to:
main-topic/test1/info
main-topic/test2/info
but not:
main-topic/test1
and read all from main-topic/#

topic write main-topic/#
pattern read main-topic/#

would let you publish to:
main-topic/test1/info
main-topic/test2/info
main-topic/test1
main-topic/test2

and read from all main-topic/#

topic write main-topic/#
topic deny main-topic/test2/#
pattern read main-topic/#

would let you publish to:
main-topic/test1/info
main-topic/test1
but not:
main-topic/test2
main-topic/test2/info

and read from all main-topic/# except from main-topic/test2/#

However, if we also introduce "readdeny" and "writedeny"
we can effectively block out a specific part of a topic structure within a wildcard selection.
topic write main-topic/+/info
topic writedeny main-topic/test2/#
pattern read main-topic/#

would let you publish to:
main-topic/test1/info
main-topic/test1
but not:
main-topic/test2
main-topic/test2/info

and read from all main-topic/# including from main-topic/test2/#
E.g. the combination ONLY restricts write credentials for main-topic/test2/# within the wildcard selection.

Other nice to have would be:
partial wildcard selection:
main-topic/test+/# ; meaning the sub-topic needs to start with "test"
main-topic/+test/# ; meaning the sub-topic needs to end with "test"
main-topic/+test+/# ; meaning the sub-topic needs to contain "test"

A similar wildcard concept may be useful also for user names.

Are there any plans for adding support for "user group" and "user role" like in the dynamic_security plugin?

Best regards,
Anders Fromell /CTO
ITxPT.org
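To make the behaviour described in the request concrete, here is an added Python model of acl_file evaluation (illustration written for this page, not Mosquitto's own code). It implements MQTT filter matching for + and #, the user / topic / pattern lines used in the examples, and the proposed readdeny / writedeny keywords. The evaluation order (any matching deny rule blocks the request, otherwise any matching grant allows it) is an assumption taken from the request's description, not a reading of the broker's source; the ACL texts are the third example from the request and the same rules with deny swapped for writedeny, so the only difference between the two decision tables is the read access to main-topic/test2/#.

```python
"""Toy model of Mosquitto acl_file evaluation, extended with the readdeny /
writedeny keywords proposed above.  Added illustration, not Mosquitto code.
Assumed evaluation order (following the post, not the broker source):
any matching deny rule blocks the request; otherwise any matching rule that
grants the requested access allows it."""

from dataclasses import dataclass

READ, WRITE = "read", "write"
ANONYMOUS = "<anonymous>"  # key for 'topic' lines that precede any 'user' line


@dataclass(frozen=True)
class Rule:
    access: str        # read | write | readwrite | deny | readdeny | writedeny
    topic_filter: str  # MQTT filter; for pattern rules %u is replaced by the username


def topic_matches(topic_filter: str, topic: str) -> bool:
    """MQTT filter matching: '+' matches exactly one level, a trailing '#'
    matches the remaining levels (including none)."""
    f_levels = topic_filter.split("/")
    t_levels = topic.split("/")
    for i, f in enumerate(f_levels):
        if f == "#":
            return True
        if i >= len(t_levels):
            return False
        if f != "+" and f != t_levels[i]:
            return False
    return len(f_levels) == len(t_levels)


def parse_acl(text: str):
    """Parse the acl_file subset used in the post: user / topic / pattern lines.
    Returns (per-user rules, pattern rules applied to every user)."""
    user_rules = {}
    patterns = []
    user = ANONYMOUS
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 2)
        if parts[0] == "user":
            user = parts[1]
        elif parts[0] in ("topic", "pattern"):
            # "topic <filter>" without an access keyword means readwrite
            if len(parts) == 2:
                access, topic_filter = "readwrite", parts[1]
            else:
                access, topic_filter = parts[1], parts[2]
            rule = Rule(access, topic_filter)
            if parts[0] == "pattern":
                patterns.append(rule)
            else:
                user_rules.setdefault(user, []).append(rule)
    return user_rules, patterns


def allowed(acl, user: str, topic: str, access: str) -> bool:
    """Decide whether `user` may `access` (READ or WRITE) `topic`."""
    user_rules, patterns = acl
    matching = [r for r in user_rules.get(user, []) if topic_matches(r.topic_filter, topic)]
    matching += [r for r in patterns
                 if topic_matches(r.topic_filter.replace("%u", user), topic)]
    for r in matching:
        if r.access == "deny":           # existing keyword: blocks read AND write
            return False
        if r.access == access + "deny":  # proposed keyword: blocks one direction only
            return False
    return any(r.access in (access, "readwrite") for r in matching)


# Third example from the post: 'deny' also blocks reading main-topic/test2/#.
ACL_DENY = """
user client1
topic write main-topic/#
topic deny main-topic/test2/#
pattern read main-topic/#
"""

# Same rules with the proposed 'writedeny': reads of main-topic/test2/# survive.
ACL_WRITEDENY = ACL_DENY.replace("topic deny", "topic writedeny")


def decisions(acl_text: str) -> dict:
    """Evaluate the checks the post walks through against one ACL text."""
    acl = parse_acl(acl_text)
    return {
        "write test1/info": allowed(acl, "client1", "main-topic/test1/info", WRITE),
        "write test2/info": allowed(acl, "client1", "main-topic/test2/info", WRITE),
        "read test1/info": allowed(acl, "client1", "main-topic/test1/info", READ),
        "read test2/info": allowed(acl, "client1", "main-topic/test2/info", READ),
    }


if __name__ == "__main__":
    for name, text in (("deny", ACL_DENY), ("writedeny", ACL_WRITEDENY)):
        print(name, decisions(text))
```

Running it prints one decision table per ACL text; with deny, "read test2/info" is False, with writedeny it is True while "write test2/info" stays False in both. The matcher is also what you would reuse to audit an existing acl_file offline: feed it the topics a client is expected to publish and subscribe to and confirm the decisions before deploying the file.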