mqtt/mqtt.org

Suggestion: Wildcard-Shielded Topics

mitchshaw opened this issue · 1 comment

Hello!

I'm relatively new to GitHub so apologies in advance for any faux pas.

I'm working on developing an MQTT network for my company that we plan to use to get real-time data from specific devices that we resell to clients. E.g.: publishing the status of a video conferencing system as it goes live or shuts down. As part of the security for this system, I'm working on a way to use this network to automatically change access credentials (namely passwords) on a regular basis to prevent malicious access. However, while writing down this plan I misread how $ topics work and that they are specifically for debugging/admin data. I had initially thought that they could be used to create a topic that you could only view data from if you had the exact topic; which I believe is correct, but I can't write any as the Broker is the only one with access to publishing on those topics.

Which brings me to my suggestion: is there any possibility of adding an identifier like $ but for topics that Clients can publish to, operating in a similar manner so that you can only subscribe to them if you have the exact topic? What I'm wanting to prevent is a Client from subscribing to # and getting all of our passwords as they are distributed. It's extremely unlikely for this to occur, I know, but this does seem like a potentially useful feature.

I tend to be a bit hard to understand so I feel that an example is best. Say I have the following topics being published to:

LocalServer/App1/Object_A
RemoteServer/AccessApp/EntryAttempt
%PasswordDist/Location_X/Machine_X/App_X/Credential_1430
foo/bar/foobar

For the sake of example, let's consider % this new identifier. What I would like it to do is if someone subscribed to #, they would get topics 1, 2, and 4 but not 3. In addition, if the malicious Client App subscribed to %PasswordDist/# it also wouldn't give them anything; meaning a Client can only pull from these special topics if they know it exactly.

All this stems from the understanding that the $SYS topics can only be subscribed to if the exact topic is used. If this is wrong then by all means ignore me and mark the issue resolved, since I understand that building this kind of feature from nothing would be a monumental feat; but my understanding is that this feature is already partially built for specific circumstances.

I hope you find this as interesting an idea for a feature as I do; if not, then I have alternative methods that I'm considering to reach the same goal, so no worries or rush on my part. I thoroughly enjoy using MQTT in my work so far; keep up the awesome work 😄
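As an added example (not code from this issue or from the mqtt.org project), here is a Python topic-filter matcher that implements the MQTT 3.1.1 wildcard rules, including the rule that a filter whose first character is '#' or '+' never matches a topic name beginning with '$', and that models the post's proposed '%' prefix as a hypothetical "exact filter only" prefix a broker could enforce on the subscription side. The topic list is the one from the post plus a constructed $SYS topic; the '%' handling is an assumption about the proposal, not part of the specification.

```python
# Added example: MQTT 3.1.1 topic-filter matching (section 4.7.2 rules for
# '#', '+' and '$'-prefixed topic names), plus a hypothetical "exact filter
# only" prefix modelling the '%' identifier proposed in the issue above.

EXACT_ONLY_PREFIXES = ("%",)  # hypothetical; not part of the MQTT specification


def topic_matches(filter_: str, topic: str) -> bool:
    """Return True if the subscription filter would deliver the topic name."""
    if topic.startswith(EXACT_ONLY_PREFIXES):
        # Proposed behaviour: only a wildcard-free filter equal to the topic matches.
        return "#" not in filter_ and "+" not in filter_ and filter_ == topic
    if filter_[:1] in ("#", "+") and topic.startswith("$"):
        # Spec rule: a filter starting with a wildcard must not match $-topics.
        return False
    f_levels = filter_.split("/")
    t_levels = topic.split("/")
    for i, level in enumerate(f_levels):
        if level == "#":
            # Multi-level wildcard: only valid as the last level; matches the
            # parent level itself as well as everything beneath it.
            return i == len(f_levels) - 1
        if i >= len(t_levels):
            return False
        if level != "+" and level != t_levels[i]:
            return False
    return len(f_levels) == len(t_levels)


def deliver(filter_: str, topics) -> list:
    """Topic names from `topics` that a subscriber holding `filter_` would receive."""
    return [t for t in topics if topic_matches(filter_, t)]


# Constructed sample: the four topic names from the issue plus one broker $SYS topic.
TOPICS = [
    "LocalServer/App1/Object_A",
    "RemoteServer/AccessApp/EntryAttempt",
    "%PasswordDist/Location_X/Machine_X/App_X/Credential_1430",
    "foo/bar/foobar",
    "$SYS/broker/uptime",
]

if __name__ == "__main__":
    for flt in ("#", "%PasswordDist/#", "$SYS/#", "+/+/Object_A",
                "%PasswordDist/Location_X/Machine_X/App_X/Credential_1430"):
        print(f"{flt!r:62} -> {deliver(flt, TOPICS)}")
```

Running it shows that a plain '#' subscription already skips $-prefixed topics under the existing rule, while '$SYS/#' still receives them; the modelled '%' prefix differs only in also rejecting that second case.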

This issue tracker is for the mqtt.org website. It isn't a place to get support for individual clients or ask about the protocol itself.

If this is still an issue please use: