Mosquitto ACL setup
An ACL (access control list) file can be used to restrict what users may do on the different topics of a Mosquitto broker. For a given set of topics you can choose which users may both read and write, only read, only write, or are denied access altogether. The '+' and '#' wildcards are also at your disposal.
There are three levels at which control can be set:
- topic
- user
- client
If allow_anonymous is set to true, users can log in to the broker without a username/password. A line starting with topic such as

```
topic read test/#
```

allows an anonymous user to read from the test/# topic. This means the user can read from test/A, test/B, test/a/b/c/d/e etc., but not write. Changing the line to

```
topic readwrite test/#
```

allows the user to both read and write to the test/... topics. 'readwrite' is actually the default, so

```
topic test/#
```

is the same as the setting above.
The user keyword works in the same way. Setting up

```
user lena
topic read vscp/#
```

allows user lena to read the topic vscp and all its subtopics. Writing this
```
user lena
topic read vscp/#
topic read super
topic read cool
topic write xxx
topic test
topic deny private
```

lets user lena read vscp and its subtopics, read super (but not its subtopics), read cool (but not its subtopics), write to xxx (but not to its subtopics), and both read and write the topic test. The topic private is not available to user lena.
Using the keyword pattern you can set rights relative to the client id of the connecting client. The setting

```
pattern write test/%c/state
```

allows a client to write to the topic constructed by replacing %c with the client id of the connecting client.
You can also use %u in a pattern, which is replaced with the username of the logged-in user.
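To see how these rules combine, here is a small evaluator for the ACL format described above. It is an added example, not code from the VSCP project or from Mosquitto: it parses an ACL file and answers whether a given client may read or write a topic. It assumes Mosquitto's documented behaviour, namely that rules before the first user line apply only to anonymous clients, that pattern lines apply to every client with %c and %u substituted, that a missing access type means readwrite, and that an explicit deny wins over any allow; the ACL text, the user lena and the client id c1 are constructed sample values.

```python
ACL_TEXT = """\
topic read test/#
user lena
topic read vscp/#
topic read super
topic write xxx
topic test
topic deny private
pattern write test/%c/state
"""  # constructed sample in the format described above, not a real deployment file

def parse_acl(text):
    """Return (user_or_None, access, topic, is_pattern) tuples; missing access means readwrite."""
    rules, current_user = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, rest = line.partition(" ")
        if keyword == "user":
            current_user = rest.strip()  # later topic lines belong to this user
        else:
            access, _, topic = rest.partition(" ")
            if access not in ("read", "write", "readwrite", "deny"):
                access, topic = "readwrite", rest
            rules.append((current_user, access, topic.strip(), keyword == "pattern"))
    return rules

def topic_matches(sub, topic):
    """MQTT matching: '+' matches one level, '#' (last level only) matches the rest."""
    s, t = sub.split("/"), topic.split("/")
    for i, part in enumerate(s):
        if part == "#":
            return i == len(s) - 1
        if i >= len(t) or (part != "+" and part != t[i]):
            return False
    return len(s) == len(t)

def check_access(rules, username, client_id, topic, access):
    """access is 'read' or 'write'; deny beats allow, and no matching rule means denied."""
    applicable = []
    for user, acc, pat, is_pattern in rules:
        if is_pattern:
            if "%u" in pat and username is None:
                continue  # nothing to substitute for an anonymous client
            pat = pat.replace("%c", client_id).replace("%u", username or "")
        elif user != username:
            continue  # rules under a 'user' line apply to that user only
        applicable.append((acc, pat))
    matched = [acc for acc, pat in applicable if topic_matches(pat, topic)]
    return "deny" not in matched and any(a in (access, "readwrite") for a in matched)
```

Run check_access(parse_acl(ACL_TEXT), "lena", "c1", "test/x", "read") to confirm that lena does not inherit the anonymous section's test/# rule.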
Edit mosquitto.conf and point acl_file at your ACL file, like

```
acl_file /etc/mosquitto/acl.example
```

There is a sample ACL file in /etc/mosquitto you can start with.
The VSCP Project (https://www.vscp.org) - Copyright © 2000-2024 Åke Hedman, the VSCP Project