Access control in Mosquitto MQTT Broker

Onur · Nov 8, 2017 · Viewed 9k times

How can I restrict publishing to only selected users on a Mosquitto MQTT broker?

I want some users to be able to subscribe, some other users to be able to publish and I need these two groups of users separated.

I know there is an authorization control that allows access with username:password. But it is not clear to me how to assign roles to users.

If there are no such role assignments, is setting different ports for publishers and subscribers possible?

Answer

hardillb · Nov 8, 2017

The man page for the mosquitto config file covers all this.

The acl_file option specifies the file that holds the ACL list. The file contains groups of entries that control access to either a topic or pattern to match against a topic. e.g.

user user1
topic read foo/bar

user user2
topic readwrite foo/bar

This allows user1 to read from topic foo/bar and allows user2 to both read and write to the topic.

The password_file option can be used to specify the file to find username/password mappings. This file is edited with the mosquitto_passwd command, here is its man page.

Both these options can be replaced by a plugin that provides an API to authenticate and authorize users. At the moment there is only one publicly available plugin that supports multiple different database backends to store user/acl data. You can find it here
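Whether the publisher/subscriber split asked about in the question works comes down to how the broker evaluates the acl_file. The Python script below is an added example, not Mosquitto's own code and not part of the answer above: it models the acl_file rules the mosquitto.conf man page documents (rules before the first user line apply to anonymous clients, topic and pattern lines with read/write/readwrite/deny, deny taking precedence over grants, and deny by default when nothing matches) and checks a constructed ACL in which sensor1 may only publish and dashboard may only subscribe. The usernames, client ids and topics are assumptions made up for the example.

```python
"""Added example: a model of acl_file evaluation, NOT Mosquitto's own code.
It follows the behaviour documented for acl_file (user/topic/pattern lines,
deny before grant, default deny) so a publisher/subscriber split can be
checked offline.  The ACL text below is constructed for this example."""
from dataclasses import dataclass, field

# Constructed acl_file: sensors may only publish, the dashboard may only
# subscribe, and every client owns a private subtree under clients/<username>/
EXAMPLE_ACL = """\
# Lines before the first 'user' line apply to anonymous clients only.
# (nothing here, so anonymous clients get no access at all)

user sensor1
topic write sensors/#

user dashboard
topic read sensors/#
topic deny sensors/secret

# pattern lines apply to every client; %u = username, %c = client id
pattern readwrite clients/%u/#
"""


@dataclass
class Rule:
    access: str   # "read", "write", "readwrite" or "deny"
    topic: str    # topic filter, may contain the + and # wildcards


@dataclass
class Acl:
    anonymous: list = field(default_factory=list)  # rules before any 'user' line
    users: dict = field(default_factory=dict)      # username -> [Rule]
    patterns: list = field(default_factory=list)   # 'pattern' rules, for everyone


def parse_acl(text):
    """Parse 'user <name>', 'topic [access] <filter>' and
    'pattern [access] <filter>' lines; access defaults to readwrite."""
    acl = Acl()
    current = acl.anonymous
    for raw in text.splitlines():
        line = raw.strip()
        # Only a leading '#' is a comment: '#' is also the multi-level wildcard.
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if parts[0] == "user":
            current = acl.users.setdefault(parts[1], [])
        elif parts[0] in ("topic", "pattern"):
            access, topic = ("readwrite", parts[1]) if len(parts) == 2 else parts[1:3]
            (acl.patterns if parts[0] == "pattern" else current).append(Rule(access, topic))
        else:
            raise ValueError(f"unrecognised acl line: {raw!r}")
    return acl


def topic_matches(filter_, topic):
    """MQTT subscription matching: '+' is one level, '#' the remainder (and must
    be last); wildcards never match topics beginning with '$' (e.g. $SYS/...)."""
    if filter_[0] in "+#" and topic.startswith("$"):
        return False
    f, t = filter_.split("/"), topic.split("/")
    for i, level in enumerate(f):
        if level == "#":
            return i == len(f) - 1
        if i >= len(t) or (level != "+" and level != t[i]):
            return False
    return len(f) == len(t)


def acl_check(acl, username, client_id, topic, access):
    """True if the client may 'read' (subscribe/receive) or 'write' (publish)
    the topic: a matching deny rule wins, then any grant covering the requested
    access, otherwise deny."""
    rules = list(acl.anonymous) if username is None else list(acl.users.get(username, []))
    for r in acl.patterns:
        t = r.topic
        if "%u" in t:
            if username is None:
                continue                    # %u cannot apply to an anonymous client
            t = t.replace("%u", username)
        rules.append(Rule(r.access, t.replace("%c", client_id)))
    matching = [r for r in rules if topic_matches(r.topic, topic)]
    if any(r.access == "deny" for r in matching):
        return False
    return any(r.access in (access, "readwrite") for r in matching)


if __name__ == "__main__":
    acl = parse_acl(EXAMPLE_ACL)
    for user, cid, topic, access in [
        ("sensor1", "s1", "sensors/temp", "write"),          # publisher: allowed
        ("sensor1", "s1", "sensors/temp", "read"),           # publisher: no subscribe
        ("dashboard", "d1", "sensors/temp", "read"),         # subscriber: allowed
        ("dashboard", "d1", "sensors/temp", "write"),        # subscriber: no publish
        ("dashboard", "d1", "sensors/secret", "read"),       # explicit deny wins
        ("dashboard", "d1", "clients/dashboard/x", "write"), # own subtree via %u
        (None, "anon", "sensors/temp", "read"),              # anonymous: nothing
    ]:
        verdict = "allow" if acl_check(acl, user, cid, topic, access) else "deny"
        print(f"{str(user):10} {access:5} {topic:22} -> {verdict}")
```

Two practical points the script makes visible: a user with no rules gets nothing, so "separating" publishers from subscribers is simply a matter of granting write to one set of users and read to the other, with no need for separate ports; and only a line that starts with # is a comment, since # is also the multi-level wildcard in a topic filter. On a real broker the ACL only applies if mosquitto.conf also sets allow_anonymous false, password_file and acl_file, and edits to those files are picked up on a reload (SIGHUP).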