I am using Mosquitto as my local network MQTT broker, with several clients publishing to and subscribing to different channels.
As the clients are authenticated by mosquitto (using the password_file in the configuration) for accessing the broker, is there any way to secure individual channels?
I would like to allow some sensors to control the lights (i.e.) but not every sensor is allowed to control the windows.
Mosquitto supports ACLs, which let you set which topics a user can subscribe/publish to. Details of how to create an ACL file are included in the mosquitto.conf man page:
acl_file file path
Set the path to an access control list file. If defined, the contents of the file are used to control client access to topics on the broker.
If this parameter is defined then only the topics listed will have access. Topic access is added with lines of the format:
topic [read|write|readwrite] <topic>
The access type is controlled using "read", "write" or "readwrite". This parameter is optional (unless <topic> includes a space character) - if not given then the access is read/write. <topic> can contain the + or # wildcards as in subscriptions.
The first set of topics are applied to anonymous clients, assuming allow_anonymous is true. User specific topic ACLs are added after a user line as follows:
user <username>
The username referred to here is the same as in password_file. It is not the clientid.
It is also possible to define ACLs based on pattern substitution within the topic. The form is the same as for the topic keyword, but using pattern as the keyword.
pattern [read|write|readwrite] <topic>
The patterns available for substitution are:
%c to match the client id of the client
%u to match the username of the client
The substitution pattern must be the only text for that level of hierarchy. Pattern ACLs apply to all users even if the "user" keyword has previously been given.
Example:
pattern write sensor/%u/data
Allow access for bridge connection messages:
pattern write $SYS/broker/connection/%c/state
If the first character of a line of the ACL file is a # it is treated as a comment.
Reloaded on reload signal. The currently loaded ACLs will be freed and reloaded. Existing subscriptions will be affected after the reload.
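To see how these rules combine for the scenario in the question (light sensors may drive the lights, only the window sensor may drive the windows, every client may publish its own telemetry via a %u pattern), here is an added example that parses an acl_file in the format quoted above and answers "may this user/client publish or subscribe to this topic?". It is not Mosquitto's code but a simplified model of the rules in the man page text, intended for auditing an ACL offline before reloading the broker: it checks concrete topic names only, ignores allow_anonymous and plugin-based ACLs, and the ACL file, usernames, client ids and topics are all constructed for the example.

```python
"""Offline evaluator for a Mosquitto-style ACL file (simplified model, added example)."""
from dataclasses import dataclass, field

READ, WRITE = "read", "write"   # READ = subscribe/receive, WRITE = publish


@dataclass
class Acl:
    anonymous: list = field(default_factory=list)  # [(modes, filter)] before any 'user' line
    users: dict = field(default_factory=dict)      # username -> [(modes, filter)]
    patterns: list = field(default_factory=list)   # [(modes, filter with %u/%c)], apply to all


def _parse_access(rest):
    """'[read|write|readwrite] <topic>' -> (set of modes, filter); omitted access => readwrite."""
    parts = rest.split(None, 1)
    if len(parts) == 2 and parts[0] in ("read", "write", "readwrite"):
        mode, filt = parts
    else:
        mode, filt = "readwrite", rest
    return ({READ, WRITE} if mode == "readwrite" else {mode}), filt.strip()


def parse_acl(text):
    """Parse acl_file contents; lines starting with '#' are comments."""
    acl, current = Acl(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, rest = line.partition(" ")
        rest = rest.strip()
        if keyword == "user":
            current = rest
            acl.users.setdefault(current, [])
        elif keyword == "topic":
            (acl.anonymous if current is None else acl.users[current]).append(_parse_access(rest))
        elif keyword == "pattern":
            acl.patterns.append(_parse_access(rest))
        else:
            raise ValueError(f"unknown ACL keyword: {raw!r}")
    return acl


def _levels(filt, username=None, client_id=None, substitute=False):
    """Split a filter into (level, literal) pairs; for patterns expand %u/%c.

    Substituted levels are compared literally (a username 'a+b' is not a wildcard).
    Returns None when a %u pattern is evaluated for an anonymous client: it cannot apply.
    """
    out = []
    for level in filt.split("/"):
        if substitute and level == "%u":
            if username is None:
                return None
            out.append((username, True))
        elif substitute and level == "%c":
            out.append((client_id, True))
        else:
            out.append((level, False))
    return out


def topic_matches(levels, topic):
    """MQTT filter matching: '+' matches one level, '#' (last level only) matches the rest."""
    t = topic.split("/")
    # As for subscriptions, wildcards never match a topic whose first level starts with '$'.
    if t[0].startswith("$") and not levels[0][1] and levels[0][0] in ("+", "#"):
        return False
    for i, (level, literal) in enumerate(levels):
        if not literal and level == "#":
            return i == len(levels) - 1
        if i >= len(t) or ((literal or level != "+") and level != t[i]):
            return False
    return len(t) == len(levels)


def is_allowed(acl, username, client_id, topic, access):
    """True if the user's (or anonymous) entries or any pattern grant `access` on `topic`."""
    entries = acl.anonymous if username is None else acl.users.get(username, [])
    if any(access in m and topic_matches(_levels(f), topic) for m, f in entries):
        return True
    for modes, filt in acl.patterns:
        levels = _levels(filt, username, client_id, substitute=True)
        if levels is not None and access in modes and topic_matches(levels, topic):
            return True
    return False   # acl_file defined => everything not listed is denied


def find_violations(acl, expectations):
    """Return the (username, client_id, topic, access, expected) tuples the ACL does not satisfy."""
    return [e for e in expectations if is_allowed(acl, *e[:4]) != e[4]]


# Constructed ACL for the question's scenario (not from the page).
SAMPLE_ACL = """
# light sensors may drive the lights and watch their state, nothing else
user light_sensor
topic write home/lights/+/set
topic read home/lights/+/state
# only the window sensor may drive the windows
user window_sensor
topic write home/windows/+/set
# every authenticated client may publish its own telemetry; bridge state per client id
pattern write sensor/%u/data
pattern write $SYS/broker/connection/%c/state
"""

# The policy the operator wants to hold, checked offline before sending the reload signal.
EXPECTATIONS = [
    ("light_sensor", "ls1", "home/lights/kitchen/set", WRITE, True),
    ("light_sensor", "ls1", "home/windows/kitchen/set", WRITE, False),
    ("light_sensor", "ls1", "home/lights/kitchen/state", WRITE, False),
    ("window_sensor", "ws1", "home/windows/kitchen/set", WRITE, True),
    ("window_sensor", "ws1", "sensor/light_sensor/data", WRITE, False),
    ("window_sensor", "ws1", "sensor/window_sensor/data", WRITE, True),
    (None, "anon", "home/lights/kitchen/set", WRITE, False),
    (None, "anon", "sensor/anon/data", WRITE, False),
]

if __name__ == "__main__":
    print("ACL violations:", find_violations(parse_acl(SAMPLE_ACL), EXPECTATIONS) or "none")
```

Keeping an expectations list like this next to the ACL file turns the "who may write to the windows" question into a check you can re-run every time the file changes, which matters because a single overly broad `+` or `#` entry silently widens access for every client it covers.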